feat(lib): implement FW-N1~FW-N4 items and pane snapshot guidelines

skills/tmux-agent-orchestrate-delegate-job/scripts/publish_event.py

@@ -75,11 +75,9 @@ def build_payload(
         "detail": detail,
         "data": dict(data) if data else {},
     }
-    # Production: carry the per-job auth token so the subscriber can verify the
-    # publisher. The token is compared in plain text (bearer-token style) by the
-    # subscriber — NOT an HMAC. See SKILL.md "Auth token" and PLAN 8.2. The
-    # registry stores the per-job token in `auth_token`; only include it on the
-    # wire when set so the public broker (no auth) doesn't leak anything.
+    # Production: carry the per-job HMAC-SHA256 signature in `data.hmac_sig` so
+    # the subscriber can verify the publisher without exposing the secret token.
+    # The signature is calculated over the entire payload (with `data.hmac_sig` excluded).
     if auth_token:
         sign_payload = {k: v for k, v in payload.items() if k != "data"}
         sign_payload["data"] = {k: v for k, v in payload.get("data", {}).items() if k != "hmac_sig"}