@edictum/core 0.1.0

package/dist/index.cjs

@@ -0,0 +1,3774 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/errors.ts
+var EdictumDenied, EdictumConfigError, EdictumToolError;
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+    EdictumDenied = class extends Error {
+      reason;
+      decisionSource;
+      decisionName;
+      constructor(reason, decisionSource = null, decisionName = null) {
+        super(reason);
+        this.name = "EdictumDenied";
+        this.reason = reason;
+        this.decisionSource = decisionSource;
+        this.decisionName = decisionName;
+      }
+    };
+    EdictumConfigError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "EdictumConfigError";
+      }
+    };
+    EdictumToolError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "EdictumToolError";
+      }
+    };
+  }
+});
+
+// src/envelope.ts
+function createPrincipal(partial = {}) {
+  const p = {
+    userId: partial.userId ?? null,
+    serviceId: partial.serviceId ?? null,
+    orgId: partial.orgId ?? null,
+    role: partial.role ?? null,
+    ticketRef: partial.ticketRef ?? null,
+    claims: partial.claims ?? {}
+  };
+  return deepFreeze(p);
+}
+function _validateToolName(toolName) {
+  if (!toolName) {
+    throw new EdictumConfigError(`Invalid tool_name: ${JSON.stringify(toolName)}`);
+  }
+  for (let i = 0; i < toolName.length; i++) {
+    const code = toolName.charCodeAt(i);
+    const ch = toolName[i];
+    if (code < 32 || code === 127 || ch === "/" || ch === "\\") {
+      throw new EdictumConfigError(`Invalid tool_name: ${JSON.stringify(toolName)}`);
+    }
+  }
+}
+function deepFreeze(obj) {
+  if (obj === null || obj === void 0 || typeof obj !== "object") {
+    return obj;
+  }
+  if (obj instanceof Date) {
+    return obj;
+  }
+  if (obj instanceof RegExp) {
+    return obj;
+  }
+  Object.freeze(obj);
+  for (const value of Object.values(obj)) {
+    if (value !== null && value !== void 0 && typeof value === "object" && !Object.isFrozen(value)) {
+      deepFreeze(value);
+    }
+  }
+  return obj;
+}
+function safeDeepCopy(value) {
+  try {
+    return structuredClone(value);
+  } catch {
+    return JSON.parse(JSON.stringify(value));
+  }
+}
+function createEnvelope(toolName, toolInput, options = {}) {
+  _validateToolName(toolName);
+  const safeArgs = safeDeepCopy(toolInput);
+  const safeMetadata = options.metadata ? safeDeepCopy(options.metadata) : {};
+  let safePrincipal = null;
+  if (options.principal != null) {
+    const p = options.principal;
+    safePrincipal = createPrincipal({
+      userId: p.userId,
+      serviceId: p.serviceId,
+      orgId: p.orgId,
+      role: p.role,
+      ticketRef: p.ticketRef,
+      claims: p.claims ? safeDeepCopy(p.claims) : {}
+    });
+  }
+  const registry = options.registry ?? null;
+  let sideEffect = options.sideEffect ?? SideEffect.IRREVERSIBLE;
+  let idempotent = options.idempotent ?? false;
+  let bashCommand = null;
+  let filePath = null;
+  if (registry) {
+    const [regEffect, regIdempotent] = registry.classify(toolName, safeArgs);
+    if (options.sideEffect == null) sideEffect = regEffect;
+    if (options.idempotent == null) idempotent = regIdempotent;
+  }
+  if (toolName === "Bash") {
+    bashCommand = safeArgs.command ?? "";
+    if (options.sideEffect == null) {
+      sideEffect = BashClassifier.classify(bashCommand);
+    }
+  } else if (toolName === "Read" || toolName === "Glob" || toolName === "Grep") {
+    filePath = safeArgs.file_path ?? safeArgs.filePath ?? safeArgs.path ?? null;
+  } else if (toolName === "Write" || toolName === "Edit") {
+    filePath = safeArgs.file_path ?? safeArgs.filePath ?? safeArgs.path ?? null;
+  }
+  const envelope = {
+    toolName,
+    args: safeArgs,
+    callId: options.callId ?? (0, import_node_crypto.randomUUID)(),
+    runId: options.runId ?? "",
+    callIndex: options.callIndex ?? 0,
+    parentCallId: options.parentCallId ?? null,
+    sideEffect,
+    idempotent,
+    environment: options.environment ?? "production",
+    timestamp: options.timestamp ?? /* @__PURE__ */ new Date(),
+    caller: options.caller ?? "",
+    toolUseId: options.toolUseId ?? null,
+    principal: safePrincipal,
+    bashCommand,
+    filePath,
+    metadata: safeMetadata
+  };
+  return deepFreeze(envelope);
+}
+var import_node_crypto, SideEffect, ToolRegistry, BashClassifier;
+var init_envelope = __esm({
+  "src/envelope.ts"() {
+    "use strict";
+    import_node_crypto = require("crypto");
+    init_errors();
+    SideEffect = {
+      PURE: "pure",
+      READ: "read",
+      WRITE: "write",
+      IRREVERSIBLE: "irreversible"
+    };
+    ToolRegistry = class {
+      _tools = /* @__PURE__ */ new Map();
+      register(name, sideEffect = SideEffect.WRITE, idempotent = false) {
+        this._tools.set(name, { name, sideEffect, idempotent });
+      }
+      classify(toolName, _args) {
+        const cfg = this._tools.get(toolName);
+        if (cfg) {
+          return [cfg.sideEffect, cfg.idempotent];
+        }
+        return [SideEffect.IRREVERSIBLE, false];
+      }
+    };
+    BashClassifier = {
+      READ_ALLOWLIST: [
+        "ls",
+        "cat",
+        "head",
+        "tail",
+        "wc",
+        "find",
+        "grep",
+        "rg",
+        "git status",
+        "git log",
+        "git diff",
+        "git show",
+        "git branch",
+        "git remote",
+        "git tag",
+        "echo",
+        "pwd",
+        "whoami",
+        "date",
+        "which",
+        "file",
+        "stat",
+        "du",
+        "df",
+        "tree",
+        "less",
+        "more"
+      ],
+      SHELL_OPERATORS: [
+        "\n",
+        "\r",
+        "<(",
+        "<<",
+        "$",
+        "${",
+        ">",
+        ">>",
+        "|",
+        ";",
+        "&&",
+        "||",
+        "$(",
+        "`",
+        "#{"
+      ],
+      classify(command) {
+        const stripped = command.trim();
+        if (!stripped) {
+          return SideEffect.READ;
+        }
+        for (const op of BashClassifier.SHELL_OPERATORS) {
+          if (stripped.includes(op)) {
+            return SideEffect.IRREVERSIBLE;
+          }
+        }
+        for (const allowed of BashClassifier.READ_ALLOWLIST) {
+          if (stripped === allowed || stripped.startsWith(allowed + " ")) {
+            return SideEffect.READ;
+          }
+        }
+        return SideEffect.IRREVERSIBLE;
+      }
+    };
+  }
+});
+
+// src/contracts.ts
+var Verdict;
+var init_contracts = __esm({
+  "src/contracts.ts"() {
+    "use strict";
+    Verdict = {
+      /**
+       * Contract passed — tool call is acceptable.
+       */
+      pass_() {
+        return Object.freeze({ passed: true, message: null, metadata: Object.freeze({}) });
+      },
+      /**
+       * Contract failed with an actionable message (truncated to 500 chars).
+       *
+       * Make it SPECIFIC and INSTRUCTIVE — the agent uses it to self-correct.
+       */
+      fail(message, metadata = {}) {
+        const truncated = message.length > 500 ? message.slice(0, 497) + "..." : message;
+        return Object.freeze({
+          passed: false,
+          message: truncated,
+          metadata: Object.freeze({ ...metadata })
+        });
+      }
+    };
+  }
+});
+
+// src/hooks.ts
+var HookResult, HookDecision;
+var init_hooks = __esm({
+  "src/hooks.ts"() {
+    "use strict";
+    HookResult = {
+      ALLOW: "allow",
+      DENY: "deny"
+    };
+    HookDecision = {
+      allow() {
+        return Object.freeze({ result: HookResult.ALLOW, reason: null });
+      },
+      deny(reason) {
+        const truncated = reason.length > 500 ? reason.slice(0, 497) + "..." : reason;
+        return Object.freeze({ result: HookResult.DENY, reason: truncated });
+      }
+    };
+  }
+});
+
+// src/session.ts
+function hasBatchGet(backend) {
+  return "batchGet" in backend;
+}
+function _validateStorageKeyComponent(value, label) {
+  if (!value) {
+    throw new EdictumConfigError(`Invalid ${label}: ${JSON.stringify(value)}`);
+  }
+  if (value.length > MAX_ID_LENGTH) {
+    throw new EdictumConfigError(`Invalid ${label}: exceeds ${MAX_ID_LENGTH} characters`);
+  }
+  for (let i = 0; i < value.length; i++) {
+    const code = value.charCodeAt(i);
+    if (code < 32 || code === 127) {
+      throw new EdictumConfigError(`Invalid ${label}: ${JSON.stringify(value)}`);
+    }
+  }
+}
+var MAX_ID_LENGTH, Session;
+var init_session = __esm({
+  "src/session.ts"() {
+    "use strict";
+    init_errors();
+    MAX_ID_LENGTH = 1e4;
+    Session = class {
+      _sid;
+      _backend;
+      constructor(sessionId, backend) {
+        _validateStorageKeyComponent(sessionId, "session_id");
+        this._sid = sessionId;
+        this._backend = backend;
+      }
+      get sessionId() {
+        return this._sid;
+      }
+      /** Increment attempt counter. Called in PreToolUse (before governance). */
+      async incrementAttempts() {
+        return await this._backend.increment(`s:${this._sid}:attempts`);
+      }
+      async attemptCount() {
+        return Number(await this._backend.get(`s:${this._sid}:attempts`) ?? 0);
+      }
+      /** Record a tool execution. Called in PostToolUse. */
+      async recordExecution(toolName, success) {
+        _validateStorageKeyComponent(toolName, "tool_name");
+        await this._backend.increment(`s:${this._sid}:execs`);
+        await this._backend.increment(`s:${this._sid}:tool:${toolName}`);
+        if (success) {
+          await this._backend.delete(`s:${this._sid}:consec_fail`);
+        } else {
+          await this._backend.increment(`s:${this._sid}:consec_fail`);
+        }
+      }
+      async executionCount() {
+        return Number(await this._backend.get(`s:${this._sid}:execs`) ?? 0);
+      }
+      async toolExecutionCount(tool) {
+        _validateStorageKeyComponent(tool, "tool_name");
+        return Number(
+          await this._backend.get(`s:${this._sid}:tool:${tool}`) ?? 0
+        );
+      }
+      async consecutiveFailures() {
+        return Number(
+          await this._backend.get(`s:${this._sid}:consec_fail`) ?? 0
+        );
+      }
+      /**
+       * Pre-fetch multiple session counters in a single backend call.
+       *
+       * Returns a record with keys: "attempts", "execs", and optionally
+       * "tool:{name}" if includeTool is provided.
+       *
+       * Uses batchGet() on the backend when available (single HTTP round
+       * trip for ServerBackend). Falls back to individual get() calls for
+       * backends without batchGet support.
+       */
+      async batchGetCounters(options) {
+        const keys = [
+          `s:${this._sid}:attempts`,
+          `s:${this._sid}:execs`
+        ];
+        const keyLabels = ["attempts", "execs"];
+        if (options?.includeTool != null) {
+          _validateStorageKeyComponent(options.includeTool, "tool_name");
+          keys.push(`s:${this._sid}:tool:${options.includeTool}`);
+          keyLabels.push(`tool:${options.includeTool}`);
+        }
+        let raw;
+        if (hasBatchGet(this._backend)) {
+          raw = await this._backend.batchGet(keys);
+        } else {
+          raw = {};
+          for (const key of keys) {
+            raw[key] = await this._backend.get(key);
+          }
+        }
+        const result = {};
+        for (let i = 0; i < keys.length; i++) {
+          const label = keyLabels[i] ?? "";
+          const key = keys[i] ?? "";
+          result[label] = Number(raw[key] ?? 0);
+        }
+        return result;
+      }
+    };
+  }
+});
+
+// src/redaction.ts
+var RedactionPolicy;
+var init_redaction = __esm({
+  "src/redaction.ts"() {
+    "use strict";
+    init_errors();
+    RedactionPolicy = class _RedactionPolicy {
+      static DEFAULT_SENSITIVE_KEYS = /* @__PURE__ */ new Set([
+        "password",
+        "secret",
+        "token",
+        "api_key",
+        "apikey",
+        "api-key",
+        "authorization",
+        "auth",
+        "credentials",
+        "private_key",
+        "privatekey",
+        "access_token",
+        "refresh_token",
+        "client_secret",
+        "connection_string",
+        "database_url",
+        "db_password",
+        "ssh_key",
+        "passphrase"
+      ]);
+      static BASH_REDACTION_PATTERNS = [
+        [
+          String.raw`(export\s+\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)\w*=)\S+`,
+          "$1[REDACTED]"
+        ],
+        [String.raw`(-p\s*|--password[= ])\S+`, "$1[REDACTED]"],
+        [String.raw`(://\w+:)\S+(@)`, "$1[REDACTED]$2"]
+      ];
+      static SECRET_VALUE_PATTERNS = [
+        String.raw`^(sk-[a-zA-Z0-9]{20,})`,
+        String.raw`^(AKIA[A-Z0-9]{16})`,
+        String.raw`^(eyJ[a-zA-Z0-9_-]{20,}\.)`,
+        String.raw`^(ghp_[a-zA-Z0-9]{36})`,
+        String.raw`^(xox[bpas]-[a-zA-Z0-9-]{10,})`
+      ];
+      static MAX_PAYLOAD_SIZE = 32768;
+      static MAX_REGEX_INPUT = 1e4;
+      static MAX_PATTERN_LENGTH = 1e4;
+      _keys;
+      _patterns;
+      _compiledPatterns;
+      _compiledSecretPatterns;
+      _detectValues;
+      constructor(sensitiveKeys, customPatterns, detectSecretValues = true) {
+        const baseKeys = sensitiveKeys ? /* @__PURE__ */ new Set([..._RedactionPolicy.DEFAULT_SENSITIVE_KEYS, ...sensitiveKeys]) : new Set(_RedactionPolicy.DEFAULT_SENSITIVE_KEYS);
+        this._keys = new Set([...baseKeys].map((k) => k.toLowerCase()));
+        if (customPatterns) {
+          for (const [pattern] of customPatterns) {
+            if (pattern.length > _RedactionPolicy.MAX_PATTERN_LENGTH) {
+              throw new EdictumConfigError(
+                `Custom redaction pattern exceeds ${_RedactionPolicy.MAX_PATTERN_LENGTH} characters`
+              );
+            }
+          }
+        }
+        this._patterns = [
+          ...customPatterns ?? [],
+          ..._RedactionPolicy.BASH_REDACTION_PATTERNS
+        ];
+        this._compiledPatterns = this._patterns.map(
+          ([pattern, replacement]) => [new RegExp(pattern, "g"), replacement]
+        );
+        this._compiledSecretPatterns = _RedactionPolicy.SECRET_VALUE_PATTERNS.map(
+          (p) => new RegExp(p)
+        );
+        this._detectValues = detectSecretValues;
+      }
+      /** Recursively redact sensitive data from tool arguments. */
+      redactArgs(args) {
+        if (args !== null && typeof args === "object" && !Array.isArray(args)) {
+          const result = {};
+          for (const [key, value] of Object.entries(
+            args
+          )) {
+            result[key] = this._isSensitiveKey(key) ? "[REDACTED]" : this.redactArgs(value);
+          }
+          return result;
+        }
+        if (Array.isArray(args)) {
+          return args.map((item) => this.redactArgs(item));
+        }
+        if (typeof args === "string") {
+          if (this._detectValues && this._looksLikeSecret(args)) {
+            return "[REDACTED]";
+          }
+          if (args.length > 1e3) {
+            return args.slice(0, 997) + "...";
+          }
+          return args;
+        }
+        return args;
+      }
+      /** Check if a key name indicates sensitive data. */
+      _isSensitiveKey(key) {
+        const k = key.toLowerCase();
+        if (this._keys.has(k)) return true;
+        const normalized = key.replace(/([a-z])([A-Z])/g, "$1_$2").toLowerCase();
+        if (normalized !== k && this._keys.has(normalized)) return true;
+        const parts = normalized.split(/[_\-]/);
+        return parts.some(
+          (part) => part === "token" || part === "key" || part === "secret" || part === "password" || part === "credential"
+        );
+      }
+      /** Check if a string value looks like a known secret format. */
+      _looksLikeSecret(value) {
+        const capped = value.length > _RedactionPolicy.MAX_REGEX_INPUT ? value.slice(0, _RedactionPolicy.MAX_REGEX_INPUT) : value;
+        for (const regex of this._compiledSecretPatterns) {
+          if (regex.test(capped)) {
+            return true;
+          }
+        }
+        return false;
+      }
+      /** Apply redaction patterns to a bash command string. */
+      redactBashCommand(command) {
+        const capped = command.length > _RedactionPolicy.MAX_REGEX_INPUT ? command.slice(0, _RedactionPolicy.MAX_REGEX_INPUT) : command;
+        let result = capped;
+        for (const [regex, replacement] of this._compiledPatterns) {
+          regex.lastIndex = 0;
+          result = result.replace(regex, replacement);
+        }
+        return result;
+      }
+      /** Apply redaction patterns and truncate a result string. */
+      redactResult(result, maxLength = 500) {
+        const capped = result.length > _RedactionPolicy.MAX_REGEX_INPUT ? result.slice(0, _RedactionPolicy.MAX_REGEX_INPUT) : result;
+        let redacted = capped;
+        for (const [regex, replacement] of this._compiledPatterns) {
+          regex.lastIndex = 0;
+          redacted = redacted.replace(regex, replacement);
+        }
+        if (redacted.length > maxLength) {
+          redacted = redacted.slice(0, maxLength - 3) + "...";
+        }
+        return redacted;
+      }
+      /** Cap total serialized size of audit payload. Returns a new object if truncated. */
+      capPayload(data) {
+        const serialized = JSON.stringify(data);
+        if (serialized.length > _RedactionPolicy.MAX_PAYLOAD_SIZE) {
+          const { resultSummary: _rs, toolArgs: _ta, ...rest } = data;
+          void _rs;
+          void _ta;
+          return {
+            ...rest,
+            _truncated: true,
+            toolArgs: { _redacted: "payload exceeded 32KB" }
+          };
+        }
+        return data;
+      }
+    };
+  }
+});
+
+// src/approval.ts
+function sanitizeForTerminal(s) {
+  return s.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, "").replace(/[\x00-\x1f\x7f]/g, "");
+}
+function createApprovalRequest(fields) {
+  const request = {
+    approvalId: fields.approvalId,
+    toolName: fields.toolName,
+    toolArgs: Object.freeze({ ...fields.toolArgs }),
+    message: fields.message,
+    timeout: fields.timeout,
+    timeoutEffect: fields.timeoutEffect,
+    principal: fields.principal !== null ? Object.freeze({ ...fields.principal }) : null,
+    metadata: Object.freeze({ ...fields.metadata }),
+    createdAt: fields.createdAt ?? /* @__PURE__ */ new Date()
+  };
+  return Object.freeze(request);
+}
+function createApprovalDecision(fields) {
+  const decision = {
+    approved: fields.approved,
+    approver: fields.approver ?? null,
+    reason: fields.reason ?? null,
+    status: fields.status ?? ApprovalStatus.PENDING,
+    timestamp: fields.timestamp ?? /* @__PURE__ */ new Date()
+  };
+  return Object.freeze(decision);
+}
+var import_node_crypto2, readline, ApprovalStatus, LocalApprovalBackend;
+var init_approval = __esm({
+  "src/approval.ts"() {
+    "use strict";
+    import_node_crypto2 = require("crypto");
+    readline = __toESM(require("readline"), 1);
+    init_redaction();
+    ApprovalStatus = {
+      PENDING: "pending",
+      APPROVED: "approved",
+      DENIED: "denied",
+      TIMEOUT: "timeout"
+    };
+    LocalApprovalBackend = class {
+      _pending = /* @__PURE__ */ new Map();
+      async requestApproval(toolName, toolArgs, message, options) {
+        const approvalId = (0, import_node_crypto2.randomUUID)();
+        const request = createApprovalRequest({
+          approvalId,
+          toolName,
+          toolArgs,
+          message,
+          timeout: options?.timeout ?? 300,
+          timeoutEffect: options?.timeoutEffect ?? "deny",
+          principal: options?.principal ?? null,
+          metadata: options?.metadata ?? {}
+        });
+        this._pending.set(approvalId, request);
+        const redaction = new RedactionPolicy();
+        const safeArgs = redaction.redactArgs(toolArgs);
+        process.stdout.write(`[APPROVAL REQUIRED] ${sanitizeForTerminal(message)}
+`);
+        process.stdout.write(`  Tool: ${sanitizeForTerminal(toolName)}
+`);
+        process.stdout.write(`  Args: ${sanitizeForTerminal(JSON.stringify(safeArgs))}
+`);
+        process.stdout.write(`  ID:   ${approvalId}
+`);
+        return request;
+      }
+      async waitForDecision(approvalId, timeout) {
+        const request = this._pending.get(approvalId);
+        const effectiveTimeout = timeout ?? (request ? request.timeout : 300);
+        try {
+          const response = await this._readStdin(approvalId, effectiveTimeout);
+          const approved = ["y", "yes", "approve"].includes(
+            response.trim().toLowerCase()
+          );
+          const status = approved ? ApprovalStatus.APPROVED : ApprovalStatus.DENIED;
+          return createApprovalDecision({
+            approved,
+            approver: "local",
+            status
+          });
+        } catch {
+          const timeoutEffect = request ? request.timeoutEffect : "deny";
+          const approved = timeoutEffect === "allow";
+          return createApprovalDecision({
+            approved,
+            status: ApprovalStatus.TIMEOUT
+          });
+        }
+      }
+      /** Read a single line from stdin with a timeout. */
+      _readStdin(approvalId, timeoutSeconds) {
+        return new Promise((resolve, reject) => {
+          const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout
+          });
+          const timer = setTimeout(() => {
+            rl.close();
+            reject(new Error("Approval timed out"));
+          }, timeoutSeconds * 1e3);
+          rl.question(`Approve? [y/N] (id: ${approvalId}): `, (answer) => {
+            clearTimeout(timer);
+            rl.close();
+            resolve(answer);
+          });
+        });
+      }
+    };
+  }
+});
+
+// src/audit.ts
+function createAuditEvent(f = {}) {
+  return {
+    schemaVersion: f.schemaVersion ?? "0.3.0",
+    timestamp: f.timestamp ?? /* @__PURE__ */ new Date(),
+    runId: f.runId ?? "",
+    callId: f.callId ?? "",
+    callIndex: f.callIndex ?? 0,
+    parentCallId: f.parentCallId ?? null,
+    toolName: f.toolName ?? "",
+    toolArgs: f.toolArgs ?? {},
+    sideEffect: f.sideEffect ?? "",
+    environment: f.environment ?? "",
+    principal: f.principal ?? null,
+    action: f.action ?? AuditAction.CALL_DENIED,
+    decisionSource: f.decisionSource ?? null,
+    decisionName: f.decisionName ?? null,
+    reason: f.reason ?? null,
+    hooksEvaluated: f.hooksEvaluated ?? [],
+    contractsEvaluated: f.contractsEvaluated ?? [],
+    toolSuccess: f.toolSuccess ?? null,
+    postconditionsPassed: f.postconditionsPassed ?? null,
+    durationMs: f.durationMs ?? 0,
+    error: f.error ?? null,
+    resultSummary: f.resultSummary ?? null,
+    sessionAttemptCount: f.sessionAttemptCount ?? 0,
+    sessionExecutionCount: f.sessionExecutionCount ?? 0,
+    mode: f.mode ?? "enforce",
+    policyVersion: f.policyVersion ?? null,
+    policyError: f.policyError ?? false
+  };
+}
+function _toPlain(event) {
+  const { timestamp, ...rest } = event;
+  return { ...rest, timestamp: timestamp.toISOString() };
+}
+var import_promises, AuditAction, MarkEvictedError, CompositeSink, StdoutAuditSink, FileAuditSink, CollectingAuditSink;
+var init_audit = __esm({
+  "src/audit.ts"() {
+    "use strict";
+    import_promises = require("fs/promises");
+    init_redaction();
+    AuditAction = {
+      CALL_DENIED: "call_denied",
+      CALL_WOULD_DENY: "call_would_deny",
+      CALL_ALLOWED: "call_allowed",
+      CALL_EXECUTED: "call_executed",
+      CALL_FAILED: "call_failed",
+      POSTCONDITION_WARNING: "postcondition_warning",
+      CALL_APPROVAL_REQUESTED: "call_approval_requested",
+      CALL_APPROVAL_GRANTED: "call_approval_granted",
+      CALL_APPROVAL_DENIED: "call_approval_denied",
+      CALL_APPROVAL_TIMEOUT: "call_approval_timeout"
+    };
+    MarkEvictedError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "MarkEvictedError";
+      }
+    };
+    CompositeSink = class {
+      _sinks;
+      constructor(sinks) {
+        if (sinks.length === 0) throw new Error("CompositeSink requires at least one sink");
+        this._sinks = [...sinks];
+      }
+      get sinks() {
+        return [...this._sinks];
+      }
+      async emit(event) {
+        const errors = [];
+        for (const sink of this._sinks) {
+          try {
+            await sink.emit(event);
+          } catch (err) {
+            errors.push(err instanceof Error ? err : new Error(String(err)));
+          }
+        }
+        if (errors.length > 0) {
+          throw new AggregateError(errors, "CompositeSink: one or more sinks failed");
+        }
+      }
+    };
+    StdoutAuditSink = class {
+      _redaction;
+      constructor(redaction) {
+        this._redaction = redaction ?? new RedactionPolicy();
+      }
+      async emit(event) {
+        process.stdout.write(JSON.stringify(this._redaction.capPayload(_toPlain(event))) + "\n");
+      }
+    };
+    FileAuditSink = class {
+      _path;
+      _redaction;
+      constructor(path, redaction) {
+        this._path = path;
+        this._redaction = redaction ?? new RedactionPolicy();
+      }
+      async emit(event) {
+        const data = this._redaction.capPayload(_toPlain(event));
+        await (0, import_promises.appendFile)(this._path, JSON.stringify(data) + "\n", "utf-8");
+      }
+    };
+    CollectingAuditSink = class {
+      _events = [];
+      _maxEvents;
+      _totalEmitted = 0;
+      constructor(maxEvents = 5e4) {
+        if (maxEvents < 1) throw new Error(`max_events must be >= 1, got ${maxEvents}`);
+        this._maxEvents = maxEvents;
+      }
+      async emit(event) {
+        this._events.push(event);
+        this._totalEmitted += 1;
+        if (this._events.length > this._maxEvents) this._events = this._events.slice(-this._maxEvents);
+      }
+      get events() {
+        return [...this._events];
+      }
+      mark() {
+        return this._totalEmitted;
+      }
+      sinceMark(m) {
+        if (m > this._totalEmitted) {
+          throw new Error(`Mark ${m} is ahead of total emitted (${this._totalEmitted})`);
+        }
+        const evictedCount = this._totalEmitted - this._events.length;
+        if (m < evictedCount) {
+          throw new MarkEvictedError(
+            `Mark ${m} references evicted events (buffer starts at ${evictedCount}, max_events=${this._maxEvents})`
+          );
+        }
+        return [...this._events.slice(m - evictedCount)];
+      }
+      last() {
+        if (this._events.length === 0) throw new Error("No events collected");
+        const last = this._events[this._events.length - 1];
+        if (!last) throw new Error("No events collected");
+        return last;
+      }
+      filter(action) {
+        return this._events.filter((e) => e.action === action);
+      }
+      clear() {
+        this._events = [];
+      }
+    };
+  }
+});
+
+// src/evaluation.ts
+function createContractResult(fields) {
+  return Object.freeze({
+    contractId: fields.contractId,
+    contractType: fields.contractType,
+    passed: fields.passed,
+    message: fields.message ?? null,
+    tags: Object.freeze([...fields.tags ?? []]),
+    observed: fields.observed ?? false,
+    effect: fields.effect ?? "warn",
+    policyError: fields.policyError ?? false
+  });
+}
+function createEvaluationResult(fields) {
+  return Object.freeze({
+    verdict: fields.verdict,
+    toolName: fields.toolName,
+    contracts: Object.freeze([...fields.contracts ?? []]),
+    denyReasons: Object.freeze([...fields.denyReasons ?? []]),
+    warnReasons: Object.freeze([...fields.warnReasons ?? []]),
+    contractsEvaluated: fields.contractsEvaluated ?? 0,
+    policyError: fields.policyError ?? false
+  });
+}
+var init_evaluation = __esm({
+  "src/evaluation.ts"() {
+    "use strict";
+  }
+});
+
+// src/pipeline.ts
+function createPreDecision(partial) {
+  return {
+    action: partial.action,
+    reason: partial.reason ?? null,
+    decisionSource: partial.decisionSource ?? null,
+    decisionName: partial.decisionName ?? null,
+    hooksEvaluated: partial.hooksEvaluated ?? [],
+    contractsEvaluated: partial.contractsEvaluated ?? [],
+    observed: partial.observed ?? false,
+    policyError: partial.policyError ?? false,
+    observeResults: partial.observeResults ?? [],
+    approvalTimeout: partial.approvalTimeout ?? 300,
+    approvalTimeoutEffect: partial.approvalTimeoutEffect ?? "deny",
+    approvalMessage: partial.approvalMessage ?? null
+  };
+}
+function createPostDecision(partial) {
+  return {
+    toolSuccess: partial.toolSuccess,
+    postconditionsPassed: partial.postconditionsPassed ?? true,
+    warnings: partial.warnings ?? [],
+    contractsEvaluated: partial.contractsEvaluated ?? [],
+    policyError: partial.policyError ?? false,
+    redactedResponse: partial.redactedResponse ?? null,
+    outputSuppressed: partial.outputSuppressed ?? false
+  };
+}
+function hasPolicyError(contractsEvaluated) {
+  return contractsEvaluated.some((c) => {
+    const meta = c["metadata"];
+    return meta?.["policy_error"] === true;
+  });
+}
+var GovernancePipeline;
+var init_pipeline = __esm({
+  "src/pipeline.ts"() {
+    "use strict";
+    init_contracts();
+    init_envelope();
+    init_hooks();
+    init_redaction();
+    GovernancePipeline = class {
+      _guard;
+      constructor(guard) {
+        this._guard = guard;
+      }
+      async preExecute(envelope, session) {
+        const hooksEvaluated = [];
+        const contractsEvaluated = [];
+        let hasObservedDeny = false;
+        let toolNameForBatch;
+        if (envelope.toolName in this._guard.limits.maxCallsPerTool) {
+          toolNameForBatch = envelope.toolName;
+        }
+        const counters = await session.batchGetCounters({
+          includeTool: toolNameForBatch
+        });
+        const attemptCount = counters["attempts"] ?? 0;
+        if (attemptCount >= this._guard.limits.maxAttempts) {
+          return createPreDecision({
+            action: "deny",
+            reason: `Attempt limit reached (${this._guard.limits.maxAttempts}). Agent may be stuck in a retry loop. Stop and reassess.`,
+            decisionSource: "attempt_limit",
+            decisionName: "max_attempts",
+            hooksEvaluated,
+            contractsEvaluated
+          });
+        }
+        for (const hookReg of this._guard.getHooks("before", envelope)) {
+          if (hookReg.when && !hookReg.when(envelope)) {
+            continue;
+          }
+          let decision;
+          try {
+            decision = await hookReg.callback(envelope);
+          } catch (exc) {
+            decision = HookDecision.deny(`Hook error: ${exc}`);
+          }
+          const hookRecord = {
+            name: hookReg.callback.name || "anonymous",
+            result: decision.result,
+            reason: decision.reason
+          };
+          hooksEvaluated.push(hookRecord);
+          if (decision.result === HookResult.DENY) {
+            return createPreDecision({
+              action: "deny",
+              reason: decision.reason,
+              decisionSource: "hook",
+              decisionName: hookRecord["name"],
+              hooksEvaluated,
+              contractsEvaluated,
+              policyError: (decision.reason ?? "").includes("Hook error:")
+            });
+          }
+        }
+        for (const contract of this._guard.getPreconditions(envelope)) {
+          let verdict;
+          try {
+            verdict = await contract.check(envelope);
+          } catch (exc) {
+            verdict = Verdict.fail(`Precondition error: ${exc}`, {
+              policy_error: true
+            });
+          }
+          const contractRecord = {
+            name: contract.name,
+            type: "precondition",
+            passed: verdict.passed,
+            message: verdict.message
+          };
+          if (verdict.metadata && Object.keys(verdict.metadata).length > 0) {
+            contractRecord["metadata"] = verdict.metadata;
+          }
+          contractsEvaluated.push(contractRecord);
+          if (!verdict.passed) {
+            if (contract.mode === "observe") {
+              contractRecord["observed"] = true;
+              hasObservedDeny = true;
+              continue;
+            }
+            const source = contract.source ?? "precondition";
+            const pe2 = hasPolicyError(contractsEvaluated);
+            const effect = contract.effect ?? "deny";
+            if (effect === "approve") {
+              return createPreDecision({
+                action: "pending_approval",
+                reason: verdict.message,
+                decisionSource: source,
+                decisionName: contract.name,
+                hooksEvaluated,
+                contractsEvaluated,
+                policyError: pe2,
+                approvalTimeout: contract.timeout ?? 300,
+                approvalTimeoutEffect: contract.timeoutEffect ?? "deny",
+                approvalMessage: verdict.message
+              });
+            }
+            return createPreDecision({
+              action: "deny",
+              reason: verdict.message,
+              decisionSource: source,
+              decisionName: contract.name,
+              hooksEvaluated,
+              contractsEvaluated,
+              policyError: pe2
+            });
+          }
+        }
+        for (const contract of this._guard.getSandboxContracts(envelope)) {
+          let verdict;
+          try {
+            verdict = await contract.check(envelope);
+          } catch (exc) {
+            verdict = Verdict.fail(`Sandbox contract error: ${exc}`, {
+              policy_error: true
+            });
+          }
+          const contractRecord = {
+            name: contract.name,
+            type: "sandbox",
+            passed: verdict.passed,
+            message: verdict.message
+          };
+          if (verdict.metadata && Object.keys(verdict.metadata).length > 0) {
+            contractRecord["metadata"] = verdict.metadata;
+          }
+          contractsEvaluated.push(contractRecord);
+          if (!verdict.passed) {
+            if (contract.mode === "observe") {
+              contractRecord["observed"] = true;
+              hasObservedDeny = true;
+              continue;
+            }
+            const source = contract.source ?? "yaml_sandbox";
+            const pe2 = hasPolicyError(contractsEvaluated);
+            const effect = contract.effect ?? "deny";
+            if (effect === "approve") {
+              return createPreDecision({
+                action: "pending_approval",
+                reason: verdict.message,
+                decisionSource: source,
+                decisionName: contract.name,
+                hooksEvaluated,
+                contractsEvaluated,
+                policyError: pe2,
+                approvalTimeout: contract.timeout ?? 300,
+                approvalTimeoutEffect: contract.timeoutEffect ?? "deny",
+                approvalMessage: verdict.message
+              });
+            }
+            return createPreDecision({
+              action: "deny",
+              reason: verdict.message,
+              decisionSource: source,
+              decisionName: contract.name,
+              hooksEvaluated,
+              contractsEvaluated,
+              policyError: pe2
+            });
+          }
+        }
+        for (const contract of this._guard.getSessionContracts()) {
+          let verdict;
+          try {
+            verdict = await contract.check(session);
+          } catch (exc) {
+            verdict = Verdict.fail(`Session contract error: ${exc}`, {
+              policy_error: true
+            });
+          }
+          const contractRecord = {
+            name: contract.name,
+            type: "session_contract",
+            passed: verdict.passed,
+            message: verdict.message
+          };
+          if (verdict.metadata && Object.keys(verdict.metadata).length > 0) {
+            contractRecord["metadata"] = verdict.metadata;
+          }
+          contractsEvaluated.push(contractRecord);
+          if (!verdict.passed) {
+            const source = contract.source ?? "session_contract";
+            const pe2 = hasPolicyError(contractsEvaluated);
+            return createPreDecision({
+              action: "deny",
+              reason: verdict.message,
+              decisionSource: source,
+              decisionName: contract.name,
+              hooksEvaluated,
+              contractsEvaluated,
+              policyError: pe2
+            });
+          }
+        }
+        const execCount = counters["execs"] ?? 0;
+        if (execCount >= this._guard.limits.maxToolCalls) {
+          return createPreDecision({
+            action: "deny",
+            reason: `Execution limit reached (${this._guard.limits.maxToolCalls} calls). Summarize progress and stop.`,
+            decisionSource: "operation_limit",
+            decisionName: "max_tool_calls",
+            hooksEvaluated,
+            contractsEvaluated
+          });
+        }
+        if (envelope.toolName in this._guard.limits.maxCallsPerTool) {
+          const toolKey = `tool:${envelope.toolName}`;
+          const toolCount = counters[toolKey] ?? 0;
+          const toolLimit = this._guard.limits.maxCallsPerTool[envelope.toolName] ?? 0;
+          if (toolCount >= toolLimit) {
+            return createPreDecision({
+              action: "deny",
+              reason: `Per-tool limit: ${envelope.toolName} called ${toolCount} times (limit: ${toolLimit}).`,
+              decisionSource: "operation_limit",
+              decisionName: `max_calls_per_tool:${envelope.toolName}`,
+              hooksEvaluated,
+              contractsEvaluated
+            });
+          }
+        }
+        const pe = hasPolicyError(contractsEvaluated);
+        const observeResults = await this._evaluateObserveContracts(
+          envelope,
+          session
+        );
+        return createPreDecision({
+          action: "allow",
+          hooksEvaluated,
+          contractsEvaluated,
+          observed: hasObservedDeny,
+          policyError: pe,
+          observeResults
+        });
+      }
+      async postExecute(envelope, toolResponse, toolSuccess) {
+        const warnings = [];
+        const contractsEvaluated = [];
+        let redactedResponse = null;
+        let outputSuppressed = false;
+        for (const contract of this._guard.getPostconditions(envelope)) {
+          let verdict;
+          try {
+            verdict = await contract.check(envelope, toolResponse);
+          } catch (exc) {
+            verdict = Verdict.fail(`Postcondition error: ${exc}`, {
+              policy_error: true
+            });
+          }
+          const contractRecord = {
+            name: contract.name,
+            type: "postcondition",
+            passed: verdict.passed,
+            message: verdict.message
+          };
+          if (verdict.metadata && Object.keys(verdict.metadata).length > 0) {
+            contractRecord["metadata"] = verdict.metadata;
+          }
+          contractsEvaluated.push(contractRecord);
+          if (!verdict.passed) {
+            const effect = contract.effect ?? "warn";
+            const contractMode = contract.mode;
+            const isSafe = envelope.sideEffect === SideEffect.PURE || envelope.sideEffect === SideEffect.READ;
+            if (contractMode === "observe") {
+              contractRecord["observed"] = true;
+              warnings.push(`\u26A0\uFE0F [observe] ${verdict.message}`);
+            } else if (effect === "redact" && isSafe) {
+              const patterns = contract.redactPatterns ?? [];
+              const source = redactedResponse !== null ? redactedResponse : toolResponse;
+              let text = source != null ? String(source) : "";
+              if (patterns.length > 0) {
+                for (const pat of patterns) {
+                  const globalPat = pat.global ? pat : new RegExp(pat.source, pat.flags + "g");
+                  text = text.replace(globalPat, "[REDACTED]");
+                }
+              } else {
+                const policy = new RedactionPolicy();
+                text = policy.redactResult(text, text.length + 100);
+              }
+              redactedResponse = text;
+              warnings.push(
+                `\u26A0\uFE0F Content redacted by ${contract.name}.`
+              );
+            } else if (effect === "deny" && isSafe) {
+              redactedResponse = `[OUTPUT SUPPRESSED] ${verdict.message}`;
+              outputSuppressed = true;
+              warnings.push(
+                `\u26A0\uFE0F Output suppressed by ${contract.name}.`
+              );
+            } else if ((effect === "redact" || effect === "deny") && !isSafe) {
+              warnings.push(
+                `\u26A0\uFE0F ${verdict.message} Tool already executed \u2014 assess before proceeding.`
+              );
+            } else if (isSafe) {
+              warnings.push(
+                `\u26A0\uFE0F ${verdict.message} Consider retrying.`
+              );
+            } else {
+              warnings.push(
+                `\u26A0\uFE0F ${verdict.message} Tool already executed \u2014 assess before proceeding.`
+              );
+            }
+          }
+        }
+        for (const hookReg of this._guard.getHooks("after", envelope)) {
+          if (hookReg.when && !hookReg.when(envelope)) {
+            continue;
+          }
+          try {
+            await hookReg.callback(envelope, toolResponse);
+          } catch {
+          }
+        }
+        for (const contract of this._guard.getObservePostconditions(envelope)) {
+          let verdict;
+          try {
+            verdict = await contract.check(envelope, toolResponse);
+          } catch (exc) {
+            verdict = Verdict.fail(
+              `Observe-mode postcondition error: ${exc}`,
+              { policy_error: true }
+            );
+          }
+          const record = {
+            name: contract.name,
+            type: "postcondition",
+            passed: verdict.passed,
+            message: verdict.message,
+            observed: true,
+            source: contract.source ?? "yaml_postcondition"
+          };
+          if (verdict.metadata && Object.keys(verdict.metadata).length > 0) {
+            record["metadata"] = verdict.metadata;
+          }
+          contractsEvaluated.push(record);
+          if (!verdict.passed) {
+            warnings.push(`\u26A0\uFE0F [observe] ${verdict.message}`);
+          }
+        }
+        const postconditionsPassed = contractsEvaluated.length > 0 ? contractsEvaluated.every(
+          (c) => c["passed"] === true || c["observed"] === true
+        ) : true;
+        const pe = hasPolicyError(contractsEvaluated);
+        return createPostDecision({
+          toolSuccess,
+          postconditionsPassed,
+          warnings,
+          contractsEvaluated,
+          policyError: pe,
+          redactedResponse,
+          outputSuppressed
+        });
+      }
+      /**
+       * Evaluate observe-mode contracts without affecting the real decision.
+       *
+       * Observe-mode contracts are identified by mode === "observe" on the
+       * internal contract. Results are returned as dicts for audit emission
+       * but never block calls.
+       */
+      async _evaluateObserveContracts(envelope, session) {
+        const results = [];
+        for (const contract of this._guard.getObservePreconditions(
+          envelope
+        )) {
+          let verdict;
+          try {
+            verdict = await contract.check(envelope);
+          } catch (exc) {
+            verdict = Verdict.fail(
+              `Observe-mode precondition error: ${exc}`,
+              { policy_error: true }
+            );
+          }
+          results.push({
+            name: contract.name,
+            type: "precondition",
+            passed: verdict.passed,
+            message: verdict.message,
+            source: contract.source ?? "yaml_precondition"
+          });
+        }
+        for (const contract of this._guard.getObserveSandboxContracts(
+          envelope
+        )) {
+          let verdict;
+          try {
+            verdict = await contract.check(envelope);
+          } catch (exc) {
+            verdict = Verdict.fail(
+              `Observe-mode sandbox error: ${exc}`,
+              { policy_error: true }
+            );
+          }
+          results.push({
+            name: contract.name,
+            type: "sandbox",
+            passed: verdict.passed,
+            message: verdict.message,
+            source: contract.source ?? "yaml_sandbox"
+          });
+        }
+        for (const contract of this._guard.getObserveSessionContracts()) {
+          let verdict;
+          try {
+            verdict = await contract.check(session);
+          } catch (exc) {
+            verdict = Verdict.fail(
+              `Observe-mode session contract error: ${exc}`,
+              { policy_error: true }
+            );
+          }
+          results.push({
+            name: contract.name,
+            type: "session_contract",
+            passed: verdict.passed,
+            message: verdict.message,
+            source: contract.source ?? "yaml_session"
+          });
+        }
+        return results;
+      }
+    };
+  }
+});
+
+// src/runner.ts
+var runner_exports = {};
+__export(runner_exports, {
+  defaultSuccessCheck: () => defaultSuccessCheck,
+  run: () => run
+});
+function defaultSuccessCheck(_toolName, result) {
+  if (result == null) {
+    return true;
+  }
+  if (typeof result === "object" && !Array.isArray(result)) {
+    const dict = result;
+    if (dict["is_error"]) {
+      return false;
+    }
+  }
+  if (typeof result === "string") {
+    const lower = result.slice(0, 7).toLowerCase();
+    if (lower.startsWith("error:") || lower.startsWith("fatal:")) {
+      return false;
+    }
+  }
+  return true;
+}
+async function _emitRunPreAudit(guard, envelope, session, action, pre) {
+  const event = createAuditEvent({
+    action,
+    runId: envelope.runId,
+    callId: envelope.callId,
+    toolName: envelope.toolName,
+    toolArgs: guard.redaction.redactArgs(envelope.args),
+    sideEffect: envelope.sideEffect,
+    environment: envelope.environment,
+    principal: envelope.principal ? { ...envelope.principal } : null,
+    decisionSource: pre.decisionSource,
+    decisionName: pre.decisionName,
+    reason: pre.reason,
+    hooksEvaluated: pre.hooksEvaluated,
+    contractsEvaluated: pre.contractsEvaluated,
+    sessionAttemptCount: await session.attemptCount(),
+    sessionExecutionCount: await session.executionCount(),
+    mode: guard.mode,
+    policyVersion: guard.policyVersion,
+    policyError: pre.policyError
+  });
+  await guard.auditSink.emit(event);
+}
+async function run(guard, toolName, args, toolCallable, options) {
+  const sessionId = options?.sessionId ?? guard.sessionId;
+  const session = new Session(sessionId, guard.backend);
+  const pipeline = new GovernancePipeline(guard);
+  const env = options?.environment ?? guard.environment;
+  let principal = options?.principal ?? void 0;
+  if (principal === void 0) {
+    const resolved = guard._resolvePrincipal(toolName, args);
+    if (resolved != null) {
+      principal = resolved;
+    }
+  }
+  const envelope = createEnvelope(toolName, args, {
+    runId: sessionId,
+    environment: env,
+    registry: guard.toolRegistry,
+    principal: principal ?? null
+  });
+  await session.incrementAttempts();
+  try {
+    const pre = await pipeline.preExecute(envelope, session);
+    if (pre.action === "pending_approval") {
+      if (guard._approvalBackend == null) {
+        throw new EdictumDenied(
+          `Approval required but no approval backend configured: ${pre.reason}`,
+          pre.decisionSource,
+          pre.decisionName
+        );
+      }
+      const principalDict = envelope.principal ? { ...envelope.principal } : null;
+      const approvalRequest = await guard._approvalBackend.requestApproval(
+        envelope.toolName,
+        envelope.args,
+        pre.approvalMessage ?? pre.reason ?? "",
+        {
+          timeout: pre.approvalTimeout,
+          timeoutEffect: pre.approvalTimeoutEffect,
+          principal: principalDict
+        }
+      );
+      await _emitRunPreAudit(
+        guard,
+        envelope,
+        session,
+        AuditAction.CALL_APPROVAL_REQUESTED,
+        pre
+      );
+      const decision = await guard._approvalBackend.waitForDecision(
+        approvalRequest.approvalId,
+        pre.approvalTimeout
+      );
+      let approved = false;
+      if (decision.status === ApprovalStatus.TIMEOUT) {
+        await _emitRunPreAudit(
+          guard,
+          envelope,
+          session,
+          AuditAction.CALL_APPROVAL_TIMEOUT,
+          pre
+        );
+        if (pre.approvalTimeoutEffect === "allow") {
+          approved = true;
+        }
+      } else if (!decision.approved) {
+        await _emitRunPreAudit(
+          guard,
+          envelope,
+          session,
+          AuditAction.CALL_APPROVAL_DENIED,
+          pre
+        );
+      } else {
+        approved = true;
+        await _emitRunPreAudit(
+          guard,
+          envelope,
+          session,
+          AuditAction.CALL_APPROVAL_GRANTED,
+          pre
+        );
+      }
+      if (approved) {
+        if (guard._onAllow) {
+          try {
+            guard._onAllow(envelope);
+          } catch {
+          }
+        }
+      } else {
+        const denyReason = decision.reason ?? pre.reason ?? "";
+        if (guard._onDeny) {
+          try {
+            guard._onDeny(envelope, denyReason, pre.decisionName);
+          } catch {
+          }
+        }
+        throw new EdictumDenied(
+          decision.reason ?? pre.reason ?? "denied",
+          pre.decisionSource,
+          pre.decisionName
+        );
+      }
+    }
+    const realDeny = pre.action === "deny" && !pre.observed;
+    if (pre.action === "pending_approval") {
+    } else if (realDeny) {
+      const auditAction = guard.mode === "observe" ? AuditAction.CALL_WOULD_DENY : AuditAction.CALL_DENIED;
+      await _emitRunPreAudit(guard, envelope, session, auditAction, pre);
+      if (guard.mode === "enforce") {
+        if (guard._onDeny) {
+          try {
+            guard._onDeny(envelope, pre.reason ?? "", pre.decisionName);
+          } catch {
+          }
+        }
+        throw new EdictumDenied(
+          pre.reason ?? "denied",
+          pre.decisionSource,
+          pre.decisionName
+        );
+      }
+    } else {
+      for (const cr of pre.contractsEvaluated) {
+        if (cr["observed"] && !cr["passed"]) {
+          const observedEvent = createAuditEvent({
+            action: AuditAction.CALL_WOULD_DENY,
+            runId: envelope.runId,
+            callId: envelope.callId,
+            toolName: envelope.toolName,
+            toolArgs: guard.redaction.redactArgs(envelope.args),
+            sideEffect: envelope.sideEffect,
+            environment: envelope.environment,
+            principal: envelope.principal ? { ...envelope.principal } : null,
+            decisionSource: "precondition",
+            decisionName: cr["name"],
+            reason: cr["message"],
+            mode: "observe",
+            policyVersion: guard.policyVersion,
+            policyError: pre.policyError
+          });
+          await guard.auditSink.emit(observedEvent);
+        }
+      }
+      await _emitRunPreAudit(
+        guard,
+        envelope,
+        session,
+        AuditAction.CALL_ALLOWED,
+        pre
+      );
+      if (guard._onAllow) {
+        try {
+          guard._onAllow(envelope);
+        } catch {
+        }
+      }
+    }
+    for (const sr of pre.observeResults) {
+      const observeAction = sr["passed"] ? AuditAction.CALL_ALLOWED : AuditAction.CALL_WOULD_DENY;
+      const observeEvent = createAuditEvent({
+        action: observeAction,
+        runId: envelope.runId,
+        callId: envelope.callId,
+        toolName: envelope.toolName,
+        toolArgs: guard.redaction.redactArgs(envelope.args),
+        sideEffect: envelope.sideEffect,
+        environment: envelope.environment,
+        principal: envelope.principal ? { ...envelope.principal } : null,
+        decisionSource: sr["source"],
+        decisionName: sr["name"],
+        reason: sr["message"],
+        mode: "observe",
+        policyVersion: guard.policyVersion
+      });
+      await guard.auditSink.emit(observeEvent);
+    }
+    let result;
+    let toolSuccess;
+    try {
+      result = toolCallable(envelope.args);
+      if (result != null && typeof result === "object" && typeof result.then === "function") {
+        result = await result;
+      }
+      if (guard._successCheck) {
+        toolSuccess = guard._successCheck(toolName, result);
+      } else {
+        toolSuccess = defaultSuccessCheck(toolName, result);
+      }
+    } catch (e) {
+      result = String(e);
+      toolSuccess = false;
+    }
+    const post = await pipeline.postExecute(envelope, result, toolSuccess);
+    await session.recordExecution(toolName, toolSuccess);
+    const postAction = toolSuccess ? AuditAction.CALL_EXECUTED : AuditAction.CALL_FAILED;
+    const postEvent = createAuditEvent({
+      action: postAction,
+      runId: envelope.runId,
+      callId: envelope.callId,
+      toolName: envelope.toolName,
+      toolArgs: guard.redaction.redactArgs(envelope.args),
+      sideEffect: envelope.sideEffect,
+      environment: envelope.environment,
+      principal: envelope.principal ? { ...envelope.principal } : null,
+      toolSuccess,
+      postconditionsPassed: post.postconditionsPassed,
+      contractsEvaluated: post.contractsEvaluated,
+      sessionAttemptCount: await session.attemptCount(),
+      sessionExecutionCount: await session.executionCount(),
+      mode: guard.mode,
+      policyVersion: guard.policyVersion,
+      policyError: post.policyError
+    });
+    await guard.auditSink.emit(postEvent);
+    if (!toolSuccess) {
+      throw new EdictumToolError(String(result));
+    }
+    return post.redactedResponse != null ? post.redactedResponse : result;
+  } finally {
+  }
+}
+var init_runner = __esm({
+  "src/runner.ts"() {
+    "use strict";
+    init_approval();
+    init_audit();
+    init_envelope();
+    init_errors();
+    init_pipeline();
+    init_session();
+  }
+});
+
+// src/dry-run.ts
+var dry_run_exports = {};
+__export(dry_run_exports, {
+  evaluate: () => evaluate,
+  evaluateBatch: () => evaluateBatch
+});
+function safeTags(metadata) {
+  if (!metadata) return [];
+  const raw = metadata["tags"];
+  if (!Array.isArray(raw)) return [];
+  return raw.filter((t) => typeof t === "string");
+}
+async function evaluate(guard, toolName, args, options) {
+  const env = options?.environment ?? guard.environment;
+  const envelope = createEnvelope(toolName, args, {
+    environment: env,
+    principal: options?.principal ?? null,
+    registry: guard.toolRegistry
+  });
+  const contracts = [];
+  const denyReasons = [];
+  const warnReasons = [];
+  for (const contract of guard.getPreconditions(envelope)) {
+    const contractId = contract.name ?? "unknown";
+    let verdict;
+    try {
+      verdict = await contract.check(envelope);
+    } catch (exc) {
+      const contractResult2 = createContractResult({
+        contractId,
+        contractType: "precondition",
+        passed: false,
+        message: `Precondition error: ${exc}`,
+        policyError: true
+      });
+      contracts.push(contractResult2);
+      denyReasons.push(contractResult2.message ?? "");
+      continue;
+    }
+    const tags = safeTags(verdict.metadata);
+    const isObserved = contract.mode === "observe" && !verdict.passed;
+    const pe = verdict.metadata ? verdict.metadata["policy_error"] ?? false : false;
+    const contractResult = createContractResult({
+      contractId,
+      contractType: "precondition",
+      passed: verdict.passed,
+      message: verdict.message,
+      tags,
+      observed: isObserved,
+      policyError: pe
+    });
+    contracts.push(contractResult);
+    if (!verdict.passed && !isObserved) {
+      denyReasons.push(verdict.message ?? "");
+    }
+  }
+  for (const contract of guard.getSandboxContracts(envelope)) {
+    const contractId = contract.name ?? "unknown";
+    let verdict;
+    try {
+      verdict = await contract.check(envelope);
+    } catch (exc) {
+      const contractResult2 = createContractResult({
+        contractId,
+        contractType: "sandbox",
+        passed: false,
+        message: `Sandbox error: ${exc}`,
+        policyError: true
+      });
+      contracts.push(contractResult2);
+      denyReasons.push(contractResult2.message ?? "");
+      continue;
+    }
+    const tags = safeTags(verdict.metadata);
+    const isObserved = contract.mode === "observe" && !verdict.passed;
+    const pe = verdict.metadata ? verdict.metadata["policy_error"] ?? false : false;
+    const contractResult = createContractResult({
+      contractId,
+      contractType: "sandbox",
+      passed: verdict.passed,
+      message: verdict.message,
+      tags,
+      observed: isObserved,
+      policyError: pe
+    });
+    contracts.push(contractResult);
+    if (!verdict.passed && !isObserved) {
+      denyReasons.push(verdict.message ?? "");
+    }
+  }
+  if (options?.output != null) {
+    for (const contract of guard.getPostconditions(envelope)) {
+      const contractId = contract.name ?? "unknown";
+      let verdict;
+      try {
+        verdict = await contract.check(envelope, options.output);
+      } catch (exc) {
+        const contractResult2 = createContractResult({
+          contractId,
+          contractType: "postcondition",
+          passed: false,
+          message: `Postcondition error: ${exc}`,
+          policyError: true
+        });
+        contracts.push(contractResult2);
+        const excEffect = contract.effect ?? "warn";
+        if (excEffect === "deny") {
+          denyReasons.push(contractResult2.message ?? "");
+        } else {
+          warnReasons.push(contractResult2.message ?? "");
+        }
+        continue;
+      }
+      const tags = safeTags(verdict.metadata);
+      const isObserved = contract.mode === "observe" && !verdict.passed;
+      const pe = verdict.metadata ? verdict.metadata["policy_error"] ?? false : false;
+      const effect = contract.effect ?? "warn";
+      const contractResult = createContractResult({
+        contractId,
+        contractType: "postcondition",
+        passed: verdict.passed,
+        message: verdict.message,
+        tags,
+        observed: isObserved,
+        effect,
+        policyError: pe
+      });
+      contracts.push(contractResult);
+      if (!verdict.passed && !isObserved) {
+        if (effect === "deny") {
+          denyReasons.push(verdict.message ?? "");
+        } else {
+          warnReasons.push(verdict.message ?? "");
+        }
+      }
+    }
+  }
+  let verdictStr;
+  if (denyReasons.length > 0) {
+    verdictStr = "deny";
+  } else if (warnReasons.length > 0) {
+    verdictStr = "warn";
+  } else {
+    verdictStr = "allow";
+  }
+  return createEvaluationResult({
+    verdict: verdictStr,
+    toolName,
+    contracts,
+    denyReasons,
+    warnReasons,
+    contractsEvaluated: contracts.length,
+    policyError: contracts.some((r) => r.policyError)
+  });
+}
+async function evaluateBatch(guard, calls) {
+  const results = [];
+  for (const call of calls) {
+    const callArgs = call.args ?? {};
+    let principal;
+    if (call.principal != null && typeof call.principal === "object") {
+      principal = createPrincipal({
+        role: call.principal["role"] ?? void 0,
+        userId: call.principal["userId"] ?? void 0,
+        ticketRef: call.principal["ticketRef"] ?? void 0,
+        claims: typeof call.principal["claims"] === "object" && call.principal["claims"] != null && !Array.isArray(call.principal["claims"]) ? call.principal["claims"] : {}
+      });
+    }
+    let output;
+    if (call.output != null) {
+      if (typeof call.output === "object") {
+        try {
+          output = JSON.stringify(call.output);
+        } catch {
+          output = "[unserializable output]";
+        }
+      } else {
+        output = call.output;
+      }
+    }
+    results.push(
+      await evaluate(guard, call.tool, callArgs, {
+        principal,
+        output,
+        environment: call.environment
+      })
+    );
+  }
+  return results;
+}
+var init_dry_run = __esm({
+  "src/dry-run.ts"() {
+    "use strict";
+    init_envelope();
+    init_evaluation();
+  }
+});
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ApprovalStatus: () => ApprovalStatus,
+  AuditAction: () => AuditAction,
+  BUILTIN_OPERATOR_NAMES: () => BUILTIN_OPERATOR_NAMES,
+  BUILTIN_SELECTOR_PREFIXES: () => BUILTIN_SELECTOR_PREFIXES,
+  BashClassifier: () => BashClassifier,
+  CollectingAuditSink: () => CollectingAuditSink,
+  CompositeSink: () => CompositeSink,
+  DEFAULT_LIMITS: () => DEFAULT_LIMITS,
+  Edictum: () => Edictum,
+  EdictumConfigError: () => EdictumConfigError,
+  EdictumDenied: () => EdictumDenied,
+  EdictumToolError: () => EdictumToolError,
+  FileAuditSink: () => FileAuditSink,
+  GovernancePipeline: () => GovernancePipeline,
+  HookDecision: () => HookDecision,
+  HookResult: () => HookResult,
+  LocalApprovalBackend: () => LocalApprovalBackend,
+  MAX_BUNDLE_SIZE: () => MAX_BUNDLE_SIZE,
+  MAX_REGEX_INPUT: () => MAX_REGEX_INPUT,
+  MarkEvictedError: () => MarkEvictedError,
+  MemoryBackend: () => MemoryBackend,
+  PolicyError: () => PolicyError,
+  RedactionPolicy: () => RedactionPolicy,
+  Session: () => Session,
+  SideEffect: () => SideEffect,
+  StdoutAuditSink: () => StdoutAuditSink,
+  ToolRegistry: () => ToolRegistry,
+  VERSION: () => VERSION,
+  Verdict: () => Verdict,
+  _validateToolName: () => _validateToolName,
+  buildFindings: () => buildFindings,
+  classifyFinding: () => classifyFinding,
+  compileContracts: () => compileContracts,
+  composeBundles: () => composeBundles,
+  computeHash: () => computeHash,
+  createAuditEvent: () => createAuditEvent,
+  createCompiledState: () => createCompiledState,
+  createContractResult: () => createContractResult,
+  createEnvelope: () => createEnvelope,
+  createEvaluationResult: () => createEvaluationResult,
+  createFinding: () => createFinding,
+  createPostCallResult: () => createPostCallResult,
+  createPostDecision: () => createPostDecision,
+  createPreDecision: () => createPreDecision,
+  createPrincipal: () => createPrincipal,
+  deepFreeze: () => deepFreeze,
+  defaultSuccessCheck: () => defaultSuccessCheck,
+  evaluateExpression: () => evaluateExpression,
+  expandMessage: () => expandMessage,
+  fnmatch: () => fnmatch,
+  fromYaml: () => fromYaml,
+  fromYamlString: () => fromYamlString,
+  loadBundle: () => loadBundle,
+  loadBundleString: () => loadBundleString,
+  reload: () => reload,
+  run: () => run,
+  validateOperators: () => validateOperators
+});
+module.exports = __toCommonJS(index_exports);
+init_errors();
+init_envelope();
+init_contracts();
+init_hooks();
+
+// src/limits.ts
+var DEFAULT_LIMITS = Object.freeze({
+  maxAttempts: 500,
+  maxToolCalls: 200,
+  maxCallsPerTool: Object.freeze({})
+});
+
+// src/storage.ts
+var MemoryBackend = class {
+  _data = /* @__PURE__ */ new Map();
+  _counters = /* @__PURE__ */ new Map();
+  async get(key) {
+    const strVal = this._data.get(key);
+    if (strVal !== void 0) {
+      return strVal;
+    }
+    const numVal = this._counters.get(key);
+    if (numVal !== void 0) {
+      return numVal === Math.trunc(numVal) ? String(Math.trunc(numVal)) : String(numVal);
+    }
+    return null;
+  }
+  async set(key, value) {
+    this._data.set(key, value);
+  }
+  async delete(key) {
+    this._data.delete(key);
+    this._counters.delete(key);
+  }
+  async increment(key, amount = 1) {
+    const current = this._counters.get(key) ?? 0;
+    const next = current + amount;
+    this._counters.set(key, next);
+    return next;
+  }
+  /**
+   * Retrieve multiple values in a single operation.
+   *
+   * In-memory implementation: multiple Map lookups, no network overhead.
+   */
+  async batchGet(keys) {
+    const result = {};
+    for (const key of keys) {
+      result[key] = await this.get(key);
+    }
+    return result;
+  }
+};
+
+// src/index.ts
+init_session();
+init_approval();
+init_audit();
+init_redaction();
+init_evaluation();
+
+// src/findings.ts
+function createFinding(fields) {
+  return Object.freeze({
+    type: fields.type,
+    contractId: fields.contractId,
+    field: fields.field,
+    message: fields.message,
+    metadata: Object.freeze({ ...fields.metadata ?? {} })
+  });
+}
+function createPostCallResult(fields) {
+  return Object.freeze({
+    result: fields.result,
+    postconditionsPassed: fields.postconditionsPassed ?? true,
+    findings: Object.freeze([...fields.findings ?? []]),
+    outputSuppressed: fields.outputSuppressed ?? false
+  });
+}
+function classifyFinding(contractId, verdictMessage) {
+  const contractLower = contractId.toLowerCase();
+  const messageLower = (verdictMessage || "").toLowerCase();
+  const piiTerms = ["pii", "ssn", "patient", "name", "dob"];
+  if (piiTerms.some(
+    (term) => contractLower.includes(term) || messageLower.includes(term)
+  )) {
+    return "pii_detected";
+  }
+  const secretTerms = ["secret", "token", "key", "credential", "password"];
+  if (secretTerms.some(
+    (term) => contractLower.includes(term) || messageLower.includes(term)
+  )) {
+    return "secret_detected";
+  }
+  const limitTerms = ["session", "limit", "max_calls", "budget"];
+  if (limitTerms.some(
+    (term) => contractLower.includes(term) || messageLower.includes(term)
+  )) {
+    return "limit_exceeded";
+  }
+  return "policy_violation";
+}
+function buildFindings(postDecision) {
+  const findings = [];
+  for (const cr of postDecision.contractsEvaluated) {
+    if (!cr.passed) {
+      const meta = cr.metadata ?? {};
+      findings.push(
+        createFinding({
+          type: classifyFinding(cr.name, cr.message ?? ""),
+          contractId: cr.name,
+          field: meta.field ?? "output",
+          message: cr.message ?? "",
+          metadata: meta
+        })
+      );
+    }
+  }
+  return findings;
+}
+
+// src/compiled-state.ts
+init_envelope();
+function createCompiledState(partial = {}) {
+  return deepFreeze({
+    preconditions: partial.preconditions ?? [],
+    postconditions: partial.postconditions ?? [],
+    sessionContracts: partial.sessionContracts ?? [],
+    sandboxContracts: partial.sandboxContracts ?? [],
+    observePreconditions: partial.observePreconditions ?? [],
+    observePostconditions: partial.observePostconditions ?? [],
+    observeSessionContracts: partial.observeSessionContracts ?? [],
+    observeSandboxContracts: partial.observeSandboxContracts ?? [],
+    limits: partial.limits ?? DEFAULT_LIMITS,
+    policyVersion: partial.policyVersion ?? null
+  });
+}
+
+// src/index.ts
+init_pipeline();
+
+// src/guard.ts
+var import_node_crypto5 = require("crypto");
+
+// src/factory.ts
+var import_node_crypto4 = require("crypto");
+init_errors();
+
+// src/yaml-engine/composer.ts
+init_errors();
+function deepCopyBundle(data) {
+  return structuredClone(data);
+}
+function composeBundles(...bundles) {
+  if (bundles.length === 0) {
+    throw new Error("composeBundles() requires at least one bundle");
+  }
+  if (bundles.length === 1) {
+    const entry = bundles[0];
+    return {
+      bundle: deepCopyBundle(entry[0]),
+      report: { overriddenContracts: [], observeContracts: [] }
+    };
+  }
+  const overrides = [];
+  const observes = [];
+  const first = bundles[0];
+  const merged = deepCopyBundle(first[0]);
+  const firstLabel = first[1];
+  const contractSources = /* @__PURE__ */ new Map();
+  for (const c of merged.contracts ?? []) {
+    contractSources.set(c.id, firstLabel);
+  }
+  for (let i = 1; i < bundles.length; i++) {
+    const entry = bundles[i];
+    const [data, label] = entry;
+    const isObserveAlongside = Boolean(data.observe_alongside);
+    if (isObserveAlongside) {
+      mergeObserveAlongside(merged, data, label, contractSources, observes);
+    } else {
+      mergeStandard(merged, data, label, contractSources, overrides);
+    }
+  }
+  return {
+    bundle: merged,
+    report: { overriddenContracts: overrides, observeContracts: observes }
+  };
+}
+function mergeStandard(merged, layer, label, contractSources, overrides) {
+  if ("defaults" in layer) {
+    const ld = layer.defaults;
+    const md = merged.defaults ?? {};
+    if ("mode" in ld) md.mode = ld.mode;
+    if ("environment" in ld) md.environment = ld.environment;
+    merged.defaults = md;
+  }
+  if ("limits" in layer) merged.limits = deepCopyBundle(layer.limits);
+  if ("tools" in layer) {
+    const mt = merged.tools ?? {};
+    for (const [name, cfg] of Object.entries(layer.tools)) {
+      mt[name] = { ...cfg };
+    }
+    merged.tools = mt;
+  }
+  if ("metadata" in layer) {
+    const mm = merged.metadata ?? {};
+    for (const [k, v] of Object.entries(layer.metadata)) mm[k] = v;
+    merged.metadata = mm;
+  }
+  if ("observability" in layer) {
+    merged.observability = deepCopyBundle(layer.observability);
+  }
+  if ("contracts" in layer) {
+    const existingById = /* @__PURE__ */ new Map();
+    const mc = merged.contracts ?? [];
+    for (let j = 0; j < mc.length; j++) {
+      const c = mc[j];
+      existingById.set(c.id, j);
+    }
+    for (const contract of layer.contracts ?? []) {
+      const cid = contract.id;
+      const newContract = deepCopyBundle(contract);
+      if (existingById.has(cid)) {
+        const idx = existingById.get(cid);
+        overrides.push({
+          contractId: cid,
+          overriddenBy: label,
+          originalSource: contractSources.get(cid) ?? "unknown"
+        });
+        mc[idx] = newContract;
+      } else {
+        mc.push(newContract);
+        existingById.set(cid, mc.length - 1);
+      }
+      contractSources.set(cid, label);
+    }
+    merged.contracts = mc;
+  }
+}
+function mergeObserveAlongside(merged, layer, label, contractSources, observes) {
+  const mc = merged.contracts ?? [];
+  for (const contract of layer.contracts ?? []) {
+    const cid = contract.id;
+    const observeId = `${cid}:candidate`;
+    const existingIds = new Set(
+      mc.map((c) => c.id)
+    );
+    if (existingIds.has(observeId)) {
+      throw new EdictumConfigError(
+        `observe_alongside collision: generated ID "${observeId}" already exists in the bundle. Rename the conflicting contract or use a different ID for "${cid}".`
+      );
+    }
+    const observeContract = deepCopyBundle(contract);
+    observeContract.id = observeId;
+    observeContract.mode = "observe";
+    observeContract._observe = true;
+    mc.push(observeContract);
+    observes.push({
+      contractId: cid,
+      enforcedSource: contractSources.get(cid) ?? "",
+      observedSource: label
+    });
+  }
+  merged.contracts = mc;
+  if ("tools" in layer) {
+    const mt = merged.tools ?? {};
+    for (const [name, cfg] of Object.entries(layer.tools)) {
+      mt[name] = { ...cfg };
+    }
+    merged.tools = mt;
+  }
+  if ("metadata" in layer) {
+    const mm = merged.metadata ?? {};
+    for (const [k, v] of Object.entries(layer.metadata)) mm[k] = v;
+    merged.metadata = mm;
+  }
+}
+
+// src/yaml-engine/compiler.ts
+init_errors();
+
+// src/yaml-engine/compiler-utils.ts
+init_errors();
+init_redaction();
+
+// src/yaml-engine/operators.ts
+var MAX_REGEX_INPUT = 1e4;
+function opEquals(fieldValue, opValue) {
+  return fieldValue === opValue;
+}
+function opNotEquals(fieldValue, opValue) {
+  return fieldValue !== opValue;
+}
+function opIn(fieldValue, opValue) {
+  return opValue.includes(fieldValue);
+}
+function opNotIn(fieldValue, opValue) {
+  return !opValue.includes(fieldValue);
+}
+function opContains(fieldValue, opValue) {
+  if (typeof fieldValue !== "string") throw new TypeError();
+  return fieldValue.includes(opValue);
+}
+function opContainsAny(fieldValue, opValue) {
+  if (typeof fieldValue !== "string") throw new TypeError();
+  return opValue.some((v) => fieldValue.includes(v));
+}
+function opStartsWith(fieldValue, opValue) {
+  if (typeof fieldValue !== "string") throw new TypeError();
+  return fieldValue.startsWith(opValue);
+}
+function opEndsWith(fieldValue, opValue) {
+  if (typeof fieldValue !== "string") throw new TypeError();
+  return fieldValue.endsWith(opValue);
+}
+function opMatches(fieldValue, opValue) {
+  if (typeof fieldValue !== "string") throw new TypeError();
+  const truncated = fieldValue.slice(0, MAX_REGEX_INPUT);
+  if (opValue instanceof RegExp) {
+    return opValue.test(truncated);
+  }
+  return new RegExp(opValue).test(truncated);
+}
+function opMatchesAny(fieldValue, opValue) {
+  if (typeof fieldValue !== "string") throw new TypeError();
+  const truncated = fieldValue.slice(0, MAX_REGEX_INPUT);
+  return opValue.some(
+    (p) => p instanceof RegExp ? p.test(truncated) : new RegExp(p).test(truncated)
+  );
+}
+function opGt(fieldValue, opValue) {
+  if (typeof fieldValue !== "number") throw new TypeError();
+  return fieldValue > opValue;
+}
+function opGte(fieldValue, opValue) {
+  if (typeof fieldValue !== "number") throw new TypeError();
+  return fieldValue >= opValue;
+}
+function opLt(fieldValue, opValue) {
+  if (typeof fieldValue !== "number") throw new TypeError();
+  return fieldValue < opValue;
+}
+function opLte(fieldValue, opValue) {
+  if (typeof fieldValue !== "number") throw new TypeError();
+  return fieldValue <= opValue;
+}
+var OPERATORS = {
+  equals: opEquals,
+  not_equals: opNotEquals,
+  in: opIn,
+  not_in: opNotIn,
+  contains: opContains,
+  contains_any: opContainsAny,
+  starts_with: opStartsWith,
+  ends_with: opEndsWith,
+  matches: opMatches,
+  matches_any: opMatchesAny,
+  gt: opGt,
+  gte: opGte,
+  lt: opLt,
+  lte: opLte
+};
+var BUILTIN_OPERATOR_NAMES = /* @__PURE__ */ new Set([
+  ...Object.keys(OPERATORS),
+  "exists"
+]);
+
+// src/yaml-engine/selectors.ts
+var _MISSING = /* @__PURE__ */ Symbol("MISSING");
+var BUILTIN_SELECTOR_PREFIXES = /* @__PURE__ */ new Set([
+  "environment",
+  "tool",
+  "args",
+  "principal",
+  "output",
+  "env",
+  "metadata"
+]);
+function resolveSelector(selector, envelope, outputText, customSelectors) {
+  if (selector === "environment") return envelope.environment;
+  if (selector === "tool.name") return envelope.toolName;
+  if (selector.startsWith("args.")) {
+    return resolveNested(selector.slice(5), envelope.args);
+  }
+  if (selector.startsWith("principal.")) {
+    if (envelope.principal == null) return _MISSING;
+    const rest = selector.slice(10);
+    if (rest === "user_id") return envelope.principal.userId;
+    if (rest === "service_id") return envelope.principal.serviceId;
+    if (rest === "org_id") return envelope.principal.orgId;
+    if (rest === "role") return envelope.principal.role;
+    if (rest === "ticket_ref") return envelope.principal.ticketRef;
+    if (rest.startsWith("claims.")) {
+      return resolveNested(
+        rest.slice(7),
+        envelope.principal.claims
+      );
+    }
+    return _MISSING;
+  }
+  if (selector === "output.text") {
+    return outputText == null ? _MISSING : outputText;
+  }
+  if (selector.startsWith("env.")) {
+    const varName = selector.slice(4);
+    const raw = process.env[varName];
+    if (raw == null) return _MISSING;
+    return coerceEnvValue(raw);
+  }
+  if (selector.startsWith("metadata.")) {
+    return resolveNested(
+      selector.slice(9),
+      envelope.metadata
+    );
+  }
+  if (customSelectors) {
+    const dotPos = selector.indexOf(".");
+    if (dotPos > 0) {
+      const prefix = selector.slice(0, dotPos);
+      if (Object.hasOwn(customSelectors, prefix)) {
+        const resolver = customSelectors[prefix];
+        const data = resolver(envelope);
+        const rest = selector.slice(dotPos + 1);
+        return resolveNested(rest, data);
+      }
+    }
+  }
+  return _MISSING;
+}
+function resolveNested(path, data) {
+  const parts = path.split(".");
+  let current = data;
+  for (const part of parts) {
+    if (current == null || typeof current !== "object") return _MISSING;
+    const obj = current;
+    if (!Object.hasOwn(obj, part)) return _MISSING;
+    current = obj[part];
+  }
+  return current;
+}
+function coerceEnvValue(raw) {
+  const low = raw.toLowerCase();
+  if (low === "true") return true;
+  if (low === "false") return false;
+  const asInt = parseInt(raw, 10);
+  if (!isNaN(asInt) && String(asInt) === raw) return asInt;
+  const asFloat = parseFloat(raw);
+  if (!isNaN(asFloat) && String(asFloat) === raw) return asFloat;
+  return raw;
+}
+
+// src/yaml-engine/evaluator.ts
+var PolicyError = class {
+  message;
+  constructor(message) {
+    this.message = message;
+  }
+};
+function evaluateExpression(expr, envelope, outputText, options) {
+  const customOps = options?.customOperators ?? null;
+  const customSels = options?.customSelectors ?? null;
+  if ("all" in expr) {
+    return _evalAll(expr.all, envelope, outputText, customOps, customSels);
+  }
+  if ("any" in expr) {
+    return _evalAny(expr.any, envelope, outputText, customOps, customSels);
+  }
+  if ("not" in expr) {
+    return _evalNot(expr.not, envelope, outputText, customOps, customSels);
+  }
+  const leafKeys = Object.keys(expr);
+  if (leafKeys.length !== 1) {
+    return new PolicyError(
+      `Leaf expression must have exactly one selector key, got ${leafKeys.length}: [${leafKeys.join(", ")}]`
+    );
+  }
+  return _evalLeaf(expr, envelope, outputText, customOps, customSels);
+}
+function _evalAll(exprs, envelope, outputText, customOps, customSels) {
+  for (const expr of exprs) {
+    const result = evaluateExpression(expr, envelope, outputText, {
+      customOperators: customOps,
+      customSelectors: customSels
+    });
+    if (result instanceof PolicyError) return result;
+    if (!result) return false;
+  }
+  return true;
+}
+function _evalAny(exprs, envelope, outputText, customOps, customSels) {
+  for (const expr of exprs) {
+    const result = evaluateExpression(expr, envelope, outputText, {
+      customOperators: customOps,
+      customSelectors: customSels
+    });
+    if (result instanceof PolicyError) return result;
+    if (result) return true;
+  }
+  return false;
+}
+function _evalNot(expr, envelope, outputText, customOps, customSels) {
+  const result = evaluateExpression(expr, envelope, outputText, {
+    customOperators: customOps,
+    customSelectors: customSels
+  });
+  if (result instanceof PolicyError) return result;
+  return !result;
+}
+function _evalLeaf(leaf, envelope, outputText, customOps, customSels) {
+  const selector = Object.keys(leaf)[0];
+  const operatorBlock = leaf[selector];
+  const value = resolveSelector(selector, envelope, outputText, customSels);
+  const opName = Object.keys(operatorBlock)[0];
+  const opValue = operatorBlock[opName];
+  return _applyOperator(opName, value, opValue, selector, customOps);
+}
+function _applyOperator(op, fieldValue, opValue, selector, customOperators) {
+  if (op === "exists") {
+    const isPresent = fieldValue !== _MISSING && fieldValue != null;
+    return isPresent === opValue;
+  }
+  if (fieldValue === _MISSING || fieldValue == null) return false;
+  try {
+    if (Object.hasOwn(OPERATORS, op)) return OPERATORS[op](fieldValue, opValue);
+    if (customOperators && Object.hasOwn(customOperators, op)) {
+      return Boolean(customOperators[op](fieldValue, opValue));
+    }
+    return new PolicyError(`Unknown operator: '${op}'`);
+  } catch {
+    return new PolicyError(
+      `Type mismatch: operator '${op}' cannot be applied to selector '${selector}' value ${typeof fieldValue}`
+    );
+  }
+}
+
+// src/yaml-engine/compiler-utils.ts
+var _PLACEHOLDER_RE = /\{([^}]+)\}/g;
+var _PLACEHOLDER_CAP = 200;
+function expandMessage(template, envelope, outputText, customSelectors) {
+  const redaction = new RedactionPolicy();
+  return template.replace(_PLACEHOLDER_RE, (match, selectorRaw) => {
+    const value = resolveSelector(selectorRaw, envelope, outputText, customSelectors);
+    if (value === _MISSING || value == null) return match;
+    let text = String(value);
+    if (redaction._looksLikeSecret(text)) text = "[REDACTED]";
+    if (text.length > _PLACEHOLDER_CAP) text = text.slice(0, _PLACEHOLDER_CAP - 3) + "...";
+    return text;
+  });
+}
+function validateOperators(bundle, customOperators) {
+  const known = /* @__PURE__ */ new Set([
+    ...BUILTIN_OPERATOR_NAMES,
+    ...Object.keys(customOperators ?? {})
+  ]);
+  const contracts = bundle.contracts ?? [];
+  for (const contract of contracts) {
+    const when = contract.when;
+    if (when) {
+      _validateExpressionOperators(when, known, contract.id);
+    }
+  }
+}
+function _validateExpressionOperators(expr, known, contractId) {
+  if (expr == null || typeof expr !== "object") return;
+  const e = expr;
+  if ("all" in e) {
+    for (const sub of e.all) {
+      _validateExpressionOperators(sub, known, contractId);
+    }
+    return;
+  }
+  if ("any" in e) {
+    for (const sub of e.any) {
+      _validateExpressionOperators(sub, known, contractId);
+    }
+    return;
+  }
+  if ("not" in e) {
+    _validateExpressionOperators(e.not, known, contractId);
+    return;
+  }
+  for (const [, operator] of Object.entries(e)) {
+    if (operator != null && typeof operator === "object") {
+      for (const opName of Object.keys(operator)) {
+        if (!known.has(opName)) {
+          throw new EdictumConfigError(
+            `Contract '${contractId}': unknown operator '${opName}'`
+          );
+        }
+      }
+    }
+  }
+}
+function precompileRegexes(expr) {
+  if (expr == null || typeof expr !== "object") return expr;
+  const e = expr;
+  if ("all" in e) {
+    return { all: e.all.map(precompileRegexes) };
+  }
+  if ("any" in e) {
+    return { any: e.any.map(precompileRegexes) };
+  }
+  if ("not" in e) {
+    return { not: precompileRegexes(e.not) };
+  }
+  const compiled = {};
+  for (const [selector, operator] of Object.entries(e)) {
+    if (operator == null || typeof operator !== "object") {
+      compiled[selector] = operator;
+      continue;
+    }
+    const newOp = { ...operator };
+    if ("matches" in newOp && typeof newOp.matches === "string") {
+      newOp.matches = new RegExp(newOp.matches);
+    }
+    if ("matches_any" in newOp && Array.isArray(newOp.matches_any)) {
+      newOp.matches_any = newOp.matches_any.map(
+        (p) => typeof p === "string" ? new RegExp(p) : p
+      );
+    }
+    compiled[selector] = newOp;
+  }
+  return compiled;
+}
+function extractOutputPatterns(expr) {
+  if (expr == null || typeof expr !== "object") return [];
+  const e = expr;
+  if ("all" in e) {
+    const patterns = [];
+    for (const sub of e.all) {
+      patterns.push(...extractOutputPatterns(sub));
+    }
+    return patterns;
+  }
+  if ("any" in e) {
+    const patterns = [];
+    for (const sub of e.any) {
+      patterns.push(...extractOutputPatterns(sub));
+    }
+    return patterns;
+  }
+  if ("not" in e) {
+    return extractOutputPatterns(e.not);
+  }
+  const collected = [];
+  for (const [selector, operator] of Object.entries(e)) {
+    if (selector !== "output.text" || operator == null || typeof operator !== "object") continue;
+    const op = operator;
+    if ("matches" in op && op.matches instanceof RegExp) {
+      collected.push(op.matches);
+    }
+    if ("matches_any" in op && Array.isArray(op.matches_any)) {
+      for (const p of op.matches_any) {
+        if (p instanceof RegExp) collected.push(p);
+      }
+    }
+  }
+  return collected;
+}
+
+// src/yaml-engine/compile-contracts.ts
+init_contracts();
+init_errors();
+function _evalAndVerdict(whenExpr, envelope, outputText, messageTemplate, tags, thenMetadata, customOps, customSels) {
+  try {
+    const result = evaluateExpression(whenExpr, envelope, outputText, {
+      customOperators: customOps,
+      customSelectors: customSels
+    });
+    if (result instanceof PolicyError) {
+      const msg = expandMessage(messageTemplate, envelope, outputText, customSels);
+      return Verdict.fail(msg, { tags, policyError: true, ...thenMetadata });
+    }
+    if (result) {
+      const msg = expandMessage(messageTemplate, envelope, outputText, customSels);
+      return Verdict.fail(msg, { tags, ...thenMetadata });
+    }
+    return Verdict.pass_();
+  } catch (exc) {
+    const msg = expandMessage(messageTemplate, envelope, outputText, customSels);
+    return Verdict.fail(msg, { tags, policyError: true, errorDetail: String(exc), ...thenMetadata });
+  }
+}
+function _maybeObserve(result, contract) {
+  if (contract._observe === true || contract._shadow === true) result._edictum_observe = true;
+}
+function compilePre(contract, mode, customOps, customSels) {
+  const contractId = contract.id;
+  const tool = contract.tool;
+  const whenExpr = precompileRegexes(contract.when);
+  const then = contract.then;
+  const msgTpl = then.message;
+  const tags = then.tags ?? [];
+  const meta = then.metadata ?? {};
+  const check = (envelope) => _evalAndVerdict(whenExpr, envelope, void 0, msgTpl, tags, meta, customOps, customSels);
+  const result = {
+    check,
+    name: contractId,
+    tool,
+    type: "precondition",
+    mode,
+    _edictum_type: "precondition",
+    _edictum_tool: tool,
+    _edictum_when: null,
+    _edictum_mode: mode,
+    _edictum_id: contractId,
+    _edictum_source: "yaml_precondition",
+    _edictum_effect: then.effect ?? "deny",
+    _edictum_timeout: then.timeout ?? 300,
+    _edictum_timeout_effect: then.timeout_effect ?? "deny"
+  };
+  _maybeObserve(result, contract);
+  return result;
+}
+function compilePost(contract, mode, customOps, customSels) {
+  const contractId = contract.id;
+  const tool = contract.tool;
+  const whenExpr = precompileRegexes(contract.when);
+  const then = contract.then;
+  const msgTpl = then.message;
+  const tags = then.tags ?? [];
+  const meta = then.metadata ?? {};
+  const check = (envelope, response) => {
+    const outputText = response != null ? String(response) : void 0;
+    return _evalAndVerdict(whenExpr, envelope, outputText, msgTpl, tags, meta, customOps, customSels);
+  };
+  const effectValue = then.effect ?? "warn";
+  const result = {
+    check,
+    name: contractId,
+    tool,
+    type: "postcondition",
+    mode,
+    effect: effectValue,
+    _edictum_type: "postcondition",
+    _edictum_tool: tool,
+    _edictum_when: null,
+    _edictum_mode: mode,
+    _edictum_id: contractId,
+    _edictum_source: "yaml_postcondition",
+    _edictum_effect: effectValue,
+    _edictum_redact_patterns: extractOutputPatterns(whenExpr)
+  };
+  _maybeObserve(result, contract);
+  return result;
+}
+function compileSession(contract, mode, limits) {
+  const contractId = contract.id;
+  const then = contract.then;
+  const messageTemplate = then.message;
+  const tags = then.tags ?? [];
+  const thenMetadata = then.metadata ?? {};
+  const capturedLimits = { ...limits };
+  const check = async (session) => {
+    const execCount = await session.executionCount();
+    if (execCount >= capturedLimits.maxToolCalls) {
+      return Verdict.fail(messageTemplate, { tags, ...thenMetadata });
+    }
+    const attemptCount = await session.attemptCount();
+    if (attemptCount >= capturedLimits.maxAttempts) {
+      return Verdict.fail(messageTemplate, { tags, ...thenMetadata });
+    }
+    return Verdict.pass_();
+  };
+  const result = {
+    check,
+    name: contractId,
+    type: "session_contract",
+    _edictum_type: "session_contract",
+    _edictum_mode: mode,
+    _edictum_id: contractId,
+    _edictum_message: messageTemplate,
+    _edictum_tags: tags,
+    _edictum_then_metadata: thenMetadata,
+    _edictum_source: "yaml_session"
+  };
+  if (contract._observe === true || contract._shadow === true) {
+    result._edictum_observe = true;
+  }
+  return result;
+}
+function mergeSessionLimits(contract, existing) {
+  const sessionLimits = contract.limits;
+  let maxToolCalls = existing.maxToolCalls;
+  let maxAttempts = existing.maxAttempts;
+  const maxCallsPerTool = { ...existing.maxCallsPerTool };
+  if ("max_tool_calls" in sessionLimits) {
+    const raw = sessionLimits.max_tool_calls;
+    if (typeof raw !== "number" || !Number.isFinite(raw)) {
+      throw new EdictumConfigError(`Session limit max_tool_calls must be a finite number, got: ${String(raw)}`);
+    }
+    maxToolCalls = Math.min(maxToolCalls, raw);
+  }
+  if ("max_attempts" in sessionLimits) {
+    const raw = sessionLimits.max_attempts;
+    if (typeof raw !== "number" || !Number.isFinite(raw)) {
+      throw new EdictumConfigError(`Session limit max_attempts must be a finite number, got: ${String(raw)}`);
+    }
+    maxAttempts = Math.min(maxAttempts, raw);
+  }
+  if ("max_calls_per_tool" in sessionLimits) {
+    const perTool = sessionLimits.max_calls_per_tool;
+    for (const [tool, limit] of Object.entries(perTool)) {
+      if (typeof limit !== "number" || !Number.isFinite(limit)) {
+        throw new EdictumConfigError(
+          `Session limit max_calls_per_tool['${tool}'] must be a finite number, got: ${String(limit)}`
+        );
+      }
+      if (Object.hasOwn(maxCallsPerTool, tool)) {
+        maxCallsPerTool[tool] = Math.min(maxCallsPerTool[tool], limit);
+      } else {
+        maxCallsPerTool[tool] = limit;
+      }
+    }
+  }
+  return { maxAttempts, maxToolCalls, maxCallsPerTool };
+}
+
+// src/yaml-engine/sandbox-compile-fn.ts
+init_contracts();
+
+// src/yaml-engine/sandbox-compiler.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+
+// src/fnmatch.ts
+function fnmatch(name, pattern) {
+  if (pattern === "*") return true;
+  if (!pattern.includes("*") && !pattern.includes("?")) {
+    return name === pattern;
+  }
+  const safeName = name.length > 1e4 ? name.slice(0, 1e4) : name;
+  const safePattern = pattern.length > 1e4 ? pattern.slice(0, 1e4) : pattern;
+  let regex = "";
+  for (let i = 0; i < safePattern.length; i++) {
+    const ch = safePattern[i] ?? "";
+    if (ch === "*") {
+      regex += ".*";
+    } else if (ch === "?") {
+      regex += ".";
+    } else if (".+^${}()|[]\\".includes(ch)) {
+      regex += "\\" + ch;
+    } else {
+      regex += ch;
+    }
+  }
+  return new RegExp("^" + regex + "$").test(safeName);
+}
+
+// src/yaml-engine/sandbox-compiler.ts
+var _REDIRECT_PREFIX_RE = /^(?:\d*>>|>>|\d*>|>|<<|<)/;
+var _SHELL_SEPARATOR_RE = /[;|&\n\r`]|\$\(|\$\{|<\(/;
+function tokenizeCommand(cmd) {
+  const rawTokens = _shlexSplit(cmd);
+  const tokens = [];
+  for (const t of rawTokens) {
+    const stripped = t.replace(_REDIRECT_PREFIX_RE, "");
+    if (stripped) tokens.push(stripped);
+  }
+  return tokens;
+}
+function _shlexSplit(s) {
+  const tokens = [];
+  let current = "";
+  let inSingle = false;
+  let inDouble = false;
+  let i = 0;
+  try {
+    while (i < s.length) {
+      const ch = s.charAt(i);
+      if (inSingle) {
+        if (ch === "'") {
+          inSingle = false;
+        } else {
+          current += ch;
+        }
+      } else if (inDouble) {
+        if (ch === "\\" && i + 1 < s.length) {
+          const next = s.charAt(i + 1);
+          if (next === '"' || next === "\\" || next === "$" || next === "`" || next === "\n") {
+            current += next;
+            i++;
+          } else {
+            current += ch;
+          }
+        } else if (ch === '"') {
+          inDouble = false;
+        } else {
+          current += ch;
+        }
+      } else if (ch === "'") {
+        inSingle = true;
+      } else if (ch === '"') {
+        inDouble = true;
+      } else if (ch === " " || ch === "	") {
+        if (current) {
+          tokens.push(current);
+          current = "";
+        }
+      } else {
+        current += ch;
+      }
+      i++;
+    }
+    if (inSingle || inDouble) {
+      return s.split(/\s+/).filter(Boolean).map((t) => t.replace(/^['"]|['"]$/g, ""));
+    }
+    if (current) tokens.push(current);
+    return tokens;
+  } catch {
+    return s.split(/\s+/).filter(Boolean).map((t) => t.replace(/^['"]|['"]$/g, ""));
+  }
+}
+var _PATH_ARG_KEYS = /* @__PURE__ */ new Set([
+  "path",
+  "file_path",
+  "filePath",
+  "directory",
+  "dir",
+  "folder",
+  "target",
+  "destination",
+  "source",
+  "src",
+  "dst"
+]);
+function _realpath(p) {
+  try {
+    return (0, import_node_fs.realpathSync)(p);
+  } catch {
+    return (0, import_node_path.resolve)(p);
+  }
+}
+function extractPaths(envelope) {
+  const paths = [];
+  const seen = /* @__PURE__ */ new Set();
+  function add(p) {
+    if (!p) return;
+    const resolved = _realpath(p);
+    if (!seen.has(resolved)) {
+      seen.add(resolved);
+      paths.push(resolved);
+    }
+  }
+  if (envelope.filePath) add(envelope.filePath);
+  const args = envelope.args;
+  for (const [key, value] of Object.entries(args)) {
+    if (typeof value === "string" && _PATH_ARG_KEYS.has(key)) add(value);
+  }
+  for (const [key, value] of Object.entries(args)) {
+    if (typeof value === "string" && value.startsWith("/") && !_PATH_ARG_KEYS.has(key)) add(value);
+  }
+  const cmd = envelope.bashCommand ?? args.command ?? "";
+  if (cmd) {
+    for (const token of tokenizeCommand(cmd)) {
+      if (token.startsWith("/")) add(token);
+    }
+  }
+  return paths;
+}
+function extractCommand(envelope) {
+  const cmd = envelope.bashCommand ?? envelope.args.command;
+  if (!cmd || typeof cmd !== "string") return null;
+  const stripped = cmd.trim();
+  if (!stripped) return null;
+  if (_SHELL_SEPARATOR_RE.test(stripped)) return "\0";
+  const rawFirst = stripped.split(/\s/)[0] ?? "";
+  if (_REDIRECT_PREFIX_RE.test(rawFirst)) return "\0";
+  const tokens = tokenizeCommand(stripped);
+  return tokens.length > 0 ? tokens[0] ?? null : null;
+}
+function extractUrls(envelope) {
+  const urls = [];
+  const seen = /* @__PURE__ */ new Set();
+  function addUrl(u) {
+    if (!seen.has(u)) {
+      seen.add(u);
+      urls.push(u);
+    }
+  }
+  for (const value of Object.values(envelope.args)) {
+    if (typeof value !== "string" || !value.includes("://")) continue;
+    if (extractHostname(value) !== null) {
+      addUrl(value);
+    } else {
+      for (const token of tokenizeCommand(value)) {
+        if (token.includes("://") && extractHostname(token) !== null) addUrl(token);
+      }
+    }
+  }
+  return urls;
+}
+function extractHostname(url) {
+  try {
+    return new URL(url).hostname || null;
+  } catch {
+    return null;
+  }
+}
+function domainMatches(hostname, patterns) {
+  return patterns.some((p) => fnmatch(hostname, p));
+}
+
+// src/yaml-engine/sandbox-compile-fn.ts
+var import_node_fs2 = require("fs");
+var import_node_path2 = require("path");
+function _realpath2(p) {
+  try {
+    return (0, import_node_fs2.realpathSync)(p);
+  } catch {
+    return (0, import_node_path2.resolve)(p);
+  }
+}
+function _pathWithin(filePath, prefix) {
+  return filePath === prefix || filePath.startsWith(prefix.replace(/\/+$/, "") + "/");
+}
+function compileSandbox(contract, mode) {
+  const contractId = contract.id;
+  const toolPatterns = "tools" in contract ? contract.tools : [contract.tool];
+  const within = (contract.within ?? []).map(_realpath2);
+  const notWithin = (contract.not_within ?? []).map(_realpath2);
+  const allows = contract.allows ?? {};
+  const notAllows = contract.not_allows ?? {};
+  const allowedCommands = allows.commands ?? [];
+  const allowedDomains = allows.domains ?? [];
+  const blockedDomains = notAllows.domains ?? [];
+  const outside = contract.outside ?? "deny";
+  const messageTemplate = contract.message ?? "Tool call outside sandbox boundary.";
+  const timeout = contract.timeout ?? 300;
+  const timeoutEffect = contract.timeout_effect ?? "deny";
+  const check = (envelope) => {
+    if (within.length > 0 || notWithin.length > 0) {
+      const paths = extractPaths(envelope);
+      if (paths.length > 0) {
+        for (const p of paths) {
+          for (const excluded of notWithin) {
+            if (_pathWithin(p, excluded)) {
+              return Verdict.fail(expandMessage(messageTemplate, envelope));
+            }
+          }
+        }
+        if (within.length > 0) {
+          for (const p of paths) {
+            if (!within.some((allowed) => _pathWithin(p, allowed))) {
+              return Verdict.fail(expandMessage(messageTemplate, envelope));
+            }
+          }
+        }
+      }
+    }
+    if (allowedCommands.length > 0) {
+      const firstToken = extractCommand(envelope);
+      if (firstToken !== null && !allowedCommands.includes(firstToken)) {
+        return Verdict.fail(expandMessage(messageTemplate, envelope));
+      }
+    }
+    const urls = extractUrls(envelope);
+    if (urls.length > 0) {
+      for (const url of urls) {
+        const hostname = extractHostname(url);
+        if (hostname) {
+          if (blockedDomains.length > 0 && domainMatches(hostname, blockedDomains)) {
+            return Verdict.fail(expandMessage(messageTemplate, envelope));
+          }
+          if (allowedDomains.length > 0 && !domainMatches(hostname, allowedDomains)) {
+            return Verdict.fail(expandMessage(messageTemplate, envelope));
+          }
+        } else if (allowedDomains.length > 0) {
+          return Verdict.fail(expandMessage(messageTemplate, envelope));
+        }
+      }
+    }
+    return Verdict.pass_();
+  };
+  const result = {
+    check,
+    name: contractId,
+    tool: toolPatterns.length === 1 ? toolPatterns[0] : void 0,
+    _edictum_type: "sandbox",
+    _edictum_tools: toolPatterns,
+    _edictum_mode: mode,
+    _edictum_id: contractId,
+    _edictum_source: "yaml_sandbox",
+    _edictum_effect: outside,
+    _edictum_timeout: timeout,
+    _edictum_timeout_effect: timeoutEffect
+  };
+  if (contract._observe === true || contract._shadow === true) {
+    result._edictum_observe = true;
+  }
+  return result;
+}
+
+// src/yaml-engine/compiler.ts
+function compileContracts(bundle, options = {}) {
+  const customOps = options?.customOperators ?? null;
+  const customSels = options?.customSelectors ?? null;
+  validateOperators(bundle, customOps);
+  if (bundle.defaults == null || typeof bundle.defaults !== "object") {
+    throw new EdictumConfigError(
+      "Bundle missing required 'defaults' section with 'mode' field"
+    );
+  }
+  const defaults = bundle.defaults;
+  const defaultMode = defaults.mode;
+  const preconditions = [];
+  const postconditions = [];
+  const sessionContracts = [];
+  const sandboxContracts = [];
+  let limits = { ...DEFAULT_LIMITS };
+  const contracts = bundle.contracts ?? [];
+  for (const contract of contracts) {
+    if (contract.enabled === false) continue;
+    const contractType = contract.type;
+    const contractMode = contract.mode ?? defaultMode;
+    if (contractType === "pre") {
+      preconditions.push(compilePre(contract, contractMode, customOps, customSels));
+    } else if (contractType === "post") {
+      postconditions.push(compilePost(contract, contractMode, customOps, customSels));
+    } else if (contractType === "session") {
+      const isObserve = contract._observe ?? contract._shadow ?? false;
+      if (!isObserve) {
+        limits = mergeSessionLimits(contract, limits);
+      }
+      sessionContracts.push(compileSession(contract, contractMode, limits));
+    } else if (contractType === "sandbox") {
+      sandboxContracts.push(compileSandbox(contract, contractMode));
+    } else {
+      throw new EdictumConfigError(
+        `Unknown contract type "${contractType}" in contract "${contract.id ?? "unknown"}". Expected "pre", "post", "session", or "sandbox".`
+      );
+    }
+  }
+  const tools = bundle.tools ?? {};
+  return {
+    preconditions,
+    postconditions,
+    sessionContracts,
+    sandboxContracts,
+    limits,
+    defaultMode,
+    tools
+  };
+}
+
+// src/yaml-engine/loader.ts
+var import_node_crypto3 = require("crypto");
+var import_node_fs3 = require("fs");
+init_errors();
+
+// src/yaml-engine/loader-validators.ts
+init_errors();
+function validateSchema(data) {
+  if (data.apiVersion !== "edictum/v1") {
+    throw new EdictumConfigError(
+      `Schema validation failed: apiVersion must be 'edictum/v1', got '${String(data.apiVersion)}'`
+    );
+  }
+  if (data.kind !== "ContractBundle") {
+    throw new EdictumConfigError(
+      `Schema validation failed: kind must be 'ContractBundle', got '${String(data.kind)}'`
+    );
+  }
+  if (data.metadata != null && typeof data.metadata !== "object") {
+    throw new EdictumConfigError("Schema validation failed: metadata must be an object");
+  }
+  if (!Array.isArray(data.contracts)) {
+    throw new EdictumConfigError("Schema validation failed: contracts must be an array");
+  }
+}
+var CONTROL_CHAR_RE = /[\x00-\x1f\x7f-\x9f]/;
+function validateContractId(contractId) {
+  if (CONTROL_CHAR_RE.test(contractId)) {
+    throw new EdictumConfigError(
+      `Contract id contains control characters: '${contractId.replace(CONTROL_CHAR_RE, "\\x??")}'`
+    );
+  }
+}
+function validateUniqueIds(data) {
+  const ids = /* @__PURE__ */ new Set();
+  const contracts = data.contracts ?? [];
+  for (const contract of contracts) {
+    const contractId = contract.id;
+    if (contractId != null) {
+      validateContractId(contractId);
+      if (ids.has(contractId)) {
+        throw new EdictumConfigError(`Duplicate contract id: '${contractId}'`);
+      }
+      ids.add(contractId);
+    }
+  }
+}
+function validateRegexes(data) {
+  const contracts = data.contracts ?? [];
+  for (const contract of contracts) {
+    const when = contract.when;
+    if (when != null) {
+      validateExpressionRegexes(when);
+    }
+  }
+}
+function validateExpressionRegexes(expr) {
+  if (expr == null || typeof expr !== "object") return;
+  const e = expr;
+  if ("all" in e) {
+    for (const sub of e.all) validateExpressionRegexes(sub);
+    return;
+  }
+  if ("any" in e) {
+    for (const sub of e.any) validateExpressionRegexes(sub);
+    return;
+  }
+  if ("not" in e) {
+    validateExpressionRegexes(e.not);
+    return;
+  }
+  for (const operator of Object.values(e)) {
+    if (operator == null || typeof operator !== "object") continue;
+    const op = operator;
+    if ("matches" in op) tryCompileRegex(op.matches);
+    if ("matches_any" in op) {
+      for (const pattern of op.matches_any) tryCompileRegex(pattern);
+    }
+  }
+}
+function tryCompileRegex(pattern) {
+  try {
+    new RegExp(pattern);
+  } catch (e) {
+    throw new EdictumConfigError(`Invalid regex pattern '${pattern}': ${String(e)}`);
+  }
+}
+function validatePreSelectors(data) {
+  const contracts = data.contracts ?? [];
+  for (const contract of contracts) {
+    if (contract.type !== "pre") continue;
+    const when = contract.when;
+    if (when != null && expressionHasSelector(when, "output.text")) {
+      throw new EdictumConfigError(
+        `Contract '${contract.id ?? "?"}': output.text selector is not available in type: pre contracts`
+      );
+    }
+  }
+}
+function expressionHasSelector(expr, target) {
+  if (expr == null || typeof expr !== "object") return false;
+  const e = expr;
+  if ("all" in e) return e.all.some((sub) => expressionHasSelector(sub, target));
+  if ("any" in e) return e.any.some((sub) => expressionHasSelector(sub, target));
+  if ("not" in e) return expressionHasSelector(e.not, target);
+  return target in e;
+}
+function validateSandboxContracts(data) {
+  const contracts = data.contracts ?? [];
+  for (const contract of contracts) {
+    if (contract.type !== "sandbox") continue;
+    const cid = contract.id ?? "?";
+    if ("not_within" in contract && !("within" in contract)) {
+      throw new EdictumConfigError(`Contract '${cid}': not_within requires within to also be set`);
+    }
+    if ("not_allows" in contract && !("allows" in contract)) {
+      throw new EdictumConfigError(`Contract '${cid}': not_allows requires allows to also be set`);
+    }
+    if ("not_allows" in contract) {
+      const notAllows = contract.not_allows ?? {};
+      if ("domains" in notAllows) {
+        const allows = contract.allows ?? {};
+        if (!("domains" in allows)) {
+          throw new EdictumConfigError(
+            `Contract '${cid}': not_allows.domains requires allows.domains to also be set`
+          );
+        }
+      }
+    }
+  }
+}
+
+// src/yaml-engine/loader.ts
+var MAX_BUNDLE_SIZE = 1048576;
+function computeHash(rawBytes) {
+  return { hex: (0, import_node_crypto3.createHash)("sha256").update(rawBytes).digest("hex") };
+}
+function requireYaml() {
+  try {
+    const yaml = require("js-yaml");
+    return yaml;
+  } catch {
+    throw new EdictumConfigError(
+      "The YAML engine requires js-yaml. Install it with: npm install js-yaml"
+    );
+  }
+}
+function parseYaml(content) {
+  const yaml = requireYaml();
+  let data;
+  try {
+    data = yaml.load(content);
+  } catch (e) {
+    throw new EdictumConfigError(`YAML parse error: ${String(e)}`);
+  }
+  if (data == null || typeof data !== "object" || Array.isArray(data)) {
+    throw new EdictumConfigError("YAML document must be a mapping");
+  }
+  return data;
+}
+function validateBundle(data) {
+  validateSchema(data);
+  validateUniqueIds(data);
+  validateRegexes(data);
+  validatePreSelectors(data);
+  validateSandboxContracts(data);
+}
+function loadBundle(source) {
+  const resolved = (0, import_node_fs3.realpathSync)(source);
+  const fileSize = (0, import_node_fs3.statSync)(resolved).size;
+  if (fileSize > MAX_BUNDLE_SIZE) {
+    throw new EdictumConfigError(
+      `Bundle file too large (${fileSize} bytes, max ${MAX_BUNDLE_SIZE})`
+    );
+  }
+  const rawBytes = (0, import_node_fs3.readFileSync)(resolved);
+  const bundleHash = computeHash(rawBytes);
+  const data = parseYaml(rawBytes.toString("utf-8"));
+  validateBundle(data);
+  return [data, bundleHash];
+}
+function loadBundleString(content) {
+  const rawBytes = typeof content === "string" ? new TextEncoder().encode(content) : content;
+  if (rawBytes.length > MAX_BUNDLE_SIZE) {
+    throw new EdictumConfigError(
+      `Bundle content too large (${rawBytes.length} bytes, max ${MAX_BUNDLE_SIZE})`
+    );
+  }
+  const bundleHash = computeHash(rawBytes);
+  const text = typeof content === "string" ? content : new TextDecoder().decode(rawBytes);
+  const data = parseYaml(text);
+  validateBundle(data);
+  return [data, bundleHash];
+}
+
+// src/factory.ts
+function fromYaml(...args) {
+  let paths;
+  let options;
+  const last = args[args.length - 1];
+  if (typeof last === "object" && last !== null && !Array.isArray(last)) {
+    paths = args.slice(0, -1);
+    options = last;
+  } else {
+    paths = args;
+    options = {};
+  }
+  if (paths.length === 0) {
+    throw new EdictumConfigError("fromYaml() requires at least one path");
+  }
+  const loaded = [];
+  for (const p of paths) {
+    loaded.push(loadBundle(p));
+  }
+  let bundleData;
+  let policyVersion;
+  let report;
+  if (loaded.length === 1) {
+    const entry = loaded[0];
+    bundleData = entry[0];
+    policyVersion = entry[1].hex;
+    report = { overriddenContracts: [], observeContracts: [] };
+  } else {
+    const bundleTuples = loaded.map(
+      ([data], i) => [data, paths[i]]
+    );
+    const composed = composeBundles(...bundleTuples);
+    bundleData = composed.bundle;
+    report = composed.report;
+    policyVersion = (0, import_node_crypto4.createHash)("sha256").update(loaded.map(([, h]) => h.hex).join(":")).digest("hex");
+  }
+  const compiled = compileContracts(bundleData, {
+    customOperators: options.customOperators ?? null,
+    customSelectors: options.customSelectors ?? null
+  });
+  const guard = _buildGuard(compiled, policyVersion, options);
+  if (options.returnReport) {
+    return [guard, report];
+  }
+  return guard;
+}
+function fromYamlString(content, options = {}) {
+  const [bundleData, bundleHash] = loadBundleString(content);
+  const policyVersion = bundleHash.hex;
+  const compiled = compileContracts(bundleData, {
+    customOperators: options.customOperators ?? null,
+    customSelectors: options.customSelectors ?? null
+  });
+  return _buildGuard(compiled, policyVersion, options);
+}
+function reload(guard, yamlContent, options = {}) {
+  const [bundleData, bundleHash] = loadBundleString(yamlContent);
+  const compiled = compileContracts(bundleData, {
+    customOperators: options.customOperators ?? null,
+    customSelectors: options.customSelectors ?? null
+  });
+  const allContracts = [
+    ...compiled.preconditions,
+    ...compiled.postconditions,
+    ...compiled.sessionContracts,
+    ...compiled.sandboxContracts
+  ];
+  const temp = new Edictum({
+    contracts: allContracts,
+    limits: compiled.limits,
+    policyVersion: bundleHash.hex
+  });
+  guard._replaceState(temp._getState());
+}
+function _buildGuard(compiled, policyVersion, options) {
+  const effectiveMode = options.mode ?? compiled.defaultMode;
+  const allContracts = [
+    ...compiled.preconditions,
+    ...compiled.postconditions,
+    ...compiled.sessionContracts,
+    ...compiled.sandboxContracts
+  ];
+  const mergedTools = {};
+  for (const [name, cfg] of Object.entries(compiled.tools)) {
+    mergedTools[name] = cfg;
+  }
+  if (options.tools) {
+    for (const [name, cfg] of Object.entries(options.tools)) {
+      mergedTools[name] = cfg;
+    }
+  }
+  return new Edictum({
+    environment: options.environment ?? "production",
+    mode: effectiveMode,
+    limits: compiled.limits,
+    tools: Object.keys(mergedTools).length > 0 ? mergedTools : void 0,
+    contracts: allContracts,
+    auditSink: options.auditSink,
+    redaction: options.redaction,
+    backend: options.backend,
+    policyVersion,
+    onDeny: options.onDeny,
+    onAllow: options.onAllow,
+    successCheck: options.successCheck,
+    principal: options.principal,
+    principalResolver: options.principalResolver,
+    approvalBackend: options.approvalBackend
+  });
+}
+
+// src/guard.ts
+init_audit();
+init_errors();
+init_envelope();
+init_redaction();
+function isSessionContract(c) {
+  return !("tool" in c);
+}
+var Edictum = class _Edictum {
+  environment;
+  mode;
+  backend;
+  redaction;
+  toolRegistry;
+  auditSink;
+  _localSink;
+  _state;
+  _beforeHooks;
+  _afterHooks;
+  _sessionId;
+  // Callbacks and resolution — not private because _runner.ts needs access
+  // (Python's _runner.py accesses self._on_deny etc. directly)
+  /** @internal */
+  _onDeny;
+  /** @internal */
+  _onAllow;
+  /** @internal */
+  _successCheck;
+  _principal;
+  _principalResolver;
+  /** @internal */
+  _approvalBackend;
+  constructor(options = {}) {
+    this.environment = options.environment ?? "production";
+    this.mode = options.mode ?? "enforce";
+    this.backend = options.backend ?? new MemoryBackend();
+    this.redaction = options.redaction ?? new RedactionPolicy();
+    this._onDeny = options.onDeny ?? null;
+    this._onAllow = options.onAllow ?? null;
+    this._successCheck = options.successCheck ?? null;
+    this._principal = options.principal ?? null;
+    this._principalResolver = options.principalResolver ?? null;
+    this._approvalBackend = options.approvalBackend ?? null;
+    this._localSink = new CollectingAuditSink();
+    if (Array.isArray(options.auditSink)) {
+      this.auditSink = new CompositeSink([
+        this._localSink,
+        ...options.auditSink
+      ]);
+    } else if (options.auditSink != null) {
+      this.auditSink = new CompositeSink([
+        this._localSink,
+        options.auditSink
+      ]);
+    } else {
+      this.auditSink = this._localSink;
+    }
+    this.toolRegistry = new ToolRegistry();
+    if (options.tools) {
+      for (const [name, config] of Object.entries(options.tools)) {
+        this.toolRegistry.register(
+          name,
+          config.side_effect ?? SideEffect.IRREVERSIBLE,
+          config.idempotent ?? false
+        );
+      }
+    }
+    this._state = _Edictum._classifyContracts(
+      options.contracts ?? [],
+      options.limits ?? DEFAULT_LIMITS,
+      options.policyVersion ?? null
+    );
+    this._beforeHooks = [];
+    this._afterHooks = [];
+    for (const item of options.hooks ?? []) {
+      this._registerHook(item);
+    }
+    this._sessionId = (0, import_node_crypto5.randomUUID)();
+  }
+  // -----------------------------------------------------------------------
+  // Properties
+  // -----------------------------------------------------------------------
+  /** The local in-memory audit event collector. Always present. */
+  get localSink() {
+    return this._localSink;
+  }
+  /** Operation limits for the current contract set. */
+  get limits() {
+    return this._state.limits;
+  }
+  /** Update operation limits (replaces compiled state atomically). */
+  set limits(value) {
+    this._state = createCompiledState({ ...this._state, limits: value });
+  }
+  /** SHA256 hash identifying the active contract bundle. */
+  get policyVersion() {
+    return this._state.policyVersion;
+  }
+  /**
+   * Replace the compiled state atomically.
+   *
+   * @internal — used by factory.ts reload(). Not part of the public API.
+   */
+  _replaceState(newState) {
+    this._state = newState;
+  }
+  /**
+   * Read the current compiled state.
+   *
+   * @internal — used by factory.ts reload(). Not part of the public API.
+   */
+  _getState() {
+    return this._state;
+  }
+  /** Update policy version (replaces compiled state atomically). */
+  set policyVersion(value) {
+    this._state = createCompiledState({
+      ...this._state,
+      policyVersion: value
+    });
+  }
+  /** The persistent session ID for this guard instance. */
+  get sessionId() {
+    return this._sessionId;
+  }
+  // -----------------------------------------------------------------------
+  // Principal
+  // -----------------------------------------------------------------------
+  /** Update the principal used for subsequent tool calls. */
+  setPrincipal(principal) {
+    this._principal = principal;
+  }
+  /** Resolve the principal for a tool call. */
+  _resolvePrincipal(toolName, toolInput) {
+    if (this._principalResolver != null) {
+      return this._principalResolver(toolName, toolInput);
+    }
+    return this._principal;
+  }
+  // -----------------------------------------------------------------------
+  // Hooks
+  // -----------------------------------------------------------------------
+  _registerHook(item) {
+    if (item.phase === "before") {
+      this._beforeHooks.push(item);
+    } else {
+      this._afterHooks.push(item);
+    }
+  }
+  getHooks(phase, envelope) {
+    const hooks = phase === "before" ? this._beforeHooks : this._afterHooks;
+    return hooks.filter(
+      (h) => h.tool === "*" || fnmatch(envelope.toolName, h.tool)
+    );
+  }
+  // -----------------------------------------------------------------------
+  // Contract accessors -- enforce mode
+  // -----------------------------------------------------------------------
+  getPreconditions(envelope) {
+    return _Edictum._filterByTool(
+      this._state.preconditions,
+      envelope
+    );
+  }
+  getPostconditions(envelope) {
+    return _Edictum._filterByTool(
+      this._state.postconditions,
+      envelope
+    );
+  }
+  getSessionContracts() {
+    return [...this._state.sessionContracts];
+  }
+  getSandboxContracts(envelope) {
+    return _Edictum._filterSandbox(
+      this._state.sandboxContracts,
+      envelope
+    );
+  }
+  // -----------------------------------------------------------------------
+  // Contract accessors -- observe mode
+  // -----------------------------------------------------------------------
+  getObservePreconditions(envelope) {
+    return _Edictum._filterByTool(
+      this._state.observePreconditions,
+      envelope
+    );
+  }
+  getObservePostconditions(envelope) {
+    return _Edictum._filterByTool(
+      this._state.observePostconditions,
+      envelope
+    );
+  }
+  getObserveSessionContracts() {
+    return [...this._state.observeSessionContracts];
+  }
+  getObserveSandboxContracts(envelope) {
+    return _Edictum._filterSandbox(
+      this._state.observeSandboxContracts,
+      envelope
+    );
+  }
+  // -----------------------------------------------------------------------
+  // Private helpers
+  // -----------------------------------------------------------------------
+  /**
+   * Classify user-facing and internal contracts into enforce/observe lists.
+   *
+   * User-facing contracts (Precondition, Postcondition, SessionContract)
+   * are converted to internal representations. Internal contracts (from
+   * YAML compiler) carry _edictum_* metadata and are classified by their
+   * _edictum_observe flag (Python uses _edictum_shadow — wire-format parity).
+   */
+  static _classifyContracts(contracts, limits, policyVersion) {
+    const pre = [];
+    const post = [];
+    const session = [];
+    const sandbox = [];
+    const oPre = [];
+    const oPost = [];
+    const oSession = [];
+    const oSandbox = [];
+    for (const item of contracts) {
+      const raw = item;
+      const edictumType = raw._edictum_type;
+      const isObserve = raw._edictum_observe ?? raw._edictum_shadow ?? false;
+      if (edictumType != null) {
+        _Edictum._classifyInternal(
+          raw,
+          edictumType,
+          isObserve,
+          { pre, post, session, sandbox, oPre, oPost, oSession, oSandbox }
+        );
+      } else if (isSessionContract(item)) {
+        const name = raw.name ?? "anonymous";
+        session.push({
+          type: "session_contract",
+          name,
+          check: item.check
+        });
+      } else if ("tool" in item && item.contractType === "post") {
+        const postItem = item;
+        const name = raw.name ?? "anonymous";
+        post.push({
+          type: "postcondition",
+          name,
+          tool: postItem.tool,
+          check: postItem.check,
+          when: postItem.when
+        });
+      } else if ("tool" in item) {
+        const ct = raw.contractType;
+        if (ct != null && ct !== "pre") {
+          throw new EdictumConfigError(
+            `Contract with tool "${item.tool}" has unknown contractType "${String(ct)}". Expected "pre" or omitted for Precondition, "post" for Postcondition.`
+          );
+        }
+        if (ct == null && item.check.length >= 2) {
+          throw new EdictumConfigError(
+            `Contract with tool "${item.tool}" has a check function with ${item.check.length} parameters (looks like a Postcondition) but is missing contractType: "post". Add it to prevent misclassification.`
+          );
+        }
+        const preItem = item;
+        const name = raw.name ?? "anonymous";
+        pre.push({
+          type: "precondition",
+          name,
+          tool: preItem.tool,
+          check: preItem.check,
+          when: preItem.when
+        });
+      }
+    }
+    return createCompiledState({
+      preconditions: pre,
+      postconditions: post,
+      sessionContracts: session,
+      sandboxContracts: sandbox,
+      observePreconditions: oPre,
+      observePostconditions: oPost,
+      observeSessionContracts: oSession,
+      observeSandboxContracts: oSandbox,
+      limits,
+      policyVersion
+    });
+  }
+  /** Route an internal contract to the appropriate enforce/observe list. */
+  static _classifyInternal(raw, edictumType, isObserve, lists) {
+    const target = isObserve ? { pre: lists.oPre, post: lists.oPost, session: lists.oSession, sandbox: lists.oSandbox } : { pre: lists.pre, post: lists.post, session: lists.session, sandbox: lists.sandbox };
+    if (edictumType === "precondition") target.pre.push(raw);
+    else if (edictumType === "postcondition") target.post.push(raw);
+    else if (edictumType === "session_contract") target.session.push(raw);
+    else if (edictumType === "sandbox") target.sandbox.push(raw);
+    else {
+      throw new EdictumConfigError(
+        `Unknown _edictum_type "${edictumType}". Expected "precondition", "postcondition", "session_contract", or "sandbox".`
+      );
+    }
+  }
+  /** Filter contracts by tool pattern and optional `when` guard. */
+  static _filterByTool(contracts, envelope) {
+    const result = [];
+    for (const p of contracts) {
+      const tool = p.tool ?? "*";
+      const when = p.when ?? null;
+      if (tool !== "*" && !fnmatch(envelope.toolName, tool)) {
+        continue;
+      }
+      if (when != null) {
+        try {
+          if (!when(envelope)) continue;
+        } catch {
+        }
+      }
+      result.push(p);
+    }
+    return result;
+  }
+  /** Filter sandbox contracts by tool patterns array. */
+  static _filterSandbox(contracts, envelope) {
+    const result = [];
+    for (const s of contracts) {
+      const tools = s.tools ?? ["*"];
+      if (tools.some((p) => fnmatch(envelope.toolName, p))) {
+        result.push(s);
+      }
+    }
+    return result;
+  }
+  // -----------------------------------------------------------------------
+  // Delegated methods — run, evaluate, evaluateBatch
+  // -----------------------------------------------------------------------
+  /** Execute a tool call with full governance pipeline. */
+  async run(toolName, args, toolCallable, options) {
+    const { run: run2 } = await Promise.resolve().then(() => (init_runner(), runner_exports));
+    return run2(this, toolName, args, toolCallable, options);
+  }
+  /**
+   * Dry-run evaluation of a tool call against all matching contracts.
+   *
+   * Never executes the tool. Evaluates exhaustively (no short-circuit).
+   * Session contracts are skipped.
+   */
+  evaluate(toolName, args, options) {
+    return Promise.resolve().then(() => (init_dry_run(), dry_run_exports)).then(
+      ({ evaluate: evaluate2 }) => evaluate2(this, toolName, args, options)
+    );
+  }
+  /** Evaluate a batch of tool calls. Thin wrapper over evaluate(). */
+  evaluateBatch(calls) {
+    return Promise.resolve().then(() => (init_dry_run(), dry_run_exports)).then(
+      ({ evaluateBatch: evaluateBatch2 }) => evaluateBatch2(this, calls)
+    );
+  }
+  static fromYaml(...args) {
+    return fromYaml(...args);
+  }
+  /**
+   * Create an Edictum instance from a YAML string or Uint8Array.
+   */
+  static fromYamlString(content, options) {
+    return fromYamlString(content, options);
+  }
+  /**
+   * Atomically replace this guard's contracts from a YAML string.
+   *
+   * Pass customOperators/customSelectors if the new YAML uses custom
+   * operators or selectors that were passed to fromYaml/fromYamlString.
+   */
+  reload(yamlContent, options) {
+    reload(this, yamlContent, options);
+  }
+};
+
+// src/index.ts
+init_runner();
+var VERSION = "0.1.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ApprovalStatus,
+  AuditAction,
+  BUILTIN_OPERATOR_NAMES,
+  BUILTIN_SELECTOR_PREFIXES,
+  BashClassifier,
+  CollectingAuditSink,
+  CompositeSink,
+  DEFAULT_LIMITS,
+  Edictum,
+  EdictumConfigError,
+  EdictumDenied,
+  EdictumToolError,
+  FileAuditSink,
+  GovernancePipeline,
+  HookDecision,
+  HookResult,
+  LocalApprovalBackend,
+  MAX_BUNDLE_SIZE,
+  MAX_REGEX_INPUT,
+  MarkEvictedError,
+  MemoryBackend,
+  PolicyError,
+  RedactionPolicy,
+  Session,
+  SideEffect,
+  StdoutAuditSink,
+  ToolRegistry,
+  VERSION,
+  Verdict,
+  _validateToolName,
+  buildFindings,
+  classifyFinding,
+  compileContracts,
+  composeBundles,
+  computeHash,
+  createAuditEvent,
+  createCompiledState,
+  createContractResult,
+  createEnvelope,
+  createEvaluationResult,
+  createFinding,
+  createPostCallResult,
+  createPostDecision,
+  createPreDecision,
+  createPrincipal,
+  deepFreeze,
+  defaultSuccessCheck,
+  evaluateExpression,
+  expandMessage,
+  fnmatch,
+  fromYaml,
+  fromYamlString,
+  loadBundle,
+  loadBundleString,
+  reload,
+  run,
+  validateOperators
+});
+//# sourceMappingURL=index.cjs.map