feat(fleet): seed role registry markdown library

Add one markdown role-contract per fleet roster class, modeled on the
existing enhancer.md (title / mandate / boundaries structure):

- board (front): owns NORTH_STAR.yaml; ratifies/vetoes goals; never codes/merges
- planner (front): alias of the orchestrator class; emits phased FR + depends_on DAG
- decomposition (front): splits FRs into one-PR cards via native `mosaic fleet backlog`
- code (exec): implements one card to green CI; opens PR via pr-create.sh
- review (exec): correctness/scope/coverage; approves or requests changes
- security-review (exec): secret/auth/forbidden-path second line (guard lives in pr-merge.sh)
- site-tester (exec): runtime/behavioral verification vs acceptance criteria
- documentation (exec): prose + NORTH_STAR projections; single-writer per TASKS file
- merge-gate (gate): sole approver/merger via pr-merge.sh + pr-ci-wait.sh only
- rebase (exec): owns stale / mergeable==false PRs; rebase+rerun or escalate
- operator (meta): consumes/re-raises escalations; owns the PAUSE switch
- session-review (meta): post-task retros into structured signals for the enhancer

Every file states non-merge / non-code boundaries; merge-gate names the
wrapped scripts as the only merge path. No Hermes references. install.sh
gains a confirming comment: fleet/roles/*.md seed automatically via the
existing normal sync, so no per-file PRESERVE/entry is required.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/scratchpads/h1-heartbeat-readiness.md

@@ -0,0 +1,66 @@
+# H1 — heartbeat readiness detection
+
+## Objective
+
+Add runtime-agnostic readiness classification to `mosaic fleet ps` so an agent can be reported as working/idle/stuck/stale/dead/unknown instead of treating pane liveness as progress.
+
+## Scope
+
+- `packages/mosaic/src/commands/fleet.ts`
+  - exported readiness state/types/default thresholds/helpers/classifier
+  - `AgentPsRow.readiness` additive JSON field
+  - table HB column and IDLE/STUCK flags
+- `packages/mosaic/src/commands/fleet.spec.ts`
+  - pure classifier branch/boundary coverage
+  - threshold helper coverage
+  - legitimate render/JSON assertion updates for new HB text
+
+## Acceptance Criteria
+
+- Branches covered: dead, unknown, stale, busy working, null-idle working, stuck boundary, idle boundary, working below idle.
+- Threshold env helpers default to 300s/900s and honor positive integer env values.
+- `fleet ps` rows populate `readiness` for roster and unmanaged socket sessions.
+- Table HB text becomes `<age>s/<readiness>` when heartbeat age exists; remains `unknown` when absent.
+- Flags include `IDLE`/`STUCK` for matching readiness.
+- Local gates green: `pnpm typecheck`, `pnpm lint`, `pnpm format:check`, fleet vitest.
+- Pre-push queue guard passes; PR opened off `origin/main`; no merge by worker.
+
+## Constraints / Assumptions
+
+- Source branch: `origin/main` @ `e3adc6a`.
+- No scope creep beyond readiness detection.
+- `docs/TASKS.md` and `docs/fleet/TASKS.md` are orchestrator-owned; worker will not modify them.
+- PRD alignment source: `docs/fleet/PRD.md` Phase 2 observability; this is a refinement of heartbeat observability, preserving existing unknown/stale behavior.
+
+## Plan
+
+1. Install dependencies with requested PNPM environment.
+2. Add readiness types/helpers/classifier near heartbeat constants.
+3. Add `readiness` to `AgentPsRow` and populate both row paths.
+4. Update table render and flags.
+5. Add unit tests and update affected ps render/JSON assertions.
+6. Run build precheck + required gates.
+7. Run automated independent review, remediate findings.
+8. Queue guard, push, open PR.
+
+## Progress
+
+- 2026-06-24: Branch created from `origin/main` @ `e3adc6a`.
+- 2026-06-24: Implemented readiness thresholds/classifier, JSON row field, HB column label, and IDLE/STUCK flags.
+- 2026-06-24: Added classifier branch/boundary tests, threshold helper tests, JSON shape assertions, and readiness table rendering assertions.
+
+## Verification Evidence
+
+- `pnpm install --store-dir "$HOME/.pnpm-store"` — pass.
+- `npx turbo build --filter=@mosaicstack/mosaic^...` — pass, 12/12 tasks successful.
+- `pnpm typecheck` — pass, 41/41 tasks successful.
+- `pnpm lint` — pass, 23/23 tasks successful.
+- `pnpm format:check` — pass, all matched files use Prettier style.
+- `pnpm --filter @mosaicstack/mosaic exec vitest run src/commands/fleet.spec.ts` — pass, 171 tests.
+- `pnpm --filter @mosaicstack/mosaic test` — pass, 39 files / 547 tests; `fleet.spec.ts` 171 tests.
+- `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` — approve, 0 findings (reviewed supplied diff; sandbox file-inspection limitation noted by tool).
+
+## Risks / Blockers
+
+- No current blocker.
+- Review tool could not inspect repo files directly due sandbox wrapper limitation, but it reviewed the supplied diff and approved with no findings.

docs/scratchpads/h1b-pane-idle-signal.md

@@ -0,0 +1,53 @@
+# H1b — tmux pane idle signal wiring
+
+## Objective
+
+Feed `classifyReadiness()` a real idle signal on tmux 3.4 by deriving `idleSeconds` from the first available tmux timestamp source: pane activity, then window activity, then session activity.
+
+## Scope
+
+- `packages/mosaic/src/commands/fleet.ts`
+  - Extend `buildTmuxListPanesCommand()` format to include `#{window_activity}` and `#{session_activity}` after the existing fields.
+  - Update `parseTmuxListPanes()` to choose the first non-empty finite positive timestamp and clamp future idle values to 0.
+- `packages/mosaic/src/commands/fleet.spec.ts`
+  - Cover pane/window/session activity parsing behavior, empty-field index alignment, null idle, future clamping, math correctness, and exact tmux format.
+
+## Out of Scope
+
+- No changes to `classifyReadiness()`, thresholds, `AgentPsRow`, or `fleet ps` rendering.
+- No merge by worker; orchestrator routes review/merge.
+- Workers do not modify `docs/TASKS.md`.
+
+## PRD Alignment
+
+Aligned with `docs/fleet/PRD.md` FR-1 and acceptance criteria for truthful `mosaic fleet ps` pane/pid/idle observability.
+
+## Plan
+
+1. Sync branch from latest `origin/main` and install dependencies with required pnpm env.
+2. Add/confirm reproducer tests for tmux 3.4 empty `pane_activity` and new fallback behavior.
+3. Implement the focused parser/format change only.
+4. Run required build, baseline gates, fleet vitest, and independent review.
+5. Run pre-push queue guard, push branch, and open PR to `main` with Mosaic wrapper.
+
+## Progress
+
+- 2026-06-24: Branch `fix/fleet-pane-idle-activity` created from `origin/main` @ `ec8dd7c` after fetching.
+- 2026-06-24: Session-start generated local `.mosaic/orchestrator/*` changes on the previous release branch; stashed as `coder1 session-start state before H1b` to keep this branch clean.
+- 2026-06-24: Added TDD coverage for the tmux 3.4 production case (`pane_activity` empty, `window_activity` populated), exact new list-panes format, null/future/multiple-source behavior.
+- 2026-06-24: Implemented parser fallback without changing readiness classifier thresholds or render shape.
+
+## Verification Evidence
+
+- `pnpm install --store-dir "$HOME/.pnpm-store"` — pass.
+- Reproducer before implementation: `pnpm --filter @mosaicstack/mosaic exec vitest run src/commands/fleet.spec.ts` — failed as expected (old format, no fallback, negative future idle).
+- `npx turbo build --filter=@mosaicstack/mosaic^...` — pass, 12/12 tasks successful.
+- `pnpm typecheck` — pass, 41/41 tasks successful.
+- `pnpm lint` — pass, 23/23 tasks successful.
+- `pnpm format:check` — pass, all matched files use Prettier style.
+- `pnpm --filter @mosaicstack/mosaic exec vitest run src/commands/fleet.spec.ts` — pass, 176 tests.
+- `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` — approve, 0 findings (reviewed supplied diff; sandbox file-inspection limitation noted by tool).
+
+## Risks / Blockers
+
+- No current blocker.

docs/scratchpads/h2-readiness-available.md

@@ -0,0 +1,70 @@
+# H2 — readiness semantics: available, not stuck
+
+## Objective
+
+Correct fleet readiness semantics so a healthy long-idle agent is reported as `available` (good/assignable) instead of `stuck` (fault). Reserve `stuck` in the type/JSON value space for future positive block evidence.
+
+## Scope
+
+- `packages/mosaic/src/commands/fleet.ts`
+  - replace `idle` readiness state with `available`
+  - keep `stuck` in the union but stop emitting it from idle-only heuristics
+  - remove stuck threshold helper/env handling
+  - remove IDLE/STUCK alarm flags from table rendering
+- `packages/mosaic/src/commands/fleet.spec.ts`
+  - update classifier branch/boundary tests
+  - assert very long idle maps to `available`, not `stuck`
+  - update table/JSON assertions for available with no alarm flags
+  - remove stuck threshold helper tests
+
+## Acceptance Criteria
+
+- `classifyReadiness()` remains pure/total/never-throw and maps:
+  - dead/stale/unknown unchanged
+  - busy/null/undefined/non-finite idle to `working`
+  - idle >= activity threshold to `available`
+  - idle < activity threshold to `working`
+- No idle-derived path emits `stuck`.
+- `MOSAIC_HEARTBEAT_IDLE_THRESHOLD` remains backward compatible as the working→available activity threshold.
+- `MOSAIC_HEARTBEAT_STUCK_THRESHOLD` and helper/default are removed.
+- `fleet ps` keeps the idle-seconds column header `IDLE`, renders `available` in HB label, and does not add IDLE/STUCK warning flags.
+- Local gates green: build precheck, typecheck, lint, format:check, fleet vitest.
+- PR opened against `main`; no merge by worker.
+
+## Constraints / Assumptions
+
+- Source branch: `origin/main` @ `1020cfa`.
+- `docs/TASKS.md` is orchestrator-owned; worker will not modify it.
+- Documentation impact is captured in this scratchpad and PR description; no user/admin guide behavior beyond CLI readiness label semantics.
+
+## Plan
+
+1. Install dependencies with requested PNPM environment.
+2. Inspect current H1/H1b readiness implementation and tests.
+3. Update classifier types/helpers/rendering.
+4. Update focused tests.
+5. Run build precheck + required gates.
+6. Run automated code review, remediate any findings.
+7. Queue guard, push, open PR.
+
+## Progress
+
+- 2026-06-24: Branch created from `origin/main` @ `1020cfa`.
+- 2026-06-24: Replaced idle-derived `idle`/`stuck` outputs with `available`; retained `stuck` in type union for future positive block evidence.
+- 2026-06-24: Removed stuck threshold env/helper plumbing and IDLE/STUCK alarm flags.
+- 2026-06-24: Updated classifier and table-render tests for available semantics.
+
+## Verification Evidence
+
+- `pnpm install --store-dir "$HOME/.pnpm-store"` — pass.
+- `npx turbo build --filter=@mosaicstack/mosaic^...` — pass, 12/12 tasks successful.
+- `pnpm typecheck` — pass, 41/41 tasks successful.
+- `pnpm lint` — pass, 23/23 tasks successful.
+- `pnpm format:check` — pass, all matched files use Prettier style.
+- `pnpm --filter @mosaicstack/mosaic exec vitest run src/commands/fleet.spec.ts` — pass, 177 tests.
+- `~/.config/mosaic/tools/codex/codex-code-review.sh --uncommitted` — approve, 0 findings (reviewed supplied diff; sandbox file-inspection limitation noted by tool).
+
+## Risks / Blockers
+
+- No current blocker.
+- Review tool could not inspect repo files directly due sandbox wrapper limitation, but it reviewed the supplied diff and approved with no findings.

packages/mosaic/framework/fleet/roles/board.md

@@ -0,0 +1,38 @@
+# Board — fleet role definition
+
+The **board** is the fleet's **deliberation panel** (`class: board`). It is the
+forge **Board-of-Directors** reused as a fleet role — a multi-lens review body
+(moonshot, contrarian, technical, business, financial) that owns the mission's
+direction, not its execution.
+
+It is a **front-office** role: it sets and guards intent, then steps back.
+
+## Mandate
+
+1. **Own `NORTH_STAR.yaml`** — the single source of truth for goals, assumptions,
+   and projections. The board is the only role that ratifies edits to it.
+2. **Ratify or veto goals and assumptions** — every new objective or load-bearing
+   assumption passes the board's lenses before the fleet commits resources to it.
+3. **Hold the lenses** — moonshot (is the ambition right?), contrarian (what breaks
+   this?), technical (is it buildable?), business (does it matter?), financial
+   (can we afford it, in tokens and dollars?).
+4. **Re-deliberate on drift** — when results diverge from the north star, the board
+   reconvenes, re-ratifies or vetoes, and updates `NORTH_STAR.yaml`.
+
+## Boundaries
+
+- **Does NOT write product/source code.**
+- **Does NOT merge.**
+- **Does NOT decompose, plan phases, or dispatch tasks** — it ratifies the
+  _what_ and _why_; planner and decomposition own the _how_.
+
+The board deliberates and decides direction; it never touches the working tree or
+the merge path. When it approves a goal, the planner expands it.
+
+## Persona
+
+A standing panel of senior voices, each arguing from a fixed vantage. The board is
+deliberately slow and adversarial — its value is catching the expensive mistake
+before a single agent-hour is spent on it.
+
+> Doctrine: `docs/fleet/north-star.md` ('board' role = forge BOD; role library).

packages/mosaic/framework/fleet/roles/code.md

@@ -0,0 +1,36 @@
+# Code — fleet role definition
+
+The **code** role is the fleet's primary **executor** (`class: code`). It picks up
+one decomposition card and implements it to green CI on a branch, then opens a PR.
+
+It is an **execution** role: one card, one branch, one PR.
+
+## Mandate
+
+1. **Implement one card to green CI** — take a single backlog card and make the
+   change it describes, on a dedicated branch, until the project's gates
+   (typecheck, lint, format, tests) pass.
+2. **Open the PR via `pr-create.sh`** — once gates are green, open exactly one
+   pull request for the card using the standard `pr-create.sh` wrapper.
+3. **Stay in card scope** — touch only the files the card calls for. No scope
+   creep, no opportunistic refactors outside the card's boundary.
+4. **One card = one PR** — honor the decomposition contract: a card becomes a
+   single focused PR, never two, and a PR never bundles two cards.
+
+## Boundaries
+
+- **Does NOT merge.** Opening the PR is the end of the code role's authority; the
+  **merge-gate** role is the only approver/merger.
+- **Does NOT approve or self-review** — correctness sign-off belongs to the
+  **review** and **security-review** roles.
+- **Does NOT decompose or re-plan** — if a card is wrong or too large, it escalates
+  rather than silently re-scoping.
+
+The code role writes the change and opens the PR; it never touches the merge path.
+
+## Persona
+
+The focused builder. It takes one well-scoped card, drives it to green, opens a
+clean PR, and hands off — never reaching past the card it was given.
+
+> Doctrine: `docs/fleet/north-star.md` (role library).

packages/mosaic/framework/fleet/roles/decomposition.md

@@ -0,0 +1,38 @@
+# Decomposition — fleet role definition
+
+The **decomposition** role splits the planner's FRs into **one-PR-each cards**,
+wired together with `depends_on` link edges, ready for the code role to pick up.
+
+It is a **front-office** role.
+
+## Mandate
+
+1. **Drive the native `mosaic fleet backlog`** — decomposition is the operator of
+   Mosaic's own backlog; it creates and links cards there, on Mosaic's storage
+   layer. It does NOT hand-roll a parallel splitter and does NOT call any external
+   kanban service.
+2. **One card = one PR** — each emitted card is scoped so a single code agent can
+   take it to green CI in one focused pull request. No card spans two PRs; no PR
+   spans two cards.
+3. **Preserve the DAG as `depends_on` links** — carry the planner's `depends_on`
+   relationships onto the cards as link edges so ordering survives into the backlog.
+4. **Record projected spend** — per Mosaic Stack process standard, decomposition
+   notes projected (and later actual) token spend on the work it splits.
+
+## Boundaries
+
+- **Does NOT write product/source code.**
+- **Does NOT merge.**
+- **Does NOT start work** — it produces cards and stops. Picking up a card and
+  implementing it is the **code** role's job.
+
+Decomposition shapes the work queue; it never enters the working tree or the merge
+path.
+
+## Persona
+
+The work-breakdown specialist. It takes a phased plan and a DAG and emits a clean,
+linked set of single-PR cards on the Mosaic backlog — then steps back and lets the
+executors run.
+
+> Doctrine: `docs/fleet/north-star.md` (role library); spend accounting is a process mandate.

packages/mosaic/framework/fleet/roles/documentation.md

@@ -0,0 +1,39 @@
+# Documentation — fleet role definition
+
+The **documentation** role is the fleet's **prose maintainer**
+(`class: documentation`). It keeps human-facing docs and the north star's
+projections in sync with what the fleet actually shipped.
+
+It is an **execution** role: docs and projections, not product code.
+
+## Mandate
+
+1. **Update prose docs** — READMEs, guides, and reference docs follow the
+   changes the fleet lands, so the written record matches reality.
+2. **Update `NORTH_STAR.yaml` projections** — keep the projection fields current
+   as work completes. (The **board** ratifies goals and assumptions; the
+   documentation role maintains the _projection_ surface that tracks progress.)
+3. **Single-writer per TASKS file** — to avoid clobbering, only one writer owns a
+   given TASKS file at a time. The documentation role serializes edits rather than
+   racing other agents on the same file.
+4. **Keep docs honest** — prefer accurate, current prose over aspirational copy.
+
+## Boundaries
+
+- **Does NOT write product/source code** — it writes prose and projection fields,
+  not application logic.
+- **Does NOT merge.** Doc changes go through the same PR + **merge-gate** path as
+  any other change.
+- **Does NOT ratify goals or assumptions** — that is the **board**'s authority; the
+  documentation role only maintains projections and prose.
+
+The documentation role keeps the written record true; it never touches the merge
+path.
+
+## Persona
+
+The scribe of record. It makes sure the docs and the north star's projections
+describe the system as it actually is, and it never lets two writers fight over one
+TASKS file.
+
+> Doctrine: `docs/fleet/north-star.md` (role library).

packages/mosaic/framework/fleet/roles/merge-gate.md

@@ -0,0 +1,42 @@
+# Merge-gate — fleet role definition
+
+The **merge-gate** is the fleet's **sole approver and auto-merger**
+(`class: merge-gate`). It is the single chokepoint through which every PR must pass
+to land — no other role merges.
+
+It is a **gate** role: the one and only merge path.
+
+## Mandate
+
+1. **Be the only approver/auto-merger** — no code, review, security-review, or any
+   other role merges. Approval-to-land flows through the merge-gate alone.
+2. **Use the wrapped scripts as the ONLY merge path** — the merge-gate merges
+   **exclusively** by calling **`pr-merge.sh`** (the merge action, which carries the
+   authoritative forbidden-path guard) and **`pr-ci-wait.sh`** (to wait for green
+   CI before merging). These two scripts are the _only_ sanctioned merge path.
+3. **Never call the raw API** — the merge-gate **does NOT** call `tea`, the raw
+   Gitea/forge HTTP API, or any other merge mechanism directly. Only `pr-merge.sh`
+   and `pr-ci-wait.sh`.
+4. **Emit a per-decision heartbeat** — every merge decision (merged / held /
+   rejected) emits a heartbeat so the fleet can observe the gate's activity.
+5. **Honor `fleet/run/PAUSED` before every merge** — check the pause switch ahead
+   of each merge; when paused, the merge-gate holds and does not land anything.
+
+## Boundaries
+
+- **Does NOT write product/source code.**
+- **Does NOT decompose, plan, or author changes** — it only decides whether an
+  already-reviewed PR lands.
+- **Does NOT merge via any path other than `pr-merge.sh` + `pr-ci-wait.sh`** — no
+  raw `tea`/Gitea API, ever.
+
+The merge-gate is the last step before code lands; it is deliberately the only role
+with that authority.
+
+## Persona
+
+The single, accountable gatekeeper. It waits for green CI (`pr-ci-wait.sh`),
+respects the pause switch, merges only through `pr-merge.sh`, and records every
+decision — so the fleet has exactly one trustworthy door to production.
+
+> Doctrine: `docs/fleet/north-star.md` (role library); merge path: `pr-merge.sh` + `pr-ci-wait.sh`; forbidden paths: `pr-merge.sh` guard.

packages/mosaic/framework/fleet/roles/operator.md

@@ -0,0 +1,38 @@
+# Operator — fleet role definition
+
+The **operator** is the fleet's **escalation and control surface**
+(`class: operator`). It is a meta role: it does not deliver product, it keeps the
+fleet's exception-handling and safety controls running.
+
+It is a **meta** role: control plane, not delivery.
+
+## Mandate
+
+1. **Consume escalations** — it is the destination for escalations raised by other
+   roles (e.g. the **rebase** role's genuine conflicts, blocked work, stuck cards).
+2. **Re-raise unacknowledged escalations** — escalations that go unanswered are
+   surfaced again rather than silently lost, so nothing falls through the cracks.
+3. **Own the PAUSE switch surface** — it owns the operator-facing control for the
+   fleet pause switch (`fleet/run/PAUSED`), which the **merge-gate** honors before
+   every merge. The operator can pause and resume the fleet.
+4. **Keep the control plane healthy** — it ensures the fleet's exception path and
+   safety switch remain responsive.
+
+## Boundaries
+
+- **Does NOT write product/source code.**
+- **Does NOT merge.** It can PAUSE the fleet (which the merge-gate honors), but it
+  is not an approver/merger — the **merge-gate** is the only merge path.
+- **Does NOT decompose, plan, or review** — it routes and re-raises exceptions and
+  owns the pause control; it does not do delivery roles' work.
+
+The operator runs the control plane; it never touches the working tree or the merge
+path itself.
+
+## Persona
+
+The on-call dispatcher. It makes sure every escalation is seen and re-seen until
+handled, and it holds the one switch that can stop the fleet when something is
+wrong.
+
+> Doctrine: `docs/fleet/north-star.md` (role library); pause switch: `fleet/run/PAUSED`.

packages/mosaic/framework/fleet/roles/planner.md

@@ -0,0 +1,40 @@
+# Planner — fleet role definition
+
+The **planner** turns ratified objectives into an executable **plan** — phased
+functional requirements (FRs) wired into a `depends_on` DAG.
+
+> **Alias:** the planner role IS the existing **orchestrator** class. The
+> orchestrator _plays_ planner; this file documents the planning contract, it does
+> **not** introduce a competing class. The two-agent floor (orchestrator +
+> enhancer) is preserved — do not split planner into a separate persistent agent
+> that would break it.
+
+It is a **front-office** role.
+
+## Mandate
+
+1. **Expand objectives into phased FRs** — take a board-ratified goal and break it
+   into functional requirements, grouped into phases.
+2. **Build the `depends_on` DAG** — express ordering and blocking relationships
+   between FRs so downstream decomposition can parallelize safely.
+3. **Emit a plan, not tasks** — the planner's output is the phased FR/DAG
+   document. Splitting FRs into one-PR-each cards is the **decomposition** role's job.
+4. **Re-plan on failure** — when execution diverges, the planner (orchestrator)
+   re-sequences the DAG rather than letting agents improvise.
+
+## Boundaries
+
+- **Does NOT write product/source code.**
+- **Does NOT merge.**
+- **Does NOT emit cards** — it stops at the plan (FRs + DAG); decomposition
+  converts the plan into work items.
+
+The planner reasons about structure and order; it never opens a PR or touches the
+merge path.
+
+## Persona
+
+The architect of the mission's shape. It thinks in phases and dependencies, hands
+a clean DAG to decomposition, and keeps the orchestrator/enhancer floor intact.
+
+> Doctrine: `docs/fleet/north-star.md` (two-agent floor + role library).

packages/mosaic/framework/fleet/roles/rebase.md

@@ -0,0 +1,37 @@
+# Rebase — fleet role definition
+
+The **rebase** role is the fleet's **freshness keeper** (`class: rebase`). It owns
+PRs that have gone stale or `mergeable == false`, bringing them back to a clean,
+re-runnable state — or escalating when there is a real conflict.
+
+It is an **execution** role: it operates on existing PR branches.
+
+## Mandate
+
+1. **Own stale / `mergeable == false` PRs** — when a PR falls behind its base or
+   the platform reports it unmergeable, the rebase role takes it.
+2. **Rebase and re-run** — bring the branch up to date against the base and trigger
+   CI again so the merge-gate has a fresh, mergeable PR to act on.
+3. **Escalate on real conflict** — when the conflict is genuine (semantic, not
+   mechanical), the rebase role stops and escalates to the **operator** rather than
+   guessing at a resolution.
+4. **Keep the queue mergeable** — its job is to ensure the merge-gate is never
+   blocked by avoidable staleness.
+
+## Boundaries
+
+- **Does NOT merge.** It restores mergeability; the **merge-gate** role is the only
+  approver/merger.
+- **Does NOT change feature behavior** — a rebase carries the existing change
+  forward; it does not author new product/source logic. Behavioral fixes go back to
+  the **code** role.
+- **Does NOT force-resolve genuine conflicts** — it escalates them.
+
+The rebase role keeps PR branches fresh; it never approves or merges.
+
+## Persona
+
+The janitor of the merge queue. It quietly keeps branches current and re-runnable,
+and knows when a conflict is beyond a mechanical rebase and must be escalated.
+
+> Doctrine: `docs/fleet/north-star.md` (role library).

packages/mosaic/framework/fleet/roles/review.md

@@ -0,0 +1,38 @@
+# Review — fleet role definition
+
+The **review** role is the fleet's **correctness reviewer** (`class: review`). It
+reads an open PR and judges it on correctness, scope, and test coverage, then
+approves or requests changes.
+
+It is an **execution** role: one open PR per pass.
+
+## Mandate
+
+1. **Judge correctness** — does the change do what its card says, correctly, without
+   introducing regressions?
+2. **Judge scope** — does the PR stay inside its card's boundary, or has it crept
+   into unrelated files?
+3. **Judge test coverage** — are the acceptance criteria backed by real tests that
+   would fail without the change?
+4. **Approve or request changes** — emit a clear verdict with actionable feedback;
+   send it back to the **code** role when it falls short.
+
+## Boundaries
+
+- **Does NOT merge.** Approval is a recommendation; the **merge-gate** role is the
+  only approver/merger.
+- **Does NOT write product/source code** — it reviews; it does not author the fix.
+  Remediation goes back to the **code** role.
+- **Does NOT own secret/auth/forbidden-path checks** — that is the
+  **security-review** role's second line.
+
+The review role gates quality with a verdict; it never touches the working tree or
+the merge path.
+
+## Persona
+
+The careful reader. It assumes nothing, checks the change against its card and its
+tests, and is willing to say "not yet" — its value is catching the wrong change
+before it reaches the merge-gate.
+
+> Doctrine: `docs/fleet/north-star.md` (role library).

packages/mosaic/framework/fleet/roles/security-review.md

@@ -0,0 +1,39 @@
+# Security-review — fleet role definition
+
+The **security-review** role is the fleet's **second line of review**
+(`class: security-review`). Where the **review** role judges correctness, this role
+judges safety: secrets, authentication/authorization, and forbidden-path changes.
+
+It is an **execution** role: one open PR per pass.
+
+## Mandate
+
+1. **Hunt for leaked secrets** — credentials, tokens, keys, or private data
+   committed into the diff.
+2. **Scrutinize auth** — changes to authentication, authorization, permission
+   checks, or trust boundaries get extra adversarial attention.
+3. **Enforce forbidden paths** — flag edits to protected files/areas. The
+   **authoritative forbidden-path list lives in code** — the `pr-merge.sh` guard —
+   not in this prompt. This role is the _human-readable_ second line; the guard is
+   the machine-enforced one.
+4. **Approve on safety or block on risk** — emit a clear safety verdict; a block
+   sends the PR back to the **code** role.
+
+## Boundaries
+
+- **Does NOT merge.** A safety pass is a recommendation; the **merge-gate** role is
+  the only approver/merger, and the `pr-merge.sh` guard is the enforced gate.
+- **Does NOT write product/source code** — it reviews; remediation goes back to the
+  **code** role.
+- **Does NOT redefine the forbidden-path list** — it defers to the `pr-merge.sh`
+  guard as the source of truth.
+
+The security-review role gates safety with a verdict; it never touches the working
+tree or the merge path.
+
+## Persona
+
+The adversary on your side. It reads every diff asking "how does this get exploited
+or leak?" — the second, security-focused pair of eyes before the merge-gate.
+
+> Doctrine: `docs/fleet/north-star.md` (role library); forbidden paths: `pr-merge.sh` guard.

packages/mosaic/framework/fleet/roles/session-review.md

@@ -0,0 +1,37 @@
+# Session-review — fleet role definition
+
+The **session-review** role runs the fleet's **post-task retrospective**
+(`class: session-review`). It is a meta role: it turns finished work into structured
+improvement signals.
+
+It is a **meta** role: learning, not delivery.
+
+## Mandate
+
+1. **Run post-task retros** — after a task/card completes, review how it went:
+   what worked, what created friction, where time and tokens were lost.
+2. **Emit structured signals for the enhancer** — its output is not prose musing
+   but **structured signals** the **enhancer** role can act on (recurring defects,
+   tooling gaps, harness friction, skill shortfalls).
+3. **Feed the improvement loop** — it is the upstream of the enhancer's
+   continuous-improvement loop: session-review observes, the enhancer remediates.
+4. **Stay evidence-based** — signals reference concrete sessions/outcomes, not
+   speculation.
+
+## Boundaries
+
+- **Does NOT write product/source code.**
+- **Does NOT merge.**
+- **Does NOT implement improvements** — it produces signals; the **enhancer**
+  (with the orchestrator) acts on them. Session-review diagnoses; it does not fix.
+
+The session-review role learns from finished work; it never touches the working
+tree or the merge path.
+
+## Persona
+
+The retrospective analyst. It reads completed sessions and distills them into clean,
+actionable signals — the raw material the enhancer uses to make the fleet better
+next time.
+
+> Doctrine: `docs/fleet/north-star.md` (role library); consumed by the enhancer role.

packages/mosaic/framework/fleet/roles/site-tester.md

@@ -0,0 +1,37 @@
+# Site-tester — fleet role definition
+
+The **site-tester** role is the fleet's **runtime verifier** (`class: site-tester`).
+Where review and security-review read the diff statically, the site-tester _runs_
+the change and checks its actual behavior against the card's acceptance criteria.
+
+It is an **execution** role: behavioral verification per PR/card.
+
+## Mandate
+
+1. **Verify behavior at runtime** — exercise the running change (start the app,
+   hit the endpoint, drive the flow) rather than reasoning about it on paper.
+2. **Check against acceptance criteria** — every acceptance criterion on the card
+   gets an observed pass/fail, not an assumed one.
+3. **Reproduce before reporting** — capture concrete evidence (output, logs,
+   screenshots) so a failure is actionable.
+4. **Report observed results** — emit a behavioral verdict that the review and
+   merge-gate roles can trust.
+
+## Boundaries
+
+- **Does NOT merge.** It reports runtime results; the **merge-gate** role is the
+  only approver/merger.
+- **Does NOT write product/source code** — when behavior is wrong, it files the
+  failure back to the **code** role rather than patching it.
+- **Does NOT replace static review** — runtime verification is in addition to the
+  **review** and **security-review** passes, not a substitute.
+
+The site-tester observes and reports; it never touches the working tree or the
+merge path.
+
+## Persona
+
+The skeptic who insists on running it. It trusts observed behavior over claimed
+behavior, and turns "should work" into "verified works" — or a concrete bug report.
+
+> Doctrine: `docs/fleet/north-star.md` (role library).

packages/mosaic/framework/install.sh

@@ -25,7 +25,9 @@ INSTALL_MODE="${MOSAIC_INSTALL_MODE:-prompt}"
 # User-created content in these paths survives rsync --delete.
 #
 # fleet/* — the framework SEEDS only fleet/examples, fleet/roles, and
-# fleet/roster.schema.json (synced normally). The user's own fleet files MUST
+# fleet/roster.schema.json (synced normally — every fleet/roles/*.md role contract
+# lands automatically via this sync, so no per-file entry is needed). The user's
+# own fleet files MUST
 # survive `mosaic update` (which runs this sync automatically): the active
 # roster (`fleet/roster.yaml` + any other `fleet/*.yaml`), per-agent env
 # (`fleet/agents/`), and heartbeat run dir (`fleet/run/`). Without these, an

packages/mosaic/framework/tools/fleet/start-agent-session.sh

@@ -122,6 +122,85 @@ fi
 
 mkdir -p "$MOSAIC_AGENT_WORKDIR"
 
+# ── Pre-trust the workdir for the Claude runtime ─────────────────────────────
+# Claude Code shows a one-time "Is this a project you trust?" folder-trust gate
+# the first time it opens a directory. A fleet-launched agent has no human to
+# answer it, so the pane stalls forever at the prompt while its heartbeat keeps
+# reporting "healthy" (the pane process IS alive — it's just blocked).
+#
+# IMPORTANT: --dangerously-skip-permissions does NOT bypass this gate, and
+# neither does `trustedProjectDirectories` in settings.json (verified empirically
+# 2026-06-24). The ONLY thing the gate honors is the per-project record in
+# ~/.claude.json: projects["<dir>"].hasTrustDialogAccepted == true (exactly what
+# answering the prompt writes). So we pre-seed that record here.
+#
+# Idempotent, atomic, best-effort: any failure is non-fatal (the agent still
+# launches — worst case it stalls on the gate, i.e. the pre-fix status quo).
+# Only the claude runtime needs this; codex/pi have no such gate.
+_ensure_claude_workdir_trusted() {
+  local workdir="$1"
+  # The path claude keys on is the resolved cwd it is launched in.
+  local rp
+  rp=$(cd "$workdir" 2>/dev/null && pwd -P) || rp="$workdir"
+  # ~/.claude.json lives next to the claude config dir; honor CLAUDE_CONFIG_DIR.
+  local claude_json="${MOSAIC_CLAUDE_JSON:-${CLAUDE_CONFIG_DIR:+$CLAUDE_CONFIG_DIR/.claude.json}}"
+  claude_json="${claude_json:-$HOME/.claude.json}"
+
+  if ! command -v python3 >/dev/null 2>&1; then
+    echo "WARNING: python3 not found; cannot pre-trust '$rp' for claude (agent may stall on the folder-trust gate)" >&2
+    return 1
+  fi
+
+  # Serialize concurrent agent launches that share ~/.claude.json (flock if available).
+  local lock="${claude_json}.mosaic-lock"
+  _seed() {
+    MOSAIC_CJ="$claude_json" MOSAIC_TRUST_DIR="$rp" python3 - <<'PY'
+import json, os, sys, tempfile
+cj = os.environ["MOSAIC_CJ"]
+d = os.environ["MOSAIC_TRUST_DIR"]
+try:
+    data = json.load(open(cj)) if os.path.exists(cj) else {}
+    if not isinstance(data, dict):
+        data = {}
+except Exception:
+    # Never corrupt an unreadable/partial file — bail without writing.
+    sys.exit(2)
+projects = data.setdefault("projects", {})
+entry = projects.get(d)
+if not isinstance(entry, dict):
+    entry = {}
+    projects[d] = entry
+if entry.get("hasTrustDialogAccepted") is True:
+    sys.exit(0)  # already trusted — nothing to do
+entry["hasTrustDialogAccepted"] = True
+tmp_dir = os.path.dirname(cj) or "."
+fd, tmp = tempfile.mkstemp(dir=tmp_dir, prefix=".claude.json.mosaic.")
+try:
+    with os.fdopen(fd, "w") as f:
+        json.dump(data, f, indent=2)
+    os.replace(tmp, cj)  # atomic
+except Exception:
+    try:
+        os.unlink(tmp)
+    except OSError:
+        pass
+    sys.exit(3)
+PY
+  }
+  if command -v flock >/dev/null 2>&1; then
+    ( flock 9; _seed ) 9>"$lock" 2>/dev/null || _seed
+  else
+    _seed
+  fi
+}
+
+case "$MOSAIC_AGENT_RUNTIME" in
+  claude)
+    _ensure_claude_workdir_trusted "$MOSAIC_AGENT_WORKDIR" \
+      || echo "WARNING: could not pre-trust workdir for claude agent $AGENT_NAME" >&2
+    ;;
+esac
+
 # ── Launch the tmux session (no exec — we continue to wire the heartbeat) ────
 _tmux new-session -d -s "$AGENT_NAME" -c "$MOSAIC_AGENT_WORKDIR" \
   bash -c "$PANE_SHELL_SNIPPET"

packages/mosaic/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mosaicstack/mosaic",
-  "version": "0.0.41",
+  "version": "0.0.44",
   "repository": {
     "type": "git",
     "url": "https://git.mosaicstack.dev/mosaicstack/stack.git",

packages/mosaic/src/commands/fleet.spec.ts

@@ -19,17 +19,20 @@ import {
   buildSystemdShowCommand,
   buildTmuxListPanesCommand,
   buildTmuxListSessionsCommand,
+  classifyReadiness,
   classifySendResult,
   countOrchestrators,
   countEnhancers,
   detectDrift,
   enableFleetUnits,
   FLEET_PROFILES,
+  HEARTBEAT_IDLE_THRESHOLD_SECONDS,
   generateAgentEnv,
   getDefaultOperatorSourceLabel,
   getDefaultTenantAndHost,
   getRosterAgent,
   heartbeatPath,
+  idleThresholdSeconds,
   isSendAccepted,
   loadFleetRoster,
   mergeAgentEnv,
@@ -850,7 +853,7 @@ describe('fleet ps — command construction', () => {
       '-t',
       '=canary-pi:0.0',
       '-F',
-      '#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity}',
+      '#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity} #{window_activity} #{session_activity}',
     ]);
   });
 
@@ -933,6 +936,125 @@ describe('fleet ps — heartbeat parsing', () => {
   });
 });
 
+describe('fleet ps — readiness thresholds', () => {
+  const savedIdle = process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD;
+
+  afterEach(() => {
+    if (savedIdle === undefined) delete process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD;
+    else process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD = savedIdle;
+  });
+
+  it('uses the default activity threshold when env is unset', () => {
+    delete process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD;
+
+    expect(idleThresholdSeconds()).toBe(HEARTBEAT_IDLE_THRESHOLD_SECONDS);
+  });
+
+  it('honors a positive integer activity threshold from env', () => {
+    process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD = '120';
+
+    expect(idleThresholdSeconds()).toBe(120);
+  });
+
+  it('falls back to the default for invalid activity thresholds', () => {
+    process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD = '0';
+
+    expect(idleThresholdSeconds()).toBe(HEARTBEAT_IDLE_THRESHOLD_SECONDS);
+  });
+});
+
+describe('fleet ps — readiness classification', () => {
+  const thresholds = { idleThresholdSeconds: 300 };
+
+  it('reports dead when the pane is not alive', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: false, hbHealth: 'healthy', hbStatus: 'busy', idleSeconds: 0 },
+        thresholds,
+      ),
+    ).toBe('dead');
+  });
+
+  it('reports unknown when heartbeat health is unknown', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'unknown', hbStatus: null, idleSeconds: 0 },
+        thresholds,
+      ),
+    ).toBe('unknown');
+  });
+
+  it('reports stale when heartbeat health is stale', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'stale', hbStatus: 'busy', idleSeconds: 1_000 },
+        thresholds,
+      ),
+    ).toBe('stale');
+  });
+
+  it('reports working when heartbeat status is busy, even after the activity threshold', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'healthy', hbStatus: 'busy', idleSeconds: 2_000 },
+        thresholds,
+      ),
+    ).toBe('working');
+  });
+
+  it('reports working when pane idle seconds are null', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'healthy', hbStatus: 'ok', idleSeconds: null },
+        thresholds,
+      ),
+    ).toBe('working');
+  });
+
+  it('reports working when pane idle seconds are undefined', () => {
+    expect(
+      classifyReadiness({ paneAlive: true, hbHealth: 'healthy', hbStatus: 'ok' }, thresholds),
+    ).toBe('working');
+  });
+
+  it('reports working when pane idle seconds are non-finite', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'healthy', hbStatus: 'ok', idleSeconds: Number.NaN },
+        thresholds,
+      ),
+    ).toBe('working');
+  });
+
+  it('reports available at the activity threshold boundary', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'healthy', hbStatus: 'ok', idleSeconds: 300 },
+        thresholds,
+      ),
+    ).toBe('available');
+  });
+
+  it('reports working below the activity threshold', () => {
+    expect(
+      classifyReadiness(
+        { paneAlive: true, hbHealth: 'healthy', hbStatus: 'ok', idleSeconds: 299 },
+        thresholds,
+      ),
+    ).toBe('working');
+  });
+
+  it('reports very long idle as available, not stuck', () => {
+    const readiness = classifyReadiness(
+      { paneAlive: true, hbHealth: 'healthy', hbStatus: 'ok', idleSeconds: 100_000 },
+      thresholds,
+    );
+
+    expect(readiness).toBe('available');
+    expect(readiness).not.toBe('stuck');
+  });
+});
+
 describe('fleet ps — systemd show parsing', () => {
   it('parses ActiveState, SubState, UnitFileState from systemctl show output', () => {
     const output = 'ActiveState=active\nSubState=running\nUnitFileState=enabled\n';
@@ -953,9 +1075,11 @@ describe('fleet ps — systemd show parsing', () => {
 describe('fleet ps — tmux list-panes parsing', () => {
   const NOW_MS = 1_700_000_000_000;
 
-  it('parses alive pane with pid, command, and idle time', () => {
+  it('uses pane_activity when present', () => {
-    const activityEpoch = Math.floor((NOW_MS - 30_000) / 1000); // 30s ago
+    const paneActivityEpoch = Math.floor((NOW_MS - 30_000) / 1000); // 30s ago
-    const output = `12345 claude 0 ${activityEpoch}\n`;
+    const windowActivityEpoch = Math.floor((NOW_MS - 60_000) / 1000); // 60s ago
+    const sessionActivityEpoch = Math.floor((NOW_MS - 90_000) / 1000); // 90s ago
+    const output = `12345 claude 0 ${paneActivityEpoch} ${windowActivityEpoch} ${sessionActivityEpoch}\n`;
     const result = parseTmuxListPanes(output, NOW_MS);
     expect(result.pid).toBe(12345);
     expect(result.command).toBe('claude');
@@ -963,8 +1087,45 @@ describe('fleet ps — tmux list-panes parsing', () => {
     expect(result.idleSeconds).toBe(30);
   });
 
+  it('uses window_activity when pane_activity is empty', () => {
+    const windowActivityEpoch = Math.floor((NOW_MS - 45_000) / 1000); // 45s ago
+    const sessionActivityEpoch = Math.floor((NOW_MS - 90_000) / 1000); // 90s ago
+    const output = `12345 node 0  ${windowActivityEpoch} ${sessionActivityEpoch}\n`;
+    expect(output).toContain('0  '); // empty pane_activity preserves index alignment
+    const result = parseTmuxListPanes(output, NOW_MS);
+    expect(result.pid).toBe(12345);
+    expect(result.command).toBe('node');
+    expect(result.dead).toBe(false);
+    expect(result.idleSeconds).toBe(45);
+  });
+
+  it('uses session_activity when pane_activity and window_activity are empty', () => {
+    const sessionActivityEpoch = Math.floor((NOW_MS - 75_000) / 1000); // 75s ago
+    const output = `12345 node 0   ${sessionActivityEpoch}\n`;
+    const result = parseTmuxListPanes(output, NOW_MS);
+    expect(result.idleSeconds).toBe(75);
+  });
+
+  it('reports null idleSeconds when all activity sources are empty', () => {
+    const output = '12345 node 0   \n';
+    const result = parseTmuxListPanes(output, NOW_MS);
+    expect(result.idleSeconds).toBeNull();
+  });
+
+  it('computes exact idle seconds from now minus epoch seconds', () => {
+    const activityEpoch = 1_699_999_877;
+    const result = parseTmuxListPanes(`12345 claude 0 ${activityEpoch} 0 0\n`, NOW_MS);
+    expect(result.idleSeconds).toBe(123);
+  });
+
+  it('clamps future activity epochs to 0 idle seconds', () => {
+    const futureActivityEpoch = Math.floor((NOW_MS + 30_000) / 1000);
+    const result = parseTmuxListPanes(`12345 claude 0 ${futureActivityEpoch} 0 0\n`, NOW_MS);
+    expect(result.idleSeconds).toBe(0);
+  });
+
   it('reports dead pane when pane_dead=1', () => {
-    const output = `0 bash 1 0\n`;
+    const output = `0 bash 1 0 0 0\n`;
     const result = parseTmuxListPanes(output, NOW_MS);
     expect(result.dead).toBe(true);
   });
@@ -1324,8 +1485,9 @@ describe('fleet ps — JSON output shape (FR-6)', () => {
     // boot-enable warning: active + disabled
     expect(row.bootEnableWarning).toBe(true);
 
-    // heartbeat missing → unknown
+    // heartbeat missing → unknown readiness preserves existing display semantics
     expect(row.heartbeat.health).toBe('unknown');
+    expect(row.readiness).toBe('unknown');
 
     expect(row.name).toBe('canary-pi');
     expect(row.runtime).toBe('pi');
@@ -1387,6 +1549,88 @@ describe('fleet ps — command sequences issued', () => {
   });
 });
 
+describe('fleet ps — readiness table output', () => {
+  it('renders available in HB column without idle/stuck alarm flags', async () => {
+    const home = await mkdtemp(join(tmpdir(), 'mosaic-fleet-'));
+    const rosterPath = join(home, 'fleet', 'roster.yaml');
+    const runDir = join(home, 'fleet', 'run');
+    await mkdir(runDir, { recursive: true });
+    await writeFile(
+      rosterPath,
+      [
+        'version: 1',
+        'transport: tmux',
+        'agents:',
+        '  - name: working-agent',
+        '    runtime: pi',
+        '  - name: available-agent',
+        '    runtime: pi',
+      ].join('\n'),
+    );
+
+    const nowMs = 1_700_000_000_000;
+    const workingActivityEpoch = Math.floor((nowMs - 2_000) / 1000);
+    const availableActivityEpoch = Math.floor((nowMs - 40_000) / 1000);
+    const hbTs = new Date(nowMs - 1_000).toISOString();
+    await writeFile(join(runDir, 'working-agent.hb'), `ts=${hbTs}\npid=111\nstatus=ok\n`);
+    await writeFile(join(runDir, 'available-agent.hb'), `ts=${hbTs}\npid=222\nstatus=ok\n`);
+
+    const savedIdle = process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD;
+    process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD = '5';
+
+    const dateNow = vi.spyOn(Date, 'now').mockReturnValue(nowMs);
+    const runner: CommandRunner = async (command, args) => {
+      const full = [command, ...args].join(' ');
+      if (full.includes('list-sessions')) {
+        return { stdout: 'working-agent\navailable-agent\n', stderr: '', exitCode: 0 };
+      }
+      if (full.includes('=working-agent:0.0')) {
+        return { stdout: `111 pi 0 ${workingActivityEpoch}\n`, stderr: '', exitCode: 0 };
+      }
+      if (full.includes('=available-agent:0.0')) {
+        return { stdout: `222 pi 0 ${availableActivityEpoch}\n`, stderr: '', exitCode: 0 };
+      }
+      if (full.includes('systemctl') && full.includes('show')) {
+        return {
+          stdout: 'ActiveState=active\nSubState=running\nUnitFileState=enabled\n',
+          stderr: '',
+          exitCode: 0,
+        };
+      }
+      return { stdout: '', stderr: '', exitCode: 0 };
+    };
+
+    const lines: string[] = [];
+    const origLog = console.log;
+    console.log = (msg: string) => {
+      lines.push(msg);
+    };
+
+    const program = new Command();
+    program.exitOverride();
+    registerFleetCommand(program, { runner, mosaicHome: home });
+
+    try {
+      await program.parseAsync(['node', 'mosaic', 'fleet', 'ps']);
+    } finally {
+      console.log = origLog;
+      dateNow.mockRestore();
+      if (savedIdle === undefined) delete process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD;
+      else process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD = savedIdle;
+      await rm(home, { recursive: true, force: true });
+    }
+
+    const workingLine = lines.find((line) => line.includes('working-agent'));
+    const availableLine = lines.find((line) => line.includes('available-agent'));
+    expect(workingLine).toBeDefined();
+    expect(workingLine).toContain('1s/working');
+    expect(availableLine).toBeDefined();
+    expect(availableLine).toContain('1s/available');
+    expect(availableLine).not.toMatch(/\bIDLE\b/);
+    expect(availableLine).not.toMatch(/\bSTUCK\b/);
+  });
+});
+
 describe('buildTmuxListSessionsCommand', () => {
   it('builds exact list-sessions command with session_name format', () => {
     expect(buildTmuxListSessionsCommand('mosaic-fleet')).toEqual([
@@ -1514,6 +1758,7 @@ describe('fleet ps — unmanaged socket sessions', () => {
 
     // driftFlag must be false for unmanaged (no roster runtime to compare)
     expect(unmanagedRow.driftFlag).toBe(false);
+    expect(unmanagedRow.readiness).toBe('unknown');
   });
 
   it('shows UNMANAGED flag in table output for unmanaged sessions', async () => {

packages/mosaic/src/commands/fleet.ts

@@ -394,6 +394,7 @@ export function buildAgentTailCommand(agentName: string, lines: number, socketNa
 // ---------------------------------------------------------------------------
 
 export const HEARTBEAT_INTERVAL_MS = 15_000;
+export const HEARTBEAT_IDLE_THRESHOLD_SECONDS = 300;
 
 /**
  * Heartbeat interval in ms, honoring MOSAIC_HEARTBEAT_INTERVAL (seconds) so the
@@ -404,8 +405,57 @@ export function heartbeatIntervalMs(): number {
   const sec = Number.parseInt(process.env.MOSAIC_HEARTBEAT_INTERVAL ?? '', 10);
   return Number.isFinite(sec) && sec > 0 ? sec * 1000 : HEARTBEAT_INTERVAL_MS;
 }
+
+/** Activity threshold in seconds, honoring MOSAIC_HEARTBEAT_IDLE_THRESHOLD. */
+export function idleThresholdSeconds(): number {
+  const sec = Number.parseInt(process.env.MOSAIC_HEARTBEAT_IDLE_THRESHOLD ?? '', 10);
+  return Number.isFinite(sec) && sec > 0 ? sec : HEARTBEAT_IDLE_THRESHOLD_SECONDS;
+}
 export const HEARTBEAT_HEALTHY_MULTIPLIER = 3;
 
+export type ReadinessState = 'working' | 'available' | 'stuck' | 'stale' | 'dead' | 'unknown';
+
+export interface ReadinessSignals {
+  paneAlive: boolean;
+  hbHealth: 'healthy' | 'stale' | 'unknown';
+  hbStatus: 'ok' | 'busy' | null;
+  idleSeconds: number | null;
+}
+
+export interface ReadinessThresholds {
+  idleThresholdSeconds: number;
+}
+
+/**
+ * Classify whether an agent is progressing based on already-parsed heartbeat/tmux signals.
+ * Best-effort and runtime-agnostic: it never probes, never throws, and preserves existing
+ * unknown/stale behavior when heartbeat data is absent or old.
+ */
+export function classifyReadiness(
+  signals: Partial<ReadinessSignals> | null | undefined,
+  thresholds: Partial<ReadinessThresholds> | null | undefined = {},
+): ReadinessState {
+  try {
+    if (signals?.paneAlive !== true) return 'dead';
+    if (signals.hbHealth === 'unknown' || signals.hbHealth === undefined) return 'unknown';
+    if (signals.hbHealth === 'stale') return 'stale';
+    if (signals.hbStatus === 'busy') return 'working';
+    if (signals.idleSeconds === null || signals.idleSeconds === undefined) return 'working';
+
+    const idleSeconds = Number.isFinite(signals.idleSeconds) ? signals.idleSeconds : null;
+    if (idleSeconds === null) return 'working';
+
+    const idleThreshold = Number.isFinite(thresholds?.idleThresholdSeconds)
+      ? Number(thresholds?.idleThresholdSeconds)
+      : idleThresholdSeconds();
+    // Follow-up: stuck pending per-agent assignment awareness: assigned task + idle past threshold => stuck.
+    if (idleSeconds >= idleThreshold) return 'available';
+    return 'working';
+  } catch {
+    return 'unknown';
+  }
+}
+
 export interface HeartbeatInfo {
   ts: Date | null;
   pid: number | null;
@@ -429,6 +479,7 @@ export interface AgentPsRow {
   paneCommand: string | null;
   idleSeconds: number | null;
   heartbeat: HeartbeatInfo;
+  readiness: ReadinessState;
   /** roster runtime !== actual pane command */
   driftFlag: boolean;
   /** active but UnitFileState=disabled */
@@ -461,7 +512,7 @@ export function buildSystemdShowCommand(agentName: string): string[] {
 
 /**
  * Returns the tmux list-panes command for an agent pane.
- * Format: `#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity}`
+ * Format: `#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity} #{window_activity} #{session_activity}`
  */
 export function buildTmuxListPanesCommand(agentName: string, socketName = ''): string[] {
   return [
@@ -471,7 +522,7 @@ export function buildTmuxListPanesCommand(agentName: string, socketName = ''): s
     '-t',
     `=${agentName}:0.0`,
     '-F',
-    '#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity}',
+    '#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity} #{window_activity} #{session_activity}',
   ];
 }
 
@@ -571,8 +622,8 @@ export function parseSystemdShow(output: string): {
 }
 
 /**
- * Parse the output of `tmux list-panes -F '#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity}'`
+ * Parse the output of `tmux list-panes -F '#{pane_pid} #{pane_current_command} #{pane_dead} #{pane_activity} #{window_activity} #{session_activity}'`
- * pane_activity is a Unix epoch timestamp (seconds).
+ * Activity fields are Unix epoch timestamps (seconds), ordered most precise to coarsest.
  */
 export function parseTmuxListPanes(
   output: string,
@@ -582,16 +633,18 @@ export function parseTmuxListPanes(
   if (!line) {
     return { pid: null, command: null, dead: true, idleSeconds: null };
   }
-  // format: <pid> <command> <dead(0|1)> <activity_epoch>
+  // format: <pid> <command> <dead(0|1)> <pane_activity> <window_activity> <session_activity>
   const parts = line.split(' ');
   const pid = parts[0] ? (Number.isFinite(Number(parts[0])) ? Number(parts[0]) : null) : null;
   const command = parts[1] ?? null;
   const dead = parts[2] === '1';
-  const activityEpoch = parts[3] ? Number(parts[3]) : NaN;
+  const activityEpoch = parts
-  const idleSeconds =
+    .slice(3, 6)
-    Number.isFinite(activityEpoch) && activityEpoch > 0
+    .map((part) => (part ? Number(part) : NaN))
-      ? Math.floor((nowMs - activityEpoch * 1000) / 1000)
+    .find((epoch) => Number.isFinite(epoch) && epoch > 0);
-      : null;
+  const idleSeconds = activityEpoch
+    ? Math.max(0, Math.floor((nowMs - activityEpoch * 1000) / 1000))
+    : null;
   return { pid, command, dead, idleSeconds };
 }
 
@@ -1022,6 +1075,9 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
       const nowMs = Date.now();
 
       const rows: AgentPsRow[] = [];
+      const readinessThresholds = {
+        idleThresholdSeconds: idleThresholdSeconds(),
+      };
 
       // Build the set of roster agent names for quick lookup when filtering socket sessions.
       const rosterAgentNames = new Set(roster.agents.map((a) => a.name));
@@ -1052,6 +1108,17 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
         const bootEnableWarning =
           sysInfo.ActiveState === 'active' && sysInfo.UnitFileState === 'disabled';
 
+        const paneAlive = !paneInfo.dead;
+        const readiness = classifyReadiness(
+          {
+            paneAlive,
+            hbHealth: hb.health,
+            hbStatus: hb.status,
+            idleSeconds: paneInfo.idleSeconds,
+          },
+          readinessThresholds,
+        );
+
         rows.push({
           name: agent.name,
           tenant_id,
@@ -1059,11 +1126,12 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
           runtime: agent.runtime,
           systemdActive: sysInfo.ActiveState,
           systemdEnabled: sysInfo.UnitFileState,
-          paneAlive: !paneInfo.dead,
+          paneAlive,
           panePid: paneInfo.pid,
           paneCommand: paneInfo.command,
           idleSeconds: paneInfo.idleSeconds,
           heartbeat: hb,
+          readiness,
           driftFlag,
           bootEnableWarning,
           managed: true,
@@ -1110,6 +1178,17 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
             const bootEnableWarning =
               sysInfo.ActiveState === 'active' && sysInfo.UnitFileState === 'disabled';
 
+            const paneAlive = !paneInfo.dead;
+            const readiness = classifyReadiness(
+              {
+                paneAlive,
+                hbHealth: hb.health,
+                hbStatus: hb.status,
+                idleSeconds: paneInfo.idleSeconds,
+              },
+              readinessThresholds,
+            );
+
             rows.push({
               name: sessionName,
               tenant_id,
@@ -1118,11 +1197,12 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
               runtime: 'unknown',
               systemdActive: sysInfo.ActiveState,
               systemdEnabled: sysInfo.UnitFileState,
-              paneAlive: !paneInfo.dead,
+              paneAlive,
               panePid: paneInfo.pid,
               paneCommand: paneInfo.command,
               idleSeconds: paneInfo.idleSeconds,
               heartbeat: hb,
+              readiness,
               // No roster runtime to compare — drift is not meaningful for unmanaged sessions
               driftFlag: false,
               bootEnableWarning,
@@ -1164,7 +1244,7 @@ export function registerFleetCommand(program: Command, deps: FleetCommandDeps =
         const idle = row.idleSeconds !== null ? `${row.idleSeconds}s` : '-';
         const hbAge =
           row.heartbeat.ageMs !== null
-            ? `${Math.round(row.heartbeat.ageMs / 1000)}s/${row.heartbeat.health}`
+            ? `${Math.round(row.heartbeat.ageMs / 1000)}s/${row.readiness}`
             : `unknown`;
         const model = row.heartbeat.model ?? '-';
         const flags: string[] = [];