diff --git a/AGENTS.md b/AGENTS.md
index df8117c..003f906 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -56,9 +56,18 @@ decided by TTY + config + flags. `init` is the canonical onboarding command (the
   `resurrect save`, and cleans continuum's stale boot. These are SAFE for an active session — the
   boot agent's script is idempotent (`has-session` → exit 0, never spawns a duplicate or touches
   existing panes), and a first `resurrect save` is read-only w.r.t. the live session. It mirrors
-  the `models` schedule exception (a non-interactive launchd agent is safe to (re)load). Gate the
-  whole activation behind `RIG_TMUX_DRY_RUN` (the unit suite + CI set it). Migration backs up the
-  original (`~/.tmux.conf.rig-bak-<UTC>`, timestamped) and never overwrites an existing backup.
+  the **stateless background daemons** exception (safe to (re)load because no live user session
+  rides on them): the `models` schedule (a non-interactive cron) and the `tg_ctl` inbound daemon
+  (`tg_ctl` block) both (re)load via launchd. `tg_ctl` writes the `ai.hyperide.tg-ctl.plist`
+  LaunchAgent **byte-exact** to the working hand-created file (so a re-apply is a no-op `skipped`,
+  never a spurious rewrite) and (re)loads it with `launchctl bootout`/`bootstrap` in the
+  `gui/<uid>` domain; it also boots out + removes the dead predecessor `com.ultra.codex-tg-bot`.
+  Gate the tmux activation behind `RIG_TMUX_DRY_RUN`, and `tg_ctl` behind `RIG_TG_CTL_DRY_RUN`
+  (mirrors `RIG_SCHEDULE_DRY_RUN`) — which writes the managed plist but skips every
+  live/destructive mutation (the `launchctl` bootstrap/bootout AND the stale-predecessor teardown:
+  no bootout, no on-disk backup+remove). The unit suite + CI set these, so tests/smoke NEVER touch
+  the real launchd domain or delete the predecessor file. Migration backs up the original
+  (`~/.tmux.conf.rig-bak-<UTC>`, timestamped) and never overwrites an existing backup.
 
 ## The integration seam (agent-tools)
 
diff --git a/docs/config-schema.md b/docs/config-schema.md
index 28e0c4b..c707715 100644
--- a/docs/config-schema.md
+++ b/docs/config-schema.md
@@ -40,6 +40,7 @@ agents_md: { ... }            # AGENTS.md (canonical) + CLAUDE.md (symlink), def
 github: { ... }               # GitHub repo branch ruleset via gh api, default ON (no-op without a github remote)
 tmux: { ... }                 # rig-managed tmux config (generate + migrate ~/.tmux.conf), opt-in
 gitignore: { ... }            # rig-managed block in the GLOBAL git excludesfile (ignores **/.claude/worktrees/ in EVERY repo), default ON
+tg_ctl: { ... }               # tg-ctl inbound daemon as a macOS boot LaunchAgent, default ON (macOS-only)
 ```
 
 If `agent_tools_source` is omitted, rig resolves it from `$RIG_AGENT_TOOLS_SOURCE`, then
@@ -679,6 +680,65 @@ reconciles. Shown in the **global** section of status (not the repo section).
 
 ---
 
+## `tg_ctl`
+
+rig provisions the **tg-ctl inbound control daemon** (tg-cli's long-poll / inject-into-tmux /
+voice→text daemon, run as `tg-ctl run`) as a **macOS boot LaunchAgent** so it auto-starts at
+login/boot — exactly like the tmux boot service. **Default ON** (an absent or empty `tg_ctl:`
+block still provisions it, so `rig init` on a clean machine sets it up with no config). This is a
+**per-MACHINE** concern (one inbound daemon per machine), so the block belongs in the **GLOBAL**
+layer (`~/.config/rig/config.yaml`) — never a committed repo `rig.yaml`. **macOS-only** (launchd);
+off darwin it is a no-op.
+
+```yaml
+tg_ctl:
+  enabled: true                       # provision the tg-ctl LaunchAgent (default true; false = off)
+  boot: true                          # write + load the boot agent (default true)
+  # everything below is auto-discovered per-machine — override only if non-standard:
+  label: ai.hyperide.tg-ctl           # launchd Label / plist filename stem (advanced)
+  bun_path: ~/.bun/bin/bun            # the bun binary (default: `which bun` → ~/.bun fallback)
+  tg_ctl_path: ~/.files/bin/tg-ctl    # the tg-ctl Bun script
+  config_dir: ~/.config/tg-cli        # tg-cli config + launchd logs (default honors $TG_CTL_CONFIG_DIR)
+```
+
+| Key | Type | Default | Meaning |
+|-----|------|---------|---------|
+| `enabled` | bool | `true` | `false` = **don't touch tg-ctl at all** — rig emits no action, so it neither provisions NOR cleans up NOR reports drift (a hands-off opt-out). Use `boot: false` instead to keep rig tracking a leftover plist. |
+| `boot` | bool | `true` | `false` = provisioned-but-no-boot: rig writes/loads nothing, but a leftover plist (or the stale predecessor) IS still surfaced as drift so you see the orphan |
+| `label` | str | `ai.hyperide.tg-ctl` | launchd Label / plist filename stem (one identity for install/drift/remove) |
+| `bun_path` | str | discovered | the bun binary; default `which bun`, else `~/.bun/bin/bun` |
+| `tg_ctl_path` | str | `~/.files/bin/tg-ctl` | the tg-ctl Bun script launchd runs (`bun <path> run`) |
+| `config_dir` | str | `~/.config/tg-cli` | tg-cli config dir; the launchd out/err logs land here (honors `$TG_CTL_CONFIG_DIR`) |
+
+> **`enabled: false` vs `boot: false`.** `enabled: false` is a complete opt-out — rig stops
+> emitting the action, so a previously-installed plist is NOT cleaned up or flagged (rig is
+> hands-off). If you want rig to keep watching for / flagging a leftover plist while not running
+> the daemon, use `boot: false` (the action still runs; drift surfaces the orphan).
+
+**What rig writes.** `~/Library/LaunchAgents/ai.hyperide.tg-ctl.plist` — a `RunAtLoad` +
+`KeepAlive` agent that runs `bun ~/.files/bin/tg-ctl run` with a login PATH and the tg-cli config
+dir's logs. The plist is **byte-exact** to a hand-created working file, so `rig apply` against an
+already-correct live plist is a true **no-op** (`skipped`), never a spurious rewrite.
+
+**(Re)load mechanism.** Unlike tmux-boot (which only writes the plist), rig **(re)loads** the agent
+via `launchctl bootout`/`bootstrap` in the per-user `gui/<uid>` domain, so a clean `rig init` starts
+the daemon without a reboot, and a changed plist is picked up on the next `apply`.
+
+**Stale-predecessor teardown.** If the dead predecessor service
+`~/Library/LaunchAgents/com.ultra.codex-tg-bot.plist` exists, `rig apply` **boots it out**, backs it
+up (timestamped), and removes it.
+
+**Drift.** `rig status` flags (in the **GLOBAL** section) when the agent is missing, divergent, or
+written-but-not-loaded; a leftover plist when `boot: false`, or the stale predecessor, surfaces as a
+disk→config **extra**. `rig apply` reconciles.
+
+**Dry-run seam.** `RIG_TG_CTL_DRY_RUN=1` writes the managed plist into the configured (HOME-isolated)
+path but skips every live/destructive mutation — the gui-domain `launchctl bootstrap`/`bootout` AND
+the stale-predecessor teardown (its bootout and the on-disk backup+remove of its plist) — so
+tests/smoke never touch the real launchd domain or delete the predecessor file.
+
+---
+
 ## Validation
 
 `apply`/`status`/`init` validate before touching disk and **fail closed** on:
@@ -693,6 +753,7 @@ that is not a list of strings, an unknown `tmux`/`tmux.<sub>` key, a bad `tmux.a
 `tmux.resurrect.processes` that is not a list of strings, a `tmux.continuum.save_interval` that is
 not an int >= 1, a non-bool `tmux` boolean knob, a non-mapping `gitignore` block / non-bool
 `gitignore.enabled` / unknown `gitignore` key / non-string `gitignore.excludesfile` / a
-`gitignore.entries` that is not a list of strings or that contains a rig-managed marker line, and an
-`agent_tools_source` that is not an agent-tools checkout. `--dry-run` prints the resolved plan and
-exits 0 without writing.
+`gitignore.entries` that is not a list of strings or that contains a rig-managed marker line, an
+unknown `tg_ctl` key, a non-bool `tg_ctl.enabled`/`tg_ctl.boot`, a non-string
+`tg_ctl.label`/`bun_path`/`tg_ctl_path`/`config_dir`, and an `agent_tools_source` that is not an
+agent-tools checkout. `--dry-run` prints the resolved plan and exits 0 without writing.
diff --git a/riglib/actions/runner.py b/riglib/actions/runner.py
index a7e7144..01e23e4 100644
--- a/riglib/actions/runner.py
+++ b/riglib/actions/runner.py
@@ -1107,6 +1107,54 @@ def _launchctl_load_enable(plist: Path) -> int:
     return res.returncode
 
 
+# ── gui-domain launchctl (modern bootstrap/bootout) ─────────────────────────────────
+# The model-freshness schedule uses the legacy ``launchctl load/unload`` (``_launchctl_loaded``
+# above); the tg-ctl inbound daemon uses the MODERN per-user ``gui/<uid>`` domain verbs
+# (``bootstrap``/``bootout``), which is what macOS recommends and what loads a fresh agent without
+# a reboot. Kept separate so the two services don't share a verb set.
+def _gui_domain() -> str:
+    """The per-user GUI launchd domain target ``gui/<uid>`` for the current user."""
+    return f"gui/{os.getuid()}"
+
+
+def _launchctl_gui(verb: str, plist_path: str) -> int:
+    """``launchctl <verb> gui/<uid> <plist>`` — bootstrap (load) / bootout (unload) an agent in
+    the per-user GUI domain. Returns the rc; a non-zero rc from ``bootout`` of an unloaded agent
+    is harmless (the caller bootstraps after). One shell for both verbs (DRY)."""
+    try:
+        res = subprocess.run(
+            ["launchctl", verb, _gui_domain(), plist_path],
+            capture_output=True, text=True, timeout=20,
+        )
+    except (OSError, subprocess.SubprocessError):
+        return 1
+    return res.returncode
+
+
+# Thin, self-documenting wrappers so call sites read as bootout/bootstrap (and tests can spy on
+# each verb independently).
+def _launchctl_bootout(plist_path: str) -> int:
+    return _launchctl_gui("bootout", plist_path)
+
+
+def _launchctl_bootstrap(plist_path: str) -> int:
+    return _launchctl_gui("bootstrap", plist_path)
+
+
+def _launchctl_gui_loaded(label: str) -> bool:
+    """True when ``label`` is loaded in the per-user GUI domain (``launchctl print gui/<uid>/
+    <label>`` returns 0). Used by the install no-op check + drift so a written-but-not-loaded
+    agent is still flagged."""
+    try:
+        res = subprocess.run(
+            ["launchctl", "print", f"{_gui_domain()}/{label}"],
+            capture_output=True, text=True, timeout=20,
+        )
+    except (OSError, subprocess.SubprocessError):
+        return False
+    return res.returncode == 0
+
+
 # ── git/gh shells (isolated for testability) ──────────────────────────────────────
 def _git_global(key: str) -> str | None:
     try:
@@ -1673,6 +1721,199 @@ def _is_rig_import_line(line: str, import_line: str, rig_conf_name: str) -> bool
     return False
 
 
+# ── tg-ctl inbound-daemon LaunchAgent provisioning (macOS) ──────────────────────────
+def _tg_ctl_dry_run() -> bool:
+    """Honor RIG_TG_CTL_DRY_RUN — write the managed plist file but make NO live/destructive change.
+
+    For CI / containers / smoke where a real ``launchctl bootstrap`` (a per-user daemon mutation
+    HOME can't redirect) is unwanted. Under dry-run: the managed plist still lands under the
+    (HOME-isolated) path (so callers can assert the artifact), but the gui-domain (re)load AND the
+    stale-predecessor teardown (its ``bootout`` AND the on-disk backup+remove of its plist) are
+    BOTH skipped — dry-run never mutates the live launchd domain nor deletes the predecessor file,
+    it only reports what it would do. Mirrors ``RIG_SCHEDULE_DRY_RUN`` (the schedule's seam).
+    """
+    return os.environ.get("RIG_TG_CTL_DRY_RUN", "").strip().lower() in ("1", "true", "yes")
+
+
+def _tg_ctl_config_dir_default() -> str:
+    """The tg-cli config dir, honoring ``$TG_CTL_CONFIG_DIR`` (the daemon's own env), else the
+    documented default ``~/.config/tg-cli``. The launchd logs land here, next to the daemon's
+    .env/config.yaml, so everything tg-ctl is in one place."""
+    return os.environ.get("TG_CTL_CONFIG_DIR", "").strip() or "~/.config/tg-cli"
+
+
+def tg_ctl_plan_from_action(action: Action):
+    """Rebuild the pure :class:`~riglib.tg_ctl.TgCtlPlan` an action describes.
+
+    Shared by the install handler and the drift check so both agree on the exact desired plist
+    from the action's options. ``Path.home()`` is the resolved HOME at apply time (a test
+    monkeypatches it to a tmp HOME). The bun path is discovered at apply time unless pinned.
+    Lazy import keeps the actions package import-light.
+    """
+    from ..tg_ctl import DEFAULT_BOOT_LABEL, DEFAULT_TG_CTL_PATH, build_tg_ctl
+
+    opts = action.options
+    config_dir = opts.get("config_dir") or _tg_ctl_config_dir_default()
+    # `boot` is default-ON: a YAML `boot:` with no value (None) means "use the default" (True),
+    # NOT False — `bool(None)` would silently disable it (codex P1). Only an explicit `False` is off.
+    boot = opts.get("boot", True)
+    return build_tg_ctl(
+        home=Path.home(),
+        boot=True if boot is None else bool(boot),
+        boot_label=str(opts.get("label") or DEFAULT_BOOT_LABEL),
+        bun_path=opts.get("bun_path") or None,
+        tg_ctl_path=str(opts.get("tg_ctl_path") or DEFAULT_TG_CTL_PATH),
+        config_dir=str(config_dir),
+    )
+
+
+def _tg_ctl_teardown_stale(plan, dry: bool) -> tuple[Path | None, str | None]:
+    """Tear down the dead predecessor service (``com.ultra.codex-tg-bot``) if its plist exists:
+    bootout + timestamped backup + remove. Returns (backup_path, detail) or (None, None) when
+    there is nothing to tear down. Under ``dry`` it touches NOTHING — neither launchd nor disk —
+    and returns a "would remove" detail (the dry-run contract: no live mutation, no disk write).
+    """
+    stale = plan.stale_plist_path
+    if not stale.is_file():
+        return None, None
+    if dry:
+        return None, (
+            f"RIG_TG_CTL_DRY_RUN — would boot out + remove stale predecessor {stale.name}"
+        )
+    _launchctl_bootout(str(stale))  # harmless rc!=0 if it wasn't loaded
+    bak = _timestamped_backup_path(stale.with_name(stale.name + ".rig-bak"))
+    bak.write_text(stale.read_text(encoding="utf-8"), encoding="utf-8")
+    stale.unlink()
+    return bak, f"removed stale predecessor {stale.name} (booted out, backed up → {bak.name})"
+
+
+def _do_provision_tg_ctl(action: Action, on_conflict: str) -> ActionResult:
+    """Provision the tg-ctl inbound daemon as a macOS LaunchAgent (idempotent).
+
+    Mirrors the tmux-boot provisioning shape (render -> backup-differing -> write), but unlike
+    tmux this agent IS (re)loaded into launchd so a clean ``rig init`` starts it without a reboot:
+
+      - render ``~/Library/LaunchAgents/ai.hyperide.tg-ctl.plist`` (byte-exact to the working
+        hand-created file — see riglib.tg_ctl.render_plist's sort_keys note);
+      - back up any existing DIFFERING plist (on_conflict=backup) before rewrite;
+      - ensure the log dir (the tg-cli config dir) exists so launchd can open the logs;
+      - tear down the stale predecessor (``com.ultra.codex-tg-bot``): ``bootout`` + timestamped
+        backup + remove its plist, if present;
+      - (re)load via ``launchctl bootout``/``bootstrap`` in the per-user gui domain.
+
+    macOS-only (launchd). Off darwin it is a ``skipped`` no-op (no Linux equivalent yet).
+    A re-apply that finds the plist byte-identical AND the agent loaded is a ``skipped`` no-op —
+    the idempotency contract that keeps a re-apply against the live plist from rewriting it.
+    ``RIG_TG_CTL_DRY_RUN`` writes the plist but skips every live launchd mutation.
+    """
+    plan = tg_ctl_plan_from_action(action)
+
+    if sys.platform != "darwin":
+        return ActionResult(
+            action, "skipped",
+            "tg_ctl/boot: skipped (launchd is macOS-only; no Linux equivalent yet)",
+        )
+
+    details: list[str] = []
+    changed = False
+    headline_backup: Path | None = None
+    dry = _tg_ctl_dry_run()
+
+    # 0) tear down the dead predecessor service first (bootout + backup + remove its plist).
+    # Under dry-run this is a pure no-op that only REPORTS what it would do (no disk mutation).
+    stale_backup, stale_detail = _tg_ctl_teardown_stale(plan, dry)
+    if stale_detail:
+        details.append(stale_detail)
+    if stale_backup is not None:  # a real removal happened (never under dry-run)
+        headline_backup = stale_backup
+        changed = True
+
+    if not plan.boot_enabled:
+        # boot disabled: don't write/load the agent. A leftover plist is surfaced by drift as an
+        # EXTRA (it still auto-starts the daemon), but apply never deletes the user's own file.
+        if not changed:
+            return ActionResult(action, "skipped", "tg_ctl/boot: disabled (tg_ctl.boot=false) — nothing to provision")
+        return ActionResult(action, "backed_up" if headline_backup else "created",
+                            f"tg_ctl/boot: {'; '.join(details)}", headline_backup)
+
+    # 1) ensure the log dir (tg-cli config dir) exists so launchd can open StandardOut/ErrorPath.
+    plan.config_dir.mkdir(parents=True, exist_ok=True)
+
+    # 2) write the plist (idempotent on identical bytes; honors on_conflict for a differing one).
+    plan.plist_path.parent.mkdir(parents=True, exist_ok=True)
+    desired = plan.render_plist()
+    already = plan.plist_path.is_file()
+    current = plan.plist_path.read_text(encoding="utf-8") if already else ""
+
+    # The install-if-missing no-op: present AND byte-identical AND already loaded → nothing to do.
+    # (Skip the loaded check under dry-run — it would query the real launchd domain.)
+    if already and current == desired and not changed and (dry or _launchctl_gui_loaded(plan.boot_label)):
+        return ActionResult(
+            action, "skipped",
+            f"tg_ctl/boot: launchd agent '{plan.boot_label}' already installed and loaded",
+        )
+
+    out = fsutil.write_file(plan.plist_path, desired, on_conflict)
+    if out.status == "error":
+        return ActionResult(action, "error", f"tg_ctl/boot: {out.detail}", out.backup)
+    if out.backup:
+        headline_backup = headline_backup or out.backup
+        details.append(f"backed up prior plist → {out.backup.name}")
+    # Conflict-skip: the existing plist DIFFERS but on_conflict=skip said don't write it. The
+    # desired agent never hit disk, so we must NOT (re)load the stale plist and must NOT report a
+    # change — surface the unresolved drift instead (mirrors the schedule conflict-skip path).
+    if out.status == "skipped" and already and current != desired:
+        if changed:  # the stale-predecessor removal still happened — report it, plus the skip.
+            details.append(
+                f"{plan.plist_path.name} differs but on_conflict=skip — left unchanged "
+                f"(drift NOT reconciled; re-run with on_conflict=backup/overwrite)"
+            )
+            return ActionResult(action, "backed_up" if headline_backup else "created",
+                                f"tg_ctl/boot: {'; '.join(details)}", headline_backup)
+        return ActionResult(
+            action, "skipped",
+            f"tg_ctl/boot: launchd plist {plan.plist_path} differs but on_conflict=skip — "
+            f"left unchanged (drift NOT reconciled; re-run with on_conflict=backup/overwrite)",
+        )
+    if out.status != "skipped":
+        changed = True
+        details.append(f"wrote {plan.plist_path.name}")
+
+    if dry:
+        return ActionResult(
+            action,
+            "backed_up" if headline_backup else ("created" if changed else "skipped"),
+            f"tg_ctl/boot: {'; '.join(details) or 'plist already current'} "
+            f"(RIG_TG_CTL_DRY_RUN — skipped launchctl bootstrap)",
+            headline_backup,
+        )
+
+    # 3) (re)load via the per-user gui domain so a changed plist is picked up without a reboot.
+    # bootout first is safe — it is a harmless no-op when the label isn't loaded. We (re)load
+    # whenever the plist was (re)written OR the agent isn't currently loaded.
+    needs_load = changed or not _launchctl_gui_loaded(plan.boot_label)
+    if needs_load:
+        _launchctl_bootout(str(plan.plist_path))
+        rc = _launchctl_bootstrap(str(plan.plist_path))
+        if rc != 0:
+            return ActionResult(
+                action, "error",
+                f"tg_ctl/boot: wrote {plan.plist_path} but `launchctl bootstrap` failed (rc={rc})",
+                headline_backup,
+            )
+        if not changed:  # plist byte-identical but the agent wasn't loaded → loading IS the change.
+            changed = True
+            details.append(f"loaded launchd agent '{plan.boot_label}'")
+        else:
+            details.append(f"(re)loaded launchd agent '{plan.boot_label}'")
+
+    if not changed:
+        return ActionResult(action, "skipped",
+                            f"tg_ctl/boot: launchd agent '{plan.boot_label}' already installed and loaded")
+    status = "backed_up" if headline_backup else "created"
+    return ActionResult(action, status, f"tg_ctl/boot: {'; '.join(details)}", headline_backup)
+
+
 # ── AGENTS.md / CLAUDE.md canonical + symlink ─────────────────────────────────────
 # One file is the real source of truth; the other is a relative symlink to it, so every
 # agent harness (Claude Code reads CLAUDE.md; Codex/others read AGENTS.md) sees identical
@@ -2328,4 +2569,5 @@ def _do_provision_global_excludes(action: Action, on_conflict: str) -> ActionRes
     "provision_github_ruleset": _do_provision_github_ruleset,
     "provision_tmux": _do_provision_tmux,
     "provision_global_excludes": _do_provision_global_excludes,
+    "provision_tg_ctl": _do_provision_tg_ctl,
 }
diff --git a/riglib/cli.py b/riglib/cli.py
index 7b4b069..e20a79b 100644
--- a/riglib/cli.py
+++ b/riglib/cli.py
@@ -549,6 +549,9 @@ def cmd_status(args: argparse.Namespace) -> int:
     # surface the model-freshness schedule explicitly (installed / drifted / not configured),
     # so `rig status` answers "is the daily checker cron there?" at a glance.
     _print_schedule_status(plan, report)
+    # surface the tg-ctl inbound-daemon boot agent in the GLOBAL section (installed / drifted /
+    # disabled), so status answers "is the Telegram control daemon auto-starting?" at a glance.
+    _print_tg_ctl_status(plan, report)
 
     # missing-target: a hook command in the harness settings.json that points at a file gone
     # from disk (the dead-rtk-hook case) surfaces PROACTIVELY here, before it bites at runtime
@@ -676,6 +679,31 @@ def _print_schedule_status(plan, report) -> None:
           + _dim(f"(daily {when}, {platform}, '{opts.get('label', '')}')"))
 
 
+def _print_tg_ctl_status(plan, report) -> None:
+    """Report the tg-ctl inbound-daemon boot agent (GLOBAL): installed / drifted / disabled / unsupported.
+
+    A per-machine LaunchAgent, so it lives in the GLOBAL section of status (not per-repo). Resolves
+    the desired state through the SAME plan builder apply/drift use (so the label/boot flag never
+    drift). Off macOS the provisioner is a no-op, so status says 'unsupported' — never a misleading
+    'installed' (codex P2). Stays silent only when no ``provision_tg_ctl`` action is in the plan
+    (default-on, so that is unusual — keeps the helper defensive)."""
+    from .actions.runner import tg_ctl_plan_from_action
+    from .drift import _on_darwin
+
+    tg_actions = [a for a in plan.actions if a.kind == "provision_tg_ctl"]
+    if not tg_actions:
+        return
+    tg = tg_ctl_plan_from_action(tg_actions[0])  # shared resolution → boot_label / boot_enabled
+    if not _on_darwin():
+        state = _dim("unsupported (macOS-only; no-op off darwin)")
+    elif not tg.boot_enabled:
+        state = _dim("disabled (tg_ctl.boot=false)")
+    else:
+        drifted = [d for d in report.items if d.category == "tg_ctl" and d.direction != "extra"]
+        state = _warn(f"drifted ({drifted[0].detail})") if drifted else _ok("installed")
+    print(f"\n  [GLOBAL] tg-ctl inbound daemon: {state}  " + _dim(f"(launchd boot agent, '{tg.boot_label}')"))
+
+
 def cmd_doctor(args: argparse.Namespace) -> int:
     from .doctor import bootstrap, diagnose
 
diff --git a/riglib/config.py b/riglib/config.py
index 7bb32c9..454161e 100644
--- a/riglib/config.py
+++ b/riglib/config.py
@@ -40,6 +40,7 @@
     "github",
     "tmux",
     "gitignore",
+    "tg_ctl",
 }
 _VALID_CATEGORIES = {"skills", "agent_hooks", "git_hooks", "ci", "mcp"}
 _VALID_ON_CONFLICT = {"skip", "overwrite", "backup"}
@@ -263,6 +264,7 @@ def validate(data: dict[str, Any]) -> None:
     _validate_github(data.get("github", {}))
     _validate_tmux(data.get("tmux", {}))
     _validate_gitignore(data.get("gitignore", {}))
+    _validate_tg_ctl(data.get("tg_ctl", {}))
 
 
 def _validate_ci(ci: dict[str, Any]) -> None:
@@ -715,3 +717,43 @@ def _validate_tmux(t: dict[str, Any]) -> None:
                     "tmux.login_shell.shell must be an absolute path to the shell BINARY with no "
                     f"arguments (rig adds `-l`), or empty to use $SHELL — got {shell!r}"
                 )
+
+
+# The keys the tg_ctl block accepts. Listed once so the validator rejects a typo (fail-closed,
+# consistent with every other block).
+_TG_CTL_KEYS = {
+    "enabled",
+    "boot",
+    "label",
+    "bun_path",
+    "tg_ctl_path",
+    "config_dir",
+}
+
+
+def _validate_tg_ctl(t: dict[str, Any]) -> None:
+    """Validate the ``tg_ctl`` block — rig-managed tg-ctl inbound-daemon LaunchAgent.
+
+    This is a per-MACHINE concern (one inbound Telegram control daemon per machine), so it
+    belongs in the GLOBAL layer (``~/.config/rig/config.yaml``), like ``harness``/``tmux``/
+    ``git_hooks`` — NOT a committed repo ``rig.yaml``. Default **ON**: an EMPTY/absent block
+    still provisions the daemon (a present block with ``enabled`` not false opts in). Fail-closed,
+    consistent with every other block, on: a non-mapping block, an unknown key (typo guard), a
+    non-bool ``enabled``/``boot``, and a non-string ``label``/``bun_path``/``tg_ctl_path``/
+    ``config_dir``.
+    """
+    if not isinstance(t, dict):
+        raise ConfigError("tg_ctl must be a mapping")
+    if not t:
+        return
+    unknown = set(t) - _TG_CTL_KEYS
+    if unknown:
+        raise ConfigError(f"unknown tg_ctl key(s): {', '.join(sorted(unknown))}")
+    for boolkey in ("enabled", "boot"):
+        value = t.get(boolkey)
+        if value is not None and not isinstance(value, bool):
+            raise ConfigError(f"tg_ctl.{boolkey} must be a bool, got {value!r}")
+    for strkey in ("label", "bun_path", "tg_ctl_path", "config_dir"):
+        value = t.get(strkey)
+        if value is not None and not isinstance(value, str):
+            raise ConfigError(f"tg_ctl.{strkey} must be a string, got {value!r}")
diff --git a/riglib/drift.py b/riglib/drift.py
index f647b77..69f2003 100644
--- a/riglib/drift.py
+++ b/riglib/drift.py
@@ -24,6 +24,7 @@
     _ci_companion_files,
     _find_marker_lines,
     _git_global,
+    _launchctl_gui_loaded,
     _launchctl_loaded,
     _read_crontab,
     _tmux_dry_run,
@@ -43,11 +44,13 @@
     resolve_global_excludes,
     schedule_plan_from_action,
     skill_harness_link_target,
+    tg_ctl_plan_from_action,
     tmux_plan_from_action,
 )
 from .config import GITIGNORE_BEGIN_MARKER
 from .github_ruleset import DEFAULT_RULESET_NAME
 from .plan import Action, InstallPlan
+from .tg_ctl import STALE_PREDECESSOR_LABEL
 
 
 @dataclass
@@ -129,6 +132,8 @@ def detect(
             _check_tmux(action, report)
         elif action.kind == "provision_global_excludes":
             _check_global_excludes(action, report)
+        elif action.kind == "provision_tg_ctl":
+            _check_tg_ctl(action, report)
 
     _extras_skills(declared_skill_dirs, report)
     _extras_ci(declared_ci_dirs, report)
@@ -823,6 +828,62 @@ def _check_tmux(action: Action, report: DriftReport) -> None:
             )
 
 
+def _check_tg_ctl(action: Action, report: DriftReport) -> None:
+    """Flag drift on the rig-managed tg-ctl LaunchAgent (macOS).
+
+    missing  — boot enabled but the plist is absent, OR present + byte-identical but the agent is
+               NOT loaded in the gui domain (launchd never picked it up → daemon not running).
+    modified — the plist on disk differs from the desired byte-exact render (a hand edit, or an
+               upgrade that changed the args/PATH). ``rig apply`` reconciles + (re)loads.
+    extra    — a leftover plist when boot is DISABLED (it still auto-starts the daemon), OR the
+               stale predecessor ``com.ultra.codex-tg-bot`` plist (apply boots it out + removes it).
+    Off darwin (no launchd) tg-ctl provisioning is a no-op, so there is nothing to check.
+    Shares the desired-plist computation with the install handler, so apply and status can never
+    disagree.
+    """
+    if not _on_darwin():
+        return
+    plan = tg_ctl_plan_from_action(action)
+
+    # the stale predecessor service is always drift while it exists (apply removes it).
+    if plan.stale_plist_path.is_file():
+        report.items.append(
+            DriftItem("extra", "tg_ctl", action.item, plan.stale_plist_path,
+                      f"stale predecessor '{STALE_PREDECESSOR_LABEL}' LaunchAgent present — "
+                      f"apply boots it out and removes it")
+        )
+
+    if not plan.boot_enabled:
+        # boot disabled: a leftover managed plist still auto-starts the daemon → surface it as a
+        # disk->config extra (apply never deletes the user's own file).
+        if plan.plist_path.is_file():
+            report.items.append(
+                DriftItem("extra", "tg_ctl", action.item, plan.plist_path,
+                          "tg-ctl boot plist present but tg_ctl.boot is disabled "
+                          "(it still starts the daemon at login — remove it or re-enable boot)")
+            )
+        return
+
+    desired = plan.render_plist()
+    if not plan.plist_path.is_file():
+        report.items.append(
+            DriftItem("missing", "tg_ctl", action.item, plan.plist_path,
+                      "tg-ctl boot LaunchAgent not installed")
+        )
+        return
+    if plan.plist_path.read_text(encoding="utf-8") != desired:
+        report.items.append(
+            DriftItem("modified", "tg_ctl", action.item, plan.plist_path,
+                      "tg-ctl boot LaunchAgent differs from the configured plist")
+        )
+        return
+    if not _launchctl_gui_loaded(plan.boot_label):
+        report.items.append(
+            DriftItem("missing", "tg_ctl", action.item, plan.plist_path,
+                      f"tg-ctl LaunchAgent '{plan.boot_label}' installed but not loaded")
+        )
+
+
 def _file_drift(report: DriftReport, action: Action, path: Path, desired: str, label: str) -> None:
     """Append a ``missing`` (absent) or ``modified`` (content differs) DriftItem for a rig file."""
     if not path.is_file():
diff --git a/riglib/plan.py b/riglib/plan.py
index fde47c4..db8e778 100644
--- a/riglib/plan.py
+++ b/riglib/plan.py
@@ -527,6 +527,9 @@ def build(config: LoadedConfig, catalog: Catalog, *, project_type: str = "unknow
     # ── gitignore (rig-managed block in the GLOBAL git excludes file) ──────────────
     _build_global_excludes(config, plan)
 
+    # ── tg_ctl (rig-managed tg-ctl inbound daemon LaunchAgent) ─────────────────────
+    _build_tg_ctl(config, plan)
+
     return plan
 
 
@@ -922,3 +925,47 @@ def _build_tmux(config: LoadedConfig, plan: InstallPlan) -> None:
             },
         )
     )
+
+
+def _build_tg_ctl(config: LoadedConfig, plan: InstallPlan) -> None:
+    """Plan the rig-managed tg-ctl inbound-daemon LaunchAgent, unless ``enabled: false``.
+
+    Default **ON** (like ``agents_md``/``github``): an ABSENT or empty ``tg_ctl:`` block still
+    provisions the daemon, so ``rig init`` on a clean machine sets it up with no config at all.
+    Only ``enabled: false`` opts out. This is a per-MACHINE concern (one inbound Telegram
+    control daemon per machine), so the block belongs in the GLOBAL layer
+    (``~/.config/rig/config.yaml``) — but it cascades into the merged config the same way.
+
+    Unlike tmux, the tg-ctl artifact paths are HOME-anchored per-machine (not repo-relative):
+    the runner resolves them against ``Path.home()`` at apply time (so a committed rig.yaml stays
+    portable and never anchors ~/.files/bin to a repo root). The action just carries the raw
+    config knobs; the bun path is discovered at apply time.
+    """
+    from .tg_ctl import DEFAULT_BOOT_LABEL
+
+    # An ABSENT key (None) defaults to provisioning (default-on). A PRESENT block (validate() has
+    # already guaranteed it is a mapping) opts in unless `enabled: false`.
+    t = config.data.get("tg_ctl") or {}
+    if t.get("enabled") is False:
+        return
+
+    plan.actions.append(
+        Action(
+            kind="provision_tg_ctl",
+            category="tg_ctl",
+            item="boot",
+            source=config.repo_root,  # no carrier; rig generates the plist
+            # target is the launchd LABEL (not a filesystem path) — the runner resolves the real
+            # ~/Library/LaunchAgents/<label>.plist against HOME at apply time. `label or DEFAULT`
+            # (not `get(key, default)`) so a YAML `label:` with no value (None) can't become the
+            # literal string "None".
+            target=Path(t.get("label") or DEFAULT_BOOT_LABEL),
+            options={
+                "boot": t.get("boot", True),
+                "label": t.get("label"),
+                "bun_path": t.get("bun_path"),
+                "tg_ctl_path": t.get("tg_ctl_path"),
+                "config_dir": t.get("config_dir"),
+            },
+        )
+    )
diff --git a/riglib/tg_ctl.py b/riglib/tg_ctl.py
new file mode 100644
index 0000000..eefd18f
--- /dev/null
+++ b/riglib/tg_ctl.py
@@ -0,0 +1,200 @@
+"""tg-ctl boot provisioning — PURE planning of the rig-managed LaunchAgent.
+
+What this is
+------------
+``tg-ctl`` (``~/.files/bin/tg-ctl``, a Bun script) is the INBOUND control daemon for tg-cli:
+it long-polls Telegram and injects replies into the agent's tmux pane, renders agent
+questions as Telegram buttons, and does voice->text. The daemon command is ``tg-ctl run``.
+Config lives in ``~/.config/tg-cli/`` (.env + config.yaml); the daemon reads it itself.
+
+rig provisions this daemon as a macOS LaunchAgent so it auto-starts at login/boot — exactly
+like rig already does for the tmux boot service (see :mod:`riglib.tmux`). This module is the
+analog of that one: it is **stdlib-only and effect-free** — it computes WHAT the LaunchAgent
+plist should be (the generated ``ai.hyperide.tg-ctl.plist`` XML). The effectful writes (write
+the plist, back up a differing prior, ``launchctl bootstrap``/``bootout`` in the gui domain,
+remove the stale predecessor) live in ``actions/runner.py`` (the one-engine apply path), and
+drift detection diffs the desired artifact against disk in ``drift.py``. Three consumers
+(plan, apply, drift) share THIS so the desired state never drifts between them.
+
+How it is reached
+-----------------
+``plan._build_tg_ctl`` reads the ``tg_ctl:`` config block, calls :func:`build_tg_ctl` to
+resolve a :class:`TgCtlPlan`, and emits a ``provision_tg_ctl`` action. ``runner.
+_do_provision_tg_ctl`` renders the plist from the same plan and writes + (re)loads it.
+``drift._check_tg_ctl`` re-renders and diffs.
+
+Invariants
+----------
+- **Byte-exact plist.** ``render_plist`` emits ``plistlib`` XML with ``sort_keys=False`` so the
+  key order matches the hand-created, WORKING live plist on the CTO's machine. With sorted keys
+  ``rig apply`` would spuriously rewrite the live file every run (NOT idempotent). Key order is
+  load-bearing for the no-op contract — do not reorder the payload dict.
+- **gui-domain (re)load.** apply (re)loads the agent via ``launchctl bootout``/``bootstrap``
+  in the per-user ``gui/<uid>`` domain (the modern replacement for ``load``/``unload``), so a
+  changed plist is picked up without a reboot.
+- **Stale predecessor removal.** The dead predecessor service ``com.ultra.codex-tg-bot`` is
+  ``bootout``'d and its plist removed (timestamped backup) on reconcile.
+
+This is a per-MACHINE concern (one inbound daemon per machine), so the ``tg_ctl:`` block
+belongs in the GLOBAL layer (``~/.config/rig/config.yaml``), like ``harness``/``tmux``/
+``git_hooks`` — NOT a committed repo ``rig.yaml``.
+"""
+
+from __future__ import annotations
+
+import shutil
+from dataclasses import dataclass
+from pathlib import Path
+
+# The boot launchd label (macOS). Reverse-DNS per Apple convention; one identity for the plist
+# Label + filename stem so install/drift/remove all key off it. Distinct from the tmux-boot
+# label (ai.hyperide.tmux-boot) so the two agents never collide.
+DEFAULT_BOOT_LABEL = "ai.hyperide.tg-ctl"
+
+# The dead predecessor service rig must tear down on reconcile (the old codex-tg-bot daemon
+# that tg-ctl replaced). bootout + remove its plist (with a timestamped backup).
+STALE_PREDECESSOR_LABEL = "com.ultra.codex-tg-bot"
+
+# Default tg-ctl install location (HOME-relative; resolved per-machine). The symlink at
+# ~/.files/bin/tg-ctl points at the checked-out Bun script; launchd runs it via bun.
+DEFAULT_TG_CTL_PATH = "~/.files/bin/tg-ctl"
+
+# Default tg-cli config dir (honoring $TG_CTL_CONFIG_DIR). The launchd logs land here next to
+# the daemon's own .env/config.yaml so everything tg-ctl is in one place.
+DEFAULT_CONFIG_DIR = "~/.config/tg-cli"
+
+# The launchd log basenames (under the config dir). Match the live, working plist.
+OUT_LOG_NAME = "launchd.tg-ctl.out.log"
+ERR_LOG_NAME = "launchd.tg-ctl.err.log"
+
+# Common bun install locations, checked when PATH resolution fails (a non-interactive
+# `rig apply` env may have a bare PATH). Ordered: the user's ~/.bun, Apple-silicon brew,
+# Intel brew. ``~`` is expanded against the resolved HOME at render time.
+_BUN_FALLBACK_PATHS = ("~/.bun/bin/bun", "/opt/homebrew/bin/bun", "/usr/local/bin/bun")
+
+# The PATH the daemon runs with — a sane login PATH that finds bun, brew tools, the user's
+# ~/.local/bin, and the system dirs. Matches the live working plist. ``{bun_dir}`` is the
+# directory of the resolved bun binary so the daemon can re-exec bun if needed.
+_DAEMON_PATH_TEMPLATE = "{bun_dir}:/opt/homebrew/bin:{home}/.local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
+
+
+@dataclass(frozen=True)
+class TgCtlPlan:
+    """The desired tg-ctl LaunchAgent state, fully resolved. Pure data, no I/O."""
+
+    home: Path
+    enabled: bool
+    boot_enabled: bool
+    boot_label: str
+    bun_path: Path
+    tg_ctl_path: Path
+    config_dir: Path
+
+    # ── resolved artifact paths ──────────────────────────────────────────────────────
+    @property
+    def plist_path(self) -> Path:
+        return self.home / "Library" / "LaunchAgents" / f"{self.boot_label}.plist"
+
+    @property
+    def stale_plist_path(self) -> Path:
+        return self.home / "Library" / "LaunchAgents" / f"{STALE_PREDECESSOR_LABEL}.plist"
+
+    @property
+    def out_log_path(self) -> Path:
+        return self.config_dir / OUT_LOG_NAME
+
+    @property
+    def err_log_path(self) -> Path:
+        return self.config_dir / ERR_LOG_NAME
+
+    @property
+    def working_directory(self) -> Path:
+        # the daemon runs from the dir holding the tg-ctl script (matches the live plist).
+        return self.tg_ctl_path.parent
+
+    @property
+    def daemon_path_env(self) -> str:
+        return _DAEMON_PATH_TEMPLATE.format(bun_dir=str(self.bun_path.parent), home=str(self.home))
+
+    # ── the generated LaunchAgent plist ──────────────────────────────────────────────
+    def render_plist(self) -> str:
+        """The rig-owned ``ai.hyperide.tg-ctl.plist`` XML.
+
+        plistlib gives idiomatic, escape-safe XML (no hand-rolled string concat / injection).
+        ``sort_keys=False`` is LOAD-BEARING: it preserves the insertion order below, matching
+        the hand-created, WORKING live plist byte-for-byte so ``rig apply`` is a true no-op
+        against it (sorted keys would reorder Label/ProgramArguments/EnvironmentVariables/… and
+        force a spurious rewrite every run). Do NOT reorder this dict.
+        """
+        import plistlib
+
+        payload = {
+            "Label": self.boot_label,
+            "ProgramArguments": [str(self.bun_path), str(self.tg_ctl_path), "run"],
+            "WorkingDirectory": str(self.working_directory),
+            "EnvironmentVariables": {
+                "PATH": self.daemon_path_env,
+                "HOME": str(self.home),
+            },
+            "RunAtLoad": True,
+            "KeepAlive": True,
+            "ThrottleInterval": 10,
+            "StandardOutPath": str(self.out_log_path),
+            "StandardErrorPath": str(self.err_log_path),
+        }
+        return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=False).decode("utf-8")
+
+
+def _resolve_bun_bin(home: Path) -> Path:
+    """The bun binary path for the LaunchAgent: prefer PATH, else the first existing common
+    location (~/.bun, Apple-silicon /opt/homebrew, Intel /usr/local). Falls back to ~/.bun/bin
+    when none exist (so the plist is still well-formed). HOME-relative fallbacks expand against
+    the resolved ``home`` so a test tmp HOME never points at the real ~/.bun.
+    """
+    found = shutil.which("bun")
+    if found:
+        return Path(found)
+    for cand in _BUN_FALLBACK_PATHS:
+        p = _expand_home(cand, home)
+        if p.exists():
+            return p
+    return _expand_home(_BUN_FALLBACK_PATHS[0], home)
+
+
+def _expand_home(p: str | Path, home: Path) -> Path:
+    """Expand a ``~``/``~/...`` path against the resolved ``home`` (never the real one)."""
+    s = str(p)
+    if s == "~":
+        return home
+    if s.startswith("~/"):
+        return home / s[2:]
+    return Path(s)
+
+
+def build_tg_ctl(
+    *,
+    home: Path,
+    enabled: bool = True,
+    boot: bool = True,
+    boot_label: str = DEFAULT_BOOT_LABEL,
+    bun_path: str | Path | None = None,
+    tg_ctl_path: str | Path = DEFAULT_TG_CTL_PATH,
+    config_dir: str | Path = DEFAULT_CONFIG_DIR,
+) -> TgCtlPlan:
+    """Resolve the desired :class:`TgCtlPlan` from the (already-validated) tg_ctl config block.
+
+    ``home`` is the resolved HOME (the caller passes ``Path.home()`` or a test tmp HOME). The
+    bun path is discovered (``which bun`` -> ~/.bun fallback) unless an explicit ``bun_path`` is
+    given. ``tg_ctl_path`` / ``config_dir`` are HOME-relative by default and honor an explicit
+    override (the runner passes the ``$TG_CTL_CONFIG_DIR``-resolved dir when set).
+    """
+    resolved_bun = _expand_home(bun_path, home) if bun_path else _resolve_bun_bin(home)
+    return TgCtlPlan(
+        home=home,
+        enabled=bool(enabled),
+        boot_enabled=bool(boot),
+        boot_label=str(boot_label),
+        bun_path=resolved_bun,
+        tg_ctl_path=_expand_home(tg_ctl_path, home),
+        config_dir=_expand_home(config_dir, home),
+    )
diff --git a/tests/conftest.py b/tests/conftest.py
index 4819f0f..f46f83c 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -65,15 +65,39 @@ def _noop_provision(action, on_conflict):
 
         return ActionResult(action, "skipped", "models/model-freshness: scheduler stubbed in tests")
 
+    def _noop_tg_ctl(action, on_conflict):
+        from riglib.actions.runner import ActionResult
+
+        return ActionResult(action, "skipped", "tg_ctl/boot: daemon provisioner stubbed in tests")
+
     # Patch BOTH the module attr and the dispatch-table entry: `run_plan` resolves the handler
     # from `_HANDLERS` (a dict built at import with a direct function reference), so patching
     # only the module attr would leave the e2e `run_plan` path calling the real installer.
     monkeypatch.setattr(runner, "_do_provision_schedule", _noop_provision)
     monkeypatch.setitem(runner._HANDLERS, "provision_schedule", _noop_provision)
+    # tg_ctl: (boot:) is ALSO in the DEFAULT scaffold (default-on), so an e2e `rig init --yes`
+    # would otherwise write a real ~/Library/LaunchAgents/ai.hyperide.tg-ctl.plist AND shell out
+    # to the real `launchctl bootstrap`. Neutralize it suite-wide exactly like the schedule; the
+    # dedicated tests (test_tg_ctl.py) call `_do_provision_tg_ctl` with their own HOME-isolated
+    # tmp dirs + stubbed launchctl seams, which override this stub for those tests.
+    monkeypatch.setattr(runner, "_do_provision_tg_ctl", _noop_tg_ctl)
+    monkeypatch.setitem(runner._HANDLERS, "provision_tg_ctl", _noop_tg_ctl)
+    # tg_ctl is default-on, so a provision_tg_ctl action exists in EVERY e2e plan. Its drift
+    # check reads the REAL ``_on_darwin()`` (true on a macOS dev box) and would flag the missing
+    # plist — but the provisioner above is stubbed, so apply never writes it, leaving a permanent
+    # phantom drift in e2e tests. Neutralize the drift check suite-wide too (the dedicated
+    # test_tg_ctl.py restores the real one). Symmetric with the provisioner stub.
+    monkeypatch.setattr(driftmod, "_check_tg_ctl", lambda action, report: None)
 
     for mod in (runner, driftmod):
         monkeypatch.setattr(mod, "_launchctl", lambda verb, arg: 0, raising=False)
         monkeypatch.setattr(mod, "_launchctl_loaded", lambda label: False, raising=False)
+        # the gui-domain verbs the tg-ctl provisioner uses — stub them so neither runner nor
+        # drift can EVER reach the real launchd domain in any test (a test that mutates the real
+        # launchd domain is a FAIL). Dedicated tg-ctl tests install their own stubs/spies.
+        monkeypatch.setattr(mod, "_launchctl_bootstrap", lambda plist: 0, raising=False)
+        monkeypatch.setattr(mod, "_launchctl_bootout", lambda plist: 0, raising=False)
+        monkeypatch.setattr(mod, "_launchctl_gui_loaded", lambda label: False, raising=False)
         monkeypatch.setattr(mod, "_read_crontab", lambda: (crontab_store["has"], crontab_store["content"]))
 
     def _fake_write_crontab(contents):
diff --git a/tests/smoke.sh b/tests/smoke.sh
index 45166f0..a27d762 100755
--- a/tests/smoke.sh
+++ b/tests/smoke.sh
@@ -15,6 +15,20 @@ set -euo pipefail
 ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 RIG="python3 $ROOT/bin/rig"
 
+# Provision tg-ctl in DRY-RUN for the WHOLE smoke: tg_ctl is default-on, so the apply legs below
+# would otherwise (on macOS) shell out to the real `launchctl bootstrap` and write the real
+# user's launchd domain. RIG_TG_CTL_DRY_RUN writes the plist into the (HOME-isolated) path but
+# NEVER touches the live launchd domain — the hard isolation rule. (The dedicated tg-ctl leg
+# below relies on this too.)
+export RIG_TG_CTL_DRY_RUN=1
+
+# Resolve an agent-tools checkout ONCE, up front, against the REAL HOME — the apply leg below
+# overwrites $HOME with an isolated tmp dir, so any later HOME-relative discovery would miss it.
+AGENT_TOOLS="${RIG_AGENT_TOOLS_SOURCE:-}"
+for cand in "$AGENT_TOOLS" "$HOME/xp/agent-tools" "$HOME/work/agent-tools" "$HOME/agent-tools"; do
+  if [[ -n "$cand" && -d "$cand/skills" && -d "$cand/agent-hooks" ]]; then AGENT_TOOLS="$cand"; break; fi
+done
+
 pass() { printf '  \033[32m✔\033[0m %s\n' "$1"; }
 fail() { printf '  \033[31m✗ %s\033[0m\n' "$1"; exit 1; }
 
@@ -30,11 +44,8 @@ $RIG doctor >/dev/null 2>&1 || true
 pass "rig doctor"
 
 # ── 3. headless setup against a sample config, isolated HOME ──────────────────
-# Locate an agent-tools checkout to apply FROM. Prefer the env override, then defaults.
-SRC="${RIG_AGENT_TOOLS_SOURCE:-}"
-for cand in "$SRC" "$HOME/xp/agent-tools" "$HOME/work/agent-tools" "$HOME/agent-tools"; do
-  if [[ -n "$cand" && -d "$cand/skills" && -d "$cand/agent-hooks" ]]; then SRC="$cand"; break; fi
-done
+# Apply FROM the agent-tools checkout resolved up top (before HOME gets isolated).
+SRC="$AGENT_TOOLS"
 if [[ -z "$SRC" || ! -d "$SRC/skills" ]]; then
   printf '  \033[33m○ skip\033[0m apply smoke — no agent-tools checkout found (set RIG_AGENT_TOOLS_SOURCE)\n'
 else
@@ -77,6 +88,16 @@ tmux:
 gitignore:
   enabled: true
 YAML
+  # the review MCP server is only declarable when the agent-tools checkout actually carries it
+  # (a README-only mcp/ dir — an incomplete checkout — would make `review` an unknown item and
+  # fail the whole apply on an env unrelated to what this smoke proves). Include it only if present.
+  if [[ -d "$SRC/mcp/review" ]]; then
+    cat >> "$TMP/rig.yaml" <<YAML
+mcp:
+  items:
+    review: { enabled: true, command: "review --mcp" }
+YAML
+  fi
 
   # dry-run first (must write nothing)
   $RIG init -C "$TMP" --config "$TMP/rig.yaml" --yes --dry-run >/dev/null || fail "init --dry-run"
@@ -175,6 +196,7 @@ git_hooks: { dispatcher: { enabled: false } }
 mcp: { enabled: false }
 agents_md: { enabled: false }
 gitignore: { enabled: false }
+tg_ctl: { enabled: false }
 YAML
   CLEANREPO="$TMP/clean-repo"; mkdir -p "$CLEANREPO"; ( cd "$CLEANREPO" && git init -q )
   cp "$CLEAN" "$CLEANREPO/rig.yaml"
@@ -201,6 +223,57 @@ YAML
   pass "rig status: non-git dir → no 'should be committed', repo layer N/A"
 fi
 
+# ── 3b. tg-ctl inbound-daemon LaunchAgent provisioning (macOS, dry-run isolated) ──
+# Proves the tg_ctl boot LaunchAgent is provisioned by `rig apply` with the plist landing under
+# the ISOLATED HOME and NO real `launchctl` call (RIG_TG_CTL_DRY_RUN, exported at the top).
+# macOS-only (launchd); skipped off darwin and when no agent-tools checkout is found (rig's plan
+# build requires a source even when carrier categories are off). Uses the source resolved up top.
+if [[ "$(uname -s)" != "Darwin" ]]; then
+  printf '  \033[33m○ skip\033[0m tg-ctl leg — not macOS (launchd-only)\n'
+elif [[ -z "$AGENT_TOOLS" || ! -d "$AGENT_TOOLS/skills" ]]; then
+  printf '  \033[33m○ skip\033[0m tg-ctl leg — no agent-tools checkout (set RIG_AGENT_TOOLS_SOURCE)\n'
+else
+  TG_TMP="$(mktemp -d)"
+  TG_HOME="$TG_TMP/home"; mkdir -p "$TG_HOME"
+  ( cd "$TG_TMP" && git init -q )
+  # a FOCUSED tg-ctl config: every other default-on category off (incl. models, whose cron would
+  # otherwise shell out to launchctl) so the leg exercises ONLY tg-ctl.
+  cat > "$TG_TMP/rig.yaml" <<YAML
+version: 1
+agent_tools_source: $AGENT_TOOLS
+skills:      { enabled: false }
+agent_hooks: { enabled: false }
+ci:          { enabled: false }
+mcp:         { enabled: false }
+agents_md:   { enabled: false }
+github:      { ruleset: { enabled: false } }
+models:      { enabled: false }
+tg_ctl:
+  enabled: true
+  bun_path: /usr/bin/true
+  tg_ctl_path: $TG_HOME/.files/bin/tg-ctl
+  config_dir: $TG_HOME/.config/tg-cli
+YAML
+  PLIST="$TG_HOME/Library/LaunchAgents/ai.hyperide.tg-ctl.plist"
+  HOME="$TG_HOME" $RIG apply -C "$TG_TMP" --config "$TG_TMP/rig.yaml" >/dev/null 2>&1 \
+    || { rm -rf "$TG_TMP"; fail "tg-ctl apply (dry-run) nonzero"; }
+  [[ -f "$PLIST" ]] || { rm -rf "$TG_TMP"; fail "tg-ctl plist not written under isolated HOME"; }
+  grep -q "<string>ai.hyperide.tg-ctl</string>" "$PLIST" \
+    || { rm -rf "$TG_TMP"; fail "tg-ctl plist missing Label"; }
+  # idempotency: a second apply against the now-current plist must change NOTHING — the summary
+  # must carry no non-zero created/updated/backed_up count. (We do NOT assert `rig status` in-sync
+  # here: under dry-run the plist is written but never bootstrapped, and drift's loaded-state check
+  # queries the REAL launchd domain — a machine-dependent result the smoke can't control. The
+  # deterministic drift/in-sync coverage lives in test_tg_ctl.py with the launchctl seams stubbed.)
+  out="$(HOME="$TG_HOME" $RIG apply -C "$TG_TMP" --config "$TG_TMP/rig.yaml" 2>&1)"
+  summary="$(echo "$out" | grep '^Summary:' || true)"
+  if echo "$summary" | grep -Eq "(created|updated|backed_up)=[1-9]"; then
+    rm -rf "$TG_TMP"; fail "tg-ctl second apply was not idempotent: $summary"
+  fi
+  rm -rf "$TG_TMP"
+  pass "rig provisions tg-ctl boot LaunchAgent (dry-run, isolated, idempotent)"
+fi
+
 # ── 4. unit suite ─────────────────────────────────────────────────────────────
 # Run pytest the way the repo actually runs it: prefer `uv run --with pytest` (the documented
 # command — README/AGENTS.md), so a machine whose bare `python3` is a clean interpreter without
diff --git a/tests/test_catalog_plan.py b/tests/test_catalog_plan.py
index b8ede20..3b25362 100644
--- a/tests/test_catalog_plan.py
+++ b/tests/test_catalog_plan.py
@@ -204,8 +204,8 @@ def test_xdg_config_home_maps_dispatcher_dir(fake_agent_tools, tmp_path, monkeyp
 
 def test_plan_disabled_category(fake_agent_tools, tmp_path):
     cat = Catalog.scan(str(fake_agent_tools))
-    # agents_md, the github ruleset, and the global-excludes block are default-ON, so turn them
-    # off too to assert a truly empty plan.
+    # agents_md, the github ruleset, the global-excludes block, and tg_ctl are default-ON, so turn
+    # them off too to assert a truly empty plan.
     cfg = _cfg(
         {
             "skills": {"enabled": False},
@@ -215,6 +215,7 @@ def test_plan_disabled_category(fake_agent_tools, tmp_path):
             "agents_md": {"enabled": False},
             "github": {"ruleset": {"enabled": False}},
             "gitignore": {"enabled": False},
+            "tg_ctl": {"enabled": False},
         },
         tmp_path,
     )
diff --git a/tests/test_tg_ctl.py b/tests/test_tg_ctl.py
new file mode 100644
index 0000000..899ba7f
--- /dev/null
+++ b/tests/test_tg_ctl.py
@@ -0,0 +1,677 @@
+"""tg-ctl boot provisioning — config, pure plist rendering, install, drift.
+
+rig provisions the ``tg-ctl`` inbound control daemon (tg-cli's long-poll/inject/voice daemon)
+as a macOS LaunchAgent so it auto-starts at login/boot — exactly like the tmux boot service.
+This module mirrors :mod:`test_tmux`: stdlib-only pure render tests for the byte-exact plist,
+HOME-isolated install/idempotency/conflict tests that NEVER touch the real
+``~/Library/LaunchAgents`` or run a real ``launchctl`` (the gui-domain seams are stubbed per
+test), the stale-predecessor (``com.ultra.codex-tg-bot``) teardown, and drift detection.
+
+HARD ISOLATION (CTO): every install/drift test points ``Path.home()`` at a tmp dir AND stubs
+``_launchctl_bootstrap``/``_launchctl_bootout``/``_launchctl_gui_loaded`` so no test can mutate
+the real launchd domain or write the real LaunchAgents dir. The one test that reads the live
+machine plist is READ-ONLY and skips when the file is absent.
+"""
+
+from __future__ import annotations
+
+import plistlib
+import sys
+from pathlib import Path
+
+import pytest
+
+from riglib import drift as driftmod
+from riglib import tg_ctl
+from riglib.actions import runner
+from riglib.config import ConfigError, validate
+
+# captured at import (before any monkeypatch runs) — the genuine handler + drift check.
+_REAL_PROVISION = runner._do_provision_tg_ctl
+_REAL_CHECK = driftmod._check_tg_ctl
+
+
+@pytest.fixture(autouse=True)
+def _real_tg_ctl(monkeypatch):
+    """Restore the REAL provision_tg_ctl handler + drift check for THIS module's tests.
+
+    conftest's autouse ``_isolate_scheduler`` stubs ``_do_provision_tg_ctl`` (+ the ``_HANDLERS``
+    entry) and ``drift._check_tg_ctl`` to no-ops so e2e tests can't touch the host launchd. These
+    dedicated tests EXERCISE the real install + drift logic — with HOME-isolated tmp dirs +
+    stubbed launchctl seams — so they restore the real implementations. conftest still stubs the
+    gui-domain ``_launchctl*`` seams to safe no-ops; tests that assert on launchctl calls re-stub
+    them with a spy, and drift tests override ``_on_darwin``/``_launchctl_gui_loaded`` explicitly.
+    """
+    monkeypatch.setattr(runner, "_do_provision_tg_ctl", _REAL_PROVISION)
+    monkeypatch.setitem(runner._HANDLERS, "provision_tg_ctl", _REAL_PROVISION)
+    monkeypatch.setattr(driftmod, "_check_tg_ctl", _REAL_CHECK)
+    # These tests assert on the LIVE (non-dry) provisioning path by default. A leaked ambient
+    # RIG_TG_CTL_DRY_RUN (e.g. exported by tests/smoke.sh when it shells out to pytest) would
+    # silently route them through the dry-run branch — so clear it; the one dry-run test sets it.
+    monkeypatch.delenv("RIG_TG_CTL_DRY_RUN", raising=False)
+
+
+def _force_darwin(monkeypatch):
+    monkeypatch.setattr(sys, "platform", "darwin")
+
+
+def _isolate_home(monkeypatch, tmp_path) -> Path:
+    home = tmp_path / "home"
+    home.mkdir(exist_ok=True)
+    monkeypatch.setattr(Path, "home", classmethod(lambda cls: home))
+    return home
+
+
+# ── config validation ───────────────────────────────────────────────────────────────────
+def test_tg_ctl_block_accepted():
+    validate({"version": 1, "tg_ctl": {"enabled": True}})
+
+
+def test_tg_ctl_block_empty_ok():
+    validate({"version": 1, "tg_ctl": {}})
+
+
+def test_tg_ctl_full_block_accepted():
+    validate(
+        {
+            "version": 1,
+            "tg_ctl": {
+                "enabled": True,
+                "boot": True,
+                "label": "ai.hyperide.tg-ctl",
+                "bun_path": "/Users/u/.bun/bin/bun",
+                "tg_ctl_path": "~/.files/bin/tg-ctl",
+                "config_dir": "~/.config/tg-cli",
+            },
+        }
+    )
+
+
+def test_tg_ctl_unknown_key_rejected():
+    with pytest.raises(ConfigError):
+        validate({"version": 1, "tg_ctl": {"nope": 1}})
+
+
+def test_tg_ctl_enabled_must_be_bool():
+    with pytest.raises(ConfigError):
+        validate({"version": 1, "tg_ctl": {"enabled": "yes"}})
+
+
+def test_tg_ctl_boot_must_be_bool():
+    with pytest.raises(ConfigError):
+        validate({"version": 1, "tg_ctl": {"boot": "yes"}})
+
+
+@pytest.mark.parametrize("key", ["label", "bun_path", "tg_ctl_path", "config_dir"])
+def test_tg_ctl_string_keys_reject_non_string(key):
+    with pytest.raises(ConfigError):
+        validate({"version": 1, "tg_ctl": {key: 123}})
+
+
+def test_tg_ctl_enabled_null_is_accepted():
+    """`enabled: null` (explicit None) is valid and is NOT treated as disabled (default-on)."""
+    validate({"version": 1, "tg_ctl": {"enabled": None}})
+
+
+# ── pure plist rendering ─────────────────────────────────────────────────────────────────
+def _plan(home="/Users/ultra", **over):
+    """A TgCtlPlan with an explicit bun_path so render is deterministic (no `which bun`)."""
+    over.setdefault("bun_path", str(Path(home) / ".bun" / "bin" / "bun"))
+    return tg_ctl.build_tg_ctl(home=Path(home), **over)
+
+
+# The exact, hand-created + WORKING plist shape rig must match byte-for-byte (from the prompt).
+_EXPECTED_LIVE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+\t<key>Label</key>
+\t<string>ai.hyperide.tg-ctl</string>
+\t<key>ProgramArguments</key>
+\t<array>
+\t\t<string>/Users/ultra/.bun/bin/bun</string>
+\t\t<string>/Users/ultra/.files/bin/tg-ctl</string>
+\t\t<string>run</string>
+\t</array>
+\t<key>WorkingDirectory</key>
+\t<string>/Users/ultra/.files/bin</string>
+\t<key>EnvironmentVariables</key>
+\t<dict>
+\t\t<key>PATH</key>
+\t\t<string>/Users/ultra/.bun/bin:/opt/homebrew/bin:/Users/ultra/.local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+\t\t<key>HOME</key>
+\t\t<string>/Users/ultra</string>
+\t</dict>
+\t<key>RunAtLoad</key>
+\t<true/>
+\t<key>KeepAlive</key>
+\t<true/>
+\t<key>ThrottleInterval</key>
+\t<integer>10</integer>
+\t<key>StandardOutPath</key>
+\t<string>/Users/ultra/.config/tg-cli/launchd.tg-ctl.out.log</string>
+\t<key>StandardErrorPath</key>
+\t<string>/Users/ultra/.config/tg-cli/launchd.tg-ctl.err.log</string>
+</dict>
+</plist>
+"""
+
+
+def test_render_matches_exact_expected_plist():
+    """The render must equal the hand-created WORKING plist BYTE-FOR-BYTE (the no-op contract).
+
+    Key ORDER is load-bearing (plistlib defaults to sorting keys, which would reorder Label /
+    ProgramArguments / EnvironmentVariables and force a spurious rewrite every apply). The
+    render pins ``sort_keys=False`` to preserve insertion order.
+    """
+    got = _plan(home="/Users/ultra").render_plist()
+    assert got == _EXPECTED_LIVE_PLIST
+
+
+def test_render_is_well_formed_and_labelled():
+    p = _plan()
+    parsed = plistlib.loads(p.render_plist().encode("utf-8"))
+    assert parsed["Label"] == p.boot_label
+    assert parsed["RunAtLoad"] is True
+    assert parsed["KeepAlive"] is True
+    assert parsed["ThrottleInterval"] == 10
+    assert parsed["ProgramArguments"] == [str(p.bun_path), str(p.tg_ctl_path), "run"]
+
+
+def test_render_preserves_key_order_not_sorted():
+    """Regression guard: the keys must NOT be alphabetically sorted (Label must precede
+    EnvironmentVariables; PATH must precede HOME) — the byte-exact-vs-live contract."""
+    body = _plan().render_plist()
+    assert body.index("<key>Label</key>") < body.index("<key>EnvironmentVariables</key>")
+    assert body.index("<key>PATH</key>") < body.index("<key>HOME</key>")
+    assert body.index("<key>RunAtLoad</key>") < body.index("<key>StandardOutPath</key>")
+
+
+def test_render_is_deterministic():
+    assert _plan().render_plist() == _plan().render_plist()
+
+
+def test_label_is_configurable():
+    p = _plan(boot_label="com.me.tg")
+    assert p.boot_label == "com.me.tg"
+    assert "com.me.tg" in p.render_plist()
+    assert p.plist_path.name == "com.me.tg.plist"
+
+
+def test_paths_resolve_against_injected_home():
+    p = _plan(home="/home/u")
+    assert p.tg_ctl_path == Path("/home/u/.files/bin/tg-ctl")
+    assert p.config_dir == Path("/home/u/.config/tg-cli")
+    assert p.out_log_path == Path("/home/u/.config/tg-cli/launchd.tg-ctl.out.log")
+    assert p.plist_path == Path("/home/u/Library/LaunchAgents/ai.hyperide.tg-ctl.plist")
+    assert p.working_directory == Path("/home/u/.files/bin")
+
+
+def test_bun_path_falls_back_to_home_bun_when_not_on_path(monkeypatch):
+    """When bun isn't on PATH and no explicit bun_path is given, fall back to ~/.bun/bin/bun
+    expanded against the INJECTED home (never the real ~/.bun)."""
+    monkeypatch.setattr(tg_ctl.shutil, "which", lambda name: None)
+    monkeypatch.setattr(tg_ctl.Path, "exists", lambda self: False)
+    p = tg_ctl.build_tg_ctl(home=Path("/home/u"))
+    assert p.bun_path == Path("/home/u/.bun/bin/bun")
+
+
+def test_bun_path_prefers_path_resolution(monkeypatch):
+    monkeypatch.setattr(tg_ctl.shutil, "which", lambda name: "/opt/homebrew/bin/bun")
+    p = tg_ctl.build_tg_ctl(home=Path("/home/u"))
+    assert p.bun_path == Path("/opt/homebrew/bin/bun")
+    # the daemon PATH carries the resolved bun DIR first so the daemon can find bun.
+    assert p.daemon_path_env.startswith("/opt/homebrew/bin:")
+
+
+def test_explicit_config_dir_is_honored():
+    p = _plan(config_dir="/var/tg")
+    assert p.config_dir == Path("/var/tg")
+    assert p.out_log_path == Path("/var/tg/launchd.tg-ctl.out.log")
+
+
+# ── install (runner) — write + (re)load, idempotent, conflict, stale-predecessor ─────────
+def _action(home, **over):
+    from riglib.plan import Action
+
+    options = {
+        "boot": True,
+        "label": None,
+        "bun_path": str(home / ".bun" / "bin" / "bun"),  # deterministic (no `which bun`)
+        "tg_ctl_path": None,
+        "config_dir": None,
+    }
+    options.update(over)
+    return Action(
+        kind="provision_tg_ctl",
+        category="tg_ctl",
+        item="boot",
+        source=home,
+        target=Path("ai.hyperide.tg-ctl"),
+        options=options,
+    )
+
+
+def _stub_launchctl(monkeypatch, *, loaded=False, spy=None):
+    """Stub the gui-domain launchctl seams. `loaded` is the gui-loaded state; `spy` (a list)
+    records (verb, plist) calls so a test can assert bootout/bootstrap fired — WITHOUT ever
+    touching the real launchd domain."""
+    def _bootout(plist):
+        if spy is not None:
+            spy.append(("bootout", plist))
+        return 0
+
+    def _bootstrap(plist):
+        if spy is not None:
+            spy.append(("bootstrap", plist))
+        return 0
+
+    monkeypatch.setattr(runner, "_launchctl_bootout", _bootout)
+    monkeypatch.setattr(runner, "_launchctl_bootstrap", _bootstrap)
+    monkeypatch.setattr(runner, "_launchctl_gui_loaded", lambda label: loaded)
+
+
+def test_apply_writes_plist_and_bootstraps(monkeypatch, tmp_path):
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert res.status in ("created", "backed_up")
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    assert plist.is_file()
+    parsed = plistlib.loads(plist.read_bytes())
+    assert parsed["Label"] == "ai.hyperide.tg-ctl"
+    # the log dir (config dir) was created so launchd can open the logs.
+    assert (home / ".config" / "tg-cli").is_dir()
+    # the agent was (re)loaded via the gui domain: bootout then bootstrap.
+    assert ("bootstrap", str(plist)) in spy
+
+
+def test_apply_is_idempotent_when_loaded(monkeypatch, tmp_path):
+    """A re-apply against the byte-identical plist with the agent already loaded is a no-op."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    _stub_launchctl(monkeypatch, loaded=False)
+    runner._do_provision_tg_ctl(_action(home), "backup")  # install
+    # now the agent is loaded → a second apply must be a `skipped` no-op (no rewrite, no reload).
+    _stub_launchctl(monkeypatch, loaded=True)
+    res2 = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert res2.status == "skipped", res2.detail
+
+
+def test_reapply_against_identical_plist_does_not_rewrite(monkeypatch, tmp_path):
+    """Idempotency at the byte level: a re-apply must not change the plist mtime-content."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    _stub_launchctl(monkeypatch, loaded=True)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    desired = runner.tg_ctl_plan_from_action(_action(home)).render_plist()
+    plist.write_text(desired, encoding="utf-8")
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert res.status == "skipped"
+    assert plist.read_text(encoding="utf-8") == desired  # untouched
+
+
+def test_apply_reloads_when_plist_present_but_not_loaded(monkeypatch, tmp_path):
+    """Plist byte-identical but the agent isn't loaded → loading IT is the change (not skipped)."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text(runner.tg_ctl_plan_from_action(_action(home)).render_plist(), encoding="utf-8")
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert res.status != "skipped"
+    assert ("bootstrap", str(plist)) in spy
+
+
+def test_apply_backs_up_a_differing_plist(monkeypatch, tmp_path):
+    """on_conflict=backup: an existing DIFFERING plist is backed up (timestamped) before rewrite."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    _stub_launchctl(monkeypatch, loaded=False)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text("<plist>OLD HAND-EDITED</plist>\n", encoding="utf-8")
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert res.status == "backed_up"
+    baks = list(plist.parent.glob("ai.hyperide.tg-ctl.plist.*"))
+    assert baks, "a differing plist must be backed up before rewrite"
+    assert "OLD HAND-EDITED" in baks[0].read_text()
+    assert "ai.hyperide.tg-ctl" in plist.read_text() and "OLD HAND-EDITED" not in plist.read_text()
+
+
+def test_apply_skip_does_not_load_a_differing_plist(monkeypatch, tmp_path):
+    """on_conflict=skip + a differing existing plist → leave it untouched AND do NOT bootstrap
+    the stale config (that would load the wrong agent). Surface unresolved drift instead."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text("<plist>USER OWNED</plist>\n", encoding="utf-8")
+    res = runner._do_provision_tg_ctl(_action(home), "skip")
+    assert res.status == "skipped"
+    assert plist.read_text() == "<plist>USER OWNED</plist>\n"  # untouched
+    assert "on_conflict=skip" in res.detail
+    assert not any(verb == "bootstrap" for verb, _ in spy)  # never loaded the stale plist
+
+
+def test_apply_disabled_boot_does_not_write_or_load(monkeypatch, tmp_path):
+    """tg_ctl.boot=false: no plist written, no launchctl call. A `skipped` no-op."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    res = runner._do_provision_tg_ctl(_action(home, boot=False), "backup")
+    assert res.status == "skipped"
+    assert not (home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist").exists()
+    assert spy == []
+
+
+def test_apply_off_darwin_is_skipped(monkeypatch, tmp_path):
+    """Off macOS (no launchd) tg-ctl provisioning is a no-op — no plist, no launchctl."""
+    monkeypatch.setattr(sys, "platform", "linux")
+    home = _isolate_home(monkeypatch, tmp_path)
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert res.status == "skipped"
+    assert not (home / "Library" / "LaunchAgents").exists()
+    assert spy == []
+
+
+def test_dry_run_writes_plist_but_skips_launchctl(monkeypatch, tmp_path):
+    """RIG_TG_CTL_DRY_RUN: the plist lands but no launchctl bootstrap/bootout fires."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setenv("RIG_TG_CTL_DRY_RUN", "1")
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert (home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist").is_file()
+    assert spy == []  # NO real launchd mutation
+    assert "RIG_TG_CTL_DRY_RUN" in res.detail
+
+
+def test_dry_run_does_not_remove_stale_predecessor(monkeypatch, tmp_path):
+    """REGRESSION (review): under dry-run the stale-predecessor teardown must touch NOTHING — no
+    bootout, no backup file, and the predecessor plist must STAY on disk (the message said 'would
+    remove' while the code actually removed it). Dry-run only reports what it would do."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setenv("RIG_TG_CTL_DRY_RUN", "1")
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    stale = home / "Library" / "LaunchAgents" / "com.ultra.codex-tg-bot.plist"
+    stale.parent.mkdir(parents=True, exist_ok=True)
+    stale.write_text("<plist>DEAD</plist>\n", encoding="utf-8")
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    assert stale.is_file(), "dry-run must NOT delete the stale predecessor plist"
+    assert stale.read_text() == "<plist>DEAD</plist>\n"  # untouched
+    assert not list(stale.parent.glob("com.ultra.codex-tg-bot.plist.rig-bak-*"))  # no backup written
+    assert spy == []  # no bootout
+    assert "would boot out" in res.detail.lower()
+
+
+# ── stale predecessor (com.ultra.codex-tg-bot) teardown ──────────────────────────────────
+def test_apply_removes_stale_predecessor(monkeypatch, tmp_path):
+    """The dead codex-tg-bot LaunchAgent is booted out + backed up + removed on reconcile."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    stale = home / "Library" / "LaunchAgents" / "com.ultra.codex-tg-bot.plist"
+    stale.parent.mkdir(parents=True, exist_ok=True)
+    stale.write_text("<plist>DEAD PREDECESSOR</plist>\n", encoding="utf-8")
+    res = runner._do_provision_tg_ctl(_action(home), "backup")
+    # the stale plist is gone, backed up, and booted out of launchd.
+    assert not stale.exists()
+    baks = list(stale.parent.glob("com.ultra.codex-tg-bot.plist.rig-bak-*"))
+    assert baks and "DEAD PREDECESSOR" in baks[0].read_text()
+    assert ("bootout", str(stale)) in spy
+    assert "stale predecessor" in res.detail.lower()
+    # the new tg-ctl agent is still installed in the same run.
+    assert (home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist").is_file()
+
+
+def test_apply_no_stale_predecessor_is_clean(monkeypatch, tmp_path):
+    """No stale predecessor present → no bootout for it, just the normal tg-ctl install."""
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    spy: list = []
+    _stub_launchctl(monkeypatch, loaded=False, spy=spy)
+    runner._do_provision_tg_ctl(_action(home), "backup")
+    stale = home / "Library" / "LaunchAgents" / "com.ultra.codex-tg-bot.plist"
+    assert ("bootout", str(stale)) not in spy
+
+
+# ── full apply path through run_plan ─────────────────────────────────────────────────────
+def test_run_plan_provisions_tg_ctl(monkeypatch, tmp_path):
+    from riglib.actions.runner import run_plan
+    from riglib.plan import InstallPlan
+
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    _stub_launchctl(monkeypatch, loaded=False)
+    report = run_plan(InstallPlan(actions=[_action(home)]))
+    assert not report.errors
+    assert report.changed == 1
+
+
+# ── drift ────────────────────────────────────────────────────────────────────────────────
+def test_drift_tg_ctl_missing(monkeypatch, tmp_path):
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: True)
+    report = detect(InstallPlan(actions=[_action(tmp_path / "home")]))
+    drift = [d for d in report.items if d.category == "tg_ctl"]
+    assert drift and drift[0].direction == "missing"
+
+
+def test_drift_tg_ctl_in_sync_after_apply(monkeypatch, tmp_path):
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    _force_darwin(monkeypatch)
+    home = _isolate_home(monkeypatch, tmp_path)
+    _stub_launchctl(monkeypatch, loaded=True)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: True)
+    monkeypatch.setattr("riglib.drift._launchctl_gui_loaded", lambda label: True)
+    runner._do_provision_tg_ctl(_action(home), "backup")
+    report = detect(InstallPlan(actions=[_action(home)]))
+    assert not [d for d in report.items if d.category == "tg_ctl"]
+
+
+def test_drift_tg_ctl_modified(monkeypatch, tmp_path):
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: True)
+    monkeypatch.setattr("riglib.drift._launchctl_gui_loaded", lambda label: True)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text("<plist>HAND EDITED, DIFFERENT</plist>\n", encoding="utf-8")
+    report = detect(InstallPlan(actions=[_action(home)]))
+    drift = [d for d in report.items if d.category == "tg_ctl"]
+    assert drift and drift[0].direction == "modified"
+
+
+def test_drift_tg_ctl_not_loaded(monkeypatch, tmp_path):
+    """Plist present + identical but the agent isn't loaded in the gui domain → missing drift."""
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: True)
+    monkeypatch.setattr("riglib.drift._launchctl_gui_loaded", lambda label: False)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text(runner.tg_ctl_plan_from_action(_action(home)).render_plist(), encoding="utf-8")
+    report = detect(InstallPlan(actions=[_action(home)]))
+    drift = [d for d in report.items if d.category == "tg_ctl"]
+    assert drift and drift[0].direction == "missing"
+    assert "not loaded" in drift[0].detail
+
+
+def test_drift_flags_stale_predecessor(monkeypatch, tmp_path):
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: True)
+    monkeypatch.setattr("riglib.drift._launchctl_gui_loaded", lambda label: True)
+    # the tg-ctl plist itself is in sync, but the stale predecessor lingers.
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text(runner.tg_ctl_plan_from_action(_action(home)).render_plist(), encoding="utf-8")
+    stale = home / "Library" / "LaunchAgents" / "com.ultra.codex-tg-bot.plist"
+    stale.write_text("<plist>DEAD</plist>\n", encoding="utf-8")
+    report = detect(InstallPlan(actions=[_action(home)]))
+    extra = [d for d in report.items if d.category == "tg_ctl" and d.direction == "extra"]
+    assert extra and "predecessor" in extra[0].detail.lower()
+
+
+def test_drift_boot_disabled_flags_leftover_plist(monkeypatch, tmp_path):
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: True)
+    plist = home / "Library" / "LaunchAgents" / "ai.hyperide.tg-ctl.plist"
+    plist.parent.mkdir(parents=True, exist_ok=True)
+    plist.write_text("<plist/>\n", encoding="utf-8")
+    report = detect(InstallPlan(actions=[_action(home, boot=False)]))
+    extra = [d for d in report.items if d.category == "tg_ctl" and d.direction == "extra"]
+    assert extra and "boot is disabled" in extra[0].detail
+
+
+def test_drift_off_darwin_is_silent(monkeypatch, tmp_path):
+    from riglib.drift import detect
+    from riglib.plan import InstallPlan
+
+    _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: False)
+    report = detect(InstallPlan(actions=[_action(tmp_path / "home")]))
+    assert not [d for d in report.items if d.category == "tg_ctl"]
+
+
+# ── plan building ────────────────────────────────────────────────────────────────────────
+def _cfg(data, repo_root):
+    from riglib.config import LoadedConfig
+
+    return LoadedConfig(data=data, repo_root=repo_root)
+
+
+def _build(data, repo_root, fake_agent_tools):
+    from riglib.catalog import Catalog
+    from riglib.plan import build
+
+    data = {"agent_tools_source": str(fake_agent_tools), **data}
+    cat = Catalog.scan(str(fake_agent_tools))
+    return build(_cfg(data, repo_root), cat, project_type="unknown")
+
+
+def test_plan_provisions_tg_ctl_by_default(fake_agent_tools, tmp_path):
+    """tg_ctl is default-on: an ABSENT block still emits a provision_tg_ctl action."""
+    plan = _build({}, tmp_path, fake_agent_tools)
+    assert [a for a in plan.actions if a.kind == "provision_tg_ctl"]
+
+
+def test_plan_no_tg_ctl_when_disabled(fake_agent_tools, tmp_path):
+    plan = _build({"tg_ctl": {"enabled": False}}, tmp_path, fake_agent_tools)
+    assert not [a for a in plan.actions if a.kind == "provision_tg_ctl"]
+
+
+def test_plan_emits_single_tg_ctl_action(fake_agent_tools, tmp_path):
+    plan = _build({"tg_ctl": {"enabled": True}}, tmp_path, fake_agent_tools)
+    acts = [a for a in plan.actions if a.kind == "provision_tg_ctl"]
+    assert len(acts) == 1
+    assert acts[0].category == "tg_ctl" and acts[0].item == "boot"
+
+
+def test_plan_carries_knobs(fake_agent_tools, tmp_path):
+    plan = _build(
+        {"tg_ctl": {"enabled": True, "boot": False, "label": "com.me.tg",
+                    "config_dir": "/var/tg"}},
+        tmp_path, fake_agent_tools,
+    )
+    a = next(a for a in plan.actions if a.kind == "provision_tg_ctl")
+    assert a.options["boot"] is False
+    assert a.options["label"] == "com.me.tg"
+    assert a.options["config_dir"] == "/var/tg"
+
+
+def test_plan_boot_null_resolves_to_enabled(fake_agent_tools, tmp_path):
+    """REGRESSION (codex P1): `boot: null` (YAML `boot:` with no value) must default to TRUE, not
+    `bool(None)`=False — the resolved plan must keep the boot agent ENABLED."""
+    plan = _build({"tg_ctl": {"boot": None}}, tmp_path, fake_agent_tools)
+    a = next(a for a in plan.actions if a.kind == "provision_tg_ctl")
+    tg = runner.tg_ctl_plan_from_action(a)
+    assert tg.boot_enabled is True
+
+
+def test_plan_label_null_resolves_to_default(fake_agent_tools, tmp_path):
+    """REGRESSION (review): `label: null` must resolve to the default label, never the literal
+    string 'None' (neither in the action target nor the resolved plan)."""
+    plan = _build({"tg_ctl": {"label": None}}, tmp_path, fake_agent_tools)
+    a = next(a for a in plan.actions if a.kind == "provision_tg_ctl")
+    assert a.target.name != "None"
+    assert tg_ctl.DEFAULT_BOOT_LABEL in str(a.target)
+    tg = runner.tg_ctl_plan_from_action(a)
+    assert tg.boot_label == tg_ctl.DEFAULT_BOOT_LABEL
+
+
+# ── status line (GLOBAL section) ─────────────────────────────────────────────────────────
+def _status_line(monkeypatch, tmp_path, *, darwin, drift_items=None, options_over=None):
+    """Render the tg-ctl GLOBAL status line for a one-action plan, with `_on_darwin` forced."""
+    from riglib import cli
+    from riglib.drift import DriftReport
+    from riglib.plan import InstallPlan
+
+    home = _isolate_home(monkeypatch, tmp_path)
+    monkeypatch.setattr("riglib.drift._on_darwin", lambda: darwin)
+    action = _action(home, **(options_over or {}))
+    report = DriftReport(items=list(drift_items or []))
+    captured: list[str] = []
+    monkeypatch.setattr("builtins.print", lambda *a, **k: captured.append(" ".join(str(x) for x in a)))
+    cli._print_tg_ctl_status(InstallPlan(actions=[action]), report)
+    return "\n".join(captured)
+
+
+def test_status_off_darwin_says_unsupported(monkeypatch, tmp_path):
+    """REGRESSION (codex P2): off macOS, status must say 'unsupported' — NOT a misleading
+    'installed' (apply is a no-op off darwin)."""
+    line = _status_line(monkeypatch, tmp_path, darwin=False)
+    assert "unsupported" in line
+    assert "installed" not in line
+
+
+def test_status_on_darwin_in_sync_says_installed(monkeypatch, tmp_path):
+    line = _status_line(monkeypatch, tmp_path, darwin=True, drift_items=[])
+    assert "installed" in line
+
+
+def test_status_boot_disabled_says_disabled(monkeypatch, tmp_path):
+    line = _status_line(monkeypatch, tmp_path, darwin=True, options_over={"boot": False})
+    assert "disabled" in line
+
+
+# ── the live machine plist (read-only idempotency proof) ─────────────────────────────────
+def test_render_matches_live_machine_plist_if_present():
+    """If THIS machine has the hand-created working plist, the render must equal it byte-for-byte
+    (so `rig apply` is a true no-op against the live file). READ-ONLY: skips when absent (CI /
+    another machine). This is the proof the no-op contract holds against the real artifact."""
+    live = Path("/Users/ultra/Library/LaunchAgents/ai.hyperide.tg-ctl.plist")
+    if not live.is_file():
+        pytest.skip("live ai.hyperide.tg-ctl.plist not present on this machine")
+    got = tg_ctl.build_tg_ctl(home=Path("/Users/ultra")).render_plist()
+    assert got == live.read_text(encoding="utf-8")