@cleocode/cant 2026.4.91 → 2026.4.94

package/dist/hierarchy.d.ts

@@ -55,6 +55,48 @@ export interface TeamDefinition {
 export declare const LEAD_FORBIDDEN_TOOLS: readonly ["Edit", "Write", "Bash"];
 /** Forbidden tools for orchestrator-role agents (ULTRAPLAN section 10.5 ORCH-001). */
 export declare const ORCHESTRATOR_FORBIDDEN_TOOLS: readonly ["Edit", "Write", "Bash"];
+/**
+ * Forbidden tools for worker-role agents per the thin-agent inversion-of-control
+ * rule (ORC-012, T931). Workers MUST NOT spawn subagents; these tool names are
+ * the canonical Claude Code spawn surfaces and are stripped at parse time.
+ *
+ * @task T931 Thin-agent runtime enforcer
+ * @task T907 Thin-agent enforcement
+ */
+export declare const WORKER_FORBIDDEN_SPAWN_TOOLS: readonly ["Agent", "Task"];
+/**
+ * Diagnostic code emitted when {@link stripSpawnToolsForWorker} removed one or
+ * more tools from a worker-role tool list. Callers that want to surface the
+ * strip to audit logs should inspect the `removed` array on the warning.
+ */
+export declare const THIN_AGENT_TOOLS_STRIPPED: "THIN_AGENT_TOOLS_STRIPPED";
+/**
+ * Structured warning returned by {@link stripSpawnToolsForWorker} when any
+ * spawn-capable tool was removed from a worker-role tool list. Surfaced by the
+ * parser so downstream layers (bundle compiler, composer, registry install)
+ * can attach the warning to their own diagnostic channels.
+ *
+ * @task T931 Thin-agent runtime enforcer
+ */
+export interface ThinAgentToolsStrippedWarning {
+    /** Stable diagnostic code — `'THIN_AGENT_TOOLS_STRIPPED'`. */
+    readonly code: typeof THIN_AGENT_TOOLS_STRIPPED;
+    /** Human-readable message explaining the strip. */
+    readonly message: string;
+    /** The exact tool names that were removed. */
+    readonly removed: readonly string[];
+}
+/**
+ * Result returned by {@link stripSpawnToolsForWorker}. Always carries the
+ * (possibly unchanged) `tools` list; `warning` is only populated when at least
+ * one tool was stripped.
+ */
+export interface StripSpawnToolsResult {
+    /** Final tool list after thin-agent enforcement. */
+    readonly tools: readonly string[];
+    /** Structured warning iff any tool was removed. */
+    readonly warning: ThinAgentToolsStrippedWarning | null;
+}
 /**
  * Result of a spawn validation check.
  */
@@ -85,11 +127,39 @@ export declare function validateSpawnRequest(callerName: string, callerRole: Rol
  * Filter a tool list based on role constraints.
  *
  * Leads and orchestrators have Edit, Write, and Bash stripped per
- * ULTRAPLAN sections 10.4 (LEAD-001) and 10.5 (ORCH-001). Workers
- * retain all tools.
+ * ULTRAPLAN sections 10.4 (LEAD-001) and 10.5 (ORCH-001). Workers have
+ * `Agent` and `Task` stripped per the thin-agent inversion-of-control rule
+ * (ORC-012, T931) — workers MUST NOT spawn subagents.
  *
  * @param tools - The full list of tool names available to the agent.
  * @param role  - The agent's role in the hierarchy.
  * @returns The filtered tool list with forbidden tools removed.
  */
 export declare function filterToolsForRole(tools: string[], role: Role): string[];
+/**
+ * Strip spawn-capable tools (`Agent`, `Task`) from a worker-role tool list at
+ * parse time. This is the parse-time half of the T931 thin-agent runtime
+ * enforcer — workers MUST NOT carry the Claude Code `Agent`/`Task` surfaces
+ * because doing so would let them spawn subagents and break the worker
+ * inversion-of-control contract (ORC-012).
+ *
+ * The runtime half (`enforceThinAgent` in `@cleocode/core/orchestration`)
+ * performs the same check immediately before dispatch as a defense-in-depth
+ * guard against misconfigured `.cant` sources or hand-written payloads that
+ * bypass the parser.
+ *
+ * @param tools - The flat tool allowlist declared on a worker agent. Missing
+ *                or non-array inputs are coerced to an empty result for safety.
+ * @returns A {@link StripSpawnToolsResult} that always carries `tools` and
+ *          carries a `warning` iff any tool was removed.
+ *
+ * @example
+ * ```typescript
+ * const result = stripSpawnToolsForWorker(['Agent', 'Read', 'Edit']);
+ * // result.tools   → ['Read', 'Edit']
+ * // result.warning → { code: 'THIN_AGENT_TOOLS_STRIPPED', removed: ['Agent'] }
+ * ```
+ *
+ * @task T931 Thin-agent runtime enforcer
+ */
+export declare function stripSpawnToolsForWorker(tools: readonly string[]): StripSpawnToolsResult;

package/dist/hierarchy.js

@@ -13,13 +13,29 @@
  * @packageDocumentation
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ORCHESTRATOR_FORBIDDEN_TOOLS = exports.LEAD_FORBIDDEN_TOOLS = void 0;
+exports.THIN_AGENT_TOOLS_STRIPPED = exports.WORKER_FORBIDDEN_SPAWN_TOOLS = exports.ORCHESTRATOR_FORBIDDEN_TOOLS = exports.LEAD_FORBIDDEN_TOOLS = void 0;
 exports.validateSpawnRequest = validateSpawnRequest;
 exports.filterToolsForRole = filterToolsForRole;
+exports.stripSpawnToolsForWorker = stripSpawnToolsForWorker;
 /** Forbidden tools for lead-role agents (ULTRAPLAN section 10.4 LEAD-001). */
 exports.LEAD_FORBIDDEN_TOOLS = ['Edit', 'Write', 'Bash'];
 /** Forbidden tools for orchestrator-role agents (ULTRAPLAN section 10.5 ORCH-001). */
 exports.ORCHESTRATOR_FORBIDDEN_TOOLS = ['Edit', 'Write', 'Bash'];
+/**
+ * Forbidden tools for worker-role agents per the thin-agent inversion-of-control
+ * rule (ORC-012, T931). Workers MUST NOT spawn subagents; these tool names are
+ * the canonical Claude Code spawn surfaces and are stripped at parse time.
+ *
+ * @task T931 Thin-agent runtime enforcer
+ * @task T907 Thin-agent enforcement
+ */
+exports.WORKER_FORBIDDEN_SPAWN_TOOLS = ['Agent', 'Task'];
+/**
+ * Diagnostic code emitted when {@link stripSpawnToolsForWorker} removed one or
+ * more tools from a worker-role tool list. Callers that want to surface the
+ * strip to audit logs should inspect the `removed` array on the warning.
+ */
+exports.THIN_AGENT_TOOLS_STRIPPED = 'THIN_AGENT_TOOLS_STRIPPED';
 // ---------------------------------------------------------------------------
 // Spawn validation
 // ---------------------------------------------------------------------------
@@ -88,16 +104,71 @@ function validateSpawnRequest(callerName, callerRole, targetName, _targetRole, t
  * Filter a tool list based on role constraints.
  *
  * Leads and orchestrators have Edit, Write, and Bash stripped per
- * ULTRAPLAN sections 10.4 (LEAD-001) and 10.5 (ORCH-001). Workers
- * retain all tools.
+ * ULTRAPLAN sections 10.4 (LEAD-001) and 10.5 (ORCH-001). Workers have
+ * `Agent` and `Task` stripped per the thin-agent inversion-of-control rule
+ * (ORC-012, T931) — workers MUST NOT spawn subagents.
  *
  * @param tools - The full list of tool names available to the agent.
  * @param role  - The agent's role in the hierarchy.
  * @returns The filtered tool list with forbidden tools removed.
  */
 function filterToolsForRole(tools, role) {
-    if (role === 'worker')
-        return tools;
+    if (role === 'worker') {
+        return stripSpawnToolsForWorker(tools).tools.slice();
+    }
     const forbidden = role === 'lead' ? exports.LEAD_FORBIDDEN_TOOLS : exports.ORCHESTRATOR_FORBIDDEN_TOOLS;
     return tools.filter((t) => !forbidden.includes(t));
 }
+/**
+ * Strip spawn-capable tools (`Agent`, `Task`) from a worker-role tool list at
+ * parse time. This is the parse-time half of the T931 thin-agent runtime
+ * enforcer — workers MUST NOT carry the Claude Code `Agent`/`Task` surfaces
+ * because doing so would let them spawn subagents and break the worker
+ * inversion-of-control contract (ORC-012).
+ *
+ * The runtime half (`enforceThinAgent` in `@cleocode/core/orchestration`)
+ * performs the same check immediately before dispatch as a defense-in-depth
+ * guard against misconfigured `.cant` sources or hand-written payloads that
+ * bypass the parser.
+ *
+ * @param tools - The flat tool allowlist declared on a worker agent. Missing
+ *                or non-array inputs are coerced to an empty result for safety.
+ * @returns A {@link StripSpawnToolsResult} that always carries `tools` and
+ *          carries a `warning` iff any tool was removed.
+ *
+ * @example
+ * ```typescript
+ * const result = stripSpawnToolsForWorker(['Agent', 'Read', 'Edit']);
+ * // result.tools   → ['Read', 'Edit']
+ * // result.warning → { code: 'THIN_AGENT_TOOLS_STRIPPED', removed: ['Agent'] }
+ * ```
+ *
+ * @task T931 Thin-agent runtime enforcer
+ */
+function stripSpawnToolsForWorker(tools) {
+    if (!Array.isArray(tools)) {
+        return { tools: [], warning: null };
+    }
+    const blocked = exports.WORKER_FORBIDDEN_SPAWN_TOOLS;
+    const removed = [];
+    const kept = [];
+    for (const tool of tools) {
+        if (blocked.includes(tool)) {
+            removed.push(tool);
+        }
+        else {
+            kept.push(tool);
+        }
+    }
+    if (removed.length === 0) {
+        return { tools: kept, warning: null };
+    }
+    return {
+        tools: kept,
+        warning: {
+            code: exports.THIN_AGENT_TOOLS_STRIPPED,
+            message: `Removed ${removed.length} spawn-capable tool(s) from worker role: ${removed.join(', ')}. Workers cannot spawn subagents (ORC-012).`,
+            removed,
+        },
+    };
+}

package/dist/index.d.ts

@@ -6,8 +6,8 @@ export { composeSpawnPayload, escalateTier, estimateTokens, TIER_CAPS } from './
 export { brainContextProvider } from './context-provider-brain.js';
 export type { CantDocumentResult, CantListResult, CantPipelineResult, CantValidationResult, SectionKind, } from './document';
 export { executePipeline, listSections, parseDocument, validateDocument, } from './document';
-export type { Role, SpawnValidation, TeamDefinition, TeamRouting } from './hierarchy.js';
-export { filterToolsForRole, LEAD_FORBIDDEN_TOOLS, ORCHESTRATOR_FORBIDDEN_TOOLS, validateSpawnRequest, } from './hierarchy.js';
+export type { Role, SpawnValidation, StripSpawnToolsResult, TeamDefinition, TeamRouting, ThinAgentToolsStrippedWarning, } from './hierarchy.js';
+export { filterToolsForRole, LEAD_FORBIDDEN_TOOLS, ORCHESTRATOR_FORBIDDEN_TOOLS, stripSpawnToolsForWorker, THIN_AGENT_TOOLS_STRIPPED, validateSpawnRequest, WORKER_FORBIDDEN_SPAWN_TOOLS, } from './hierarchy.js';
 export type { ConsolidateOptions, MentalModel, MentalModelObservation, MentalModelScope, MentalModelStore, ObservationTrigger, SessionOutput, } from './mental-model.js';
 export { consolidate, createEmptyModel, harvestObservations, renderMentalModel, } from './mental-model.js';
 export type { ConvertedFile, MigrationOptions, MigrationResult, UnconvertedSection, } from './migrate/index';

package/dist/index.js

@@ -2,7 +2,7 @@
 // JIT Agent Composer (ULTRAPLAN Wave 5)
 // Wave 7a: BRAIN-backed ContextProvider (T432)
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveWorktreeRoot = exports.mergeWorktree = exports.listWorktrees = exports.createWorktree = exports.isCantAgentV3 = exports.parseCANTMessage = exports.initCantParser = exports.isWasmAvailable = exports.isNativeAvailable = exports.initWasm = exports.cantValidateDocumentNative = exports.cantParseNative = exports.cantParseDocumentNative = exports.cantExtractAgentProfilesNative = exports.cantExecutePipelineNative = exports.cantClassifyDirectiveNative = exports.showSummary = exports.showDiff = exports.serializeCantDocument = exports.migrateMarkdown = exports.renderMentalModel = exports.harvestObservations = exports.createEmptyModel = exports.consolidate = exports.validateSpawnRequest = exports.ORCHESTRATOR_FORBIDDEN_TOOLS = exports.LEAD_FORBIDDEN_TOOLS = exports.filterToolsForRole = exports.validateDocument = exports.parseDocument = exports.listSections = exports.executePipeline = exports.brainContextProvider = exports.TIER_CAPS = exports.estimateTokens = exports.escalateTier = exports.composeSpawnPayload = exports.toCantAgentV3 = exports.compileBundle = void 0;
+exports.resolveWorktreeRoot = exports.mergeWorktree = exports.listWorktrees = exports.createWorktree = exports.isCantAgentV3 = exports.parseCANTMessage = exports.initCantParser = exports.isWasmAvailable = exports.isNativeAvailable = exports.initWasm = exports.cantValidateDocumentNative = exports.cantParseNative = exports.cantParseDocumentNative = exports.cantExtractAgentProfilesNative = exports.cantExecutePipelineNative = exports.cantClassifyDirectiveNative = exports.showSummary = exports.showDiff = exports.serializeCantDocument = exports.migrateMarkdown = exports.renderMentalModel = exports.harvestObservations = exports.createEmptyModel = exports.consolidate = exports.WORKER_FORBIDDEN_SPAWN_TOOLS = exports.validateSpawnRequest = exports.THIN_AGENT_TOOLS_STRIPPED = exports.stripSpawnToolsForWorker = exports.ORCHESTRATOR_FORBIDDEN_TOOLS = exports.LEAD_FORBIDDEN_TOOLS = exports.filterToolsForRole = exports.validateDocument = exports.parseDocument = exports.listSections = exports.executePipeline = exports.brainContextProvider = exports.TIER_CAPS = exports.estimateTokens = exports.escalateTier = exports.composeSpawnPayload = exports.toCantAgentV3 = exports.compileBundle = void 0;
 // Bundle compiler
 var bundle_1 = require("./bundle");
 Object.defineProperty(exports, "compileBundle", { enumerable: true, get: function () { return bundle_1.compileBundle; } });
@@ -20,12 +20,15 @@ Object.defineProperty(exports, "executePipeline", { enumerable: true, get: funct
 Object.defineProperty(exports, "listSections", { enumerable: true, get: function () { return document_1.listSections; } });
 Object.defineProperty(exports, "parseDocument", { enumerable: true, get: function () { return document_1.parseDocument; } });
 Object.defineProperty(exports, "validateDocument", { enumerable: true, get: function () { return document_1.validateDocument; } });
-// 3-tier hierarchy enforcement (ULTRAPLAN Wave 7)
+// 3-tier hierarchy enforcement (ULTRAPLAN Wave 7) + T931 thin-agent strip.
 var hierarchy_js_1 = require("./hierarchy.js");
 Object.defineProperty(exports, "filterToolsForRole", { enumerable: true, get: function () { return hierarchy_js_1.filterToolsForRole; } });
 Object.defineProperty(exports, "LEAD_FORBIDDEN_TOOLS", { enumerable: true, get: function () { return hierarchy_js_1.LEAD_FORBIDDEN_TOOLS; } });
 Object.defineProperty(exports, "ORCHESTRATOR_FORBIDDEN_TOOLS", { enumerable: true, get: function () { return hierarchy_js_1.ORCHESTRATOR_FORBIDDEN_TOOLS; } });
+Object.defineProperty(exports, "stripSpawnToolsForWorker", { enumerable: true, get: function () { return hierarchy_js_1.stripSpawnToolsForWorker; } });
+Object.defineProperty(exports, "THIN_AGENT_TOOLS_STRIPPED", { enumerable: true, get: function () { return hierarchy_js_1.THIN_AGENT_TOOLS_STRIPPED; } });
 Object.defineProperty(exports, "validateSpawnRequest", { enumerable: true, get: function () { return hierarchy_js_1.validateSpawnRequest; } });
+Object.defineProperty(exports, "WORKER_FORBIDDEN_SPAWN_TOOLS", { enumerable: true, get: function () { return hierarchy_js_1.WORKER_FORBIDDEN_SPAWN_TOOLS; } });
 // Mental Model Manager (ULTRAPLAN Wave 8)
 var mental_model_js_1 = require("./mental-model.js");
 Object.defineProperty(exports, "consolidate", { enumerable: true, get: function () { return mental_model_js_1.consolidate; } });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cleocode/cant",
-  "version": "2026.4.91",
+  "version": "2026.4.94",
   "description": "CANT protocol parser and runtime for CLEO — wraps cant-core via napi-rs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -9,9 +9,9 @@
     "napi/"
   ],
   "dependencies": {
-    "@cleocode/contracts": "2026.4.91",
-    "@cleocode/lafs": "2026.4.91",
-    "@cleocode/core": "2026.4.91"
+    "@cleocode/contracts": "2026.4.94",
+    "@cleocode/lafs": "2026.4.94",
+    "@cleocode/core": "2026.4.94"
   },
   "devDependencies": {
     "typescript": "^6.0.2",