@agentbridge1/cli 0.0.1

package/bin/agentbridge.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+const { spawnSync } = require("node:child_process");
+const path = require("node:path");
+
+const entry = path.join(__dirname, "..", "dist", "index.js");
+const result = spawnSync(process.execPath, [entry, ...process.argv.slice(2)], {
+  stdio: "inherit",
+  env: process.env,
+});
+
+process.exit(result.status === null ? 1 : result.status);

package/dist/acceptance-block.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BLOCKING_ACCEPTANCE_DECISIONS = void 0;
+exports.isBlockingAcceptanceDecision = isBlockingAcceptanceDecision;
+exports.isBlockingCompletionState = isBlockingCompletionState;
+exports.shouldBlockAcceptanceAction = shouldBlockAcceptanceAction;
+/** Decisions that block action commands (handoff, accept, done-as-action). */
+exports.BLOCKING_ACCEPTANCE_DECISIONS = new Set(["needs_proof", "stale_evidence", "failed", "needs_review"]);
+function isBlockingAcceptanceDecision(decision) {
+    return exports.BLOCKING_ACCEPTANCE_DECISIONS.has(decision);
+}
+function isBlockingCompletionState(state) {
+    return (state === "needs_proof" ||
+        state === "stale_evidence" ||
+        state === "failed" ||
+        state === "needs_review");
+}
+function shouldBlockAcceptanceAction(report) {
+    return (isBlockingAcceptanceDecision(report.decision) ||
+        (report.completion != null && isBlockingCompletionState(report.completion.state)));
+}

package/dist/acceptance-preflight.js

@@ -0,0 +1,91 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAcceptanceWorkContext = resolveAcceptanceWorkContext;
+const server_sync_1 = require("./server-sync");
+const http_1 = require("./http");
+const work_context_resolver_1 = require("./work-context-resolver");
+const preflight_changed_files_1 = require("./preflight-changed-files");
+const errors_1 = require("./errors");
+/**
+ * Shared path for check/done/handoff/accept: git dirty sync, local-session-only
+ * work context (no config CR adoption), then fresh acceptance report from server.
+ */
+async function resolveAcceptanceWorkContext(ctx, options = {}) {
+    let preflight = { syncedFiles: [], observedFiles: [] };
+    try {
+        preflight = await (0, preflight_changed_files_1.preflightSyncChangedFiles)(ctx);
+    }
+    catch (err) {
+        const debugMessage = err instanceof Error ? err.message : String(err);
+        throw new errors_1.SafeCliError({
+            code: "WORK_CONTEXT_SYNC_FAILED",
+            category: "WORK_CONTEXT_ERROR",
+            what: "Failed to sync the local changed-file snapshot before fetching acceptance status.",
+            why: "If preflight sync is skipped, acceptance can read stale server drift and block incorrectly.",
+            next: `Retry the command after fixing sync errors. ${process.env.AGENTBRIDGE_DEBUG_HTTP === "1" ? `Debug: ${debugMessage}` : "Run `agentbridge doctor` if this keeps failing."}`,
+        });
+    }
+    const resolution = await (0, work_context_resolver_1.resolveWorkContext)(ctx, {
+        useConfigActiveChangeRequestId: false,
+        includeOtherActiveSessions: true,
+        skipAcceptanceFetchInBind: true,
+        ...options,
+    });
+    if (resolution.state !== "current_session_resolved" || !resolution.binding) {
+        return { resolution, preflight, report: null };
+    }
+    let report;
+    try {
+        report = await (0, server_sync_1.fetchAcceptanceCheck)(ctx, {
+            workSessionId: resolution.binding.workSessionId,
+        });
+    }
+    catch (err) {
+        if (err instanceof http_1.CliHttpError && err.status === 404) {
+            return {
+                resolution: {
+                    ...resolution,
+                    state: "stale_orphan_session_detected",
+                    binding: null,
+                    resolvedServerSessionId: null,
+                    resolvedChangeRequestId: null,
+                    message: `Local session ${resolution.binding.workSessionId} was not found on the server. Run agentbridge session abandon to clear it.`,
+                },
+                preflight,
+                report: null,
+            };
+        }
+        throw err;
+    }
+    const requestedCr = resolution.requestedChangeRequestId;
+    const reportCr = report.change_request_id?.trim() ?? null;
+    if (requestedCr && reportCr && requestedCr !== reportCr) {
+        return {
+            resolution: {
+                ...resolution,
+                state: "mismatch",
+                binding: null,
+                resolvedServerSessionId: report.work_session_id,
+                resolvedChangeRequestId: reportCr,
+                message: `Local session belongs to change request ${reportCr}, not ${requestedCr}.`,
+            },
+            preflight,
+            report: null,
+        };
+    }
+    const binding = {
+        workSessionId: report.work_session_id,
+        changeRequestId: report.change_request_id ?? null,
+        report,
+    };
+    return {
+        resolution: {
+            ...resolution,
+            binding,
+            resolvedServerSessionId: report.work_session_id,
+            resolvedChangeRequestId: report.change_request_id ?? null,
+        },
+        preflight,
+        report,
+    };
+}

package/dist/api-client.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CliHttpError = exports.postJson = void 0;
+var http_1 = require("./http");
+Object.defineProperty(exports, "postJson", { enumerable: true, get: function () { return http_1.postJson; } });
+Object.defineProperty(exports, "CliHttpError", { enumerable: true, get: function () { return http_1.CliHttpError; } });

package/dist/authority-request.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderAuthorityRequest = renderAuthorityRequest;
+function renderAuthorityRequest(input) {
+    const title = input.severity === "tier_c" ? "HANDSHAKE REQUIRED" : "AUTHORITY REQUEST";
+    return [
+        "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━",
+        `  ${title}`,
+        "",
+        `  ${input.requestingAgent} is attempting an out-of-lane change.`,
+        "",
+        `  Current task: ${input.currentTask}`,
+        `  Authorised lane: ${input.authorizedLane}`,
+        `  Change detected: ${input.targetFile}`,
+        `  Owned by: ${input.targetDomainOwner}`,
+        "",
+        "  Decision:",
+        "    [a] approve",
+        "    [d] deny",
+        "    [l] limit scope",
+        "    [h] handoff",
+        "    [x] abandon",
+        "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━",
+    ].join("\n");
+}

package/dist/briefing.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderSessionBriefing = renderSessionBriefing;
+function renderSessionBriefing(input) {
+    const { state, testRun } = input;
+    const inLane = state.changedFiles.filter((file) => {
+        const crossing = state.crossings.find((c) => c.file === file);
+        return !crossing || crossing.domain === state.laneDomain;
+    }).length;
+    const outOfLane = state.changedFiles.length - inLane;
+    const approvals = state.crossings.filter((c) => c.status === "approved").length;
+    const denied = state.crossings.filter((c) => c.status === "denied").length;
+    const line1 = `Session closed — ${state.agentId} · ${state.laneDomain ?? "unclassified"} lane`;
+    const line2 = `Touched: ${inLane} in-lane, ${outOfLane} cross-domain file(s)`;
+    const line3 = approvals + denied > 0
+        ? `Crossings: ${approvals} approved, ${denied} denied`
+        : `Crossings: ${state.crossings.length} observed`;
+    const line4 = testRun
+        ? `Tests: ${testRun.passed ? "PASS" : "FAIL"} via ${testRun.command}`
+        : "Tests: not run";
+    const line5 = state.closeReason
+        ? `Close reason: ${state.closeReason}`
+        : "Close reason: completed";
+    const line6 = "Next: continue in-lane | handoff if cross-domain work is needed";
+    return [line1, line2, line3, line4, line5, line6].join("\n");
+}

package/dist/bug-registry.js

@@ -0,0 +1,350 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BUG_FOUND_IN = exports.BUG_STATUSES = exports.BUG_SEVERITIES = exports.BUG_CATEGORIES = void 0;
+exports.sanitizeBugText = sanitizeBugText;
+exports.slugifyTitle = slugifyTitle;
+exports.renderBugMarkdown = renderBugMarkdown;
+exports.parseSimpleYamlFrontmatter = parseSimpleYamlFrontmatter;
+exports.parseBugRecordFromFile = parseBugRecordFromFile;
+exports.validateBugReportInput = validateBugReportInput;
+exports.validateBugCloseReadiness = validateBugCloseReadiness;
+exports.resolveBugRegistryDir = resolveBugRegistryDir;
+exports.buildBugRecord = buildBugRecord;
+exports.writeBugReportFile = writeBugReportFile;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+exports.BUG_CATEGORIES = [
+    "PRE_FLIGHT",
+    "CONFIG_AUTH",
+    "IDENTITY_RESOLUTION",
+    "WORK_CONTEXT",
+    "START_FLOW",
+    "WATCH_SCOPE",
+    "PROOF_SCOPE",
+    "STALE_PROOF",
+    "SCOPE_DRIFT",
+    "HANDOFF_ACCEPT",
+    "MEMORY_BLOAT",
+    "MEMORY_NOT_APPLIED",
+    "UI_RETURN_PATH",
+    "OAUTH_AUTH",
+    "CLI_UX",
+    "SERVER_API",
+    "UNKNOWN",
+];
+exports.BUG_SEVERITIES = ["P0", "P1", "P2", "P3"];
+exports.BUG_STATUSES = [
+    "open",
+    "investigating",
+    "fixing",
+    "fixed_pending_verification",
+    "verified",
+    "closed",
+    "wont_fix",
+];
+exports.BUG_FOUND_IN = ["dogfood", "production", "unit_test", "user_report"];
+const SECRET_PATTERNS = [
+    /\bsk-[a-zA-Z0-9]{8,}\b/g,
+    /\bBearer\s+[a-zA-Z0-9._\-+/=]{8,}\b/gi,
+    /\bAGENTBRIDGE_API_KEY\s*=\s*\S+/gi,
+    /\bapi[_-]?key\s*[:=]\s*\S+/gi,
+    /\bpassword\s*[:=]\s*\S+/gi,
+    /\btoken\s*[:=]\s*\S+/gi,
+];
+function sanitizeBugText(value) {
+    let out = value;
+    for (const pattern of SECRET_PATTERNS) {
+        out = out.replace(pattern, "[REDACTED]");
+    }
+    return out;
+}
+function slugifyTitle(title) {
+    return title
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 60);
+}
+function quoteYaml(value) {
+    if (/[:#\n"'&*]|^\s|-\s/.test(value)) {
+        return JSON.stringify(value);
+    }
+    return value;
+}
+function yamlStringList(key, values) {
+    if (!values || values.length === 0) {
+        return [`${key}: []`];
+    }
+    return [`${key}:`, ...values.map((v) => `  - ${quoteYaml(v)}`)];
+}
+function renderBugMarkdown(record) {
+    const createdAt = record.created_at ?? new Date().toISOString();
+    const lines = [
+        "---",
+        `id: ${quoteYaml(record.id)}`,
+        `title: ${quoteYaml(record.title)}`,
+        `severity: ${record.severity}`,
+        `category: ${record.category}`,
+        `status: ${record.status}`,
+        "found_in:",
+        ...record.found_in.map((v) => `  - ${v}`),
+        `project_id: ${quoteYaml(record.project_id ?? "")}`,
+        `work_session_id: ${quoteYaml(record.work_session_id ?? "")}`,
+        `change_request_id: ${quoteYaml(record.change_request_id ?? "")}`,
+        ...yamlStringList("affected_commands", record.affected_commands),
+        ...yamlStringList("affected_files", record.affected_files),
+        `user_impact: ${quoteYaml(record.user_impact ?? "")}`,
+        `root_cause: ${quoteYaml(record.root_cause ?? "")}`,
+        `fix_summary: ${quoteYaml(record.fix_summary ?? "")}`,
+        ...yamlStringList("regression_tests", record.regression_tests),
+        ...yamlStringList("verification_commands", record.verification_commands),
+        `agentbridge_should_have_caught_by: ${quoteYaml(record.agentbridge_should_have_caught_by ?? "")}`,
+        "memory_candidate:",
+        `  invariant: ${quoteYaml(record.memory_candidate?.invariant ?? "")}`,
+        `  known_trap: ${quoteYaml(record.memory_candidate?.known_trap ?? "")}`,
+        `  future_proof_requirement: ${quoteYaml(record.memory_candidate?.future_proof_requirement ?? "")}`,
+        `created_at: ${quoteYaml(createdAt)}`,
+        `closed_at: ${quoteYaml(record.closed_at ?? "")}`,
+        "---",
+        "",
+        `# ${record.title}`,
+        "",
+        "## Observed behavior",
+        "",
+        record.observed_behavior?.trim() ? record.observed_behavior.trim() : "_TBD_",
+        "",
+        "## Expected behavior",
+        "",
+        record.expected_behavior?.trim() ? record.expected_behavior.trim() : "_TBD_",
+        "",
+        "## Reproduction",
+        "",
+        "_TBD_",
+        "",
+        "## Notes",
+        "",
+        "_TBD_",
+        "",
+    ];
+    return lines.join("\n");
+}
+function parseSimpleYamlFrontmatter(content) {
+    const match = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+    if (!match) {
+        throw new Error("Bug file missing YAML frontmatter");
+    }
+    const block = match[1];
+    const result = {};
+    let currentListKey = null;
+    let currentNestedKey = null;
+    const nested = {};
+    for (const rawLine of block.split("\n")) {
+        const line = rawLine.trimEnd();
+        if (line.trim().length === 0)
+            continue;
+        const listItem = line.match(/^\s+-\s+(.*)$/);
+        if (listItem && currentListKey) {
+            const arr = result[currentListKey] ?? [];
+            arr.push(parseYamlScalar(listItem[1] ?? ""));
+            result[currentListKey] = arr;
+            continue;
+        }
+        const nestedScalar = line.match(/^\s{2}([a-z_]+):\s*(.*)$/);
+        if (nestedScalar && currentNestedKey) {
+            const [, nk, nv] = nestedScalar;
+            if (!nested[currentNestedKey])
+                nested[currentNestedKey] = {};
+            nested[currentNestedKey][nk ?? ""] = parseYamlScalar(nv ?? "");
+            continue;
+        }
+        const kv = line.match(/^([a-z_]+):\s*(.*)$/);
+        if (!kv)
+            continue;
+        const [, key, rawValue] = kv;
+        if (!key)
+            continue;
+        if (rawValue === "") {
+            currentListKey = key;
+            currentNestedKey = key === "memory_candidate" ? key : null;
+            if (key !== "memory_candidate" && key !== "found_in") {
+                result[key] = [];
+            }
+            if (key === "memory_candidate") {
+                result[key] = {};
+            }
+            continue;
+        }
+        currentListKey = null;
+        currentNestedKey = null;
+        result[key] = parseYamlScalar(rawValue);
+    }
+    if (Object.keys(nested).length > 0) {
+        for (const [k, v] of Object.entries(nested)) {
+            result[k] = v;
+        }
+    }
+    return result;
+}
+function parseYamlScalar(raw) {
+    const trimmed = raw.trim();
+    if ((trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+        (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function parseBugRecordFromFile(content) {
+    const fm = parseSimpleYamlFrontmatter(content);
+    const bodyMatch = content.match(/^---\r?\n[\s\S]*?\r?\n---\r?\n([\s\S]*)$/);
+    const body = bodyMatch?.[1] ?? "";
+    const observed = body.match(/## Observed behavior\r?\n\r?\n([\s\S]*?)(?:\r?\n## |\r?\n$)/)?.[1]?.trim() ??
+        "";
+    const expected = body.match(/## Expected behavior\r?\n\r?\n([\s\S]*?)(?:\r?\n## |\r?\n$)/)?.[1]?.trim() ??
+        "";
+    const memoryRaw = fm.memory_candidate;
+    const memoryCandidate = memoryRaw && typeof memoryRaw === "object" && !Array.isArray(memoryRaw)
+        ? memoryRaw
+        : undefined;
+    return {
+        id: String(fm.id ?? ""),
+        title: String(fm.title ?? ""),
+        severity: fm.severity,
+        category: fm.category,
+        status: fm.status,
+        found_in: Array.isArray(fm.found_in) ? fm.found_in : [],
+        project_id: fm.project_id ? String(fm.project_id) : undefined,
+        work_session_id: fm.work_session_id ? String(fm.work_session_id) : undefined,
+        change_request_id: fm.change_request_id ? String(fm.change_request_id) : undefined,
+        affected_commands: Array.isArray(fm.affected_commands)
+            ? fm.affected_commands
+            : undefined,
+        affected_files: Array.isArray(fm.affected_files)
+            ? fm.affected_files
+            : undefined,
+        user_impact: fm.user_impact ? String(fm.user_impact) : undefined,
+        root_cause: fm.root_cause ? String(fm.root_cause) : undefined,
+        fix_summary: fm.fix_summary ? String(fm.fix_summary) : undefined,
+        regression_tests: Array.isArray(fm.regression_tests)
+            ? fm.regression_tests
+            : undefined,
+        verification_commands: Array.isArray(fm.verification_commands)
+            ? fm.verification_commands
+            : undefined,
+        agentbridge_should_have_caught_by: fm.agentbridge_should_have_caught_by
+            ? String(fm.agentbridge_should_have_caught_by)
+            : undefined,
+        memory_candidate: memoryCandidate,
+        created_at: fm.created_at ? String(fm.created_at) : undefined,
+        closed_at: fm.closed_at ? String(fm.closed_at) : undefined,
+        observed_behavior: observed === "_TBD_" ? "" : observed,
+        expected_behavior: expected === "_TBD_" ? "" : expected,
+    };
+}
+function isNonEmpty(value) {
+    return Boolean(value && value.trim().length > 0);
+}
+function hasItems(values) {
+    return Boolean(values && values.some((v) => v.trim().length > 0));
+}
+function validateBugReportInput(input) {
+    const errors = [];
+    if (!isNonEmpty(input.title))
+        errors.push("title is required");
+    if (!input.severity || !exports.BUG_SEVERITIES.includes(input.severity)) {
+        errors.push(`severity must be one of: ${exports.BUG_SEVERITIES.join(", ")}`);
+    }
+    if (!input.category || !exports.BUG_CATEGORIES.includes(input.category)) {
+        errors.push(`category must be one of: ${exports.BUG_CATEGORIES.join(", ")}`);
+    }
+    const foundIn = input.foundIn ?? [];
+    if (foundIn.length === 0) {
+        errors.push("found_in requires at least one value");
+    }
+    else {
+        for (const item of foundIn) {
+            if (!exports.BUG_FOUND_IN.includes(item)) {
+                errors.push(`invalid found_in value: ${item}`);
+            }
+        }
+    }
+    if (!isNonEmpty(input.observed))
+        errors.push("observed behavior is required");
+    if (!isNonEmpty(input.expected))
+        errors.push("expected behavior is required");
+    return { ok: errors.length === 0, errors };
+}
+function validateBugCloseReadiness(record) {
+    const errors = [];
+    if (!exports.BUG_SEVERITIES.includes(record.severity)) {
+        errors.push(`invalid severity: ${record.severity}`);
+    }
+    if (!exports.BUG_STATUSES.includes(record.status)) {
+        errors.push(`invalid status: ${record.status}`);
+    }
+    const closingStatuses = ["verified", "closed"];
+    if (!closingStatuses.includes(record.status)) {
+        return { ok: errors.length === 0, errors };
+    }
+    if (record.severity === "P0" || record.severity === "P1") {
+        if (!isNonEmpty(record.root_cause))
+            errors.push("root_cause is required for P0/P1 close");
+        if (!isNonEmpty(record.fix_summary))
+            errors.push("fix_summary is required for P0/P1 close");
+        if (!hasItems(record.regression_tests)) {
+            errors.push("regression_tests requires at least one entry for P0/P1 close");
+        }
+        if (!hasItems(record.verification_commands)) {
+            errors.push("verification_commands requires at least one entry for P0/P1 close");
+        }
+        if (!isNonEmpty(record.agentbridge_should_have_caught_by)) {
+            errors.push("agentbridge_should_have_caught_by is required for P0/P1 close");
+        }
+    }
+    return { ok: errors.length === 0, errors };
+}
+function resolveBugRegistryDir(repoRoot) {
+    return (0, node_path_1.join)(repoRoot, "docs", "bugs");
+}
+function buildBugRecord(options) {
+    const date = new Date().toISOString().slice(0, 10);
+    const slug = slugifyTitle(options.title);
+    const id = `bug-${date}-${slug}`;
+    const observed = sanitizeBugText([options.observed, options.logs ? `\n\nLogs:\n${options.logs}` : ""]
+        .filter(Boolean)
+        .join("\n"));
+    const expected = sanitizeBugText(options.expected);
+    return {
+        id,
+        title: sanitizeBugText(options.title),
+        severity: options.severity,
+        category: options.category,
+        status: options.status ?? "open",
+        found_in: options.foundIn,
+        project_id: options.projectId ? sanitizeBugText(options.projectId) : undefined,
+        work_session_id: options.workSessionId ? sanitizeBugText(options.workSessionId) : undefined,
+        change_request_id: options.changeRequestId
+            ? sanitizeBugText(options.changeRequestId)
+            : undefined,
+        affected_commands: options.affectedCommands?.map(sanitizeBugText),
+        affected_files: options.affectedFiles?.map(sanitizeBugText),
+        user_impact: options.userImpact ? sanitizeBugText(options.userImpact) : undefined,
+        observed_behavior: observed,
+        expected_behavior: expected,
+        regression_tests: [],
+        verification_commands: [],
+        memory_candidate: {
+            invariant: "",
+            known_trap: "",
+            future_proof_requirement: "",
+        },
+        created_at: new Date().toISOString(),
+    };
+}
+function writeBugReportFile(repoRoot, record) {
+    const dir = resolveBugRegistryDir(repoRoot);
+    (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+    const filename = `${record.id.replace(/^bug-/, "")}.md`;
+    const path = (0, node_path_1.join)(dir, filename);
+    (0, node_fs_1.writeFileSync)(path, renderBugMarkdown(record), "utf8");
+    return path;
+}

package/dist/build-info.json

@@ -0,0 +1,6 @@
+{
+  "builtAt": "2026-06-01T12:25:02.951Z",
+  "gitHead": "6278b82",
+  "sourceLatestMtime": "2026-06-01T11:23:58.375Z",
+  "sourceLatestFile": "build.mjs"
+}

package/dist/canonical-state.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toCanonicalWorkContextState = toCanonicalWorkContextState;
+function toCanonicalWorkContextState(state) {
+    if (state === "mismatch")
+        return "mismatch";
+    if (state === "other_active_sessions_exist" || state === "ambiguous_active_sessions") {
+        return "other_active_sessions_exist";
+    }
+    return "no_current_session";
+}

package/dist/claimed-paths.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fileWithinClaimedPaths = fileWithinClaimedPaths;
+exports.filesOutsideClaimedPaths = filesOutsideClaimedPaths;
+function escapeRegex(text) {
+    return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function globToRegex(glob) {
+    const normalized = glob.replaceAll("\\", "/");
+    const withDouble = normalized.replaceAll("**", "__DOUBLE_STAR__");
+    const withSingle = withDouble.replaceAll("*", "__SINGLE_STAR__");
+    const escaped = escapeRegex(withSingle)
+        .replaceAll("__DOUBLE_STAR__", ".*")
+        .replaceAll("__SINGLE_STAR__", "[^/]*");
+    return new RegExp(`^${escaped}$`);
+}
+/** True when `file` matches an explicit claimed scope path or glob. */
+function fileWithinClaimedPaths(file, claimedPaths) {
+    if (claimedPaths.length === 0)
+        return false;
+    const normalizedFile = file.trim().replaceAll("\\", "/");
+    return claimedPaths.some((claim) => {
+        const normalized = claim.trim().replaceAll("\\", "/");
+        if (!normalized)
+            return false;
+        if (normalized === normalizedFile)
+            return true;
+        if (normalized.endsWith("/**")) {
+            const prefix = normalized.slice(0, -3);
+            return normalizedFile.startsWith(prefix);
+        }
+        if (normalized.includes("*")) {
+            return globToRegex(normalized).test(normalizedFile);
+        }
+        return normalizedFile.startsWith(normalized.endsWith("/") ? normalized : `${normalized}/`);
+    });
+}
+function filesOutsideClaimedPaths(files, claimedPaths) {
+    if (claimedPaths.length === 0)
+        return [...files];
+    return files.filter((file) => !fileWithinClaimedPaths(file, claimedPaths));
+}

package/dist/cli-failure-log.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logCliFailure = logCliFailure;
+const errors_1 = require("./errors");
+const redact_secrets_1 = require("./redact-secrets");
+function failureLogEnabled() {
+    const debug = process.env.AGENTBRIDGE_DEBUG;
+    const failureLog = process.env.AGENTBRIDGE_FAILURE_LOG;
+    return debug === "1" || debug === "true" || failureLog === "1" || failureLog === "true";
+}
+function logCliFailure(err, ctx = {}) {
+    if (!failureLogEnabled())
+        return;
+    const view = (0, errors_1.formatCliError)(err);
+    const payload = {
+        timestamp: new Date().toISOString(),
+        command: ctx.command ?? null,
+        projectId: ctx.projectId ?? null,
+        workSessionId: ctx.workSessionId ?? null,
+        changeRequestId: ctx.changeRequestId ?? null,
+        correlation_id: ctx.correlationId ?? null,
+        error_code: view.code,
+        error_category: view.category,
+        user_visible_message: (0, redact_secrets_1.redactSecrets)(view.what),
+        next_action: (0, redact_secrets_1.redactSecrets)(view.next),
+    };
+    Object.keys(payload).forEach((key) => {
+        const value = payload[key];
+        if (typeof value === "string") {
+            payload[key] = (0, redact_secrets_1.redactSecrets)(value);
+        }
+    });
+    process.stderr.write(`[agentbridge:failure] ${JSON.stringify(payload)}\n`);
+}