feat: harden Bezalel tailscale bootstrap packet (#535)

docs/BEZALEL_TAILSCALE_BOOTSTRAP.md

@@ -0,0 +1,96 @@
+# Bezalel Tailscale Bootstrap
+
+Refs #535
+
+This is the repo-side operator packet for installing Tailscale on the Bezalel VPS and verifying the internal network path for federation work.
+
+Important truth:
+- issue #535 names `104.131.15.18`
+- older Bezalel control-plane docs also mention `159.203.146.185`
+- the current source of truth in this repo is `ansible/inventory/hosts.ini`, which currently resolves `bezalel` to `67.205.155.108`
+
+Because of that drift, `scripts/bezalel_tailscale_bootstrap.py` now resolves the target host from `ansible/inventory/hosts.ini` by default instead of trusting a stale hardcoded IP.
+
+## What the script does
+
+`python3 scripts/bezalel_tailscale_bootstrap.py`
+
+Safe by default:
+- builds the remote bootstrap script
+- writes it locally to `/tmp/bezalel_tailscale_bootstrap.sh`
+- prints the SSH command needed to run it
+- does **not** touch the VPS unless `--apply` is passed
+
+When applied, the remote script does all of the issue’s repo-side bootstrap steps:
+- installs Tailscale
+- runs `tailscale up --ssh --hostname bezalel`
+- appends the provided Mac SSH public key to `~/.ssh/authorized_keys`
+- prints `tailscale status --json`
+- pings the expected peer targets:
+  - Mac: `100.124.176.28`
+  - Ezra: `100.126.61.75`
+
+## Required secrets / inputs
+
+- Tailscale auth key
+- Mac SSH public key
+
+Provide them either directly or through files:
+- `--auth-key` or `--auth-key-file`
+- `--ssh-public-key` or `--ssh-public-key-file`
+
+## Dry-run example
+
+```bash
+python3 scripts/bezalel_tailscale_bootstrap.py \
+  --auth-key-file ~/.config/tailscale/auth_key \
+  --ssh-public-key-file ~/.ssh/id_ed25519.pub \
+  --json
+```
+
+This prints:
+- resolved host
+- host source (`inventory:<path>` when pulled from `ansible/inventory/hosts.ini`)
+- local script path
+- SSH command to execute
+- peer targets
+
+## Apply example
+
+```bash
+python3 scripts/bezalel_tailscale_bootstrap.py \
+  --auth-key-file ~/.config/tailscale/auth_key \
+  --ssh-public-key-file ~/.ssh/id_ed25519.pub \
+  --apply \
+  --json
+```
+
+## Verifying success after apply
+
+The script now parses the remote stdout into structured verification data:
+- `verification.tailscale.self.tailscale_ips`
+- `verification.tailscale.self.dns_name`
+- `verification.peers`
+- `verification.ping_ok`
+
+A successful run should show:
+- at least one Bezalel Tailscale IP under `tailscale_ips`
+- `ping_ok.mac = 100.124.176.28`
+- `ping_ok.ezra = 100.126.61.75`
+
+## Expected remote install commands
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh
+tailscale up --ssh --hostname bezalel
+install -d -m 700 ~/.ssh
+touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+tailscale status --json
+```
+
+## Why this PR does not claim live completion
+
+This repo can safely ship the bootstrap script, host resolution logic, structured proof parsing, and operator packet.
+It cannot honestly claim that Bezalel was actually joined to the tailnet unless a human/operator runs the script with a real auth key and real SSH access to the VPS.
+
+That means the correct PR language for #535 is advancement, not pretend closure.

docs/RUNBOOK_INDEX.md

@@ -14,6 +14,7 @@ Quick-reference index for common operational tasks across the Timmy Foundation i
 | Agent scorecard | fleet-ops | `python3 scripts/agent_scorecard.py` |
 | View fleet manifest | fleet-ops | `cat manifest.yaml` |
 | Run nightly codebase genome pass | timmy-home | `python3 scripts/codebase_genome_nightly.py --dry-run` |
+| Prepare Bezalel Tailscale bootstrap | timmy-home | `python3 scripts/bezalel_tailscale_bootstrap.py --auth-key-file <path> --ssh-public-key-file <path> --json` |
 
 ## the-nexus (Frontend + Brain)
 

scripts/agent-dispatch.sh

@@ -1,111 +0,0 @@
-#!/bin/bash
-# ============================================================================
-# Agent Dispatch — One-shot prompt generator for fleet workers
-# ============================================================================
-# Refs: timmy-home #512
-#
-# Packages context, token, repo, issue, and Git/Gitea commands into a
-# copy-pasteable prompt for any agent (Claude, Sonnet, Kimi, Grok, etc.).
-#
-# Usage:
-#   scripts/agent-dispatch.sh <agent> <repo> <issue#> [<org>]
-#
-# Supported agents:
-#   sonnet, claude, kimi, grok, gemini, ezra, bezalel, allegro, timmy
-#
-# Example:
-#   scripts/agent-dispatch.sh sonnet the-nexus 844 Timmy_Foundation
-# ============================================================================
-
-set -euo pipefail
-
-AGENT="${1:-}"
-REPO="${2:-}"
-ISSUE="${3:-}"
-ORG="${4:-Timmy_Foundation}"
-
-TOKEN="${GITEA_TOKEN:-$(cat ~/.config/gitea/token 2>/dev/null || true)}"
-FORGE="https://forge.alexanderwhitestone.com"
-
-if [ -z "$AGENT" ] || [ -z "$REPO" ] || [ -z "$ISSUE" ]; then
-    echo "Usage: $0 <agent> <repo> <issue#> [<org>]"
-    echo ""
-    echo "Supported agents:"
-    echo "  sonnet    — Anthropic Claude Sonnet (cloud, high-reasoning)"
-    echo "  claude    — Anthropic Claude (general)"
-    echo "  kimi      — Moonshot Kimi K2.5 (cloud, long-context)"
-    echo "  grok      — xAI Grok (cloud, real-time)"
-    echo "  gemini    — Google Gemini (cloud, multimodal)"
-    echo "  ezra      — Local archivist house (read-before-write)"
-    echo "  bezalel   — Local artificer house (proof-required)"
-    echo "  allegro   — Local dispatch house (tempo-and-routing)"
-    echo "  timmy     — Local sovereign house (final review)"
-    exit 1
-fi
-
-# Validate agent
-VALID_AGENTS="sonnet claude kimi grok gemini ezra bezalel allegro timmy"
-if ! echo "$VALID_AGENTS" | grep -qw "$AGENT"; then
-    echo "ERROR: Unknown agent '$AGENT'"
-    echo "Valid agents: $VALID_AGENTS"
-    exit 1
-fi
-
-# Fetch issue details
-if [ -n "$TOKEN" ]; then
-    ISSUE_JSON=$(curl -s -H "Authorization: token ${TOKEN}" \
-        "${FORGE}/api/v1/repos/${ORG}/${REPO}/issues/${ISSUE}" 2>/dev/null || true)
-    ISSUE_TITLE=$(echo "$ISSUE_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('title',''))" 2>/dev/null || true)
-    ISSUE_BODY=$(echo "$ISSUE_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('body',''))" 2>/dev/null || true)
-else
-    echo "WARNING: No Gitea token found. Issue details will be blank."
-    ISSUE_TITLE=""
-    ISSUE_BODY=""
-fi
-
-cat <<EOF
-================================================================================
-  DISPATCH PROMPT — ${AGENT} → ${ORG}/${REPO}#${ISSUE}
-================================================================================
-
-Agent: ${AGENT}
-Repo:  ${ORG}/${REPO}
-Issue: #${ISSUE}
-Title: ${ISSUE_TITLE}
-
---- ISSUE BODY ---
-${ISSUE_BODY}
-
---- INSTRUCTIONS ---
-
-1. Clone the repo:
-   git clone --depth 1 "https://\${TOKEN}@forge.alexanderwhitestone.com/${ORG}/${REPO}.git"
-   cd ${REPO}
-
-2. Create branch:
-   git checkout -b ${AGENT}/${REPO}-${ISSUE}
-
-3. Read the issue, implement the fix or feature.
-
-4. Test your changes locally.
-
-5. Commit and push:
-   git add -A
-   git commit -m "[${AGENT}] ${ISSUE_TITLE} (#${ISSUE})"
-   git push origin ${AGENT}/${REPO}-${ISSUE}
-
-6. Open PR via Gitea API:
-   curl -X POST \\
-     -H "Authorization: token \${TOKEN}" \\
-     -H "Content-Type: application/json" \\
-     "${FORGE}/api/v1/repos/${ORG}/${REPO}/pulls" \\
-     -d '{"title":"[${AGENT}] ${ISSUE_TITLE}","head":"${AGENT}/${REPO}-${ISSUE}","base":"main","body":"Closes #${ISSUE}"}'
-
-7. File new issues for anything discovered.
-
-Token: \${GITEA_TOKEN} or ~/.config/gitea/token
-Forge: ${FORGE}
-
-Sovereignty and service always.
-================================================================================
-EOF

scripts/bezalel_tailscale_bootstrap.py

@@ -16,11 +16,14 @@ import argparse
 import json
 import shlex
 import subprocess
+import re
+from json import JSONDecoder
 from pathlib import Path
 from typing import Any
 
-DEFAULT_HOST = "159.203.146.185"
+DEFAULT_HOST = "67.205.155.108"
 DEFAULT_HOSTNAME = "bezalel"
+DEFAULT_INVENTORY_PATH = Path(__file__).resolve().parents[1] / "ansible" / "inventory" / "hosts.ini"
 DEFAULT_PEERS = {
     "mac": "100.124.176.28",
     "ezra": "100.126.61.75",
@@ -66,6 +69,37 @@ def parse_tailscale_status(payload: dict[str, Any]) -> dict[str, Any]:
     }
 
 
+def resolve_host(host: str | None, inventory_path: Path = DEFAULT_INVENTORY_PATH, hostname: str = DEFAULT_HOSTNAME) -> tuple[str, str]:
+    if host:
+        return host, "explicit"
+    if inventory_path.exists():
+        pattern = re.compile(rf"^{re.escape(hostname)}\s+.*ansible_host=([^\s]+)")
+        for line in inventory_path.read_text().splitlines():
+            match = pattern.search(line.strip())
+            if match:
+                return match.group(1), f"inventory:{inventory_path}"
+    return DEFAULT_HOST, "default"
+
+
+def parse_apply_output(stdout: str) -> dict[str, Any]:
+    result: dict[str, Any] = {"tailscale": None, "ping_ok": {}}
+    text = stdout or ""
+    start = text.find("{")
+    if start != -1:
+        try:
+            payload, _ = JSONDecoder().raw_decode(text[start:])
+            if isinstance(payload, dict):
+                result["tailscale"] = parse_tailscale_status(payload)
+        except Exception:
+            pass
+
+    for line in text.splitlines():
+        if line.startswith("PING_OK:"):
+            _, name, ip = line.split(":", 2)
+            result["ping_ok"][name] = ip
+    return result
+
+
 def build_ssh_command(host: str, remote_script_path: str = "/tmp/bezalel_tailscale_bootstrap.sh") -> list[str]:
     return ["ssh", host, f"bash {shlex.quote(remote_script_path)}"]
 
@@ -89,8 +123,9 @@ def parse_peer_args(items: list[str]) -> dict[str, str]:
 
 def parse_args() -> argparse.Namespace:
     parser = argparse.ArgumentParser(description="Prepare or execute Tailscale bootstrap for the Bezalel VPS.")
-    parser.add_argument("--host", default=DEFAULT_HOST)
+    parser.add_argument("--host")
     parser.add_argument("--hostname", default=DEFAULT_HOSTNAME)
+    parser.add_argument("--inventory-path", type=Path, default=DEFAULT_INVENTORY_PATH)
     parser.add_argument("--auth-key", help="Tailscale auth key")
     parser.add_argument("--auth-key-file", type=Path, help="Path to file containing the Tailscale auth key")
     parser.add_argument("--ssh-public-key", help="SSH public key to append to authorized_keys")
@@ -116,6 +151,7 @@ def main() -> None:
     auth_key = _read_secret(args.auth_key, args.auth_key_file)
     ssh_public_key = _read_secret(args.ssh_public_key, args.ssh_public_key_file)
     peers = parse_peer_args(args.peer)
+    resolved_host, host_source = resolve_host(args.host, args.inventory_path, args.hostname)
 
     if not auth_key:
         raise SystemExit("Missing Tailscale auth key. Use --auth-key or --auth-key-file.")
@@ -126,28 +162,31 @@ def main() -> None:
     write_script(args.script_out, script)
 
     payload: dict[str, Any] = {
-        "host": args.host,
+        "host": resolved_host,
+        "host_source": host_source,
         "hostname": args.hostname,
+        "inventory_path": str(args.inventory_path),
         "script_out": str(args.script_out),
         "remote_script_path": args.remote_script_path,
-        "ssh_command": build_ssh_command(args.host, args.remote_script_path),
+        "ssh_command": build_ssh_command(resolved_host, args.remote_script_path),
         "peer_targets": peers,
         "applied": False,
     }
 
     if args.apply:
-        result = run_remote(args.host, args.remote_script_path)
+        result = run_remote(resolved_host, args.remote_script_path)
         payload["applied"] = True
         payload["exit_code"] = result.returncode
         payload["stdout"] = result.stdout
         payload["stderr"] = result.stderr
+        payload["verification"] = parse_apply_output(result.stdout)
 
     if args.json:
         print(json.dumps(payload, indent=2))
         return
 
     print("--- Bezalel Tailscale Bootstrap ---")
-    print(f"Host: {args.host}")
+    print(f"Host: {resolved_host} ({host_source})")
     print(f"Local script: {args.script_out}")
     print("SSH command: " + " ".join(payload["ssh_command"]))
     if args.apply:

scripts/sonnet-smoke-test.sh

@@ -1,195 +0,0 @@
-#!/bin/bash
-# ============================================================================
-# Sonnet Workforce Smoke Test
-# ============================================================================
-# Refs: timmy-home #512
-#
-# Validates that the Sonnet workforce agent can perform the full
-# clone → code → commit → push → PR workflow via Gitea HTTP.
-#
-# Usage:
-#   scripts/sonnet-smoke-test.sh [--cleanup]
-#
-# Exit codes:
-#   0 — all checks passed
-#   1 — one or more checks failed
-# ============================================================================
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-TOKEN="${GITEA_TOKEN:-$(cat ~/.config/gitea/token 2>/dev/null || true)}"
-FORGE="https://forge.alexanderwhitestone.com"
-ORG="Timmy_Foundation"
-REPO="timmy-home"
-TEST_BRANCH="smoke/sonnet-$(date +%s)"
-
-# Colors
-GREEN='\\033[0;32m'
-RED='\\033[0;31m'
-YELLOW='\\033[0;33m'
-NC='\\033[0m'
-
-PASS=0
-FAIL=0
-
-log_pass() { echo -e "${GREEN}✓${NC} $1"; PASS=$((PASS + 1)); }
-log_fail() { echo -e "${RED}✗${NC} $1"; FAIL=$((FAIL + 1)); }
-log_info() { echo -e "${YELLOW}▶${NC} $1"; }
-
-# ── Prerequisites ──────────────────────────────────────────────────────────────────────────────────────
-
-log_info "Checking prerequisites..."
-
-if [ -z "$TOKEN" ]; then
-    log_fail "Gitea token not found (checked GITEA_TOKEN env and ~/.config/gitea/token)"
-    exit 1
-fi
-
-if ! command -v git &>/dev/null; then
-    log_fail "git not installed"
-    exit 1
-fi
-
-if ! command -v curl &>/dev/null; then
-    log_fail "curl not installed"
-    exit 1
-fi
-
-if ! command -v python3 &>/dev/null; then
-    log_fail "python3 not installed"
-    exit 1
-fi
-
-log_pass "Prerequisites OK"
-
-# ── 1. Clone via Gitea HTTP ───────────────────────────────────────────────────────────────────────────────────────────────────────
-
-log_info "Step 1: Clone repo via Gitea HTTP..."
-
-TMPDIR=$(mktemp -d)
-CLONE_URL="${FORGE}/${ORG}/${REPO}.git"
-
-cd "$TMPDIR"
-if git clone --depth 1 "https://${TOKEN}@${FORGE#https://}/${ORG}/${REPO}.git" smoke-clone 2>/dev/null; then
-    log_pass "Clone via Gitea HTTP"
-else
-    log_fail "Clone via Gitea HTTP"
-    rm -rf "$TMPDIR"
-    exit 1
-fi
-
-# ── 2. Commit ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-
-log_info "Step 2: Create branch and commit..."
-
-cd "$TMPDIR/smoke-clone"
-git checkout -b "$TEST_BRANCH" 2>/dev/null || true
-
-# Make a harmless change
-printf "# Sonnet smoke test marker\\n# timestamp: %s\\n" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > SONNET_SMOKE_MARKER.md
-git add SONNET_SMOKE_MARKER.md
-
-if git -c user.email="sonnet@timmy.local" -c user.name="Sonnet Smoke Test" \
-   commit -m "test: sonnet smoke test marker" 2>/dev/null; then
-    log_pass "Commit created"
-else
-    log_fail "Commit failed"
-    rm -rf "$TMPDIR"
-    exit 1
-fi
-
-# ── 3. Push ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-
-log_info "Step 3: Push branch..."
-
-if git push origin "$TEST_BRANCH" 2>/dev/null; then
-    log_pass "Push to origin"
-else
-    log_fail "Push to origin"
-    rm -rf "$TMPDIR"
-    exit 1
-fi
-
-# ── 4. Create PR ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-
-log_info "Step 4: Create PR via Gitea API..."
-
-PR_RESPONSE=$(curl -s -X POST \
-    -H "Authorization: token ${TOKEN}" \
-    -H "Content-Type: application/json" \
-    "${FORGE}/api/v1/repos/${ORG}/${REPO}/pulls" \
-    -d "{
-      \"title\": \"test: sonnet smoke test ${TEST_BRANCH}\",
-      \"head\": \"${TEST_BRANCH}\",
-      \"base\": \"main\",
-      \"body\": \"Automated smoke test verifying Sonnet can clone, commit, push, and open a PR.\\n\\nRefs #512\"
-    }" 2>/dev/null)
-
-PR_NUMBER=$(echo "$PR_RESPONSE" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('number',''))")
-
-if [ -n "$PR_NUMBER" ] && [ "$PR_NUMBER" != "None" ]; then
-    log_pass "PR created (#${PR_NUMBER})"
-    PR_URL="${FORGE}/${ORG}/${REPO}/pulls/${PR_NUMBER}"
-    echo "  URL: $PR_URL"
-else
-    log_fail "PR creation failed"
-    echo "  Response: $PR_RESPONSE"
-    rm -rf "$TMPDIR"
-    exit 1
-fi
-
-# ── 5. Verify PR exists ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-
-log_info "Step 5: Verify PR exists via API..."
-
-PR_CHECK=$(curl -s -H "Authorization: token ${TOKEN}" \
-    "${FORGE}/api/v1/repos/${ORG}/${REPO}/pulls/${PR_NUMBER}" 2>/dev/null)
-
-PR_STATE=$(echo "$PR_CHECK" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('state',''))")
-
-if [ "$PR_STATE" = "open" ]; then
-    log_pass "PR verified open via API"
-else
-    log_fail "PR state is '$PR_STATE', expected 'open'"
-fi
-
-# ── Cleanup (optional) ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-
-if [ "${1:-}" = "--cleanup" ]; then
-    log_info "Cleaning up smoke test artifacts..."
-    curl -s -X PATCH -H "Authorization: token ${TOKEN}" \
-        -H "Content-Type: application/json" \
-        "${FORGE}/api/v1/repos/${ORG}/${REPO}/pulls/${PR_NUMBER}" \
-        -d '{"state":"closed"}' >/dev/null 2>&1 || true
-    git push origin --delete "$TEST_BRANCH" 2>/dev/null || true
-    log_pass "Cleanup complete"
-fi
-
-rm -rf "$TMPDIR"
-
-# ── Summary ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-
-echo ""
-echo "================================================================"
-echo "  Sonnet Smoke Test Summary"
-echo "================================================================"
-echo -e "  Passed: ${GREEN}${PASS}${NC}"
-echo -e "  Failed: ${RED}${FAIL}${NC}"
-echo ""
-
-if [ "$FAIL" -gt 0 ]; then
-    echo -e "${RED}RESULT: FAILED${NC}"
-    exit 1
-else
-    echo -e "${GREEN}RESULT: PASSED${NC}"
-    echo ""
-    echo "Sonnet workforce is verified end-to-end:"
-    echo "  ✓ Clone via Gitea HTTP"
-    echo "  ✓ Branch + commit"
-    echo "  ✓ Push to origin"
-    echo "  ✓ Open PR via API"
-    echo "  ✓ Verify PR state"
-    exit 0
-fi

tests/test_bezalel_tailscale_bootstrap.py

@@ -2,9 +2,12 @@ from scripts.bezalel_tailscale_bootstrap import (
     DEFAULT_PEERS,
     build_remote_script,
     build_ssh_command,
+    parse_apply_output,
     parse_peer_args,
     parse_tailscale_status,
+    resolve_host,
 )
+from pathlib import Path
 
 
 def test_build_remote_script_contains_install_up_and_key_append():
@@ -78,3 +81,46 @@ def test_parse_peer_args_merges_overrides_into_defaults():
         "ezra": "100.126.61.76",
         "forge": "100.70.0.9",
     }
+
+
+def test_resolve_host_prefers_inventory_over_stale_default(tmp_path: Path):
+    inventory = tmp_path / "hosts.ini"
+    inventory.write_text(
+        "[fleet]\n"
+        "ezra ansible_host=143.198.27.163 ansible_user=root\n"
+        "bezalel ansible_host=67.205.155.108 ansible_user=root\n"
+    )
+
+    host, source = resolve_host(None, inventory)
+
+    assert host == "67.205.155.108"
+    assert source == f"inventory:{inventory}"
+
+
+def test_parse_apply_output_extracts_status_and_ping_markers():
+    stdout = (
+        '{"Self": {"HostName": "bezalel", "DNSName": "bezalel.tailnet.ts.net", "TailscaleIPs": ["100.90.0.10"]}, '
+        '"Peer": {"node-1": {"HostName": "ezra", "TailscaleIPs": ["100.126.61.75"]}}}'
+        "\nPING_OK:mac:100.124.176.28\n"
+        "PING_OK:ezra:100.126.61.75\n"
+    )
+
+    result = parse_apply_output(stdout)
+
+    assert result["tailscale"]["self"]["tailscale_ips"] == ["100.90.0.10"]
+    assert result["ping_ok"] == {"mac": "100.124.176.28", "ezra": "100.126.61.75"}
+
+
+def test_runbook_doc_exists_and_mentions_inventory_auth_and_peer_checks():
+    doc = Path("docs/BEZALEL_TAILSCALE_BOOTSTRAP.md")
+    assert doc.exists(), "missing docs/BEZALEL_TAILSCALE_BOOTSTRAP.md"
+    text = doc.read_text()
+    assert "ansible/inventory/hosts.ini" in text
+    assert "tailscale up" in text
+    assert "authorized_keys" in text
+    assert "100.124.176.28" in text
+    assert "100.126.61.75" in text
+
+    runbook = Path("docs/RUNBOOK_INDEX.md").read_text()
+    assert "Prepare Bezalel Tailscale bootstrap" in runbook
+    assert "scripts/bezalel_tailscale_bootstrap.py" in runbook

uni-wizard/v4/uni_wizard/__init__.py

@@ -38,7 +38,6 @@ class House(Enum):
     EZRA = "ezra"        # Archivist, reader
     BEZALEL = "bezalel"  # Artificer, builder
     ALLEGRO = "allegro"  # Tempo-and-dispatch, connected
-    SONNET = "sonnet"    # Anthropic Claude Sonnet (cloud, high-reasoning)
 
 
 class Mode(Enum):