diff --git a/internal/app/app.go b/internal/app/app.go
index 0de52fa..7bc278d 100644
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -16,9 +16,9 @@ import (
 	"golang.org/x/term"
 
 	"github.com/harrybrwn/patterm/internal/mcp"
-	"github.com/harrybrwn/patterm/internal/policy"
 	"github.com/harrybrwn/patterm/internal/preset"
 	"github.com/harrybrwn/patterm/internal/scratchpad"
+	"github.com/harrybrwn/patterm/internal/trust"
 )
 
 // Options configures a patterm run.
@@ -41,11 +41,6 @@ func Run(ctx context.Context, opts Options) error {
 		return fmt.Errorf("app: load presets: %w", err)
 	}
 
-	pol, err := policy.Load()
-	if err != nil {
-		return fmt.Errorf("app: load policy: %w", err)
-	}
-
 	// Ensure the per-project scratchpad dir exists so MCP and the UI
 	// can read/write into it. SPEC §3.
 	pads, err := scratchpad.Open(opts.ProjectKey)
@@ -53,6 +48,12 @@ func Run(ctx context.Context, opts Options) error {
 		return fmt.Errorf("app: scratchpad init: %w", err)
 	}
 
+	// Per-project trust store for command-preset trust gating (SPEC §7).
+	trustStore, err := trust.Open(opts.ProjectKey)
+	if err != nil {
+		return fmt.Errorf("app: trust init: %w", err)
+	}
+
 	// In-process MCP server bound to the per-PID socket. Children that
 	// support MCP get pointed at `patterm mcp-stdio --socket=... --identity=...`.
 	// SPEC §10.
@@ -76,7 +77,7 @@ func Run(ctx context.Context, opts Options) error {
 	// Wire the tool host into MCP. Spawns through MCP use the host
 	// terminal's viewport grid for their initial PTY size; SIGWINCH paths
 	// resize them later.
-	host := newToolHost(sess, pads, launcher, presets, pol, layout.childCols(), layout.childRows())
+	host := newToolHost(sess, pads, launcher, presets, trustStore, layout.childCols(), layout.childRows())
 	mcpSrv.SetHost(host)
 
 	var restoreState *term.State
@@ -96,11 +97,14 @@ func Run(ctx context.Context, opts Options) error {
 		presets:  presets,
 		launcher: launcher,
 		pads:     pads,
+		trust:    trustStore,
 		hostCols: cols,
 		hostRows: rows,
 		stdinTTY: term.IsTerminal(int(os.Stdin.Fd())),
 	}
 	host.attention = st
+	host.focus = st
+	host.prompter = st
 	st.lastExit.Store(-1)
 	sess.Subscribe(st)
 
@@ -200,6 +204,7 @@ type uiState struct {
 	presets  preset.Set
 	launcher *Launcher
 	pads     *scratchpad.Store
+	trust    *trust.Store
 
 	outMu sync.Mutex
 
@@ -220,6 +225,13 @@ type uiState struct {
 	attentionText string
 	attentionAt   string
 
+	// pendingTrust is the most recent trust prompt — surfaced in the
+	// status line until the user resolves it with Ctrl-K. v1 keeps the
+	// confirmation modal minimal: the user opens the palette and picks
+	// "Trust preset <name>" / "Deny preset <name>". A future iteration
+	// can promote this to a dedicated inline modal.
+	pendingTrust *trustRequest
+
 	dimsMu             sync.Mutex
 	hostCols, hostRows uint16
 	stdinTTY           bool
@@ -231,6 +243,42 @@ func (st *uiState) dbgf(format string, args ...any) {
 	logf(format, args...)
 }
 
+// trustRequest is one outstanding SPEC §7 trust prompt: an agent tried
+// to spawn / start / restart against an untrusted command preset and
+// the host wants user confirmation before the next attempt succeeds.
+type trustRequest struct {
+	processID  string
+	presetName string
+	reason     string
+}
+
+// promptTrust is the SPEC §7 trust gate UI hook. Replaces any prior
+// pending request — the most recent prompt wins.
+func (st *uiState) promptTrust(processID, presetName, reason string) {
+	st.mu.Lock()
+	st.pendingTrust = &trustRequest{processID: processID, presetName: presetName, reason: reason}
+	st.mu.Unlock()
+	st.drawStatusLine()
+}
+
+// focusProcess is the SPEC §7 select_process hook. Routes through the
+// normal focus-change path; only takes effect if the process exists.
+func (st *uiState) focusProcess(processID string) {
+	c := st.sess.FindChild(processID)
+	if c == nil {
+		return
+	}
+	st.mu.Lock()
+	st.focusedID = c.ID
+	st.focusedName = c.DisplayName()
+	st.renderer = newViewportRenderer(st.layoutSnapshot())
+	st.mu.Unlock()
+	st.repaintFocused()
+	st.drawTabBar()
+	st.drawSidebar()
+	st.drawStatusLine()
+}
+
 // notifyAttention is the request_human_attention sink (SPEC §7). We
 // surface a one-line toast in the status row and remember the most
 // recent ask so the status line keeps showing it. The sidebar-blink is
@@ -370,6 +418,10 @@ func (st *uiState) drawStatusLine() {
 	focusName := st.focusedName
 	attention := st.attentionText
 	attentionAt := st.attentionAt
+	var trustMsg string
+	if st.pendingTrust != nil {
+		trustMsg = fmt.Sprintf("trust preset %q? [y]es / [n]o", st.pendingTrust.presetName)
+	}
 	st.mu.Unlock()
 	if palOpen {
 		return
@@ -403,6 +455,13 @@ func (st *uiState) drawStatusLine() {
 	if attention != "" && attentionAt == focusID {
 		left = "[!] " + attention
 	}
+	if attention != "" && attentionAt == "" {
+		// Sticky attention/flash from somewhere outside the focused pane.
+		left = "[!] " + attention
+	}
+	if trustMsg != "" {
+		left = "[trust] " + trustMsg
+	}
 	right := "Ctrl-K · palette"
 
 	pad := int(cols) - len(left) - len(right)
@@ -490,6 +549,48 @@ func (st *uiState) stdinLoop() error {
 func (st *uiState) processStdin(chunk []byte) {
 	st.mu.Lock()
 
+	// Trust modal is modal: y/Y accepts, n/N or ESC denies. Everything
+	// else is ignored so a typo doesn't leak into the focused PTY while
+	// the prompt is up. SPEC §7 trust gate.
+	if st.pendingTrust != nil {
+		req := *st.pendingTrust
+		consumed := 0
+		var resolved string
+		for _, b := range chunk {
+			consumed++
+			switch b {
+			case 'y', 'Y':
+				resolved = "accept"
+			case 'n', 'N', 0x1b: // ESC
+				resolved = "deny"
+			default:
+				continue
+			}
+			break
+		}
+		if resolved != "" {
+			st.pendingTrust = nil
+			st.mu.Unlock()
+			if resolved == "accept" {
+				if err := st.trust.Grant(req.presetName); err != nil {
+					st.flashError(fmt.Sprintf("trust grant: %v", err))
+				} else {
+					st.flashTransient(fmt.Sprintf("trusted preset %q (retry the call)", req.presetName))
+				}
+			} else {
+				st.flashTransient(fmt.Sprintf("denied trust for preset %q", req.presetName))
+			}
+			st.drawStatusLine()
+			// Discard the rest of the chunk; we intentionally don't
+			// recurse into the regular handler so a stray Enter doesn't
+			// submit anything to the focused PTY.
+			_ = consumed
+			return
+		}
+		st.mu.Unlock()
+		return
+	}
+
 	forward := make([]byte, 0, len(chunk))
 	flushForward := func() {
 		if len(forward) == 0 {
@@ -641,7 +742,7 @@ func (st *uiState) closePalette(action paletteAction) {
 		}
 		l := st.layoutSnapshot()
 		st.launcher.SetSize(l.childCols(), l.childRows())
-		if _, err := st.launcher.LaunchProcess(action.preset, action.preset.Name); err != nil {
+		if _, err := st.launcher.LaunchCommandPreset(action.preset, action.preset.Name, ""); err != nil {
 			st.flashError(fmt.Sprintf("spawn %s: %v", action.preset.Name, err))
 		}
 
@@ -687,6 +788,16 @@ func (st *uiState) flashError(msg string) {
 	st.drawStatusLine()
 }
 
+// flashTransient is the softer cousin of flashError used for
+// trust-prompt resolutions. Same status-line surface; the prefix differs.
+func (st *uiState) flashTransient(msg string) {
+	st.mu.Lock()
+	st.attentionText = msg
+	st.attentionAt = ""
+	st.mu.Unlock()
+	st.drawStatusLine()
+}
+
 // repaintFocused redraws the current focused child's screen snapshot.
 // Callers must NOT hold st.mu — repaintFocused takes it
 // briefly itself.
diff --git a/internal/app/child.go b/internal/app/child.go
index 723c8a5..f9bb748 100644
--- a/internal/app/child.go
+++ b/internal/app/child.go
@@ -6,6 +6,9 @@ import (
 	"errors"
 	"fmt"
 	"os/exec"
+	"regexp"
+	"strconv"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"syscall"
@@ -15,20 +18,34 @@ import (
 	"github.com/harrybrwn/patterm/internal/vt"
 )
 
+// portRegex matches dev-server URLs of the form `http(s)://host:NNNN[/path]`
+// and reports the port. SPEC §7 get_process_ports is best-effort; we
+// stick to URL-form sightings because bare `:NNNN` produces too many
+// false positives (timestamps, exit codes, etc.).
+var portRegex = regexp.MustCompile(`https?://[^\s:/]+:(\d{2,5})(?:/[^\s]*)?`)
+
 type ChildStatus string
 
 const (
-	StatusRunning ChildStatus = "running"
-	StatusExited  ChildStatus = "exited"
-	StatusErrored ChildStatus = "errored"
+	StatusStarting ChildStatus = "starting"
+	StatusRunning  ChildStatus = "running"
+	StatusStopped  ChildStatus = "stopped"
+	StatusExited   ChildStatus = "exited"
+	StatusErrored  ChildStatus = "errored"
 )
 
-// ChildKind matches the two preset flavours in SPEC §10.
+// ChildKind matches the three process kinds in SPEC §7.
+//   - agent: vendor LLM CLI launched from an agent preset (MCP-wired,
+//     ephemeral — lost when the PTY exits).
+//   - terminal: a bare interactive shell (ephemeral).
+//   - command: a process preset or freeform argv (session-persistent —
+//     survives PTY exit so it can be restart_process'd).
 type ChildKind string
 
 const (
-	KindAgent   ChildKind = "agent"
-	KindProcess ChildKind = "process"
+	KindAgent    ChildKind = "agent"
+	KindTerminal ChildKind = "terminal"
+	KindCommand  ChildKind = "command"
 )
 
 // Owner reflects the SPEC §6 input-ownership flag.
@@ -39,86 +56,192 @@ const (
 	OwnerOrchestrator Owner = "orchestrator"
 )
 
-// Child is one PTY-backed process plus its emulator. The same struct
-// represents both agent presets (with MCP) and process presets (raw).
+// Child is one entry in the session — a PTY-backed process plus its
+// emulator. Covers all three kinds (agent / terminal / command).
+//
+// For KindCommand the entry is session-persistent: argv/env/workingDir
+// stay populated across stop/restart so Restart() can rebuild the PTY
+// against the same spec.
 type Child struct {
 	ID       string
 	Name     string
 	Argv     []string
+	Env      []string
+	WorkDir  string
 	Kind     ChildKind
 	ParentID string // empty for top-level sessions
 
+	// PresetRef names the source preset (when known). Used by trust
+	// gating to re-check on restart_process. Empty for freeform-argv
+	// command entries and for ephemeral terminals.
+	PresetRef string
+
 	// Identity is the per-spawn token the mcp-stdio proxy uses to
-	// identify itself when calling tools. Empty for process presets.
+	// identify itself when calling tools. Empty for non-agent entries.
 	Identity string
 
-	pty *pkgpty.PTY
-	em  *vt.GhosttyEmulator
+	// nameMu guards Name (rename_process).
+	nameMu sync.RWMutex
+
+	// ptyMu guards pty + em so Restart can swap them while pumpChild /
+	// reapChild loops detect the swap by observing nil/closed PTY.
+	ptyMu sync.RWMutex
+	pty   *pkgpty.PTY
+	em    *vt.GhosttyEmulator
 
 	status   atomic.Pointer[ChildStatus]
 	exitCode atomic.Int32
 
 	owner atomic.Pointer[Owner]
 
-	// lastWrite is the wall time of the most recent PTY-master write.
+	// lastWriteNS is the wall time of the most recent PTY-master write.
 	// SPEC §11 idle heuristic: a pane is idle once nothing has been
 	// written for the preset's threshold (default 1s).
 	lastWriteNS atomic.Int64
 
+	// screenVersion increments on every PTY-out chunk. SPEC §7
+	// get_process_output exposes it so orchestrators can detect changes
+	// without diffing content.
+	screenVersion atomic.Int64
+
 	// ringMu guards ring. The ring buffer carries the last `ringCap`
-	// bytes the PTY produced, used by SPEC §7 read_output stream mode.
+	// bytes the PTY produced, used by SPEC §7 get_process_output stream
+	// mode and search_output scrollback.
 	ringMu     sync.Mutex
 	ring       []byte
 	ringStart  int64 // absolute offset of ring[0]
 	ringWrites int64 // cumulative bytes written
+
+	// portsMu guards ports. Best-effort port detection: regex on stream.
+	portsMu sync.Mutex
+	ports   []PortSighting
+}
+
+// PortSighting is one entry returned by get_process_ports.
+type PortSighting struct {
+	Port        int    `json:"port"`
+	URL         string `json:"url,omitempty"`
+	FirstSeenAt string `json:"first_seen_at"`
 }
 
 const ringCap = 1 << 20 // 1 MiB per SPEC §5
 
-func newChild(id, name string, kind ChildKind, argv, env []string, cols, rows uint16, parentID string) (*Child, error) {
-	if len(argv) == 0 {
-		return nil, errors.New("child: empty argv")
-	}
-	em, err := vt.NewGhosttyEmulator(cols, rows)
-	if err != nil {
-		return nil, fmt.Errorf("child %s emulator: %w", id, err)
-	}
-	p, err := pkgpty.Start(argv, env, cols, rows)
-	if err != nil {
-		em.Close()
-		return nil, fmt.Errorf("child %s pty: %w", id, err)
-	}
+// newChildEntry builds the in-memory Child record but does NOT start a
+// PTY. Used so command entries can exist in the `stopped` state from the
+// moment they're created. Agents and terminals call newChild() which
+// chains newChildEntry + startPTY for the initial run.
+func newChildEntry(id, name string, kind ChildKind, argv, env []string, parentID, workDir, presetRef string) *Child {
 	c := &Child{
-		ID:       id,
-		Name:     name,
-		Argv:     argv,
-		Kind:     kind,
-		ParentID: parentID,
-		pty:      p,
-		em:       em,
-		ring:     make([]byte, 0, ringCap),
+		ID:        id,
+		Name:      name,
+		Argv:      argv,
+		Env:       env,
+		WorkDir:   workDir,
+		Kind:      kind,
+		ParentID:  parentID,
+		PresetRef: presetRef,
+		ring:      make([]byte, 0, ringCap),
 	}
-	st := StatusRunning
+	st := StatusStopped
 	c.status.Store(&st)
 	c.exitCode.Store(-1)
-	// Agents spawned by an orchestrator default to orchestrator-owned;
-	// everything else (top-level, processes) defaults to user. SPEC §6.
 	def := OwnerUser
 	if kind == KindAgent && parentID != "" {
 		def = OwnerOrchestrator
 	}
 	c.owner.Store(&def)
-
 	if kind == KindAgent {
 		c.Identity = mintIdentity()
 	}
+	return c
+}
 
+func newChild(id, name string, kind ChildKind, argv, env []string, cols, rows uint16, parentID, workDir, presetRef string) (*Child, error) {
+	if len(argv) == 0 {
+		return nil, errors.New("child: empty argv")
+	}
+	c := newChildEntry(id, name, kind, argv, env, parentID, workDir, presetRef)
+	if err := c.startPTY(cols, rows); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+// startPTY (re)builds the emulator + PTY for this entry. Called by
+// newChild on initial spawn and by Restart on subsequent runs. The
+// status transitions stopped/exited → starting → running. On error the
+// entry returns to errored.
+func (c *Child) startPTY(cols, rows uint16) error {
+	em, err := vt.NewGhosttyEmulator(cols, rows)
+	if err != nil {
+		return fmt.Errorf("child %s emulator: %w", c.ID, err)
+	}
+	starting := StatusStarting
+	c.status.Store(&starting)
+	p, err := pkgpty.Start(c.Argv, c.Env, cols, rows)
+	if err != nil {
+		em.Close()
+		errored := StatusErrored
+		c.status.Store(&errored)
+		return fmt.Errorf("child %s pty: %w", c.ID, err)
+	}
 	em.OnWritePTY(func(b []byte) {
 		_, _ = p.Write(b)
 	})
-	return c, nil
+	c.ptyMu.Lock()
+	c.pty = p
+	c.em = em
+	c.ptyMu.Unlock()
+	running := StatusRunning
+	c.status.Store(&running)
+	c.exitCode.Store(-1)
+	c.lastWriteNS.Store(0)
+	return nil
 }
 
+// IsLive reports whether the PTY is currently attached and running.
+// Used by callers that need to gate input on a live PTY (vs. a stopped
+// command entry).
+func (c *Child) IsLive() bool {
+	st := c.Status()
+	return st == StatusStarting || st == StatusRunning
+}
+
+// PTY returns the current PTY pointer under read-lock. May be nil for a
+// stopped command entry.
+func (c *Child) PTY() *pkgpty.PTY {
+	c.ptyMu.RLock()
+	defer c.ptyMu.RUnlock()
+	return c.pty
+}
+
+// Emulator returns the current emulator pointer under read-lock.
+func (c *Child) Emulator() *vt.GhosttyEmulator {
+	c.ptyMu.RLock()
+	defer c.ptyMu.RUnlock()
+	return c.em
+}
+
+// DisplayName is the rename_process-aware accessor for Name. Callers
+// that read Name directly skip the lock; the field is still safe to
+// read because Go strings are immutable, but DisplayName signals intent.
+func (c *Child) DisplayName() string {
+	c.nameMu.RLock()
+	defer c.nameMu.RUnlock()
+	return c.Name
+}
+
+// SetName updates the display name (rename_process).
+func (c *Child) SetName(name string) {
+	c.nameMu.Lock()
+	c.Name = name
+	c.nameMu.Unlock()
+}
+
+// ScreenVersion returns the current emulator snapshot version, bumped
+// on every PTY-out chunk.
+func (c *Child) ScreenVersion() int64 { return c.screenVersion.Load() }
+
 func (c *Child) Status() ChildStatus {
 	st := c.status.Load()
 	if st == nil {
@@ -129,7 +252,13 @@ func (c *Child) Status() ChildStatus {
 
 func (c *Child) ExitCode() int { return int(c.exitCode.Load()) }
 
-func (c *Child) PID() int { return c.pty.Pid() }
+func (c *Child) PID() int {
+	pty := c.PTY()
+	if pty == nil {
+		return 0
+	}
+	return pty.Pid()
+}
 
 func (c *Child) Owner() Owner {
 	o := c.owner.Load()
@@ -153,8 +282,8 @@ func (c *Child) IdleMS() int64 {
 
 func (c *Child) recordWrite(chunk []byte) {
 	c.lastWriteNS.Store(time.Now().UnixNano())
+	c.screenVersion.Add(1)
 	c.ringMu.Lock()
-	defer c.ringMu.Unlock()
 	c.ring = append(c.ring, chunk...)
 	c.ringWrites += int64(len(chunk))
 	if len(c.ring) > ringCap {
@@ -162,6 +291,52 @@ func (c *Child) recordWrite(chunk []byte) {
 		c.ring = c.ring[drop:]
 		c.ringStart += int64(drop)
 	}
+	c.ringMu.Unlock()
+	c.scanPortsFromChunk(chunk)
+}
+
+// scanPortsFromChunk does best-effort port detection on a PTY chunk.
+// SPEC §7 get_process_ports — no probing, just stream scanning.
+func (c *Child) scanPortsFromChunk(chunk []byte) {
+	matches := portRegex.FindAllSubmatch(chunk, -1)
+	if len(matches) == 0 {
+		return
+	}
+	now := time.Now().UTC().Format(time.RFC3339)
+	c.portsMu.Lock()
+	defer c.portsMu.Unlock()
+	for _, m := range matches {
+		urlForm := string(m[0])
+		portStr := string(m[1])
+		port, err := strconv.Atoi(portStr)
+		if err != nil || port < 1 || port > 65535 {
+			continue
+		}
+		seen := false
+		for _, p := range c.ports {
+			if p.Port == port {
+				seen = true
+				break
+			}
+		}
+		if seen {
+			continue
+		}
+		ent := PortSighting{Port: port, FirstSeenAt: now}
+		if strings.HasPrefix(urlForm, "http") {
+			ent.URL = urlForm
+		}
+		c.ports = append(c.ports, ent)
+	}
+}
+
+// Ports returns a snapshot of detected port sightings.
+func (c *Child) Ports() []PortSighting {
+	c.portsMu.Lock()
+	defer c.portsMu.Unlock()
+	out := make([]PortSighting, len(c.ports))
+	copy(out, c.ports)
+	return out
 }
 
 // StreamRead returns ring bytes from `since` to the current write head,
@@ -185,7 +360,11 @@ func (c *Child) StreamRead(since int64) ([]byte, int64) {
 }
 
 func (c *Child) signal(sig syscall.Signal) error {
-	pid := c.pty.Pid()
+	pty := c.PTY()
+	if pty == nil {
+		return errors.New("child has no pty")
+	}
+	pid := pty.Pid()
 	if pid <= 0 {
 		return errors.New("child has no pid")
 	}
@@ -211,20 +390,43 @@ func (c *Child) markExited(err error) {
 	c.status.Store(&st)
 }
 
+// teardownPTY closes the current PTY/emulator and nils them out. Used
+// by Restart so the new PTY can take their place. Safe to call when
+// they're already nil.
+func (c *Child) teardownPTY() {
+	c.ptyMu.Lock()
+	p, em := c.pty, c.em
+	c.pty, c.em = nil, nil
+	c.ptyMu.Unlock()
+	if p != nil {
+		_ = p.Close()
+	}
+	if em != nil {
+		_ = em.Close()
+	}
+}
+
 // InjectAsUser is the path the human takes when typing in the focused
 // pane. SPEC §6: the user's first keystroke flips ownership.
 func (c *Child) InjectAsUser(b []byte) error {
 	c.SetOwner(OwnerUser)
-	_, err := c.pty.Write(b)
+	pty := c.PTY()
+	if pty == nil {
+		return errors.New("child has no pty")
+	}
+	_, err := pty.Write(b)
 	return err
 }
 
-// InjectAsOrchestrator is the path send_message_to / report_to_parent /
-// initial_prompt / timer_wait writes take. Ownership flips back to
-// orchestrator. SPEC §6.
+// InjectAsOrchestrator is the path send_message / initial_prompt /
+// timer_wait writes take. Ownership flips back to orchestrator. SPEC §6.
 func (c *Child) InjectAsOrchestrator(b []byte) error {
 	c.SetOwner(OwnerOrchestrator)
-	_, err := c.pty.Write(b)
+	pty := c.PTY()
+	if pty == nil {
+		return errors.New("child has no pty")
+	}
+	_, err := pty.Write(b)
 	return err
 }
 
@@ -233,3 +435,12 @@ func mintIdentity() string {
 	_, _ = rand.Read(buf[:])
 	return hex.EncodeToString(buf[:])
 }
+
+// mintProcessID generates the opaque short token SPEC §7 calls a
+// process_id: lowercase `p_` followed by 6 hex chars. Collisions inside
+// one session are checked by the caller (session.go).
+func mintProcessID() string {
+	var buf [3]byte
+	_, _ = rand.Read(buf[:])
+	return "p_" + hex.EncodeToString(buf[:])
+}
diff --git a/internal/app/host.go b/internal/app/host.go
index ccfba7a..40020c7 100644
--- a/internal/app/host.go
+++ b/internal/app/host.go
@@ -9,36 +9,70 @@ import (
 	"time"
 
 	"github.com/harrybrwn/patterm/internal/mcp"
-	"github.com/harrybrwn/patterm/internal/policy"
 	"github.com/harrybrwn/patterm/internal/preset"
 	"github.com/harrybrwn/patterm/internal/scratchpad"
+	"github.com/harrybrwn/patterm/internal/trust"
+	pkgvt "github.com/harrybrwn/patterm/internal/vt"
 )
 
 // attentionSink is implemented by uiState to surface
 // request_human_attention notifications.
 type attentionSink interface {
-	notifyAttention(childID, reason string)
+	notifyAttention(processID, reason string)
 }
 
-// toolHost adapts the running session + scratchpad store to the MCP
-// ToolHost interface. SPEC §7 tools route through here.
+// focusSink is implemented by uiState so MCP select_process can route
+// to the existing focus-change path.
+type focusSink interface {
+	focusProcess(processID string)
+}
+
+// trustPrompter is implemented by uiState to surface the SPEC §7 trust
+// confirmation modal when an agent first uses an untrusted command
+// preset. The host returns `needs_trust` to the caller; the prompt
+// completes asynchronously and the next call from the same caller
+// succeeds (or fails again if the user denied).
+type trustPrompter interface {
+	promptTrust(processID, presetName, reason string)
+}
+
+// toolHost adapts the running session + scratchpad store + trust store
+// to the MCP ToolHost interface. SPEC §7 tools route through here.
 type toolHost struct {
-	sess       *Session
-	pads       *scratchpad.Store
-	launcher   *Launcher
-	presets    preset.Set
-	policy     *policy.Policy
+	sess     *Session
+	pads     *scratchpad.Store
+	launcher *Launcher
+	presets  preset.Set
+	trust    *trust.Store
+
 	sizeMu     sync.Mutex
 	defaultRow uint16
 	defaultCol uint16
 
-	attention attentionSink
+	startedAtMu sync.Mutex
+	startedAt   map[string]time.Time
+
+	attention attentionSink
+	focus     focusSink
+	prompter  trustPrompter
 
-	// timersMu guards timers.
 	timersMu  sync.Mutex
 	nextTimer int
 }
 
+func newToolHost(sess *Session, pads *scratchpad.Store, launcher *Launcher, presets preset.Set, tr *trust.Store, cols, rows uint16) *toolHost {
+	return &toolHost{
+		sess:       sess,
+		pads:       pads,
+		launcher:   launcher,
+		presets:    presets,
+		trust:      tr,
+		defaultCol: cols,
+		defaultRow: rows,
+		startedAt:  make(map[string]time.Time),
+	}
+}
+
 func (h *toolHost) SetSize(cols, rows uint16) {
 	h.sizeMu.Lock()
 	defer h.sizeMu.Unlock()
@@ -52,120 +86,651 @@ func (h *toolHost) size() (uint16, uint16) {
 	return h.defaultCol, h.defaultRow
 }
 
-func newToolHost(sess *Session, pads *scratchpad.Store, launcher *Launcher, presets preset.Set, pol *policy.Policy, cols, rows uint16) *toolHost {
-	return &toolHost{
-		sess:       sess,
-		pads:       pads,
-		launcher:   launcher,
-		presets:    presets,
-		policy:     pol,
-		defaultCol: cols,
-		defaultRow: rows,
+// ResolveCallerIdentity maps an mcp-stdio greeting token to a
+// process_id so subsequent tool calls on this connection know who's
+// asking.
+func (h *toolHost) ResolveCallerIdentity(identity string) string {
+	c := h.sess.FindChildByIdentity(identity)
+	if c == nil {
+		return ""
 	}
+	return c.ID
 }
 
-// PolicyCheck — SPEC §9 hook. Lets an orchestrator ask whether a
-// prompt-looking string is safe to auto-answer.
-func (h *toolHost) PolicyCheck(prompt string) string {
-	if h.policy == nil {
-		return string(policy.Unknown)
+// CallerRole inspects the caller's parent. Top-level callers are
+// orchestrators; descendants are sub-agents. Unknown callers are
+// treated as orchestrators so they don't get silently denied — this
+// matches SPEC §7's caller-role concept where the role enforces what
+// the caller can do, not who they are.
+func (h *toolHost) CallerRole(processID string) mcp.CallerRole {
+	if processID == "" {
+		return mcp.RoleOrchestrator
 	}
-	return string(h.policy.Should(prompt))
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.RoleOrchestrator
+	}
+	if c.ParentID == "" {
+		return mcp.RoleOrchestrator
+	}
+	return mcp.RoleSubAgent
 }
 
-// Children — SPEC §7 list_children. The idle_ms field gives the
-// orchestrator the SPEC §11 done-signal without needing to poll bytes.
-func (h *toolHost) Children() []mcp.ChildInfo {
-	cs := h.sess.Children()
-	out := make([]mcp.ChildInfo, 0, len(cs))
-	for _, c := range cs {
-		out = append(out, mcp.ChildInfo{
-			ID:       c.ID,
-			Name:     c.Name,
-			Type:     string(c.Kind),
-			Status:   string(c.Status()),
-			ExitCode: c.ExitCode(),
-			IdleMS:   c.IdleMS(),
-			ParentID: c.ParentID,
-		})
-	}
-	return out
-}
+// ───────────────────────────────────────────────────────────────────
+// Lifecycle
+// ───────────────────────────────────────────────────────────────────
 
-func (h *toolHost) Spawn(callerID, name string, argv []string, shell bool) (mcp.ChildInfo, error) {
-	if shell && len(argv) > 0 {
-		argv = []string{"sh", "-lc", strings.Join(argv, " ")}
-	}
-	parent := callerID
-	cols, rows := h.size()
-	c, err := h.sess.Spawn(name, KindProcess, argv, nil, cols, rows, parent)
-	if err != nil {
-		return mcp.ChildInfo{}, err
-	}
-	return mcp.ChildInfo{
-		ID:       c.ID,
-		Name:     c.Name,
-		Type:     string(c.Kind),
-		Status:   string(c.Status()),
-		ParentID: c.ParentID,
-	}, nil
-}
-
-func (h *toolHost) SpawnAgent(callerID, presetName, displayName, initialPrompt string) (mcp.ChildInfo, error) {
+func (h *toolHost) SpawnAgent(callerID string, args mcp.SpawnAgentArgs) (mcp.ProcessInfo, error) {
 	var p *preset.Preset
 	for _, ap := range h.presets.Agents {
-		if ap.Name == presetName {
+		if ap.Name == args.Agent {
 			p = ap
 			break
 		}
 	}
 	if p == nil {
-		return mcp.ChildInfo{}, fmt.Errorf("unknown agent preset %q", presetName)
+		return mcp.ProcessInfo{}, mcp.Errorf("unknown_agent", "unknown agent preset %q", args.Agent)
 	}
-	if displayName == "" {
-		displayName = presetName
+	display := args.Name
+	if display == "" {
+		display = args.Agent
 	}
-	c, err := h.launcher.LaunchAgent(p, displayName, initialPrompt, callerID)
+	c, err := h.launcher.LaunchAgent(p, display, args.AgentInstructions, callerID)
 	if err != nil {
-		return mcp.ChildInfo{}, err
+		return mcp.ProcessInfo{}, err
 	}
-	return mcp.ChildInfo{
-		ID:       c.ID,
-		Name:     c.Name,
-		Type:     string(c.Kind),
-		Status:   string(c.Status()),
-		ParentID: c.ParentID,
+	h.recordStart(c.ID)
+	return h.processInfoOf(c), nil
+}
+
+func (h *toolHost) SpawnProcess(callerID string, args mcp.SpawnProcessArgs) (mcp.ProcessInfo, error) {
+	if args.Kind == "" {
+		args.Kind = "command"
+	}
+	if args.Kind != "command" && args.Kind != "terminal" {
+		return mcp.ProcessInfo{}, mcp.Errorf("invalid_kind", "spawn_process: kind must be 'command' or 'terminal'")
+	}
+	env := h.mergeEnv(args.Env)
+	if args.Kind == "terminal" {
+		c, err := h.launcher.LaunchTerminal(args.Argv, h.terminalName(args.Name), callerID, args.WorkingDir, env)
+		if err != nil {
+			return mcp.ProcessInfo{}, err
+		}
+		h.recordStart(c.ID)
+		return h.processInfoOf(c), nil
+	}
+	// kind == "command"
+	if args.Preset != "" {
+		if !h.trust.IsTrusted(args.Preset) {
+			h.askForTrust(callerID, args.Preset, "spawn_process")
+			return mcp.ProcessInfo{}, mcp.Errorf("needs_trust", "command preset %q is not trusted in this project — patterm has surfaced a confirmation; retry after the user accepts", args.Preset)
+		}
+		ps := h.commandPresetByName(args.Preset)
+		if ps == nil {
+			return mcp.ProcessInfo{}, mcp.Errorf("not_found", "command preset %q not found", args.Preset)
+		}
+		display := args.Name
+		if display == "" {
+			display = ps.Name
+		}
+		c, err := h.launcher.LaunchCommandPreset(ps, display, callerID)
+		if err != nil {
+			return mcp.ProcessInfo{}, err
+		}
+		h.recordStart(c.ID)
+		return h.processInfoOf(c), nil
+	}
+	if len(args.Argv) == 0 {
+		return mcp.ProcessInfo{}, mcp.Errorf("invalid_args", "spawn_process: either preset or argv required")
+	}
+	display := args.Name
+	if display == "" {
+		display = args.Argv[0]
+	}
+	c, err := h.launcher.LaunchCommandArgv(args.Argv, display, callerID, args.WorkingDir, env, args.Shell)
+	if err != nil {
+		return mcp.ProcessInfo{}, err
+	}
+	h.recordStart(c.ID)
+	return h.processInfoOf(c), nil
+}
+
+func (h *toolHost) StartProcess(callerID, processID string) (mcp.ProcessInfo, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.ProcessInfo{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	if c.Kind != KindCommand {
+		return mcp.ProcessInfo{}, mcp.Errorf("wrong_kind", "start_process: only command entries can be started post-creation (this is %s)", c.Kind)
+	}
+	if c.IsLive() {
+		return h.processInfoOf(c), nil
+	}
+	if c.PresetRef != "" && !h.trust.IsTrusted(c.PresetRef) {
+		h.askForTrust(callerID, c.PresetRef, "start_process")
+		return mcp.ProcessInfo{}, mcp.Errorf("needs_trust", "command preset %q is not trusted in this project", c.PresetRef)
+	}
+	cols, rows := h.size()
+	if err := h.sess.Start(processID, cols, rows); err != nil {
+		return mcp.ProcessInfo{}, err
+	}
+	h.recordStart(processID)
+	return h.processInfoOf(c), nil
+}
+
+func (h *toolHost) RestartProcess(callerID, processID string, sig syscall.Signal) (mcp.ProcessInfo, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.ProcessInfo{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	if c.Kind != KindCommand && !c.IsLive() {
+		return mcp.ProcessInfo{}, mcp.Errorf("wrong_kind", "restart_process: %s entries can only be restarted while live", c.Kind)
+	}
+	if c.Kind == KindCommand && c.PresetRef != "" && !h.trust.IsTrusted(c.PresetRef) {
+		h.askForTrust(callerID, c.PresetRef, "restart_process")
+		return mcp.ProcessInfo{}, mcp.Errorf("needs_trust", "command preset %q is not trusted in this project", c.PresetRef)
+	}
+	cols, rows := h.size()
+	if err := h.sess.Restart(processID, sig, cols, rows); err != nil {
+		return mcp.ProcessInfo{}, err
+	}
+	h.recordStart(processID)
+	return h.processInfoOf(c), nil
+}
+
+func (h *toolHost) StopProcess(callerID, processID string, sig syscall.Signal) (mcp.ProcessInfo, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.ProcessInfo{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	if err := h.sess.Kill(processID, sig); err != nil {
+		return mcp.ProcessInfo{}, err
+	}
+	return h.processInfoOf(c), nil
+}
+
+func (h *toolHost) CloseProcess(callerID, processID string) error {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	_ = c // close removes by id; the lookup just validates existence.
+	return h.sess.Close(processID, syscall.SIGTERM)
+}
+
+func (h *toolHost) RenameProcess(callerID, processID, name string) error {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	if name == "" {
+		return mcp.Errorf("invalid_args", "rename_process: name required")
+	}
+	c.SetName(name)
+	return nil
+}
+
+func (h *toolHost) SelectProcess(callerID, processID string) error {
+	if h.sess.FindChild(processID) == nil {
+		return mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	if h.focus != nil {
+		h.focus.focusProcess(processID)
+	}
+	return nil
+}
+
+// ───────────────────────────────────────────────────────────────────
+// Inspection
+// ───────────────────────────────────────────────────────────────────
+
+func (h *toolHost) ListProcesses(callerID, kindFilter string) []mcp.ProcessInfo {
+	cs := h.sess.Children()
+	out := make([]mcp.ProcessInfo, 0, len(cs))
+	for _, c := range cs {
+		if kindFilter != "" && string(c.Kind) != kindFilter {
+			continue
+		}
+		out = append(out, h.processInfoOf(c))
+	}
+	return out
+}
+
+func (h *toolHost) GetProcessStatus(callerID, processID string) (mcp.ProcessStatus, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.ProcessStatus{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	info := h.processInfoOf(c)
+	st := mcp.ProcessStatus{ProcessInfo: info}
+	st.WorkingDir = c.WorkDir
+	st.Argv = append([]string(nil), c.Argv...)
+	if t := h.startedAtOf(c.ID); !t.IsZero() {
+		st.StartedAt = t.UTC().Format(time.RFC3339)
+	}
+	if em := c.Emulator(); em != nil {
+		if sc, err := em.ActiveScreen(); err == nil {
+			st.ActiveScreen = activeScreenName(sc)
+		}
+		if cur, err := em.Cursor(); err == nil {
+			st.Cursor = mcp.Cursor{X: int(cur.Col), Y: int(cur.Row)}
+		}
+		cols, rows := em.Size()
+		st.Cols, st.Rows = int(cols), int(rows)
+	}
+	st.ScreenVersion = c.ScreenVersion()
+	return st, nil
+}
+
+func (h *toolHost) GetProjectStatus(callerID string) (mcp.ProjectStatus, error) {
+	caller := h.WhoAmI(callerID)
+	processes := h.ListProcesses(callerID, "")
+	pads, _ := h.pads.List()
+	return mcp.ProjectStatus{
+		Project:     caller.Project,
+		Caller:      caller,
+		Processes:   processes,
+		Scratchpads: pads,
 	}, nil
 }
 
-// ReadOutput — SPEC §7. Grid uses the emulator's PlainText; stream uses
-// the per-child ring buffer. For grid reads on agents we apply the
-// preset's chrome_trim_hints (SPEC §10) so banners/input-box noise
-// doesn't pollute orchestrator parsing.
-func (h *toolHost) ReadOutput(callerID, childID, mode string, sinceOffset int) (string, int, error) {
-	c := h.sess.FindChild(childID)
+func (h *toolHost) GetProcessOutput(callerID, processID, mode string, sinceOffset int64) (mcp.ProcessOutput, error) {
+	c := h.sess.FindChild(processID)
 	if c == nil {
-		return "", 0, fmt.Errorf("no such child %q", childID)
+		return mcp.ProcessOutput{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	out := mcp.ProcessOutput{
+		Mode:          mode,
+		IdleMS:        c.IdleMS(),
+		Status:        string(c.Status()),
+		ScreenVersion: c.ScreenVersion(),
+	}
+	if em := c.Emulator(); em != nil {
+		if sc, err := em.ActiveScreen(); err == nil {
+			out.ActiveScreen = activeScreenName(sc)
+		}
+		if cur, err := em.Cursor(); err == nil {
+			out.Cursor = mcp.Cursor{X: int(cur.Col), Y: int(cur.Row)}
+		}
+		cols, rows := em.Size()
+		out.Cols, out.Rows = int(cols), int(rows)
 	}
 	switch mode {
 	case "grid":
-		txt, err := c.em.PlainText()
+		em := c.Emulator()
+		if em == nil {
+			return out, nil
+		}
+		txt, err := em.PlainText()
 		if err != nil {
-			return "", 0, err
+			return mcp.ProcessOutput{}, err
 		}
 		if c.Kind == KindAgent {
-			txt = applyChromeTrim(txt, h.chromeHintsFor(c.Name))
+			txt = applyChromeTrim(txt, h.chromeHintsFor(c.PresetRef))
 		}
-		return txt, 0, nil
+		out.Content = txt
+		return out, nil
 	case "stream":
-		b, off := c.StreamRead(int64(sinceOffset))
-		return string(b), int(off), nil
+		b, end := c.StreamRead(sinceOffset)
+		out.Content = stripANSI(string(b))
+		out.NewOffset = end
+		return out, nil
 	default:
-		return "", 0, fmt.Errorf("unknown read_output mode %q", mode)
+		return mcp.ProcessOutput{}, mcp.Errorf("invalid_args", "unknown mode %q (want grid|stream)", mode)
 	}
 }
 
+func (h *toolHost) GetProcessRawOutput(callerID, processID string, sinceOffset int64) (mcp.RawOutput, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.RawOutput{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	b, end := c.StreamRead(sinceOffset)
+	return mcp.RawOutput{
+		Content:   string(b),
+		NewOffset: end,
+		Status:    string(c.Status()),
+	}, nil
+}
+
+func (h *toolHost) SearchOutput(callerID, processID, pattern, kind string, limit int) (mcp.SearchResult, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return mcp.SearchResult{}, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	re, err := regexp.Compile(pattern)
+	if err != nil {
+		return mcp.SearchResult{}, mcp.Errorf("invalid_args", "regex: %v", err)
+	}
+	b, _ := c.StreamRead(0)
+	text := string(b)
+	if kind == "rendered" {
+		text = stripANSI(text)
+	}
+	lines := strings.Split(text, "\n")
+	matches := make([]mcp.SearchMatch, 0, limit)
+	truncated := false
+	for i, line := range lines {
+		if re.MatchString(line) {
+			if len(matches) >= limit {
+				truncated = true
+				break
+			}
+			matches = append(matches, mcp.SearchMatch{LineNo: i + 1, Text: line})
+		}
+	}
+	return mcp.SearchResult{Matches: matches, Truncated: truncated}, nil
+}
+
+func (h *toolHost) WaitForPattern(callerID, processID, pattern string, timeoutSeconds float64, scope string) (bool, string, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return false, "", mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	re, err := regexp.Compile(pattern)
+	if err != nil {
+		return false, "", mcp.Errorf("invalid_args", "regex: %v", err)
+	}
+	if scope == "" {
+		scope = "grid"
+	}
+	deadline := time.Now().Add(time.Duration(timeoutSeconds * float64(time.Second)))
+	tick := time.NewTicker(50 * time.Millisecond)
+	defer tick.Stop()
+	for {
+		text := ""
+		switch scope {
+		case "grid":
+			if em := c.Emulator(); em != nil {
+				if t, err := em.PlainText(); err == nil {
+					text = t
+				}
+			}
+		case "scrollback":
+			b, _ := c.StreamRead(0)
+			text = stripANSI(string(b))
+		default:
+			return false, "", mcp.Errorf("invalid_args", "unknown scope %q (want grid|scrollback)", scope)
+		}
+		if m := re.FindString(text); m != "" {
+			return true, m, nil
+		}
+		if time.Now().After(deadline) {
+			return false, "", nil
+		}
+		<-tick.C
+		if !c.IsLive() && c.Status() != StatusStopped {
+			return false, "", nil
+		}
+	}
+}
+
+func (h *toolHost) GetProcessPorts(callerID, processID string) ([]mcp.PortSighting, error) {
+	c := h.sess.FindChild(processID)
+	if c == nil {
+		return nil, mcp.Errorf("not_found", "no such process %q", processID)
+	}
+	src := c.Ports()
+	out := make([]mcp.PortSighting, 0, len(src))
+	for _, p := range src {
+		out = append(out, mcp.PortSighting(p))
+	}
+	return out, nil
+}
+
+// ───────────────────────────────────────────────────────────────────
+// I/O
+// ───────────────────────────────────────────────────────────────────
+
+func (h *toolHost) SendInput(callerID string, args mcp.SendInputArgs) (mcp.SendInputResult, error) {
+	c := h.sess.FindChild(args.ProcessID)
+	if c == nil {
+		return mcp.SendInputResult{}, mcp.Errorf("not_found", "no such process %q", args.ProcessID)
+	}
+	if !c.IsLive() {
+		return mcp.SendInputResult{}, fmt.Errorf("process %q is %s", args.ProcessID, c.Status())
+	}
+	payload, err := encodeInput(args)
+	if err != nil {
+		return mcp.SendInputResult{}, err
+	}
+	if err := c.InjectAsOrchestrator(payload); err != nil {
+		return mcp.SendInputResult{}, err
+	}
+	res := mcp.SendInputResult{OK: true}
+	if args.WaitMS > 0 {
+		mode := args.TailMode
+		if mode == "" {
+			mode = "stream"
+		}
+		if mode != "none" {
+			time.Sleep(time.Duration(args.WaitMS) * time.Millisecond)
+			tail, err := h.GetProcessOutput(callerID, args.ProcessID, mode, 0)
+			if err == nil {
+				res.Tail = &tail
+			}
+		}
+	}
+	return res, nil
+}
+
+func encodeInput(args mcp.SendInputArgs) ([]byte, error) {
+	switch args.Kind {
+	case "", "text":
+		submit := true
+		if args.Submit != nil {
+			submit = *args.Submit
+		}
+		out := []byte(args.Text)
+		if submit {
+			out = append(out, '\n')
+		}
+		return out, nil
+	case "paste":
+		// Bracketed paste sentinels — SPEC §7. Always sent; emulator
+		// handles falling back when the target hasn't enabled bracketed
+		// paste mode (the sentinels just print).
+		return []byte("\x1b[200~" + args.Text + "\x1b[201~"), nil
+	case "key":
+		return encodeKey(args.Key)
+	}
+	return nil, mcp.Errorf("invalid_args", "send_input: unknown kind %q", args.Kind)
+}
+
+// encodeKey maps a SPEC §7 named key to bytes. We use legacy xterm
+// escapes here; the emulator's key encoder is concerned with what
+// arrives FROM the user, not bytes sent TO the child. Kitty keyboard
+// protocol support is a future refinement.
+func encodeKey(key string) ([]byte, error) {
+	switch key {
+	case "enter":
+		return []byte{'\r'}, nil
+	case "tab":
+		return []byte{'\t'}, nil
+	case "escape":
+		return []byte{0x1b}, nil
+	case "backspace":
+		return []byte{0x7f}, nil
+	case "ctrl-c":
+		return []byte{0x03}, nil
+	case "ctrl-d":
+		return []byte{0x04}, nil
+	case "up":
+		return []byte("\x1b[A"), nil
+	case "down":
+		return []byte("\x1b[B"), nil
+	case "right":
+		return []byte("\x1b[C"), nil
+	case "left":
+		return []byte("\x1b[D"), nil
+	case "home":
+		return []byte("\x1b[H"), nil
+	case "end":
+		return []byte("\x1b[F"), nil
+	case "page-up":
+		return []byte("\x1b[5~"), nil
+	case "page-down":
+		return []byte("\x1b[6~"), nil
+	case "f1":
+		return []byte("\x1bOP"), nil
+	case "f2":
+		return []byte("\x1bOQ"), nil
+	case "f3":
+		return []byte("\x1bOR"), nil
+	case "f4":
+		return []byte("\x1bOS"), nil
+	case "f5":
+		return []byte("\x1b[15~"), nil
+	case "f6":
+		return []byte("\x1b[17~"), nil
+	case "f7":
+		return []byte("\x1b[18~"), nil
+	case "f8":
+		return []byte("\x1b[19~"), nil
+	case "f9":
+		return []byte("\x1b[20~"), nil
+	case "f10":
+		return []byte("\x1b[21~"), nil
+	case "f11":
+		return []byte("\x1b[23~"), nil
+	case "f12":
+		return []byte("\x1b[24~"), nil
+	}
+	return nil, mcp.Errorf("invalid_args", "unknown key %q", key)
+}
+
+// ───────────────────────────────────────────────────────────────────
+// Coordination
+// ───────────────────────────────────────────────────────────────────
+
+// SendMessage delivers a tagged message into the target's PTY.
+// Direction is inferred from the caller↔target relationship (SPEC §7
+// send_message): parent→child → `[orchestrator]`; child→parent →
+// `[sub-agent:<caller>]`; everything else (siblings, unrelated) →
+// `not_related`.
+func (h *toolHost) SendMessage(callerID, targetID, message string) error {
+	target := h.sess.FindChild(targetID)
+	if target == nil {
+		return mcp.Errorf("not_found", "no such process %q", targetID)
+	}
+	caller := h.sess.FindChild(callerID)
+	line, err := classifySendMessage(caller, target, callerID, message)
+	if err != nil {
+		return err
+	}
+	return target.InjectAsOrchestrator([]byte(line))
+}
+
+// classifySendMessage is the pure routing-decision helper extracted
+// from SendMessage so unit tests can exercise the direction inference
+// without spinning up real PTYs.
+//
+// The caller pointer may be nil — that's the case when the request
+// arrives over an MCP connection without a resolved patterm identity
+// (a top-level tool client). In that case we treat the caller as an
+// implicit orchestrator and accept the message if the target is a
+// top-level process.
+func classifySendMessage(caller, target *Child, callerID, message string) (string, error) {
+	if target.ID == callerID {
+		return "", mcp.Errorf("not_related", "send_message: cannot send to self")
+	}
+	if caller != nil && target.ParentID == caller.ID {
+		return "[orchestrator] " + message + "\n", nil
+	}
+	if caller != nil && caller.ParentID == target.ID {
+		return fmt.Sprintf("[sub-agent:%s] %s\n", caller.DisplayName(), message), nil
+	}
+	if caller == nil && target.ParentID == "" {
+		return "[orchestrator] " + message + "\n", nil
+	}
+	return "", mcp.Errorf("not_related", "send_message: %q is neither parent nor child of caller (siblings must route through the parent in v1)", target.ID)
+}
+
+func (h *toolHost) RequestHumanAttention(callerID, processID, reason string) error {
+	if h.attention != nil {
+		h.attention.notifyAttention(processID, reason)
+	}
+	return nil
+}
+
+func (h *toolHost) TimerWait(callerID string, seconds float64, label string) (string, error) {
+	caller := h.sess.FindChild(callerID)
+	if caller == nil {
+		return "", mcp.Errorf("not_found", "caller %q not known to patterm", callerID)
+	}
+	h.timersMu.Lock()
+	h.nextTimer++
+	id := fmt.Sprintf("t%d", h.nextTimer)
+	h.timersMu.Unlock()
+	if label == "" {
+		label = id
+	}
+	go func() {
+		time.Sleep(time.Duration(seconds * float64(time.Second)))
+		if !caller.IsLive() {
+			return
+		}
+		line := fmt.Sprintf("[system] Your timer [%s] has completed.\n", label)
+		_ = caller.InjectAsOrchestrator([]byte(line))
+	}()
+	return id, nil
+}
+
+// ───────────────────────────────────────────────────────────────────
+// Scratchpads / Meta
+// ───────────────────────────────────────────────────────────────────
+
+func (h *toolHost) Scratchpads() *scratchpad.Store { return h.pads }
+
+func (h *toolHost) WhoAmI(callerID string) mcp.WhoAmI {
+	w := mcp.WhoAmI{
+		ProcessID: callerID,
+		Role:      h.CallerRole(callerID),
+		Project: mcp.ProjectMeta{
+			Path: h.sess.projectDir,
+			Key:  h.sess.projectKey,
+		},
+		AvailableTools: availableToolsForRole(h.CallerRole(callerID)),
+	}
+	if c := h.sess.FindChild(callerID); c != nil {
+		w.Name = c.DisplayName()
+		w.ParentProcessID = c.ParentID
+	}
+	return w
+}
+
+func (h *toolHost) Help(callerID, topic string) mcp.HelpResponse {
+	return helpFor(topic)
+}
+
+// ───────────────────────────────────────────────────────────────────
+// Internal helpers
+// ───────────────────────────────────────────────────────────────────
+
+func (h *toolHost) processInfoOf(c *Child) mcp.ProcessInfo {
+	info := mcp.ProcessInfo{
+		ID:              c.ID,
+		Name:            c.DisplayName(),
+		Kind:            string(c.Kind),
+		Status:          string(c.Status()),
+		ParentProcessID: c.ParentID,
+		IdleMS:          c.IdleMS(),
+	}
+	if !c.IsLive() && c.Status() != StatusStopped {
+		ec := c.ExitCode()
+		info.ExitCode = &ec
+	}
+	if c.Kind == KindCommand && c.PresetRef != "" {
+		t := h.trust.IsTrusted(c.PresetRef)
+		info.Trusted = &t
+	}
+	return info
+}
+
 func (h *toolHost) chromeHintsFor(presetName string) []string {
+	if presetName == "" {
+		return nil
+	}
 	for _, p := range h.presets.Agents {
 		if p.Name == presetName {
 			return p.ChromeTrimHints
@@ -174,9 +739,54 @@ func (h *toolHost) chromeHintsFor(presetName string) []string {
 	return nil
 }
 
-// applyChromeTrim deletes every line that matches any of the given
-// regexes. Compiled regexes are cached per call; the agent preset list
-// is small enough that recompilation cost is negligible.
+func (h *toolHost) commandPresetByName(name string) *preset.Preset {
+	for _, p := range h.presets.Processes {
+		if p.Name == name {
+			return p
+		}
+	}
+	return nil
+}
+
+func (h *toolHost) terminalName(name string) string {
+	if name != "" {
+		return name
+	}
+	return "terminal"
+}
+
+func (h *toolHost) mergeEnv(extra map[string]string) []string {
+	if len(extra) == 0 {
+		return nil
+	}
+	env := h.sess.ChildEnv()
+	for k, v := range extra {
+		env = append(env, k+"="+v)
+	}
+	return env
+}
+
+func (h *toolHost) recordStart(id string) {
+	h.startedAtMu.Lock()
+	defer h.startedAtMu.Unlock()
+	h.startedAt[id] = time.Now()
+}
+
+func (h *toolHost) startedAtOf(id string) time.Time {
+	h.startedAtMu.Lock()
+	defer h.startedAtMu.Unlock()
+	return h.startedAt[id]
+}
+
+func (h *toolHost) askForTrust(callerID, presetName, reason string) {
+	if h.prompter == nil {
+		return
+	}
+	h.prompter.promptTrust(callerID, presetName, reason)
+}
+
+// applyChromeTrim deletes lines matching any of the given regexes.
+// SPEC §10 chrome_trim_hints.
 func applyChromeTrim(txt string, hints []string) string {
 	if len(hints) == 0 {
 		return txt
@@ -208,128 +818,114 @@ func applyChromeTrim(txt string, hints []string) string {
 	return strings.Join(out, "\n")
 }
 
-func (h *toolHost) SendInput(callerID, childID string, payload []byte, appendNewline bool) error {
-	if appendNewline {
-		payload = append(payload, '\n')
+func activeScreenName(s pkgvt.Screen) string {
+	switch s {
+	case pkgvt.ScreenAlternate:
+		return "alternate"
+	default:
+		return "main"
 	}
-	c := h.sess.FindChild(childID)
-	if c == nil {
-		return fmt.Errorf("no such child %q", childID)
-	}
-	if c.Status() != StatusRunning {
-		return fmt.Errorf("child %q is %s", childID, c.Status())
-	}
-	return c.InjectAsOrchestrator(payload)
 }
 
-func (h *toolHost) Kill(callerID, childID string, sig syscall.Signal) error {
-	return h.sess.Kill(childID, sig)
+// ansiRegexp strips CSI escape sequences and common single-character
+// controls (BEL, OSC terminators) from the stream. The vt emulator
+// already handles full rendering for grid mode; this is only for
+// stream-mode ANSI-stripped output.
+var ansiRegexp = regexp.MustCompile(`\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]|\x1b[\x40-\x5f]|\x07`)
+
+func stripANSI(s string) string {
+	return ansiRegexp.ReplaceAllString(s, "")
 }
 
-// SendMessageTo — SPEC §7 + §8. Injects "[orchestrator] <msg>\n" into
-// the target's PTY.
-func (h *toolHost) SendMessageTo(callerID, targetID, message string) error {
-	target := h.sess.FindChild(targetID)
-	if target == nil {
-		return fmt.Errorf("no such child %q", targetID)
+// availableToolsForRole — SPEC §7 whoami exposes the list a caller can
+// invoke from its current role. Sub-agents lose `spawn_agent` (§8
+// two-level-tree rule).
+func availableToolsForRole(role mcp.CallerRole) []string {
+	tools := []string{
+		"spawn_process", "start_process", "restart_process", "stop_process",
+		"close_process", "rename_process", "select_process",
+		"list_processes", "get_process_status", "get_project_status",
+		"get_process_output", "get_process_raw_output", "search_output",
+		"wait_for_pattern", "get_process_ports",
+		"send_input", "send_message", "request_human_attention", "timer_wait",
+		"scratchpad_list", "scratchpad_read", "scratchpad_write", "scratchpad_append",
+		"whoami", "help",
 	}
-	line := "[orchestrator] " + message + "\n"
-	return target.InjectAsOrchestrator([]byte(line))
+	if role == mcp.RoleOrchestrator {
+		tools = append([]string{"spawn_agent"}, tools...)
+	}
+	return tools
 }
 
-// ReportToParent — SPEC §8. Injects "[sub-agent:<name>] <msg>\n" into
-// the calling agent's parent pane.
-func (h *toolHost) ReportToParent(callerID, message string) error {
-	caller := h.sess.FindChild(callerID)
-	if caller == nil {
-		return fmt.Errorf("caller %q not known to patterm", callerID)
-	}
-	if caller.ParentID == "" {
-		return fmt.Errorf("caller %q has no parent", callerID)
-	}
-	parent := h.sess.FindChild(caller.ParentID)
-	if parent == nil {
-		return fmt.Errorf("parent %q gone", caller.ParentID)
-	}
-	line := fmt.Sprintf("[sub-agent:%s] %s\n", caller.Name, message)
-	return parent.InjectAsOrchestrator([]byte(line))
-}
-
-// TimerWait — SPEC §7. Returns immediately with a timer_id. After
-// seconds elapse, injects "[system] Your timer [<label>] has completed.\n"
-// into the calling agent's pane.
-func (h *toolHost) TimerWait(callerID string, seconds float64, label string) (string, error) {
-	caller := h.sess.FindChild(callerID)
-	if caller == nil {
-		return "", fmt.Errorf("caller %q not known to patterm", callerID)
-	}
-	h.timersMu.Lock()
-	h.nextTimer++
-	id := fmt.Sprintf("t%d", h.nextTimer)
-	h.timersMu.Unlock()
-	if label == "" {
-		label = id
-	}
-	go func() {
-		time.Sleep(time.Duration(seconds * float64(time.Second)))
-		if caller.Status() != StatusRunning {
-			return
+// helpFor — SPEC §7 help. Topic content is intentionally short; the
+// goal is orientation, not full documentation.
+func helpFor(topic string) mcp.HelpResponse {
+	switch topic {
+	case "", "topics":
+		return mcp.HelpResponse{
+			Topic: "topics",
+			Content: "Available topics: spawning, inspection, io, coordination, " +
+				"scratchpads, timers, readiness, permissions, conventions, topics. " +
+				"Call help(topic) for guidance. Call whoami for your role and the " +
+				"complete tool list available to you.",
 		}
-		line := fmt.Sprintf("[system] Your timer [%s] has completed.\n", label)
-		_ = caller.InjectAsOrchestrator([]byte(line))
-	}()
-	return id, nil
-}
-
-// WaitForPattern — SPEC §7. Polls the child's plain-text grid at ~50ms
-// until the regex matches or the timeout expires.
-func (h *toolHost) WaitForPattern(callerID, childID, pattern string, timeoutSeconds float64) (bool, string, error) {
-	c := h.sess.FindChild(childID)
-	if c == nil {
-		return false, "", fmt.Errorf("no such child %q", childID)
-	}
-	re, err := regexp.Compile(pattern)
-	if err != nil {
-		return false, "", fmt.Errorf("regex: %w", err)
-	}
-	deadline := time.Now().Add(time.Duration(timeoutSeconds * float64(time.Second)))
-	tick := time.NewTicker(50 * time.Millisecond)
-	defer tick.Stop()
-	for {
-		txt, err := c.em.PlainText()
-		if err == nil {
-			if m := re.FindString(txt); m != "" {
-				return true, m, nil
-			}
+	case "spawning":
+		return mcp.HelpResponse{
+			Topic:        "spawning",
+			Content:      "spawn_agent launches another vendor LLM CLI as a sub-agent (orchestrator only). spawn_process(kind: command, preset: …) starts a stored command; spawn_process(kind: terminal) opens a shell. Command presets need trust the first time — you'll get needs_trust until the human accepts.",
+			RelatedTools: []string{"spawn_agent", "spawn_process", "start_process", "restart_process"},
 		}
-		if time.Now().After(deadline) {
-			return false, "", nil
+	case "inspection":
+		return mcp.HelpResponse{
+			Topic:        "inspection",
+			Content:      "get_process_output gives you the visible pane (grid mode) or a byte slice from since_offset (stream mode). list_processes is for the whole session. get_project_status batches everything you need to orient yourself.",
+			RelatedTools: []string{"list_processes", "get_process_status", "get_process_output", "search_output", "wait_for_pattern", "get_project_status"},
 		}
-		<-tick.C
-		if c.Status() != StatusRunning {
-			return false, "", nil
+	case "io":
+		return mcp.HelpResponse{
+			Topic:        "io",
+			Content:      "send_input with kind=text submits a line (set submit=false to omit Enter). kind=key uses named keys (enter, tab, escape, ctrl-c, arrows, …). kind=paste wraps the text in bracketed-paste sentinels for multi-line content. Set wait_ms+tail_mode to read back the tail after sending.",
+			RelatedTools: []string{"send_input"},
+		}
+	case "coordination":
+		return mcp.HelpResponse{
+			Topic:        "coordination",
+			Content:      "send_message tags the message with the caller's role (parent → [orchestrator], child → [sub-agent:<name>]). Siblings must route through their parent. request_human_attention raises a UI notification when you can't safely decide.",
+			RelatedTools: []string{"send_message", "request_human_attention"},
+		}
+	case "scratchpads":
+		return mcp.HelpResponse{
+			Topic:        "scratchpads",
+			Content:      "Project-scoped markdown files. Read returns content + revision; pass that back as expected_revision on write to get last-write-wins-with-detection. Append is unconditional.",
+			RelatedTools: []string{"scratchpad_list", "scratchpad_read", "scratchpad_write", "scratchpad_append"},
+		}
+	case "timers":
+		return mcp.HelpResponse{
+			Topic:        "timers",
+			Content:      "timer_wait returns a timer_id immediately and injects `[system] Your timer [<label>] has completed.` into your pane when it fires. Use it instead of sleeping in your own process.",
+			RelatedTools: []string{"timer_wait"},
+		}
+	case "readiness":
+		return mcp.HelpResponse{
+			Topic:        "readiness",
+			Content:      "A pane is 'idle' once nothing has been written to its PTY for ~1s (SPEC §11). Treat idle as a signal to read, not a guarantee of completion. wait_for_pattern lets you wait on a known terminal marker for stronger evidence.",
+			RelatedTools: []string{"wait_for_pattern", "get_process_status"},
+		}
+	case "permissions":
+		return mcp.HelpResponse{
+			Topic:        "permissions",
+			Content:      "Sub-agents are launched with vendor permissions on — drive their confirmation prompts via get_process_output + send_input. When you can't safely decide, call request_human_attention.",
+			RelatedTools: []string{"get_process_output", "send_input", "request_human_attention"},
+		}
+	case "conventions":
+		return mcp.HelpResponse{
+			Topic: "conventions",
+			Content: "patterm tags messages in your input so you can tell who's writing:\n" +
+				"  [orchestrator] msg     — from your parent\n" +
+				"  [sub-agent:name] msg   — from one of your children\n" +
+				"  [system] msg           — patterm itself (timers, lifecycle)\n" +
+				"  no tag                 — the human typed into the pane",
 		}
 	}
-}
-
-func (h *toolHost) RequestHumanAttention(callerID, childID, reason string) error {
-	if h.attention != nil {
-		h.attention.notifyAttention(childID, reason)
-	}
-	return nil
-}
-
-func (h *toolHost) Scratchpads() *scratchpad.Store {
-	return h.pads
-}
-
-// ResolveCallerIdentity maps the per-spawn identity token back to a
-// child ID so the tools above can use it as a parent pointer / inject
-// target.
-func (h *toolHost) ResolveCallerIdentity(identity string) string {
-	c := h.sess.FindChildByIdentity(identity)
-	if c == nil {
-		return ""
-	}
-	return c.ID
+	return mcp.HelpResponse{Topic: topic, Content: fmt.Sprintf("unknown topic %q — try help('topics')", topic)}
 }
diff --git a/internal/app/host_test.go b/internal/app/host_test.go
new file mode 100644
index 0000000..0ceacee
--- /dev/null
+++ b/internal/app/host_test.go
@@ -0,0 +1,99 @@
+package app
+
+import (
+	"strings"
+	"testing"
+)
+
+// mkChild builds a Child without starting a PTY. Use sparingly — the
+// resulting child has no emulator / ring buffer / status pointer set
+// the way newChild would.
+func mkChild(id, name, parent string) *Child {
+	return &Child{ID: id, Name: name, ParentID: parent}
+}
+
+func TestClassifySendMessageOrchestratorToChild(t *testing.T) {
+	parent := mkChild("p_aaa", "claude-1", "")
+	child := mkChild("p_bbb", "codex-1", "p_aaa")
+
+	line, err := classifySendMessage(parent, child, parent.ID, "hi child")
+	if err != nil {
+		t.Fatalf("expected success, got %v", err)
+	}
+	if !strings.HasPrefix(line, "[orchestrator] hi child") {
+		t.Fatalf("parent→child should tag [orchestrator], got %q", line)
+	}
+}
+
+func TestClassifySendMessageChildToParent(t *testing.T) {
+	parent := mkChild("p_aaa", "claude-1", "")
+	child := mkChild("p_bbb", "codex-1", "p_aaa")
+
+	line, err := classifySendMessage(child, parent, child.ID, "status update")
+	if err != nil {
+		t.Fatalf("expected success, got %v", err)
+	}
+	if !strings.Contains(line, "[sub-agent:codex-1]") {
+		t.Fatalf("child→parent should tag [sub-agent:<name>], got %q", line)
+	}
+}
+
+func TestClassifySendMessageSiblingRejected(t *testing.T) {
+	parent := mkChild("p_aaa", "claude-1", "")
+	sibA := mkChild("p_bbb", "codex-1", "p_aaa")
+	sibB := mkChild("p_ccc", "codex-2", "p_aaa")
+	_ = parent
+
+	_, err := classifySendMessage(sibA, sibB, sibA.ID, "hey")
+	if err == nil {
+		t.Fatalf("sibling send_message should fail with not_related")
+	}
+	if !strings.Contains(err.Error(), "neither parent nor child") {
+		t.Fatalf("error should mention sibling routing rule, got %v", err)
+	}
+}
+
+func TestClassifySendMessageUnrelatedRejected(t *testing.T) {
+	// Two unrelated top-level processes — they have no shared lineage.
+	a := mkChild("p_aaa", "claude-1", "")
+	b := mkChild("p_bbb", "codex-1", "")
+
+	_, err := classifySendMessage(a, b, a.ID, "hi")
+	if err == nil {
+		t.Fatalf("unrelated top-level send_message should fail")
+	}
+}
+
+func TestClassifySendMessageCannotSendToSelf(t *testing.T) {
+	c := mkChild("p_aaa", "claude-1", "")
+	_, err := classifySendMessage(c, c, c.ID, "talking to myself")
+	if err == nil {
+		t.Fatalf("self-send should fail")
+	}
+}
+
+func TestClassifySendMessageNilCallerAcceptsTopLevel(t *testing.T) {
+	// Caller arrived over an MCP connection without a resolved patterm
+	// identity (top-level tool client). Target is top-level; should
+	// land as [orchestrator].
+	target := mkChild("p_aaa", "claude-1", "")
+	line, err := classifySendMessage(nil, target, "" /* unknown caller id */, "go")
+	if err != nil {
+		t.Fatalf("expected success for nil-caller → top-level target, got %v", err)
+	}
+	if !strings.HasPrefix(line, "[orchestrator] go") {
+		t.Fatalf("expected [orchestrator] tag, got %q", line)
+	}
+}
+
+func TestClassifySendMessageNilCallerRejectsNonTopLevelTarget(t *testing.T) {
+	parent := mkChild("p_aaa", "claude-1", "")
+	child := mkChild("p_bbb", "codex-1", "p_aaa")
+	_ = parent
+
+	_, err := classifySendMessage(nil, child, "", "hi")
+	if err == nil {
+		t.Fatalf("nil caller → non-top-level should fail")
+	}
+}
+
diff --git a/internal/app/launch.go b/internal/app/launch.go
index c4b78a3..93c6178 100644
--- a/internal/app/launch.go
+++ b/internal/app/launch.go
@@ -90,7 +90,15 @@ func (l *Launcher) LaunchAgent(p *preset.Preset, displayName, initialPrompt, par
 
 	// Spawn with the chosen identity.
 	cols, rows := l.size()
-	c, err := l.sess.spawnWithIdentity(displayName, KindAgent, argv, env, cols, rows, parentID, identity)
+	c, err := l.sess.Spawn(SpawnSpec{
+		Kind:      KindAgent,
+		Argv:      argv,
+		Env:       env,
+		Name:      displayName,
+		ParentID:  parentID,
+		PresetRef: p.Name,
+		Identity:  identity,
+	}, cols, rows)
 	if err != nil {
 		_ = os.Remove(mcpConfigPath)
 		return nil, err
@@ -111,17 +119,72 @@ func (l *Launcher) LaunchAgent(p *preset.Preset, displayName, initialPrompt, par
 	return c, nil
 }
 
-// LaunchProcess spawns a process preset. No MCP injection; just argv.
-func (l *Launcher) LaunchProcess(p *preset.Preset, displayName string) (*Child, error) {
-	if p.Kind != preset.KindProcess {
-		return nil, fmt.Errorf("launch: %q is not a process preset", p.Name)
+// LaunchCommandPreset spawns a process preset as a SPEC §7 command
+// entry. No MCP injection; just argv. The entry is session-persistent
+// (survives PTY exit so it can be Restart'd).
+func (l *Launcher) LaunchCommandPreset(p *preset.Preset, displayName, parentID string) (*Child, error) {
+	if p.Kind != preset.KindCommand {
+		return nil, fmt.Errorf("launch: %q is not a command preset", p.Name)
 	}
 	env := l.sess.ChildEnv()
 	for k, v := range p.Env {
 		env = append(env, k+"="+v)
 	}
 	cols, rows := l.size()
-	return l.sess.Spawn(displayName, KindProcess, p.ResolvedArgv(), env, cols, rows, "")
+	return l.sess.Spawn(SpawnSpec{
+		Kind:      KindCommand,
+		Argv:      p.ResolvedArgv(),
+		Env:       env,
+		Name:      displayName,
+		ParentID:  parentID,
+		WorkDir:   p.WorkingDir,
+		PresetRef: p.Name,
+	}, cols, rows)
+}
+
+// LaunchCommandArgv spawns a freeform-argv command entry. Trust gating
+// (SPEC §7) lives one level up in toolHost — by the time we get here
+// trust is settled (freeform argv is implicitly trusted).
+func (l *Launcher) LaunchCommandArgv(argv []string, displayName, parentID, workDir string, env []string, shell bool) (*Child, error) {
+	if shell && len(argv) > 0 {
+		argv = []string{"sh", "-lc", strings.Join(argv, " ")}
+	}
+	if env == nil {
+		env = l.sess.ChildEnv()
+	}
+	cols, rows := l.size()
+	return l.sess.Spawn(SpawnSpec{
+		Kind:     KindCommand,
+		Argv:     argv,
+		Env:      env,
+		Name:     displayName,
+		ParentID: parentID,
+		WorkDir:  workDir,
+	}, cols, rows)
+}
+
+// LaunchTerminal spawns a bare interactive shell. SPEC §7 kind=terminal.
+// argv defaults to $SHELL -i when empty.
+func (l *Launcher) LaunchTerminal(argv []string, displayName, parentID, workDir string, env []string) (*Child, error) {
+	if len(argv) == 0 {
+		sh := os.Getenv("SHELL")
+		if sh == "" {
+			sh = "/bin/sh"
+		}
+		argv = []string{sh, "-i"}
+	}
+	if env == nil {
+		env = l.sess.ChildEnv()
+	}
+	cols, rows := l.size()
+	return l.sess.Spawn(SpawnSpec{
+		Kind:     KindTerminal,
+		Argv:     argv,
+		Env:      env,
+		Name:     displayName,
+		ParentID: parentID,
+		WorkDir:  workDir,
+	}, cols, rows)
 }
 
 func (l *Launcher) writeMCPConfig() (identity, path string, err error) {
diff --git a/internal/app/session.go b/internal/app/session.go
index 9419d04..c4ef63a 100644
--- a/internal/app/session.go
+++ b/internal/app/session.go
@@ -12,8 +12,8 @@ import (
 	"fmt"
 	"os"
 	"sync"
-	"sync/atomic"
 	"syscall"
+	"time"
 
 	"github.com/harrybrwn/patterm/internal/vt"
 )
@@ -29,7 +29,10 @@ type Session struct {
 	children map[string]*Child
 	order    []string
 
-	nextChildSeq atomic.Int64
+	// nameSeq tracks the default-name counter per kind (agent-1,
+	// command-2, terminal-3, …). Reset is a non-goal: counters are
+	// monotonic across the session lifetime.
+	nameSeq map[ChildKind]int
 
 	// listeners is the set of UI listeners that want to hear about child
 	// lifecycle events (spawn/exit) — exactly one (the TUI) in v1.
@@ -53,6 +56,7 @@ func NewSession(projectDir, projectKey string) *Session {
 		projectDir: projectDir,
 		projectKey: projectKey,
 		children:   make(map[string]*Child),
+		nameSeq:    make(map[ChildKind]int),
 	}
 }
 
@@ -102,24 +106,45 @@ func (s *Session) ChildEnv() []string {
 	return env
 }
 
-// Spawn launches a new child with the given argv. kind is "agent" or
-// "process". parentID names the calling session/child for orchestrator
-// trees ("" for top-level). env is the full child environment; the
-// caller is responsible for adding preset-specific overrides.
-func (s *Session) Spawn(name string, kind ChildKind, argv, env []string, cols, rows uint16, parentID string) (*Child, error) {
+// SpawnSpec is the argument record for Session.Spawn — the new
+// argv-shaped spawn API matching SPEC §7 spawn_process.
+type SpawnSpec struct {
+	Kind      ChildKind
+	Argv      []string
+	Env       []string
+	WorkDir   string
+	Name      string
+	ParentID  string
+	PresetRef string
+	Identity  string // pre-minted; otherwise the constructor mints one for agents
+}
+
+// Spawn creates a new entry and starts its PTY. For Kind = command the
+// entry remains in the session after PTY exit (it can be Restart'd).
+// For agent/terminal the entry's lifetime equals the PTY's: reapChild
+// fires emitExit and the entry stays in `exited` status until the
+// caller `close_process`'s it.
+func (s *Session) Spawn(spec SpawnSpec, cols, rows uint16) (*Child, error) {
+	if len(spec.Argv) == 0 {
+		return nil, errors.New("session.Spawn: empty argv")
+	}
+	if spec.Env == nil {
+		spec.Env = s.ChildEnv()
+	}
+
 	s.mu.Lock()
-	id := fmt.Sprintf("c%d", s.nextChildSeq.Add(1))
-	if name == "" {
-		name = fmt.Sprintf("%s-%s", kind, id)
+	id := s.mintUniqueIDLocked()
+	s.nameSeq[spec.Kind]++
+	if spec.Name == "" {
+		spec.Name = fmt.Sprintf("%s-%d", spec.Kind, s.nameSeq[spec.Kind])
 	}
 	s.mu.Unlock()
 
-	if env == nil {
-		env = s.ChildEnv()
+	c := newChildEntry(id, spec.Name, spec.Kind, spec.Argv, spec.Env, spec.ParentID, spec.WorkDir, spec.PresetRef)
+	if spec.Identity != "" {
+		c.Identity = spec.Identity
 	}
-
-	c, err := newChild(id, name, kind, argv, env, cols, rows, parentID)
-	if err != nil {
+	if err := c.startPTY(cols, rows); err != nil {
 		return nil, err
 	}
 
@@ -134,27 +159,148 @@ func (s *Session) Spawn(name string, kind ChildKind, argv, env []string, cols, r
 	return c, nil
 }
 
-// spawnWithIdentity is like Spawn but lets the launcher pre-mint the
-// MCP identity so the config file can be written before the process
-// starts.
-func (s *Session) spawnWithIdentity(name string, kind ChildKind, argv, env []string, cols, rows uint16, parentID, identity string) (*Child, error) {
-	c, err := s.Spawn(name, kind, argv, env, cols, rows, parentID)
-	if err != nil {
-		return nil, err
+// AddCommandEntry registers a command entry without starting it. Used
+// by spawn_process(kind: command) when SPEC §7 needs the entry to exist
+// in `stopped` state first (we always start it after; the indirection
+// is here so future versions can support deferred starts).
+func (s *Session) AddCommandEntry(spec SpawnSpec) *Child {
+	s.mu.Lock()
+	id := s.mintUniqueIDLocked()
+	s.nameSeq[spec.Kind]++
+	if spec.Name == "" {
+		spec.Name = fmt.Sprintf("%s-%d", spec.Kind, s.nameSeq[spec.Kind])
+	}
+	if spec.Env == nil {
+		spec.Env = s.ChildEnv()
+	}
+	c := newChildEntry(id, spec.Name, spec.Kind, spec.Argv, spec.Env, spec.ParentID, spec.WorkDir, spec.PresetRef)
+	s.children[id] = c
+	s.order = append(s.order, id)
+	s.mu.Unlock()
+	s.emitSpawn(c)
+	return c
+}
+
+// Start (re)attaches a PTY to an entry that is currently stopped or
+// exited. Errors if the entry is already live.
+func (s *Session) Start(id string, cols, rows uint16) error {
+	c := s.FindChild(id)
+	if c == nil {
+		return fmt.Errorf("no such process %q", id)
+	}
+	if c.IsLive() {
+		return nil // SPEC §7 start_process is a no-op on a running entry
+	}
+	if err := c.startPTY(cols, rows); err != nil {
+		return err
+	}
+	go s.pumpChild(c)
+	go s.reapChild(c)
+	return nil
+}
+
+// Restart stops the entry (if live) then starts it again with the same
+// argv/env/workdir. Per SPEC §7: valid for command entries; valid for
+// agent/terminal only while their PTY is still live.
+func (s *Session) Restart(id string, sig syscall.Signal, cols, rows uint16) error {
+	c := s.FindChild(id)
+	if c == nil {
+		return fmt.Errorf("no such process %q", id)
+	}
+	if c.Kind != KindCommand && !c.IsLive() {
+		return fmt.Errorf("restart: %s entries can only be restarted while live", c.Kind)
+	}
+	if c.IsLive() {
+		if sig == 0 {
+			sig = syscall.SIGTERM
+		}
+		_ = c.signal(sig)
+		// Wait briefly for the reaper to mark exited. We don't need
+		// strict synchronization — the reaper will run regardless; we
+		// just want startPTY to land after teardown.
+		deadline := time.Now().Add(2 * time.Second)
+		for c.IsLive() && time.Now().Before(deadline) {
+			time.Sleep(20 * time.Millisecond)
+		}
+		if c.IsLive() {
+			// Force.
+			_ = c.signal(syscall.SIGKILL)
+			for c.IsLive() {
+				time.Sleep(20 * time.Millisecond)
+			}
+		}
+	}
+	c.teardownPTY()
+	if err := c.startPTY(cols, rows); err != nil {
+		return err
+	}
+	go s.pumpChild(c)
+	go s.reapChild(c)
+	return nil
+}
+
+// Close removes an entry from the session entirely. If still live,
+// stops it first. SPEC §7 close_process.
+func (s *Session) Close(id string, sig syscall.Signal) error {
+	c := s.FindChild(id)
+	if c == nil {
+		return fmt.Errorf("no such process %q", id)
+	}
+	if c.IsLive() {
+		if sig == 0 {
+			sig = syscall.SIGTERM
+		}
+		_ = c.signal(sig)
+		deadline := time.Now().Add(2 * time.Second)
+		for c.IsLive() && time.Now().Before(deadline) {
+			time.Sleep(20 * time.Millisecond)
+		}
+		if c.IsLive() {
+			_ = c.signal(syscall.SIGKILL)
+			for c.IsLive() {
+				time.Sleep(20 * time.Millisecond)
+			}
+		}
+	}
+	c.teardownPTY()
+	s.mu.Lock()
+	delete(s.children, id)
+	for i, oid := range s.order {
+		if oid == id {
+			s.order = append(s.order[:i], s.order[i+1:]...)
+			break
+		}
+	}
+	s.mu.Unlock()
+	return nil
+}
+
+// mintUniqueIDLocked mints an opaque process_id (SPEC §7) and retries
+// if it collides with an existing entry. Caller holds s.mu.
+func (s *Session) mintUniqueIDLocked() string {
+	for {
+		id := mintProcessID()
+		if _, exists := s.children[id]; !exists {
+			return id
+		}
 	}
-	c.Identity = identity
-	return c, nil
 }
 
 func (s *Session) pumpChild(c *Child) {
 	buf := make([]byte, 64*1024)
 	for {
-		n, err := c.pty.Read(buf)
+		pty := c.PTY()
+		if pty == nil {
+			return
+		}
+		n, err := pty.Read(buf)
 		if n > 0 {
 			chunk := make([]byte, n)
 			copy(chunk, buf[:n])
-			if _, werr := c.em.Write(chunk); werr != nil {
-				logf("emulator.Write(child %s): %v", c.ID, werr)
+			if em := c.Emulator(); em != nil {
+				if _, werr := em.Write(chunk); werr != nil {
+					logf("emulator.Write(child %s): %v", c.ID, werr)
+				}
 			}
 			c.recordWrite(chunk)
 			s.emitPTYOut(c.ID, chunk)
@@ -169,7 +315,11 @@ func (s *Session) pumpChild(c *Child) {
 }
 
 func (s *Session) reapChild(c *Child) {
-	err := c.pty.Wait()
+	pty := c.PTY()
+	if pty == nil {
+		return
+	}
+	err := pty.Wait()
 	c.markExited(err)
 	logf("child %s exited (err=%v)", c.ID, err)
 	s.emitExit(c)
@@ -233,7 +383,11 @@ func (s *Session) WriteInput(id string, b []byte) error {
 	if c.Status() != StatusRunning {
 		return fmt.Errorf("child %q is %s", id, c.Status())
 	}
-	_, err := c.pty.Write(b)
+	pty := c.PTY()
+	if pty == nil {
+		return fmt.Errorf("child %q has no pty", id)
+	}
+	_, err := pty.Write(b)
 	return err
 }
 
@@ -250,8 +404,12 @@ func (s *Session) ResizeAll(cols, rows uint16) {
 	}
 	s.mu.Unlock()
 	for _, c := range cs {
-		_ = c.pty.Resize(cols, rows)
-		_ = c.em.Resize(cols, rows)
+		if pty := c.PTY(); pty != nil {
+			_ = pty.Resize(cols, rows)
+		}
+		if em := c.Emulator(); em != nil {
+			_ = em.Resize(cols, rows)
+		}
 	}
 }
 
@@ -263,7 +421,11 @@ func (s *Session) SerializeChild(id string) ([]byte, error) {
 	if c == nil {
 		return nil, fmt.Errorf("no such child %q", id)
 	}
-	return c.em.SerializeVT()
+	em := c.Emulator()
+	if em == nil {
+		return nil, fmt.Errorf("child %q has no emulator", id)
+	}
+	return em.SerializeVT()
 }
 
 func (s *Session) SnapshotChild(id string) (string, vt.CursorState, error) {
@@ -271,11 +433,15 @@ func (s *Session) SnapshotChild(id string) (string, vt.CursorState, error) {
 	if c == nil {
 		return "", vt.CursorState{}, fmt.Errorf("no such child %q", id)
 	}
-	text, err := c.em.ScreenText()
+	em := c.Emulator()
+	if em == nil {
+		return "", vt.CursorState{}, fmt.Errorf("child %q has no emulator", id)
+	}
+	text, err := em.ScreenText()
 	if err != nil {
 		return "", vt.CursorState{}, err
 	}
-	cursor, err := c.em.Cursor()
+	cursor, err := em.Cursor()
 	if err != nil {
 		return "", vt.CursorState{}, err
 	}
@@ -297,8 +463,7 @@ func (s *Session) Shutdown() {
 	// Close emulators and PTY masters. The reaper goroutines will fire
 	// emitExit as Wait() returns.
 	for _, c := range cs {
-		_ = c.pty.Close()
-		_ = c.em.Close()
+		c.teardownPTY()
 	}
 }
 
diff --git a/internal/mcp/tools.go b/internal/mcp/tools.go
index 8710315..527248a 100644
--- a/internal/mcp/tools.go
+++ b/internal/mcp/tools.go
@@ -9,42 +9,224 @@ import (
 	"github.com/harrybrwn/patterm/internal/scratchpad"
 )
 
-// ToolHost is the interface the in-process server uses to reach the
-// running patterm process's state. The app package implements this so
-// internal/mcp doesn't import internal/app (which would be a cycle).
-type ToolHost interface {
-	Children() []ChildInfo
-	Spawn(callerID, name string, argv []string, shell bool) (ChildInfo, error)
-	SpawnAgent(callerID, presetName, displayName, initialPrompt string) (ChildInfo, error)
-	ReadOutput(callerID, childID, mode string, sinceOffset int) (content string, newOffset int, err error)
-	SendInput(callerID, childID string, payload []byte, appendNewline bool) error
-	Kill(callerID, childID string, sig syscall.Signal) error
-	SendMessageTo(callerID, targetID, message string) error
-	ReportToParent(callerID, message string) error
-	TimerWait(callerID string, seconds float64, label string) (string, error)
-	WaitForPattern(callerID, childID, pattern string, timeoutSeconds float64) (matched bool, snippet string, err error)
-	RequestHumanAttention(callerID, childID, reason string) error
-	Scratchpads() *scratchpad.Store
+// JSON-RPC error codes used by the patterm MCP surface. -32700..-32600
+// are the standard parse/invalid-request codes; the SPEC-defined error
+// names live in the -32000 range with a structured `data.kind` so the
+// caller can branch on the error type rather than parsing strings.
+const (
+	codeParseError     = -32700
+	codeInvalidRequest = -32600
+	codeMethodNotFound = -32601
+	codeInvalidParams  = -32602
+	codeInternal       = -32000
+	codeNeedsTrust     = -32010
+	codeRoleForbidden  = -32011
+	codeNotRelated     = -32012
+	codeNotFound       = -32013
+	codeWrongKind      = -32014
+	codeUnknownAgent   = -32015
+)
 
-	// ResolveCallerIdentity translates a per-spawn identity token into
-	// the child ID the server stores in its connection state.
+// CallerRole is one of "orchestrator" or "sub-agent". SPEC §7 caller
+// role: orchestrators sit at the root of a session tree; sub-agents
+// were spawned by another agent.
+type CallerRole string
+
+const (
+	RoleOrchestrator CallerRole = "orchestrator"
+	RoleSubAgent     CallerRole = "sub-agent"
+)
+
+// ToolHost is the interface the in-process server uses to reach the
+// running patterm process's state. internal/app implements this; the
+// split keeps internal/mcp free of an internal/app import (which would
+// be cyclic).
+type ToolHost interface {
+	// Identity resolution. The mcp-stdio greeting carries a per-spawn
+	// token; the server resolves it to a process_id before dispatching
+	// the rest of the connection's calls.
 	ResolveCallerIdentity(identity string) string
 
-	// PolicyCheck — SPEC §9. Returns "allow" / "punt" / "unknown" for
-	// a candidate auto-answer prompt the orchestrator is reading.
-	PolicyCheck(prompt string) string
+	// CallerRole returns the role for the given process_id. Unknown
+	// callers default to RoleOrchestrator (treated as a top-level peer)
+	// so they don't get silently denied.
+	CallerRole(processID string) CallerRole
+
+	// Lifecycle (SPEC §7).
+	SpawnAgent(callerID string, args SpawnAgentArgs) (ProcessInfo, error)
+	SpawnProcess(callerID string, args SpawnProcessArgs) (ProcessInfo, error)
+	StartProcess(callerID, processID string) (ProcessInfo, error)
+	RestartProcess(callerID, processID string, signal syscall.Signal) (ProcessInfo, error)
+	StopProcess(callerID, processID string, signal syscall.Signal) (ProcessInfo, error)
+	CloseProcess(callerID, processID string) error
+	RenameProcess(callerID, processID, name string) error
+	SelectProcess(callerID, processID string) error
+
+	// Inspection.
+	ListProcesses(callerID, kindFilter string) []ProcessInfo
+	GetProcessStatus(callerID, processID string) (ProcessStatus, error)
+	GetProjectStatus(callerID string) (ProjectStatus, error)
+	GetProcessOutput(callerID, processID, mode string, sinceOffset int64) (ProcessOutput, error)
+	GetProcessRawOutput(callerID, processID string, sinceOffset int64) (RawOutput, error)
+	SearchOutput(callerID, processID, pattern, kind string, limit int) (SearchResult, error)
+	WaitForPattern(callerID, processID, pattern string, timeoutSeconds float64, scope string) (matched bool, snippet string, err error)
+	GetProcessPorts(callerID, processID string) ([]PortSighting, error)
+
+	// I/O.
+	SendInput(callerID string, args SendInputArgs) (SendInputResult, error)
+
+	// Coordination.
+	SendMessage(callerID, targetID, message string) error
+	RequestHumanAttention(callerID, processID, reason string) error
+	TimerWait(callerID string, seconds float64, label string) (string, error)
+
+	// Scratchpads.
+	Scratchpads() *scratchpad.Store
+
+	// Meta.
+	WhoAmI(callerID string) WhoAmI
+	Help(callerID, topic string) HelpResponse
 }
 
-// ChildInfo is what list_children / spawn_process / spawn_agent return.
-// Matches SPEC §7 shape plus the §11 idle exposure.
-type ChildInfo struct {
-	ID       string `json:"child_id"`
-	Name     string `json:"name"`
-	Type     string `json:"type"`
-	Status   string `json:"status"`
-	ExitCode int    `json:"exit_code,omitempty"`
-	IdleMS   int64  `json:"idle_ms,omitempty"`
-	ParentID string `json:"parent_id,omitempty"`
+// ProcessInfo is the entry shape returned by list_processes, spawn_*,
+// stop_process, restart_process, start_process. SPEC §7.
+type ProcessInfo struct {
+	ID              string `json:"process_id"`
+	Name            string `json:"name"`
+	Kind            string `json:"kind"`
+	Status          string `json:"status"`
+	ParentProcessID string `json:"parent_process_id,omitempty"`
+	ExitCode        *int   `json:"exit_code,omitempty"`
+	IdleMS          int64  `json:"idle_ms,omitempty"`
+	Trusted         *bool  `json:"trusted,omitempty"`
+}
+
+// ProcessStatus is what get_process_status returns. Richer than
+// ProcessInfo: includes pane geometry, cursor, and active screen.
+type ProcessStatus struct {
+	ProcessInfo
+	WorkingDir    string  `json:"working_dir,omitempty"`
+	Argv          []string `json:"argv,omitempty"`
+	StartedAt     string  `json:"started_at,omitempty"`
+	ActiveScreen  string  `json:"active_screen,omitempty"`
+	Rows          int     `json:"rows,omitempty"`
+	Cols          int     `json:"cols,omitempty"`
+	Cursor        Cursor  `json:"cursor"`
+	ScreenVersion int64   `json:"screen_version,omitempty"`
+}
+
+// Cursor matches SPEC §7's `{x, y}` payload.
+type Cursor struct {
+	X int `json:"x"`
+	Y int `json:"y"`
+}
+
+// ProjectStatus is what get_project_status returns — everything an
+// agent needs to orient itself in one call.
+type ProjectStatus struct {
+	Project    ProjectMeta            `json:"project"`
+	Caller     WhoAmI                 `json:"caller"`
+	Processes  []ProcessInfo          `json:"processes"`
+	Scratchpads []scratchpad.Entry    `json:"scratchpads"`
+}
+
+// ProjectMeta is the project root info echoed in many payloads.
+type ProjectMeta struct {
+	Path string `json:"path"`
+	Key  string `json:"key"`
+}
+
+// ProcessOutput is the get_process_output payload. SPEC §7 enriches
+// the old read_output result with screen geometry + version.
+type ProcessOutput struct {
+	Content       string `json:"content"`
+	Mode          string `json:"mode"`
+	NewOffset     int64  `json:"new_offset,omitempty"`
+	ActiveScreen  string `json:"active_screen,omitempty"`
+	Rows          int    `json:"rows,omitempty"`
+	Cols          int    `json:"cols,omitempty"`
+	Cursor        Cursor `json:"cursor"`
+	IdleMS        int64  `json:"idle_ms,omitempty"`
+	Status        string `json:"status,omitempty"`
+	ScreenVersion int64  `json:"screen_version,omitempty"`
+}
+
+// RawOutput is the get_process_raw_output payload — ANSI preserved.
+type RawOutput struct {
+	Content   string `json:"content"`
+	NewOffset int64  `json:"new_offset"`
+	Status    string `json:"status,omitempty"`
+}
+
+// SearchResult is search_output's payload.
+type SearchResult struct {
+	Matches   []SearchMatch `json:"matches"`
+	Truncated bool          `json:"truncated"`
+}
+
+type SearchMatch struct {
+	LineNo int    `json:"line_no"`
+	Text   string `json:"text"`
+}
+
+// PortSighting matches the per-child store in internal/app.
+type PortSighting struct {
+	Port        int    `json:"port"`
+	URL         string `json:"url,omitempty"`
+	FirstSeenAt string `json:"first_seen_at"`
+}
+
+// SpawnAgentArgs is the input shape for spawn_agent.
+type SpawnAgentArgs struct {
+	Agent              string `json:"agent"`
+	AgentInstructions  string `json:"agent_instructions"`
+	Name               string `json:"name"`
+}
+
+// SpawnProcessArgs is the input shape for spawn_process.
+type SpawnProcessArgs struct {
+	Kind       string   `json:"kind"` // "terminal" | "command"
+	Preset     string   `json:"preset"`
+	Argv       []string `json:"argv"`
+	Name       string   `json:"name"`
+	WorkingDir string   `json:"working_dir"`
+	Env        map[string]string `json:"env"`
+	Shell      bool     `json:"shell"`
+}
+
+// SendInputArgs is the input shape for send_input — covers text /
+// paste / key with the optional wait+tail tail-after-send.
+type SendInputArgs struct {
+	ProcessID string `json:"process_id"`
+	Kind      string `json:"kind"` // "text" | "paste" | "key"
+	Text      string `json:"text"`
+	Key       string `json:"key"`
+	Submit    *bool  `json:"submit"`
+	WaitMS    int    `json:"wait_ms"`
+	TailMode  string `json:"tail_mode"` // "none" | "stream" | "grid"
+}
+
+// SendInputResult is the return shape of send_input.
+type SendInputResult struct {
+	OK   bool           `json:"ok"`
+	Tail *ProcessOutput `json:"tail,omitempty"`
+}
+
+// WhoAmI is the whoami return shape.
+type WhoAmI struct {
+	ProcessID       string     `json:"process_id"`
+	Name            string     `json:"name"`
+	Role            CallerRole `json:"role"`
+	ParentProcessID string     `json:"parent_process_id,omitempty"`
+	Project         ProjectMeta `json:"project"`
+	AvailableTools  []string   `json:"available_tools"`
+}
+
+// HelpResponse is the help return shape.
+type HelpResponse struct {
+	Topic        string   `json:"topic"`
+	Content      string   `json:"content"`
+	RelatedTools []string `json:"related_tools,omitempty"`
 }
 
 func (s *Server) SetHost(h ToolHost) {
@@ -54,7 +236,7 @@ func (s *Server) SetHost(h ToolHost) {
 }
 
 // dispatch routes a single JSON-RPC request. callerID is the ID of the
-// child that owns this connection (resolved at greeting time).
+// process that owns this connection (resolved at greeting time).
 func (s *Server) dispatch(callerID string, req []byte) []byte {
 	var msg struct {
 		JSONRPC string          `json:"jsonrpc"`
@@ -63,152 +245,271 @@ func (s *Server) dispatch(callerID string, req []byte) []byte {
 		Params  json.RawMessage `json:"params"`
 	}
 	if err := json.Unmarshal(req, &msg); err != nil {
-		return jsonRPCError(nil, -32700, "parse error: "+err.Error())
+		return jsonRPCError(nil, codeParseError, "parse error: "+err.Error(), nil)
 	}
 	s.mu.Lock()
 	host := s.host
 	s.mu.Unlock()
 	if host == nil {
-		return jsonRPCError(msg.ID, -32000, "patterm: tool host not initialized")
+		return jsonRPCError(msg.ID, codeInternal, "patterm: tool host not initialized", nil)
 	}
 
-	result, code, errMsg := callTool(host, callerID, msg.Method, msg.Params)
+	result, code, errMsg, data := callTool(host, callerID, msg.Method, msg.Params)
 	if errMsg != "" {
-		return jsonRPCError(msg.ID, code, errMsg)
+		return jsonRPCError(msg.ID, code, errMsg, data)
 	}
 	return jsonRPCResult(msg.ID, result)
 }
 
-func callTool(h ToolHost, callerID, method string, params json.RawMessage) (any, int, string) {
+// toolError lets host implementations attach a structured `kind` to a
+// JSON-RPC error so callers can branch on error type without parsing
+// the message. The MCP layer maps recognized error kinds to their SPEC
+// error codes; unknown errors fall through to codeInternal.
+type toolError struct {
+	Kind    string `json:"kind"`
+	Message string `json:"message"`
+}
+
+func (e *toolError) Error() string { return e.Message }
+
+// Errorf is a convenience for host implementations to return typed
+// errors that map to JSON-RPC codes (needs_trust, role_forbidden, …).
+func Errorf(kind, format string, a ...any) error {
+	return &toolError{Kind: kind, Message: fmt.Sprintf(format, a...)}
+}
+
+// callTool is the central dispatch. Returns (result, code, errMsg,
+// errData). On success errMsg is empty.
+func callTool(h ToolHost, callerID, method string, params json.RawMessage) (any, int, string, any) {
 	switch method {
-	case "list_children":
-		return h.Children(), 0, ""
+	case "spawn_agent":
+		var p SpawnAgentArgs
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		if p.Agent == "" {
+			return nil, codeInvalidParams, "spawn_agent: agent required", nil
+		}
+		// Role gate: only orchestrators may call spawn_agent (SPEC §8).
+		if h.CallerRole(callerID) == RoleSubAgent {
+			return nil, codeRoleForbidden, "spawn_agent: sub-agents cannot spawn agents; use vendor-native subagent tooling or ask your parent", structuredKind("role_forbidden")
+		}
+		info, err := h.SpawnAgent(callerID, p)
+		return mapToolResult(info, err)
 
 	case "spawn_process":
+		var p SpawnProcessArgs
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		info, err := h.SpawnProcess(callerID, p)
+		return mapToolResult(info, err)
+
+	case "start_process":
+		var p struct{ ProcessID string `json:"process_id"` }
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		info, err := h.StartProcess(callerID, p.ProcessID)
+		return mapToolResult(info, err)
+
+	case "restart_process":
 		var p struct {
-			Preset     string   `json:"preset"`
-			Argv       []string `json:"argv"`
-			Shell      bool     `json:"shell"`
-			Name       string   `json:"name"`
-			WorkingDir string   `json:"working_dir"`
+			ProcessID string `json:"process_id"`
+			Signal    int    `json:"signal"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
-		// Preset-by-name is the preferred path per SPEC §7; argv is the
-		// escape hatch. We don't load process presets here — the host
-		// is the source of truth — so a named preset call is rejected
-		// unless the caller also supplied argv. (Wiring full preset
-		// resolution into MCP is a small follow-up; the host's palette
-		// path covers the named case today.)
-		if len(p.Argv) == 0 {
-			return nil, -32602, "spawn_process: argv required"
-		}
-		ci, err := h.Spawn(callerID, p.Name, p.Argv, p.Shell)
-		if err != nil {
-			return nil, -32000, err.Error()
-		}
-		return ci, 0, ""
+		sig := syscall.Signal(p.Signal)
+		info, err := h.RestartProcess(callerID, p.ProcessID, sig)
+		return mapToolResult(info, err)
 
-	case "spawn_agent":
+	case "stop_process":
 		var p struct {
-			Preset        string `json:"preset"`
-			InitialPrompt string `json:"initial_prompt"`
-			Name          string `json:"name"`
+			ProcessID string `json:"process_id"`
+			Signal    int    `json:"signal"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
-		if p.Preset == "" {
-			return nil, -32602, "spawn_agent: preset required"
-		}
-		ci, err := h.SpawnAgent(callerID, p.Preset, p.Name, p.InitialPrompt)
-		if err != nil {
-			return nil, -32000, err.Error()
-		}
-		return ci, 0, ""
+		sig := syscall.Signal(p.Signal)
+		info, err := h.StopProcess(callerID, p.ProcessID, sig)
+		return mapToolResult(info, err)
 
-	case "read_output":
+	case "close_process":
+		var p struct{ ProcessID string `json:"process_id"` }
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		if err := h.CloseProcess(callerID, p.ProcessID); err != nil {
+			return mapToolError(err)
+		}
+		return "ok", 0, "", nil
+
+	case "rename_process":
 		var p struct {
-			ChildID     string `json:"child_id"`
+			ProcessID string `json:"process_id"`
+			Name      string `json:"name"`
+		}
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		if err := h.RenameProcess(callerID, p.ProcessID, p.Name); err != nil {
+			return mapToolError(err)
+		}
+		return "ok", 0, "", nil
+
+	case "select_process":
+		var p struct{ ProcessID string `json:"process_id"` }
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		if err := h.SelectProcess(callerID, p.ProcessID); err != nil {
+			return mapToolError(err)
+		}
+		return "ok", 0, "", nil
+
+	case "list_processes":
+		var p struct{ Kind string `json:"kind"` }
+		_ = unmarshalParamsOptional(params, &p)
+		return h.ListProcesses(callerID, p.Kind), 0, "", nil
+
+	case "get_process_status":
+		var p struct{ ProcessID string `json:"process_id"` }
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		st, err := h.GetProcessStatus(callerID, p.ProcessID)
+		if err != nil {
+			return mapToolError(err)
+		}
+		return st, 0, "", nil
+
+	case "get_project_status":
+		ps, err := h.GetProjectStatus(callerID)
+		if err != nil {
+			return mapToolError(err)
+		}
+		return ps, 0, "", nil
+
+	case "get_process_output":
+		var p struct {
+			ProcessID   string `json:"process_id"`
 			Mode        string `json:"mode"`
-			SinceOffset int    `json:"since_offset"`
+			SinceOffset int64  `json:"since_offset"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
 		if p.Mode == "" {
 			p.Mode = "grid"
 		}
-		content, newOff, err := h.ReadOutput(callerID, p.ChildID, p.Mode, p.SinceOffset)
+		out, err := h.GetProcessOutput(callerID, p.ProcessID, p.Mode, p.SinceOffset)
 		if err != nil {
-			return nil, -32000, err.Error()
+			return mapToolError(err)
 		}
-		return map[string]any{
-			"content":    content,
-			"new_offset": newOff,
-			"mode":       p.Mode,
-		}, 0, ""
+		return out, 0, "", nil
+
+	case "get_process_raw_output":
+		var p struct {
+			ProcessID   string `json:"process_id"`
+			SinceOffset int64  `json:"since_offset"`
+		}
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		out, err := h.GetProcessRawOutput(callerID, p.ProcessID, p.SinceOffset)
+		if err != nil {
+			return mapToolError(err)
+		}
+		return out, 0, "", nil
+
+	case "search_output":
+		var p struct {
+			ProcessID string `json:"process_id"`
+			Pattern   string `json:"pattern"`
+			Kind      string `json:"kind"`
+			Limit     int    `json:"limit"`
+		}
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		if p.Limit <= 0 {
+			p.Limit = 20
+		}
+		if p.Kind == "" {
+			p.Kind = "rendered"
+		}
+		res, err := h.SearchOutput(callerID, p.ProcessID, p.Pattern, p.Kind, p.Limit)
+		if err != nil {
+			return mapToolError(err)
+		}
+		return res, 0, "", nil
+
+	case "wait_for_pattern":
+		var p struct {
+			ProcessID      string  `json:"process_id"`
+			Pattern        string  `json:"pattern"`
+			TimeoutSeconds float64 `json:"timeout_seconds"`
+			Scope          string  `json:"scope"`
+		}
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		matched, snippet, err := h.WaitForPattern(callerID, p.ProcessID, p.Pattern, p.TimeoutSeconds, p.Scope)
+		if err != nil {
+			return mapToolError(err)
+		}
+		return map[string]any{"matched": matched, "snippet": snippet}, 0, "", nil
+
+	case "get_process_ports":
+		var p struct{ ProcessID string `json:"process_id"` }
+		if err := unmarshalParams(params, &p); err != nil {
+			return nil, codeInvalidParams, err.Error(), nil
+		}
+		ports, err := h.GetProcessPorts(callerID, p.ProcessID)
+		if err != nil {
+			return mapToolError(err)
+		}
+		return map[string]any{"ports": ports}, 0, "", nil
 
 	case "send_input":
-		var p struct {
-			ChildID       string `json:"child_id"`
-			Input         string `json:"input"`
-			AppendNewline *bool  `json:"append_newline"`
-		}
+		var p SendInputArgs
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
-		appendNL := true
-		if p.AppendNewline != nil {
-			appendNL = *p.AppendNewline
+		res, err := h.SendInput(callerID, p)
+		if err != nil {
+			return mapToolError(err)
 		}
-		if err := h.SendInput(callerID, p.ChildID, []byte(p.Input), appendNL); err != nil {
-			return nil, -32000, err.Error()
-		}
-		return "ok", 0, ""
+		return res, 0, "", nil
 
-	case "kill":
+	case "send_message":
 		var p struct {
-			ChildID string `json:"child_id"`
-			Signal  int    `json:"signal"`
+			TargetProcessID string `json:"target_process_id"`
+			Message         string `json:"message"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
-		sig := syscall.Signal(p.Signal)
-		if sig == 0 {
-			sig = syscall.SIGTERM
+		if err := h.SendMessage(callerID, p.TargetProcessID, p.Message); err != nil {
+			return mapToolError(err)
 		}
-		if err := h.Kill(callerID, p.ChildID, sig); err != nil {
-			return nil, -32000, err.Error()
-		}
-		return "ok", 0, ""
+		return "ok", 0, "", nil
 
-	case "send_message_to":
+	case "request_human_attention":
 		var p struct {
-			Target  string `json:"target"`
-			Message string `json:"message"`
+			ProcessID string `json:"process_id"`
+			Reason    string `json:"reason"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
-		if err := h.SendMessageTo(callerID, p.Target, p.Message); err != nil {
-			return nil, -32000, err.Error()
+		if err := h.RequestHumanAttention(callerID, p.ProcessID, p.Reason); err != nil {
+			return mapToolError(err)
 		}
-		return "ok", 0, ""
-
-	case "report_to_parent":
-		var p struct {
-			Message string `json:"message"`
-		}
-		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
-		}
-		if err := h.ReportToParent(callerID, p.Message); err != nil {
-			return nil, -32000, err.Error()
-		}
-		return "ok", 0, ""
+		return "ok", 0, "", nil
 
 	case "timer_wait":
 		var p struct {
@@ -216,61 +517,31 @@ func callTool(h ToolHost, callerID, method string, params json.RawMessage) (any,
 			Label   string  `json:"label"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
 		id, err := h.TimerWait(callerID, p.Seconds, p.Label)
 		if err != nil {
-			return nil, -32000, err.Error()
+			return mapToolError(err)
 		}
-		return map[string]string{"timer_id": id}, 0, ""
-
-	case "wait_for_pattern":
-		var p struct {
-			ChildID        string  `json:"child_id"`
-			Pattern        string  `json:"pattern"`
-			TimeoutSeconds float64 `json:"timeout_seconds"`
-		}
-		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
-		}
-		matched, snippet, err := h.WaitForPattern(callerID, p.ChildID, p.Pattern, p.TimeoutSeconds)
-		if err != nil {
-			return nil, -32000, err.Error()
-		}
-		return map[string]any{"matched": matched, "snippet": snippet}, 0, ""
-
-	case "request_human_attention":
-		var p struct {
-			ChildID string `json:"child_id"`
-			Reason  string `json:"reason"`
-		}
-		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
-		}
-		if err := h.RequestHumanAttention(callerID, p.ChildID, p.Reason); err != nil {
-			return nil, -32000, err.Error()
-		}
-		return "ok", 0, ""
+		return map[string]string{"timer_id": id}, 0, "", nil
 
 	case "scratchpad_list":
 		entries, err := h.Scratchpads().List()
 		if err != nil {
-			return nil, -32000, err.Error()
+			return nil, codeInternal, err.Error(), nil
 		}
-		return entries, 0, ""
+		return entries, 0, "", nil
 
 	case "scratchpad_read":
-		var p struct {
-			Name string `json:"name"`
-		}
+		var p struct{ Name string `json:"name"` }
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
 		content, rev, err := h.Scratchpads().Read(p.Name)
 		if err != nil {
-			return nil, -32000, err.Error()
+			return nil, codeInternal, err.Error(), nil
 		}
-		return map[string]any{"content": content, "revision": rev}, 0, ""
+		return map[string]any{"content": content, "revision": rev}, 0, "", nil
 
 	case "scratchpad_write":
 		var p struct {
@@ -279,22 +550,19 @@ func callTool(h ToolHost, callerID, method string, params json.RawMessage) (any,
 			ExpectedRevision string `json:"expected_revision"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
 		rev, err := h.Scratchpads().Write(p.Name, p.Content, p.ExpectedRevision)
 		if err != nil {
-			return nil, -32000, err.Error()
+			// Optimistic-concurrency miss returns ok:false + current_revision
+			// rather than a JSON-RPC error so callers can re-read + merge.
+			var rme *scratchpad.RevisionMismatchError
+			if errors.As(err, &rme) {
+				return map[string]any{"ok": false, "current_revision": rme.CurrentRevision}, 0, "", nil
+			}
+			return nil, codeInternal, err.Error(), nil
 		}
-		return map[string]any{"revision": rev}, 0, ""
-
-	case "policy_check":
-		var p struct {
-			Prompt string `json:"prompt"`
-		}
-		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
-		}
-		return map[string]string{"decision": h.PolicyCheck(p.Prompt)}, 0, ""
+		return map[string]any{"ok": true, "revision": rev}, 0, "", nil
 
 	case "scratchpad_append":
 		var p struct {
@@ -302,14 +570,62 @@ func callTool(h ToolHost, callerID, method string, params json.RawMessage) (any,
 			Content string `json:"content"`
 		}
 		if err := unmarshalParams(params, &p); err != nil {
-			return nil, -32602, err.Error()
+			return nil, codeInvalidParams, err.Error(), nil
 		}
 		if err := h.Scratchpads().Append(p.Name, p.Content); err != nil {
-			return nil, -32000, err.Error()
+			return nil, codeInternal, err.Error(), nil
 		}
-		return "ok", 0, ""
+		return map[string]any{"ok": true}, 0, "", nil
+
+	case "whoami":
+		return h.WhoAmI(callerID), 0, "", nil
+
+	case "help":
+		var p struct{ Topic string `json:"topic"` }
+		_ = unmarshalParamsOptional(params, &p)
+		return h.Help(callerID, p.Topic), 0, "", nil
 	}
-	return nil, -32601, "method not found: " + method
+	return nil, codeMethodNotFound, "method not found: " + method, nil
+}
+
+// mapToolResult is the (info, err) → JSON-RPC reply helper for the
+// many handlers that return a ProcessInfo-ish struct.
+func mapToolResult(v any, err error) (any, int, string, any) {
+	if err != nil {
+		return mapToolError(err)
+	}
+	return v, 0, "", nil
+}
+
+// mapToolError translates a host error to (code, message, data). If the
+// error is a *toolError its Kind names the SPEC-defined category and we
+// pick a stable JSON-RPC code for that category; otherwise we return a
+// generic internal error.
+func mapToolError(err error) (any, int, string, any) {
+	var te *toolError
+	if errors.As(err, &te) {
+		code := codeInternal
+		switch te.Kind {
+		case "needs_trust":
+			code = codeNeedsTrust
+		case "role_forbidden":
+			code = codeRoleForbidden
+		case "not_related":
+			code = codeNotRelated
+		case "not_found":
+			code = codeNotFound
+		case "wrong_kind":
+			code = codeWrongKind
+		case "unknown_agent":
+			code = codeUnknownAgent
+		}
+		return nil, code, te.Message, structuredKind(te.Kind)
+	}
+	return nil, codeInternal, err.Error(), nil
+}
+
+func structuredKind(kind string) map[string]string {
+	return map[string]string{"kind": kind}
 }
 
 func unmarshalParams(raw json.RawMessage, out any) error {
@@ -319,6 +635,13 @@ func unmarshalParams(raw json.RawMessage, out any) error {
 	return json.Unmarshal(raw, out)
 }
 
+func unmarshalParamsOptional(raw json.RawMessage, out any) error {
+	if len(raw) == 0 {
+		return nil
+	}
+	return json.Unmarshal(raw, out)
+}
+
 func jsonRPCResult(id json.RawMessage, result any) []byte {
 	resp := map[string]any{
 		"jsonrpc": "2.0",
@@ -329,19 +652,19 @@ func jsonRPCResult(id json.RawMessage, result any) []byte {
 	return b
 }
 
-func jsonRPCError(id json.RawMessage, code int, message string) []byte {
+func jsonRPCError(id json.RawMessage, code int, message string, data any) []byte {
+	errBody := map[string]any{
+		"code":    code,
+		"message": message,
+	}
+	if data != nil {
+		errBody["data"] = data
+	}
 	resp := map[string]any{
 		"jsonrpc": "2.0",
 		"id":      id,
-		"error": map[string]any{
-			"code":    code,
-			"message": message,
-		},
+		"error":   errBody,
 	}
 	b, _ := json.Marshal(resp)
 	return b
 }
-
-// Compile-time guard: every dispatch path is covered. fmt is imported
-// only so future error wrapping can land without re-adding the import.
-var _ = fmt.Sprintf
diff --git a/internal/policy/policy.go b/internal/policy/policy.go
deleted file mode 100644
index 3c5738c..0000000
--- a/internal/policy/policy.go
+++ /dev/null
@@ -1,166 +0,0 @@
-// Package policy implements SPEC §9 permissions hooks.
-//
-// patterm doesn't enforce permissions on the agent's behalf — the
-// orchestrator is the policy actor. But patterm ships a config that
-// surfaces the project's deny-list to the orchestrator (via
-// scratchpad_read("policy.md")) and exposes a Should() helper future
-// MCP middleware can call to short-circuit obviously-dangerous prompts.
-//
-// File location: $XDG_CONFIG_HOME/patterm/policy.json (global default;
-// per-project override at <project>/.patterm/policy.json is a v2
-// follow-up).
-package policy
-
-import (
-	"encoding/json"
-	"errors"
-	"os"
-	"path/filepath"
-	"regexp"
-	"sync"
-)
-
-// Decision is what Should() returns for a candidate auto-answer.
-type Decision string
-
-const (
-	// Allow: the prompt is in the always-safe allowlist; auto-answer.
-	Allow Decision = "allow"
-	// PuntToHuman: the prompt matches the deny-list; the orchestrator
-	// MUST call request_human_attention instead of auto-answering.
-	PuntToHuman Decision = "punt"
-	// Unknown: no rule applies. SPEC §9 says default is to punt; we
-	// keep this distinct so callers know it's a default, not a match.
-	Unknown Decision = "unknown"
-)
-
-type Policy struct {
-	// Allowlist patterns: prompts matching ANY of these are safe to
-	// auto-answer.
-	AllowPatterns []string `json:"allow_patterns"`
-	// Deny patterns: prompts matching ANY of these MUST be punted to
-	// the human. Default seed below covers SPEC §9 examples (writes,
-	// deletes, sudo, package install, broad shell).
-	DenyPatterns []string `json:"deny_patterns"`
-
-	mu          sync.Mutex
-	compiledAOK bool
-	allowRE     []*regexp.Regexp
-	denyRE      []*regexp.Regexp
-}
-
-// Default returns the seeded policy that ships out of the box.
-func Default() *Policy {
-	return &Policy{
-		AllowPatterns: []string{
-			`(?i)read.* from .*\?`,
-			`(?i)open .* in editor\?`,
-			`(?i)show diff\?`,
-		},
-		DenyPatterns: []string{
-			`(?i)sudo`,
-			`(?i)rm -rf`,
-			`(?i)delete .*permanently`,
-			`(?i)install package`,
-			`(?i)pip install`,
-			`(?i)npm install -g`,
-			`(?i)curl .* \| .*sh`,
-			`(?i)wget .* \| .*sh`,
-			`(?i)force.push`,
-			`(?i)git push --force`,
-			`(?i)drop (table|database)`,
-			`(?i)\.ssh/`,
-			`(?i)\.aws/credentials`,
-			`(?i)\.env\b`,
-		},
-	}
-}
-
-// Load reads the user's policy, falling back to Default if absent.
-// Errors other than ENOENT are returned.
-func Load() (*Policy, error) {
-	p, err := PathFor()
-	if err != nil {
-		return nil, err
-	}
-	body, err := os.ReadFile(p)
-	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			pol := Default()
-			_ = Save(pol)
-			return pol, nil
-		}
-		return nil, err
-	}
-	var pol Policy
-	if err := json.Unmarshal(body, &pol); err != nil {
-		return nil, err
-	}
-	return &pol, nil
-}
-
-// Save writes p to the standard location, creating directories.
-func Save(p *Policy) error {
-	path, err := PathFor()
-	if err != nil {
-		return err
-	}
-	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
-		return err
-	}
-	body, err := json.MarshalIndent(p, "", "  ")
-	if err != nil {
-		return err
-	}
-	body = append(body, '\n')
-	return os.WriteFile(path, body, 0o600)
-}
-
-func PathFor() (string, error) {
-	if h := os.Getenv("XDG_CONFIG_HOME"); h != "" {
-		return filepath.Join(h, "patterm", "policy.json"), nil
-	}
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(home, ".config", "patterm", "policy.json"), nil
-}
-
-// Should classifies a candidate auto-answer prompt the orchestrator is
-// reading from a sub-agent's grid.
-func (p *Policy) Should(promptText string) Decision {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-	p.ensureCompiledLocked()
-	for _, re := range p.denyRE {
-		if re.MatchString(promptText) {
-			return PuntToHuman
-		}
-	}
-	for _, re := range p.allowRE {
-		if re.MatchString(promptText) {
-			return Allow
-		}
-	}
-	return Unknown
-}
-
-func (p *Policy) ensureCompiledLocked() {
-	if p.compiledAOK {
-		return
-	}
-	p.allowRE = make([]*regexp.Regexp, 0, len(p.AllowPatterns))
-	for _, s := range p.AllowPatterns {
-		if re, err := regexp.Compile(s); err == nil {
-			p.allowRE = append(p.allowRE, re)
-		}
-	}
-	p.denyRE = make([]*regexp.Regexp, 0, len(p.DenyPatterns))
-	for _, s := range p.DenyPatterns {
-		if re, err := regexp.Compile(s); err == nil {
-			p.denyRE = append(p.denyRE, re)
-		}
-	}
-	p.compiledAOK = true
-}
diff --git a/internal/preset/preset.go b/internal/preset/preset.go
index 646d2fb..dc6ae27 100644
--- a/internal/preset/preset.go
+++ b/internal/preset/preset.go
@@ -13,12 +13,15 @@ import (
 	"strings"
 )
 
-// Kind is "agent" or "process".
+// Kind is "agent" or "command". Process presets are SPEC §7's
+// `command` kind (session-persistent). Terminal entries don't have
+// presets — they're created freeform with `kind: terminal` via
+// spawn_process.
 type Kind string
 
 const (
 	KindAgent   Kind = "agent"
-	KindProcess Kind = "process"
+	KindCommand Kind = "command"
 )
 
 // Preset is one loaded preset file. Agent-only fields stay zero on
@@ -87,7 +90,7 @@ func Load() (Set, error) {
 	if err != nil {
 		return Set{}, err
 	}
-	procs, err := loadDir(filepath.Join(base, "presets", "processes"), KindProcess)
+	procs, err := loadDir(filepath.Join(base, "presets", "processes"), KindCommand)
 	if err != nil {
 		return Set{}, err
 	}
diff --git a/internal/scratchpad/scratchpad.go b/internal/scratchpad/scratchpad.go
index d119acb..93a3911 100644
--- a/internal/scratchpad/scratchpad.go
+++ b/internal/scratchpad/scratchpad.go
@@ -90,9 +90,21 @@ func (s *Store) Read(name string) (content string, revision string, err error) {
 	return string(b), revisionOf(b), nil
 }
 
+// RevisionMismatchError is returned by Write when expectedRevision
+// doesn't match the on-disk revision. The MCP scratchpad_write tool
+// surfaces CurrentRevision as `current_revision` in the response so
+// the caller can re-read and merge (SPEC §7 / §14).
+type RevisionMismatchError struct {
+	CurrentRevision string
+}
+
+func (e *RevisionMismatchError) Error() string {
+	return "scratchpad: revision mismatch (current=" + e.CurrentRevision + ")"
+}
+
 // Write replaces the file's contents. expectedRevision, if non-empty,
-// must match the current revision or the write is rejected (SPEC §14
-// last-write-wins-with-token).
+// must match the current revision or the write is rejected with a
+// *RevisionMismatchError (SPEC §14 last-write-wins-with-token).
 func (s *Store) Write(name, content, expectedRevision string) (string, error) {
 	p, err := s.safePath(name)
 	if err != nil {
@@ -100,8 +112,9 @@ func (s *Store) Write(name, content, expectedRevision string) (string, error) {
 	}
 	if expectedRevision != "" {
 		if cur, err := os.ReadFile(p); err == nil {
-			if revisionOf(cur) != expectedRevision {
-				return "", fmt.Errorf("scratchpad: revision mismatch")
+			curRev := revisionOf(cur)
+			if curRev != expectedRevision {
+				return "", &RevisionMismatchError{CurrentRevision: curRev}
 			}
 		}
 	}
diff --git a/internal/trust/trust.go b/internal/trust/trust.go
new file mode 100644
index 0000000..b00198a
--- /dev/null
+++ b/internal/trust/trust.go
@@ -0,0 +1,164 @@
+// Package trust implements SPEC §7's per-project command-preset trust
+// gating. Command presets are not trusted by default; the first time
+// an agent attempts to spawn / start / restart a process tied to one,
+// the MCP tool returns a `needs_trust` error and patterm surfaces a UI
+// confirmation. The user's acceptance is persisted to disk so the
+// confirmation isn't repeated every run.
+//
+// Trust is keyed by `(project, preset name)` in v1. Freeform-argv
+// command spawns bypass entirely (the agent had to compose the argv,
+// so the trust decision is already implicit).
+package trust
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"sync"
+)
+
+// Store is one project's trust file. Safe for concurrent use.
+type Store struct {
+	path string
+
+	mu      sync.RWMutex
+	granted map[string]bool
+}
+
+// Open loads (or creates) the trust file for projectKey. The file is
+// stored at $XDG_DATA_HOME/patterm/projects/<projectKey>/trust.json
+// (SPEC §3). Missing-file is not an error — it simply means no presets
+// are trusted yet.
+func Open(projectKey string) (*Store, error) {
+	if projectKey == "" {
+		return nil, errors.New("trust.Open: empty project key")
+	}
+	base, err := dataDir()
+	if err != nil {
+		return nil, err
+	}
+	dir := filepath.Join(base, "projects", projectKey)
+	if err := os.MkdirAll(dir, 0o700); err != nil {
+		return nil, fmt.Errorf("trust: mkdir %s: %w", dir, err)
+	}
+	path := filepath.Join(dir, "trust.json")
+	s := &Store{path: path, granted: make(map[string]bool)}
+	if err := s.loadLocked(); err != nil {
+		return nil, err
+	}
+	return s, nil
+}
+
+func dataDir() (string, error) {
+	if h := os.Getenv("XDG_DATA_HOME"); h != "" {
+		return filepath.Join(h, "patterm"), nil
+	}
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(home, ".local", "share", "patterm"), nil
+}
+
+// IsTrusted reports whether preset is granted.
+func (s *Store) IsTrusted(preset string) bool {
+	if preset == "" {
+		return false
+	}
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.granted[preset]
+}
+
+// Grant records that preset is trusted and persists the file.
+func (s *Store) Grant(preset string) error {
+	if preset == "" {
+		return errors.New("trust.Grant: empty preset")
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.granted[preset] {
+		return nil
+	}
+	s.granted[preset] = true
+	return s.saveLocked()
+}
+
+// Revoke removes a trust grant. Not used by the SPEC v1 flow but
+// useful for tests and future "untrust this" UI.
+func (s *Store) Revoke(preset string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if !s.granted[preset] {
+		return nil
+	}
+	delete(s.granted, preset)
+	return s.saveLocked()
+}
+
+// List returns the trusted presets in sorted order. For UI debugging.
+func (s *Store) List() []string {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	out := make([]string, 0, len(s.granted))
+	for k := range s.granted {
+		out = append(out, k)
+	}
+	sort.Strings(out)
+	return out
+}
+
+// Path returns the trust file path. Used by tests / diagnostics.
+func (s *Store) Path() string { return s.path }
+
+type fileShape struct {
+	// Presets is the JSON shape on disk: a list of granted preset names.
+	// Using a list (not a map) keeps the file diff-friendly and ordering
+	// stable across re-saves.
+	Presets []string `json:"presets"`
+}
+
+func (s *Store) loadLocked() error {
+	b, err := os.ReadFile(s.path)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil
+		}
+		return fmt.Errorf("trust: read %s: %w", s.path, err)
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var f fileShape
+	if err := json.Unmarshal(b, &f); err != nil {
+		return fmt.Errorf("trust: parse %s: %w", s.path, err)
+	}
+	for _, p := range f.Presets {
+		s.granted[p] = true
+	}
+	return nil
+}
+
+func (s *Store) saveLocked() error {
+	out := make([]string, 0, len(s.granted))
+	for k := range s.granted {
+		out = append(out, k)
+	}
+	sort.Strings(out)
+	body, err := json.MarshalIndent(fileShape{Presets: out}, "", "  ")
+	if err != nil {
+		return err
+	}
+	body = append(body, '\n')
+	tmp := s.path + ".tmp"
+	if err := os.WriteFile(tmp, body, 0o600); err != nil {
+		return fmt.Errorf("trust: write %s: %w", tmp, err)
+	}
+	if err := os.Rename(tmp, s.path); err != nil {
+		return fmt.Errorf("trust: rename %s: %w", s.path, err)
+	}
+	return nil
+}
diff --git a/internal/trust/trust_test.go b/internal/trust/trust_test.go
new file mode 100644
index 0000000..9c39784
--- /dev/null
+++ b/internal/trust/trust_test.go
@@ -0,0 +1,61 @@
+package trust
+
+import (
+	"os"
+	"testing"
+)
+
+func TestStoreGrantPersists(t *testing.T) {
+	dir := t.TempDir()
+	t.Setenv("XDG_DATA_HOME", dir)
+
+	s1, err := Open("projkey")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	if s1.IsTrusted("vitest") {
+		t.Fatalf("fresh store should not trust anything")
+	}
+	if err := s1.Grant("vitest"); err != nil {
+		t.Fatalf("grant: %v", err)
+	}
+	if !s1.IsTrusted("vitest") {
+		t.Fatalf("grant didn't take effect")
+	}
+
+	// Re-open and confirm persistence.
+	s2, err := Open("projkey")
+	if err != nil {
+		t.Fatalf("reopen: %v", err)
+	}
+	if !s2.IsTrusted("vitest") {
+		t.Fatalf("grant did not persist across reopen")
+	}
+	if s2.IsTrusted("bun-dev") {
+		t.Fatalf("unrelated preset should not be trusted")
+	}
+
+	// Verify the file exists at the expected path.
+	if _, err := os.Stat(s2.Path()); err != nil {
+		t.Fatalf("stat trust.json: %v", err)
+	}
+}
+
+func TestStoreRevokeWithoutGrantIsNoop(t *testing.T) {
+	dir := t.TempDir()
+	t.Setenv("XDG_DATA_HOME", dir)
+
+	s, err := Open("projkey")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	if err := s.Revoke("never-granted"); err != nil {
+		t.Fatalf("revoke noop should succeed: %v", err)
+	}
+}
+
+func TestStoreOpenRequiresProjectKey(t *testing.T) {
+	if _, err := Open(""); err == nil {
+		t.Fatalf("open with empty project key should fail")
+	}
+}
diff --git a/internal/vt/ghostty.go b/internal/vt/ghostty.go
index c58538b..4923965 100644
--- a/internal/vt/ghostty.go
+++ b/internal/vt/ghostty.go
@@ -212,6 +212,14 @@ func (e *GhosttyEmulator) Write(p []byte) (int, error) {
 	return len(p), nil
 }
 
+// Size returns the current grid (cols, rows). SPEC §7 get_process_output
+// and get_process_status surface these.
+func (e *GhosttyEmulator) Size() (uint16, uint16) {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+	return e.cols, e.rows
+}
+
 func (e *GhosttyEmulator) Resize(cols, rows uint16) error {
 	if cols == 0 || rows == 0 {
 		return fmt.Errorf("vt: cols and rows must be > 0 (got %dx%d)", cols, rows)
diff --git a/internal/vt/ghostty_nocgo.go b/internal/vt/ghostty_nocgo.go
index 6305d45..ebf21d2 100644
--- a/internal/vt/ghostty_nocgo.go
+++ b/internal/vt/ghostty_nocgo.go
@@ -17,6 +17,7 @@ func NewGhosttyEmulator(cols, rows uint16) (*GhosttyEmulator, error) {
 
 func (e *GhosttyEmulator) Write(p []byte) (int, error)    { return 0, errStub }
 func (e *GhosttyEmulator) Resize(cols, rows uint16) error { return errStub }
+func (e *GhosttyEmulator) Size() (uint16, uint16)         { return 0, 0 }
 func (e *GhosttyEmulator) PlainText() (string, error)     { return "", errStub }
 func (e *GhosttyEmulator) ScreenText() (string, error)    { return "", errStub }
 func (e *GhosttyEmulator) SerializeVT() ([]byte, error)   { return nil, errStub }