feat(lib): implement FW-N1~FW-N4 items and pane snapshot guidelines

skills/tmux-agent-orchestrate-delegate-job/scripts/job_subscriber.py

@@ -85,7 +85,7 @@ class _Watcher:
         # --- production auth check: data.auth_token must match if expected ---
         expected_token = self.tokens.get(jid)
         if not mqtt_common.verify_hmac(payload, expected_token):
-            logger.warning("drop event for job %s: auth_token mismatch", jid)
+            logger.warning("drop event for job %s: HMAC verify failed", jid)
             return
         # Persistent audit log from the *subscriber's* vantage point: every event
         # that survives defensive parsing is recorded here, including ones a

skills/tmux-agent-orchestrate-delegate-job/scripts/publish_event.py

@@ -75,11 +75,9 @@ def build_payload(
         "detail": detail,
         "data": dict(data) if data else {},
     }
-    # Production: carry the per-job auth token so the subscriber can verify the
-    # publisher. The token is compared in plain text (bearer-token style) by the
-    # subscriber — NOT an HMAC. See SKILL.md "Auth token" and PLAN 8.2. The
-    # registry stores the per-job token in `auth_token`; only include it on the
-    # wire when set so the public broker (no auth) doesn't leak anything.
+    # Production: carry the per-job HMAC-SHA256 signature in `data.hmac_sig` so
+    # the subscriber can verify the publisher without exposing the secret token.
+    # The signature is calculated over the entire payload (with `data.hmac_sig` excluded).
     if auth_token:
         sign_payload = {k: v for k, v in payload.items() if k != "data"}
         sign_payload["data"] = {k: v for k, v in payload.get("data", {}).items() if k != "hmac_sig"}