@cat-factory/sandbox-fixtures 0.7.2 → 0.7.5

package/LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2026 Igor Savin
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2026 Igor Savin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/expectation.d.ts

@@ -0,0 +1,9 @@
+import type { SandboxExpectation } from '@cat-factory/contracts';
+/** Concise builder for a graded expectation; `matchHints` defaults to `[summary]`-matching. */
+export declare function exp(id: string, summary: string, grade: {
+    impact: number;
+    trickiness: number;
+    detail?: string;
+    matchHints?: string[];
+}): SandboxExpectation;
+//# sourceMappingURL=expectation.d.ts.map

package/dist/expectation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expectation.d.ts","sourceRoot":"","sources":["../src/expectation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAA;AAEhE,+FAA+F;AAC/F,wBAAgB,GAAG,CACjB,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,KAAK,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GACpF,kBAAkB,CASpB"}

package/dist/expectation.js

@@ -0,0 +1,12 @@
+/** Concise builder for a graded expectation; `matchHints` defaults to `[summary]`-matching. */
+export function exp(id, summary, grade) {
+    return {
+        id,
+        summary,
+        detail: grade.detail ?? '',
+        impact: grade.impact,
+        trickiness: grade.trickiness,
+        matchHints: grade.matchHints ?? [],
+    };
+}
+//# sourceMappingURL=expectation.js.map

package/dist/expectation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expectation.js","sourceRoot":"","sources":["../src/expectation.ts"],"names":[],"mappings":"AAEA,+FAA+F;AAC/F,MAAM,UAAU,GAAG,CACjB,EAAU,EACV,OAAe,EACf,KAAqF;IAErF,OAAO;QACL,EAAE;QACF,OAAO;QACP,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;QAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;KACnC,CAAA;AACH,CAAC"}

package/dist/fixtures/architecture.d.ts

@@ -0,0 +1,3 @@
+import type { SandboxFixtureDefinition } from '../types.js';
+export declare const ARCHITECTURE_FIXTURES: SandboxFixtureDefinition[];
+//# sourceMappingURL=architecture.d.ts.map

package/dist/fixtures/architecture.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"architecture.d.ts","sourceRoot":"","sources":["../../src/fixtures/architecture.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAA;AAwB3D,eAAO,MAAM,qBAAqB,EAAE,wBAAwB,EA8L3D,CAAA"}

package/dist/fixtures/architecture.js

@@ -0,0 +1,160 @@
+import { exp } from '../expectation.js';
+// architecture-proposal review fixtures. Mapped to the `architect-companion` agent (it
+// reviews an `architect`'s design). The proposal under review is carried as the `architect`
+// step's entry in `priorOutputs`; the companion critiques it. The expectations are the
+// scaling/consistency/operability gaps a strong design review should raise.
+/** Build an architect-companion context whose prior output is the design proposal to review. */
+function proposalContext(block, proposal) {
+    return {
+        agentKind: 'architect-companion',
+        pipelineName: 'sandbox',
+        stepIndex: 1,
+        isFinalStep: true,
+        block,
+        priorOutputs: [{ agentKind: 'architect', output: proposal }],
+        decisions: [],
+        resolvedDecision: null,
+    };
+}
+export const ARCHITECTURE_FIXTURES = [
+    {
+        id: 'arch-counter-redis-moderate',
+        agentKind: 'architect-companion',
+        kind: 'architecture',
+        name: 'View-counter design (moderate)',
+        difficulty: 'moderate',
+        summary: 'A "count page views" design that ignores cache durability and write contention.',
+        payload: proposalContext({
+            title: 'Page view counter',
+            type: 'service',
+            description: 'Show a near-real-time view count on each article.',
+        }, [
+            '# Design: page view counter',
+            '',
+            'On each request we INCR a Redis key `views:{articleId}` and read it back to render the count.',
+            'A background job copies the Redis counts into the `articles.view_count` column every hour so the',
+            'numbers survive. Redis runs as a single instance. This is simple and fast.',
+        ].join('\n')),
+        expectations: [
+            exp('cache-durability', 'Redis is the source of truth between hourly flushes — a single-instance crash loses up to an hour of counts.', {
+                impact: 5,
+                trickiness: 3,
+                detail: 'Single Redis + hourly persistence makes a cache the durable store; the central design flaw.',
+                matchHints: [
+                    'lose counts',
+                    'lose up to',
+                    'data loss',
+                    'durability',
+                    'redis crash',
+                    'single instance',
+                    'single point of failure',
+                    'persistence',
+                ],
+            }),
+            exp('hot-key', 'A viral article is a single hot Redis key — a write/throughput hotspot with no sharding plan.', {
+                impact: 3,
+                trickiness: 4,
+                matchHints: ['hot key', 'hotspot', 'hot spot', 'contention', 'shard'],
+            }),
+            exp('read-cost', 'Reading the count back from Redis on every render is unnecessary; the count can be returned from the INCR or cached.', {
+                impact: 2,
+                trickiness: 3,
+                matchHints: ['read back', 'every render', 'return from incr', 'extra round trip'],
+            }),
+            exp('idempotency', 'No dedupe: refresh/bots inflate counts — is a "view" unique per user/session, and over what window?', {
+                impact: 3,
+                trickiness: 4,
+                detail: 'Whether a view is deduped is a real product/correctness question the design skips.',
+                matchHints: ['dedupe', 'deduplicat', 'unique', 'bot', 'refresh', 'idempoten'],
+            }),
+        ],
+        notes: 'The cache-as-durable-store flaw is the must-find; hot-key and dedupe are the higher-skill catches.',
+    },
+    {
+        id: 'arch-outbox-events-complex',
+        agentKind: 'architect-companion',
+        kind: 'architecture',
+        name: 'Order-events pipeline (complex)',
+        difficulty: 'complex',
+        summary: 'An event-publishing design with a dual-write, at-least-once, and ordering pitfalls.',
+        payload: proposalContext({
+            title: 'Publish order events',
+            type: 'service',
+            description: 'When an order changes, publish an event other services consume (fulfilment, analytics, email).',
+        }, [
+            '# Design: order event publishing',
+            '',
+            'In the order service, after we commit the order to Postgres we publish an `OrderChanged` event to',
+            'Kafka. Consumers (fulfilment, analytics, email) subscribe and react. If publishing fails we log it',
+            'and retry in a background sweep. Each event carries the full order. We use a topic per event type and',
+            'partition by event type so throughput is high.',
+        ].join('\n')),
+        expectations: [
+            exp('dual-write', 'Commit-then-publish is a dual write: a crash between the two loses the event despite a committed order — needs a transactional outbox / CDC.', {
+                impact: 5,
+                trickiness: 5,
+                detail: 'The headline distributed-systems flaw and the standout catch — "we commit then publish" is the tell.',
+                matchHints: [
+                    'dual write',
+                    'dual-write',
+                    'outbox',
+                    'cdc',
+                    'change data capture',
+                    'commit then publish',
+                    'two-phase',
+                ],
+            }),
+            exp('ordering', 'Partitioning by event TYPE (not order id) means events for one order can be processed out of order.', {
+                impact: 5,
+                trickiness: 5,
+                detail: 'Partition key is the subtle but critical choice; per-type partitioning destroys per-order ordering.',
+                matchHints: [
+                    'out of order',
+                    'ordering',
+                    'partition by',
+                    'partition key',
+                    'per-order',
+                    'order id key',
+                ],
+            }),
+            exp('idempotent-consumers', 'At-least-once delivery + retries means consumers must be idempotent — the email service will double-send otherwise.', {
+                impact: 4,
+                trickiness: 3,
+                matchHints: [
+                    'idempoten',
+                    'at least once',
+                    'at-least-once',
+                    'duplicate',
+                    'double-send',
+                    'exactly once',
+                ],
+            }),
+            exp('full-payload', 'Carrying the full order in every event couples consumers to the order schema and bloats the topic; consider a thin event + lookup or a versioned schema.', {
+                impact: 3,
+                trickiness: 3,
+                matchHints: [
+                    'full order',
+                    'full payload',
+                    'schema coupling',
+                    'schema version',
+                    'thin event',
+                    'bloat',
+                ],
+            }),
+            exp('retry-sweep', 'The "log and retry in a background sweep" path has no durable record of the failed publish to retry from — what does the sweep read?', {
+                impact: 4,
+                trickiness: 4,
+                detail: 'Ties back to the outbox: without a persisted intent there is nothing for the sweep to replay.',
+                matchHints: [
+                    'nothing to retry',
+                    'no record',
+                    'what does the sweep',
+                    'durable record',
+                    'persisted',
+                ],
+            }),
+        ],
+        notes: 'A dense distributed-systems review: the dual-write and partition-key/ordering flaws are the high-impact, high-trickiness wow catches.',
+    },
+];
+//# sourceMappingURL=architecture.js.map

package/dist/fixtures/architecture.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"architecture.js","sourceRoot":"","sources":["../../src/fixtures/architecture.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAA;AAGvC,uFAAuF;AACvF,4FAA4F;AAC5F,uFAAuF;AACvF,4EAA4E;AAE5E,gGAAgG;AAChG,SAAS,eAAe,CACtB,KAA2D,EAC3D,QAAgB;IAEhB,OAAO;QACL,SAAS,EAAE,qBAAqB;QAChC,YAAY,EAAE,SAAS;QACvB,SAAS,EAAE,CAAC;QACZ,WAAW,EAAE,IAAI;QACjB,KAAK;QACL,YAAY,EAAE,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAC5D,SAAS,EAAE,EAAE;QACb,gBAAgB,EAAE,IAAI;KACvB,CAAA;AACH,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAA+B;IAC/D;QACE,EAAE,EAAE,6BAA6B;QACjC,SAAS,EAAE,qBAAqB;QAChC,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,gCAAgC;QACtC,UAAU,EAAE,UAAU;QACtB,OAAO,EAAE,iFAAiF;QAC1F,OAAO,EAAE,eAAe,CACtB;YACE,KAAK,EAAE,mBAAmB;YAC1B,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,mDAAmD;SACjE,EACD;YACE,6BAA6B;YAC7B,EAAE;YACF,+FAA+F;YAC/F,kGAAkG;YAClG,4EAA4E;SAC7E,CAAC,IAAI,CAAC,IAAI,CAAC,CACb;QACD,YAAY,EAAE;YACZ,GAAG,CACD,kBAAkB,EAClB,8GAA8G,EAC9G;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,6FAA6F;gBAC/F,UAAU,EAAE;oBACV,aAAa;oBACb,YAAY;oBACZ,WAAW;oBACX,YAAY;oBACZ,aAAa;oBACb,iBAAiB;oBACjB,yBAAyB;oBACzB,aAAa;iBACd;aACF,CACF;YACD,GAAG,CACD,SAAS,EACT,+FAA+F,EAC/F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO,CAAC;aACtE,CACF;YACD,GAAG,CACD,WAAW,EACX,sHAAsH,EACtH;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,kBAAkB,EAAE,kBAAkB,CAAC;aAClF,CACF;YACD,GAAG,CACD,aAAa,EACb,qGAAqG,EACrG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,oFAAoF;gBACtF,UAAU,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,CAAC;aAC9E,CACF;SACF;QACD,KAAK,EACH,oGAAoG;KACvG;IACD;QACE,EAAE,EAAE,4BAA4B;QAChC,SAAS,EAAE,qBAAqB;QAChC,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,iCAAiC;QACvC,UAAU,EAAE,SAAS;QACrB,OAAO,EAAE,qFAAqF;QAC9F,OAAO,EAAE,eAAe,CACtB;YACE,KAAK,EAAE,sBAAsB;YAC7B,IAAI,EAAE,SAAS;YACf,WAAW,EACT,gGAAgG;SACnG,EACD;YACE,kCAAkC;YAClC,EAAE;YACF,mGAAmG;YACnG,oGAAoG;YACpG,uGAAuG;YACvG,gDAAgD;SACjD,CAAC,IAAI,CAAC,IAAI,CAAC,CACb;QACD,YAAY,EAAE;YACZ,GAAG,CACD,YAAY,EACZ,8IAA8I,EAC9I;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,sGAAsG;gBACxG,UAAU,EAAE;oBACV,YAAY;oBACZ,YAAY;oBACZ,QAAQ;oBACR,KAAK;oBACL,qBAAqB;oBACrB,qBAAqB;oBACrB,WAAW;iBACZ;aACF,CACF;YACD,GAAG,CACD,UAAU,EACV,qGAAqG,EACrG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,qGAAqG;gBACvG,UAAU,EAAE;oBACV,cAAc;oBACd,UAAU;oBACV,cAAc;oBACd,eAAe;oBACf,WAAW;oBACX,cAAc;iBACf;aACF,CACF;YACD,GAAG,CACD,sBAAsB,EACtB,qHAAqH,EACrH;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE;oBACV,WAAW;oBACX,eAAe;oBACf,eAAe;oBACf,WAAW;oBACX,aAAa;oBACb,cAAc;iBACf;aACF,CACF;YACD,GAAG,CACD,cAAc,EACd,0JAA0J,EAC1J;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE;oBACV,YAAY;oBACZ,cAAc;oBACd,iBAAiB;oBACjB,gBAAgB;oBAChB,YAAY;oBACZ,OAAO;iBACR;aACF,CACF;YACD,GAAG,CACD,aAAa,EACb,sIAAsI,EACtI;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,+FAA+F;gBACjG,UAAU,EAAE;oBACV,kBAAkB;oBAClB,WAAW;oBACX,qBAAqB;oBACrB,gBAAgB;oBAChB,WAAW;iBACZ;aACF,CACF;SACF;QACD,KAAK,EACH,uIAAuI;KAC1I;CACF,CAAA"}

package/dist/fixtures/clarity.d.ts

@@ -0,0 +1,3 @@
+import type { SandboxFixtureDefinition } from '../types.js';
+export declare const CLARITY_FIXTURES: SandboxFixtureDefinition[];
+//# sourceMappingURL=clarity.d.ts.map

package/dist/fixtures/clarity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clarity.d.ts","sourceRoot":"","sources":["../../src/fixtures/clarity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAA;AAO3D,eAAO,MAAM,gBAAgB,EAAE,wBAAwB,EA0NtD,CAAA"}

package/dist/fixtures/clarity.js

@@ -0,0 +1,174 @@
+import { exp } from '../expectation.js';
+// clarity-review (bug-report triage) fixtures. The payload is a `ClarityContext`:
+// `{ block: { title, type, description }, investigation? }`. Each is a vague/ambiguous
+// bug report; the expectations are the missing facts or conflations a good triage should
+// surface so the bug becomes actionable.
+export const CLARITY_FIXTURES = [
+    {
+        id: 'clarity-slow-page-simple',
+        agentKind: 'clarity-review',
+        kind: 'clarity',
+        name: 'Page is slow (simple)',
+        difficulty: 'simple',
+        summary: 'A one-line "the dashboard is slow" report with no repro, scope, or baseline.',
+        payload: {
+            block: {
+                title: 'Dashboard is slow',
+                type: 'service',
+                description: 'The dashboard is really slow now. Please fix it, it was fine before.',
+            },
+        },
+        expectations: [
+            exp('repro', 'No reproduction steps: which dashboard/view, what actions, signed in as whom?', {
+                impact: 5,
+                trickiness: 1,
+                matchHints: ['reproduction', 'reproduce', 'repro', 'steps'],
+            }),
+            exp('quantify', '"Slow" is not quantified — how slow, vs what baseline, and measured how?', {
+                impact: 4,
+                trickiness: 1,
+                matchHints: ['how slow', 'quantif', 'load time', 'response time', 'baseline', 'measured'],
+            }),
+            exp('regression-window', '"Fine before" — when did it regress, and what changed (deploy, data growth) around then?', {
+                impact: 4,
+                trickiness: 3,
+                detail: 'Pinning the regression window is the highest-leverage triage question and is easy to skip past.',
+                matchHints: ['when did', 'regress', 'started', 'deploy', 'recently'],
+            }),
+            exp('scope', 'Is it all users or one account — could it be data-volume-dependent for a specific tenant?', {
+                impact: 3,
+                trickiness: 3,
+                matchHints: ['all users', 'one user', 'specific account', 'tenant', 'data volume'],
+            }),
+        ],
+        notes: 'Missing repro is the must-find; the regression-window question is the higher-skill catch.',
+    },
+    {
+        id: 'clarity-login-loop-moderate',
+        agentKind: 'clarity-review',
+        kind: 'clarity',
+        name: 'Login keeps failing (moderate)',
+        difficulty: 'moderate',
+        summary: 'A login bug report that conflates several distinct failure modes.',
+        payload: {
+            block: {
+                title: 'Login keeps failing',
+                type: 'service',
+                description: [
+                    'Users say login keeps failing. Sometimes it says the password is wrong even though it is right,',
+                    'and sometimes it just loops back to the login page. A couple of people mentioned the code from',
+                    'the app did not work. Happens on and off.',
+                ].join(' '),
+            },
+        },
+        expectations: [
+            exp('conflation', 'Three distinct failures are conflated: wrong-password, redirect loop, and 2FA code rejection.', {
+                impact: 5,
+                trickiness: 4,
+                detail: 'Separating the symptoms is the key triage move — each likely has a different root cause.',
+                matchHints: [
+                    'separate',
+                    'distinct',
+                    'conflate',
+                    'three different',
+                    'different issues',
+                    '2fa',
+                ],
+            }),
+            exp('repro', 'No reproduction: which accounts, after what action, and is "wrong even though right" verified?', {
+                impact: 5,
+                trickiness: 1,
+                matchHints: ['reproduction', 'reproduce', 'repro', 'steps'],
+            }),
+            exp('environment', 'Missing environment: browser/app version, platform, and whether it correlates with any of them.', {
+                impact: 3,
+                trickiness: 1,
+                matchHints: ['browser', 'app version', 'platform', 'device', 'os'],
+            }),
+            exp('intermittent', '"On and off" — is the redirect loop tied to expired sessions/cookies or a specific server?', {
+                impact: 4,
+                trickiness: 4,
+                detail: 'The loop smells like a session/cookie or load-balancer-affinity issue; a sharp triager probes that.',
+                matchHints: [
+                    'session',
+                    'cookie',
+                    'expired',
+                    'load balancer',
+                    'sticky',
+                    'server instance',
+                ],
+            }),
+        ],
+        notes: 'The symptom-conflation and the session/cookie hypothesis are the high-skill catches.',
+    },
+    {
+        id: 'clarity-data-loss-complex',
+        agentKind: 'clarity-review',
+        kind: 'clarity',
+        name: 'Edits sometimes disappear (complex)',
+        difficulty: 'complex',
+        summary: 'An intermittent data-loss report with a partial investigation already attached.',
+        payload: {
+            block: {
+                title: 'Saved edits sometimes disappear',
+                type: 'service',
+                description: [
+                    'Customers report that edits they make to a document sometimes disappear after a while. They save,',
+                    'see the change, then later it is back to an old version. It does not happen every time. This is',
+                    'causing churn — please prioritize.',
+                ].join(' '),
+            },
+            investigation: [
+                'Investigator notes: the document service has a "last write wins" update path. Two browser tabs (or the',
+                'mobile app and web open at once) each hold a copy loaded at different times. There is no version check',
+                'on save. Logs show overlapping saves to the same document id within a few seconds for affected users.',
+            ].join(' '),
+        },
+        expectations: [
+            exp('root-cause', 'The investigation points at a lost-update / concurrent-write race (last-write-wins, no version check) — confirm and frame it as the likely root cause.', {
+                impact: 5,
+                trickiness: 3,
+                detail: 'Restate the investigator’s finding as the working hypothesis instead of asking generic questions.',
+                matchHints: [
+                    'last write wins',
+                    'lost update',
+                    'concurrent',
+                    'race',
+                    'version check',
+                    'optimistic',
+                ],
+            }),
+            exp('repro-multitab', 'Targeted repro: two tabs / web + mobile editing the same document, confirming the overlap window.', {
+                impact: 4,
+                trickiness: 3,
+                matchHints: [
+                    'two tabs',
+                    'multiple tabs',
+                    'web and mobile',
+                    'same document',
+                    'concurrent edit',
+                ],
+            }),
+            exp('data-recovery', 'Is the overwritten version recoverable (history/audit), and how many customers/documents are affected so far?', {
+                impact: 5,
+                trickiness: 4,
+                detail: 'Data-loss bugs need a recovery/containment question, not just a fix — frequently missed under time pressure.',
+                matchHints: [
+                    'recover',
+                    'restore',
+                    'version history',
+                    'audit',
+                    'how many affected',
+                    'blast radius',
+                ],
+            }),
+            exp('not-every-time', 'Explain "not every time": it only manifests on overlapping concurrent saves, not on a single editor.', {
+                impact: 3,
+                trickiness: 2,
+                matchHints: ['not every time', 'intermittent', 'only when', 'overlap'],
+            }),
+        ],
+        notes: 'With an investigation attached, the skill is synthesizing it (root cause) and adding the recovery/blast-radius question — not re-asking what is already known.',
+    },
+];
+//# sourceMappingURL=clarity.js.map

package/dist/fixtures/clarity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"clarity.js","sourceRoot":"","sources":["../../src/fixtures/clarity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAA;AAGvC,kFAAkF;AAClF,uFAAuF;AACvF,yFAAyF;AACzF,yCAAyC;AAEzC,MAAM,CAAC,MAAM,gBAAgB,GAA+B;IAC1D;QACE,EAAE,EAAE,0BAA0B;QAC9B,SAAS,EAAE,gBAAgB;QAC3B,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,uBAAuB;QAC7B,UAAU,EAAE,QAAQ;QACpB,OAAO,EAAE,8EAA8E;QACvF,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,KAAK,EAAE,mBAAmB;gBAC1B,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE,sEAAsE;aACpF;SACF;QACD,YAAY,EAAE;YACZ,GAAG,CACD,OAAO,EACP,+EAA+E,EAC/E;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC;aAC5D,CACF;YACD,GAAG,CAAC,UAAU,EAAE,0EAA0E,EAAE;gBAC1F,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,UAAU,CAAC;aAC1F,CAAC;YACF,GAAG,CACD,mBAAmB,EACnB,0FAA0F,EAC1F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,iGAAiG;gBACnG,UAAU,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAC;aACrE,CACF;YACD,GAAG,CACD,OAAO,EACP,2FAA2F,EAC3F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,kBAAkB,EAAE,QAAQ,EAAE,aAAa,CAAC;aACnF,CACF;SACF;QACD,KAAK,EACH,2FAA2F;KAC9F;IACD;QACE,EAAE,EAAE,6BAA6B;QACjC,SAAS,EAAE,gBAAgB;QAC3B,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,gCAAgC;QACtC,UAAU,EAAE,UAAU;QACtB,OAAO,EAAE,mEAAmE;QAC5E,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,KAAK,EAAE,qBAAqB;gBAC5B,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE;oBACX,iGAAiG;oBACjG,gGAAgG;oBAChG,2CAA2C;iBAC5C,CAAC,IAAI,CAAC,GAAG,CAAC;aACZ;SACF;QACD,YAAY,EAAE;YACZ,GAAG,CACD,YAAY,EACZ,+FAA+F,EAC/F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,0FAA0F;gBAC5F,UAAU,EAAE;oBACV,UAAU;oBACV,UAAU;oBACV,UAAU;oBACV,iBAAiB;oBACjB,kBAAkB;oBAClB,KAAK;iBACN;aACF,CACF;YACD,GAAG,CACD,OAAO,EACP,gGAAgG,EAChG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC;aAC5D,CACF;YACD,GAAG,CACD,aAAa,EACb,iGAAiG,EACjG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC;aACnE,CACF;YACD,GAAG,CACD,cAAc,EACd,4FAA4F,EAC5F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,qGAAqG;gBACvG,UAAU,EAAE;oBACV,SAAS;oBACT,QAAQ;oBACR,SAAS;oBACT,eAAe;oBACf,QAAQ;oBACR,iBAAiB;iBAClB;aACF,CACF;SACF;QACD,KAAK,EAAE,sFAAsF;KAC9F;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,SAAS,EAAE,gBAAgB;QAC3B,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,qCAAqC;QAC3C,UAAU,EAAE,SAAS;QACrB,OAAO,EAAE,iFAAiF;QAC1F,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,KAAK,EAAE,iCAAiC;gBACxC,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE;oBACX,mGAAmG;oBACnG,iGAAiG;oBACjG,oCAAoC;iBACrC,CAAC,IAAI,CAAC,GAAG,CAAC;aACZ;YACD,aAAa,EAAE;gBACb,wGAAwG;gBACxG,wGAAwG;gBACxG,uGAAuG;aACxG,CAAC,IAAI,CAAC,GAAG,CAAC;SACZ;QACD,YAAY,EAAE;YACZ,GAAG,CACD,YAAY,EACZ,wJAAwJ,EACxJ;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,mGAAmG;gBACrG,UAAU,EAAE;oBACV,iBAAiB;oBACjB,aAAa;oBACb,YAAY;oBACZ,MAAM;oBACN,eAAe;oBACf,YAAY;iBACb;aACF,CACF;YACD,GAAG,CACD,gBAAgB,EAChB,mGAAmG,EACnG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE;oBACV,UAAU;oBACV,eAAe;oBACf,gBAAgB;oBAChB,eAAe;oBACf,iBAAiB;iBAClB;aACF,CACF;YACD,GAAG,CACD,eAAe,EACf,+GAA+G,EAC/G;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,8GAA8G;gBAChH,UAAU,EAAE;oBACV,SAAS;oBACT,SAAS;oBACT,iBAAiB;oBACjB,OAAO;oBACP,mBAAmB;oBACnB,cAAc;iBACf;aACF,CACF;YACD,GAAG,CACD,gBAAgB,EAChB,sGAAsG,EACtG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,gBAAgB,EAAE,cAAc,EAAE,WAAW,EAAE,SAAS,CAAC;aACvE,CACF;SACF;QACD,KAAK,EACH,gKAAgK;KACnK;CACF,CAAA"}

package/dist/fixtures/code-review.d.ts

@@ -0,0 +1,3 @@
+import type { SandboxFixtureDefinition } from '../types.js';
+export declare const CODE_REVIEW_FIXTURES: SandboxFixtureDefinition[];
+//# sourceMappingURL=code-review.d.ts.map

package/dist/fixtures/code-review.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-review.d.ts","sourceRoot":"","sources":["../../src/fixtures/code-review.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAA;AAwB3D,eAAO,MAAM,oBAAoB,EAAE,wBAAwB,EAkQ1D,CAAA"}

package/dist/fixtures/code-review.js

@@ -0,0 +1,214 @@
+import { exp } from '../expectation.js';
+// reviewer (code-review) fixtures. The payload is a reviewer `AgentRunContext`: the work
+// to review is carried as the `coder` step's entry in `priorOutputs` (a code snippet in a
+// fenced block). The expectations are the genuine correctness/security/edge-case problems a
+// strong reviewer should find, graded by impact (how bad to miss) and trickiness (how subtle).
+/** Build a reviewer context whose only prior output is the coder's snippet to review. */
+function reviewerContext(block, snippet) {
+    return {
+        agentKind: 'reviewer',
+        pipelineName: 'sandbox',
+        stepIndex: 1,
+        isFinalStep: true,
+        block,
+        priorOutputs: [{ agentKind: 'coder', output: snippet }],
+        decisions: [],
+        resolvedDecision: null,
+    };
+}
+export const CODE_REVIEW_FIXTURES = [
+    {
+        id: 'review-token-bucket-simple',
+        agentKind: 'reviewer',
+        kind: 'code-review',
+        name: 'Rate limiter (simple)',
+        difficulty: 'simple',
+        summary: 'A "token bucket" rate limiter that is neither a token bucket nor concurrency-safe.',
+        payload: reviewerContext({
+            title: 'Per-IP rate limiter',
+            type: 'api',
+            description: 'A token-bucket rate limiter middleware that allows 100 requests/minute per IP.',
+        }, [
+            'Implemented the limiter:',
+            '',
+            '```ts',
+            'const counts = new Map<string, number>()',
+            '',
+            'export function allow(ip: string): boolean {',
+            '  const count = counts.get(ip) ?? 0',
+            '  if (count >= 100) return false',
+            '  counts.set(ip, count + 1)',
+            '  return true',
+            '}',
+            '```',
+            '',
+            'The counter increments on each request and rejects once it hits 100.',
+        ].join('\n')),
+        expectations: [
+            exp('no-window-reset', 'There is no time window: the count never resets, so this is a lifetime cap of 100, not 100/minute.', {
+                impact: 5,
+                trickiness: 3,
+                detail: 'The headline bug — the feature simply does not do what the spec ("per minute") asks.',
+                matchHints: [
+                    'never resets',
+                    'no window',
+                    'time window',
+                    'per minute',
+                    'lifetime',
+                    'does not reset',
+                ],
+            }),
+            exp('unbounded-map', 'The Map grows unbounded (one entry per IP, never evicted) — a memory leak / DoS vector.', {
+                impact: 4,
+                trickiness: 3,
+                matchHints: ['unbounded', 'memory leak', 'never evicted', 'grows', 'grow forever'],
+            }),
+            exp('concurrency', 'Read-modify-write on the shared Map is not atomic; concurrent requests can over-admit.', {
+                impact: 3,
+                trickiness: 4,
+                matchHints: ['atomic', 'race', 'concurrent', 'read-modify-write', 'thread'],
+            }),
+        ],
+        notes: 'The missing time-window reset is the high-impact must-find; the concurrency hazard is the subtler catch.',
+    },
+    {
+        id: 'review-pagination-moderate',
+        agentKind: 'reviewer',
+        kind: 'code-review',
+        name: 'Offset pagination (moderate)',
+        difficulty: 'moderate',
+        summary: 'A list endpoint with SQL injection, unbounded page size, and an off-by-one.',
+        payload: reviewerContext({
+            title: 'List orders endpoint',
+            type: 'api',
+            description: 'GET /orders?page=&size= returns a page of the current user’s orders, newest first.',
+        }, [
+            'Added the handler:',
+            '',
+            '```ts',
+            'async function listOrders(req) {',
+            '  const page = req.query.page ?? 1',
+            '  const size = req.query.size ?? 20',
+            '  const offset = page * size',
+            '  const sql =',
+            '    `SELECT * FROM orders WHERE user_id = ${req.userId} ORDER BY created_at DESC ` +',
+            '    `LIMIT ${size} OFFSET ${offset}`',
+            '  return db.query(sql)',
+            '}',
+            '```',
+        ].join('\n')),
+        expectations: [
+            exp('sql-injection', 'Values are interpolated straight into SQL — `size`, `page`, and `userId` must be parameterized.', {
+                impact: 5,
+                trickiness: 1,
+                detail: 'Classic SQL injection; the most impactful and least subtle issue here.',
+                matchHints: [
+                    'sql injection',
+                    'parameterize',
+                    'parameterized',
+                    'interpolat',
+                    'prepared statement',
+                ],
+            }),
+            exp('offset-off-by-one', 'Offset is `page * size`, so page 1 skips the first page; it should be `(page - 1) * size`.', {
+                impact: 4,
+                trickiness: 4,
+                detail: 'A subtle correctness bug: with 1-based pages, page 1 already skips `size` rows.',
+                matchHints: [
+                    'off-by-one',
+                    'off by one',
+                    'page - 1',
+                    'page minus one',
+                    'skips the first',
+                    'should be (page',
+                ],
+            }),
+            exp('unbounded-size', 'No upper bound on `size`: a client can request a huge page and exhaust memory / the DB.', {
+                impact: 4,
+                trickiness: 3,
+                matchHints: ['unbounded', 'max size', 'cap the', 'upper bound', 'limit the page size'],
+            }),
+            exp('query-types', 'Query params are strings: `page`/`size` are not parsed to numbers and not validated as positive integers.', {
+                impact: 3,
+                trickiness: 3,
+                matchHints: [
+                    'positive integer',
+                    'not a number',
+                    'parsed to a number',
+                    'coerce',
+                    'cast to a number',
+                    'nan',
+                ],
+            }),
+        ],
+        notes: 'SQL injection is the must-find; the `page * size` off-by-one is the high-trickiness catch.',
+    },
+    {
+        id: 'review-jwt-verify-complex',
+        agentKind: 'reviewer',
+        kind: 'code-review',
+        name: 'JWT verification (complex)',
+        difficulty: 'complex',
+        summary: 'A hand-rolled JWT verifier with several serious, subtle security holes.',
+        payload: reviewerContext({
+            title: 'Verify session JWT',
+            type: 'service',
+            description: 'Verify an incoming JWT and return its claims, rejecting invalid tokens.',
+        }, [
+            'Implemented verification:',
+            '',
+            '```ts',
+            'function verify(token: string, secret: string) {',
+            '  const [headerB64, payloadB64, sig] = token.split(".")',
+            '  const header = JSON.parse(atob(headerB64))',
+            '  const payload = JSON.parse(atob(payloadB64))',
+            '  if (header.alg === "none") return payload',
+            '  const expected = hmacSha256(`${headerB64}.${payloadB64}`, secret)',
+            '  if (sig === expected) {',
+            '    return payload',
+            '  }',
+            '  throw new Error("bad token")',
+            '}',
+            '```',
+        ].join('\n')),
+        expectations: [
+            exp('alg-none', 'It accepts `alg: "none"` and returns the payload unverified — anyone can forge a token.', {
+                impact: 5,
+                trickiness: 5,
+                detail: 'The canonical JWT "alg=none" bypass; the most dangerous and most impressive catch.',
+                matchHints: [
+                    'alg none',
+                    'alg: none',
+                    'algorithm none',
+                    'none algorithm',
+                    'forge',
+                    'unverified',
+                ],
+            }),
+            exp('no-exp', 'No expiry (`exp`)/`nbf` check, so an old or stolen token is accepted forever.', {
+                impact: 5,
+                trickiness: 2,
+                matchHints: ['expiry', 'expiration', 'exp claim', 'expired', 'nbf', 'not before'],
+            }),
+            exp('timing-unsafe', 'Signature compared with `===` (timing-unsafe); use a constant-time comparison.', {
+                impact: 3,
+                trickiness: 4,
+                detail: 'A timing side-channel on signature comparison — a hallmark of an expert review.',
+                matchHints: ['timing', 'constant-time', 'constant time', 'timing-safe', 'timing attack'],
+            }),
+            exp('alg-confusion', 'Header `alg` is trusted but only HMAC is computed — an RS256→HS256 key-confusion attack is possible.', {
+                impact: 4,
+                trickiness: 5,
+                detail: 'The classic JWT algorithm-confusion class; rarely surfaced.',
+                matchHints: ['algorithm confusion', 'alg confusion', 'rs256', 'hs256', 'key confusion'],
+            }),
+            exp('audience-issuer', 'No `aud`/`iss` validation, so a token minted for another service is accepted.', {
+                impact: 3,
+                trickiness: 3,
+                matchHints: ['audience', 'aud claim', 'issuer', 'iss claim'],
+            }),
+        ],
+        notes: 'A dense security review: alg=none and algorithm-confusion are the high-trickiness wow catches; alg=none and missing-exp are the high-impact must-finds.',
+    },
+];
+//# sourceMappingURL=code-review.js.map

package/dist/fixtures/code-review.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-review.js","sourceRoot":"","sources":["../../src/fixtures/code-review.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAA;AAGvC,yFAAyF;AACzF,0FAA0F;AAC1F,4FAA4F;AAC5F,+FAA+F;AAE/F,yFAAyF;AACzF,SAAS,eAAe,CACtB,KAA2D,EAC3D,OAAe;IAEf,OAAO;QACL,SAAS,EAAE,UAAU;QACrB,YAAY,EAAE,SAAS;QACvB,SAAS,EAAE,CAAC;QACZ,WAAW,EAAE,IAAI;QACjB,KAAK;QACL,YAAY,EAAE,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QACvD,SAAS,EAAE,EAAE;QACb,gBAAgB,EAAE,IAAI;KACvB,CAAA;AACH,CAAC;AAED,MAAM,CAAC,MAAM,oBAAoB,GAA+B;IAC9D;QACE,EAAE,EAAE,4BAA4B;QAChC,SAAS,EAAE,UAAU;QACrB,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,uBAAuB;QAC7B,UAAU,EAAE,QAAQ;QACpB,OAAO,EAAE,oFAAoF;QAC7F,OAAO,EAAE,eAAe,CACtB;YACE,KAAK,EAAE,qBAAqB;YAC5B,IAAI,EAAE,KAAK;YACX,WAAW,EACT,gFAAgF;SACnF,EACD;YACE,0BAA0B;YAC1B,EAAE;YACF,OAAO;YACP,0CAA0C;YAC1C,EAAE;YACF,8CAA8C;YAC9C,qCAAqC;YACrC,kCAAkC;YAClC,6BAA6B;YAC7B,eAAe;YACf,GAAG;YACH,KAAK;YACL,EAAE;YACF,sEAAsE;SACvE,CAAC,IAAI,CAAC,IAAI,CAAC,CACb;QACD,YAAY,EAAE;YACZ,GAAG,CACD,iBAAiB,EACjB,oGAAoG,EACpG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,sFAAsF;gBACxF,UAAU,EAAE;oBACV,cAAc;oBACd,WAAW;oBACX,aAAa;oBACb,YAAY;oBACZ,UAAU;oBACV,gBAAgB;iBACjB;aACF,CACF;YACD,GAAG,CACD,eAAe,EACf,yFAAyF,EACzF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,OAAO,EAAE,cAAc,CAAC;aACnF,CACF;YACD,GAAG,CACD,aAAa,EACb,wFAAwF,EACxF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,mBAAmB,EAAE,QAAQ,CAAC;aAC5E,CACF;SACF;QACD,KAAK,EACH,0GAA0G;KAC7G;IACD;QACE,EAAE,EAAE,4BAA4B;QAChC,SAAS,EAAE,UAAU;QACrB,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,8BAA8B;QACpC,UAAU,EAAE,UAAU;QACtB,OAAO,EAAE,6EAA6E;QACtF,OAAO,EAAE,eAAe,CACtB;YACE,KAAK,EAAE,sBAAsB;YAC7B,IAAI,EAAE,KAAK;YACX,WAAW,EACT,oFAAoF;SACvF,EACD;YACE,oBAAoB;YACpB,EAAE;YACF,OAAO;YACP,kCAAkC;YAClC,oCAAoC;YACpC,qCAAqC;YACrC,8BAA8B;YAC9B,eAAe;YACf,sFAAsF;YACtF,sCAAsC;YACtC,wBAAwB;YACxB,GAAG;YACH,KAAK;SACN,CAAC,IAAI,CAAC,IAAI,CAAC,CACb;QACD,YAAY,EAAE;YACZ,GAAG,CACD,eAAe,EACf,iGAAiG,EACjG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,wEAAwE;gBAChF,UAAU,EAAE;oBACV,eAAe;oBACf,cAAc;oBACd,eAAe;oBACf,YAAY;oBACZ,oBAAoB;iBACrB;aACF,CACF;YACD,GAAG,CACD,mBAAmB,EACnB,4FAA4F,EAC5F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,iFAAiF;gBACzF,UAAU,EAAE;oBACV,YAAY;oBACZ,YAAY;oBACZ,UAAU;oBACV,gBAAgB;oBAChB,iBAAiB;oBACjB,iBAAiB;iBAClB;aACF,CACF;YACD,GAAG,CACD,gBAAgB,EAChB,yFAAyF,EACzF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,qBAAqB,CAAC;aACvF,CACF;YACD,GAAG,CACD,aAAa,EACb,2GAA2G,EAC3G;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE;oBACV,kBAAkB;oBAClB,cAAc;oBACd,oBAAoB;oBACpB,QAAQ;oBACR,kBAAkB;oBAClB,KAAK;iBACN;aACF,CACF;SACF;QACD,KAAK,EACH,4FAA4F;KAC/F;IACD;QACE,EAAE,EAAE,2BAA2B;QAC/B,SAAS,EAAE,UAAU;QACrB,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,4BAA4B;QAClC,UAAU,EAAE,SAAS;QACrB,OAAO,EAAE,yEAAyE;QAClF,OAAO,EAAE,eAAe,CACtB;YACE,KAAK,EAAE,oBAAoB;YAC3B,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,yEAAyE;SACvF,EACD;YACE,2BAA2B;YAC3B,EAAE;YACF,OAAO;YACP,kDAAkD;YAClD,yDAAyD;YACzD,8CAA8C;YAC9C,gDAAgD;YAChD,6CAA6C;YAC7C,qEAAqE;YACrE,2BAA2B;YAC3B,oBAAoB;YACpB,KAAK;YACL,gCAAgC;YAChC,GAAG;YACH,KAAK;SACN,CAAC,IAAI,CAAC,IAAI,CAAC,CACb;QACD,YAAY,EAAE;YACZ,GAAG,CACD,UAAU,EACV,yFAAyF,EACzF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,oFAAoF;gBACtF,UAAU,EAAE;oBACV,UAAU;oBACV,WAAW;oBACX,gBAAgB;oBAChB,gBAAgB;oBAChB,OAAO;oBACP,YAAY;iBACb;aACF,CACF;YACD,GAAG,CACD,QAAQ,EACR,+EAA+E,EAC/E;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,CAAC;aAClF,CACF;YACD,GAAG,CACD,eAAe,EACf,gFAAgF,EAChF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,iFAAiF;gBACzF,UAAU,EAAE,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,eAAe,CAAC;aACzF,CACF;YACD,GAAG,CACD,eAAe,EACf,sGAAsG,EACtG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,6DAA6D;gBACrE,UAAU,EAAE,CAAC,qBAAqB,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,CAAC;aACxF,CACF;YACD,GAAG,CACD,iBAAiB,EACjB,+EAA+E,EAC/E;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,CAAC;aAC7D,CACF;SACF;QACD,KAAK,EACH,yJAAyJ;KAC5J;CACF,CAAA"}

package/dist/fixtures/requirements.d.ts

@@ -0,0 +1,3 @@
+import type { SandboxFixtureDefinition } from '../types.js';
+export declare const REQUIREMENTS_FIXTURES: SandboxFixtureDefinition[];
+//# sourceMappingURL=requirements.d.ts.map

package/dist/fixtures/requirements.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"requirements.d.ts","sourceRoot":"","sources":["../../src/fixtures/requirements.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAA;AAQ3D,eAAO,MAAM,qBAAqB,EAAE,wBAAwB,EAsO3D,CAAA"}

package/dist/fixtures/requirements.js

@@ -0,0 +1,178 @@
+import { exp } from '../expectation.js';
+// requirements-review fixtures. The payload is a `RequirementsContext`:
+// `{ block: { title, type, description }, docs: [], tasks: [] }`. Each spec is a real,
+// under-specified requirement; the expectations are the gaps/ambiguities/risks a strong
+// reviewer should raise, graded by how bad they are to miss (impact) and how hard they
+// are to spot (trickiness).
+export const REQUIREMENTS_FIXTURES = [
+    {
+        id: 'req-notify-prefs-simple',
+        agentKind: 'requirements-review',
+        kind: 'requirements',
+        name: 'Notification preferences (simple)',
+        difficulty: 'simple',
+        summary: 'A thin "let users mute notifications" spec with obvious unanswered questions.',
+        payload: {
+            block: {
+                title: 'Notification preferences',
+                type: 'service',
+                description: 'Let users turn off notifications they do not want. Add a settings page where they can toggle notifications on or off.',
+            },
+            docs: [],
+            tasks: [],
+        },
+        expectations: [
+            exp('channels', 'Which channels are in scope (email, push, in-app, SMS)?', {
+                impact: 4,
+                trickiness: 1,
+                detail: 'A single on/off toggle is meaningless without knowing what it governs.',
+                matchHints: ['channel', 'email', 'push', 'in-app', 'sms'],
+            }),
+            exp('default-state', 'What is the default state for a new user / a newly added notification type?', {
+                impact: 3,
+                trickiness: 2,
+                matchHints: ['default state', 'default value', 'opt-in', 'opt in', 'opt-out', 'opt out'],
+            }),
+            exp('granularity', 'Global on/off vs per-category preferences — the spec conflates them.', {
+                impact: 3,
+                trickiness: 3,
+                detail: '"notifications they do not want" implies per-type control, but the UI describes one toggle.',
+                matchHints: ['per-category', 'per category', 'granularity', 'per-type', 'per type'],
+            }),
+            exp('transactional', 'Are critical/transactional messages (security alerts, password resets) exempt from muting?', {
+                impact: 4,
+                trickiness: 4,
+                detail: 'Letting users mute security alerts is a real safety/compliance gap that is easy to overlook.',
+                matchHints: ['transactional', 'security alert', 'critical', 'mandatory'],
+            }),
+        ],
+        notes: 'The transactional-exemption item is the high-trickiness "wow" catch; the channel-scope item is the high-impact must-find.',
+    },
+    {
+        id: 'req-csv-export-moderate',
+        agentKind: 'requirements-review',
+        kind: 'requirements',
+        name: 'CSV export (moderate)',
+        difficulty: 'moderate',
+        summary: 'An "export my data to CSV" feature that omits scale, auth, and format details.',
+        payload: {
+            block: {
+                title: 'Export report to CSV',
+                type: 'api',
+                description: 'Add a button that lets a user export their transactions report as a CSV file so they can open it in Excel. The export should include all of their transactions.',
+            },
+            docs: [],
+            tasks: [],
+        },
+        expectations: [
+            exp('volume', 'How many rows can "all transactions" be — does it need streaming/pagination or a background job?', {
+                impact: 5,
+                trickiness: 3,
+                detail: 'A synchronous in-memory export silently breaks for large accounts; this is the most impactful gap.',
+                matchHints: [
+                    'how many rows',
+                    'large',
+                    'streaming',
+                    'background job',
+                    'pagination',
+                    'timeout',
+                ],
+            }),
+            exp('authz', 'What stops a user exporting another user’s transactions — how is ownership enforced?', {
+                impact: 5,
+                trickiness: 2,
+                matchHints: ['authorization', 'ownership', 'access control', 'another user', 'tenant'],
+            }),
+            exp('encoding', 'CSV specifics: delimiter, encoding (UTF-8 BOM for Excel), quoting, and date/number formatting.', {
+                impact: 3,
+                trickiness: 2,
+                detail: 'Excel mangles UTF-8 without a BOM and misreads locale-formatted numbers/dates.',
+                matchHints: ['encoding', 'utf-8', 'utf8', 'delimiter', 'bom', 'quoting', 'escaping'],
+            }),
+            exp('injection', 'CSV/formula injection: a cell starting with =, +, -, @ executes when opened in Excel.', {
+                impact: 4,
+                trickiness: 5,
+                detail: 'A genuine security issue ("CSV injection") almost no one raises — the standout catch.',
+                matchHints: [
+                    'csv injection',
+                    'formula injection',
+                    'starts with =',
+                    'spreadsheet injection',
+                ],
+            }),
+        ],
+        notes: 'CSV/formula injection is the trick item; the row-volume and authorization items are the must-finds.',
+    },
+    {
+        id: 'req-billing-proration-complex',
+        agentKind: 'requirements-review',
+        kind: 'requirements',
+        name: 'Mid-cycle plan change billing (complex)',
+        difficulty: 'complex',
+        summary: 'A subscription plan-change spec dense with proration, timezone, and currency edge cases.',
+        payload: {
+            block: {
+                title: 'Mid-cycle plan upgrades and downgrades',
+                type: 'service',
+                description: [
+                    'Let a customer change their subscription plan at any time. When they upgrade, charge them the',
+                    'difference for the rest of the billing cycle. When they downgrade, credit the difference toward',
+                    'their next invoice. The change takes effect immediately. Plans are billed monthly on the date the',
+                    'customer first subscribed.',
+                ].join(' '),
+            },
+            docs: [],
+            tasks: [],
+        },
+        expectations: [
+            exp('proration-basis', 'How is the prorated amount computed — by remaining days, seconds, or a fixed fraction — and how are partial-cent results rounded?', {
+                impact: 5,
+                trickiness: 5,
+                detail: 'Rounding/credit accumulation across repeated mid-cycle changes is where real billing bugs and revenue leakage hide; the standout catch.',
+                matchHints: [
+                    'proration',
+                    'prorate',
+                    'rounding',
+                    'round',
+                    'partial cent',
+                    'remaining days',
+                ],
+            }),
+            exp('cycle-anchor', 'Billing on "the date the customer subscribed" is undefined for the 29th–31st in short months.', {
+                impact: 4,
+                trickiness: 4,
+                detail: 'Anniversary billing on Jan 31 has no Feb 31 — the cycle-anchor rule must be pinned down.',
+                matchHints: [
+                    '29th',
+                    '30th',
+                    '31st',
+                    'short month',
+                    'anniversary',
+                    'last day of the month',
+                ],
+            }),
+            exp('timezone', 'In which timezone is "immediately" / the cycle boundary evaluated (customer, merchant, UTC)?', {
+                impact: 4,
+                trickiness: 4,
+                matchHints: ['timezone', 'time zone', 'utc', 'midnight'],
+            }),
+            exp('downgrade-credit', 'Credit vs refund: is a downgrade credit refundable, does it expire, and what if it exceeds the next invoice?', {
+                impact: 4,
+                trickiness: 2,
+                matchHints: ['credit', 'refund', 'exceeds', 'expire'],
+            }),
+            exp('currency', 'No mention of currency, tax/VAT recomputation, or multi-currency accounts.', {
+                impact: 3,
+                trickiness: 2,
+                matchHints: ['currency', 'tax', 'vat'],
+            }),
+            exp('payment-failure', 'What happens if the immediate upgrade charge fails — is the plan change rolled back or left active unpaid?', {
+                impact: 5,
+                trickiness: 3,
+                matchHints: ['payment fails', 'charge fails', 'declined', 'rolled back', 'rollback'],
+            }),
+        ],
+        notes: 'A deliberately dense spec: proration rounding (trick + impact) is the headline; payment-failure handling and cycle-anchor are the high-impact must-finds.',
+    },
+];
+//# sourceMappingURL=requirements.js.map

package/dist/fixtures/requirements.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"requirements.js","sourceRoot":"","sources":["../../src/fixtures/requirements.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,mBAAmB,CAAA;AAGvC,wEAAwE;AACxE,uFAAuF;AACvF,wFAAwF;AACxF,uFAAuF;AACvF,4BAA4B;AAE5B,MAAM,CAAC,MAAM,qBAAqB,GAA+B;IAC/D;QACE,EAAE,EAAE,yBAAyB;QAC7B,SAAS,EAAE,qBAAqB;QAChC,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,mCAAmC;QACzC,UAAU,EAAE,QAAQ;QACpB,OAAO,EAAE,+EAA+E;QACxF,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,KAAK,EAAE,0BAA0B;gBACjC,IAAI,EAAE,SAAS;gBACf,WAAW,EACT,uHAAuH;aAC1H;YACD,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,EAAE;SACV;QACD,YAAY,EAAE;YACZ,GAAG,CAAC,UAAU,EAAE,yDAAyD,EAAE;gBACzE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,wEAAwE;gBAChF,UAAU,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC;aAC1D,CAAC;YACF,GAAG,CACD,eAAe,EACf,6EAA6E,EAC7E;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,eAAe,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;aACzF,CACF;YACD,GAAG,CAAC,aAAa,EAAE,sEAAsE,EAAE;gBACzF,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,6FAA6F;gBAC/F,UAAU,EAAE,CAAC,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,CAAC;aACpF,CAAC;YACF,GAAG,CACD,eAAe,EACf,4FAA4F,EAC5F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,8FAA8F;gBAChG,UAAU,EAAE,CAAC,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,CAAC;aACzE,CACF;SACF;QACD,KAAK,EACH,2HAA2H;KAC9H;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,SAAS,EAAE,qBAAqB;QAChC,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,uBAAuB;QAC7B,UAAU,EAAE,UAAU;QACtB,OAAO,EAAE,gFAAgF;QACzF,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,KAAK,EAAE,sBAAsB;gBAC7B,IAAI,EAAE,KAAK;gBACX,WAAW,EACT,iKAAiK;aACpK;YACD,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,EAAE;SACV;QACD,YAAY,EAAE;YACZ,GAAG,CACD,QAAQ,EACR,kGAAkG,EAClG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,oGAAoG;gBACtG,UAAU,EAAE;oBACV,eAAe;oBACf,OAAO;oBACP,WAAW;oBACX,gBAAgB;oBAChB,YAAY;oBACZ,SAAS;iBACV;aACF,CACF;YACD,GAAG,CACD,OAAO,EACP,sFAAsF,EACtF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,eAAe,EAAE,WAAW,EAAE,gBAAgB,EAAE,cAAc,EAAE,QAAQ,CAAC;aACvF,CACF;YACD,GAAG,CACD,UAAU,EACV,gGAAgG,EAChG;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EAAE,gFAAgF;gBACxF,UAAU,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,CAAC;aACrF,CACF;YACD,GAAG,CACD,WAAW,EACX,uFAAuF,EACvF;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,uFAAuF;gBACzF,UAAU,EAAE;oBACV,eAAe;oBACf,mBAAmB;oBACnB,eAAe;oBACf,uBAAuB;iBACxB;aACF,CACF;SACF;QACD,KAAK,EACH,qGAAqG;KACxG;IACD;QACE,EAAE,EAAE,+BAA+B;QACnC,SAAS,EAAE,qBAAqB;QAChC,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,yCAAyC;QAC/C,UAAU,EAAE,SAAS;QACrB,OAAO,EACL,0FAA0F;QAC5F,OAAO,EAAE;YACP,KAAK,EAAE;gBACL,KAAK,EAAE,wCAAwC;gBAC/C,IAAI,EAAE,SAAS;gBACf,WAAW,EAAE;oBACX,+FAA+F;oBAC/F,iGAAiG;oBACjG,mGAAmG;oBACnG,4BAA4B;iBAC7B,CAAC,IAAI,CAAC,GAAG,CAAC;aACZ;YACD,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,EAAE;SACV;QACD,YAAY,EAAE;YACZ,GAAG,CACD,iBAAiB,EACjB,mIAAmI,EACnI;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,yIAAyI;gBAC3I,UAAU,EAAE;oBACV,WAAW;oBACX,SAAS;oBACT,UAAU;oBACV,OAAO;oBACP,cAAc;oBACd,gBAAgB;iBACjB;aACF,CACF;YACD,GAAG,CACD,cAAc,EACd,+FAA+F,EAC/F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,MAAM,EACJ,0FAA0F;gBAC5F,UAAU,EAAE;oBACV,MAAM;oBACN,MAAM;oBACN,MAAM;oBACN,aAAa;oBACb,aAAa;oBACb,uBAAuB;iBACxB;aACF,CACF;YACD,GAAG,CACD,UAAU,EACV,8FAA8F,EAC9F;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,CAAC;aACzD,CACF;YACD,GAAG,CACD,kBAAkB,EAClB,8GAA8G,EAC9G;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;aACtD,CACF;YACD,GAAG,CACD,UAAU,EACV,4EAA4E,EAC5E;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC;aACvC,CACF;YACD,GAAG,CACD,iBAAiB,EACjB,4GAA4G,EAC5G;gBACE,MAAM,EAAE,CAAC;gBACT,UAAU,EAAE,CAAC;gBACb,UAAU,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,UAAU,CAAC;aACrF,CACF;SACF;QACD,KAAK,EACH,2JAA2J;KAC9J;CACF,CAAA"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export { type SandboxFixtureDefinition, type SandboxFixtureDifficulty, type SandboxExpectation, type SandboxFixtureKind, } from './types.js';
+export { exp } from './expectation.js';
+export { BUILTIN_SANDBOX_FIXTURES, builtinFixturesFor, builtinFixture, toSandboxFixture, } from './registry.js';
+export { REQUIREMENTS_FIXTURES } from './fixtures/requirements.js';
+export { CLARITY_FIXTURES } from './fixtures/clarity.js';
+export { CODE_REVIEW_FIXTURES } from './fixtures/code-review.js';
+export { ARCHITECTURE_FIXTURES } from './fixtures/architecture.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,GACxB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AAEtC,OAAO,EACL,wBAAwB,EACxB,kBAAkB,EAClB,cAAc,EACd,gBAAgB,GACjB,MAAM,eAAe,CAAA;AAEtB,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA"}

package/dist/index.js

@@ -0,0 +1,14 @@
+// @cat-factory/sandbox-fixtures — hand-authored, standardized, graded no-repo fixtures for
+// the Sandbox. These are the inline (text-only) agent inputs that need NO repository
+// checkout — requirements review, bug-report (clarity) review, code review, and
+// architecture-proposal review — each with a set of expected findings graded by trickiness
+// (how hard to spot; catching it is a "wow") and impact (how bad to miss). Depends only on
+// @cat-factory/contracts so the published @cat-factory/sandbox can load it via workspace:*.
+export {} from './types.js';
+export { exp } from './expectation.js';
+export { BUILTIN_SANDBOX_FIXTURES, builtinFixturesFor, builtinFixture, toSandboxFixture, } from './registry.js';
+export { REQUIREMENTS_FIXTURES } from './fixtures/requirements.js';
+export { CLARITY_FIXTURES } from './fixtures/clarity.js';
+export { CODE_REVIEW_FIXTURES } from './fixtures/code-review.js';
+export { ARCHITECTURE_FIXTURES } from './fixtures/architecture.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2FAA2F;AAC3F,qFAAqF;AACrF,gFAAgF;AAChF,2FAA2F;AAC3F,2FAA2F;AAC3F,4FAA4F;AAE5F,OAAO,EAKN,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AAEtC,OAAO,EACL,wBAAwB,EACxB,kBAAkB,EAClB,cAAc,EACd,gBAAgB,GACjB,MAAM,eAAe,CAAA;AAEtB,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA"}

package/dist/registry.d.ts

@@ -0,0 +1,19 @@
+import { type SandboxFixture } from '@cat-factory/contracts';
+import type { SandboxFixtureDefinition } from './types.js';
+/**
+ * Every builtin, no-repo Sandbox fixture, hand-authored and committed for reproducibility.
+ * Ordered by agent then difficulty (simple → complex) for stable display.
+ */
+export declare const BUILTIN_SANDBOX_FIXTURES: readonly SandboxFixtureDefinition[];
+/** The builtin fixtures authored for a given agent kind. */
+export declare function builtinFixturesFor(agentKind: string): SandboxFixtureDefinition[];
+/** A builtin fixture by id, or undefined. */
+export declare function builtinFixture(id: string): SandboxFixtureDefinition | undefined;
+/**
+ * Project an authoring {@link SandboxFixtureDefinition} into the wire `SandboxFixture` the
+ * Sandbox stores/serves: an inline `builtin` fixture whose objective is the graded
+ * `findings` set. Validates against the contract schema so a malformed fixture fails loudly
+ * at load (e.g. an inline payload missing, or an expectation out of the 1..5 range).
+ */
+export declare function toSandboxFixture(def: SandboxFixtureDefinition, now: number): SandboxFixture;
+//# sourceMappingURL=registry.d.ts.map

package/dist/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,cAAc,EAAwB,MAAM,wBAAwB,CAAA;AAMlF,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAA;AAE1D;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,wBAAwB,EAKvE,CAAA;AAED,4DAA4D;AAC5D,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,wBAAwB,EAAE,CAEhF;AAED,6CAA6C;AAC7C,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,wBAAwB,GAAG,SAAS,CAE/E;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,wBAAwB,EAAE,GAAG,EAAE,MAAM,GAAG,cAAc,CAW3F"}

package/dist/registry.js

@@ -0,0 +1,43 @@
+import { sandboxFixtureSchema } from '@cat-factory/contracts';
+import * as v from 'valibot';
+import { ARCHITECTURE_FIXTURES } from './fixtures/architecture.js';
+import { CLARITY_FIXTURES } from './fixtures/clarity.js';
+import { CODE_REVIEW_FIXTURES } from './fixtures/code-review.js';
+import { REQUIREMENTS_FIXTURES } from './fixtures/requirements.js';
+/**
+ * Every builtin, no-repo Sandbox fixture, hand-authored and committed for reproducibility.
+ * Ordered by agent then difficulty (simple → complex) for stable display.
+ */
+export const BUILTIN_SANDBOX_FIXTURES = [
+    ...REQUIREMENTS_FIXTURES,
+    ...CLARITY_FIXTURES,
+    ...CODE_REVIEW_FIXTURES,
+    ...ARCHITECTURE_FIXTURES,
+];
+/** The builtin fixtures authored for a given agent kind. */
+export function builtinFixturesFor(agentKind) {
+    return BUILTIN_SANDBOX_FIXTURES.filter((f) => f.agentKind === agentKind);
+}
+/** A builtin fixture by id, or undefined. */
+export function builtinFixture(id) {
+    return BUILTIN_SANDBOX_FIXTURES.find((f) => f.id === id);
+}
+/**
+ * Project an authoring {@link SandboxFixtureDefinition} into the wire `SandboxFixture` the
+ * Sandbox stores/serves: an inline `builtin` fixture whose objective is the graded
+ * `findings` set. Validates against the contract schema so a malformed fixture fails loudly
+ * at load (e.g. an inline payload missing, or an expectation out of the 1..5 range).
+ */
+export function toSandboxFixture(def, now) {
+    return v.parse(sandboxFixtureSchema, {
+        id: def.id,
+        kind: def.kind,
+        name: def.name,
+        payload: def.payload,
+        repoRef: null,
+        objective: { kind: 'findings', expectations: def.expectations },
+        origin: 'builtin',
+        createdAt: now,
+    });
+}
+//# sourceMappingURL=registry.js.map

package/dist/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,oBAAoB,EAAE,MAAM,wBAAwB,CAAA;AAClF,OAAO,KAAK,CAAC,MAAM,SAAS,CAAA;AAC5B,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAClE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAA;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAA;AAGlE;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAwC;IAC3E,GAAG,qBAAqB;IACxB,GAAG,gBAAgB;IACnB,GAAG,oBAAoB;IACvB,GAAG,qBAAqB;CACzB,CAAA;AAED,4DAA4D;AAC5D,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAA;AAC1E,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,cAAc,CAAC,EAAU;IACvC,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;AAC1D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAA6B,EAAE,GAAW;IACzE,OAAO,CAAC,CAAC,KAAK,CAAC,oBAAoB,EAAE;QACnC,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,OAAO,EAAE,IAAI;QACb,SAAS,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,YAAY,EAAE,GAAG,CAAC,YAAY,EAAE;QAC/D,MAAM,EAAE,SAAS;QACjB,SAAS,EAAE,GAAG;KACf,CAAC,CAAA;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,34 @@
+import type { SandboxExpectation, SandboxFixtureKind } from '@cat-factory/contracts';
+/** How hard the fixture is, used to offer a simple → complex range per agent. */
+export type SandboxFixtureDifficulty = 'simple' | 'moderate' | 'complex';
+export interface SandboxFixtureDefinition {
+    /** Stable, unique kebab id, e.g. `req-notify-prefs-simple`. */
+    id: string;
+    /**
+     * The agent kind this fixture exercises (an `AgentKind` string, e.g.
+     * `requirements-review`, `clarity-review`, `reviewer`, `architect-companion`). Used to
+     * group fixtures by agent and to look the agent up in the Sandbox catalog.
+     */
+    agentKind: string;
+    /** The inline fixture kind (`requirements` | `architecture` | `code-review`). */
+    kind: SandboxFixtureKind;
+    /** Human label for the fixture browser. */
+    name: string;
+    /** Difficulty tier (the simple → complex range). */
+    difficulty: SandboxFixtureDifficulty;
+    /** One-line description of what this fixture probes. */
+    summary: string;
+    /**
+     * The inline agent-run context this fixture supplies as input — the synthesized
+     * context the agent reasons over (a `RequirementsContext` / `ClarityContext` /
+     * reviewer `AgentRunContext`). Kept as a record to match the wire contract; the
+     * payload-conformance test asserts each one against the real context type.
+     */
+    payload: Record<string, unknown>;
+    /** What a strong answer should surface, each graded by trickiness/impact. */
+    expectations: SandboxExpectation[];
+    /** Authoring rationale — why this fixture is interesting / what the tricky bits are. */
+    notes?: string;
+}
+export type { SandboxExpectation, SandboxFixtureKind };
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAA;AAQpF,iFAAiF;AACjF,MAAM,MAAM,wBAAwB,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAA;AAExE,MAAM,WAAW,wBAAwB;IACvC,+DAA+D;IAC/D,EAAE,EAAE,MAAM,CAAA;IACV;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAA;IACjB,iFAAiF;IACjF,IAAI,EAAE,kBAAkB,CAAA;IACxB,2CAA2C;IAC3C,IAAI,EAAE,MAAM,CAAA;IACZ,oDAAoD;IACpD,UAAU,EAAE,wBAAwB,CAAA;IACpC,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAA;IACf;;;;;OAKG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAChC,6EAA6E;IAC7E,YAAY,EAAE,kBAAkB,EAAE,CAAA;IAClC,wFAAwF;IACxF,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,YAAY,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@cat-factory/sandbox-fixtures",
-  "version": "0.7.2",
+  "version": "0.7.5",
+  "description": "Hand-authored, standardized, graded no-repo fixtures for the Sandbox: inline agent inputs (requirements/clarity/code-review/architecture-proposal review) with expectations rated by trickiness and impact.",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/kibertoad/cat-factory.git",
     "directory": "backend/packages/sandbox-fixtures"
   },
-  "description": "Hand-authored, standardized, graded no-repo fixtures for the Sandbox: inline agent inputs (requirements/clarity/code-review/architecture-proposal review) with expectations rated by trickiness and impact.",
   "files": [
     "dist"
   ],
@@ -25,13 +25,13 @@
   },
   "dependencies": {
     "valibot": "^1.4.1",
-    "@cat-factory/contracts": "0.7.2"
+    "@cat-factory/contracts": "0.10.0"
   },
   "devDependencies": {
     "typescript": "7.0.1-rc",
     "vitest": "^4.1.9",
-    "@cat-factory/kernel": "0.7.2",
-    "@cat-factory/orchestration": "0.7.2"
+    "@cat-factory/kernel": "0.10.1",
+    "@cat-factory/orchestration": "0.7.7"
   },
   "scripts": {
     "build": "tsc -b tsconfig.build.json",