@bookedsolid/rea 0.1.0 → 0.2.0

package/dist/gateway/session.js

@@ -0,0 +1,17 @@
+/**
+ * Per-process session identifier. One `rea serve` invocation = one session_id.
+ * Matches how Claude Code's long-running sessions work today. Revisit when we
+ * add a streamable-HTTP transport that might serve multiple reconnecting
+ * clients.
+ */
+import crypto from 'node:crypto';
+let sessionId = null;
+export function currentSessionId() {
+    if (sessionId === null)
+        sessionId = crypto.randomUUID();
+    return sessionId;
+}
+/** Exposed for tests only — resets the module-level id. */
+export function __resetSessionForTests() {
+    sessionId = null;
+}

package/dist/policy/loader.d.ts

@@ -23,6 +23,43 @@ declare const PolicySchema: z.ZodObject<{
         delegate_to_subagent?: string[] | undefined;
         max_bash_output_lines?: number | undefined;
     }>>;
+    review: z.ZodOptional<z.ZodObject<{
+        codex_required: z.ZodOptional<z.ZodBoolean>;
+    }, "strict", z.ZodTypeAny, {
+        codex_required?: boolean | undefined;
+    }, {
+        codex_required?: boolean | undefined;
+    }>>;
+    redact: z.ZodOptional<z.ZodObject<{
+        match_timeout_ms: z.ZodOptional<z.ZodNumber>;
+        patterns: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            name: z.ZodString;
+            regex: z.ZodString;
+            flags: z.ZodOptional<z.ZodString>;
+        }, "strict", z.ZodTypeAny, {
+            name: string;
+            regex: string;
+            flags?: string | undefined;
+        }, {
+            name: string;
+            regex: string;
+            flags?: string | undefined;
+        }>, "many">>;
+    }, "strict", z.ZodTypeAny, {
+        match_timeout_ms?: number | undefined;
+        patterns?: {
+            name: string;
+            regex: string;
+            flags?: string | undefined;
+        }[] | undefined;
+    }, {
+        match_timeout_ms?: number | undefined;
+        patterns?: {
+            name: string;
+            regex: string;
+            flags?: string | undefined;
+        }[] | undefined;
+    }>>;
 }, "strict", z.ZodTypeAny, {
     version: string;
     profile: string;
@@ -39,6 +76,17 @@ declare const PolicySchema: z.ZodObject<{
         delegate_to_subagent: string[];
         max_bash_output_lines?: number | undefined;
     } | undefined;
+    review?: {
+        codex_required?: boolean | undefined;
+    } | undefined;
+    redact?: {
+        match_timeout_ms?: number | undefined;
+        patterns?: {
+            name: string;
+            regex: string;
+            flags?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }, {
     version: string;
     profile: string;
@@ -55,6 +103,17 @@ declare const PolicySchema: z.ZodObject<{
         delegate_to_subagent?: string[] | undefined;
         max_bash_output_lines?: number | undefined;
     } | undefined;
+    review?: {
+        codex_required?: boolean | undefined;
+    } | undefined;
+    redact?: {
+        match_timeout_ms?: number | undefined;
+        patterns?: {
+            name: string;
+            regex: string;
+            flags?: string | undefined;
+        }[] | undefined;
+    } | undefined;
 }>;
 /**
  * Async policy loader with TTL cache and mtime-based invalidation.

package/dist/policy/loader.js

@@ -3,6 +3,7 @@ import fsPromises from 'node:fs/promises';
 import path from 'node:path';
 import { parse as parseYaml } from 'yaml';
 import { z } from 'zod';
+import safeRegex from 'safe-regex';
 import { AutonomyLevel } from './types.js';
 const LEVEL_ORDER = {
     [AutonomyLevel.L0]: 0,
@@ -14,6 +15,37 @@ const ContextProtectionSchema = z.object({
     delegate_to_subagent: z.array(z.string()).default([]),
     max_bash_output_lines: z.number().int().positive().optional(),
 });
+/**
+ * G11.2: minimal review policy. Only `codex_required` is recognized today;
+ * G11.4 will expand this (profile defaults, reviewer pin, token caps).
+ * Kept strict so a typo (`codex_require`) fails loudly instead of silently
+ * defaulting.
+ */
+const ReviewPolicySchema = z
+    .object({
+    codex_required: z.boolean().optional(),
+})
+    .strict();
+/**
+ * G3: user-supplied redaction pattern. `name` is audit-stable; `regex` is a
+ * raw pattern source (no leading/trailing slashes); `flags` follows JS
+ * RegExp flag semantics. Every pattern is passed through `safe-regex` at
+ * load time — a flagged pattern rejects the entire policy load with an
+ * error that names the offender.
+ */
+const UserRedactPatternSchema = z
+    .object({
+    name: z.string().min(1),
+    regex: z.string().min(1),
+    flags: z.string().optional(),
+})
+    .strict();
+const RedactPolicySchema = z
+    .object({
+    match_timeout_ms: z.number().int().positive().optional(),
+    patterns: z.array(UserRedactPatternSchema).optional(),
+})
+    .strict();
 const PolicySchema = z
     .object({
     version: z.string(),
@@ -28,6 +60,8 @@ const PolicySchema = z
     notification_channel: z.string().default(''),
     injection_detection: z.enum(['block', 'warn']).optional(),
     context_protection: ContextProtectionSchema.optional(),
+    review: ReviewPolicySchema.optional(),
+    redact: RedactPolicySchema.optional(),
 })
     .strict();
 const DEFAULT_CACHE_TTL_MS = 30_000;
@@ -58,6 +92,34 @@ function applyMaxCeiling(policy) {
     }
     return policy;
 }
+/**
+ * G3: run every user-supplied redact pattern through `safe-regex`. A flagged
+ * pattern rejects the entire policy load with an error that names the
+ * offender. Also verifies the pattern actually compiles — a malformed regex
+ * source is a clear policy authoring bug and should fail loud.
+ */
+function checkUserRedactPatterns(policy, policyPath) {
+    const patterns = policy.redact?.patterns;
+    if (!patterns || patterns.length === 0)
+        return;
+    for (const entry of patterns) {
+        let compiled;
+        try {
+            compiled = new RegExp(entry.regex, entry.flags);
+        }
+        catch (err) {
+            throw new Error(`Invalid redact pattern "${entry.name}" at ${policyPath}: ` +
+                `cannot compile regex ${JSON.stringify(entry.regex)}` +
+                (entry.flags ? ` with flags ${JSON.stringify(entry.flags)}` : '') +
+                ` — ${err instanceof Error ? err.message : String(err)}`);
+        }
+        if (!safeRegex(compiled)) {
+            throw new Error(`Unsafe redact pattern "${entry.name}" at ${policyPath}: ` +
+                `safe-regex flagged ${JSON.stringify(entry.regex)} as potentially ReDoS-vulnerable. ` +
+                `Rewrite with bounded quantifiers / no nested repetition / no disjoint alternation.`);
+        }
+    }
+}
 function parseRawPolicy(raw, policyPath) {
     let parsed;
     try {
@@ -73,6 +135,9 @@ function parseRawPolicy(raw, policyPath) {
     catch (zodErr) {
         throw new Error(`Invalid policy schema at ${policyPath}: ${zodErr instanceof Error ? zodErr.message : zodErr}`);
     }
+    // G3: reject unsafe user-supplied redaction patterns. This runs BEFORE
+    // stripUndefined so the error references the user-authored field exactly.
+    checkUserRedactPatterns(parsedPolicy, policyPath);
     return applyMaxCeiling(stripUndefined(parsedPolicy));
 }
 function policyPathFor(baseDir) {

package/dist/policy/profiles.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Profile schema + merge helper used at `rea init` time.
+ *
+ * A profile is a named set of policy defaults shipped with the package under
+ * `profiles/*.yaml`. Profiles are NOT a runtime indirection — at init time the
+ * chosen profile is materialized literally into `.rea/policy.yaml`, so the
+ * resulting file is self-contained and survives `npm uninstall @bookedsolid/rea`.
+ *
+ * Merge order (lowest to highest precedence):
+ *   hardDefaults ← profile ← reagentTranslation ← wizardAnswers
+ *
+ * Hard defaults come from this module; profile YAMLs come from `profiles/`;
+ * reagent translation is applied by `cli/install/reagent.ts`; wizard answers
+ * come from `cli/init.ts` (interactive or `--yes`).
+ */
+import { z } from 'zod';
+import { AutonomyLevel } from './types.js';
+/**
+ * Profile is PolicySchema with every field optional. Strict mode still rejects
+ * unknown keys so a typo in a profile YAML fails loudly at init time rather
+ * than silently getting dropped on the floor.
+ */
+export declare const ProfileSchema: z.ZodObject<{
+    autonomy_level: z.ZodOptional<z.ZodNativeEnum<typeof AutonomyLevel>>;
+    max_autonomy_level: z.ZodOptional<z.ZodNativeEnum<typeof AutonomyLevel>>;
+    promotion_requires_human_approval: z.ZodOptional<z.ZodBoolean>;
+    block_ai_attribution: z.ZodOptional<z.ZodBoolean>;
+    blocked_paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    notification_channel: z.ZodOptional<z.ZodString>;
+    injection_detection: z.ZodOptional<z.ZodEnum<["block", "warn"]>>;
+    context_protection: z.ZodOptional<z.ZodObject<{
+        delegate_to_subagent: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        max_bash_output_lines: z.ZodOptional<z.ZodNumber>;
+    }, "strict", z.ZodTypeAny, {
+        delegate_to_subagent?: string[] | undefined;
+        max_bash_output_lines?: number | undefined;
+    }, {
+        delegate_to_subagent?: string[] | undefined;
+        max_bash_output_lines?: number | undefined;
+    }>>;
+}, "strict", z.ZodTypeAny, {
+    autonomy_level?: AutonomyLevel | undefined;
+    max_autonomy_level?: AutonomyLevel | undefined;
+    promotion_requires_human_approval?: boolean | undefined;
+    block_ai_attribution?: boolean | undefined;
+    blocked_paths?: string[] | undefined;
+    notification_channel?: string | undefined;
+    injection_detection?: "block" | "warn" | undefined;
+    context_protection?: {
+        delegate_to_subagent?: string[] | undefined;
+        max_bash_output_lines?: number | undefined;
+    } | undefined;
+}, {
+    autonomy_level?: AutonomyLevel | undefined;
+    max_autonomy_level?: AutonomyLevel | undefined;
+    promotion_requires_human_approval?: boolean | undefined;
+    block_ai_attribution?: boolean | undefined;
+    blocked_paths?: string[] | undefined;
+    notification_channel?: string | undefined;
+    injection_detection?: "block" | "warn" | undefined;
+    context_protection?: {
+        delegate_to_subagent?: string[] | undefined;
+        max_bash_output_lines?: number | undefined;
+    } | undefined;
+}>;
+export type Profile = z.infer<typeof ProfileSchema>;
+/** Hard defaults applied before any profile or wizard answer. */
+export declare const HARD_DEFAULTS: Profile;
+/**
+ * Shallow merge: `override` wins per top-level key when defined.
+ * Arrays are replaced, not concatenated — a profile that declares
+ * `blocked_paths` fully owns that list.
+ */
+export declare function mergeProfiles(base: Profile, override: Profile): Profile;
+/**
+ * Resolve `profiles/${name}.yaml` relative to the package root. Returns `null`
+ * when the profile file is absent; callers should fall through to hard defaults
+ * in that case and print a warning.
+ */
+export declare function loadProfile(name: string): Profile | null;

package/dist/policy/profiles.js

@@ -0,0 +1,94 @@
+/**
+ * Profile schema + merge helper used at `rea init` time.
+ *
+ * A profile is a named set of policy defaults shipped with the package under
+ * `profiles/*.yaml`. Profiles are NOT a runtime indirection — at init time the
+ * chosen profile is materialized literally into `.rea/policy.yaml`, so the
+ * resulting file is self-contained and survives `npm uninstall @bookedsolid/rea`.
+ *
+ * Merge order (lowest to highest precedence):
+ *   hardDefaults ← profile ← reagentTranslation ← wizardAnswers
+ *
+ * Hard defaults come from this module; profile YAMLs come from `profiles/`;
+ * reagent translation is applied by `cli/install/reagent.ts`; wizard answers
+ * come from `cli/init.ts` (interactive or `--yes`).
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+import { z } from 'zod';
+import { AutonomyLevel } from './types.js';
+import { PKG_ROOT } from '../cli/utils.js';
+const ContextProtectionProfileSchema = z
+    .object({
+    delegate_to_subagent: z.array(z.string()).optional(),
+    max_bash_output_lines: z.number().int().positive().optional(),
+})
+    .strict();
+/**
+ * Profile is PolicySchema with every field optional. Strict mode still rejects
+ * unknown keys so a typo in a profile YAML fails loudly at init time rather
+ * than silently getting dropped on the floor.
+ */
+export const ProfileSchema = z
+    .object({
+    autonomy_level: z.nativeEnum(AutonomyLevel).optional(),
+    max_autonomy_level: z.nativeEnum(AutonomyLevel).optional(),
+    promotion_requires_human_approval: z.boolean().optional(),
+    block_ai_attribution: z.boolean().optional(),
+    blocked_paths: z.array(z.string()).optional(),
+    notification_channel: z.string().optional(),
+    injection_detection: z.enum(['block', 'warn']).optional(),
+    context_protection: ContextProtectionProfileSchema.optional(),
+})
+    .strict();
+/** Hard defaults applied before any profile or wizard answer. */
+export const HARD_DEFAULTS = {
+    autonomy_level: AutonomyLevel.L1,
+    max_autonomy_level: AutonomyLevel.L2,
+    promotion_requires_human_approval: true,
+    block_ai_attribution: true,
+    blocked_paths: ['.env', '.env.*'],
+    notification_channel: '',
+};
+/**
+ * Shallow merge: `override` wins per top-level key when defined.
+ * Arrays are replaced, not concatenated — a profile that declares
+ * `blocked_paths` fully owns that list.
+ */
+export function mergeProfiles(base, override) {
+    const merged = { ...base };
+    for (const [k, v] of Object.entries(override)) {
+        if (v !== undefined) {
+            merged[k] = v;
+        }
+    }
+    return merged;
+}
+/**
+ * Resolve `profiles/${name}.yaml` relative to the package root. Returns `null`
+ * when the profile file is absent; callers should fall through to hard defaults
+ * in that case and print a warning.
+ */
+export function loadProfile(name) {
+    const profilePath = path.join(PKG_ROOT, 'profiles', `${name}.yaml`);
+    if (!fs.existsSync(profilePath))
+        return null;
+    const raw = fs.readFileSync(profilePath, 'utf8');
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch (err) {
+        throw new Error(`Failed to parse profile YAML at ${profilePath}: ${err instanceof Error ? err.message : err}`);
+    }
+    // Empty YAML file → parseYaml returns null; treat as empty profile.
+    if (parsed === null || parsed === undefined)
+        return {};
+    try {
+        return ProfileSchema.parse(parsed);
+    }
+    catch (err) {
+        throw new Error(`Invalid profile schema at ${profilePath}: ${err instanceof Error ? err.message : err}`);
+    }
+}

package/dist/policy/types.d.ts

@@ -18,6 +18,42 @@ export interface ContextProtection {
     delegate_to_subagent: string[];
     max_bash_output_lines?: number;
 }
+/**
+ * Review policy knobs. G11.2 only needs `codex_required` as an optional
+ * signal to the reviewer selector; G11.4 will flesh this out into a full
+ * first-class no-Codex mode (profile defaults, init defaults, etc.).
+ */
+export interface ReviewPolicy {
+    /**
+     * When `false`, the selector treats ClaudeSelfReviewer as the preferred
+     * reviewer (not degraded). When `true` or unset, Codex is preferred and
+     * a ClaudeSelfReviewer result is marked `degraded: true` in the audit
+     * log. Default when unset is `true` (Codex required).
+     */
+    codex_required?: boolean;
+}
+/**
+ * User-supplied redaction pattern entry. Each pattern has a stable `name` used
+ * in audit events, a raw `regex` source string, and optional `flags`. The
+ * loader validates every pattern via `safe-regex` at load time (G3) — any
+ * pattern flagged unsafe fails the load with a specific error naming the
+ * offender. The `regex` source is compiled inside a `SafeRegex` timeout
+ * wrapper by the gateway at middleware-creation time.
+ */
+export interface UserRedactPattern {
+    name: string;
+    regex: string;
+    flags?: string;
+}
+/**
+ * Redaction policy knobs (G3). `match_timeout_ms` bounds every per-call regex
+ * execution; `patterns` are user-supplied regexes layered on top of the
+ * built-in SECRET_PATTERNS.
+ */
+export interface RedactPolicy {
+    match_timeout_ms?: number;
+    patterns?: UserRedactPattern[];
+}
 export interface Policy {
     version: string;
     profile: string;
@@ -31,4 +67,6 @@ export interface Policy {
     notification_channel: string;
     injection_detection?: 'block' | 'warn';
     context_protection?: ContextProtection;
+    review?: ReviewPolicy;
+    redact?: RedactPolicy;
 }

package/dist/registry/loader.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Registry loader — parses `.rea/registry.yaml`, validates with zod, and
+ * caches the result with the same TTL + mtime-invalidation pattern as
+ * `src/policy/loader.ts`. Keep the two loaders structurally similar; if one
+ * gets a new invariant (e.g. cross-process locking), the other probably
+ * needs it too.
+ */
+import { z } from 'zod';
+import { Tier } from '../policy/types.js';
+import type { Registry } from './types.js';
+declare const RegistryServerSchema: z.ZodObject<{
+    name: z.ZodString;
+    command: z.ZodString;
+    args: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    env: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+    env_passthrough: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
+    tier_overrides: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodNativeEnum<typeof Tier>>>;
+    enabled: z.ZodDefault<z.ZodBoolean>;
+}, "strict", z.ZodTypeAny, {
+    name: string;
+    command: string;
+    args: string[];
+    env: Record<string, string>;
+    enabled: boolean;
+    env_passthrough?: string[] | undefined;
+    tier_overrides?: Record<string, Tier> | undefined;
+}, {
+    name: string;
+    command: string;
+    args?: string[] | undefined;
+    env?: Record<string, string> | undefined;
+    env_passthrough?: string[] | undefined;
+    tier_overrides?: Record<string, Tier> | undefined;
+    enabled?: boolean | undefined;
+}>;
+declare const RegistrySchema: z.ZodObject<{
+    version: z.ZodLiteral<"1">;
+    servers: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        command: z.ZodString;
+        args: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        env: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+        env_passthrough: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
+        tier_overrides: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodNativeEnum<typeof Tier>>>;
+        enabled: z.ZodDefault<z.ZodBoolean>;
+    }, "strict", z.ZodTypeAny, {
+        name: string;
+        command: string;
+        args: string[];
+        env: Record<string, string>;
+        enabled: boolean;
+        env_passthrough?: string[] | undefined;
+        tier_overrides?: Record<string, Tier> | undefined;
+    }, {
+        name: string;
+        command: string;
+        args?: string[] | undefined;
+        env?: Record<string, string> | undefined;
+        env_passthrough?: string[] | undefined;
+        tier_overrides?: Record<string, Tier> | undefined;
+        enabled?: boolean | undefined;
+    }>, "many">>;
+    reviewer: z.ZodOptional<z.ZodEnum<["codex", "claude-self"]>>;
+}, "strict", z.ZodTypeAny, {
+    version: "1";
+    servers: {
+        name: string;
+        command: string;
+        args: string[];
+        env: Record<string, string>;
+        enabled: boolean;
+        env_passthrough?: string[] | undefined;
+        tier_overrides?: Record<string, Tier> | undefined;
+    }[];
+    reviewer?: "codex" | "claude-self" | undefined;
+}, {
+    version: "1";
+    servers?: {
+        name: string;
+        command: string;
+        args?: string[] | undefined;
+        env?: Record<string, string> | undefined;
+        env_passthrough?: string[] | undefined;
+        tier_overrides?: Record<string, Tier> | undefined;
+        enabled?: boolean | undefined;
+    }[] | undefined;
+    reviewer?: "codex" | "claude-self" | undefined;
+}>;
+/**
+ * Async registry loader with TTL cache and mtime-based invalidation.
+ * Mirrors the contract of `loadPolicyAsync` — see its header for the
+ * security/concurrency rationale.
+ */
+export declare function loadRegistryAsync(baseDir: string): Promise<Registry>;
+/** Synchronous loader — for CLI startup paths. No cache. */
+export declare function loadRegistry(baseDir: string): Registry;
+export declare function invalidateRegistryCache(baseDir?: string): void;
+export { RegistrySchema, RegistryServerSchema };

package/dist/registry/loader.js

@@ -0,0 +1,153 @@
+/**
+ * Registry loader — parses `.rea/registry.yaml`, validates with zod, and
+ * caches the result with the same TTL + mtime-invalidation pattern as
+ * `src/policy/loader.ts`. Keep the two loaders structurally similar; if one
+ * gets a new invariant (e.g. cross-process locking), the other probably
+ * needs it too.
+ */
+import fs from 'node:fs';
+import fsPromises from 'node:fs/promises';
+import path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+import { z } from 'zod';
+import { Tier } from '../policy/types.js';
+/**
+ * Regex used to refuse passthrough of var names that look like secrets.
+ * Explicit `env:` mapping is the escape hatch — if a user types the value into
+ * the registry, the operator has consciously authorized it. Passthrough pulls
+ * from the host environment silently, so we refuse secret-looking names there.
+ */
+const SECRET_NAME_HEURISTIC = /(TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL)/i;
+const RegistryServerSchema = z
+    .object({
+    name: z
+        .string()
+        .regex(/^[a-z0-9][a-z0-9-]*$/, 'server name must be lowercase-kebab and cannot start with a dash'),
+    command: z.string().min(1),
+    args: z.array(z.string()).default([]),
+    env: z.record(z.string()).default({}),
+    env_passthrough: z
+        .array(z
+        .string()
+        .regex(/^[A-Za-z_][A-Za-z0-9_]*$/, 'env var name must match POSIX identifier syntax')
+        .refine((name) => !SECRET_NAME_HEURISTIC.test(name), (name) => ({
+        message: `env_passthrough refuses secret-looking name "${name}" — use an explicit env: mapping instead`,
+    })))
+        .optional(),
+    tier_overrides: z.record(z.nativeEnum(Tier)).optional(),
+    enabled: z.boolean().default(true),
+})
+    .strict();
+/**
+ * G11.2: optional `reviewer:` pin at the registry top level. Values are
+ * intentionally constrained to the two reviewers the selector knows how
+ * to dispatch — an unknown string (e.g. a typo'd `claude_self`) is
+ * rejected at parse time, same as `env_passthrough` does for secret-looking
+ * names. If we grow a third reviewer, extend this enum alongside the
+ * RegistryReviewer type.
+ */
+const RegistryReviewerSchema = z.enum(['codex', 'claude-self']);
+const RegistrySchema = z
+    .object({
+    version: z.literal('1'),
+    servers: z.array(RegistryServerSchema).default([]),
+    reviewer: RegistryReviewerSchema.optional(),
+})
+    .strict();
+const DEFAULT_CACHE_TTL_MS = 30_000;
+const REA_DIR = '.rea';
+const REGISTRY_FILE = 'registry.yaml';
+const cache = new Map();
+const inflight = new Map();
+function registryPathFor(baseDir) {
+    return path.join(baseDir, REA_DIR, REGISTRY_FILE);
+}
+function stripUndefined(input) {
+    const servers = input.servers.map((s) => {
+        const out = {
+            name: s.name,
+            command: s.command,
+            args: s.args,
+            env: s.env,
+            enabled: s.enabled,
+        };
+        if (s.env_passthrough !== undefined)
+            out.env_passthrough = s.env_passthrough;
+        if (s.tier_overrides !== undefined)
+            out.tier_overrides = s.tier_overrides;
+        return out;
+    });
+    const out = { version: input.version, servers };
+    if (input.reviewer !== undefined)
+        out.reviewer = input.reviewer;
+    return out;
+}
+function parseRaw(raw, filePath) {
+    let parsed;
+    try {
+        parsed = parseYaml(raw);
+    }
+    catch (err) {
+        throw new Error(`Failed to parse registry YAML at ${filePath}: ${err instanceof Error ? err.message : err}`);
+    }
+    // Empty file → treat as an empty registry so `rea init` + no edits still works.
+    const normalized = parsed === null || parsed === undefined ? { version: '1', servers: [] } : parsed;
+    try {
+        return stripUndefined(RegistrySchema.parse(normalized));
+    }
+    catch (err) {
+        throw new Error(`Invalid registry schema at ${filePath}: ${err instanceof Error ? err.message : err}`);
+    }
+}
+async function readFromDisk(baseDir, filePath, currentMtime) {
+    const raw = await fsPromises.readFile(filePath, 'utf8');
+    const registry = parseRaw(raw, filePath);
+    cache.set(baseDir, { registry, cachedAt: Date.now(), mtimeMs: currentMtime });
+    return registry;
+}
+/**
+ * Async registry loader with TTL cache and mtime-based invalidation.
+ * Mirrors the contract of `loadPolicyAsync` — see its header for the
+ * security/concurrency rationale.
+ */
+export async function loadRegistryAsync(baseDir) {
+    const filePath = registryPathFor(baseDir);
+    const ttlMs = Number(process.env.REA_REGISTRY_CACHE_TTL_MS ?? DEFAULT_CACHE_TTL_MS);
+    const now = Date.now();
+    let currentMtime;
+    try {
+        const stat = await fsPromises.stat(filePath);
+        currentMtime = stat.mtimeMs;
+    }
+    catch {
+        throw new Error(`Registry file not found: ${filePath}`);
+    }
+    const cached = cache.get(baseDir);
+    if (cached !== undefined && cached.mtimeMs === currentMtime && now - cached.cachedAt < ttlMs) {
+        return cached.registry;
+    }
+    const pending = inflight.get(baseDir);
+    if (pending)
+        return pending;
+    const read = readFromDisk(baseDir, filePath, currentMtime).finally(() => {
+        inflight.delete(baseDir);
+    });
+    inflight.set(baseDir, read);
+    return read;
+}
+/** Synchronous loader — for CLI startup paths. No cache. */
+export function loadRegistry(baseDir) {
+    const filePath = registryPathFor(baseDir);
+    if (!fs.existsSync(filePath)) {
+        throw new Error(`Registry file not found: ${filePath}`);
+    }
+    const raw = fs.readFileSync(filePath, 'utf8');
+    return parseRaw(raw, filePath);
+}
+export function invalidateRegistryCache(baseDir) {
+    if (baseDir === undefined)
+        cache.clear();
+    else
+        cache.delete(baseDir);
+}
+export { RegistrySchema, RegistryServerSchema };