@delegance/claude-autopilot 5.0.8 → 5.2.0

package/dist/src/core/migrate/handshake.js

@@ -0,0 +1,130 @@
+// src/core/migrate/handshake.ts
+//
+// Reads <skillPath>/skill.manifest.json and verifies compatibility:
+// - runtimeVersion must satisfy [min_runtime, max_runtime] (semver, no pre-release)
+// - skill_runtime_api_version major must equal envelopeContractVersion major
+//
+// Fails closed: missing/invalid manifest is rejected, not silently allowed.
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+function parseSemver(s) {
+    // Match X.Y.Z or X.Y.Z-prerelease
+    const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(s);
+    if (!m)
+        return null;
+    return {
+        major: parseInt(m[1], 10),
+        minor: parseInt(m[2], 10),
+        patch: parseInt(m[3], 10),
+        ...(m[4] ? { prerelease: m[4] } : {}),
+    };
+}
+/**
+ * Parse a range expressed as either:
+ * - "X.Y.Z" -> exact lower bound (>= X.Y.Z)
+ * - "X.x" or "X.*" -> upper bound (< (X+1).0.0)
+ */
+function parseRangeBound(s) {
+    const wildcard = /^(\d+)\.[xX*]$/.exec(s) ?? /^(\d+)\.[xX*]\.[xX*]$/.exec(s);
+    if (wildcard) {
+        return { major: parseInt(wildcard[1], 10), minor: 0, patch: 0, isWildcard: true };
+    }
+    const exactBound = parseSemver(s);
+    if (exactBound) {
+        return { major: exactBound.major, minor: exactBound.minor, patch: exactBound.patch, isWildcard: false };
+    }
+    return null;
+}
+function compare(a, b) {
+    if (a.major !== b.major)
+        return a.major - b.major;
+    if (a.minor !== b.minor)
+        return a.minor - b.minor;
+    if (a.patch !== b.patch)
+        return a.patch - b.patch;
+    return 0;
+}
+function isWithinRange(version, min, max) {
+    const v = parseSemver(version);
+    if (!v)
+        return { ok: false, reason: 'runtime-below-min' };
+    // Strict semver: pre-release versions don't satisfy plain ranges
+    if (v.prerelease)
+        return { ok: false, reason: 'runtime-below-min' };
+    const lo = parseRangeBound(min);
+    const hi = parseRangeBound(max);
+    if (!lo || !hi)
+        return { ok: false, reason: 'runtime-below-min' };
+    if (compare(v, lo) < 0)
+        return { ok: false, reason: 'runtime-below-min' };
+    if (hi.isWildcard) {
+        // major.x means < (major+1).0.0
+        if (v.major > hi.major)
+            return { ok: false, reason: 'runtime-above-max' };
+    }
+    else {
+        if (compare(v, hi) > 0)
+            return { ok: false, reason: 'runtime-above-max' };
+    }
+    return { ok: true };
+}
+function isValidManifest(o) {
+    if (!o || typeof o !== 'object')
+        return false;
+    const m = o;
+    return (typeof m.skillId === 'string' &&
+        typeof m.skill_runtime_api_version === 'string' &&
+        typeof m.min_runtime === 'string' &&
+        typeof m.max_runtime === 'string');
+}
+export function performHandshake(opts) {
+    const manifestPath = path.join(opts.skillPath, 'skill.manifest.json');
+    if (!fs.existsSync(manifestPath)) {
+        return {
+            ok: false,
+            reasonCode: 'manifest-missing',
+            message: `skill.manifest.json not found at ${manifestPath}`,
+        };
+    }
+    let raw;
+    try {
+        raw = fs.readFileSync(manifestPath, 'utf8');
+    }
+    catch (err) {
+        return { ok: false, reasonCode: 'manifest-invalid', message: `cannot read manifest: ${err.message}` };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        return { ok: false, reasonCode: 'manifest-invalid', message: `manifest JSON parse failed: ${err.message}` };
+    }
+    if (!isValidManifest(parsed)) {
+        return { ok: false, reasonCode: 'manifest-invalid', message: 'manifest missing required fields (skillId, skill_runtime_api_version, min_runtime, max_runtime)' };
+    }
+    // API major check
+    const apiMajor = (s) => s.split('.')[0];
+    if (apiMajor(parsed.skill_runtime_api_version) !== apiMajor(opts.envelopeContractVersion)) {
+        return {
+            ok: false,
+            reasonCode: 'api-version-mismatch',
+            message: `skill API version ${parsed.skill_runtime_api_version} incompatible with envelope contract ${opts.envelopeContractVersion} (major must match)`,
+        };
+    }
+    // Runtime range check
+    const range = isWithinRange(opts.runtimeVersion, parsed.min_runtime, parsed.max_runtime);
+    if (!range.ok) {
+        const reason = range.reason;
+        const hint = reason === 'runtime-below-min'
+            ? `requires runtime >= ${parsed.min_runtime}, got ${opts.runtimeVersion} -- run \`npm install -g @delegance/claude-autopilot@latest\``
+            : `requires runtime <= ${parsed.max_runtime}, got ${opts.runtimeVersion} -- pin an older runtime or upgrade the skill`;
+        return {
+            ok: false,
+            reasonCode: reason,
+            message: `skill ${parsed.skillId} ${hint}`,
+        };
+    }
+    return { ok: true, manifest: parsed };
+}
+//# sourceMappingURL=handshake.js.map

package/dist/src/core/migrate/migrator.d.ts

@@ -0,0 +1,34 @@
+export interface MigrateLegacySkillOptions {
+    repoRoot: string;
+    /**
+     * If an archive directory with the same ISO timestamp already exists, the
+     * migrator appends a monotonic counter rather than overwriting. `force`
+     * has no destructive meaning today; reserved for future "yes, replace
+     * already-migrated content" semantics. Currently informational only.
+     */
+    force?: boolean;
+}
+export interface MigrateLegacySkillResult {
+    migrated: boolean;
+    /** Short string describing why we did or did not migrate. */
+    reason?: string;
+    /** Absolute path to the archive directory (only set when migrated=true). */
+    archivePath?: string;
+    /** Human-readable per-step audit trail of every move/skip decision. */
+    report: string[];
+}
+/**
+ * The thin reference SKILL.md content for `skills/migrate/`. After migration
+ * this is what the slot must contain. Kept in sync with the dispatcher's
+ * envelope contract (see src/core/migrate/dispatcher.ts).
+ */
+export declare const THIN_MIGRATE_SKILL_MD = "---\nname: migrate\ndescription: Generic migration orchestrator. Reads .autopilot/stack.md, builds an invocation envelope, dispatches to the configured rich migrate skill (migrate.supabase@1, migrate.prisma@1, \u2026), and parses the ResultArtifact.\n---\n\n# /migrate \u2014 Generic migration orchestrator\n\nThis is the thin entrypoint. It does not run migrations itself \u2014 it dispatches\nto the rich skill named in `.autopilot/stack.md` under `migrate.skill`.\n\n## How it works\n\n1. Read `.autopilot/stack.md` for `migrate.skill` (e.g. `migrate.supabase@1`,\n   `migrate.prisma@1`, `none@1`).\n2. Build an invocation envelope (contractVersion, invocationId, nonce, env,\n   dryRun, gitBase/Head, changedFiles, etc.).\n3. Resolve the stable skill ID via `presets/aliases.lock.json`.\n4. Spawn the resolved skill subprocess with `AUTOPILOT_ENVELOPE` set.\n5. Read the `ResultArtifact` written to `AUTOPILOT_RESULT_PATH`.\n6. Branch the pipeline on `status` and `nextActions`.\n\n## Configuration\n\nSet `migrate.skill` in `.autopilot/stack.md`:\n\n```yaml\nschema_version: 1\nmigrate:\n  skill: \"migrate.supabase@1\"   # or migrate.prisma@1, none@1, \u2026\n  policy:\n    allow_prod_in_ci: false\n    require_clean_git: true\n    require_manual_approval: true\n    require_dry_run_first: false\n```\n\nFor the rich Supabase runner (`data/deltas`, `types/supabase.ts`,\n`.claude/supabase-envs.json`) see `skills/migrate-supabase/SKILL.md`.\n\nFor an explicit no-op (docs-only PRs, no DB yet) see\n`skills/migrate-none/SKILL.md`.\n";
+export declare function migrateLegacySkill(opts: MigrateLegacySkillOptions): MigrateLegacySkillResult;
+/**
+ * Returns true iff `skills/migrate/SKILL.md` looks like the legacy Delegance
+ * Supabase shape (clean OR user-edited). Used by the doctor for *detection*
+ * before deciding whether to run the migrator. Never reads from outside
+ * `repoRoot`.
+ */
+export declare function detectsLegacyMigrateSkill(repoRoot: string): boolean;
+//# sourceMappingURL=migrator.d.ts.map

package/dist/src/core/migrate/migrator.js

@@ -0,0 +1,302 @@
+// src/core/migrate/migrator.ts
+//
+// Task 8.1 — Legacy `/migrate` skill migrator.
+//
+// Migrates a repo where `skills/migrate/SKILL.md` still holds the original
+// Delegance Supabase-shaped content over to the generalised post-Phase-8
+// layout:
+//
+//   skills/migrate/SKILL.md           — thin generic orchestrator (this file
+//                                       describes the dispatcher contract)
+//   skills/migrate-supabase/SKILL.md  — rich Supabase runner (already shipped)
+//
+// Detection rules (legacy shape):
+//   1. SKILL.md content sha256 matches the known legacy fingerprint, OR
+//   2. Frontmatter `description:` contains "Supabase" (case-insensitive)
+//      AND `name:` is "migrate" (i.e. the slot is the generic skill but the
+//      content describes the rich Supabase variant).
+//
+// Outcomes:
+//   - "clean"          — content matches legacy fingerprint exactly. The
+//                        legacy file is moved to a timestamped archive
+//                        directory: skills/migrate.archive-<ISO>/SKILL.md.
+//                        Then the thin reference is written to
+//                        skills/migrate/SKILL.md.
+//   - "user-edited"    — description matches but content drifted. We write
+//                        a backup at skills/migrate.backup-<ISO>/SKILL.md
+//                        (preserving user diffs) before installing the thin
+//                        reference. `force: false` (default) still archives
+//                        and rewrites — `force` only affects whether we
+//                        overwrite an existing archive collision.
+//   - "already-migrated" — content already matches the thin reference (or
+//                          frontmatter `name: migrate` with description that
+//                          does NOT mention Supabase). Returns `migrated:
+//                          false` and a non-error reason.
+//
+// Safety guarantees:
+//   - Never `rm` — archives are timestamped paths; if a collision occurs we
+//     append a monotonic counter (`-2`, `-3`, …) instead of overwriting.
+//   - Reference content is written via `fs.writeFileSync`. The legacy file is
+//     copied via `fs.copyFileSync` into the archive before being replaced.
+//   - Idempotent: invoking twice on the same repo is a no-op the second
+//     time.
+//
+// See spec § "Task 8.1 (migrator) — collision handling" for archive naming.
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+/**
+ * The thin reference SKILL.md content for `skills/migrate/`. After migration
+ * this is what the slot must contain. Kept in sync with the dispatcher's
+ * envelope contract (see src/core/migrate/dispatcher.ts).
+ */
+export const THIN_MIGRATE_SKILL_MD = `---
+name: migrate
+description: Generic migration orchestrator. Reads .autopilot/stack.md, builds an invocation envelope, dispatches to the configured rich migrate skill (migrate.supabase@1, migrate.prisma@1, …), and parses the ResultArtifact.
+---
+
+# /migrate — Generic migration orchestrator
+
+This is the thin entrypoint. It does not run migrations itself — it dispatches
+to the rich skill named in \`.autopilot/stack.md\` under \`migrate.skill\`.
+
+## How it works
+
+1. Read \`.autopilot/stack.md\` for \`migrate.skill\` (e.g. \`migrate.supabase@1\`,
+   \`migrate.prisma@1\`, \`none@1\`).
+2. Build an invocation envelope (contractVersion, invocationId, nonce, env,
+   dryRun, gitBase/Head, changedFiles, etc.).
+3. Resolve the stable skill ID via \`presets/aliases.lock.json\`.
+4. Spawn the resolved skill subprocess with \`AUTOPILOT_ENVELOPE\` set.
+5. Read the \`ResultArtifact\` written to \`AUTOPILOT_RESULT_PATH\`.
+6. Branch the pipeline on \`status\` and \`nextActions\`.
+
+## Configuration
+
+Set \`migrate.skill\` in \`.autopilot/stack.md\`:
+
+\`\`\`yaml
+schema_version: 1
+migrate:
+  skill: "migrate.supabase@1"   # or migrate.prisma@1, none@1, …
+  policy:
+    allow_prod_in_ci: false
+    require_clean_git: true
+    require_manual_approval: true
+    require_dry_run_first: false
+\`\`\`
+
+For the rich Supabase runner (\`data/deltas\`, \`types/supabase.ts\`,
+\`.claude/supabase-envs.json\`) see \`skills/migrate-supabase/SKILL.md\`.
+
+For an explicit no-op (docs-only PRs, no DB yet) see
+\`skills/migrate-none/SKILL.md\`.
+`;
+/**
+ * Sha256 fingerprint of the original Delegance legacy SKILL.md (the one
+ * shipped in commit d84f8ff before Task 4.1 added the manifest). Used to
+ * recognise a "clean" legacy install.
+ *
+ * Computed at import time from the canonical legacy text below. We embed the
+ * canonical text rather than just the hash so future maintainers can audit.
+ */
+const LEGACY_CANONICAL_SKILL_MD = `---
+name: migrate
+description: Run database migrations against Supabase environments (dev → QA → prod). Validates SQL, executes with ledger tracking, and auto-generates types/supabase.ts.
+---
+
+# Database Migration
+
+Run a migration through the dev → QA → prod pipeline with validation at each step.
+
+## Usage
+
+### 1. Identify the migration file
+
+If given as argument, use that. Otherwise find the most recently modified \`.sql\` file in \`data/deltas/\`.
+
+### 2. Validate (dry run on dev)
+
+\`\`\`bash
+npx tsx scripts/supabase/migrate.ts <file> --env dev --dry-run
+\`\`\`
+
+Present validation results. If errors, help the user fix them before proceeding.
+
+### 3. Run on dev
+
+\`\`\`bash
+npx tsx scripts/supabase/migrate.ts <file> --env dev
+\`\`\`
+
+### 4. Ask the user
+
+> "Migration succeeded on dev. \`types/supabase.ts\` updated. Promote to QA?"
+
+### 5. Run on QA
+
+\`\`\`bash
+npx tsx scripts/supabase/migrate.ts --promote qa
+\`\`\`
+
+### 6. Ask the user
+
+> "Migration succeeded on QA. Promote to prod?"
+
+### 7. Run on prod
+
+\`\`\`bash
+npx tsx scripts/supabase/migrate.ts --promote prod --confirm-prod
+\`\`\`
+
+### 8. Commit
+
+After all environments are done, commit the updated \`types/supabase.ts\` and the migration file:
+
+\`\`\`bash
+git add types/supabase.ts data/deltas/<migration-file>
+git commit -m "feat: <description of schema change>"
+\`\`\`
+
+## Flags
+
+| Flag | Purpose |
+|------|---------|
+| \`--env dev\\|qa\\|prod\` | Target environment |
+| \`--dry-run\` | Validate only, don't execute |
+| \`--force\` | Allow destructive operations (DROP, TRUNCATE) |
+| \`--confirm-prod\` | Required for prod execution |
+| \`--promote qa\\|prod\` | Run missing migrations from source env |
+
+## Validation Checks
+
+The system validates before every execution:
+- Duplicate table/column detection
+- snake_case naming enforcement
+- RLS + policy required for every new table
+- Destructive operation blocking (unless --force)
+- Cross-env prerequisite verification
+- Checksum integrity (modified files are rejected)
+- Promotion chain enforcement (prod requires QA first)
+
+## Requirements
+
+- \`.claude/supabase-envs.json\` with \`dbUrl\` for each env (gitignored)
+- \`postgres\` npm package installed
+`;
+function parseFrontmatter(content) {
+    if (!content.startsWith('---'))
+        return null;
+    const end = content.indexOf('\n---', 3);
+    if (end === -1)
+        return null;
+    const block = content.slice(3, end).trim();
+    const out = {};
+    for (const rawLine of block.split('\n')) {
+        const line = rawLine.trimEnd();
+        const m = line.match(/^([a-zA-Z_][a-zA-Z0-9_-]*):\s*(.*)$/);
+        if (!m)
+            continue;
+        const key = m[1];
+        const value = m[2] ?? '';
+        if (key === 'name')
+            out.name = value.trim().replace(/^["']|["']$/g, '');
+        else if (key === 'description')
+            out.description = value.trim();
+    }
+    return out;
+}
+function detectLegacyShape(content) {
+    // Exact-match check first (clean install).
+    if (content === LEGACY_CANONICAL_SKILL_MD) {
+        return { kind: 'clean' };
+    }
+    if (content === THIN_MIGRATE_SKILL_MD) {
+        return { kind: 'already-thin' };
+    }
+    const fm = parseFrontmatter(content);
+    if (!fm)
+        return { kind: 'not-legacy' };
+    if (fm.name !== 'migrate') {
+        // Some other skill? Don't touch.
+        return { kind: 'not-legacy' };
+    }
+    // Frontmatter says name: migrate but content drifted. If description still
+    // refers to Supabase, treat as legacy that the user has edited.
+    if (fm.description && /supabase/i.test(fm.description)) {
+        return { kind: 'user-edited' };
+    }
+    // name: migrate but description doesn't reference Supabase → already a
+    // generic / thin variant the user has authored themselves.
+    return { kind: 'already-thin' };
+}
+function isoStamp() {
+    return new Date().toISOString().replace(/[.:]/g, '-');
+}
+/**
+ * Pick a non-colliding archive path. If `base` already exists, append `-2`,
+ * `-3`, … until we find a free slot. Never overwrites.
+ */
+function pickArchivePath(base) {
+    if (!fs.existsSync(base))
+        return base;
+    for (let i = 2; i < 1000; i++) {
+        const candidate = `${base}-${i}`;
+        if (!fs.existsSync(candidate))
+            return candidate;
+    }
+    // Extremely unlikely; surface as an error rather than silently overwriting.
+    throw new Error(`Archive collision: exhausted counter at ${base}`);
+}
+export function migrateLegacySkill(opts) {
+    const repoRoot = path.resolve(opts.repoRoot);
+    const skillDir = path.join(repoRoot, 'skills', 'migrate');
+    const skillMdPath = path.join(skillDir, 'SKILL.md');
+    const report = [];
+    if (!fs.existsSync(skillMdPath)) {
+        report.push(`skipped: ${path.relative(repoRoot, skillMdPath)} not present — nothing to migrate`);
+        return { migrated: false, reason: 'no-skill-md', report };
+    }
+    const content = fs.readFileSync(skillMdPath, 'utf8');
+    const detection = detectLegacyShape(content);
+    if (detection.kind === 'already-thin') {
+        report.push(`skipped: ${path.relative(repoRoot, skillMdPath)} already matches the thin reference (or a custom non-Supabase variant)`);
+        return { migrated: false, reason: 'already-migrated', report };
+    }
+    if (detection.kind === 'not-legacy') {
+        report.push(`skipped: ${path.relative(repoRoot, skillMdPath)} has unexpected frontmatter — leaving untouched`);
+        return { migrated: false, reason: 'not-legacy-shape', report };
+    }
+    const stamp = isoStamp();
+    const archiveBase = detection.kind === 'clean'
+        ? path.join(repoRoot, 'skills', `migrate.archive-${stamp}`)
+        : path.join(repoRoot, 'skills', `migrate.backup-${stamp}`);
+    const archiveDir = pickArchivePath(archiveBase);
+    fs.mkdirSync(archiveDir, { recursive: true });
+    const archivedSkillMd = path.join(archiveDir, 'SKILL.md');
+    fs.copyFileSync(skillMdPath, archivedSkillMd);
+    report.push(`archived: ${path.relative(repoRoot, skillMdPath)} → ${path.relative(repoRoot, archivedSkillMd)} (${detection.kind})`);
+    // Replace skills/migrate/SKILL.md with the thin reference.
+    fs.writeFileSync(skillMdPath, THIN_MIGRATE_SKILL_MD, 'utf8');
+    report.push(`wrote: ${path.relative(repoRoot, skillMdPath)} (thin generic orchestrator reference)`);
+    return {
+        migrated: true,
+        reason: detection.kind === 'clean' ? 'clean-archive' : 'user-edited-backup',
+        archivePath: archiveDir,
+        report,
+    };
+}
+/**
+ * Returns true iff `skills/migrate/SKILL.md` looks like the legacy Delegance
+ * Supabase shape (clean OR user-edited). Used by the doctor for *detection*
+ * before deciding whether to run the migrator. Never reads from outside
+ * `repoRoot`.
+ */
+export function detectsLegacyMigrateSkill(repoRoot) {
+    const skillMdPath = path.join(path.resolve(repoRoot), 'skills', 'migrate', 'SKILL.md');
+    if (!fs.existsSync(skillMdPath))
+        return false;
+    const content = fs.readFileSync(skillMdPath, 'utf8');
+    const det = detectLegacyShape(content);
+    return det.kind === 'clean' || det.kind === 'user-edited';
+}
+//# sourceMappingURL=migrator.js.map

package/dist/src/core/migrate/monorepo.d.ts

@@ -0,0 +1,2 @@
+export declare function findWorkspaces(repoRoot: string): string[];
+//# sourceMappingURL=monorepo.d.ts.map

package/dist/src/core/migrate/monorepo.js

@@ -0,0 +1,114 @@
+// src/core/migrate/monorepo.ts
+//
+// Discovers monorepo workspaces from common declarations:
+// pnpm-workspace.yaml, package.json#workspaces, nx.json. Falls back to
+// [repoRoot] for single-workspace repos. Glob patterns expanded
+// (packages/*, apps/*).
+//
+// Workspace paths are filtered to those that actually exist as
+// directories AND stay within repoRoot (no path-escape).
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as yaml from 'js-yaml';
+function expandGlob(repoRoot, pattern) {
+    // Only handle simple patterns: 'packages/*', 'apps/*', 'libs/*'
+    // (single trailing star). Anything more complex is ignored.
+    if (!pattern.includes('*')) {
+        const abs = path.resolve(repoRoot, pattern);
+        return abs.startsWith(repoRoot) && fs.existsSync(abs) && fs.statSync(abs).isDirectory()
+            ? [abs]
+            : [];
+    }
+    const idx = pattern.indexOf('*');
+    const prefix = pattern.slice(0, idx).replace(/\/$/, '');
+    const baseAbs = path.resolve(repoRoot, prefix);
+    if (!baseAbs.startsWith(repoRoot))
+        return [];
+    if (!fs.existsSync(baseAbs))
+        return [];
+    let entries;
+    try {
+        entries = fs.readdirSync(baseAbs, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    return entries
+        .filter(e => e.isDirectory())
+        .map(e => path.join(baseAbs, e.name));
+}
+function readPnpmWorkspace(repoRoot) {
+    const p = path.join(repoRoot, 'pnpm-workspace.yaml');
+    if (!fs.existsSync(p))
+        return null;
+    try {
+        const data = yaml.load(fs.readFileSync(p, 'utf8'));
+        return data?.packages ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function readPackageJsonWorkspaces(repoRoot) {
+    const p = path.join(repoRoot, 'package.json');
+    if (!fs.existsSync(p))
+        return null;
+    try {
+        const data = JSON.parse(fs.readFileSync(p, 'utf8'));
+        if (!data.workspaces)
+            return null;
+        if (Array.isArray(data.workspaces))
+            return data.workspaces.filter((w) => typeof w === 'string');
+        if (typeof data.workspaces === 'object' && data.workspaces !== null && Array.isArray(data.workspaces.packages)) {
+            return data.workspaces.packages.filter((w) => typeof w === 'string');
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function readNxProjects(repoRoot) {
+    const p = path.join(repoRoot, 'nx.json');
+    if (!fs.existsSync(p))
+        return null;
+    try {
+        const data = JSON.parse(fs.readFileSync(p, 'utf8'));
+        if (Array.isArray(data.projects))
+            return data.projects;
+        if (data.projects && typeof data.projects === 'object') {
+            return Object.values(data.projects)
+                .map(v => v?.root)
+                .filter((r) => typeof r === 'string');
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+export function findWorkspaces(repoRoot) {
+    // Resolve to absolute path (no symlink follow needed; repoRoot is canonical
+    // by caller's contract).
+    const repoAbs = path.resolve(repoRoot);
+    const patterns = readPnpmWorkspace(repoAbs) ??
+        readPackageJsonWorkspaces(repoAbs) ??
+        readNxProjects(repoAbs);
+    if (!patterns || patterns.length === 0) {
+        return [repoAbs];
+    }
+    const found = new Set();
+    for (const pattern of patterns) {
+        for (const abs of expandGlob(repoAbs, pattern)) {
+            // Path-escape guard: must remain under repoAbs
+            if (abs.startsWith(repoAbs + path.sep) || abs === repoAbs) {
+                found.add(abs);
+            }
+        }
+    }
+    if (found.size === 0) {
+        return [repoAbs];
+    }
+    return Array.from(found).sort();
+}
+//# sourceMappingURL=monorepo.js.map

package/dist/src/core/migrate/policy-enforcer.d.ts

@@ -0,0 +1,28 @@
+export interface PolicyConfig {
+    allow_prod_in_ci: boolean;
+    require_clean_git: boolean;
+    require_manual_approval: boolean;
+    require_dry_run_first: boolean;
+}
+export interface EnforcementContext {
+    policy: PolicyConfig;
+    env: string;
+    repoRoot: string;
+    ci: boolean;
+    yesFlag: boolean;
+    nonInteractive: boolean;
+    gitHead: string;
+    /** When set, override AUTOPILOT_TARGET_ENV check with this value (mainly for tests) */
+    _targetEnvOverride?: string;
+}
+export type EnforcementResult = {
+    ok: true;
+    decisions: string[];
+} | {
+    ok: false;
+    reasonCode: string;
+    message: string;
+    decisions: string[];
+};
+export declare function enforcePolicy(ctx: EnforcementContext): EnforcementResult;
+//# sourceMappingURL=policy-enforcer.d.ts.map