@devtrack-solution/codesdd 1.2.3 → 1.2.4

package/dist/core/sdd/reversa-rules-extractor.js

@@ -0,0 +1,86 @@
+import { attestReversaSource } from './reversa-source-safety.js';
+export function buildReversaRulesInventory(input) {
+    const accepted = input.sources
+        .map((source) => ({ source, attestation: attestReversaSource({ sourcePath: source.path, content: source.content }) }))
+        .filter((entry) => entry.attestation.status === 'accepted' && entry.attestation.attestation);
+    const blockedCount = input.sources.length - accepted.length;
+    const rules = accepted.flatMap(({ source, attestation }) => scanRules(attestation.normalized_path, source.content));
+    const workflows = accepted.flatMap(({ source, attestation }) => scanWorkflows(attestation.normalized_path, source.content));
+    const findings = [];
+    if (rules.length > 0) {
+        findings.push({
+            id: 'REV-FIND-RULES-INVARIANTS',
+            phase: 'rules',
+            title: 'Business rules and invariants',
+            summary: `Detected ${rules.length} rule, validation or invariant candidates.`,
+            confidence: 'medium',
+            source_refs: unique(rules.map((entry) => entry.source_ref)),
+            contradiction_refs: [],
+            promoted_refs: [],
+            metadata: { rules },
+        });
+    }
+    if (workflows.length > 0) {
+        findings.push({
+            id: 'REV-FIND-RULES-WORKFLOWS',
+            phase: 'rules',
+            title: 'Workflow transitions',
+            summary: `Detected ${workflows.length} workflow or state transition candidates.`,
+            confidence: 'medium',
+            source_refs: unique(workflows.map((entry) => entry.source_ref)),
+            contradiction_refs: [],
+            promoted_refs: [],
+            metadata: { workflows },
+        });
+    }
+    return {
+        schema_version: 1,
+        contract: 'reversa-evidence-bundle/v1',
+        operation_id: input.operationId,
+        generated_at: input.generatedAt,
+        feature_ref: input.featureRef,
+        mode: 'read-only',
+        source_attestations: accepted.map((entry) => entry.attestation.attestation),
+        findings,
+        artifacts: [{
+                path: `.sdd/evidence/reversa/${input.featureRef}/business-rules.yaml`,
+                artifact_type: 'business_rules',
+                phase: 'rules',
+                produced_by: 'codesdd reversa rules extractor',
+                write_scope: 'read_only',
+            }],
+        validations: [{
+                id: 'REV-VAL-RULES-SAFETY',
+                phase: 'rules',
+                command: 'buildReversaRulesInventory',
+                status: blockedCount === 0 ? 'passed' : 'blocked',
+                issue_codes: blockedCount === 0 ? [] : ['UNSAFE_SOURCE_BLOCKED'],
+            }],
+        contradictions: [],
+        human_questions: rules.length === 0 ? [{
+                id: 'REV-Q-RULES-MISSING',
+                question: 'No explicit business rules were detected. Which workflows or invariants should be reviewed manually?',
+                blocks_phase: 'artifact_generation',
+                required_before_apply: true,
+            }] : [],
+        quality_refs: [`.sdd/active/${input.featureRef}/5-quality.yaml`],
+        residual_risks: [],
+        metadata: { rule_count: rules.length, workflow_count: workflows.length },
+    };
+}
+function scanRules(sourceRef, content) {
+    return [...content.matchAll(/\b(?:if|validate|ensure|invariant|policy|rule|throw new)\b[^\n;]*/giu)].map((match) => ({
+        expression: match[0].trim(),
+        source_ref: sourceRef,
+    }));
+}
+function scanWorkflows(sourceRef, content) {
+    return [...content.matchAll(/\b(?:status|state|stage)\s*=\s*['"]?([A-Za-z0-9_-]+)['"]?/giu)].map((match) => ({
+        state: match[1] ?? 'unknown',
+        source_ref: sourceRef,
+    }));
+}
+function unique(values) {
+    return [...new Set(values)];
+}
+//# sourceMappingURL=reversa-rules-extractor.js.map

package/dist/core/sdd/reversa-source-safety.d.ts

@@ -0,0 +1,19 @@
+import { type ReversaSourceAttestation } from './reversa-evidence.js';
+export interface ReversaSourceIntakeInput {
+    sourcePath: string;
+    sourceType?: ReversaSourceAttestation['source_type'];
+    content?: string;
+    trustLevel?: ReversaSourceAttestation['trust_level'];
+}
+export interface ReversaSourceIntakeResult {
+    status: 'accepted' | 'blocked';
+    normalized_path: string | null;
+    reason: string | null;
+    attestation: ReversaSourceAttestation | null;
+    redacted_content?: string;
+}
+export declare function attestReversaSource(input: ReversaSourceIntakeInput): ReversaSourceIntakeResult;
+export declare function normalizeReversaSourcePath(value: string): string | null;
+export declare function redactReversaSensitiveText(value: string): string;
+export declare function isReversaCanonicalStatePath(value: string): boolean;
+//# sourceMappingURL=reversa-source-safety.d.ts.map

package/dist/core/sdd/reversa-source-safety.js

@@ -0,0 +1,105 @@
+import { createHash } from 'node:crypto';
+import { reversaSourceAttestationSchema } from './reversa-evidence.js';
+const WINDOWS_ABSOLUTE_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
+const SECRET_PATH_SEGMENTS = new Set([
+    '.aws',
+    '.env',
+    '.ssh',
+    'credential',
+    'credentials',
+    'id_rsa',
+    'pem',
+    'private',
+    'secret',
+    'secrets',
+    'token',
+]);
+const SENSITIVE_KEY_TOKENS = ['key', 'secret', 'token', 'password', 'credential', 'private', 'auth'];
+export function attestReversaSource(input) {
+    const normalizedPath = normalizeReversaSourcePath(input.sourcePath);
+    if (!normalizedPath) {
+        return blocked(input.sourcePath, 'Source path must be project-relative and must not contain traversal or absolute roots.');
+    }
+    if (isCanonicalStatePath(normalizedPath)) {
+        return blocked(normalizedPath, 'Reversa inputs cannot target canonical CodeSDD state under .sdd/state/.');
+    }
+    if (hasSecretPathSegment(normalizedPath)) {
+        return blocked(normalizedPath, 'Source path is blocked by Reversa secret-path policy.');
+    }
+    const redactedContent = typeof input.content === 'string' ? redactReversaSensitiveText(input.content) : undefined;
+    const redactionStatus = typeof input.content === 'string' && redactedContent !== input.content ? 'redacted' : 'not_required';
+    const attestation = reversaSourceAttestationSchema.parse({
+        source_ref: normalizedPath,
+        source_type: input.sourceType ?? inferSourceType(normalizedPath),
+        trust_level: input.trustLevel ?? 'hostile',
+        sha256: input.content ? createHash('sha256').update(redactedContent ?? input.content).digest('hex') : undefined,
+        redaction_status: redactionStatus,
+    });
+    return {
+        status: 'accepted',
+        normalized_path: normalizedPath,
+        reason: null,
+        attestation,
+        redacted_content: redactedContent,
+    };
+}
+export function normalizeReversaSourcePath(value) {
+    const normalized = value.trim().replace(/\\/gu, '/').replace(/^\.\//u, '');
+    if (!normalized || normalized === '.' || normalized.startsWith('/') || WINDOWS_ABSOLUTE_PATH_PATTERN.test(normalized)) {
+        return null;
+    }
+    const segments = normalized.split('/').filter(Boolean);
+    if (segments.some((segment) => segment === '..')) {
+        return null;
+    }
+    return segments.join('/');
+}
+export function redactReversaSensitiveText(value) {
+    return value
+        .split(/\r?\n/u)
+        .map((line) => {
+        const keyMatch = line.match(/^(\s*["']?([A-Za-z0-9_.-]+)["']?\s*[:=]\s*)(.+)$/u);
+        if (!keyMatch) {
+            return line.replace(/(bearer\s+)[A-Za-z0-9._~+/-]+=*/giu, '$1[REDACTED]');
+        }
+        const key = keyMatch[2] ?? '';
+        if (!SENSITIVE_KEY_TOKENS.some((token) => key.toLowerCase().includes(token))) {
+            return line;
+        }
+        return `${keyMatch[1]}[REDACTED]`;
+    })
+        .join('\n');
+}
+export function isReversaCanonicalStatePath(value) {
+    const normalized = normalizeReversaSourcePath(value);
+    return normalized ? isCanonicalStatePath(normalized) : false;
+}
+function blocked(sourcePath, reason) {
+    return {
+        status: 'blocked',
+        normalized_path: normalizeReversaSourcePath(sourcePath),
+        reason,
+        attestation: null,
+    };
+}
+function isCanonicalStatePath(value) {
+    return value === '.sdd/state' || value.startsWith('.sdd/state/');
+}
+function hasSecretPathSegment(value) {
+    return value
+        .toLowerCase()
+        .split('/')
+        .some((segment) => SECRET_PATH_SEGMENTS.has(segment) || segment.endsWith('.pem'));
+}
+function inferSourceType(path) {
+    if (/\.(md|mdx|txt|rst)$/iu.test(path))
+        return 'document';
+    if (/\.(ya?ml|json|toml|ini|env)$/iu.test(path))
+        return 'config';
+    if (/\.(log|out)$/iu.test(path))
+        return 'runtime_log';
+    if (/\.(sql|prisma)$/iu.test(path))
+        return 'database_schema';
+    return 'repository';
+}
+//# sourceMappingURL=reversa-source-safety.js.map

package/dist/core/sdd/reversa-surface-scout.d.ts

@@ -0,0 +1,13 @@
+import type { ReversaEvidenceBundle } from './reversa-evidence.js';
+export interface ReversaSurfaceSource {
+    path: string;
+    content: string;
+}
+export interface BuildReversaSurfaceInventoryInput {
+    featureRef: string;
+    operationId: string;
+    generatedAt: string;
+    sources: ReversaSurfaceSource[];
+}
+export declare function buildReversaSurfaceInventory(input: BuildReversaSurfaceInventoryInput): ReversaEvidenceBundle;
+//# sourceMappingURL=reversa-surface-scout.d.ts.map

package/dist/core/sdd/reversa-surface-scout.js

@@ -0,0 +1,85 @@
+import { attestReversaSource } from './reversa-source-safety.js';
+export function buildReversaSurfaceInventory(input) {
+    const attestations = input.sources.map((source) => attestReversaSource({
+        sourcePath: source.path,
+        content: source.content,
+    }));
+    const accepted = attestations.filter((entry) => entry.status === 'accepted' && entry.attestation);
+    const blocked = attestations.filter((entry) => entry.status === 'blocked');
+    const findings = accepted.flatMap((entry) => {
+        const source = input.sources.find((candidate) => entry.normalized_path === candidate.path.replace(/^\.\//u, ''));
+        return source ? scanSurface(entry.normalized_path, source.content) : [];
+    });
+    return {
+        schema_version: 1,
+        contract: 'reversa-evidence-bundle/v1',
+        operation_id: input.operationId,
+        generated_at: input.generatedAt,
+        feature_ref: input.featureRef,
+        mode: 'read-only',
+        source_attestations: accepted.map((entry) => entry.attestation),
+        findings,
+        artifacts: [
+            {
+                path: `.sdd/evidence/reversa/${input.featureRef}/surface-inventory.yaml`,
+                artifact_type: 'inventory',
+                phase: 'surface',
+                produced_by: 'codesdd reversa surface scout',
+                write_scope: 'read_only',
+            },
+        ],
+        validations: [
+            {
+                id: 'REV-VAL-SURFACE-SAFETY',
+                phase: 'surface',
+                command: 'buildReversaSurfaceInventory',
+                status: blocked.length === 0 ? 'passed' : 'blocked',
+                issue_codes: blocked.length === 0 ? [] : ['UNSAFE_SOURCE_BLOCKED'],
+            },
+        ],
+        contradictions: [],
+        human_questions: [],
+        quality_refs: [`.sdd/active/${input.featureRef}/5-quality.yaml`],
+        residual_risks: blocked.map((entry) => ({
+            code: 'UNSAFE_SOURCE_BLOCKED',
+            severity: 'medium',
+            description: entry.reason ?? 'A legacy source was blocked by Reversa intake safety.',
+            mitigation: 'Review source path and provide a safe project-relative source before extraction.',
+        })),
+        metadata: {
+            counts: summarizeSurface(findings),
+        },
+    };
+}
+function scanSurface(sourceRef, content) {
+    const findings = [];
+    const routeMatches = [...content.matchAll(/\b(?:app|router)\.(get|post|put|patch|delete)\s*\(\s*['"`]([^'"`]+)['"`]/giu)];
+    const controllerMatches = [...content.matchAll(/@(Controller|Get|Post|Put|Patch|Delete)\s*\(\s*['"`]?([^'"`)]*)['"`]?\s*\)/giu)];
+    const jobMatches = [...content.matchAll(/\b(?:cron|schedule|job|queue|worker)\b/giu)];
+    const commandMatches = [...content.matchAll(/\b(?:command|program\.command|Command)\b/gu)];
+    const screenMatches = [...content.matchAll(/(?:component|screen|page|route)/giu)];
+    pushFinding(findings, 'API', 'API endpoints', routeMatches.length + controllerMatches.length, sourceRef);
+    pushFinding(findings, 'JOB', 'Jobs and workers', jobMatches.length, sourceRef);
+    pushFinding(findings, 'COMMAND', 'CLI commands', commandMatches.length, sourceRef);
+    pushFinding(findings, 'SCREEN', 'Screens and routes', screenMatches.length, sourceRef);
+    return findings;
+}
+function pushFinding(findings, suffix, title, count, sourceRef) {
+    if (count === 0)
+        return;
+    findings.push({
+        id: `REV-FIND-SURFACE-${suffix}`,
+        phase: 'surface',
+        title,
+        summary: `${title} detected in ${sourceRef}: ${count}.`,
+        confidence: 'medium',
+        source_refs: [sourceRef],
+        contradiction_refs: [],
+        promoted_refs: [],
+        metadata: { count },
+    });
+}
+function summarizeSurface(findings) {
+    return Object.fromEntries(findings.map((finding) => [finding.id, Number(finding.metadata.count ?? 0)]));
+}
+//# sourceMappingURL=reversa-surface-scout.js.map

package/dist/core/sdd/reversa-ux-mapper.d.ts

@@ -0,0 +1,11 @@
+import type { ReversaEvidenceBundle } from './reversa-evidence.js';
+export declare function buildReversaUxPermissionMap(input: {
+    featureRef: string;
+    operationId: string;
+    generatedAt: string;
+    sources: Array<{
+        path: string;
+        content: string;
+    }>;
+}): ReversaEvidenceBundle;
+//# sourceMappingURL=reversa-ux-mapper.d.ts.map

package/dist/core/sdd/reversa-ux-mapper.js

@@ -0,0 +1,73 @@
+import { attestReversaSource } from './reversa-source-safety.js';
+export function buildReversaUxPermissionMap(input) {
+    const accepted = input.sources
+        .map((source) => ({ source, attestation: attestReversaSource({ sourcePath: source.path, content: source.content }) }))
+        .filter((entry) => entry.attestation.status === 'accepted' && entry.attestation.attestation);
+    const screens = accepted.flatMap(({ source, attestation }) => scanScreens(attestation.normalized_path, source.content));
+    const permissions = accepted.flatMap(({ source, attestation }) => scanPermissions(attestation.normalized_path, source.content));
+    const findings = [];
+    if (screens.length > 0) {
+        findings.push({
+            id: 'REV-FIND-UX-SCREENS',
+            phase: 'ux',
+            title: 'Screens and UI routes',
+            summary: `Detected ${screens.length} screen, component or route candidates.`,
+            confidence: 'medium',
+            source_refs: [...new Set(screens.map((entry) => entry.source_ref))],
+            contradiction_refs: [],
+            promoted_refs: [],
+            metadata: { screens },
+        });
+    }
+    if (permissions.length > 0) {
+        findings.push({
+            id: 'REV-FIND-UX-PERMISSIONS',
+            phase: 'ux',
+            title: 'Permission and guard flows',
+            summary: `Detected ${permissions.length} permission or guard candidates.`,
+            confidence: 'medium',
+            source_refs: [...new Set(permissions.map((entry) => entry.source_ref))],
+            contradiction_refs: [],
+            promoted_refs: [],
+            metadata: { permissions },
+        });
+    }
+    return {
+        schema_version: 1,
+        contract: 'reversa-evidence-bundle/v1',
+        operation_id: input.operationId,
+        generated_at: input.generatedAt,
+        feature_ref: input.featureRef,
+        mode: 'read-only',
+        source_attestations: accepted.map((entry) => entry.attestation.attestation),
+        findings,
+        artifacts: [{
+                path: `.sdd/evidence/reversa/${input.featureRef}/ux-permission-map.yaml`,
+                artifact_type: 'ux_map',
+                phase: 'ux',
+                produced_by: 'codesdd reversa ux mapper',
+                write_scope: 'read_only',
+            }],
+        validations: [{
+                id: 'REV-VAL-UX-SAFETY',
+                phase: 'ux',
+                command: 'buildReversaUxPermissionMap',
+                status: accepted.length === input.sources.length ? 'passed' : 'blocked',
+                issue_codes: accepted.length === input.sources.length ? [] : ['UNSAFE_SOURCE_BLOCKED'],
+            }],
+        contradictions: [],
+        human_questions: [],
+        quality_refs: [`.sdd/active/${input.featureRef}/5-quality.yaml`],
+        residual_risks: [],
+        metadata: { screen_count: screens.length, permission_count: permissions.length },
+    };
+}
+function scanScreens(sourceRef, content) {
+    return [...content.matchAll(/\b(?:component|screen|page|route|path)\b\s*[:=]?\s*['"]?([A-Za-z0-9_/-]*)/giu)]
+        .map((match) => ({ name: match[1] || match[0], source_ref: sourceRef }));
+}
+function scanPermissions(sourceRef, content) {
+    return [...content.matchAll(/\b(?:guard|canActivate|permission|role|rbac|auth)\b/giu)]
+        .map((match) => ({ signal: match[0].toLowerCase(), source_ref: sourceRef }));
+}
+//# sourceMappingURL=reversa-ux-mapper.js.map

package/dist/core/sdd/runtime-boundary-contract.d.ts

@@ -0,0 +1,45 @@
+export declare const PROJECT_STATE_DIR_NAME = ".sdd";
+export declare const FORBIDDEN_PROJECT_RUNTIME_DIR_NAME = ".codesdd";
+export type CodesddStorageBoundary = 'project-state' | 'global-config' | 'global-cache' | 'global-runtime' | 'legacy-read-fallback' | 'invalid-project-runtime' | 'external';
+export interface CodesddStorageBoundaryClassification {
+    boundary: CodesddStorageBoundary;
+    path: string;
+    valid: boolean;
+    canonical: boolean;
+    versioned: boolean;
+    cacheable: boolean;
+    reason: string;
+}
+export interface CodesddStorageBoundaryReport {
+    schema_version: 1;
+    project_root: string;
+    project_state_dir: string;
+    global_runtime_dir: string;
+    global_config_path: string;
+    global_cache_dir: string;
+    global_cache_tiers: Record<string, string>;
+    legacy_config_path: string;
+    rules: {
+        versioned_project_state: string;
+        global_runtime: string;
+        global_cache: string;
+        forbidden_project_runtime: string;
+    };
+}
+export interface CodesddStorageBoundaryValidation {
+    valid: boolean;
+    findings: Array<{
+        path: string;
+        boundary: CodesddStorageBoundary;
+        message: string;
+    }>;
+    classifications: CodesddStorageBoundaryClassification[];
+}
+export declare function buildCodesddStorageBoundaryReport(projectRoot?: string): CodesddStorageBoundaryReport;
+export declare function classifyCodesddStoragePath(targetPath: string, options?: {
+    projectRoot?: string;
+}): CodesddStorageBoundaryClassification;
+export declare function validateCodesddStoragePaths(targetPaths: string[], options?: {
+    projectRoot?: string;
+}): CodesddStorageBoundaryValidation;
+//# sourceMappingURL=runtime-boundary-contract.d.ts.map

package/dist/core/sdd/runtime-boundary-contract.js

@@ -0,0 +1,90 @@
+import * as path from 'node:path';
+import { getGlobalCacheDir, getGlobalCacheTierDirs, getGlobalConfigDir, getGlobalConfigPath, getLegacyGlobalConfigDir, getLegacyGlobalConfigPath, } from '../global-config.js';
+export const PROJECT_STATE_DIR_NAME = '.sdd';
+export const FORBIDDEN_PROJECT_RUNTIME_DIR_NAME = '.codesdd';
+export function buildCodesddStorageBoundaryReport(projectRoot = process.cwd()) {
+    const normalizedProjectRoot = normalizePath(projectRoot);
+    return {
+        schema_version: 1,
+        project_root: normalizedProjectRoot,
+        project_state_dir: path.join(normalizedProjectRoot, PROJECT_STATE_DIR_NAME),
+        global_runtime_dir: getGlobalConfigDir(),
+        global_config_path: getGlobalConfigPath(),
+        global_cache_dir: getGlobalCacheDir(),
+        global_cache_tiers: getGlobalCacheTierDirs(),
+        legacy_config_path: getLegacyGlobalConfigPath(),
+        rules: {
+            versioned_project_state: 'Project decisions, backlog state, active/planned/archived features, ADRs, and docs live under .sdd and are versioned with the repository.',
+            global_runtime: 'Machine-level config, shell integration, provider settings, and reusable runtime files live under ~/.codesdd and are not repository state.',
+            global_cache: 'Cacheable derived data lives under ~/.codesdd/cache with project fingerprint isolation and can be discarded.',
+            forbidden_project_runtime: 'A project-local .codesdd directory is not canonical; use .sdd for project state and ~/.codesdd for runtime/cache.',
+        },
+    };
+}
+export function classifyCodesddStoragePath(targetPath, options = {}) {
+    const normalizedPath = normalizePath(targetPath);
+    const projectRoot = normalizePath(options.projectRoot ?? process.cwd());
+    const projectStateDir = path.join(projectRoot, PROJECT_STATE_DIR_NAME);
+    const forbiddenProjectRuntimeDir = path.join(projectRoot, FORBIDDEN_PROJECT_RUNTIME_DIR_NAME);
+    const globalConfigPath = normalizePath(getGlobalConfigPath());
+    const globalConfigDir = normalizePath(getGlobalConfigDir());
+    const globalCacheDir = normalizePath(getGlobalCacheDir());
+    const legacyConfigPath = normalizePath(getLegacyGlobalConfigPath());
+    const legacyConfigDir = normalizePath(getLegacyGlobalConfigDir());
+    if (isSameOrInside(normalizedPath, forbiddenProjectRuntimeDir)) {
+        return classification('invalid-project-runtime', normalizedPath, false, false, false, false, 'Project-local .codesdd is not canonical; use .sdd for project state or ~/.codesdd for runtime/cache.');
+    }
+    if (isSameOrInside(normalizedPath, projectStateDir)) {
+        return classification('project-state', normalizedPath, true, true, true, false, 'Versioned project governance, docs, decisions, and lifecycle state belong under .sdd.');
+    }
+    if (normalizedPath === globalConfigPath) {
+        return classification('global-config', normalizedPath, true, true, false, false, 'Machine-level CodeSDD configuration belongs in ~/.codesdd/config.toml and is not project state.');
+    }
+    if (isSameOrInside(normalizedPath, globalCacheDir)) {
+        return classification('global-cache', normalizedPath, true, true, false, true, 'Cacheable derived data belongs under ~/.codesdd/cache and must remain discardable.');
+    }
+    if (isSameOrInside(normalizedPath, globalConfigDir)) {
+        return classification('global-runtime', normalizedPath, true, true, false, false, 'Reusable machine runtime files belong under ~/.codesdd and are not repository state.');
+    }
+    if (normalizedPath === legacyConfigPath || isSameOrInside(normalizedPath, legacyConfigDir)) {
+        return classification('legacy-read-fallback', normalizedPath, true, false, false, false, 'Legacy global config is read only as a compatibility fallback; new runtime state belongs under ~/.codesdd.');
+    }
+    return classification('external', normalizedPath, true, false, false, false, 'Path is outside CodeSDD project state and global runtime boundaries.');
+}
+export function validateCodesddStoragePaths(targetPaths, options = {}) {
+    const classifications = targetPaths.map((targetPath) => classifyCodesddStoragePath(targetPath, options));
+    const findings = classifications
+        .filter((entry) => !entry.valid)
+        .map((entry) => ({
+        path: entry.path,
+        boundary: entry.boundary,
+        message: entry.reason,
+    }));
+    return {
+        valid: findings.length === 0,
+        findings,
+        classifications,
+    };
+}
+function classification(boundary, targetPath, valid, canonical, versioned, cacheable, reason) {
+    return {
+        boundary,
+        path: targetPath,
+        valid,
+        canonical,
+        versioned,
+        cacheable,
+        reason,
+    };
+}
+function normalizePath(input) {
+    return path.resolve(input);
+}
+function isSameOrInside(candidate, parent) {
+    if (candidate === parent) {
+        return true;
+    }
+    const relative = path.relative(parent, candidate);
+    return relative.length > 0 && !relative.startsWith('..') && !path.isAbsolute(relative);
+}
+//# sourceMappingURL=runtime-boundary-contract.js.map