feat(fleet): auto-enable units on install + drift recognizes wrapped runtimes

- mosaic fleet install now enables mosaic-tmux-holder.service and
  mosaic-agent@<name>.service via systemctl --user enable after copying
  unit files; enabling is non-fatal (warns and continues on failure)
- best-effort loginctl enable-linger for logout survival
- --no-enable flag opts out of auto-enable
- detectDrift updated to use RUNTIME_ACCEPTABLE_COMMANDS map:
  pi/codex/opencode/claude accept 'node' (mosaic yolo wrapper);
  dogfood accepts python3/python; canary-pi (runtime=pi, pane=python3)
  still correctly flags DRIFT

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RMoEx7hfdFGjUiCHuN1RRi

packages/mosaic/framework/install.sh

@@ -21,19 +21,11 @@ INSTALL_MODE="${MOSAIC_INSTALL_MODE:-prompt}"
 
 # Files/dirs preserved across upgrades (never overwritten).
 # User-created content in these paths survives rsync --delete.
-PRESERVE_PATHS=("CONSTITUTION.md" "AGENTS.md" "SOUL.md" "USER.md" "TOOLS.md" "STANDARDS.md" "memory" "sources" "credentials")
-
-# Framework-owned contract files: re-copied from defaults/ on every upgrade (the
-# user must not edit them; a divergent copy is backed up once before overwrite).
-# USER_SEEDED files are written once on first install, then owned by the user.
-# Both lists are APPEND-FRIENDLY — add a new shipped framework file here and to the
-# matching list in packages/mosaic/src/config/file-adapter.ts.
-FRAMEWORK_OWNED=("CONSTITUTION.md" "AGENTS.md" "STANDARDS.md")
-USER_SEEDED=("TOOLS.md")
+PRESERVE_PATHS=("AGENTS.md" "SOUL.md" "USER.md" "TOOLS.md" "STANDARDS.md" "memory" "sources" "credentials")
 
 # Current framework schema version — bump this when the layout changes.
 # The migration system uses this to run upgrade steps.
-FRAMEWORK_VERSION=3
+FRAMEWORK_VERSION=2
 
 # ─── colours ──────────────────────────────────────────────────────────────────
 if [[ -t 1 ]]; then
@@ -48,45 +40,6 @@ warn() { echo -e "  ${YELLOW}⚠${RESET} $1" >&2; }
 fail() { echo -e "  ${RED}✗${RESET} $1" >&2; }
 step() { echo -e "\n${BOLD}$1${RESET}"; }
 
-# ─── snapshot / restore (crash safety for upgrades) ──────────────────────────
-SNAPSHOT_DIR=""
-make_snapshot() {
-  is_existing_install || return 0
-  SNAPSHOT_DIR="$(mktemp -d "${TMPDIR:-/tmp}/mosaic-snapshot-XXXXXX")"
-  cp -a "$TARGET_DIR/." "$SNAPSHOT_DIR/" 2>/dev/null || true
-}
-restore_snapshot() {
-  [[ -n "$SNAPSHOT_DIR" && -d "$SNAPSHOT_DIR" ]] || return 0
-  fail "Install interrupted/failed — restoring previous state from snapshot"
-  rm -rf "$TARGET_DIR"; mkdir -p "$TARGET_DIR"
-  cp -a "$SNAPSHOT_DIR/." "$TARGET_DIR/" 2>/dev/null || true
-}
-cleanup_snapshot() { [[ -n "$SNAPSHOT_DIR" && -d "$SNAPSHOT_DIR" ]] && rm -rf "$SNAPSHOT_DIR"; SNAPSHOT_DIR=""; }
-
-# Reconcile contract files after sync: framework-owned overwrite (backup-once),
-# user-seeded seed-if-absent.
-reconcile_framework_files() {
-  local defaults="$TARGET_DIR/defaults" f
-  [[ -d "$defaults" ]] || return 0
-  for f in "${FRAMEWORK_OWNED[@]}"; do
-    [[ -f "$defaults/$f" ]] || continue
-    if [[ -f "$TARGET_DIR/$f" ]] && ! cmp -s "$TARGET_DIR/$f" "$defaults/$f"; then
-      if [[ ! -f "$TARGET_DIR/${f}.pre-constitution.bak" ]]; then
-        cp "$TARGET_DIR/$f" "$TARGET_DIR/${f}.pre-constitution.bak"
-        warn "$f is now framework-owned and was updated; your previous copy is saved as ${f}.pre-constitution.bak — re-apply intended changes as a .local overlay or policy/ file (see CONSTITUTION.md / constitution/LAYER-MODEL.md)."
-      fi
-    fi
-    cp "$defaults/$f" "$TARGET_DIR/$f"
-  done
-  for f in "${USER_SEEDED[@]}"; do
-    [[ -f "$defaults/$f" ]] || continue
-    if [[ ! -f "$TARGET_DIR/$f" ]]; then
-      cp "$defaults/$f" "$TARGET_DIR/$f"
-      ok "Seeded $f from defaults"
-    fi
-  done
-}
-
 # ─── helpers ──────────────────────────────────────────────────────────────────
 
 is_existing_install() {
@@ -160,14 +113,11 @@ sync_framework() {
   fi
 
   if command -v rsync >/dev/null 2>&1; then
-    local rsync_args=(-a --delete --exclude ".git" --exclude ".framework-version" --exclude "*.pre-constitution.bak")
+    local rsync_args=(-a --delete --exclude ".git" --exclude ".framework-version")
 
     if [[ "$INSTALL_MODE" == "keep" ]]; then
-      # Anchor to the transfer root (leading /) so we preserve the TOP-LEVEL
-      # ~/.config/mosaic/<file> without also excluding defaults/<file> from sync
-      # (reconcile_framework_files needs the freshly-synced defaults/ copies).
       for path in "${PRESERVE_PATHS[@]}"; do
-        rsync_args+=(--exclude "/$path")
+        rsync_args+=(--exclude "$path")
       done
     fi
 
@@ -187,7 +137,7 @@ sync_framework() {
     done
   fi
 
-  find "$TARGET_DIR" -mindepth 1 -maxdepth 1 ! -name ".git" ! -name ".framework-version" ! -name "*.pre-constitution.bak" -exec rm -rf {} +
+  find "$TARGET_DIR" -mindepth 1 -maxdepth 1 ! -name ".git" ! -name ".framework-version" -exec rm -rf {} +
   cp -R "$SOURCE_DIR"/. "$TARGET_DIR"/
   rm -rf "$TARGET_DIR/.git"
 
@@ -245,15 +195,10 @@ run_migrations() {
     fi
   fi
 
-  # ── Migration: v2 → v3 (Constitution split) ───────────────────────────────
-  # CONSTITUTION.md / AGENTS.md / STANDARDS.md become framework-owned (overwritten
-  # on upgrade). reconcile_framework_files() has already run before this point: it
-  # backed up any user-edited copy to <file>.pre-constitution.bak and installed the
-  # new framework version. Nothing further to do here — the advisory was emitted at
-  # reconcile time. (STANDARDS.local.md composition lands with the overlay composer.)
-  if [[ "$from_version" -lt 3 ]]; then
-    ok "Migrated to the Constitution layout (framework-owned CONSTITUTION/AGENTS/STANDARDS)"
-  fi
+  # ── Future migrations go here ──────────────────────────────────────────────
+  # if [[ "$from_version" -lt 3 ]]; then
+  #   ...
+  # fi
 }
 
 # ═══════════════════════════════════════════════════════════════════════════════
@@ -271,10 +216,6 @@ else
   ok "Install mode: overwrite"
 fi
 
-# Snapshot before any destructive file operation; restore on interrupt/failure.
-make_snapshot
-trap 'restore_snapshot' ERR INT TERM
-
 sync_framework
 
 # Ensure persistent directories exist
@@ -289,7 +230,15 @@ mkdir -p "$TARGET_DIR/credentials"
 # packages/mosaic/src/config/file-adapter.ts (FileConfigAdapter.syncFramework).
 # SOUL.md and USER.md are intentionally NOT seeded here — they are generated
 # by `mosaic init` from templates with user-supplied values.
-reconcile_framework_files
+DEFAULTS_DIR="$TARGET_DIR/defaults"
+if [[ -d "$DEFAULTS_DIR" ]]; then
+  for default_file in CONSTITUTION.md AGENTS.md STANDARDS.md TOOLS.md; do
+    if [[ -f "$DEFAULTS_DIR/$default_file" ]] && [[ ! -f "$TARGET_DIR/$default_file" ]]; then
+      cp "$DEFAULTS_DIR/$default_file" "$TARGET_DIR/$default_file"
+      ok "Seeded $default_file from defaults"
+    fi
+  done
+fi
 
 # Ensure tool scripts are executable
 find "$TARGET_DIR/tools" -name "*.sh" -exec chmod +x {} + 2>/dev/null || true
@@ -300,18 +249,6 @@ ok "Framework synced to $TARGET_DIR"
 # Run migrations before post-install (migrations may remove old bin/ etc.)
 run_migrations
 
-# File-system phase complete and consistent — clear the restore trap.
-trap - ERR INT TERM
-cleanup_snapshot
-
-# Testability / minimal-install hook: stop after the file-system phase, before any
-# environment-touching post-install steps (runtime linking, MCP setup, skills, doctor).
-if [[ "${MOSAIC_SYNC_ONLY:-0}" == "1" ]]; then
-  write_framework_version
-  ok "Sync-only mode: file phase complete"
-  exit 0
-fi
-
 step "Post-install tasks"
 
 SCRIPTS="$TARGET_DIR/tools/_scripts"

packages/mosaic/framework/tools/_scripts/mosaic-init

@@ -274,13 +274,6 @@ detect_existing_config
 echo "[mosaic-init] Generating SOUL.md — agent identity contract"
 echo ""
 
-# Fail-closed persona: in non-interactive mode the agent NAME must be supplied
-# explicitly (--name) — never silently ship an agent named "Assistant".
-if [[ $NON_INTERACTIVE -eq 1 && -z "$AGENT_NAME" ]]; then
-  echo "[mosaic-init] ERROR: --name (agent name) is required in non-interactive mode." >&2
-  exit 1
-fi
-
 prompt_if_empty AGENT_NAME "What name should agents use" "Assistant"
 prompt_if_empty ROLE_DESCRIPTION "Agent role description" "execution partner and visibility engine"
 

packages/mosaic/framework/tools/quality/scripts/test-install-migration.sh

@@ -1,67 +0,0 @@
-#!/usr/bin/env bash
-# test-install-migration.sh — fixture matrix for the v2→v3 (Constitution) upgrade
-# migration in install.sh. Runs the installer against throwaway MOSAIC_HOME dirs
-# with MOSAIC_SYNC_ONLY=1 (file phase only — no environment-touching post-install)
-# and asserts the framework-owned-overwrite + user-preserve + backup semantics.
-#
-# Mirrors the TS fixture suite in packages/mosaic/src/config/file-adapter.test.ts;
-# both installers MUST behave identically.
-#
-# Usage:  bash test-install-migration.sh
-set -uo pipefail
-
-FW="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../.." && pwd)"   # packages/mosaic/framework
-INSTALL="$FW/install.sh"
-DEFA="$FW/defaults"
-
-pass=0; fail=0
-chk() { if eval "$2"; then echo "  ✓ $1"; pass=$((pass + 1)); else echo "  ✗ $1"; fail=$((fail + 1)); fi; }
-run() { MOSAIC_HOME="$1" MOSAIC_INSTALL_MODE="$2" MOSAIC_SYNC_ONLY=1 bash "$INSTALL" >/dev/null 2>&1; }
-
-echo "install.sh v2→v3 migration fixture matrix:"
-
-# F1 — fresh install
-T1=$(mktemp -d); run "$T1" overwrite
-chk "F1 fresh: CONSTITUTION/AGENTS/STANDARDS/TOOLS seeded" \
-  "[ -f '$T1/CONSTITUTION.md' ] && [ -f '$T1/AGENTS.md' ] && [ -f '$T1/STANDARDS.md' ] && [ -f '$T1/TOOLS.md' ]"
-chk "F1 fresh: AGENTS == shipped default" "cmp -s '$T1/AGENTS.md' '$DEFA/AGENTS.md'"
-chk "F1 fresh: framework-version stamped 3" "[ \"\$(cat '$T1/.framework-version' 2>/dev/null)\" = 3 ]"
-
-# F2 — legacy install with a user-edited AGENTS.md (the sanctioned pre-constitution customization)
-T2=$(mktemp -d); mkdir -p "$T2/credentials"
-printf '# user-edited AGENTS pre-constitution\n' > "$T2/AGENTS.md"
-printf '# my persona\n' > "$T2/SOUL.md"
-printf 'token\n' > "$T2/credentials/c.json"
-echo 2 > "$T2/.framework-version"
-run "$T2" keep
-chk "F2 legacy-edited: AGENTS overwritten to framework version" "cmp -s '$T2/AGENTS.md' '$DEFA/AGENTS.md'"
-chk "F2 legacy-edited: prior AGENTS saved to .pre-constitution.bak" \
-  "grep -q 'user-edited AGENTS pre-constitution' '$T2/AGENTS.md.pre-constitution.bak'"
-chk "F2 legacy-edited: SOUL.md preserved" "grep -q 'my persona' '$T2/SOUL.md'"
-chk "F2 legacy-edited: credentials preserved" "grep -q token '$T2/credentials/c.json'"
-chk "F2 legacy-edited: CONSTITUTION.md installed" "[ -f '$T2/CONSTITUTION.md' ]"
-run "$T2" keep
-chk "F2 idempotent: .pre-constitution.bak preserved across a 2nd upgrade" \
-  "grep -q 'user-edited AGENTS pre-constitution' '$T2/AGENTS.md.pre-constitution.bak'"
-
-# F3 — user-tuned STANDARDS.md
-T3=$(mktemp -d); printf '# tuned standards\n' > "$T3/STANDARDS.md"; printf '# persona\n' > "$T3/SOUL.md"; echo 2 > "$T3/.framework-version"
-run "$T3" keep
-chk "F3 tuned-standard: STANDARDS overwritten" "cmp -s '$T3/STANDARDS.md' '$DEFA/STANDARDS.md'"
-chk "F3 tuned-standard: tuned copy backed up" "grep -q 'tuned standards' '$T3/STANDARDS.md.pre-constitution.bak'"
-
-# F4 — unattended / no TTY (stdin closed): must complete without hanging, default to keep
-T4=$(mktemp -d); printf '# persona\n' > "$T4/SOUL.md"; printf '# old\n' > "$T4/AGENTS.md"; echo 2 > "$T4/.framework-version"
-MOSAIC_HOME="$T4" MOSAIC_SYNC_ONLY=1 bash "$INSTALL" </dev/null >/dev/null 2>&1
-chk "F4 no-TTY: completed, AGENTS updated" "cmp -s '$T4/AGENTS.md' '$DEFA/AGENTS.md'"
-
-# F5 — failure path must not corrupt existing data (invalid mode rejected before any file op)
-T5=$(mktemp -d); mkdir -p "$T5/credentials"; printf '# orig\n' > "$T5/SOUL.md"; printf 'keepme\n' > "$T5/credentials/c.json"; echo 2 > "$T5/.framework-version"
-MOSAIC_HOME="$T5" MOSAIC_INSTALL_MODE=bogus MOSAIC_SYNC_ONLY=1 bash "$INSTALL" >/dev/null 2>&1; rc=$?
-chk "F5 failure: invalid mode rejected (nonzero exit)" "[ $rc -ne 0 ]"
-chk "F5 failure: SOUL + credentials intact" "grep -q orig '$T5/SOUL.md' && grep -q keepme '$T5/credentials/c.json'"
-
-rm -rf "$T1" "$T2" "$T3" "$T4" "$T5"
-echo
-echo "RESULT: $pass passed, $fail failed"
-[ "$fail" -eq 0 ]

packages/mosaic/framework/tools/quality/scripts/verify-sanitized.sh

@@ -53,15 +53,9 @@ _selftest() {
   local tmp; tmp="$(mktemp -d)" || return 1
   printf 'contact jason.woltje at jarvis-brain (PDA-friendly)\n' > "$tmp/planted.md"
   printf 'X="${VAR:-$HOME/src/whatever/x.json}"\n' > "$tmp/planted.sh"
-  printf 'name: jason-woltje\n' > "$tmp/planted.yaml"
-  printf '[Service]\nUser=jarvis\n' > "$tmp/planted.service"
   local rc=0
   grep -qIEi "$DENYLIST" "$tmp/planted.md" || { echo "✗ SELF-TEST: identity denylist regex broken" >&2; rc=1; }
   grep -qIE  "$STRUCTURAL_SH" "$tmp/planted.sh" || { echo "✗ SELF-TEST: structural regex broken" >&2; rc=1; }
-  # Prove the identity scan covers the config formats it claims to (yaml/service/etc).
-  local n_ext
-  n_ext=$(find "$tmp" -type f \( -name '*.yaml' -o -name '*.service' \) -print0 | xargs -0 -r grep -lIEi "$DENYLIST" 2>/dev/null | wc -l)
-  [[ "$n_ext" -eq 2 ]] || { echo "✗ SELF-TEST: identity scan does not cover .yaml/.service extensions" >&2; rc=1; }
   rm -rf "$tmp"; return $rc
 }
 _selftest || exit 2

packages/mosaic/src/commands/fleet.spec.ts

@@ -10,11 +10,14 @@ import {
   buildAgentWatchCreateViewerCommand,
   buildAgentWatchKillViewerCommand,
   buildAgentVerifyAcceptedCommand,
+  buildEnableLingerCommand,
   buildFleetServiceCommand,
+  buildSystemdEnableCommand,
   buildSystemdShowCommand,
   buildTmuxListPanesCommand,
   classifySendResult,
   detectDrift,
+  enableFleetUnits,
   generateAgentEnv,
   getDefaultOperatorSourceLabel,
   getDefaultTenantAndHost,
@@ -28,10 +31,12 @@ import {
   parseTmuxListPanes,
   registerFleetCommand,
   resolveFleetPaths,
+  RUNTIME_ACCEPTABLE_COMMANDS,
   VERIFY_DEFAULT_TIMEOUT_MS,
   VERIFY_POLL_INTERVAL_MS,
   type AgentPsRow,
   type CommandRunner,
+  type FleetRoster,
   type InteractiveRunner,
   type SleepFn,
 } from './fleet.js';
@@ -909,6 +914,118 @@ describe('fleet ps — drift detection', () => {
   it('does NOT flag drift when pane command is null (pane dead)', () => {
     expect(detectDrift('pi', null)).toBe(false);
   });
+
+  it('does NOT flag drift when pane=node for wrapped pi agent (mosaic yolo pi)', () => {
+    expect(detectDrift('pi', 'node')).toBe(false);
+  });
+
+  it('does NOT flag drift when pane=node for wrapped codex agent (mosaic yolo codex)', () => {
+    expect(detectDrift('codex', 'node')).toBe(false);
+  });
+
+  it('flags drift when pane=python3 for pi runtime (canary-pi dogfood regression guard)', () => {
+    expect(detectDrift('pi', 'python3')).toBe(true);
+  });
+
+  it('does NOT flag drift when pane=python3 for dogfood runtime', () => {
+    expect(detectDrift('dogfood', 'python3')).toBe(false);
+  });
+
+  it('flags drift for unknown pane command on known runtime', () => {
+    expect(detectDrift('claude', 'bash')).toBe(true);
+  });
+
+  it('RUNTIME_ACCEPTABLE_COMMANDS is exported and contains expected entries', () => {
+    expect(RUNTIME_ACCEPTABLE_COMMANDS['pi']).toContain('node');
+    expect(RUNTIME_ACCEPTABLE_COMMANDS['pi']).not.toContain('python3');
+    expect(RUNTIME_ACCEPTABLE_COMMANDS['dogfood']).toContain('python3');
+    expect(RUNTIME_ACCEPTABLE_COMMANDS['codex']).toContain('node');
+  });
+});
+
+describe('fleet install — auto-enable units for boot-survival', () => {
+  it('buildSystemdEnableCommand and buildEnableLingerCommand return correct command arrays', () => {
+    expect(buildSystemdEnableCommand('mosaic-tmux-holder.service')).toEqual([
+      'systemctl',
+      '--user',
+      'enable',
+      'mosaic-tmux-holder.service',
+    ]);
+    expect(buildEnableLingerCommand('testuser')).toEqual(['loginctl', 'enable-linger', 'testuser']);
+  });
+
+  it('enables holder and each agent unit via injected runner after install', async () => {
+    const minimalRoster: FleetRoster = {
+      version: 1,
+      transport: 'tmux',
+      tmux: { socketName: 'mosaic-factory', holderSession: '_holder' },
+      defaults: { workingDirectory: '~/src' },
+      runtimes: { codex: { resetCommand: '/clear' } },
+      agents: [{ name: 'coder0', runtime: 'codex', className: 'worker' }],
+    };
+
+    const calls: string[][] = [];
+    const runner: CommandRunner = async (command, args) => {
+      calls.push([command, ...args]);
+      return { stdout: '', stderr: '', exitCode: 0 };
+    };
+
+    await enableFleetUnits(runner, minimalRoster, {});
+
+    expect(calls).toContainEqual(['systemctl', '--user', 'enable', 'mosaic-tmux-holder.service']);
+    expect(calls).toContainEqual(['systemctl', '--user', 'enable', 'mosaic-agent@coder0.service']);
+  });
+
+  it('install still succeeds when systemctl enable returns non-zero (non-fatal)', async () => {
+    const minimalRoster: FleetRoster = {
+      version: 1,
+      transport: 'tmux',
+      tmux: { socketName: 'mosaic-factory', holderSession: '_holder' },
+      defaults: { workingDirectory: '~/src' },
+      runtimes: { codex: { resetCommand: '/clear' } },
+      agents: [{ name: 'coder0', runtime: 'codex', className: 'worker' }],
+    };
+
+    const calls: string[][] = [];
+    const runner: CommandRunner = async (command, args) => {
+      calls.push([command, ...args]);
+      // Simulate systemctl enable failure
+      if (command === 'systemctl' && args.includes('enable')) {
+        return { stdout: '', stderr: 'Unit not found', exitCode: 1 };
+      }
+      return { stdout: '', stderr: '', exitCode: 0 };
+    };
+
+    // Must NOT reject/throw even when enable calls fail
+    await expect(enableFleetUnits(runner, minimalRoster, {})).resolves.toBeUndefined();
+
+    // The enable attempt must have been made
+    expect(calls.some((c) => c.includes('enable'))).toBe(true);
+  });
+
+  it('--no-enable skips all systemctl enable and loginctl linger calls', async () => {
+    const minimalRoster: FleetRoster = {
+      version: 1,
+      transport: 'tmux',
+      tmux: { socketName: 'mosaic-factory', holderSession: '_holder' },
+      defaults: { workingDirectory: '~/src' },
+      runtimes: { codex: { resetCommand: '/clear' } },
+      agents: [{ name: 'coder0', runtime: 'codex', className: 'worker' }],
+    };
+
+    const calls: string[][] = [];
+    const runner: CommandRunner = async (command, args) => {
+      calls.push([command, ...args]);
+      return { stdout: '', stderr: '', exitCode: 0 };
+    };
+
+    await enableFleetUnits(runner, minimalRoster, { enable: false });
+
+    // No calls should include 'enable'
+    expect(calls.every((c) => !c.includes('enable'))).toBe(true);
+    // No loginctl calls at all
+    expect(calls.every((c) => c[0] !== 'loginctl')).toBe(true);
+  });
 });
 
 describe('fleet ps — tenant and host', () => {

packages/mosaic/src/commands/fleet.ts

@@ -210,6 +210,93 @@ export function buildFleetServiceCommand(action: FleetServiceAction, agentName?:
   return ['systemctl', '--user', action, service];
 }
 
+/**
+ * Returns the systemctl --user enable command for a given unit.
+ * Used by the install auto-enable step to persist units across reboots.
+ */
+export function buildSystemdEnableCommand(unit: string): string[] {
+  return ['systemctl', '--user', 'enable', unit];
+}
+
+/**
+ * Returns the loginctl enable-linger command for a given user.
+ * Linger allows user systemd services to survive logout.
+ */
+export function buildEnableLingerCommand(user: string): string[] {
+  return ['loginctl', 'enable-linger', user];
+}
+
+/**
+ * Enable fleet units for boot-survival after install.
+ * Non-fatal: if systemctl enable returns non-zero, a warning is printed and we continue.
+ * If opts.enable === false (--no-enable flag), the whole step is skipped.
+ */
+export async function enableFleetUnits(
+  runner: CommandRunner,
+  roster: FleetRoster,
+  opts: { enable?: boolean },
+): Promise<void> {
+  if (opts.enable === false) {
+    return;
+  }
+  try {
+    let succeeded = 0;
+    let failed = 0;
+
+    const holderResult = await runner(
+      ...splitCommand(buildSystemdEnableCommand('mosaic-tmux-holder.service')),
+    );
+    if (holderResult.exitCode === 0) {
+      succeeded++;
+    } else {
+      failed++;
+      process.stderr.write(
+        `Warning: could not enable mosaic-tmux-holder.service: ${holderResult.stderr || holderResult.stdout || 'non-zero exit'}\n`,
+      );
+    }
+
+    for (const agent of roster.agents) {
+      const unit = `mosaic-agent@${agent.name}.service`;
+      const result = await runner(...splitCommand(buildSystemdEnableCommand(unit)));
+      if (result.exitCode === 0) {
+        succeeded++;
+      } else {
+        failed++;
+        process.stderr.write(
+          `Warning: could not enable ${unit}: ${result.stderr || result.stdout || 'non-zero exit'}\n`,
+        );
+      }
+    }
+
+    if (succeeded > 0) {
+      console.log(`Enabled ${succeeded} unit(s) for boot-survival.`);
+    }
+    if (failed > 0) {
+      process.stderr.write(
+        `Warning: ${failed} unit(s) could not be enabled (systemctl unavailable?). Run manually if needed.\n`,
+      );
+    }
+
+    // Best-effort linger
+    let username: string;
+    try {
+      username = userInfo().username;
+    } catch {
+      username = process.env['USER'] ?? process.env['LOGNAME'] ?? 'unknown';
+    }
+    const lingerResult = await runner(...splitCommand(buildEnableLingerCommand(username)));
+    if (lingerResult.exitCode !== 0) {
+      process.stderr.write(
+        `Hint: run 'loginctl enable-linger ${username}' as root to survive logout.\n`,
+      );
+    }
+  } catch (err) {
+    process.stderr.write(
+      `Warning: auto-enable step failed unexpectedly: ${err instanceof Error ? err.message : String(err)}\n`,
+    );
+  }
+}
+
 export function buildAgentSendCommand(
   paths: FleetPaths,
   agentName: string,
@@ -437,32 +524,41 @@ export function parseTmuxListPanes(
   return { pid, command, dead, idleSeconds };
 }
 
+/**
+ * Maps each known runtime to the set of acceptable pane commands.
+ * A pane running any of these commands for the given runtime is NOT considered drifted.
+ * Runtimes launched via `mosaic yolo` wrap in node, so 'node' is acceptable for most.
+ * The dogfood runtime accepts python3/python (the canary-pi dogfood stub).
+ */
+export const RUNTIME_ACCEPTABLE_COMMANDS: Record<string, readonly string[]> = {
+  claude: ['claude', 'node'],
+  codex: ['codex', 'node'],
+  opencode: ['opencode', 'node'],
+  pi: ['pi', 'node'],
+  dogfood: ['python3', 'python'],
+};
+
 /**
  * Determine if there is a runtime drift: roster says one runtime but the pane
  * is actually running something from a different runtime. We detect this by
- * checking if the pane command doesn't match a known canonical command for the
+ * checking if the pane command doesn't match a known acceptable command for the
  * roster's declared runtime.
  *
- * Known canonical commands per runtime:
- *   claude → claude
- *   codex  → codex
- *   opencode → opencode
- *   pi     → pi
+ * Known acceptable commands per runtime (see RUNTIME_ACCEPTABLE_COMMANDS):
+ *   claude   → claude, node  (node covers mosaic yolo wrapper)
+ *   codex    → codex, node
+ *   opencode → opencode, node
+ *   pi       → pi, node      (python3 still flags drift for canary-pi dogfood stub)
+ *   dogfood  → python3, python
  *
  * If the pane is running something else (e.g., python3/dogfood-agent.py) for
  * an agent whose roster runtime is "pi", that's a drift.
  */
 export function detectDrift(rosterRuntime: string, paneCommand: string | null): boolean {
   if (!paneCommand) return false;
-  const knownCommands: Record<string, string[]> = {
-    claude: ['claude'],
-    codex: ['codex'],
-    opencode: ['opencode'],
-    pi: ['pi'],
-  };
-  const expected = knownCommands[rosterRuntime];
-  if (!expected) return false;
-  return !expected.includes(paneCommand);
+  const acceptable = RUNTIME_ACCEPTABLE_COMMANDS[rosterRuntime];
+  if (!acceptable) return false;
+  return !acceptable.includes(paneCommand);
 }
 
 /**
@@ -706,12 +802,22 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
   cmd
     .command('install')
     .description('Install local fleet tools and user systemd units')
-    .action(async () => installFleet(cmd, frameworkRoot));
+    .option('--no-enable', 'Skip enabling units for boot-survival')
+    .action(async (opts: { enable?: boolean }) => {
+      await installFleet(cmd, frameworkRoot);
+      const roster = await loadRosterForCommand(cmd);
+      await enableFleetUnits(runner, roster, opts);
+    });
 
   cmd
     .command('install-systemd')
     .description('Install local fleet tools and user systemd units')
-    .action(async () => installFleet(cmd, frameworkRoot));
+    .option('--no-enable', 'Skip enabling units for boot-survival')
+    .action(async (opts: { enable?: boolean }) => {
+      await installFleet(cmd, frameworkRoot);
+      const roster = await loadRosterForCommand(cmd);
+      await enableFleetUnits(runner, roster, opts);
+    });
 
   for (const action of ['start', 'stop', 'restart'] as const) {
     cmd

packages/mosaic/src/config/file-adapter.test.ts

@@ -99,8 +99,11 @@ describe('FileConfigAdapter.syncFramework — defaults seeding', () => {
     );
   });
 
-  it('overwrites framework-owned files (backup-once) but preserves user-seeded files', async () => {
-    // Plant a root-level AGENTS.md in sourceDir so syncDirectory's preserve is exercised.
+  it('preserves existing contract files — never overwrites user customization', async () => {
+    // Also plant a root-level AGENTS.md in sourceDir so that `syncDirectory`
+    // itself (not just the seed loop) has something to try to overwrite.
+    // Without this, the test would silently pass even if preserve semantics
+    // were broken in syncDirectory.
     writeFileSync(join(fixture.sourceDir, 'AGENTS.md'), '# shipped AGENTS from source root\n');
 
     writeFileSync(join(fixture.mosaicHome, 'TOOLS.md'), '# user-customized TOOLS\n');
@@ -109,50 +112,18 @@ describe('FileConfigAdapter.syncFramework — defaults seeding', () => {
     const adapter = new FileConfigAdapter(fixture.mosaicHome, fixture.sourceDir);
     await adapter.syncFramework('keep');
 
-    // User-seeded TOOLS.md is preserved.
     expect(readFileSync(join(fixture.mosaicHome, 'TOOLS.md'), 'utf-8')).toBe(
       '# user-customized TOOLS\n',
     );
-    // Framework-owned AGENTS.md is overwritten from defaults/ ...
-    expect(readFileSync(join(fixture.mosaicHome, 'AGENTS.md'), 'utf-8')).toBe('# AGENTS default\n');
-    // ... and the user's prior copy is backed up exactly once.
-    expect(readFileSync(join(fixture.mosaicHome, 'AGENTS.md.pre-constitution.bak'), 'utf-8')).toBe(
+    expect(readFileSync(join(fixture.mosaicHome, 'AGENTS.md'), 'utf-8')).toBe(
       '# user-customized AGENTS\n',
     );
-    // Framework-owned STANDARDS.md (absent) gets installed.
+    // And the missing contract file still gets seeded.
     expect(readFileSync(join(fixture.mosaicHome, 'STANDARDS.md'), 'utf-8')).toContain(
       '# STANDARDS default',
     );
   });
 
-  it('backs up a divergent framework-owned file only once (idempotent across re-sync)', async () => {
-    writeFileSync(join(fixture.mosaicHome, 'AGENTS.md'), '# user-customized AGENTS\n');
-    const adapter = new FileConfigAdapter(fixture.mosaicHome, fixture.sourceDir);
-
-    await adapter.syncFramework('keep'); // 1st: backup created, AGENTS overwritten
-    await adapter.syncFramework('keep'); // 2nd: AGENTS already == default, no new backup
-
-    expect(readFileSync(join(fixture.mosaicHome, 'AGENTS.md.pre-constitution.bak'), 'utf-8')).toBe(
-      '# user-customized AGENTS\n',
-    );
-  });
-
-  it('preserves SOUL.md and credentials through a framework-owned overwrite', async () => {
-    writeFileSync(join(fixture.mosaicHome, 'SOUL.md'), '# my persona\n');
-    writeFileSync(join(fixture.mosaicHome, 'AGENTS.md'), '# user-customized AGENTS\n');
-    mkdirSync(join(fixture.mosaicHome, 'credentials'), { recursive: true });
-    writeFileSync(join(fixture.mosaicHome, 'credentials', 'c.json'), 'token\n');
-
-    const adapter = new FileConfigAdapter(fixture.mosaicHome, fixture.sourceDir);
-    await adapter.syncFramework('keep');
-
-    expect(readFileSync(join(fixture.mosaicHome, 'SOUL.md'), 'utf-8')).toBe('# my persona\n');
-    expect(readFileSync(join(fixture.mosaicHome, 'credentials', 'c.json'), 'utf-8')).toBe(
-      'token\n',
-    );
-    expect(readFileSync(join(fixture.mosaicHome, 'AGENTS.md'), 'utf-8')).toBe('# AGENTS default\n');
-  });
-
   it('is a no-op for seeding when defaults/ dir does not exist', async () => {
     rmSync(fixture.defaultsDir, { recursive: true });
 

packages/mosaic/src/config/file-adapter.ts

@@ -13,17 +13,12 @@ import { join } from 'node:path';
  * This list must match the explicit seed loop in
  * packages/mosaic/framework/install.sh.
  */
-// Framework-owned contract files: re-copied from defaults/ on every upgrade (a
-// divergent existing copy is backed up once to <file>.pre-constitution.bak first).
-// MUST match FRAMEWORK_OWNED in packages/mosaic/framework/install.sh (append-friendly).
-export const FRAMEWORK_OWNED_FILES = ['CONSTITUTION.md', 'AGENTS.md', 'STANDARDS.md'] as const;
-
-// User-seeded contract files: written once on first install, then owned by the user.
-// MUST match USER_SEEDED in packages/mosaic/framework/install.sh.
-export const USER_SEEDED_FILES = ['TOOLS.md'] as const;
-
-// Union, retained for callers/tests that assert the full seed set on a fresh install.
-export const DEFAULT_SEED_FILES = [...FRAMEWORK_OWNED_FILES, ...USER_SEEDED_FILES] as const;
+export const DEFAULT_SEED_FILES = [
+  'CONSTITUTION.md',
+  'AGENTS.md',
+  'STANDARDS.md',
+  'TOOLS.md',
+] as const;
 import type { ConfigService, ConfigSection, ResolvedConfig } from './config-service.js';
 import type { SoulConfig, UserConfig, ToolsConfig, InstallAction } from '../types.js';
 import { soulSchema, userSchema, toolsSchema } from './schemas.js';
@@ -164,7 +159,6 @@ export class FileConfigAdapter implements ConfigService {
     const preservePaths =
       action === 'keep' || action === 'reconfigure'
         ? [
-            'CONSTITUTION.md',
             'AGENTS.md',
             'SOUL.md',
             'USER.md',
@@ -181,10 +175,10 @@ export class FileConfigAdapter implements ConfigService {
       excludeGit: true,
     });
 
-    // Reconcile framework-contract files from framework/defaults/ into the mosaic
-    // home root: framework-owned files (CONSTITUTION/AGENTS/STANDARDS) are overwritten
-    // every upgrade (backup-once); user-seeded files (TOOLS) are written on first
-    // install only. Mirrors reconcile_framework_files() in install.sh.
+    // Copy framework-contract files (AGENTS.md, STANDARDS.md, TOOLS.md)
+    // from framework/defaults/ into the mosaic home root if they don't
+    // exist yet. These are written on first install only and are never
+    // overwritten afterwards — the user may have customized them.
     //
     // SOUL.md and USER.md are deliberately NOT seeded here. They are
     // generated from templates by the soul/user wizard stages with
@@ -192,20 +186,7 @@ export class FileConfigAdapter implements ConfigService {
     // identity flow and leak placeholder content into the mosaic home.
     const defaultsDir = join(this.sourceDir, 'defaults');
     if (existsSync(defaultsDir)) {
-      // Framework-owned: overwrite from defaults/ every sync; back up a divergent
-      // existing copy ONCE to <file>.pre-constitution.bak before the first overwrite.
-      for (const entry of FRAMEWORK_OWNED_FILES) {
-        const src = join(defaultsDir, entry);
-        const dest = join(this.mosaicHome, entry);
-        if (!existsSync(src) || !statSync(src).isFile()) continue;
-        const bak = `${dest}.pre-constitution.bak`;
-        if (existsSync(dest) && !readFileSync(src).equals(readFileSync(dest)) && !existsSync(bak)) {
-          copyFileSync(dest, bak);
-        }
-        copyFileSync(src, dest);
-      }
-      // User-seeded: write only if absent.
-      for (const entry of USER_SEEDED_FILES) {
+      for (const entry of DEFAULT_SEED_FILES) {
         const src = join(defaultsDir, entry);
         const dest = join(this.mosaicHome, entry);
         if (existsSync(dest)) continue;