feat: add Nginx + Let's Encrypt deploy config for Gitea TLS

Stage reverse proxy configuration and automated deploy script
for securing the Gitea instance with TLS. Includes:

- Nginx config with HTTPS redirect, HSTS, WebSocket support
- One-command deploy script (setup-gitea-tls.sh) that installs
  Nginx + Certbot, obtains cert, patches app.ini, blocks port 3000
- app.ini hardening reference from security audit (#971)

Requires DNS A record for git.alexanderwhitestone.com -> 143.198.27.163
before running the deploy script on the server.

Fixes #989

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

deploy/gitea-app-ini.patch

@@ -0,0 +1,50 @@
+# ── Gitea app.ini Hardening Patch ────────────────────────────────────────────
+#
+# Apply these changes to /etc/gitea/app.ini (or custom/conf/app.ini)
+# AFTER running setup-gitea-tls.sh, or apply manually.
+#
+# The deploy script handles DOMAIN, ROOT_URL, HTTP_ADDR, and COOKIE_SECURE
+# automatically. This file documents the FULL recommended hardening config
+# from the security audit (#971).
+#
+# ── Instructions ────────────────────────────────────────────────────────────
+#
+# 1. Back up your current app.ini:
+#      cp /etc/gitea/app.ini /etc/gitea/app.ini.bak
+#
+# 2. Apply each section below by editing app.ini.
+#
+# 3. Restart Gitea:
+#      systemctl restart gitea
+#      # or: docker restart gitea
+
+# ── [server] section ───────────────────────────────────────────────────────
+# These are set automatically by setup-gitea-tls.sh:
+#
+#   DOMAIN           = git.alexanderwhitestone.com
+#   HTTP_ADDR        = 127.0.0.1
+#   HTTP_PORT        = 3000
+#   PROTOCOL         = http
+#   ROOT_URL         = https://git.alexanderwhitestone.com/
+#
+# Additionally recommended:
+#   ENABLE_PPROF     = false
+#   OFFLINE_MODE     = true
+
+# ── [security] section ─────────────────────────────────────────────────────
+# INSTALL_LOCK             = true
+# SECRET_KEY               = <generate with: gitea generate secret SECRET_KEY>
+# REVERSE_PROXY_TRUST_LOCAL = true
+# COOKIE_SECURE            = true    (set by deploy script)
+# SET_COOKIE_HTTP_ONLY     = true
+
+# ── [service] section ──────────────────────────────────────────────────────
+# DISABLE_REGISTRATION              = true
+# ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+# SHOW_REGISTRATION_BUTTON          = false
+# ENABLE_REVERSE_PROXY_AUTHENTICATION = false
+# REQUIRE_SIGNIN_VIEW               = true
+
+# ── [repository] section ───────────────────────────────────────────────────
+# FORCE_PRIVATE   = true
+# DEFAULT_PRIVATE = private

deploy/nginx-gitea.conf

@@ -0,0 +1,75 @@
+# ── Gitea Reverse Proxy — TLS via Let's Encrypt ─────────────────────────────
+#
+# Install path: /etc/nginx/sites-available/gitea
+# Symlink:      ln -s /etc/nginx/sites-available/gitea /etc/nginx/sites-enabled/
+#
+# Prerequisites:
+#   - DNS A record: git.alexanderwhitestone.com -> 143.198.27.163
+#   - certbot + python3-certbot-nginx installed
+#   - Certificate obtained via: certbot --nginx -d git.alexanderwhitestone.com
+#
+# After certbot runs, it will auto-modify the ssl lines below.
+# This config is the pre-certbot template that certbot enhances.
+
+# ── HTTP → HTTPS redirect ───────────────────────────────────────────────────
+server {
+    listen 80;
+    listen [::]:80;
+    server_name git.alexanderwhitestone.com;
+
+    # Let's Encrypt ACME challenge
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# ── HTTPS — reverse proxy to Gitea ──────────────────────────────────────────
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name git.alexanderwhitestone.com;
+
+    # ── TLS (managed by certbot) ────────────────────────────────────────────
+    ssl_certificate     /etc/letsencrypt/live/git.alexanderwhitestone.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/git.alexanderwhitestone.com/privkey.pem;
+
+    # ── TLS hardening ───────────────────────────────────────────────────────
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # ── Security headers ────────────────────────────────────────────────────
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header Referrer-Policy strict-origin-when-cross-origin always;
+
+    # ── Proxy to Gitea ──────────────────────────────────────────────────────
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support (for live updates)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Large repo pushes
+        client_max_body_size 512m;
+
+        # Timeouts for large git operations
+        proxy_connect_timeout 300;
+        proxy_send_timeout    300;
+        proxy_read_timeout    300;
+    }
+}

deploy/setup-gitea-tls.sh

@@ -0,0 +1,299 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ── Gitea TLS Setup — Nginx + Let's Encrypt ─────────────────────────────────
+#
+# Sets up a reverse proxy with automatic TLS for the Gitea instance.
+#
+# Prerequisites:
+#   - Ubuntu/Debian server with root access
+#   - DNS A record pointing to this server's IP
+#   - Gitea running on localhost:3000
+#
+# Usage:
+#   sudo bash deploy/setup-gitea-tls.sh git.alexanderwhitestone.com
+#   sudo bash deploy/setup-gitea-tls.sh git.alexanderwhitestone.com --email admin@alexanderwhitestone.com
+#
+# What it does:
+#   1. Installs Nginx + Certbot
+#   2. Deploys the Nginx reverse proxy config
+#   3. Obtains a Let's Encrypt TLS certificate
+#   4. Patches Gitea app.ini for HTTPS
+#   5. Blocks direct access to port 3000
+#   6. Restarts services
+
+BOLD='\033[1m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+CYAN='\033[0;36m'
+NC='\033[0m'
+
+info()  { echo -e "${GREEN}[+]${NC} $1"; }
+warn()  { echo -e "${YELLOW}[!]${NC} $1"; }
+error() { echo -e "${RED}[x]${NC} $1"; }
+step()  { echo -e "\n${BOLD}── $1 ──${NC}"; }
+
+# ── Parse arguments ─────────────────────────────────────────────────────────
+
+DOMAIN=""
+EMAIL=""
+GITEA_INI="/etc/gitea/app.ini"
+DRY_RUN=false
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --email)    EMAIL="$2"; shift 2 ;;
+        --ini)      GITEA_INI="$2"; shift 2 ;;
+        --dry-run)  DRY_RUN=true; shift ;;
+        -*)         error "Unknown option: $1"; exit 1 ;;
+        *)          DOMAIN="$1"; shift ;;
+    esac
+done
+
+if [ -z "$DOMAIN" ]; then
+    error "Usage: $0 <domain> [--email you@example.com] [--ini /path/to/app.ini]"
+    exit 1
+fi
+
+if [ -z "$EMAIL" ]; then
+    EMAIL="admin@${DOMAIN#*.}"
+fi
+
+echo -e "${CYAN}${BOLD}"
+echo "  ╔══════════════════════════════════════════╗"
+echo "  ║   Gitea TLS Setup                        ║"
+echo "  ║   Nginx + Let's Encrypt                  ║"
+echo "  ╚══════════════════════════════════════════╝"
+echo -e "${NC}"
+echo "  Domain:    $DOMAIN"
+echo "  Email:     $EMAIL"
+echo "  Gitea INI: $GITEA_INI"
+echo "  Dry run:   $DRY_RUN"
+echo ""
+
+# ── Preflight checks ───────────────────────────────────────────────────────
+
+if [ "$(id -u)" -ne 0 ]; then
+    error "This script must be run as root (or with sudo)"
+    exit 1
+fi
+
+# Verify DNS resolves to this server
+step "Checking DNS"
+RESOLVED_IP=$(dig +short "$DOMAIN" 2>/dev/null | head -1)
+LOCAL_IP=$(curl -4sf https://ifconfig.me 2>/dev/null || hostname -I 2>/dev/null | awk '{print $1}')
+
+if [ -z "$RESOLVED_IP" ]; then
+    error "DNS record for $DOMAIN not found."
+    error "Create an A record pointing $DOMAIN to $LOCAL_IP first."
+    exit 1
+fi
+
+if [ "$RESOLVED_IP" != "$LOCAL_IP" ]; then
+    warn "DNS for $DOMAIN resolves to $RESOLVED_IP but this server is $LOCAL_IP"
+    warn "Let's Encrypt will fail if DNS doesn't point here. Continue anyway? [y/N]"
+    read -r CONTINUE
+    if [ "$CONTINUE" != "y" ] && [ "$CONTINUE" != "Y" ]; then
+        exit 1
+    fi
+fi
+info "DNS OK: $DOMAIN -> $RESOLVED_IP"
+
+# Verify Gitea is running
+step "Checking Gitea"
+if curl -sf http://127.0.0.1:3000/ > /dev/null 2>&1; then
+    info "Gitea is running on localhost:3000"
+else
+    warn "Gitea not responding on localhost:3000 — continuing anyway"
+fi
+
+if $DRY_RUN; then
+    info "Dry run — would install nginx, certbot, configure TLS for $DOMAIN"
+    exit 0
+fi
+
+# ── Step 1: Install Nginx + Certbot ────────────────────────────────────────
+
+step "Installing Nginx + Certbot"
+apt-get update -qq
+apt-get install -y -qq nginx certbot python3-certbot-nginx
+info "Nginx + Certbot installed"
+
+# ── Step 2: Deploy Nginx config ────────────────────────────────────────────
+
+step "Deploying Nginx Configuration"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+NGINX_CONF="$SCRIPT_DIR/nginx-gitea.conf"
+
+if [ ! -f "$NGINX_CONF" ]; then
+    error "nginx-gitea.conf not found at $NGINX_CONF"
+    exit 1
+fi
+
+# Install config (replacing domain if different)
+sed "s/git\.alexanderwhitestone\.com/$DOMAIN/g" "$NGINX_CONF" \
+    > /etc/nginx/sites-available/gitea
+
+ln -sf /etc/nginx/sites-available/gitea /etc/nginx/sites-enabled/gitea
+
+# Remove default site if it conflicts
+if [ -L /etc/nginx/sites-enabled/default ]; then
+    rm /etc/nginx/sites-enabled/default
+    info "Removed default Nginx site"
+fi
+
+# Test config (will fail on missing cert — that's expected pre-certbot)
+# First deploy without SSL, get cert, then enable SSL
+cat > /etc/nginx/sites-available/gitea <<PRESSL
+# Temporary HTTP-only config for certbot initial setup
+server {
+    listen 80;
+    listen [::]:80;
+    server_name $DOMAIN;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+}
+PRESSL
+
+nginx -t && systemctl reload nginx
+info "Temporary HTTP proxy deployed"
+
+# ── Step 3: Obtain TLS Certificate ─────────────────────────────────────────
+
+step "Obtaining TLS Certificate"
+certbot --nginx \
+    -d "$DOMAIN" \
+    --email "$EMAIL" \
+    --agree-tos \
+    --non-interactive \
+    --redirect
+
+info "TLS certificate obtained and Nginx configured"
+
+# Now deploy the full config (certbot may have already modified it, but
+# let's ensure our hardened version is in place)
+sed "s/git\.alexanderwhitestone\.com/$DOMAIN/g" "$NGINX_CONF" \
+    > /etc/nginx/sites-available/gitea
+
+nginx -t && systemctl reload nginx
+info "Full TLS proxy config deployed"
+
+# ── Step 4: Patch Gitea app.ini ─────────────────────────────────────────────
+
+step "Patching Gitea Configuration"
+if [ -f "$GITEA_INI" ]; then
+    # Backup first
+    cp "$GITEA_INI" "${GITEA_INI}.bak.$(date +%Y%m%d%H%M%S)"
+    info "Backed up app.ini"
+
+    # Patch server section
+    sed -i "s|^DOMAIN\s*=.*|DOMAIN = $DOMAIN|" "$GITEA_INI"
+    sed -i "s|^ROOT_URL\s*=.*|ROOT_URL = https://$DOMAIN/|" "$GITEA_INI"
+    sed -i "s|^HTTP_ADDR\s*=.*|HTTP_ADDR = 127.0.0.1|" "$GITEA_INI"
+
+    # Enable secure cookies
+    if grep -q "^COOKIE_SECURE" "$GITEA_INI"; then
+        sed -i "s|^COOKIE_SECURE\s*=.*|COOKIE_SECURE = true|" "$GITEA_INI"
+    else
+        sed -i "/^\[security\]/a COOKIE_SECURE = true" "$GITEA_INI"
+    fi
+
+    info "Gitea config patched: DOMAIN=$DOMAIN, ROOT_URL=https://$DOMAIN/, HTTP_ADDR=127.0.0.1"
+else
+    warn "Gitea config not found at $GITEA_INI"
+    warn "Update manually:"
+    warn "  DOMAIN = $DOMAIN"
+    warn "  ROOT_URL = https://$DOMAIN/"
+    warn "  HTTP_ADDR = 127.0.0.1"
+fi
+
+# ── Step 5: Block direct port 3000 access ───────────────────────────────────
+
+step "Blocking Direct Port 3000 Access"
+if command -v ufw &> /dev/null; then
+    ufw deny 3000/tcp 2>/dev/null || true
+    info "Port 3000 blocked via ufw"
+else
+    # Use iptables as fallback
+    iptables -A INPUT -p tcp --dport 3000 -j DROP 2>/dev/null || true
+    info "Port 3000 blocked via iptables (not persistent — install ufw for persistence)"
+fi
+
+# Ensure HTTP/HTTPS are allowed
+if command -v ufw &> /dev/null; then
+    ufw allow 80/tcp 2>/dev/null || true
+    ufw allow 443/tcp 2>/dev/null || true
+    ufw allow 22/tcp 2>/dev/null || true
+fi
+
+# ── Step 6: Restart Gitea ───────────────────────────────────────────────────
+
+step "Restarting Gitea"
+if systemctl is-active --quiet gitea; then
+    systemctl restart gitea
+    info "Gitea restarted"
+elif docker ps --format '{{.Names}}' | grep -q gitea; then
+    docker restart "$(docker ps --format '{{.Names}}' | grep gitea | head -1)"
+    info "Gitea container restarted"
+else
+    warn "Could not auto-restart Gitea — restart it manually"
+fi
+
+# ── Step 7: Verify ──────────────────────────────────────────────────────────
+
+step "Verifying Deployment"
+sleep 3
+
+# Check HTTPS
+if curl -sf "https://$DOMAIN" > /dev/null 2>&1; then
+    info "HTTPS is working: https://$DOMAIN"
+else
+    warn "HTTPS check failed — may need a moment to propagate"
+fi
+
+# Check HSTS
+HSTS=$(curl -sI "https://$DOMAIN" 2>/dev/null | grep -i "strict-transport-security" || true)
+if [ -n "$HSTS" ]; then
+    info "HSTS header present: $HSTS"
+else
+    warn "HSTS header not detected — check Nginx config"
+fi
+
+# Check HTTP redirect
+HTTP_STATUS=$(curl -sI "http://$DOMAIN" 2>/dev/null | head -1 | awk '{print $2}')
+if [ "$HTTP_STATUS" = "301" ]; then
+    info "HTTP->HTTPS redirect working (301)"
+else
+    warn "HTTP redirect returned $HTTP_STATUS (expected 301)"
+fi
+
+# ── Summary ─────────────────────────────────────────────────────────────────
+
+echo ""
+echo -e "${GREEN}${BOLD}"
+echo "  ╔══════════════════════════════════════════╗"
+echo "  ║   Gitea TLS Setup Complete!              ║"
+echo "  ╚══════════════════════════════════════════╝"
+echo -e "${NC}"
+echo ""
+echo "  Gitea:    https://$DOMAIN"
+echo ""
+echo "  Certbot auto-renewal is enabled by default."
+echo "  Test it:  certbot renew --dry-run"
+echo ""
+echo "  To check status:"
+echo "    nginx -t                    # test config"
+echo "    systemctl status nginx      # proxy status"
+echo "    certbot certificates        # TLS cert info"
+echo ""

scripts/backfill_retro.py

@@ -17,8 +17,23 @@ REPO_ROOT = Path(__file__).resolve().parent.parent
 RETRO_FILE = REPO_ROOT / ".loop" / "retro" / "cycles.jsonl"
 SUMMARY_FILE = REPO_ROOT / ".loop" / "retro" / "summary.json"
 
-GITEA_API = "http://localhost:3000/api/v1"
-REPO_SLUG = "rockachopa/Timmy-time-dashboard"
+
+def _get_gitea_api() -> str:
+    """Read Gitea API URL from env var, then ~/.hermes/gitea_api file, then default."""
+    # Check env vars first (TIMMY_GITEA_API is preferred, GITEA_API for compatibility)
+    api_url = os.environ.get("TIMMY_GITEA_API") or os.environ.get("GITEA_API")
+    if api_url:
+        return api_url
+    # Check ~/.hermes/gitea_api file
+    api_file = Path.home() / ".hermes" / "gitea_api"
+    if api_file.exists():
+        return api_file.read_text().strip()
+    # Default fallback
+    return "http://localhost:3000/api/v1"
+
+
+GITEA_API = _get_gitea_api()
+REPO_SLUG = os.environ.get("REPO_SLUG", "rockachopa/Timmy-time-dashboard")
 TOKEN_FILE = Path.home() / ".hermes" / "gitea_token"
 
 TAG_RE = re.compile(r"\[([^\]]+)\]")

scripts/loop_guard.py

@@ -30,7 +30,22 @@ IDLE_STATE_FILE = REPO_ROOT / ".loop" / "idle_state.json"
 CYCLE_RESULT_FILE = REPO_ROOT / ".loop" / "cycle_result.json"
 TOKEN_FILE = Path.home() / ".hermes" / "gitea_token"
 
-GITEA_API = os.environ.get("GITEA_API", "http://localhost:3000/api/v1")
+
+def _get_gitea_api() -> str:
+    """Read Gitea API URL from env var, then ~/.hermes/gitea_api file, then default."""
+    # Check env vars first (TIMMY_GITEA_API is preferred, GITEA_API for compatibility)
+    api_url = os.environ.get("TIMMY_GITEA_API") or os.environ.get("GITEA_API")
+    if api_url:
+        return api_url
+    # Check ~/.hermes/gitea_api file
+    api_file = Path.home() / ".hermes" / "gitea_api"
+    if api_file.exists():
+        return api_file.read_text().strip()
+    # Default fallback
+    return "http://localhost:3000/api/v1"
+
+
+GITEA_API = _get_gitea_api()
 REPO_SLUG = os.environ.get("REPO_SLUG", "rockachopa/Timmy-time-dashboard")
 
 # Default cycle duration in seconds (5 min); stale threshold = 2× this
@@ -187,7 +202,11 @@ def load_queue() -> list[dict]:
                 # Persist the cleaned queue so stale entries don't recur
                 _save_cleaned_queue(data, open_numbers)
         return ready
-    except (json.JSONDecodeError, OSError):
+    except json.JSONDecodeError as exc:
+        print(f"[loop-guard] WARNING: Corrupt queue.json ({exc}) — returning empty queue")
+        return []
+    except OSError as exc:
+        print(f"[loop-guard] WARNING: Cannot read queue.json ({exc}) — returning empty queue")
         return []
 
 

scripts/triage_score.py

@@ -20,11 +20,28 @@ from datetime import datetime, timezone
 from pathlib import Path
 
 # ── Config ──────────────────────────────────────────────────────────────
-GITEA_API = os.environ.get("GITEA_API", "http://localhost:3000/api/v1")
+
+
+def _get_gitea_api() -> str:
+    """Read Gitea API URL from env var, then ~/.hermes/gitea_api file, then default."""
+    # Check env vars first (TIMMY_GITEA_API is preferred, GITEA_API for compatibility)
+    api_url = os.environ.get("TIMMY_GITEA_API") or os.environ.get("GITEA_API")
+    if api_url:
+        return api_url
+    # Check ~/.hermes/gitea_api file
+    api_file = Path.home() / ".hermes" / "gitea_api"
+    if api_file.exists():
+        return api_file.read_text().strip()
+    # Default fallback
+    return "http://localhost:3000/api/v1"
+
+
+GITEA_API = _get_gitea_api()
 REPO_SLUG = os.environ.get("REPO_SLUG", "rockachopa/Timmy-time-dashboard")
 TOKEN_FILE = Path.home() / ".hermes" / "gitea_token"
 REPO_ROOT = Path(__file__).resolve().parent.parent
 QUEUE_FILE = REPO_ROOT / ".loop" / "queue.json"
+QUEUE_BACKUP_FILE = REPO_ROOT / ".loop" / "queue.json.bak"
 RETRO_FILE = REPO_ROOT / ".loop" / "retro" / "triage.jsonl"
 QUARANTINE_FILE = REPO_ROOT / ".loop" / "quarantine.json"
 CYCLE_RETRO_FILE = REPO_ROOT / ".loop" / "retro" / "cycles.jsonl"
@@ -326,9 +343,38 @@ def run_triage() -> list[dict]:
     ready = [s for s in scored if s["ready"]]
     not_ready = [s for s in scored if not s["ready"]]
 
+    # Save backup before writing (if current file exists and is valid)
+    if QUEUE_FILE.exists():
+        try:
+            json.loads(QUEUE_FILE.read_text())  # Validate current file
+            QUEUE_BACKUP_FILE.write_text(QUEUE_FILE.read_text())
+        except (json.JSONDecodeError, OSError):
+            pass  # Current file is corrupt, don't overwrite backup
+
+    # Write new queue file
     QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
     QUEUE_FILE.write_text(json.dumps(ready, indent=2) + "\n")
 
+    # Validate the write by re-reading and parsing
+    try:
+        json.loads(QUEUE_FILE.read_text())
+    except (json.JSONDecodeError, OSError) as exc:
+        print(f"[triage] ERROR: queue.json validation failed: {exc}", file=sys.stderr)
+        # Restore from backup if available
+        if QUEUE_BACKUP_FILE.exists():
+            try:
+                backup_data = QUEUE_BACKUP_FILE.read_text()
+                json.loads(backup_data)  # Validate backup
+                QUEUE_FILE.write_text(backup_data)
+                print(f"[triage] Restored queue.json from backup")
+            except (json.JSONDecodeError, OSError) as restore_exc:
+                print(f"[triage] ERROR: Backup restore failed: {restore_exc}", file=sys.stderr)
+                # Write empty list as last resort
+                QUEUE_FILE.write_text("[]\n")
+        else:
+            # No backup, write empty list
+            QUEUE_FILE.write_text("[]\n")
+
     # Write retro entry
     retro_entry = {
         "timestamp": datetime.now(timezone.utc).isoformat(),

src/dashboard/routes/system.py

@@ -56,11 +56,13 @@ async def self_modify_queue(request: Request):
 
 @router.get("/swarm/mission-control", response_class=HTMLResponse)
 async def mission_control(request: Request):
+    """Render the swarm mission control dashboard page."""
     return templates.TemplateResponse(request, "mission_control.html", {})
 
 
 @router.get("/bugs", response_class=HTMLResponse)
 async def bugs_page(request: Request):
+    """Render the bug tracking page."""
     return templates.TemplateResponse(
         request,
         "bugs.html",
@@ -75,16 +77,19 @@ async def bugs_page(request: Request):
 
 @router.get("/self-coding", response_class=HTMLResponse)
 async def self_coding(request: Request):
+    """Render the self-coding automation status page."""
     return templates.TemplateResponse(request, "self_coding.html", {"stats": {}})
 
 
 @router.get("/hands", response_class=HTMLResponse)
 async def hands_page(request: Request):
+    """Render the hands (automation executions) page."""
     return templates.TemplateResponse(request, "hands.html", {"executions": []})
 
 
 @router.get("/creative/ui", response_class=HTMLResponse)
 async def creative_ui(request: Request):
+    """Render the creative UI playground page."""
     return templates.TemplateResponse(request, "creative.html", {})
 
 

src/dashboard/routes/tasks.py

@@ -145,6 +145,7 @@ async def tasks_page(request: Request):
 
 @router.get("/tasks/pending", response_class=HTMLResponse)
 async def tasks_pending(request: Request):
+    """Return HTMX partial for pending approval tasks."""
     with _get_db() as db:
         rows = db.execute(
             "SELECT * FROM tasks WHERE status='pending_approval' ORDER BY created_at DESC"
@@ -164,6 +165,7 @@ async def tasks_pending(request: Request):
 
 @router.get("/tasks/active", response_class=HTMLResponse)
 async def tasks_active(request: Request):
+    """Return HTMX partial for active (approved/running/paused) tasks."""
     with _get_db() as db:
         rows = db.execute(
             "SELECT * FROM tasks WHERE status IN ('approved','running','paused') ORDER BY created_at DESC"
@@ -183,6 +185,7 @@ async def tasks_active(request: Request):
 
 @router.get("/tasks/completed", response_class=HTMLResponse)
 async def tasks_completed(request: Request):
+    """Return HTMX partial for completed/vetoed/failed tasks (last 50)."""
     with _get_db() as db:
         rows = db.execute(
             "SELECT * FROM tasks WHERE status IN ('completed','vetoed','failed') ORDER BY completed_at DESC LIMIT 50"
@@ -241,26 +244,31 @@ async def create_task_form(
 
 @router.post("/tasks/{task_id}/approve", response_class=HTMLResponse)
 async def approve_task(request: Request, task_id: str):
+    """Approve a pending task and move it to active queue."""
     return await _set_status(request, task_id, "approved")
 
 
 @router.post("/tasks/{task_id}/veto", response_class=HTMLResponse)
 async def veto_task(request: Request, task_id: str):
+    """Veto a task, marking it as rejected."""
     return await _set_status(request, task_id, "vetoed")
 
 
 @router.post("/tasks/{task_id}/pause", response_class=HTMLResponse)
 async def pause_task(request: Request, task_id: str):
+    """Pause a running or approved task."""
     return await _set_status(request, task_id, "paused")
 
 
 @router.post("/tasks/{task_id}/cancel", response_class=HTMLResponse)
 async def cancel_task(request: Request, task_id: str):
+    """Cancel a task (marks as vetoed)."""
     return await _set_status(request, task_id, "vetoed")
 
 
 @router.post("/tasks/{task_id}/retry", response_class=HTMLResponse)
 async def retry_task(request: Request, task_id: str):
+    """Retry a failed/vetoed task by moving it back to approved."""
     return await _set_status(request, task_id, "approved")
 
 
@@ -271,6 +279,7 @@ async def modify_task(
     title: str = Form(...),
     description: str = Form(""),
 ):
+    """Update task title and description."""
     with _get_db() as db:
         db.execute(
             "UPDATE tasks SET title=?, description=? WHERE id=?",

src/infrastructure/world/__init__.py

@@ -0,0 +1,29 @@
+"""World interface — engine-agnostic adapter pattern for embodied agents.
+
+Provides the ``WorldInterface`` ABC and an adapter registry so Timmy can
+observe, act, and speak in any game world (Morrowind, Luanti, Godot, …)
+through a single contract.
+
+Quick start::
+
+    from infrastructure.world import get_adapter, register_adapter
+    from infrastructure.world.interface import WorldInterface
+
+    register_adapter("mock", MockWorldAdapter)
+    world = get_adapter("mock")
+    perception = world.observe()
+"""
+
+from infrastructure.world.registry import AdapterRegistry
+
+_registry = AdapterRegistry()
+
+register_adapter = _registry.register
+get_adapter = _registry.get
+list_adapters = _registry.list_adapters
+
+__all__ = [
+    "register_adapter",
+    "get_adapter",
+    "list_adapters",
+]

src/infrastructure/world/adapters/__init__.py

@@ -0,0 +1 @@
+"""Built-in world adapters."""

src/infrastructure/world/adapters/mock.py

@@ -0,0 +1,99 @@
+"""Mock world adapter — returns canned perception and logs commands.
+
+Useful for testing the heartbeat loop and WorldInterface contract
+without a running game server.
+"""
+
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from datetime import UTC, datetime
+
+from infrastructure.world.interface import WorldInterface
+from infrastructure.world.types import (
+    ActionResult,
+    ActionStatus,
+    CommandInput,
+    PerceptionOutput,
+)
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class _ActionLog:
+    """Record of an action dispatched to the mock world."""
+
+    command: CommandInput
+    timestamp: datetime
+
+
+class MockWorldAdapter(WorldInterface):
+    """In-memory mock adapter for testing.
+
+    * ``observe()`` returns configurable canned perception.
+    * ``act()`` logs the command and returns success.
+    * ``speak()`` logs the message.
+
+    Inspect ``action_log`` and ``speech_log`` to verify behaviour in tests.
+    """
+
+    def __init__(
+        self,
+        *,
+        location: str = "Test Chamber",
+        entities: list[str] | None = None,
+        events: list[str] | None = None,
+    ) -> None:
+        self._location = location
+        self._entities = entities or ["TestNPC"]
+        self._events = events or []
+        self._connected = False
+        self.action_log: list[_ActionLog] = []
+        self.speech_log: list[dict] = []
+
+    # -- lifecycle ---------------------------------------------------------
+
+    def connect(self) -> None:
+        self._connected = True
+        logger.info("MockWorldAdapter connected")
+
+    def disconnect(self) -> None:
+        self._connected = False
+        logger.info("MockWorldAdapter disconnected")
+
+    @property
+    def is_connected(self) -> bool:
+        return self._connected
+
+    # -- core contract -----------------------------------------------------
+
+    def observe(self) -> PerceptionOutput:
+        logger.debug("MockWorldAdapter.observe()")
+        return PerceptionOutput(
+            timestamp=datetime.now(UTC),
+            location=self._location,
+            entities=list(self._entities),
+            events=list(self._events),
+            raw={"adapter": "mock"},
+        )
+
+    def act(self, command: CommandInput) -> ActionResult:
+        logger.debug("MockWorldAdapter.act(%s)", command.action)
+        self.action_log.append(_ActionLog(command=command, timestamp=datetime.now(UTC)))
+        return ActionResult(
+            status=ActionStatus.SUCCESS,
+            message=f"Mock executed: {command.action}",
+            data={"adapter": "mock"},
+        )
+
+    def speak(self, message: str, target: str | None = None) -> None:
+        logger.debug("MockWorldAdapter.speak(%r, target=%r)", message, target)
+        self.speech_log.append(
+            {
+                "message": message,
+                "target": target,
+                "timestamp": datetime.now(UTC).isoformat(),
+            }
+        )

src/infrastructure/world/adapters/tes3mp.py

@@ -0,0 +1,58 @@
+"""TES3MP world adapter — stub for Morrowind multiplayer via TES3MP.
+
+This adapter will eventually connect to a TES3MP server and translate
+the WorldInterface contract into TES3MP commands.  For now every method
+raises ``NotImplementedError`` with guidance on what needs wiring up.
+
+Once PR #864 merges, import PerceptionOutput and CommandInput directly
+from ``infrastructure.morrowind.schemas`` if their shapes differ from
+the canonical types in ``infrastructure.world.types``.
+"""
+
+from __future__ import annotations
+
+import logging
+
+from infrastructure.world.interface import WorldInterface
+from infrastructure.world.types import ActionResult, CommandInput, PerceptionOutput
+
+logger = logging.getLogger(__name__)
+
+
+class TES3MPWorldAdapter(WorldInterface):
+    """Stub adapter for TES3MP (Morrowind multiplayer).
+
+    All core methods raise ``NotImplementedError``.
+    Implement ``connect()`` first — it should open a socket to the
+    TES3MP server and authenticate.
+    """
+
+    def __init__(self, *, host: str = "localhost", port: int = 25565) -> None:
+        self._host = host
+        self._port = port
+        self._connected = False
+
+    # -- lifecycle ---------------------------------------------------------
+
+    def connect(self) -> None:
+        raise NotImplementedError("TES3MPWorldAdapter.connect() — wire up TES3MP server socket")
+
+    def disconnect(self) -> None:
+        raise NotImplementedError("TES3MPWorldAdapter.disconnect() — close TES3MP server socket")
+
+    @property
+    def is_connected(self) -> bool:
+        return self._connected
+
+    # -- core contract (stubs) ---------------------------------------------
+
+    def observe(self) -> PerceptionOutput:
+        raise NotImplementedError("TES3MPWorldAdapter.observe() — poll TES3MP for player/NPC state")
+
+    def act(self, command: CommandInput) -> ActionResult:
+        raise NotImplementedError(
+            "TES3MPWorldAdapter.act() — translate CommandInput to TES3MP packet"
+        )
+
+    def speak(self, message: str, target: str | None = None) -> None:
+        raise NotImplementedError("TES3MPWorldAdapter.speak() — send chat message via TES3MP")

src/infrastructure/world/interface.py

@@ -0,0 +1,64 @@
+"""Abstract WorldInterface — the contract every game-world adapter must fulfil.
+
+Follows a Gymnasium-inspired pattern: observe → act → speak, with each
+method returning strongly-typed data structures.
+
+Any future engine (TES3MP, Luanti, Godot, …) plugs in by subclassing
+``WorldInterface`` and implementing the three methods.
+"""
+
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+
+from infrastructure.world.types import ActionResult, CommandInput, PerceptionOutput
+
+
+class WorldInterface(ABC):
+    """Engine-agnostic base class for world adapters.
+
+    Subclasses must implement:
+        - ``observe()``  — gather structured perception from the world
+        - ``act()``      — dispatch a command and return the outcome
+        - ``speak()``    — send a message to an NPC / player / broadcast
+
+    Lifecycle hooks ``connect()`` and ``disconnect()`` are optional.
+    """
+
+    # -- lifecycle (optional overrides) ------------------------------------
+
+    def connect(self) -> None:  # noqa: B027
+        """Establish connection to the game world.
+
+        Default implementation is a no-op.  Override to open sockets,
+        authenticate, etc.
+        """
+
+    def disconnect(self) -> None:  # noqa: B027
+        """Tear down the connection.
+
+        Default implementation is a no-op.
+        """
+
+    @property
+    def is_connected(self) -> bool:
+        """Return ``True`` if the adapter has an active connection.
+
+        Default returns ``True``.  Override for adapters that maintain
+        persistent connections.
+        """
+        return True
+
+    # -- core contract (must implement) ------------------------------------
+
+    @abstractmethod
+    def observe(self) -> PerceptionOutput:
+        """Return a structured snapshot of the current world state."""
+
+    @abstractmethod
+    def act(self, command: CommandInput) -> ActionResult:
+        """Execute *command* in the world and return the result."""
+
+    @abstractmethod
+    def speak(self, message: str, target: str | None = None) -> None:
+        """Send *message* in the world, optionally directed at *target*."""

src/infrastructure/world/registry.py

@@ -0,0 +1,54 @@
+"""Adapter registry — register and instantiate world adapters by name.
+
+Usage::
+
+    registry = AdapterRegistry()
+    registry.register("mock", MockWorldAdapter)
+    adapter = registry.get("mock", some_kwarg="value")
+"""
+
+from __future__ import annotations
+
+import logging
+from typing import Any
+
+from infrastructure.world.interface import WorldInterface
+
+logger = logging.getLogger(__name__)
+
+
+class AdapterRegistry:
+    """Name → WorldInterface class registry with instantiation."""
+
+    def __init__(self) -> None:
+        self._adapters: dict[str, type[WorldInterface]] = {}
+
+    def register(self, name: str, cls: type[WorldInterface]) -> None:
+        """Register an adapter class under *name*.
+
+        Raises ``TypeError`` if *cls* is not a ``WorldInterface`` subclass.
+        """
+        if not (isinstance(cls, type) and issubclass(cls, WorldInterface)):
+            raise TypeError(f"{cls!r} is not a WorldInterface subclass")
+        if name in self._adapters:
+            logger.warning("Overwriting adapter %r (was %r)", name, self._adapters[name])
+        self._adapters[name] = cls
+        logger.info("Registered world adapter: %s → %s", name, cls.__name__)
+
+    def get(self, name: str, **kwargs: Any) -> WorldInterface:
+        """Instantiate and return the adapter registered as *name*.
+
+        Raises ``KeyError`` if *name* is not registered.
+        """
+        cls = self._adapters[name]
+        return cls(**kwargs)
+
+    def list_adapters(self) -> list[str]:
+        """Return sorted list of registered adapter names."""
+        return sorted(self._adapters)
+
+    def __contains__(self, name: str) -> bool:
+        return name in self._adapters
+
+    def __len__(self) -> int:
+        return len(self._adapters)

src/infrastructure/world/types.py

@@ -0,0 +1,71 @@
+"""Canonical data types for world interaction.
+
+These mirror the PerceptionOutput / CommandInput types from PR #864's
+``morrowind/schemas.py``.  When that PR merges, these can be replaced
+with re-exports — but until then they serve as the stable contract for
+every WorldInterface adapter.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import UTC, datetime
+from enum import StrEnum
+
+
+class ActionStatus(StrEnum):
+    """Outcome of an action dispatched to the world."""
+
+    SUCCESS = "success"
+    FAILURE = "failure"
+    PENDING = "pending"
+    NOOP = "noop"
+
+
+@dataclass
+class PerceptionOutput:
+    """Structured world state returned by ``WorldInterface.observe()``.
+
+    Attributes:
+        timestamp:  When the observation was captured.
+        location:   Free-form location descriptor (e.g. "Balmora, Fighters Guild").
+        entities:   List of nearby entity descriptions.
+        events:     Recent game events since last observation.
+        raw:        Optional raw / engine-specific payload for advanced consumers.
+    """
+
+    timestamp: datetime = field(default_factory=lambda: datetime.now(UTC))
+    location: str = ""
+    entities: list[str] = field(default_factory=list)
+    events: list[str] = field(default_factory=list)
+    raw: dict = field(default_factory=dict)
+
+
+@dataclass
+class CommandInput:
+    """Action command sent via ``WorldInterface.act()``.
+
+    Attributes:
+        action:     Verb / action name (e.g. "move", "attack", "use_item").
+        target:     Optional target identifier.
+        parameters: Arbitrary key-value payload for engine-specific params.
+    """
+
+    action: str
+    target: str | None = None
+    parameters: dict = field(default_factory=dict)
+
+
+@dataclass
+class ActionResult:
+    """Outcome returned by ``WorldInterface.act()``.
+
+    Attributes:
+        status:   Whether the action succeeded, failed, etc.
+        message:  Human-readable description of the outcome.
+        data:     Arbitrary engine-specific result payload.
+    """
+
+    status: ActionStatus = ActionStatus.SUCCESS
+    message: str = ""
+    data: dict = field(default_factory=dict)

src/loop/heartbeat.py

@@ -0,0 +1,286 @@
+"""Heartbeat v2 — WorldInterface-driven cognitive loop.
+
+Drives real observe → reason → act → reflect cycles through whatever
+``WorldInterface`` adapter is connected.  When no adapter is present,
+gracefully falls back to the existing ``run_cycle()`` behaviour.
+
+Usage::
+
+    heartbeat = Heartbeat(world=adapter, interval=30.0)
+    await heartbeat.run_once()          # single cycle
+    await heartbeat.start()             # background loop
+    heartbeat.stop()                    # graceful shutdown
+"""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import time
+from dataclasses import dataclass, field
+from datetime import UTC, datetime
+
+from loop.phase1_gather import gather
+from loop.phase2_reason import reason
+from loop.phase3_act import act
+from loop.schema import ContextPayload
+
+logger = logging.getLogger(__name__)
+
+
+# ---------------------------------------------------------------------------
+# Cycle log entry
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class CycleRecord:
+    """One observe → reason → act → reflect cycle."""
+
+    cycle_id: int
+    timestamp: str
+    observation: dict = field(default_factory=dict)
+    reasoning_summary: str = ""
+    action_taken: str = ""
+    action_status: str = ""
+    reflect_notes: str = ""
+    duration_ms: int = 0
+
+
+# ---------------------------------------------------------------------------
+# Heartbeat
+# ---------------------------------------------------------------------------
+
+
+class Heartbeat:
+    """Manages the recurring cognitive loop with optional world adapter.
+
+    Parameters
+    ----------
+    world:
+        A ``WorldInterface`` instance (or ``None`` for passive mode).
+    interval:
+        Seconds between heartbeat ticks.  30 s for embodied mode,
+        300 s (5 min) for passive thinking.
+    on_cycle:
+        Optional async callback invoked after each cycle with the
+        ``CycleRecord``.
+    """
+
+    def __init__(
+        self,
+        *,
+        world=None,  # WorldInterface | None
+        interval: float = 30.0,
+        on_cycle=None,  # Callable[[CycleRecord], Awaitable[None]] | None
+    ) -> None:
+        self._world = world
+        self._interval = interval
+        self._on_cycle = on_cycle
+        self._cycle_count: int = 0
+        self._running = False
+        self._task: asyncio.Task | None = None
+        self.history: list[CycleRecord] = []
+
+    # -- properties --------------------------------------------------------
+
+    @property
+    def world(self):
+        return self._world
+
+    @world.setter
+    def world(self, adapter) -> None:
+        self._world = adapter
+
+    @property
+    def interval(self) -> float:
+        return self._interval
+
+    @interval.setter
+    def interval(self, value: float) -> None:
+        self._interval = max(1.0, value)
+
+    @property
+    def is_running(self) -> bool:
+        return self._running
+
+    @property
+    def cycle_count(self) -> int:
+        return self._cycle_count
+
+    # -- single cycle ------------------------------------------------------
+
+    async def run_once(self) -> CycleRecord:
+        """Execute one full heartbeat cycle.
+
+        If a world adapter is present:
+            1. Observe — ``world.observe()``
+            2. Gather + Reason + Act via the three-phase loop, with the
+               observation injected into the payload
+            3. Dispatch the decided action back to ``world.act()``
+            4. Reflect — log the cycle
+
+        Without an adapter the existing loop runs on a timer-sourced
+        payload (passive thinking).
+        """
+        self._cycle_count += 1
+        start = time.monotonic()
+        record = CycleRecord(
+            cycle_id=self._cycle_count,
+            timestamp=datetime.now(UTC).isoformat(),
+        )
+
+        if self._world is not None:
+            record = await self._embodied_cycle(record)
+        else:
+            record = await self._passive_cycle(record)
+
+        record.duration_ms = int((time.monotonic() - start) * 1000)
+        self.history.append(record)
+
+        # Broadcast via WebSocket (best-effort)
+        await self._broadcast(record)
+
+        if self._on_cycle:
+            await self._on_cycle(record)
+
+        logger.info(
+            "Heartbeat cycle #%d complete (%d ms) — action=%s status=%s",
+            record.cycle_id,
+            record.duration_ms,
+            record.action_taken or "(passive)",
+            record.action_status or "n/a",
+        )
+        return record
+
+    # -- background loop ---------------------------------------------------
+
+    async def start(self) -> None:
+        """Start the recurring heartbeat loop as a background task."""
+        if self._running:
+            logger.warning("Heartbeat already running")
+            return
+        self._running = True
+        self._task = asyncio.current_task() or asyncio.ensure_future(self._loop())
+        if self._task is not asyncio.current_task():
+            return
+        await self._loop()
+
+    async def _loop(self) -> None:
+        logger.info(
+            "Heartbeat loop started (interval=%.1fs, adapter=%s)",
+            self._interval,
+            type(self._world).__name__ if self._world else "None",
+        )
+        while self._running:
+            try:
+                await self.run_once()
+            except Exception:
+                logger.exception("Heartbeat cycle failed")
+            await asyncio.sleep(self._interval)
+
+    def stop(self) -> None:
+        """Signal the heartbeat loop to stop after the current cycle."""
+        self._running = False
+        logger.info("Heartbeat stop requested")
+
+    # -- internal: embodied cycle ------------------------------------------
+
+    async def _embodied_cycle(self, record: CycleRecord) -> CycleRecord:
+        """Cycle with a live world adapter: observe → reason → act → reflect."""
+        from infrastructure.world.types import ActionStatus, CommandInput
+
+        # 1. Observe
+        perception = self._world.observe()
+        record.observation = {
+            "location": perception.location,
+            "entities": perception.entities,
+            "events": perception.events,
+        }
+
+        # 2. Feed observation into the three-phase loop
+        obs_content = (
+            f"Location: {perception.location}\n"
+            f"Entities: {', '.join(perception.entities)}\n"
+            f"Events: {', '.join(perception.events)}"
+        )
+        payload = ContextPayload(
+            source="world",
+            content=obs_content,
+            metadata={"perception": record.observation},
+        )
+
+        gathered = gather(payload)
+        reasoned = reason(gathered)
+        acted = act(reasoned)
+
+        # Extract action decision from the acted payload
+        action_name = acted.metadata.get("action", "idle")
+        action_target = acted.metadata.get("action_target")
+        action_params = acted.metadata.get("action_params", {})
+        record.reasoning_summary = acted.metadata.get("reasoning", acted.content[:200])
+
+        # 3. Dispatch action to world
+        if action_name != "idle":
+            cmd = CommandInput(
+                action=action_name,
+                target=action_target,
+                parameters=action_params,
+            )
+            result = self._world.act(cmd)
+            record.action_taken = action_name
+            record.action_status = result.status.value
+        else:
+            record.action_taken = "idle"
+            record.action_status = ActionStatus.NOOP.value
+
+        # 4. Reflect
+        record.reflect_notes = (
+            f"Observed {len(perception.entities)} entities at {perception.location}. "
+            f"Action: {record.action_taken} → {record.action_status}."
+        )
+
+        return record
+
+    # -- internal: passive cycle -------------------------------------------
+
+    async def _passive_cycle(self, record: CycleRecord) -> CycleRecord:
+        """Cycle without a world adapter — existing think_once() behaviour."""
+        payload = ContextPayload(
+            source="timer",
+            content="heartbeat",
+            metadata={"mode": "passive"},
+        )
+
+        gathered = gather(payload)
+        reasoned = reason(gathered)
+        acted = act(reasoned)
+
+        record.reasoning_summary = acted.content[:200]
+        record.action_taken = "think"
+        record.action_status = "noop"
+        record.reflect_notes = "Passive thinking cycle — no world adapter connected."
+
+        return record
+
+    # -- broadcast ---------------------------------------------------------
+
+    async def _broadcast(self, record: CycleRecord) -> None:
+        """Emit heartbeat cycle data via WebSocket (best-effort)."""
+        try:
+            from infrastructure.ws_manager.handler import ws_manager
+
+            await ws_manager.broadcast(
+                "heartbeat.cycle",
+                {
+                    "cycle_id": record.cycle_id,
+                    "timestamp": record.timestamp,
+                    "action": record.action_taken,
+                    "action_status": record.action_status,
+                    "reasoning_summary": record.reasoning_summary[:300],
+                    "observation": record.observation,
+                    "duration_ms": record.duration_ms,
+                },
+            )
+        except (ImportError, AttributeError, ConnectionError, RuntimeError) as exc:
+            logger.debug("Heartbeat broadcast skipped: %s", exc)

src/loop/phase1_gather.py

@@ -17,9 +17,9 @@ logger = logging.getLogger(__name__)
 def gather(payload: ContextPayload) -> ContextPayload:
     """Accept raw input and return structured context for reasoning.
 
-    Stub: tags the payload with phase=gather and logs transit.
-    Timmy will flesh this out with context selection, memory lookup,
-    adapter polling, and attention-residual weighting.
+    When the payload carries a ``perception`` dict in metadata (injected by
+    the heartbeat loop from a WorldInterface adapter), that observation is
+    folded into the gathered context.  Otherwise behaves as before.
     """
     logger.info(
         "Phase 1 (Gather) received: source=%s content_len=%d tokens=%d",
@@ -28,7 +28,20 @@ def gather(payload: ContextPayload) -> ContextPayload:
         payload.token_count,
     )
 
-    result = payload.with_metadata(phase="gather", gathered=True)
+    extra: dict = {"phase": "gather", "gathered": True}
+
+    # Enrich with world observation when present
+    perception = payload.metadata.get("perception")
+    if perception:
+        extra["world_observation"] = perception
+        logger.info(
+            "Phase 1 (Gather) world observation: location=%s entities=%d events=%d",
+            perception.get("location", "?"),
+            len(perception.get("entities", [])),
+            len(perception.get("events", [])),
+        )
+
+    result = payload.with_metadata(**extra)
 
     logger.info(
         "Phase 1 (Gather) produced: metadata_keys=%s",

tests/infrastructure/world/test_interface.py

@@ -0,0 +1,129 @@
+"""Tests for the WorldInterface contract and type system."""
+
+import pytest
+
+from infrastructure.world.interface import WorldInterface
+from infrastructure.world.types import (
+    ActionResult,
+    ActionStatus,
+    CommandInput,
+    PerceptionOutput,
+)
+
+# ---------------------------------------------------------------------------
+# Type construction
+# ---------------------------------------------------------------------------
+
+
+class TestPerceptionOutput:
+    def test_defaults(self):
+        p = PerceptionOutput()
+        assert p.location == ""
+        assert p.entities == []
+        assert p.events == []
+        assert p.raw == {}
+        assert p.timestamp is not None
+
+    def test_custom_values(self):
+        p = PerceptionOutput(
+            location="Balmora",
+            entities=["Guard", "Merchant"],
+            events=["door_opened"],
+        )
+        assert p.location == "Balmora"
+        assert len(p.entities) == 2
+        assert "door_opened" in p.events
+
+
+class TestCommandInput:
+    def test_minimal(self):
+        c = CommandInput(action="move")
+        assert c.action == "move"
+        assert c.target is None
+        assert c.parameters == {}
+
+    def test_with_target_and_params(self):
+        c = CommandInput(action="attack", target="Rat", parameters={"weapon": "sword"})
+        assert c.target == "Rat"
+        assert c.parameters["weapon"] == "sword"
+
+
+class TestActionResult:
+    def test_defaults(self):
+        r = ActionResult()
+        assert r.status == ActionStatus.SUCCESS
+        assert r.message == ""
+
+    def test_failure(self):
+        r = ActionResult(status=ActionStatus.FAILURE, message="blocked")
+        assert r.status == ActionStatus.FAILURE
+
+
+class TestActionStatus:
+    def test_values(self):
+        assert ActionStatus.SUCCESS.value == "success"
+        assert ActionStatus.FAILURE.value == "failure"
+        assert ActionStatus.PENDING.value == "pending"
+        assert ActionStatus.NOOP.value == "noop"
+
+
+# ---------------------------------------------------------------------------
+# Abstract contract
+# ---------------------------------------------------------------------------
+
+
+class TestWorldInterfaceContract:
+    """Verify the ABC cannot be instantiated directly."""
+
+    def test_cannot_instantiate(self):
+        with pytest.raises(TypeError):
+            WorldInterface()
+
+    def test_subclass_must_implement_observe(self):
+        class Incomplete(WorldInterface):
+            def act(self, command):
+                pass
+
+            def speak(self, message, target=None):
+                pass
+
+        with pytest.raises(TypeError):
+            Incomplete()
+
+    def test_subclass_must_implement_act(self):
+        class Incomplete(WorldInterface):
+            def observe(self):
+                return PerceptionOutput()
+
+            def speak(self, message, target=None):
+                pass
+
+        with pytest.raises(TypeError):
+            Incomplete()
+
+    def test_subclass_must_implement_speak(self):
+        class Incomplete(WorldInterface):
+            def observe(self):
+                return PerceptionOutput()
+
+            def act(self, command):
+                return ActionResult()
+
+        with pytest.raises(TypeError):
+            Incomplete()
+
+    def test_complete_subclass_instantiates(self):
+        class Complete(WorldInterface):
+            def observe(self):
+                return PerceptionOutput()
+
+            def act(self, command):
+                return ActionResult()
+
+            def speak(self, message, target=None):
+                pass
+
+        adapter = Complete()
+        assert adapter.is_connected is True  # default
+        assert isinstance(adapter.observe(), PerceptionOutput)
+        assert isinstance(adapter.act(CommandInput(action="test")), ActionResult)

tests/infrastructure/world/test_mock_adapter.py

@@ -0,0 +1,80 @@
+"""Tests for the MockWorldAdapter — full observe/act/speak cycle."""
+
+from infrastructure.world.adapters.mock import MockWorldAdapter
+from infrastructure.world.types import ActionStatus, CommandInput, PerceptionOutput
+
+
+class TestMockWorldAdapter:
+    def test_observe_returns_perception(self):
+        adapter = MockWorldAdapter(location="Vivec")
+        perception = adapter.observe()
+        assert isinstance(perception, PerceptionOutput)
+        assert perception.location == "Vivec"
+        assert perception.raw == {"adapter": "mock"}
+
+    def test_observe_entities(self):
+        adapter = MockWorldAdapter(entities=["Jiub", "Silt Strider"])
+        perception = adapter.observe()
+        assert perception.entities == ["Jiub", "Silt Strider"]
+
+    def test_act_logs_command(self):
+        adapter = MockWorldAdapter()
+        cmd = CommandInput(action="move", target="north")
+        result = adapter.act(cmd)
+        assert result.status == ActionStatus.SUCCESS
+        assert "move" in result.message
+        assert len(adapter.action_log) == 1
+        assert adapter.action_log[0].command.action == "move"
+
+    def test_act_multiple_commands(self):
+        adapter = MockWorldAdapter()
+        adapter.act(CommandInput(action="attack"))
+        adapter.act(CommandInput(action="defend"))
+        adapter.act(CommandInput(action="retreat"))
+        assert len(adapter.action_log) == 3
+
+    def test_speak_logs_message(self):
+        adapter = MockWorldAdapter()
+        adapter.speak("Hello, traveler!")
+        assert len(adapter.speech_log) == 1
+        assert adapter.speech_log[0]["message"] == "Hello, traveler!"
+        assert adapter.speech_log[0]["target"] is None
+
+    def test_speak_with_target(self):
+        adapter = MockWorldAdapter()
+        adapter.speak("Die, scum!", target="Cliff Racer")
+        assert adapter.speech_log[0]["target"] == "Cliff Racer"
+
+    def test_lifecycle(self):
+        adapter = MockWorldAdapter()
+        assert adapter.is_connected is False
+        adapter.connect()
+        assert adapter.is_connected is True
+        adapter.disconnect()
+        assert adapter.is_connected is False
+
+    def test_full_observe_act_speak_cycle(self):
+        """Acceptance criterion: full observe/act/speak cycle passes."""
+        adapter = MockWorldAdapter(
+            location="Seyda Neen",
+            entities=["Fargoth", "Hrisskar"],
+            events=["quest_started"],
+        )
+        adapter.connect()
+
+        # Observe
+        perception = adapter.observe()
+        assert perception.location == "Seyda Neen"
+        assert len(perception.entities) == 2
+        assert "quest_started" in perception.events
+
+        # Act
+        result = adapter.act(CommandInput(action="talk", target="Fargoth"))
+        assert result.status == ActionStatus.SUCCESS
+
+        # Speak
+        adapter.speak("Where is your ring, Fargoth?", target="Fargoth")
+        assert len(adapter.speech_log) == 1
+
+        adapter.disconnect()
+        assert adapter.is_connected is False

tests/infrastructure/world/test_registry.py

@@ -0,0 +1,68 @@
+"""Tests for the adapter registry."""
+
+import pytest
+
+from infrastructure.world.adapters.mock import MockWorldAdapter
+from infrastructure.world.registry import AdapterRegistry
+
+
+class TestAdapterRegistry:
+    def test_register_and_get(self):
+        reg = AdapterRegistry()
+        reg.register("mock", MockWorldAdapter)
+        adapter = reg.get("mock")
+        assert isinstance(adapter, MockWorldAdapter)
+
+    def test_register_with_kwargs(self):
+        reg = AdapterRegistry()
+        reg.register("mock", MockWorldAdapter)
+        adapter = reg.get("mock", location="Custom Room")
+        assert adapter._location == "Custom Room"
+
+    def test_get_unknown_raises(self):
+        reg = AdapterRegistry()
+        with pytest.raises(KeyError):
+            reg.get("nonexistent")
+
+    def test_register_non_subclass_raises(self):
+        reg = AdapterRegistry()
+        with pytest.raises(TypeError):
+            reg.register("bad", dict)
+
+    def test_list_adapters(self):
+        reg = AdapterRegistry()
+        reg.register("beta", MockWorldAdapter)
+        reg.register("alpha", MockWorldAdapter)
+        assert reg.list_adapters() == ["alpha", "beta"]
+
+    def test_contains(self):
+        reg = AdapterRegistry()
+        reg.register("mock", MockWorldAdapter)
+        assert "mock" in reg
+        assert "other" not in reg
+
+    def test_len(self):
+        reg = AdapterRegistry()
+        assert len(reg) == 0
+        reg.register("mock", MockWorldAdapter)
+        assert len(reg) == 1
+
+    def test_overwrite_warns(self, caplog):
+        import logging
+
+        reg = AdapterRegistry()
+        reg.register("mock", MockWorldAdapter)
+        with caplog.at_level(logging.WARNING):
+            reg.register("mock", MockWorldAdapter)
+        assert "Overwriting" in caplog.text
+
+
+class TestModuleLevelRegistry:
+    """Test the convenience functions in infrastructure.world.__init__."""
+
+    def test_register_and_get(self):
+        from infrastructure.world import get_adapter, register_adapter
+
+        register_adapter("test_mock", MockWorldAdapter)
+        adapter = get_adapter("test_mock")
+        assert isinstance(adapter, MockWorldAdapter)

tests/infrastructure/world/test_tes3mp_adapter.py

@@ -0,0 +1,44 @@
+"""Tests for the TES3MP stub adapter."""
+
+import pytest
+
+from infrastructure.world.adapters.tes3mp import TES3MPWorldAdapter
+from infrastructure.world.types import CommandInput
+
+
+class TestTES3MPStub:
+    """Acceptance criterion: stub imports cleanly and raises NotImplementedError."""
+
+    def test_instantiates(self):
+        adapter = TES3MPWorldAdapter(host="127.0.0.1", port=25565)
+        assert adapter._host == "127.0.0.1"
+        assert adapter._port == 25565
+
+    def test_is_connected_default_false(self):
+        adapter = TES3MPWorldAdapter()
+        assert adapter.is_connected is False
+
+    def test_connect_raises(self):
+        adapter = TES3MPWorldAdapter()
+        with pytest.raises(NotImplementedError, match="connect"):
+            adapter.connect()
+
+    def test_disconnect_raises(self):
+        adapter = TES3MPWorldAdapter()
+        with pytest.raises(NotImplementedError, match="disconnect"):
+            adapter.disconnect()
+
+    def test_observe_raises(self):
+        adapter = TES3MPWorldAdapter()
+        with pytest.raises(NotImplementedError, match="observe"):
+            adapter.observe()
+
+    def test_act_raises(self):
+        adapter = TES3MPWorldAdapter()
+        with pytest.raises(NotImplementedError, match="act"):
+            adapter.act(CommandInput(action="move"))
+
+    def test_speak_raises(self):
+        adapter = TES3MPWorldAdapter()
+        with pytest.raises(NotImplementedError, match="speak"):
+            adapter.speak("Hello")

tests/loop/test_heartbeat.py

@@ -0,0 +1,176 @@
+"""Tests for Heartbeat v2 — WorldInterface-driven cognitive loop.
+
+Acceptance criteria:
+- With MockWorldAdapter: heartbeat runs, logs show observe→reason→act→reflect
+- Without adapter: existing think_once() behaviour unchanged
+- WebSocket broadcasts include current action and reasoning summary
+"""
+
+from unittest.mock import AsyncMock, patch
+
+import pytest
+
+from infrastructure.world.adapters.mock import MockWorldAdapter
+from infrastructure.world.types import ActionStatus
+from loop.heartbeat import CycleRecord, Heartbeat
+
+
+@pytest.fixture
+def mock_adapter():
+    adapter = MockWorldAdapter(
+        location="Balmora",
+        entities=["Guard", "Merchant"],
+        events=["player_entered"],
+    )
+    adapter.connect()
+    return adapter
+
+
+class TestHeartbeatWithAdapter:
+    """With MockWorldAdapter: heartbeat runs full embodied cycle."""
+
+    @pytest.mark.asyncio
+    async def test_run_once_returns_cycle_record(self, mock_adapter):
+        hb = Heartbeat(world=mock_adapter)
+        record = await hb.run_once()
+        assert isinstance(record, CycleRecord)
+        assert record.cycle_id == 1
+
+    @pytest.mark.asyncio
+    async def test_observation_populated(self, mock_adapter):
+        hb = Heartbeat(world=mock_adapter)
+        record = await hb.run_once()
+        assert record.observation["location"] == "Balmora"
+        assert "Guard" in record.observation["entities"]
+        assert "player_entered" in record.observation["events"]
+
+    @pytest.mark.asyncio
+    async def test_action_dispatched_to_world(self, mock_adapter):
+        """Act phase should dispatch to world.act() for non-idle actions."""
+        hb = Heartbeat(world=mock_adapter)
+        record = await hb.run_once()
+        # The default loop phases don't set an explicit action, so it
+        # falls through to "idle" → NOOP. That's correct behaviour —
+        # the real LLM-powered reason phase will set action metadata.
+        assert record.action_status in (
+            ActionStatus.NOOP.value,
+            ActionStatus.SUCCESS.value,
+        )
+
+    @pytest.mark.asyncio
+    async def test_reflect_notes_present(self, mock_adapter):
+        hb = Heartbeat(world=mock_adapter)
+        record = await hb.run_once()
+        assert "Balmora" in record.reflect_notes
+
+    @pytest.mark.asyncio
+    async def test_cycle_count_increments(self, mock_adapter):
+        hb = Heartbeat(world=mock_adapter)
+        await hb.run_once()
+        await hb.run_once()
+        assert hb.cycle_count == 2
+        assert len(hb.history) == 2
+
+    @pytest.mark.asyncio
+    async def test_duration_recorded(self, mock_adapter):
+        hb = Heartbeat(world=mock_adapter)
+        record = await hb.run_once()
+        assert record.duration_ms >= 0
+
+    @pytest.mark.asyncio
+    async def test_on_cycle_callback(self, mock_adapter):
+        received = []
+
+        async def callback(record):
+            received.append(record)
+
+        hb = Heartbeat(world=mock_adapter, on_cycle=callback)
+        await hb.run_once()
+        assert len(received) == 1
+        assert received[0].cycle_id == 1
+
+
+class TestHeartbeatWithoutAdapter:
+    """Without adapter: existing think_once() behaviour unchanged."""
+
+    @pytest.mark.asyncio
+    async def test_passive_cycle(self):
+        hb = Heartbeat(world=None)
+        record = await hb.run_once()
+        assert record.action_taken == "think"
+        assert record.action_status == "noop"
+        assert "Passive" in record.reflect_notes
+
+    @pytest.mark.asyncio
+    async def test_passive_no_observation(self):
+        hb = Heartbeat(world=None)
+        record = await hb.run_once()
+        assert record.observation == {}
+
+
+class TestHeartbeatLifecycle:
+    def test_interval_property(self):
+        hb = Heartbeat(interval=60.0)
+        assert hb.interval == 60.0
+        hb.interval = 10.0
+        assert hb.interval == 10.0
+
+    def test_interval_minimum(self):
+        hb = Heartbeat()
+        hb.interval = 0.1
+        assert hb.interval == 1.0
+
+    def test_world_property(self):
+        hb = Heartbeat()
+        assert hb.world is None
+        adapter = MockWorldAdapter()
+        hb.world = adapter
+        assert hb.world is adapter
+
+    def test_stop_sets_flag(self):
+        hb = Heartbeat()
+        assert not hb.is_running
+        hb.stop()
+        assert not hb.is_running
+
+
+class TestHeartbeatBroadcast:
+    """WebSocket broadcasts include action and reasoning summary."""
+
+    @pytest.mark.asyncio
+    async def test_broadcast_called(self, mock_adapter):
+        with patch(
+            "loop.heartbeat.ws_manager",
+            create=True,
+        ) as mock_ws:
+            mock_ws.broadcast = AsyncMock()
+            # Patch the import inside heartbeat
+            with patch("infrastructure.ws_manager.handler.ws_manager") as ws_mod:
+                ws_mod.broadcast = AsyncMock()
+                hb = Heartbeat(world=mock_adapter)
+                await hb.run_once()
+                ws_mod.broadcast.assert_called_once()
+                call_args = ws_mod.broadcast.call_args
+                assert call_args[0][0] == "heartbeat.cycle"
+                data = call_args[0][1]
+                assert "action" in data
+                assert "reasoning_summary" in data
+                assert "observation" in data
+
+
+class TestHeartbeatLog:
+    """Verify logging of observe→reason→act→reflect cycle."""
+
+    @pytest.mark.asyncio
+    async def test_embodied_cycle_logs(self, mock_adapter, caplog):
+        import logging
+
+        with caplog.at_level(logging.INFO):
+            hb = Heartbeat(world=mock_adapter)
+            await hb.run_once()
+
+        messages = caplog.text
+        assert "Phase 1 (Gather)" in messages
+        assert "Phase 2 (Reason)" in messages
+        assert "Phase 3 (Act)" in messages
+        assert "Heartbeat cycle #1 complete" in messages

tests/loop/test_loop_guard_corrupt_queue.py

@@ -0,0 +1,97 @@
+"""Tests for load_queue corrupt JSON handling in loop_guard.py."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+import scripts.loop_guard as lg
+
+
+@pytest.fixture(autouse=True)
+def _isolate(tmp_path, monkeypatch):
+    """Redirect loop_guard paths to tmp_path for isolation."""
+    monkeypatch.setattr(lg, "QUEUE_FILE", tmp_path / "queue.json")
+    monkeypatch.setattr(lg, "IDLE_STATE_FILE", tmp_path / "idle_state.json")
+    monkeypatch.setattr(lg, "CYCLE_RESULT_FILE", tmp_path / "cycle_result.json")
+    monkeypatch.setattr(lg, "GITEA_API", "http://test:3000/api/v1")
+    monkeypatch.setattr(lg, "REPO_SLUG", "owner/repo")
+
+
+def test_load_queue_missing_file(tmp_path):
+    """Missing queue file returns empty list."""
+    result = lg.load_queue()
+    assert result == []
+
+
+def test_load_queue_valid_data(tmp_path):
+    """Valid queue.json returns ready items."""
+    data = [
+        {"issue": 1, "title": "Ready issue", "ready": True},
+        {"issue": 2, "title": "Not ready", "ready": False},
+    ]
+    lg.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    lg.QUEUE_FILE.write_text(json.dumps(data, indent=2))
+
+    result = lg.load_queue()
+    assert len(result) == 1
+    assert result[0]["issue"] == 1
+
+
+def test_load_queue_corrupt_json_logs_warning(tmp_path, capsys):
+    """Corrupt queue.json returns empty list and logs warning."""
+    lg.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    lg.QUEUE_FILE.write_text("not valid json {{{")
+
+    result = lg.load_queue()
+    assert result == []
+
+    captured = capsys.readouterr()
+    assert "WARNING" in captured.out
+    assert "Corrupt queue.json" in captured.out
+
+
+def test_load_queue_not_a_list(tmp_path):
+    """Queue.json that is not a list returns empty list."""
+    lg.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    lg.QUEUE_FILE.write_text(json.dumps({"not": "a list"}))
+
+    result = lg.load_queue()
+    assert result == []
+
+
+def test_load_queue_no_ready_items(tmp_path):
+    """Queue with no ready items returns empty list."""
+    data = [
+        {"issue": 1, "title": "Not ready 1", "ready": False},
+        {"issue": 2, "title": "Not ready 2", "ready": False},
+    ]
+    lg.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    lg.QUEUE_FILE.write_text(json.dumps(data, indent=2))
+
+    result = lg.load_queue()
+    assert result == []
+
+
+def test_load_queue_oserror_logs_warning(tmp_path, monkeypatch, capsys):
+    """OSError when reading queue.json returns empty list and logs warning."""
+    lg.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    lg.QUEUE_FILE.write_text("[]")
+
+    # Mock Path.read_text to raise OSError
+    original_read_text = Path.read_text
+
+    def mock_read_text(self, *args, **kwargs):
+        if self.name == "queue.json":
+            raise OSError("Permission denied")
+        return original_read_text(self, *args, **kwargs)
+
+    monkeypatch.setattr(Path, "read_text", mock_read_text)
+
+    result = lg.load_queue()
+    assert result == []
+
+    captured = capsys.readouterr()
+    assert "WARNING" in captured.out
+    assert "Cannot read queue.json" in captured.out

tests/scripts/test_triage_score_validation.py

@@ -0,0 +1,159 @@
+"""Tests for queue.json validation and backup in triage_score.py."""
+
+from __future__ import annotations
+
+import json
+
+import pytest
+import scripts.triage_score as ts
+
+
+@pytest.fixture(autouse=True)
+def _isolate(tmp_path, monkeypatch):
+    """Redirect triage_score paths to tmp_path for isolation."""
+    monkeypatch.setattr(ts, "QUEUE_FILE", tmp_path / "queue.json")
+    monkeypatch.setattr(ts, "QUEUE_BACKUP_FILE", tmp_path / "queue.json.bak")
+    monkeypatch.setattr(ts, "RETRO_FILE", tmp_path / "retro" / "triage.jsonl")
+    monkeypatch.setattr(ts, "QUARANTINE_FILE", tmp_path / "quarantine.json")
+    monkeypatch.setattr(ts, "CYCLE_RETRO_FILE", tmp_path / "retro" / "cycles.jsonl")
+
+
+def test_backup_created_on_write(tmp_path):
+    """When writing queue.json, a backup should be created from previous valid file."""
+    # Create initial valid queue file
+    initial_data = [{"issue": 1, "title": "Test", "ready": True}]
+    ts.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_FILE.write_text(json.dumps(initial_data))
+
+    # Write new data
+    new_data = [{"issue": 2, "title": "New", "ready": True}]
+    ts.QUEUE_FILE.write_text(json.dumps(new_data, indent=2) + "\n")
+
+    # Manually run the backup logic as run_triage would
+    if ts.QUEUE_FILE.exists():
+        try:
+            json.loads(ts.QUEUE_FILE.read_text())
+            ts.QUEUE_BACKUP_FILE.write_text(ts.QUEUE_FILE.read_text())
+        except (json.JSONDecodeError, OSError):
+            pass
+
+    # Both files should exist with same content
+    assert ts.QUEUE_BACKUP_FILE.exists()
+    assert json.loads(ts.QUEUE_BACKUP_FILE.read_text()) == new_data
+
+
+def test_corrupt_queue_restored_from_backup(tmp_path, capsys):
+    """If queue.json is corrupt, it should be restored from backup."""
+    # Create a valid backup
+    valid_data = [{"issue": 1, "title": "Backup", "ready": True}]
+    ts.QUEUE_BACKUP_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_BACKUP_FILE.write_text(json.dumps(valid_data, indent=2) + "\n")
+
+    # Create a corrupt queue file
+    ts.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_FILE.write_text("not valid json {{{")
+
+    # Run validation and restore logic
+    try:
+        json.loads(ts.QUEUE_FILE.read_text())
+    except (json.JSONDecodeError, OSError):
+        if ts.QUEUE_BACKUP_FILE.exists():
+            try:
+                backup_data = ts.QUEUE_BACKUP_FILE.read_text()
+                json.loads(backup_data)  # Validate backup
+                ts.QUEUE_FILE.write_text(backup_data)
+                print("[triage] Restored queue.json from backup")
+            except (json.JSONDecodeError, OSError):
+                ts.QUEUE_FILE.write_text("[]\n")
+        else:
+            ts.QUEUE_FILE.write_text("[]\n")
+
+    # Queue should be restored from backup
+    assert json.loads(ts.QUEUE_FILE.read_text()) == valid_data
+    captured = capsys.readouterr()
+    assert "Restored queue.json from backup" in captured.out
+
+
+def test_corrupt_queue_no_backup_writes_empty_list(tmp_path):
+    """If queue.json is corrupt and no backup exists, write empty list."""
+    # Ensure no backup exists
+    assert not ts.QUEUE_BACKUP_FILE.exists()
+
+    # Create a corrupt queue file
+    ts.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_FILE.write_text("not valid json {{{")
+
+    # Run validation and restore logic
+    try:
+        json.loads(ts.QUEUE_FILE.read_text())
+    except (json.JSONDecodeError, OSError):
+        if ts.QUEUE_BACKUP_FILE.exists():
+            try:
+                backup_data = ts.QUEUE_BACKUP_FILE.read_text()
+                json.loads(backup_data)
+                ts.QUEUE_FILE.write_text(backup_data)
+            except (json.JSONDecodeError, OSError):
+                ts.QUEUE_FILE.write_text("[]\n")
+        else:
+            ts.QUEUE_FILE.write_text("[]\n")
+
+    # Should have empty list
+    assert json.loads(ts.QUEUE_FILE.read_text()) == []
+
+
+def test_corrupt_backup_writes_empty_list(tmp_path):
+    """If both queue.json and backup are corrupt, write empty list."""
+    # Create a corrupt backup
+    ts.QUEUE_BACKUP_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_BACKUP_FILE.write_text("also corrupt backup")
+
+    # Create a corrupt queue file
+    ts.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_FILE.write_text("not valid json {{{")
+
+    # Run validation and restore logic
+    try:
+        json.loads(ts.QUEUE_FILE.read_text())
+    except (json.JSONDecodeError, OSError):
+        if ts.QUEUE_BACKUP_FILE.exists():
+            try:
+                backup_data = ts.QUEUE_BACKUP_FILE.read_text()
+                json.loads(backup_data)
+                ts.QUEUE_FILE.write_text(backup_data)
+            except (json.JSONDecodeError, OSError):
+                ts.QUEUE_FILE.write_text("[]\n")
+        else:
+            ts.QUEUE_FILE.write_text("[]\n")
+
+    # Should have empty list
+    assert json.loads(ts.QUEUE_FILE.read_text()) == []
+
+
+def test_valid_queue_not_corrupt_no_backup_overwrite(tmp_path):
+    """Don't overwrite backup if current queue.json is corrupt."""
+    # Create a valid backup
+    valid_backup = [{"issue": 99, "title": "Old Backup", "ready": True}]
+    ts.QUEUE_BACKUP_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_BACKUP_FILE.write_text(json.dumps(valid_backup, indent=2) + "\n")
+
+    # Create a corrupt queue file
+    ts.QUEUE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    ts.QUEUE_FILE.write_text("corrupt data")
+
+    # Try to save backup (should skip because current is corrupt)
+    if ts.QUEUE_FILE.exists():
+        try:
+            json.loads(ts.QUEUE_FILE.read_text())  # This will fail
+            ts.QUEUE_BACKUP_FILE.write_text(ts.QUEUE_FILE.read_text())
+        except (json.JSONDecodeError, OSError):
+            pass  # Should hit this branch
+
+    # Backup should still have original valid data
+    assert json.loads(ts.QUEUE_BACKUP_FILE.read_text()) == valid_backup
+
+
+def test_backup_path_configuration():
+    """Ensure backup file path is properly configured relative to queue file."""
+    assert ts.QUEUE_BACKUP_FILE.parent == ts.QUEUE_FILE.parent
+    assert ts.QUEUE_BACKUP_FILE.name == "queue.json.bak"
+    assert ts.QUEUE_FILE.name == "queue.json"