@c956180462/awbs 0.0.1

package/src/usecases/index.ts

@@ -0,0 +1,136 @@
+import { join, relative } from "node:path";
+import { INDEX_PATH, SUMMARY_PATH } from "../domain/constants.ts";
+import { assertUserDataPath } from "../domain/path-policy.ts";
+import { fromPosixPath, normalizeUserPath, toPosixPath } from "../domain/paths.ts";
+import type { IndexEntry, IndexKind, IndexStatus, SummaryEntry } from "../domain/types.ts";
+import type { FileDatabasePort } from "../ports/file-database.ts";
+import type { GitPort } from "../ports/git.ts";
+import type { IndexStorePort } from "../ports/index-store.ts";
+import type { SummaryStorePort } from "../ports/summary-store.ts";
+import { requireTrustedCommit, withTrustedWorktree } from "./trusted-chain.ts";
+
+export type IndexUseCases = {
+  rebuildIndex(cwd: string): { active: number; removed: number; path: string };
+  queryIndex(cwd: string, term: string | null, options: { json?: boolean; status?: IndexStatus | "all" }): IndexEntry[];
+  setSummary(cwd: string, args: { path: string; summary: string }): SummaryEntry;
+  getSummary(cwd: string, path: string): SummaryEntry | null;
+  listSummaries(cwd: string): SummaryEntry[];
+};
+
+export function createIndexUseCases(deps: {
+  files: FileDatabasePort;
+  git: GitPort;
+  index: IndexStorePort;
+  summaries: SummaryStorePort;
+}): IndexUseCases {
+  return {
+    rebuildIndex(cwd: string): { active: number; removed: number; path: string } {
+      const root = deps.files.findProjectRoot(cwd);
+      const indexFile = join(root, INDEX_PATH);
+      const oldEntries = deps.index.readIndex(indexFile);
+      const commit = requireTrustedCommit(deps.git, root);
+      const activePaths = new Set<string>();
+      const nextEntries: IndexEntry[] = [];
+
+      withTrustedWorktree(deps, root, commit, "awbs-index-", (trustedRoot) => {
+        for (const fileEntry of deps.files.walkIndexableEntries(trustedRoot)) {
+          const absPath = join(trustedRoot, fromPosixPath(fileEntry.path));
+          const entry: IndexEntry = {
+            path: fileEntry.path,
+            kind: fileEntry.kind,
+            sha256: fileEntry.sha256,
+            size: fileEntry.size,
+            mtime: fileEntry.mtime,
+            commit,
+            status: "active",
+            ...resolveSummary(deps.summaries, join(root, SUMMARY_PATH), absPath, fileEntry.path, fileEntry.kind, fileEntry.sha256)
+          };
+          activePaths.add(fileEntry.path);
+          nextEntries.push(entry);
+        }
+      });
+
+      for (const oldEntry of oldEntries) {
+        if (!activePaths.has(oldEntry.path)) {
+          nextEntries.push({
+            ...oldEntry,
+            status: "removed",
+            summary: oldEntry.summary || `Removed ${oldEntry.kind}: ${oldEntry.path}`,
+            summarySource: oldEntry.summarySource ?? "fallback"
+          });
+        }
+      }
+
+      nextEntries.sort((a, b) => a.path.localeCompare(b.path));
+      deps.index.writeIndex(indexFile, nextEntries);
+
+      return {
+        active: nextEntries.filter((entry) => entry.status === "active").length,
+        removed: nextEntries.filter((entry) => entry.status === "removed").length,
+        path: toPosixPath(relative(root, indexFile))
+      };
+    },
+
+    queryIndex(cwd: string, term: string | null, options: { json?: boolean; status?: IndexStatus | "all" }): IndexEntry[] {
+      const root = deps.files.findProjectRoot(cwd);
+      const indexFile = join(root, INDEX_PATH);
+      return deps.index.queryIndex(indexFile, term, { status: options.status });
+    },
+
+    setSummary(cwd: string, args: { path: string; summary: string }): SummaryEntry {
+      const root = deps.files.findProjectRoot(cwd);
+      const relPath = normalizeUserPath(args.path);
+      assertUserDataPath(relPath, "write a summary for");
+      const commit = requireTrustedCommit(deps.git, root);
+      let kind: IndexKind | "unknown" = "unknown";
+      let sha256: string | null = null;
+      withTrustedWorktree(deps, root, commit, "awbs-summary-", (trustedRoot) => {
+        const absPath = join(trustedRoot, fromPosixPath(relPath));
+        const exists = deps.files.pathExists(absPath);
+        kind = exists ? (deps.files.isDirectory(absPath) ? "directory" : "file") : "unknown";
+        sha256 = exists && kind === "file" ? deps.files.sha256File(absPath) : null;
+      });
+      return deps.summaries.writeSummary(join(root, SUMMARY_PATH), {
+        path: relPath,
+        kind,
+        sha256,
+        commit,
+        summary: args.summary
+      });
+    },
+
+    getSummary(cwd: string, path: string): SummaryEntry | null {
+      const root = deps.files.findProjectRoot(cwd);
+      const relPath = normalizeUserPath(path);
+      assertUserDataPath(relPath, "read a summary for");
+      const commit = requireTrustedCommit(deps.git, root);
+      let sha256: string | null = null;
+      withTrustedWorktree(deps, root, commit, "awbs-summary-", (trustedRoot) => {
+        const absPath = join(trustedRoot, fromPosixPath(relPath));
+        sha256 = deps.files.pathExists(absPath) && !deps.files.isDirectory(absPath) ? deps.files.sha256File(absPath) : null;
+      });
+      return deps.summaries.findSummary(join(root, SUMMARY_PATH), relPath, sha256);
+    },
+
+    listSummaries(cwd: string): SummaryEntry[] {
+      const root = deps.files.findProjectRoot(cwd);
+      return deps.summaries.readSummaries(join(root, SUMMARY_PATH));
+    }
+  };
+}
+
+function resolveSummary(
+  summaries: SummaryStorePort,
+  summaryFile: string,
+  absPath: string,
+  relPath: string,
+  kind: IndexKind,
+  sha256: string | null
+): { summary: string; summarySource: "external" | "path-level" | "fallback" } {
+  const external = summaries.findSummary(summaryFile, relPath, sha256);
+  if (external) {
+    const summarySource = sha256 !== null && external.sha256 === null ? "path-level" : "external";
+    return { summary: external.summary, summarySource };
+  }
+  return { summary: summaries.fallbackSummary(absPath, relPath, kind), summarySource: "fallback" };
+}

package/src/usecases/init.ts

@@ -0,0 +1,48 @@
+import { join } from "node:path";
+import { AWBS_DIR } from "../domain/constants.ts";
+import type { AuthorityPort } from "../ports/authority.ts";
+import type { FileDatabasePort } from "../ports/file-database.ts";
+import type { GitPort } from "../ports/git.ts";
+
+export type InitUseCases = {
+  initProject(cwd: string): void;
+};
+
+export function createInitUseCases(deps: { files: FileDatabasePort; git: GitPort; authority: AuthorityPort }): InitUseCases {
+  return {
+    initProject(cwd: string): void {
+      if (!deps.git.isRepository(cwd)) {
+        deps.git.init(cwd);
+      }
+
+      deps.files.ensureDir(join(cwd, AWBS_DIR, "index"));
+      deps.files.ensureDir(join(cwd, AWBS_DIR, "summaries"));
+      deps.files.ensureDir(join(cwd, AWBS_DIR, "views"));
+      deps.files.ensureDir(join(cwd, AWBS_DIR, "changesets"));
+      deps.authority.ensureInitialized(cwd);
+
+      const configPath = join(cwd, AWBS_DIR, "config.json");
+      if (!deps.files.pathExists(configPath)) {
+        deps.files.writeJson(configPath, {
+          schemaVersion: 1,
+          name: "awbs-project",
+          createdAt: new Date().toISOString()
+        });
+      }
+
+      const awbsGitignore = join(cwd, AWBS_DIR, ".gitignore");
+      const ignored = ensureIgnoredLines(deps.files.pathExists(awbsGitignore) ? deps.files.readText(awbsGitignore) : "", ["/index/", "/views/", "/changesets/", "/private/"]);
+      deps.files.writeText(awbsGitignore, ignored);
+    }
+  };
+}
+
+function ensureIgnoredLines(existing: string, required: string[]): string {
+  const lines = existing.split(/\r?\n/).filter(Boolean);
+  for (const line of required) {
+    if (!lines.includes(line)) {
+      lines.push(line);
+    }
+  }
+  return `${lines.join("\n")}\n`;
+}

package/src/usecases/ledger.ts

@@ -0,0 +1,146 @@
+import { TRUSTED_REF } from "../domain/constants.ts";
+import { AwbsError } from "../domain/errors.ts";
+import { contentHash } from "../domain/hash.ts";
+import type { AuthorityLedger, AuthorityLedgerInspectReport } from "../domain/authority-types.ts";
+import { filterIgnoredStatus } from "../domain/paths.ts";
+import type { AuthorityPort } from "../ports/authority.ts";
+import type { FileDatabasePort } from "../ports/file-database.ts";
+import type { GitPort } from "../ports/git.ts";
+import { withTrustedWorktree } from "./trusted-chain.ts";
+
+export type LedgerBootstrapResult = {
+  parentTrustedCommit: string;
+  currentTrustedCommit: string;
+  headEntryId: string | null;
+};
+
+export type LedgerUseCases = {
+  bootstrapLedger(cwd: string): LedgerBootstrapResult;
+  inspectLedger(cwd: string): AuthorityLedgerInspectReport;
+  verifyLedger(cwd: string): AuthorityLedgerInspectReport;
+  formatLedgerReport(report: AuthorityLedgerInspectReport): string;
+};
+
+export function createLedgerUseCases(deps: { files: FileDatabasePort; git: GitPort; authority: AuthorityPort }): LedgerUseCases {
+  return {
+    bootstrapLedger(cwd: string): LedgerBootstrapResult {
+      const root = deps.files.findProjectRoot(cwd);
+      deps.authority.ensureInitialized(root);
+      if (deps.git.refCommit(root, TRUSTED_REF) || deps.authority.hasLedger(root)) {
+        throw new AwbsError("AWBS trusted chain is already bootstrapped.");
+      }
+
+      const parentTrustedCommit = deps.git.requireHeadCommit(root);
+      const dirtyBefore = filterIgnoredStatus(deps.git.statusPorcelain(root), root, [".awbs/authority/catalog.mirror.json"]);
+      if (dirtyBefore.trim().length > 0) {
+        throw new AwbsError(`Working tree must be clean before bootstrapping the trusted chain:\n${dirtyBefore}`);
+      }
+
+      const ledger = deps.authority.bootstrapLedger(root, parentTrustedCommit);
+      deps.git.addAll(root, [".awbs/authority"]);
+      deps.git.commit(root, `awbs: bootstrap trusted chain\n\nAWBS-Ledger-Entry: ${ledger.headEntryId ?? ""}`);
+      const currentTrustedCommit = deps.git.requireHeadCommit(root);
+      deps.git.updateRef(root, TRUSTED_REF, currentTrustedCommit);
+      return {
+        parentTrustedCommit,
+        currentTrustedCommit,
+        headEntryId: ledger.headEntryId
+      };
+    },
+
+    inspectLedger(cwd: string): AuthorityLedgerInspectReport {
+      const root = deps.files.findProjectRoot(cwd);
+      return inspectTrustedLedger(deps, root);
+    },
+
+    verifyLedger(cwd: string): AuthorityLedgerInspectReport {
+      const root = deps.files.findProjectRoot(cwd);
+      return inspectTrustedLedger(deps, root);
+    },
+
+    formatLedgerReport(report: AuthorityLedgerInspectReport): string {
+      const lines = [
+        `Trusted chain: ${report.ok ? "ok" : "failed"}`,
+        `Current trusted commit: ${report.currentTrustedCommit ?? "(none)"}`,
+        `Head entry: ${report.headEntryId ?? "(none)"}`,
+        `Entries: ${report.entries}`
+      ];
+      if (report.errors.length > 0) {
+        lines.push("", "Errors:");
+        for (const error of report.errors) {
+          lines.push(`  ${error}`);
+        }
+      }
+      return lines.join("\n");
+    }
+  };
+}
+
+export function inspectTrustedLedger(
+  deps: { files: FileDatabasePort; git: GitPort; authority: AuthorityPort },
+  root: string
+): AuthorityLedgerInspectReport {
+  const errors: string[] = [];
+  const currentTrustedCommit = deps.git.refCommit(root, TRUSTED_REF);
+  let ledger: AuthorityLedger | null = null;
+
+  if (!currentTrustedCommit) {
+    errors.push("AWBS trusted chain is not bootstrapped.");
+  } else {
+    try {
+      withTrustedWorktree(deps, root, currentTrustedCommit, "awbs-ledger-", (trustedRoot) => {
+        ledger = deps.authority.readLedger(trustedRoot);
+      });
+      const headEntry = ledger?.entries.find((entry) => entry.entryId === ledger?.headEntryId);
+      if (!headEntry) {
+        errors.push("Trusted ledger head entry is missing.");
+      }
+      if (ledger) {
+        errors.push(...verifyLedgerHashChain(ledger));
+      }
+    } catch (error) {
+      errors.push(error instanceof Error ? error.message : String(error));
+    }
+  }
+
+  return {
+    ok: errors.length === 0,
+    currentTrustedCommit,
+    headEntryId: ledger?.headEntryId ?? null,
+    entries: ledger?.entries.length ?? 0,
+    errors,
+    ledger
+  };
+}
+
+function verifyLedgerHashChain(ledger: AuthorityLedger): string[] {
+  const errors: string[] = [];
+  let previousHash: string | null = null;
+  const seen = new Set<string>();
+
+  for (const entry of ledger.entries) {
+    if (seen.has(entry.entryId)) {
+      errors.push(`Duplicate ledger entry id: ${entry.entryId}`);
+    }
+    seen.add(entry.entryId);
+
+    if (entry.previousEntryHash !== previousHash) {
+      errors.push(`Ledger entry ${entry.entryId} does not link to the previous entry hash.`);
+    }
+    if (entry.entryHash !== ledgerEntryHash(entry)) {
+      errors.push(`Ledger entry ${entry.entryId} hash mismatch.`);
+    }
+    previousHash = entry.entryHash;
+  }
+
+  const last = ledger.entries.at(-1);
+  if (last && ledger.headEntryId !== last.entryId) {
+    errors.push("Trusted ledger head entry is not the latest ledger entry.");
+  }
+  return errors;
+}
+
+function ledgerEntryHash(entry: AuthorityLedger["entries"][number]): string {
+  const { entryHash: _entryHash, ...hashable } = entry;
+  return contentHash(hashable);
+}

package/src/usecases/session.ts

@@ -0,0 +1,48 @@
+import type { AuthoritySessionControlInput, AuthoritySessionRecoverResult, AuthoritySessionStartResult, AuthoritySessionStatusReport, AuthoritySessionStopResult } from "../domain/session-types.ts";
+import type { AuthoritySessionPort } from "../ports/authority-session.ts";
+
+export type AuthoritySessionUseCases = {
+  startSession(cwd: string, input: AuthoritySessionControlInput): Promise<AuthoritySessionStartResult>;
+  statusSession(cwd: string): AuthoritySessionStatusReport;
+  stopSession(cwd: string, controllerToken: string): AuthoritySessionStopResult;
+  recoverSession(cwd: string, recoverySecret: string): AuthoritySessionRecoverResult;
+  formatStatus(report: AuthoritySessionStatusReport): string;
+};
+
+export function createAuthoritySessionUseCases(deps: { session: AuthoritySessionPort }): AuthoritySessionUseCases {
+  return {
+    startSession(cwd: string, input: AuthoritySessionControlInput): Promise<AuthoritySessionStartResult> {
+      return deps.session.start(cwd, input);
+    },
+
+    statusSession(cwd: string): AuthoritySessionStatusReport {
+      return deps.session.status(cwd);
+    },
+
+    stopSession(cwd: string, controllerToken: string): AuthoritySessionStopResult {
+      return deps.session.stop(cwd, controllerToken);
+    },
+
+    recoverSession(cwd: string, recoverySecret: string): AuthoritySessionRecoverResult {
+      return deps.session.recover(cwd, recoverySecret);
+    },
+
+    formatStatus(report: AuthoritySessionStatusReport): string {
+      const lines = [
+        `Authority session: ${report.status}`,
+        `Active: ${report.active ? "yes" : "no"}`,
+        `Repo: ${report.repoId ?? "(none)"}`,
+        `PID: ${report.pid ?? "(none)"}`,
+        `Endpoint: ${report.socketPath ?? "(none)"}`,
+        `Started: ${report.startedAt ?? "(none)"}`
+      ];
+      if (report.errors.length > 0) {
+        lines.push("", "Errors:");
+        for (const error of report.errors) {
+          lines.push(`  ${error}`);
+        }
+      }
+      return lines.join("\n");
+    }
+  };
+}

package/src/usecases/trusted-chain.ts

@@ -0,0 +1,56 @@
+import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join, relative, resolve } from "node:path";
+import { TRUSTED_REF } from "../domain/constants.ts";
+import { AwbsError } from "../domain/errors.ts";
+import type { FileDatabasePort } from "../ports/file-database.ts";
+import type { GitPort } from "../ports/git.ts";
+
+export function requireTrustedCommit(git: GitPort, root: string): string {
+  const trustedCommit = git.refCommit(root, TRUSTED_REF);
+  if (!trustedCommit) {
+    throw new AwbsError("AWBS trusted chain is not bootstrapped. Run `awbs ledger bootstrap` after creating an initial Git commit.");
+  }
+  return trustedCommit;
+}
+
+export function withTrustedWorktree<T>(
+  deps: { files: FileDatabasePort; git: GitPort },
+  root: string,
+  commit: string,
+  prefix: string,
+  fn: (worktreeRoot: string) => T
+): T {
+  const parent = mkdtempSync(join(tmpdir(), prefix));
+  const worktreeRoot = join(parent, "worktree");
+  try {
+    deps.git.createDetachedWorktree(root, worktreeRoot, commit);
+    copyPrivateMaterial(deps.files, root, worktreeRoot);
+    return fn(worktreeRoot);
+  } finally {
+    try {
+      deps.git.removeWorktree(root, worktreeRoot);
+    } catch {
+      // Best-effort cleanup; the caller's primary error should remain visible.
+    }
+    rmSync(parent, { recursive: true, force: true });
+  }
+}
+
+function copyPrivateMaterial(files: FileDatabasePort, root: string, worktreeRoot: string): void {
+  const source = join(root, ".awbs", "private");
+  const destination = join(worktreeRoot, ".awbs", "private");
+  if (!existsSync(source)) {
+    return;
+  }
+  files.copyPath(source, destination);
+}
+
+export function assertInsideParent(parent: string, child: string): void {
+  const normalizedParent = resolve(parent);
+  const normalizedChild = resolve(child);
+  const childRelative = relative(normalizedParent, normalizedChild);
+  if (childRelative.startsWith("..") || dirname(childRelative) === ".." || normalizedChild === normalizedParent) {
+    throw new AwbsError(`Path escapes expected parent: ${child}`);
+  }
+}

package/src/usecases/view.ts

@@ -0,0 +1,166 @@
+import { randomUUID } from "node:crypto";
+import { join, relative, resolve } from "node:path";
+import { VIEW_MANIFEST } from "../domain/constants.ts";
+import { AwbsError } from "../domain/errors.ts";
+import { assertUserDataPaths } from "../domain/path-policy.ts";
+import { fromPosixPath, normalizeUserPaths } from "../domain/paths.ts";
+import type { AuthorityCatalogView, AuthorityViewContract, AuthorityViewSource } from "../domain/authority-types.ts";
+import type { IndexKind, ViewManifest } from "../domain/types.ts";
+import type { AuthorityPort } from "../ports/authority.ts";
+import type { FileDatabasePort } from "../ports/file-database.ts";
+import type { GitPort } from "../ports/git.ts";
+import { requireTrustedCommit, withTrustedWorktree } from "./trusted-chain.ts";
+
+export type ViewUseCases = {
+  createView(cwd: string, args: { out: string; readPaths: string[]; writePaths: string[] }): ViewManifest;
+  inspectView(cwd: string, viewId: string): { contract: AuthorityViewContract; catalogView: AuthorityCatalogView };
+  revokeView(cwd: string, viewId: string): AuthorityViewContract;
+};
+
+export function createViewUseCases(deps: { files: FileDatabasePort; git: GitPort; authority: AuthorityPort }): ViewUseCases {
+  return {
+    createView(cwd: string, args: { out: string; readPaths: string[]; writePaths: string[] }): ViewManifest {
+      const root = deps.files.findProjectRoot(cwd);
+      deps.authority.ensureInitialized(root);
+      const baseCommit = requireTrustedCommit(deps.git, root);
+      const workspacePath = resolve(root, args.out);
+      assertWorkspaceOutputPath(root, workspacePath);
+      deps.files.assertSafeOutputDirectory(workspacePath);
+
+      const readPaths = normalizeUserPaths(args.readPaths);
+      const writePaths = normalizeUserPaths(args.writePaths);
+      if (readPaths.length === 0 && writePaths.length === 0) {
+        throw new AwbsError("view create requires at least one --read or --write path.");
+      }
+      assertUserDataPaths(readPaths, "project");
+      assertUserDataPaths(writePaths, "project");
+
+      const selectedPaths = uniquePaths([...readPaths, ...writePaths]);
+
+      const viewId = randomUUID();
+      const baselineRoot = join(root, ".awbs", "views", viewId, "baseline");
+      const sources: ViewManifest["sources"] = [];
+      const contractSources: AuthorityViewSource[] = [];
+
+      deps.files.ensureDir(workspacePath);
+      deps.files.ensureDir(baselineRoot);
+
+      withTrustedWorktree(deps, root, baseCommit, "awbs-view-", (trustedRoot) => {
+        for (const relPath of selectedPaths) {
+          const trustedSourceAbs = join(trustedRoot, fromPosixPath(relPath));
+          if (!deps.files.pathExists(trustedSourceAbs)) {
+            throw new AwbsError(`Selected path does not exist in trusted database: ${relPath}`);
+          }
+          const sourceAbs = join(root, fromPosixPath(relPath));
+          const workspaceAbs = join(workspacePath, fromPosixPath(relPath));
+          const baselineAbs = join(baselineRoot, fromPosixPath(relPath));
+          deps.files.copyPath(trustedSourceAbs, workspaceAbs);
+          deps.files.copyPath(trustedSourceAbs, baselineAbs);
+          const kind: IndexKind = deps.files.isDirectory(trustedSourceAbs) ? "directory" : "file";
+          const sha256 = kind === "file" ? deps.files.sha256File(trustedSourceAbs) : null;
+          sources.push({
+            path: relPath,
+            sourcePath: sourceAbs,
+            workspacePath: workspaceAbs,
+            baselinePath: baselineAbs,
+            kind,
+            sha256
+          });
+          contractSources.push({
+            path: relPath,
+            sourcePath: sourceAbs,
+            workspacePath: workspaceAbs,
+            baselinePath: baselineAbs,
+            kind,
+            sha256,
+            mode: writePaths.includes(relPath) ? "write" : "read",
+            ext: {}
+          });
+        }
+      });
+
+      const createdAt = new Date().toISOString();
+      const contract: AuthorityViewContract = {
+        schemaVersion: 1,
+        viewId,
+        baseCommit,
+        createdAt,
+        readPaths,
+        writePaths,
+        sources: contractSources,
+        ext: { workspacePath }
+      };
+      deps.authority.createView(root, contract);
+
+      const manifest: ViewManifest = {
+        schemaVersion: 1,
+        viewId,
+        projectRoot: root,
+        workspacePath,
+        baseCommit,
+        createdAt,
+        readPaths,
+        writePaths,
+        sources
+      };
+
+      deps.files.writeJson(join(workspacePath, VIEW_MANIFEST), manifest);
+      deps.files.writeJson(join(root, ".awbs", "views", viewId, "manifest.json"), manifest);
+      return manifest;
+    },
+
+    inspectView(cwd: string, viewId: string): { contract: AuthorityViewContract; catalogView: AuthorityCatalogView } {
+      const root = deps.files.findProjectRoot(cwd);
+      const contract = deps.authority.getViewContract(root, viewId, { allowRevoked: true });
+      const catalog = deps.authority.readCatalog(root);
+      const catalogView = catalog.views.find((view) => view.viewId === viewId);
+      if (!catalogView) {
+        throw new AwbsError(`View is not registered in authority catalog: ${viewId}`);
+      }
+      return { contract, catalogView };
+    },
+
+    revokeView(cwd: string, viewId: string): AuthorityViewContract {
+      const root = deps.files.findProjectRoot(cwd);
+      return deps.authority.revokeView(root, viewId);
+    }
+  };
+}
+
+function uniquePaths(paths: string[]): string[] {
+  const seen = new Set<string>();
+  const result: string[] = [];
+  for (const path of paths) {
+    if (!seen.has(path)) {
+      seen.add(path);
+      result.push(path);
+    }
+  }
+  return result;
+}
+
+function assertWorkspaceOutputPath(root: string, workspacePath: string): void {
+  const rootPath = resolve(root);
+  const outputPath = resolve(workspacePath);
+  if (outputPath === rootPath) {
+    throw new AwbsError("Workspace output cannot be the database root.");
+  }
+
+  for (const reserved of [".awbs", ".git"]) {
+    const reservedPath = resolve(rootPath, reserved);
+    if (isSameOrInside(reservedPath, outputPath)) {
+      throw new AwbsError(`Workspace output cannot be inside AWBS reserved directory: ${reserved}`);
+    }
+  }
+}
+
+function isSameOrInside(parent: string, child: string): boolean {
+  const parentPath = pathKey(resolve(parent));
+  const childPath = pathKey(resolve(child));
+  const rel = relative(parentPath, childPath);
+  return childPath === parentPath || (!rel.startsWith("..") && !rel.includes(":"));
+}
+
+function pathKey(path: string): string {
+  return path.replace(/\\/g, "/").toLowerCase();
+}