@delegance/claude-autopilot 5.0.7 → 5.2.0

package/dist/src/core/migrate/detector-rules.js

@@ -0,0 +1,147 @@
+// src/core/migrate/detector-rules.ts
+//
+// Detection rules for the init flow. Each rule has explicit confidence;
+// detector returns all matches with their confidence so the UI can
+// auto-select (1 high) or prompt (>1 or any non-high).
+export const DETECTION_RULES = [
+    {
+        name: 'nextjs-supabase',
+        stack: 'nextjs-supabase',
+        confidence: 'high',
+        requireAll: ['data/deltas', '.claude/supabase-envs.json'],
+        defaultSkill: 'migrate.supabase@1',
+        promptOnSelect: false,
+    },
+    {
+        name: 'supabase-cli',
+        stack: 'supabase-cli',
+        confidence: 'high',
+        requireAll: ['supabase/migrations'],
+        excludeIf: ['data/deltas'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'supabase', args: ['migration', 'up'] },
+        promptOnSelect: false,
+    },
+    {
+        name: 'prisma-migrate',
+        stack: 'prisma-migrate',
+        confidence: 'high',
+        requireAll: ['prisma/schema.prisma', 'prisma/migrations'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'prisma', args: ['migrate', 'dev'] },
+        promptOnSelect: false,
+    },
+    {
+        name: 'prisma-push',
+        stack: 'prisma-push',
+        confidence: 'low',
+        requireAll: ['prisma/schema.prisma'],
+        excludeIf: ['prisma/migrations'],
+        defaultSkill: 'migrate@1',
+        promptOnSelect: true,
+    },
+    {
+        name: 'drizzle-migrate',
+        stack: 'drizzle-migrate',
+        confidence: 'high',
+        requireAll: ['drizzle/migrations'],
+        requireAny: ['drizzle.config.ts', 'drizzle.config.js'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'drizzle-kit', args: ['migrate'] },
+        promptOnSelect: false,
+    },
+    {
+        name: 'drizzle-push',
+        stack: 'drizzle-push',
+        confidence: 'low',
+        requireAll: [],
+        requireAny: ['drizzle.config.ts', 'drizzle.config.js'],
+        excludeIf: ['drizzle/migrations'],
+        defaultSkill: 'migrate@1',
+        promptOnSelect: true,
+    },
+    {
+        name: 'rails',
+        stack: 'rails',
+        confidence: 'high',
+        requireAll: ['db/migrate', 'Gemfile'],
+        contentMatches: { file: 'Gemfile', pattern: /\brails\b/ },
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'rails', args: ['db:migrate'] },
+        promptOnSelect: false,
+    },
+    {
+        name: 'golang-migrate',
+        stack: 'golang-migrate',
+        confidence: 'high',
+        requireAll: ['go.mod', 'migrate'],
+        defaultSkill: 'migrate@1',
+        promptOnSelect: false,
+    },
+    {
+        name: 'flyway',
+        stack: 'flyway',
+        confidence: 'high',
+        requireAll: [],
+        requireAny: ['flyway.conf', 'flyway.toml'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'flyway', args: ['migrate'] },
+        promptOnSelect: false,
+    },
+    {
+        name: 'dbmate',
+        stack: 'dbmate',
+        confidence: 'high',
+        requireAll: ['dbmate'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'dbmate', args: ['up'] },
+        promptOnSelect: false,
+    },
+    {
+        name: 'alembic',
+        stack: 'alembic',
+        confidence: 'medium',
+        requireAll: ['alembic.ini'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'alembic', args: ['upgrade', 'head'] },
+        promptOnSelect: true,
+    },
+    {
+        name: 'django',
+        stack: 'django',
+        confidence: 'medium',
+        requireAll: ['manage.py'],
+        requireGlob: ['*/migrations/0001_*.py'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'python', args: ['manage.py', 'migrate'] },
+        promptOnSelect: true,
+    },
+    {
+        name: 'ecto',
+        stack: 'ecto',
+        confidence: 'medium',
+        requireAll: ['mix.exs', 'priv/repo/migrations'],
+        defaultSkill: 'migrate@1',
+        defaultCommand: { exec: 'mix', args: ['ecto.migrate'] },
+        promptOnSelect: true,
+    },
+    {
+        name: 'typeorm',
+        stack: 'typeorm',
+        confidence: 'medium',
+        requireAll: [],
+        requireAny: ['ormconfig.json', 'ormconfig.ts', 'ormconfig.js', 'data-source.ts'],
+        defaultSkill: 'migrate@1',
+        promptOnSelect: true,
+    },
+    {
+        name: 'supabase-bare',
+        stack: 'supabase-bare',
+        confidence: 'low',
+        requireAll: ['supabase'],
+        excludeIf: ['supabase/migrations', 'data/deltas'],
+        defaultSkill: 'migrate@1',
+        promptOnSelect: true,
+    },
+];
+//# sourceMappingURL=detector-rules.js.map

package/dist/src/core/migrate/detector.d.ts

@@ -0,0 +1,16 @@
+import { type DetectionRule, type Confidence } from './detector-rules.ts';
+export interface DetectionMatch {
+    rule: DetectionRule;
+    /** Same as rule.confidence — surfaced for the UI's convenience. */
+    confidence: Confidence;
+}
+export interface DetectionOutput {
+    matches: DetectionMatch[];
+    /** True when we have a single high-confidence match the caller can
+     *  auto-select. False when caller should prompt the user. */
+    autoSelect: boolean;
+    /** True when caller should prompt the user (>1 match, or any non-high). */
+    prompt: boolean;
+}
+export declare function detect(projectRoot: string): DetectionOutput;
+//# sourceMappingURL=detector.d.ts.map

package/dist/src/core/migrate/detector.js

@@ -0,0 +1,105 @@
+// src/core/migrate/detector.ts
+//
+// Runs detection rules against a project root. Returns ALL matching
+// rules with their confidence. The init flow uses this:
+//   - 1 high-confidence match → auto-select, write stack.md
+//   - >1 match OR any non-high → prompt user
+//   - 0 matches → fail closed (require --skip-migrate)
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { DETECTION_RULES } from "./detector-rules.js";
+function entryExists(projectRoot, rel) {
+    try {
+        fs.statSync(path.join(projectRoot, rel));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function fileMatches(projectRoot, rel, pattern) {
+    try {
+        const content = fs.readFileSync(path.join(projectRoot, rel), 'utf8');
+        return pattern.test(content);
+    }
+    catch {
+        return false;
+    }
+}
+function matchesGlob(projectRoot, glob) {
+    // Handle simple patterns: '*/migrations/0001_*.py'
+    // We do depth-2 directory walk for simplicity.
+    const parts = glob.split('/');
+    if (parts.length < 2)
+        return false;
+    const firstStar = parts[0] === '*';
+    if (!firstStar) {
+        // No leading wildcard; fall back to direct existence
+        return entryExists(projectRoot, glob);
+    }
+    // Depth-1 dirs under projectRoot, then check the rest
+    let dirs = [];
+    try {
+        dirs = fs.readdirSync(projectRoot, { withFileTypes: true })
+            .filter(d => d.isDirectory())
+            .map(d => d.name);
+    }
+    catch {
+        return false;
+    }
+    const remaining = parts.slice(1);
+    for (const dir of dirs) {
+        const subPath = path.join(projectRoot, dir, ...remaining.slice(0, -1));
+        const lastPart = remaining[remaining.length - 1];
+        // last part may be a glob like 0001_*.py
+        let entries = [];
+        try {
+            entries = fs.readdirSync(subPath);
+        }
+        catch {
+            continue;
+        }
+        const lastRegex = new RegExp('^' + lastPart.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+        if (entries.some(e => lastRegex.test(e)))
+            return true;
+    }
+    return false;
+}
+function ruleApplies(rule, projectRoot) {
+    for (const r of rule.requireAll) {
+        if (!entryExists(projectRoot, r))
+            return false;
+    }
+    if (rule.requireAny && rule.requireAny.length > 0) {
+        if (!rule.requireAny.some(r => entryExists(projectRoot, r)))
+            return false;
+    }
+    if (rule.requireGlob && rule.requireGlob.length > 0) {
+        if (!rule.requireGlob.every(g => matchesGlob(projectRoot, g)))
+            return false;
+    }
+    if (rule.contentMatches) {
+        if (!fileMatches(projectRoot, rule.contentMatches.file, rule.contentMatches.pattern))
+            return false;
+    }
+    if (rule.excludeIf) {
+        for (const ex of rule.excludeIf) {
+            if (entryExists(projectRoot, ex))
+                return false;
+        }
+    }
+    return true;
+}
+export function detect(projectRoot) {
+    const matches = [];
+    for (const rule of DETECTION_RULES) {
+        if (ruleApplies(rule, projectRoot)) {
+            matches.push({ rule, confidence: rule.confidence });
+        }
+    }
+    const highMatches = matches.filter(m => m.confidence === 'high');
+    const autoSelect = matches.length === 1 && highMatches.length === 1;
+    const prompt = matches.length > 0 && !autoSelect;
+    return { matches, autoSelect, prompt };
+}
+//# sourceMappingURL=detector.js.map

package/dist/src/core/migrate/dispatcher.d.ts

@@ -0,0 +1,19 @@
+import type { ResultArtifact } from './types.ts';
+export interface DispatchOptions {
+    repoRoot: string;
+    env: string;
+    yesFlag: boolean;
+    nonInteractive: boolean;
+    /** Runtime version, normally from package.json. */
+    currentRuntimeVersion: string;
+    /** Override env_file lookup (mainly for tests) */
+    envOverride?: Record<string, string>;
+    /** Optional changedFiles for envelope (passes through verbatim) */
+    changedFiles?: string[];
+    /** dryRun pass-through to the envelope */
+    dryRun?: boolean;
+    /** projectId for monorepo invocations */
+    projectId?: string;
+}
+export declare function dispatch(opts: DispatchOptions): Promise<ResultArtifact>;
+//# sourceMappingURL=dispatcher.d.ts.map

package/dist/src/core/migrate/dispatcher.js

@@ -0,0 +1,358 @@
+// src/core/migrate/dispatcher.ts
+//
+// Orchestrates the full migrate flow:
+//   1. Read .autopilot/stack.md, validate schema
+//   2. Resolve migrate.skill via alias map (path-escape protected)
+//   3. Skill manifest handshake (runtime range + API version)
+//   4. Build invocation envelope (UUID, nonce, git refs)
+//   5. Enforce policy (4-flag CI prod gate, clean git, etc.)
+//   6. Execute the env command via spawn(shell:false), capturing the
+//      result artifact (file or nonce-bound stdout fallback)
+//   7. Parse the result artifact, validate identity
+//   8. Append audit log entry (seq + prev_hash)
+//
+// Fails closed at every step. Always emits an audit entry, even on
+// failure, so operators can see what was attempted.
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+import * as yaml from 'js-yaml';
+import { validateStackMd } from "./schema-validator.js";
+import { resolveSkill } from "./alias-resolver.js";
+import { performHandshake } from "./handshake.js";
+import { buildEnvelope } from "./envelope.js";
+import { enforcePolicy } from "./policy-enforcer.js";
+import { executeCommand } from "./executor.js";
+import { parseResult } from "./result-parser.js";
+import { appendAuditEvent } from "./audit-log.js";
+import { ENVELOPE_CONTRACT_VERSION, RESULT_TEMPDIR_MODE } from "./contract.js";
+const DEFAULT_POLICY = {
+    allow_prod_in_ci: false,
+    require_clean_git: true,
+    require_manual_approval: true,
+    require_dry_run_first: false,
+};
+function readStackMd(repoRoot) {
+    const stackPath = path.join(repoRoot, '.autopilot', 'stack.md');
+    if (!fs.existsSync(stackPath))
+        return { ok: false, reason: 'stack.md not found' };
+    const raw = fs.readFileSync(stackPath, 'utf8');
+    let parsed;
+    try {
+        parsed = yaml.load(raw);
+    }
+    catch {
+        return { ok: false, reason: 'stack.md YAML parse failed' };
+    }
+    return { ok: true, raw, parsed: parsed };
+}
+function loadEnvFile(envFilePath, repoRoot) {
+    const abs = path.resolve(repoRoot, envFilePath);
+    if (!fs.existsSync(abs))
+        return {};
+    const out = {};
+    for (const rawLine of fs.readFileSync(abs, 'utf8').split('\n')) {
+        const line = rawLine.trim();
+        if (!line || line.startsWith('#'))
+            continue;
+        // Accept lowercase, uppercase, and mixed-case identifiers — many real-world
+        // env files (e.g. local docker postgres) use lowercase like `database_url`.
+        const m = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(line);
+        if (!m)
+            continue;
+        let value = m[2];
+        // Strip balanced surrounding quotes (single or double) to mirror typical
+        // dotenv parsing behavior.
+        if (value.length >= 2 &&
+            ((value.startsWith('"') && value.endsWith('"')) ||
+                (value.startsWith("'") && value.endsWith("'")))) {
+            value = value.slice(1, -1);
+        }
+        out[m[1]] = value;
+    }
+    return out;
+}
+function hashEnvelope(env) {
+    return 'sha256:' + crypto.createHash('sha256').update(JSON.stringify(env)).digest('hex');
+}
+async function emitAuditFailure(repoRoot, opts, reasonCode, partial) {
+    try {
+        await appendAuditEvent(path.join(repoRoot, '.autopilot', 'audit.log'), {
+            invocationId: partial.invocationId ?? 'pre-envelope',
+            event: 'dispatch',
+            requested_skill: partial.requested ?? 'unknown',
+            resolved_skill: partial.resolved ?? 'unknown',
+            skill_path: partial.skillPath ?? '',
+            envelope_contract_version: ENVELOPE_CONTRACT_VERSION,
+            skill_runtime_api_version: partial.apiVersion ?? 'unknown',
+            envelope_hash: partial.envelopeHash ?? '',
+            policy_decisions: partial.decisions ?? [],
+            mode: opts.dryRun ? 'dry-run' : 'apply',
+            actor: process.env.USER ?? 'unknown',
+            ci_provider: process.env.AUTOPILOT_CI_PROVIDER ?? null,
+            ci_run_id: process.env.GITHUB_RUN_ID ?? null,
+            result_status: `error:${reasonCode}`,
+            duration_ms: partial.durationMs ?? 0,
+        });
+    }
+    catch {
+        // last-ditch: don't let audit-log failure mask the real error
+    }
+}
+function synthErr(reasonCode, invocationId = 'pre-envelope', nonce = '') {
+    return {
+        contractVersion: ENVELOPE_CONTRACT_VERSION,
+        skillId: 'unknown',
+        invocationId,
+        nonce,
+        status: 'error',
+        reasonCode,
+        appliedMigrations: [],
+        destructiveDetected: false,
+        sideEffectsPerformed: ['no-side-effects'],
+        nextActions: [],
+    };
+}
+export async function dispatch(opts) {
+    const t0 = Date.now();
+    // 1. Read + validate stack.md
+    const stackResult = readStackMd(opts.repoRoot);
+    if (!stackResult.ok) {
+        await emitAuditFailure(opts.repoRoot, opts, 'invalid-stack-config', {});
+        return synthErr('invalid-stack-config');
+    }
+    const validation = validateStackMd(stackResult.raw);
+    if (!validation.valid) {
+        const msg = validation.errors.map(e => e.message).join('; ');
+        // Map known validator errors to a more specific reason code where possible
+        const reasonCode = /stableSkillId|skillId-not-in-registry/.test(msg)
+            ? 'stable-id-unknown'
+            : 'invalid-stack-config';
+        await emitAuditFailure(opts.repoRoot, opts, reasonCode, {});
+        return synthErr(reasonCode);
+    }
+    const requestedSkill = stackResult.parsed.migrate.skill;
+    // 2. Resolve alias
+    const resolved = resolveSkill(requestedSkill, { repoRoot: opts.repoRoot });
+    if (!resolved.ok) {
+        await emitAuditFailure(opts.repoRoot, opts, resolved.reasonCode, {
+            requested: requestedSkill,
+        });
+        return synthErr(resolved.reasonCode);
+    }
+    // 3. Handshake
+    const handshake = performHandshake({
+        skillPath: resolved.skillPath,
+        runtimeVersion: opts.currentRuntimeVersion,
+        envelopeContractVersion: ENVELOPE_CONTRACT_VERSION,
+    });
+    if (!handshake.ok) {
+        await emitAuditFailure(opts.repoRoot, opts, handshake.reasonCode, {
+            requested: requestedSkill,
+            resolved: resolved.stableId,
+            skillPath: resolved.skillPath,
+        });
+        return synthErr(handshake.reasonCode);
+    }
+    // 4. Envelope
+    let envelope;
+    try {
+        envelope = buildEnvelope({
+            changedFiles: opts.changedFiles ?? [],
+            env: opts.env,
+            repoRoot: opts.repoRoot,
+            dryRun: opts.dryRun ?? false,
+            projectId: opts.projectId,
+        });
+    }
+    catch {
+        await emitAuditFailure(opts.repoRoot, opts, 'envelope-build-failed', {
+            requested: requestedSkill,
+            resolved: resolved.stableId,
+            skillPath: resolved.skillPath,
+            apiVersion: handshake.manifest.skill_runtime_api_version,
+        });
+        return synthErr('envelope-build-failed');
+    }
+    const envelopeHash = hashEnvelope(envelope);
+    // 5. Policy
+    const policy = { ...DEFAULT_POLICY, ...(stackResult.parsed.migrate.policy ?? {}) };
+    const enforced = enforcePolicy({
+        policy,
+        env: opts.env,
+        repoRoot: opts.repoRoot,
+        ci: envelope.ci,
+        yesFlag: opts.yesFlag,
+        nonInteractive: opts.nonInteractive,
+        gitHead: envelope.gitHead,
+    });
+    if (!enforced.ok) {
+        await emitAuditFailure(opts.repoRoot, opts, enforced.reasonCode, {
+            invocationId: envelope.invocationId,
+            requested: requestedSkill,
+            resolved: resolved.stableId,
+            skillPath: resolved.skillPath,
+            apiVersion: handshake.manifest.skill_runtime_api_version,
+            decisions: enforced.decisions,
+            envelopeHash,
+        });
+        return synthErr(enforced.reasonCode, envelope.invocationId, envelope.nonce);
+    }
+    // 6. Execute
+    //
+    // Different skills source their command shape differently:
+    //   - migrate@1            — thin runner, requires envs.<env>.command
+    //   - migrate.supabase@1   — rich runner; we hand the script the envelope
+    //                            via env vars and let it discover settings from
+    //                            stack.md's `migrate.supabase` block + envs_file.
+    //   - none@1               — no-op skill; we synthesize a `skipped` result
+    //                            without spawning anything.
+    let envSpec;
+    if (resolved.stableId === 'none@1') {
+        // No-op skill — return synthetic skipped result without spawning anything.
+        // Still emit audit entry so the dispatch is observable.
+        const skipResult = {
+            contractVersion: ENVELOPE_CONTRACT_VERSION,
+            skillId: 'none@1',
+            invocationId: envelope.invocationId,
+            nonce: envelope.nonce,
+            status: 'skipped',
+            reasonCode: 'migration-disabled',
+            appliedMigrations: [],
+            destructiveDetected: false,
+            sideEffectsPerformed: ['no-side-effects'],
+            nextActions: [],
+        };
+        await appendAuditEvent(path.join(opts.repoRoot, '.autopilot', 'audit.log'), {
+            invocationId: envelope.invocationId,
+            event: 'dispatch',
+            requested_skill: requestedSkill,
+            resolved_skill: resolved.stableId,
+            skill_path: resolved.skillPath,
+            envelope_contract_version: ENVELOPE_CONTRACT_VERSION,
+            skill_runtime_api_version: handshake.manifest.skill_runtime_api_version,
+            envelope_hash: envelopeHash,
+            policy_decisions: enforced.decisions,
+            mode: opts.dryRun ? 'dry-run' : 'apply',
+            actor: process.env.USER ?? 'unknown',
+            ci_provider: process.env.AUTOPILOT_CI_PROVIDER ?? null,
+            ci_run_id: process.env.GITHUB_RUN_ID ?? null,
+            result_status: 'skipped',
+            duration_ms: Date.now() - t0,
+        });
+        return skipResult;
+    }
+    if (resolved.stableId === 'migrate.supabase@1') {
+        // Rich Supabase runner manages env discovery via the supabase block +
+        // envs_file. The script's envelope shim activates when AUTOPILOT_ENVELOPE
+        // is set, regardless of CLI args.
+        //
+        // We still honor envs.<env>.command when explicitly provided (tests +
+        // fixtures rely on it as an escape hatch). When omitted, fall back to
+        // invoking the packaged runner.
+        const supabaseBlock = stackResult.parsed.migrate.supabase;
+        if (!supabaseBlock) {
+            await emitAuditFailure(opts.repoRoot, opts, 'invalid-stack-config', {
+                invocationId: envelope.invocationId,
+                requested: requestedSkill,
+                resolved: resolved.stableId,
+                skillPath: resolved.skillPath,
+                apiVersion: handshake.manifest.skill_runtime_api_version,
+                decisions: enforced.decisions,
+                envelopeHash,
+            });
+            return synthErr('invalid-stack-config', envelope.invocationId, envelope.nonce);
+        }
+        envSpec = stackResult.parsed.migrate.envs?.[opts.env] ?? {
+            command: { exec: 'npx', args: ['tsx', 'scripts/supabase/migrate.ts'] },
+        };
+    }
+    else {
+        envSpec = stackResult.parsed.migrate.envs?.[opts.env];
+    }
+    if (!envSpec) {
+        await emitAuditFailure(opts.repoRoot, opts, 'env-not-configured', {
+            invocationId: envelope.invocationId,
+            requested: requestedSkill,
+            resolved: resolved.stableId,
+            skillPath: resolved.skillPath,
+            apiVersion: handshake.manifest.skill_runtime_api_version,
+            decisions: enforced.decisions,
+            envelopeHash,
+        });
+        return synthErr('env-not-configured', envelope.invocationId, envelope.nonce);
+    }
+    // Set up per-invocation result file with strict permissions
+    const tmpRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'autopilot-result-'));
+    fs.chmodSync(tmpRoot, RESULT_TEMPDIR_MODE);
+    const resultPath = path.join(tmpRoot, `${envelope.invocationId}.json`);
+    // Pre-create result file with O_CREAT|O_EXCL|O_WRONLY, mode 0o600, no symlink follow.
+    // The skill will then open the existing file for writing — TOCTOU window closed
+    // against a malicious pre-placed file or symlink.
+    const fd = fs.openSync(resultPath, fs.constants.O_CREAT | fs.constants.O_EXCL | fs.constants.O_WRONLY, 0o600);
+    fs.closeSync(fd);
+    const childEnv = {
+        ...(envSpec.env_file ? loadEnvFile(envSpec.env_file, opts.repoRoot) : {}),
+        ...(opts.envOverride ?? {}),
+        AUTOPILOT_ENVELOPE: JSON.stringify(envelope),
+        AUTOPILOT_RESULT_PATH: resultPath,
+    };
+    let execResult;
+    try {
+        execResult = await executeCommand(envSpec.command, {
+            cwd: opts.repoRoot,
+            env: childEnv,
+        });
+    }
+    catch {
+        await emitAuditFailure(opts.repoRoot, opts, 'execute-threw', {
+            invocationId: envelope.invocationId,
+            requested: requestedSkill,
+            resolved: resolved.stableId,
+            skillPath: resolved.skillPath,
+            apiVersion: handshake.manifest.skill_runtime_api_version,
+            decisions: enforced.decisions,
+            envelopeHash,
+        });
+        try {
+            fs.rmSync(tmpRoot, { recursive: true });
+        }
+        catch { /* */ }
+        return synthErr('execute-threw', envelope.invocationId, envelope.nonce);
+    }
+    // 7. Parse result artifact
+    const allowStdoutFallback = handshake.manifest.stdoutFallback === true;
+    const result = parseResult({
+        filePath: resultPath,
+        stdout: execResult.stdout,
+        expected: { invocationId: envelope.invocationId, nonce: envelope.nonce },
+        allowStdoutFallback,
+    });
+    // Cleanup temp dir
+    try {
+        fs.rmSync(tmpRoot, { recursive: true });
+    }
+    catch { /* */ }
+    // 8. Audit log entry (always emitted on the success path)
+    const durationMs = Date.now() - t0;
+    await appendAuditEvent(path.join(opts.repoRoot, '.autopilot', 'audit.log'), {
+        invocationId: envelope.invocationId,
+        event: 'dispatch',
+        requested_skill: requestedSkill,
+        resolved_skill: resolved.stableId,
+        skill_path: resolved.skillPath,
+        envelope_contract_version: ENVELOPE_CONTRACT_VERSION,
+        skill_runtime_api_version: handshake.manifest.skill_runtime_api_version,
+        envelope_hash: envelopeHash,
+        policy_decisions: enforced.decisions,
+        mode: opts.dryRun ? 'dry-run' : 'apply',
+        actor: process.env.USER ?? 'unknown',
+        ci_provider: process.env.AUTOPILOT_CI_PROVIDER ?? null,
+        ci_run_id: process.env.GITHUB_RUN_ID ?? null,
+        result_status: result.status,
+        duration_ms: durationMs,
+    });
+    return result;
+}
+//# sourceMappingURL=dispatcher.js.map

package/dist/src/core/migrate/doctor-checks.d.ts

@@ -0,0 +1,19 @@
+export interface CheckResult {
+    ok: boolean;
+    message?: string;
+    fixHint?: string;
+}
+export interface NamedCheckResult {
+    name: string;
+    result: CheckResult;
+}
+export declare function stackMdExists(repoRoot: string): CheckResult;
+export declare function schemaValidates(repoRoot: string): CheckResult;
+export declare function skillResolves(repoRoot: string): CheckResult;
+export declare function perEnvCommandsExplicit(repoRoot: string): CheckResult;
+export declare function policyFieldsValid(repoRoot: string): CheckResult;
+export declare function projectRootHasToolchain(repoRoot: string): CheckResult;
+export declare function deprecatedKeysAbsent(repoRoot: string): CheckResult;
+export declare function envFileSafety(repoRoot: string): CheckResult;
+export declare function runAllChecks(repoRoot: string): NamedCheckResult[];
+//# sourceMappingURL=doctor-checks.d.ts.map