@3030-labs/wotw 0.8.4

package/dist/index.js

@@ -0,0 +1,1290 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/daemon/config.ts
+import { cosmiconfig } from "cosmiconfig";
+import { parse as parseYaml } from "yaml";
+import { z } from "zod";
+
+// src/utils/actionable-error.ts
+var ActionableError = class extends Error {
+  static {
+    __name(this, "ActionableError");
+  }
+  code;
+  summary;
+  suggestions;
+  docs;
+  constructor(opts) {
+    const lines = [opts.summary];
+    if (opts.suggestions.length > 0) {
+      lines.push("", "What to try:");
+      for (const suggestion of opts.suggestions) {
+        lines.push(`  - ${suggestion}`);
+      }
+    }
+    if (opts.docs) {
+      lines.push("", `Docs: ${opts.docs}`);
+    }
+    super(lines.join("\n"));
+    this.name = "ActionableError";
+    this.code = opts.code;
+    this.summary = opts.summary;
+    this.suggestions = opts.suggestions;
+    this.docs = opts.docs;
+    if (opts.cause !== void 0) {
+      this.cause = opts.cause;
+    }
+  }
+};
+function looksLikePermissionDenied(e) {
+  const msg = e instanceof Error ? e.message : String(e);
+  const code = e instanceof Error ? e.code : void 0;
+  return code === "EACCES" || code === "EPERM" || /EACCES|EPERM/i.test(msg);
+}
+__name(looksLikePermissionDenied, "looksLikePermissionDenied");
+function configParseError(configPath, cause) {
+  return new ActionableError({
+    code: "CONFIG_PARSE_ERROR",
+    summary: `Could not parse wotw config at ${configPath}: ${cause instanceof Error ? cause.message : String(cause)}`,
+    suggestions: [
+      `Validate the file with \`node -e 'console.log(JSON.parse(require("fs").readFileSync(process.argv[1], "utf8")))' ` + configPath + "` (for JSON) or `yamllint " + configPath + "` (for YAML).",
+      "Check for unmatched braces, missing colons, or trailing commas.",
+      "Compare against the example at docs/configuration.md.",
+      "Delete the file and re-run `wotw init` to regenerate a fresh config."
+    ],
+    docs: "docs/configuration.md",
+    cause
+  });
+}
+__name(configParseError, "configParseError");
+function wikiDirPermissionError(path, cause) {
+  return new ActionableError({
+    code: "WIKI_DIR_PERMISSION_DENIED",
+    summary: `Cannot create or write to wiki directory at ${path}: permission denied.`,
+    suggestions: [
+      `Check the directory's owner and permissions: \`ls -la "${path}"\`.`,
+      `Ensure the daemon's user can write: \`chmod u+w "${path}"\` (or relocate to a writable parent).`,
+      "If running under Docker, confirm the volume mount has the right ownership.",
+      "Choose a different `wiki_root` in wotw.config.yaml."
+    ],
+    docs: "docs/configuration.md",
+    cause
+  });
+}
+__name(wikiDirPermissionError, "wikiDirPermissionError");
+function daemonAlreadyRunningError(lockPath, cause) {
+  return new ActionableError({
+    code: "DAEMON_ALREADY_RUNNING",
+    summary: `Another wotw daemon already holds the lock at ${lockPath}.`,
+    suggestions: [
+      "Run `wotw status` to see the live daemon's PID and health.",
+      "If you intend to replace it, `wotw stop` first, then `wotw start`.",
+      "If the lock is stale (e.g. after a crash), `wotw stop --force` clears it."
+    ],
+    docs: "docs/cli-reference.md",
+    cause
+  });
+}
+__name(daemonAlreadyRunningError, "daemonAlreadyRunningError");
+
+// src/utils/fs.ts
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  renameSync,
+  rmSync,
+  statSync,
+  writeFileSync
+} from "fs";
+import { mkdir, readFile, rename, writeFile } from "fs/promises";
+import { homedir } from "os";
+import { dirname, isAbsolute, resolve } from "path";
+import { randomUUID } from "crypto";
+function expandHome(path) {
+  if (path.startsWith("~")) {
+    return resolve(homedir(), path.slice(path.startsWith("~/") ? 2 : 1));
+  }
+  return path;
+}
+__name(expandHome, "expandHome");
+function resolvePath(path, base) {
+  const expanded = expandHome(path);
+  if (isAbsolute(expanded)) return expanded;
+  return resolve(base ?? process.cwd(), expanded);
+}
+__name(resolvePath, "resolvePath");
+function ensureDirSync(dir) {
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+}
+__name(ensureDirSync, "ensureDirSync");
+function atomicWriteSync(filePath, contents) {
+  ensureDirSync(dirname(filePath));
+  const tmp = `${filePath}.${randomUUID()}.tmp`;
+  let renamed = false;
+  try {
+    writeFileSync(tmp, contents);
+    renameSync(tmp, filePath);
+    renamed = true;
+  } finally {
+    if (!renamed) {
+      try {
+        rmSync(tmp, { force: true });
+      } catch {
+      }
+    }
+  }
+}
+__name(atomicWriteSync, "atomicWriteSync");
+function removeIfExistsSync(filePath) {
+  if (existsSync(filePath)) {
+    rmSync(filePath, { force: true });
+  }
+}
+__name(removeIfExistsSync, "removeIfExistsSync");
+
+// src/daemon/config.ts
+var MODULE_NAME = "wotw";
+var PLAN_DEFAULTS = {
+  founding: {
+    storage_bytes: 2 * 1024 ** 3,
+    // 2 GB
+    max_files_per_day: 50,
+    max_file_size_bytes: 25 * 1024 ** 2,
+    // 25 MB
+    max_ingest_bytes_per_day: 250 * 1024 ** 2,
+    // 250 MB
+    heal_cooldown_seconds: 3600,
+    // 1 hour
+    query_rate_limit_per_hour: 60
+  },
+  pro: {
+    storage_bytes: 10 * 1024 ** 3,
+    // 10 GB
+    max_files_per_day: 200,
+    max_file_size_bytes: 100 * 1024 ** 2,
+    // 100 MB
+    max_ingest_bytes_per_day: 1024 ** 3,
+    // 1 GB
+    heal_cooldown_seconds: 900,
+    // 15 min
+    query_rate_limit_per_hour: 300
+  }
+};
+function defaultConfig() {
+  return {
+    wiki_root: "./wiki-store",
+    raw_path: "./wiki-store/raw",
+    llm: {
+      provider: "anthropic",
+      model: "claude-sonnet-4-5"
+    },
+    execution: {
+      mode: "auto",
+      cli_path: "claude",
+      cli_model: "claude-sonnet-4-5",
+      api_key_env: "ANTHROPIC_API_KEY"
+    },
+    models: {
+      ingest: "claude-haiku-4-5",
+      query: "claude-sonnet-4-5",
+      lint: "claude-sonnet-4-5",
+      compound_eval: "claude-haiku-4-5"
+    },
+    watcher: {
+      debounce_initial_ms: 5e3,
+      debounce_max_ms: 6e4,
+      debounce_growth_factor: 1.5,
+      burst_threshold: 5,
+      max_batch_size: 20,
+      ignore_patterns: ["**/.git/**", "**/node_modules/**", "**/.DS_Store", "**/Thumbs.db"]
+    },
+    ingestion: {
+      max_turns: 50,
+      max_budget_per_batch_usd: 1,
+      resume_session: true,
+      dead_letter_file: ".wotw/failed-batches.jsonl",
+      staging: true
+    },
+    cost: {
+      max_daily_usd: 10,
+      max_per_query_usd: 0.5,
+      max_per_ingest_usd: 2,
+      track_file: "~/.wotw/cost-log.jsonl"
+    },
+    server: {
+      port: 8787,
+      host: "127.0.0.1",
+      auth_token: null,
+      rate_limit_rpm: 60,
+      trust_proxy: false
+    },
+    daemon: {
+      pid_file: "~/.wotw/daemon.pid",
+      lock_file: "~/.wotw/daemon.lock",
+      log_file: "~/.wotw/daemon.log",
+      log_level: "info"
+    },
+    compounding: {
+      enabled: true,
+      min_source_pages: 3,
+      confidence_threshold: 70
+    },
+    provenance: {
+      enabled: true,
+      chain_file: "provenance-chain.jsonl",
+      // Review item 37: default ON so partial-corruption is detected at
+      // boot. Pre-fix default false let a chain with one bad line boot
+      // silently and advance on top of a verifiably-broken tail forever.
+      verify_on_startup: true
+    },
+    multi_user: {
+      enabled: false,
+      workspaces_dir: "~/.wotw/workspaces"
+    },
+    query: {
+      expand: true
+    },
+    fact_extraction: {
+      enabled: "auto",
+      force_enabled: false,
+      questions_per_fact: 3
+    },
+    lint: {
+      schedule_enabled: false,
+      interval_hours: 24,
+      auto_fix: false
+    },
+    health: {
+      staleness_thresholds: [7, 30, 90, 180, 365],
+      staleness_scores: [100, 80, 60, 40, 20, 0],
+      weights: {
+        staleness: 0.25,
+        source_availability: 0.25,
+        link_health: 0.2,
+        duplicate_risk: 0.15,
+        contradiction_risk: 0.15
+      },
+      duplicate_threshold: 60,
+      auto_fix_staleness_below: 40,
+      max_fixes_per_run: 10,
+      detect_contradictions: false,
+      consolidation_threshold: 5,
+      consolidation_enabled: true,
+      zero_hit_threshold: 0.2,
+      enrichment_enabled: true,
+      query_log_file: ".wotw/query-log.jsonl"
+    },
+    hosted: {
+      enabled: false,
+      tenant_id: null,
+      concurrency_cap: 1,
+      paused: false,
+      plan: "pro",
+      limits: {
+        storage_bytes: PLAN_DEFAULTS.pro.storage_bytes,
+        max_files_per_day: PLAN_DEFAULTS.pro.max_files_per_day,
+        max_file_size_bytes: PLAN_DEFAULTS.pro.max_file_size_bytes,
+        max_ingest_bytes_per_day: PLAN_DEFAULTS.pro.max_ingest_bytes_per_day,
+        heal_cooldown_seconds: PLAN_DEFAULTS.pro.heal_cooldown_seconds,
+        query_rate_limit_per_hour: PLAN_DEFAULTS.pro.query_rate_limit_per_hour,
+        onboarding_burst_multiplier: 3,
+        onboarding_burst_hours: 48
+      },
+      timezone: "America/New_York",
+      created_at: null
+    }
+  };
+}
+__name(defaultConfig, "defaultConfig");
+async function loadConfig(searchFrom) {
+  const explorer = cosmiconfig(MODULE_NAME, {
+    searchPlaces: [
+      "package.json",
+      `.${MODULE_NAME}rc`,
+      `.${MODULE_NAME}rc.json`,
+      `.${MODULE_NAME}rc.yaml`,
+      `.${MODULE_NAME}rc.yml`,
+      // `wotw.yaml` / `wotw.yml` are what the `wotw init` wizard writes
+      // (see src/cli/commands/init.ts:CONFIG_CANDIDATES). They must be in
+      // searchPlaces or every fresh-init vault runs with all-defaults.
+      // Finding #12 from PASS-023 dogfood pass.
+      `${MODULE_NAME}.yaml`,
+      `${MODULE_NAME}.yml`,
+      `${MODULE_NAME}.config.json`,
+      `${MODULE_NAME}.config.yaml`,
+      `${MODULE_NAME}.config.yml`
+    ],
+    loaders: {
+      ".yaml": /* @__PURE__ */ __name((_filepath, content) => parseYaml(content), ".yaml"),
+      ".yml": /* @__PURE__ */ __name((_filepath, content) => parseYaml(content), ".yml")
+    }
+  });
+  let result;
+  try {
+    result = await explorer.search(searchFrom ?? process.cwd());
+  } catch (err) {
+    const hintPath = err instanceof Error && err.filepath ? err.filepath : searchFrom ?? process.cwd();
+    throw configParseError(hintPath, err);
+  }
+  const defaults = defaultConfig();
+  let merged;
+  let path = null;
+  if (!result || !result.config) {
+    console.warn(
+      "[wotw] no wotw.yaml found \u2014 using all defaults (auth disabled, max_daily_usd: 10.0)"
+    );
+    merged = defaults;
+  } else {
+    merged = mergeConfig(defaults, result.config);
+    path = result.filepath;
+  }
+  const withEnv = applyEnvOverrides(merged);
+  const validated = validateConfig(withEnv);
+  validateHostedConfig(validated);
+  return { config: validated, path };
+}
+__name(loadConfig, "loadConfig");
+function applyEnvOverrides(config) {
+  const out = structuredClone(config);
+  const env = process.env;
+  if (env.WOTW_HOSTED !== void 0) {
+    const v = env.WOTW_HOSTED.trim().toLowerCase();
+    out.hosted.enabled = v === "true" || v === "1" || v === "yes" || v === "on";
+  }
+  if (env.TENANT_ID && env.TENANT_ID.length > 0) {
+    out.hosted.tenant_id = env.TENANT_ID;
+  }
+  if (env.WIKI_ROOT && env.WIKI_ROOT.length > 0) {
+    out.wiki_root = env.WIKI_ROOT;
+    if (out.raw_path === "./wiki-store/raw") {
+      out.raw_path = "raw";
+    }
+  }
+  if (env.WOTW_PLAN === "founding" || env.WOTW_PLAN === "pro") {
+    out.hosted.plan = env.WOTW_PLAN;
+  }
+  if (env.WOTW_TIMEZONE && env.WOTW_TIMEZONE.length > 0) {
+    out.hosted.timezone = env.WOTW_TIMEZONE;
+  }
+  if (env.WOTW_PORT) {
+    const n = Number.parseInt(env.WOTW_PORT, 10);
+    if (Number.isFinite(n) && n > 0 && n < 65536) {
+      out.server.port = n;
+    }
+  }
+  if (env.WOTW_HOST && env.WOTW_HOST.length > 0) {
+    out.server.host = env.WOTW_HOST;
+  }
+  if (env.WOTW_LOG_LEVEL) {
+    const lvl = env.WOTW_LOG_LEVEL;
+    if (lvl === "trace" || lvl === "debug" || lvl === "info" || lvl === "warn" || lvl === "error" || lvl === "fatal") {
+      out.daemon.log_level = lvl;
+    }
+  }
+  if (env.WOTW_RUNTIME_MODE === "auto" || env.WOTW_RUNTIME_MODE === "cli" || env.WOTW_RUNTIME_MODE === "api") {
+    out.execution.mode = env.WOTW_RUNTIME_MODE;
+  }
+  if (env.WOTW_LLM_PROVIDER === "anthropic" || env.WOTW_LLM_PROVIDER === "openai" || env.WOTW_LLM_PROVIDER === "gemini" || env.WOTW_LLM_PROVIDER === "ollama") {
+    out.llm.provider = env.WOTW_LLM_PROVIDER;
+    switch (env.WOTW_LLM_PROVIDER) {
+      case "anthropic":
+        out.execution.api_key_env = "ANTHROPIC_API_KEY";
+        break;
+      case "openai":
+        out.execution.api_key_env = "OPENAI_API_KEY";
+        break;
+      case "gemini":
+        out.execution.api_key_env = "GOOGLE_API_KEY";
+        break;
+      case "ollama":
+        break;
+    }
+  }
+  if (env.WOTW_LLM_MODEL && env.WOTW_LLM_MODEL.length > 0) {
+    out.llm.model = env.WOTW_LLM_MODEL;
+  }
+  if (env.WOTW_OLLAMA_URL && env.WOTW_OLLAMA_URL.length > 0) {
+    out.llm.ollama_url = env.WOTW_OLLAMA_URL;
+  }
+  if (env.WOTW_MCP_BEARER && env.WOTW_MCP_BEARER.length > 0) {
+    out.server.auth_token = env.WOTW_MCP_BEARER;
+  } else if (env.ADMIN_SERVICE_KEY && env.ADMIN_SERVICE_KEY.length > 0) {
+    out.server.auth_token = env.ADMIN_SERVICE_KEY;
+  }
+  if (env.WOTW_LOG_FILE !== void 0) {
+    out.daemon.log_file = env.WOTW_LOG_FILE;
+  } else if (out.hosted.enabled) {
+    out.daemon.log_file = "";
+  }
+  if (out.hosted.enabled) {
+    out.ingestion.staging = false;
+    out.lint.schedule_enabled = true;
+    out.lint.auto_fix = true;
+  }
+  return out;
+}
+__name(applyEnvOverrides, "applyEnvOverrides");
+var UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function validateHostedConfig(config) {
+  if (!config.hosted.enabled) return;
+  if (!config.hosted.tenant_id || config.hosted.tenant_id.length === 0) {
+    throw new Error(
+      "Config error: hosted.enabled is true but TENANT_ID / hosted.tenant_id is unset."
+    );
+  }
+  if (!UUID_REGEX.test(config.hosted.tenant_id)) {
+    throw new Error(
+      `Config error: hosted.tenant_id "${config.hosted.tenant_id}" is not a valid UUID.`
+    );
+  }
+  if (!config.wiki_root || config.wiki_root.length === 0) {
+    throw new Error("Config error: hosted.enabled is true but wiki_root / WIKI_ROOT is unset.");
+  }
+  if (!config.wiki_root.startsWith("/")) {
+    throw new Error(
+      `Config error: hosted.enabled is true but wiki_root "${config.wiki_root}" is not absolute. In hosted mode the daemon must persist tenant data on a mounted volume; a relative path resolves against process.cwd() which is the ephemeral container fs.`
+    );
+  }
+}
+__name(validateHostedConfig, "validateHostedConfig");
+function mergeConfig(base, override) {
+  const out = structuredClone(base);
+  const assign = /* @__PURE__ */ __name((key, value) => {
+    out[key] = { ...out[key], ...value };
+  }, "assign");
+  if (override.wiki_root !== void 0) out.wiki_root = override.wiki_root;
+  if (override.raw_path !== void 0) out.raw_path = override.raw_path;
+  if (override.llm) assign("llm", override.llm);
+  if (override.execution) assign("execution", override.execution);
+  if (override.models) assign("models", override.models);
+  if (override.watcher) assign("watcher", override.watcher);
+  if (override.ingestion) assign("ingestion", override.ingestion);
+  if (override.cost) assign("cost", override.cost);
+  if (override.server) assign("server", override.server);
+  if (override.daemon) assign("daemon", override.daemon);
+  if (override.compounding) assign("compounding", override.compounding);
+  if (override.provenance) assign("provenance", override.provenance);
+  if (override.multi_user) assign("multi_user", override.multi_user);
+  if (override.query) assign("query", override.query);
+  if (override.fact_extraction) assign("fact_extraction", override.fact_extraction);
+  if (override.lint) assign("lint", override.lint);
+  if (override.health) {
+    const healthBase = out.health;
+    const healthOverride = override.health;
+    out.health = { ...healthBase, ...healthOverride };
+    if (healthOverride.weights) {
+      out.health.weights = { ...healthBase.weights, ...healthOverride.weights };
+    }
+  }
+  if (override.hosted) assign("hosted", override.hosted);
+  return out;
+}
+__name(mergeConfig, "mergeConfig");
+var positiveNumber = z.number().positive();
+var nonNegativeNumber = z.number().min(0);
+var logLevelSchema = z.enum(["trace", "debug", "info", "warn", "error", "fatal"]);
+var llmProviderSchema = z.enum(["anthropic", "openai", "gemini", "ollama"]);
+var WotwConfigSchema = z.object({
+  wiki_root: z.string().min(1),
+  raw_path: z.string().min(1),
+  llm: z.object({
+    provider: llmProviderSchema,
+    model: z.string().min(1),
+    ollama_url: z.string().min(1).optional()
+  }),
+  execution: z.object({
+    mode: z.enum(["auto", "cli", "api"]),
+    cli_path: z.string().min(1),
+    cli_model: z.string().min(1),
+    api_key_env: z.string().min(1)
+  }),
+  models: z.object({
+    ingest: z.string().min(1),
+    query: z.string().min(1),
+    lint: z.string().min(1),
+    compound_eval: z.string().min(1)
+  }),
+  watcher: z.object({
+    debounce_initial_ms: positiveNumber,
+    debounce_max_ms: positiveNumber,
+    debounce_growth_factor: positiveNumber,
+    burst_threshold: z.number().int().positive(),
+    max_batch_size: z.number().int().positive(),
+    ignore_patterns: z.array(z.string())
+  }),
+  ingestion: z.object({
+    max_turns: z.number().int().positive(),
+    max_budget_per_batch_usd: positiveNumber,
+    resume_session: z.boolean(),
+    dead_letter_file: z.string(),
+    staging: z.boolean()
+  }),
+  cost: z.object({
+    max_daily_usd: positiveNumber,
+    max_per_query_usd: positiveNumber,
+    max_per_ingest_usd: positiveNumber,
+    track_file: z.string().min(1)
+  }),
+  server: z.object({
+    port: z.number().int().min(1).max(65535),
+    host: z.string().min(1),
+    auth_token: z.string().nullable(),
+    rate_limit_rpm: z.number().int().positive(),
+    trust_proxy: z.boolean()
+  }),
+  daemon: z.object({
+    pid_file: z.string().min(1),
+    lock_file: z.string().min(1),
+    // Empty string is meaningful: "log to stdout" (used by hosted mode for
+    // container log capture). initLogger treats empty as no destination
+    // and defaults to pino's stdout output.
+    log_file: z.string(),
+    log_level: logLevelSchema
+  }),
+  compounding: z.object({
+    enabled: z.boolean(),
+    min_source_pages: z.number().int().min(0),
+    confidence_threshold: z.number().min(0).max(100)
+  }),
+  provenance: z.object({
+    enabled: z.boolean(),
+    chain_file: z.string().min(1),
+    verify_on_startup: z.boolean()
+  }),
+  multi_user: z.object({
+    enabled: z.boolean(),
+    workspaces_dir: z.string().min(1)
+  }),
+  query: z.object({
+    expand: z.boolean()
+  }),
+  fact_extraction: z.object({
+    enabled: z.union([z.boolean(), z.literal("auto")]),
+    force_enabled: z.boolean(),
+    questions_per_fact: z.number().int().min(1).max(5),
+    model: z.string().min(1).optional()
+  }),
+  lint: z.object({
+    schedule_enabled: z.boolean(),
+    interval_hours: positiveNumber,
+    auto_fix: z.boolean()
+  }),
+  hosted: z.object({
+    enabled: z.boolean(),
+    tenant_id: z.string().nullable(),
+    concurrency_cap: z.number().int().positive(),
+    paused: z.boolean(),
+    plan: z.enum(["founding", "pro"]),
+    limits: z.object({
+      storage_bytes: positiveNumber,
+      max_files_per_day: z.number().int().positive(),
+      max_file_size_bytes: positiveNumber,
+      max_ingest_bytes_per_day: positiveNumber,
+      heal_cooldown_seconds: nonNegativeNumber,
+      query_rate_limit_per_hour: z.number().int().positive(),
+      onboarding_burst_multiplier: positiveNumber,
+      onboarding_burst_hours: positiveNumber
+    }),
+    timezone: z.string().min(1),
+    created_at: z.string().nullable()
+  }),
+  health: z.object({
+    staleness_thresholds: z.array(z.number().int().min(0)),
+    staleness_scores: z.array(z.number().min(0).max(100)),
+    weights: z.object({
+      staleness: nonNegativeNumber,
+      source_availability: nonNegativeNumber,
+      link_health: nonNegativeNumber,
+      duplicate_risk: nonNegativeNumber,
+      contradiction_risk: nonNegativeNumber
+    }),
+    duplicate_threshold: z.number().min(0).max(100),
+    auto_fix_staleness_below: z.number().min(0).max(100),
+    max_fixes_per_run: z.number().int().min(0),
+    detect_contradictions: z.boolean(),
+    consolidation_threshold: z.number().int().min(2),
+    consolidation_enabled: z.boolean(),
+    zero_hit_threshold: z.number().min(0).max(1),
+    enrichment_enabled: z.boolean(),
+    query_log_file: z.string()
+  })
+});
+function validateConfig(config) {
+  const result = WotwConfigSchema.safeParse(config);
+  if (!result.success) {
+    const issue = result.error.issues[0];
+    const path = issue.path.join(".");
+    throw new Error(`Config error: "${path}" ${issue.message}`);
+  }
+  return result.data;
+}
+__name(validateConfig, "validateConfig");
+function resolveConfigPaths(config, baseDir) {
+  const out = structuredClone(config);
+  out.wiki_root = resolvePath(out.wiki_root, baseDir);
+  out.raw_path = resolvePath(out.raw_path, baseDir);
+  out.cost.track_file = resolvePath(out.cost.track_file, baseDir);
+  out.daemon.pid_file = resolvePath(out.daemon.pid_file, baseDir);
+  out.daemon.lock_file = resolvePath(out.daemon.lock_file, baseDir);
+  if (out.daemon.log_file.length > 0) {
+    out.daemon.log_file = resolvePath(out.daemon.log_file, baseDir);
+  }
+  out.multi_user.workspaces_dir = resolvePath(out.multi_user.workspaces_dir, baseDir);
+  out.provenance.chain_file = resolvePath(out.provenance.chain_file, out.wiki_root);
+  if (out.ingestion.dead_letter_file.length > 0) {
+    out.ingestion.dead_letter_file = resolvePath(out.ingestion.dead_letter_file, out.wiki_root);
+  }
+  if (out.health.query_log_file.length > 0) {
+    out.health.query_log_file = resolvePath(out.health.query_log_file, out.wiki_root);
+  }
+  return out;
+}
+__name(resolveConfigPaths, "resolveConfigPaths");
+
+// src/daemon/lifecycle.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2 } from "path";
+import lockfile from "proper-lockfile";
+function writePidFile(pidFilePath, contents) {
+  ensureDirSync(dirname2(pidFilePath));
+  atomicWriteSync(pidFilePath, JSON.stringify(contents));
+}
+__name(writePidFile, "writePidFile");
+function readPidFile(pidFilePath) {
+  if (!existsSync2(pidFilePath)) return null;
+  try {
+    const raw = readFileSync2(pidFilePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object" && "pid" in parsed && typeof parsed.pid === "number") {
+      return parsed;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+__name(readPidFile, "readPidFile");
+function removePidFile(pidFilePath) {
+  removeIfExistsSync(pidFilePath);
+}
+__name(removePidFile, "removePidFile");
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    const code = err.code;
+    if (code === "ESRCH") return false;
+    if (code === "EPERM") return true;
+    return false;
+  }
+}
+__name(isProcessAlive, "isProcessAlive");
+function checkDaemonAlive(pidFilePath) {
+  const contents = readPidFile(pidFilePath);
+  if (!contents) return { alive: false, pid: null, stale: false, contents: null };
+  const alive = isProcessAlive(contents.pid);
+  return { alive, pid: contents.pid, stale: !alive, contents };
+}
+__name(checkDaemonAlive, "checkDaemonAlive");
+async function acquireStartLock(lockPath) {
+  ensureDirSync(dirname2(lockPath));
+  if (!existsSync2(lockPath)) writeFileSync2(lockPath, "");
+  const release = await lockfile.lock(lockPath, {
+    stale: 1e4,
+    retries: { retries: 0 }
+  });
+  return release;
+}
+__name(acquireStartLock, "acquireStartLock");
+
+// src/utils/logger.ts
+import { mkdirSync as mkdirSync2 } from "fs";
+import { dirname as dirname3 } from "path";
+import pino from "pino";
+var rootLogger = null;
+var REDACT_PATHS = [
+  "headers.authorization",
+  "headers.Authorization",
+  "*.headers.authorization",
+  "*.headers.Authorization",
+  "req.headers.authorization",
+  "req.headers.Authorization",
+  "request.headers.authorization",
+  "request.headers.Authorization",
+  "response.headers.authorization",
+  "response.headers.Authorization",
+  "headers['x-admin-key']",
+  "headers['x-api-key']",
+  "headers.cookie",
+  "*.headers.cookie",
+  "config.api_key",
+  "config.headers.authorization",
+  "err.config.headers.authorization",
+  "err.request.headers.authorization",
+  "err.response.headers.authorization",
+  // Provider SDK error shapes — observed leaking via err.headers.* on Axios-based clients.
+  "err.headers.authorization",
+  "err.headers.Authorization",
+  // Env-bag dumps (occasionally added by ad-hoc debug logs).
+  "env.ANTHROPIC_API_KEY",
+  "env.OPENAI_API_KEY",
+  "env.GOOGLE_API_KEY",
+  "env.ADMIN_SERVICE_KEY",
+  "env.WOTW_MCP_BEARER",
+  "env.WOTW_INTERNAL_ADMIN_KEY",
+  "env.WOTW_CLOUD_SINK_SECRET",
+  "ANTHROPIC_API_KEY",
+  "OPENAI_API_KEY",
+  "GOOGLE_API_KEY",
+  "ADMIN_SERVICE_KEY",
+  "WOTW_MCP_BEARER",
+  "WOTW_INTERNAL_ADMIN_KEY",
+  "WOTW_CLOUD_SINK_SECRET",
+  "apiKey",
+  "api_key",
+  "*.apiKey",
+  "*.api_key",
+  "secret",
+  "*.secret"
+];
+function safeErrSerializer(err) {
+  if (!(err instanceof Error)) {
+    return { message: String(err) };
+  }
+  const out = {
+    type: err.constructor.name,
+    message: err.message
+  };
+  if (err.stack) out.stack = err.stack;
+  const maybeCode = err.code;
+  if (typeof maybeCode === "string") out.code = maybeCode;
+  const maybeCause = err.cause;
+  if (maybeCause && typeof maybeCause === "object" && "message" in maybeCause) {
+    out.cause = {
+      type: maybeCause.constructor?.name ?? "Error",
+      message: maybeCause.message
+    };
+  }
+  return out;
+}
+__name(safeErrSerializer, "safeErrSerializer");
+function initLogger(level = "info", logFile) {
+  const options = {
+    level,
+    base: { pid: process.pid, hostname: void 0 },
+    timestamp: pino.stdTimeFunctions.isoTime,
+    redact: {
+      paths: REDACT_PATHS,
+      censor: "[Redacted]",
+      remove: false
+    },
+    serializers: {
+      err: safeErrSerializer,
+      error: safeErrSerializer
+    }
+  };
+  if (logFile) {
+    mkdirSync2(dirname3(logFile), { recursive: true });
+    rootLogger = pino(options, pino.destination({ dest: logFile, sync: false, mkdir: true }));
+  } else {
+    rootLogger = pino({
+      ...options,
+      transport: {
+        target: "pino-pretty",
+        options: { colorize: true, translateTime: "HH:MM:ss.l", ignore: "pid,hostname" }
+      }
+    });
+  }
+  return rootLogger;
+}
+__name(initLogger, "initLogger");
+var defaultContext = {};
+function getLogger(module, extra) {
+  if (!rootLogger) {
+    rootLogger = initLogger("info");
+  }
+  const ctx = { ...defaultContext, ...extra, ...module ? { module } : {} };
+  return Object.keys(ctx).length > 0 ? rootLogger.child(ctx) : rootLogger;
+}
+__name(getLogger, "getLogger");
+
+// src/utils/version.ts
+import { createRequire } from "module";
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../../package.json");
+var VERSION = pkg.version;
+
+// src/ingestion/execution-mode.ts
+import { spawnSync } from "child_process";
+import { platform } from "os";
+var ExecutionModeError = class extends Error {
+  static {
+    __name(this, "ExecutionModeError");
+  }
+  code;
+  constructor(message, code) {
+    super(message);
+    this.name = "ExecutionModeError";
+    this.code = code;
+  }
+};
+function findOnPath(binary) {
+  const prog = platform() === "win32" ? "where" : "which";
+  try {
+    const result = spawnSync(prog, [binary], { encoding: "utf8" });
+    if (result.status !== 0) return null;
+    const stdout = result.stdout.trim();
+    if (!stdout) return null;
+    const first = stdout.split(/\r?\n/)[0]?.trim();
+    return first && first.length > 0 ? first : null;
+  } catch {
+    return null;
+  }
+}
+__name(findOnPath, "findOnPath");
+function findApiKey(envVarName) {
+  const value = process.env[envVarName];
+  if (value && value.trim().length > 0) return envVarName;
+  return null;
+}
+__name(findApiKey, "findApiKey");
+function resolveExecutionMode(config) {
+  const { mode, cli_path: cliPath, cli_model: cliModel, api_key_env: apiKeyEnv } = config.execution;
+  const detectCli = /* @__PURE__ */ __name(() => findOnPath(cliPath), "detectCli");
+  const detectKey = /* @__PURE__ */ __name(() => findApiKey(apiKeyEnv), "detectKey");
+  if (mode === "cli") {
+    const path = detectCli();
+    if (!path) {
+      throw new ExecutionModeError(
+        `execution.mode is 'cli' but the '${cliPath}' binary was not found on PATH. Install Claude Code CLI (https://docs.claude.com/claude-code) or set execution.mode to 'api'.`,
+        "CLI_BINARY_NOT_FOUND"
+      );
+    }
+    return {
+      mode: "cli",
+      configuredMode: "cli",
+      cliPath: path,
+      apiKeyEnv: null,
+      effectiveModelHint: cliModel,
+      description: `CLI mode: using claude binary at ${path}, model ${cliModel}, zero marginal cost (subscription-covered)`
+    };
+  }
+  if (mode === "api") {
+    const keyEnv2 = detectKey();
+    if (!keyEnv2) {
+      throw new ExecutionModeError(
+        `execution.mode is 'api' but ${apiKeyEnv} is not set. Set the env var or change execution.mode to 'cli'/'auto'.`,
+        "API_KEY_NOT_SET"
+      );
+    }
+    return {
+      mode: "api",
+      configuredMode: "api",
+      cliPath: null,
+      apiKeyEnv: keyEnv2,
+      effectiveModelHint: `model-router (ingest=${config.models.ingest}, query=${config.models.query})`,
+      description: `API mode: using Agent SDK with ${keyEnv2}, model routing enabled (per-token billing)`
+    };
+  }
+  if (config.llm.provider !== "anthropic") {
+    const keyEnv2 = detectKey();
+    if (!keyEnv2 && config.llm.provider !== "ollama") {
+      throw new ExecutionModeError(
+        `auto-detect: llm.provider='${config.llm.provider}' but ${apiKeyEnv} is not set. Refusing to fall back to CLI mode for non-anthropic provider.`,
+        "API_KEY_NOT_SET"
+      );
+    }
+    return {
+      mode: "api",
+      configuredMode: "auto",
+      cliPath: null,
+      apiKeyEnv: keyEnv2,
+      effectiveModelHint: `model-router (ingest=${config.models.ingest}, query=${config.models.query})`,
+      description: `API mode (auto-detected, provider=${config.llm.provider}): using ${keyEnv2 ?? "no-key"}, model routing enabled`
+    };
+  }
+  const cli = detectCli();
+  if (cli) {
+    return {
+      mode: "cli",
+      configuredMode: "auto",
+      cliPath: cli,
+      apiKeyEnv: null,
+      effectiveModelHint: cliModel,
+      description: `CLI mode (auto-detected): using claude binary at ${cli}, model ${cliModel}, zero marginal cost (subscription-covered)`
+    };
+  }
+  const keyEnv = detectKey();
+  if (keyEnv) {
+    return {
+      mode: "api",
+      configuredMode: "auto",
+      cliPath: null,
+      apiKeyEnv: keyEnv,
+      effectiveModelHint: `model-router (ingest=${config.models.ingest}, query=${config.models.query})`,
+      description: `API mode (auto-detected): using Agent SDK with ${keyEnv}, model routing enabled (per-token billing)`
+    };
+  }
+  throw new ExecutionModeError(
+    `No '${cliPath}' binary on PATH and no ${apiKeyEnv} env var set. Install Claude Code CLI (https://docs.claude.com/claude-code) or set an API key to run watcher-on-the-wall.`,
+    "NO_RUNTIME_AVAILABLE"
+  );
+}
+__name(resolveExecutionMode, "resolveExecutionMode");
+
+// src/daemon/index.ts
+function ensureDirSyncOrActionable(path) {
+  try {
+    ensureDirSync(path);
+  } catch (err) {
+    if (looksLikePermissionDenied(err)) {
+      throw wikiDirPermissionError(path, err);
+    }
+    throw err;
+  }
+}
+__name(ensureDirSyncOrActionable, "ensureDirSyncOrActionable");
+var Daemon = class {
+  static {
+    __name(this, "Daemon");
+  }
+  subsystems = [];
+  shuttingDown = false;
+  opts;
+  config = null;
+  executionMode = null;
+  releaseLock = null;
+  constructor(opts) {
+    this.opts = opts;
+  }
+  /** Resolve config and return it. */
+  async init() {
+    const loaded = await loadConfig(this.opts.workingDir);
+    this.config = resolveConfigPaths(loaded.config, this.opts.workingDir);
+    const logToStdout = process.env.WOTW_LOG_STDOUT === "1" || process.env.WOTW_LOG_STDOUT === "true";
+    initLogger(this.config.daemon.log_level, logToStdout ? void 0 : this.config.daemon.log_file);
+    const log = getLogger("daemon");
+    log.info(
+      {
+        pid: process.pid,
+        cwd: this.opts.workingDir,
+        configPath: loaded.path
+      },
+      "daemon initializing"
+    );
+    ensureDirSyncOrActionable(this.config.wiki_root);
+    ensureDirSyncOrActionable(this.config.raw_path);
+    try {
+      this.executionMode = resolveExecutionMode(this.config);
+    } catch (err) {
+      if (err instanceof ExecutionModeError) {
+        log.fatal({ code: err.code }, err.message);
+      } else {
+        log.fatal({ err }, "failed to resolve execution mode");
+      }
+      throw err;
+    }
+    log.info(
+      {
+        mode: this.executionMode.mode,
+        configured: this.executionMode.configuredMode,
+        cliPath: this.executionMode.cliPath,
+        apiKeyEnv: this.executionMode.apiKeyEnv,
+        model: this.executionMode.effectiveModelHint
+      },
+      this.executionMode.description
+    );
+    return this.config;
+  }
+  /** Return the resolved execution mode, or null if init() hasn't run yet. */
+  getExecutionMode() {
+    return this.executionMode;
+  }
+  /** Attach a subsystem for start/stop management. */
+  attachSubsystem(sub) {
+    this.subsystems.push(sub);
+  }
+  /**
+   * Main run loop. Acquires the start lock, writes the PID file, starts all
+   * subsystems, installs signal handlers, and blocks until shutdown.
+   */
+  async run() {
+    if (!this.config) throw new Error("Daemon.init() must be called before run()");
+    const log = getLogger("daemon");
+    const alive = checkDaemonAlive(this.config.daemon.pid_file);
+    if (alive.alive) {
+      log.error({ pid: alive.pid }, "another daemon instance is already running");
+      throw daemonAlreadyRunningError(this.config.daemon.pid_file);
+    }
+    try {
+      this.releaseLock = await acquireStartLock(this.config.daemon.lock_file);
+    } catch (err) {
+      log.error({ err }, "failed to acquire start lock");
+      throw daemonAlreadyRunningError(this.config.daemon.lock_file, err);
+    }
+    writePidFile(this.config.daemon.pid_file, {
+      pid: process.pid,
+      started_at: (/* @__PURE__ */ new Date()).toISOString(),
+      version: VERSION
+    });
+    log.info({ pidFile: this.config.daemon.pid_file }, "PID file written");
+    this.installSignalHandlers();
+    for (const sub of this.subsystems) {
+      try {
+        log.info({ subsystem: sub.name }, "starting subsystem");
+        await sub.start();
+      } catch (err) {
+        log.error({ err, subsystem: sub.name }, "subsystem failed to start");
+        await this.shutdown(1);
+        return;
+      }
+    }
+    log.info({ subsystems: this.subsystems.map((s) => s.name) }, "daemon running");
+    await new Promise((resolve2) => {
+      const check = setInterval(() => {
+        if (this.shuttingDown) {
+          clearInterval(check);
+          resolve2();
+        }
+      }, 250);
+    });
+  }
+  /** Install SIGTERM / SIGINT handlers for graceful shutdown. */
+  installSignalHandlers() {
+    const handle = /* @__PURE__ */ __name((signal) => {
+      const log = getLogger("daemon");
+      log.info({ signal }, "received shutdown signal");
+      void this.shutdown(0);
+    }, "handle");
+    process.on("SIGTERM", handle);
+    process.on("SIGINT", handle);
+    process.on("uncaughtException", (err) => {
+      const log = getLogger("daemon");
+      log.fatal({ err }, "uncaught exception");
+      void this.shutdown(1);
+    });
+    process.on("unhandledRejection", (reason) => {
+      const log = getLogger("daemon");
+      log.fatal(
+        { reason: reason instanceof Error ? reason.message : String(reason) },
+        "unhandled rejection \u2014 shutting down"
+      );
+      void this.shutdown(1);
+    });
+  }
+  /** Stop all subsystems, release the lock, remove the PID file, and exit. */
+  async shutdown(exitCode) {
+    if (this.shuttingDown) return;
+    this.shuttingDown = true;
+    const log = getLogger("daemon");
+    log.info("daemon shutting down");
+    for (const sub of [...this.subsystems].reverse()) {
+      try {
+        await sub.stop();
+        log.info({ subsystem: sub.name }, "subsystem stopped");
+      } catch (err) {
+        log.error({ err, subsystem: sub.name }, "subsystem stop failed");
+      }
+    }
+    if (this.config) {
+      removePidFile(this.config.daemon.pid_file);
+    }
+    if (this.releaseLock) {
+      try {
+        await this.releaseLock();
+      } catch {
+      }
+    }
+    log.info("daemon shutdown complete");
+    await new Promise((r) => setTimeout(r, 50));
+    process.exit(exitCode);
+  }
+};
+
+// src/provenance/hash.ts
+import { createHash } from "crypto";
+import { readFileSync as readFileSync3 } from "fs";
+import { readFile as readFile2 } from "fs/promises";
+var GENESIS_HASH = "0".repeat(64);
+function canonicalJson(value) {
+  const normalize = /* @__PURE__ */ __name((v) => {
+    if (v === null || typeof v !== "object") return v;
+    if (Array.isArray(v)) return v.map(normalize);
+    const sorted = {};
+    for (const key of Object.keys(v).sort()) {
+      sorted[key] = normalize(v[key]);
+    }
+    return sorted;
+  }, "normalize");
+  return JSON.stringify(normalize(value));
+}
+__name(canonicalJson, "canonicalJson");
+function sha256Hex(input) {
+  return createHash("sha256").update(input).digest("hex");
+}
+__name(sha256Hex, "sha256Hex");
+var sha256 = sha256Hex;
+function sha256Canonical(value) {
+  return sha256Hex(canonicalJson(value));
+}
+__name(sha256Canonical, "sha256Canonical");
+var sha256Json = sha256Canonical;
+var stableStringify = canonicalJson;
+function sha256FileSync(filePath) {
+  return sha256Hex(readFileSync3(filePath));
+}
+__name(sha256FileSync, "sha256FileSync");
+async function sha256File(path) {
+  try {
+    const buf = await readFile2(path);
+    return sha256Hex(buf);
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+}
+__name(sha256File, "sha256File");
+async function sha256Files(paths) {
+  const out = {};
+  await Promise.all(
+    paths.map(async (p) => {
+      const h = await sha256File(p);
+      if (h !== null) out[p] = h;
+    })
+  );
+  return out;
+}
+__name(sha256Files, "sha256Files");
+
+// src/utils/sanitize.ts
+var DEFAULT_REDACTIONS = [
+  {
+    name: "aws-access-key",
+    pattern: /\bAKIA[0-9A-Z]{16}\b/g,
+    replacement: "[REDACTED:AWS_ACCESS_KEY]"
+  },
+  {
+    name: "aws-secret-key",
+    pattern: /\b[A-Za-z0-9/+=]{40}\b(?=.*(?:secret|aws))/gi,
+    replacement: "[REDACTED:AWS_SECRET_KEY]"
+  },
+  {
+    name: "github-token",
+    // Review item 2: also catch GitHub fine-grained personal access
+    // tokens (`github_pat_*`, 82+ chars per docs).
+    pattern: /\bgh[pousr]_[A-Za-z0-9]{36,255}\b|\bgithub_pat_[A-Za-z0-9_]{50,}\b/g,
+    replacement: "[REDACTED:GITHUB_TOKEN]"
+  },
+  {
+    name: "anthropic-api-key",
+    // Anthropic keys span ~95-115 chars after `sk-ant-`. The 80,120
+    // window stays generous enough to catch both legacy and current
+    // formats including api03- prefix.
+    pattern: /\bsk-ant-[A-Za-z0-9-_]{80,120}\b/g,
+    replacement: "[REDACTED:ANTHROPIC_API_KEY]"
+  },
+  {
+    name: "openai-api-key",
+    // Review item 2: original `\bsk-[A-Za-z0-9]{20,}\b` missed modern
+    // formats with `-` and `_` in the body — `sk-proj-*`,
+    // `sk-svcacct-*`, `sk-admin-*` all use `-` separators after the
+    // prefix and longer character set. Updated character class.
+    pattern: /\bsk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,200}\b|\bsk-[A-Za-z0-9]{20,200}\b/g,
+    replacement: "[REDACTED:OPENAI_API_KEY]"
+  },
+  {
+    name: "gemini-api-key",
+    // Review item 2: Google AI Studio API keys are `AIza` + 35 chars.
+    // No rule existed pre-fix.
+    pattern: /\bAIza[A-Za-z0-9_-]{35}\b/g,
+    replacement: "[REDACTED:GEMINI_API_KEY]"
+  },
+  {
+    name: "wotw-daemon-token",
+    // Review item 2: daemon tokens emitted by `wotw user add` are
+    // `wotw_` + base64url chars. Pre-fix these went unredacted.
+    pattern: /\bwotw_[A-Za-z0-9_-]{30,200}\b/g,
+    replacement: "[REDACTED:WOTW_TOKEN]"
+  },
+  {
+    name: "private-key-block",
+    pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+    replacement: "[REDACTED:PRIVATE_KEY_BLOCK]"
+  },
+  {
+    name: "jwt",
+    pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
+    replacement: "[REDACTED:JWT]"
+  },
+  {
+    // L-SEC-3: This pattern is deliberately scoped to full `scheme://`
+    // URIs with a `user:password@` userinfo component. The `\w+:\/\/`
+    // prefix is load-bearing — without it the pattern would also match
+    // bare `user@host` email addresses and `mailto:user@host` URIs,
+    // both of which carry no password and must not be over-redacted.
+    // Verified by unit tests in test/unit/sanitize.test.ts.
+    name: "password-in-url",
+    pattern: /(\w+:\/\/[^:/\s]+:)[^@\s]+(@)/g,
+    replacement: "$1[REDACTED]$2"
+  },
+  {
+    name: "credit-card",
+    pattern: /\b(?:\d[ -]*?){13,16}\b/g,
+    replacement: "[REDACTED:PAN]"
+  },
+  {
+    name: "us-ssn",
+    pattern: /\b\d{3}-\d{2}-\d{4}\b/g,
+    replacement: "[REDACTED:SSN]"
+  }
+];
+function sanitize(input, rules = DEFAULT_REDACTIONS) {
+  let out = input;
+  for (const rule of rules) {
+    out = out.replace(rule.pattern, rule.replacement);
+  }
+  return out;
+}
+__name(sanitize, "sanitize");
+function sanitizeWithReport(input, rules = DEFAULT_REDACTIONS) {
+  const triggered = [];
+  let out = input;
+  for (const rule of rules) {
+    if (rule.pattern.test(out)) {
+      triggered.push(rule.name);
+      rule.pattern.lastIndex = 0;
+      out = out.replace(rule.pattern, rule.replacement);
+    }
+  }
+  return { output: out, triggered };
+}
+__name(sanitizeWithReport, "sanitizeWithReport");
+export {
+  DEFAULT_REDACTIONS,
+  Daemon,
+  GENESIS_HASH,
+  canonicalJson,
+  defaultConfig,
+  getLogger,
+  initLogger,
+  loadConfig,
+  mergeConfig,
+  resolveConfigPaths,
+  sanitize,
+  sanitizeWithReport,
+  sha256,
+  sha256Canonical,
+  sha256File,
+  sha256FileSync,
+  sha256Files,
+  sha256Hex,
+  sha256Json,
+  stableStringify
+};
+//# sourceMappingURL=index.js.map