@fenglimg/fabric-server 1.6.0 → 1.7.0

package/dist/chunk-TZCE2K4D.js

@@ -1,1447 +0,0 @@
-// src/constants.ts
-var AGENTS_MD_RESOURCE_URI = "fabric://bootstrap-readme";
-
-// src/cache.ts
-var ContextCache = class {
-  constructor(defaultTtlMs = 5e3) {
-    this.defaultTtlMs = defaultTtlMs;
-  }
-  defaultTtlMs;
-  // Slot 1: raw AgentsMeta keyed by projectRoot
-  metaSlot = /* @__PURE__ */ new Map();
-  // Slot 2: GetRulesContext keyed by projectRoot
-  contextSlot = /* @__PURE__ */ new Map();
-  // Slot 3: audit sliding-window cursor keyed by projectRoot
-  auditSlot = /* @__PURE__ */ new Map();
-  // ---------------------------------------------------------------------------
-  // Generic get / set / invalidate
-  // ---------------------------------------------------------------------------
-  get(slot, key) {
-    const store = this.slotStore(slot);
-    const entry = store.get(key);
-    if (entry === void 0) {
-      return void 0;
-    }
-    if (entry.expiresAt !== 0 && Date.now() > entry.expiresAt) {
-      store.delete(key);
-      return void 0;
-    }
-    return entry.value;
-  }
-  set(slot, key, value, ttlMs) {
-    const store = this.slotStore(slot);
-    const resolvedTtl = ttlMs ?? this.defaultTtlMs;
-    const expiresAt = resolvedTtl > 0 ? Date.now() + resolvedTtl : 0;
-    store.set(key, { value, expiresAt });
-  }
-  // ---------------------------------------------------------------------------
-  // Audit cursor (separate API — not TTL-based)
-  // ---------------------------------------------------------------------------
-  getAuditCursor(projectRoot) {
-    return this.auditSlot.get(projectRoot);
-  }
-  setAuditCursor(projectRoot, cursor) {
-    this.auditSlot.set(projectRoot, cursor);
-  }
-  resetAuditCursor(projectRoot) {
-    this.auditSlot.delete(projectRoot);
-  }
-  // ---------------------------------------------------------------------------
-  // Invalidation
-  // ---------------------------------------------------------------------------
-  /**
-   * Invalidate cache slots based on what changed.
-   *
-   * @param reason  "meta_write"  — only the meta slot for this projectRoot
-   *                "file_watch"  — meta + context slots (AGENTS.md may have changed)
-   * @param projectRoot  Optional; if omitted, clears ALL keys in affected slots.
-   */
-  invalidate(reason, projectRoot) {
-    if (reason === "meta_write") {
-      if (projectRoot !== void 0) {
-        this.metaSlot.delete(projectRoot);
-      } else {
-        this.metaSlot.clear();
-      }
-      return;
-    }
-    if (projectRoot !== void 0) {
-      this.metaSlot.delete(projectRoot);
-      this.contextSlot.delete(projectRoot);
-    } else {
-      this.metaSlot.clear();
-      this.contextSlot.clear();
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Helpers
-  // ---------------------------------------------------------------------------
-  slotStore(slot) {
-    return slot === "meta" ? this.metaSlot : this.contextSlot;
-  }
-};
-var contextCache = new ContextCache(5e3);
-
-// src/services/_shared.ts
-import { dirname, join, resolve, sep } from "path";
-import { createHash } from "crypto";
-import { mkdir, rename, writeFile } from "fs/promises";
-var FABRIC_DIR = ".fabric";
-var HUMAN_LOCK_FILE = "human-lock.json";
-var LEDGER_FILE = ".intent-ledger.jsonl";
-var LEDGER_PATH = `${FABRIC_DIR}/${LEDGER_FILE}`;
-var LEGACY_LEDGER_PATH = LEDGER_FILE;
-async function atomicWriteText(path, content) {
-  const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
-  await writeFile(tempPath, content, "utf8");
-  await rename(tempPath, path);
-}
-function getLedgerPath(projectRoot) {
-  return join(projectRoot, LEDGER_PATH);
-}
-function getLegacyLedgerPath(projectRoot) {
-  return join(projectRoot, LEGACY_LEDGER_PATH);
-}
-async function ensureParentDirectory(path) {
-  await mkdir(dirname(path), { recursive: true });
-}
-function sha256(content) {
-  return `sha256:${createHash("sha256").update(content).digest("hex")}`;
-}
-function isNodeError(error) {
-  return error instanceof Error;
-}
-function assertPathWithinProjectRoot(projectRoot, file) {
-  const normalizedProjectRoot = resolve(projectRoot);
-  const absolutePath = resolve(normalizedProjectRoot, file);
-  const rootPrefix = normalizedProjectRoot.endsWith(sep) ? normalizedProjectRoot : `${normalizedProjectRoot}${sep}`;
-  if (!absolutePath.startsWith(rootPrefix)) {
-    throw new Error(`Path escapes project root: ${file}`);
-  }
-  return absolutePath;
-}
-
-// src/services/read-human-lock.ts
-import { readFile } from "fs/promises";
-import { join as join2 } from "path";
-import { humanLockEntrySchema } from "@fenglimg/fabric-shared";
-async function readHumanLock(projectRoot) {
-  const document = await readHumanLockDocument(projectRoot);
-  return await Promise.all(
-    document.locked.map(async (entry) => {
-      const currentHash = await hashHumanLockedContent(projectRoot, entry);
-      return {
-        ...entry,
-        drift: currentHash !== entry.hash,
-        current_hash: currentHash
-      };
-    })
-  );
-}
-async function readHumanLockEntry(projectRoot, file) {
-  const entries = await readHumanLock(projectRoot);
-  return entries.find((entry) => entry.file === file) ?? null;
-}
-async function readHumanLockDocument(projectRoot) {
-  const humanLockPath = join2(projectRoot, FABRIC_DIR, HUMAN_LOCK_FILE);
-  const raw = await readFile(humanLockPath, "utf8");
-  const parsed = JSON.parse(raw);
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error(`Fabric human lock file is invalid: ${humanLockPath}`);
-  }
-  const rawObject = parsed;
-  const lockedResult = humanLockEntrySchema.array().safeParse(rawObject.locked ?? []);
-  if (!lockedResult.success) {
-    throw new Error(`Fabric human lock file is invalid: ${humanLockPath}`);
-  }
-  return {
-    path: humanLockPath,
-    rawObject,
-    locked: lockedResult.data
-  };
-}
-async function hashHumanLockedContent(projectRoot, entry) {
-  const targetPath = assertPathWithinProjectRoot(projectRoot, entry.file);
-  let content;
-  try {
-    content = await readFile(targetPath, "utf8");
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") {
-      return "missing";
-    }
-    throw error;
-  }
-  const lines = content.split(/\r?\n/);
-  const slice = lines.slice(Math.max(entry.start_line - 1, 0), Math.max(entry.end_line, 0)).join("\n");
-  return sha256(slice);
-}
-
-// src/services/doctor.ts
-import { createHash as createHash2 } from "crypto";
-import { existsSync, readFileSync, readdirSync, statSync } from "fs";
-import { readFile as readFile4 } from "fs/promises";
-import { isAbsolute as isAbsolute2, join as join5, posix as posix2, resolve as resolve3 } from "path";
-import { forensicReportSchema } from "@fenglimg/fabric-shared";
-import { detectFramework } from "@fenglimg/fabric-shared/node";
-
-// src/meta-reader.ts
-import { readFile as readFile2 } from "fs/promises";
-import { join as join3 } from "path";
-import { agentsMetaSchema } from "@fenglimg/fabric-shared";
-import { agentsMetaNodeSchema, agentsMetaSchema as agentsMetaSchema2 } from "@fenglimg/fabric-shared";
-var AgentsMetaFileMissingError = class extends Error {
-  constructor(metaPath) {
-    super(`Fabric agents metadata file is missing: ${metaPath}`);
-    this.metaPath = metaPath;
-    this.name = "AgentsMetaFileMissingError";
-  }
-  metaPath;
-  code = "FABRIC_META_MISSING";
-};
-var AgentsMetaInvalidError = class extends Error {
-  constructor(metaPath, cause) {
-    const detail = cause instanceof Error ? cause.message : String(cause);
-    super(`Fabric agents metadata file is invalid: ${metaPath}. ${detail}`);
-    this.metaPath = metaPath;
-    this.name = "AgentsMetaInvalidError";
-  }
-  metaPath;
-  code = "FABRIC_META_INVALID";
-};
-function getAgentsMetaPath(projectRoot) {
-  return join3(projectRoot, ".fabric", "agents.meta.json");
-}
-function resolveProjectRoot() {
-  return process.env.FABRIC_PROJECT_ROOT ?? process.cwd();
-}
-async function readAgentsMeta(projectRoot) {
-  const cached = contextCache.get("meta", projectRoot);
-  if (cached !== void 0) {
-    return cached;
-  }
-  const metaPath = getAgentsMetaPath(projectRoot);
-  let raw;
-  try {
-    raw = await readFile2(metaPath, "utf8");
-  } catch (error) {
-    if (error && typeof error === "object" && "code" in error && error.code === "ENOENT") {
-      throw new AgentsMetaFileMissingError(metaPath);
-    }
-    throw error;
-  }
-  let parsed;
-  try {
-    parsed = agentsMetaSchema.parse(JSON.parse(raw));
-  } catch (error) {
-    throw new AgentsMetaInvalidError(metaPath, error);
-  }
-  contextCache.set("meta", projectRoot, parsed);
-  return parsed;
-}
-
-// src/services/audit-log.ts
-import { appendFile, mkdir as mkdir2, open, stat } from "fs/promises";
-import { isAbsolute, join as join4, posix, relative, resolve as resolve2 } from "path";
-var AUDIT_LOG_FILE = `${FABRIC_DIR}/audit.jsonl`;
-var DEFAULT_AUDIT_WINDOW_MS = 5 * 60 * 1e3;
-async function appendGetRulesAuditEvent(projectRoot, input) {
-  const entry = {
-    kind: "audit-event",
-    event: "get_rules",
-    ts: input.ts ?? Date.now(),
-    path: normalizeAuditPath(projectRoot, input.path),
-    client_hash: input.client_hash
-  };
-  await appendAuditLogEntries(projectRoot, [entry]);
-  return entry;
-}
-async function appendRuleSelectionAuditEvent(projectRoot, input) {
-  const entry = {
-    kind: "audit-event",
-    event: "rule_selection",
-    ts: input.ts ?? Date.now(),
-    path: normalizeAuditPath(projectRoot, input.path),
-    selection_token: input.selection_token,
-    target_paths: input.target_paths.map((path) => normalizeAuditPath(projectRoot, path)),
-    required_stable_ids: input.required_stable_ids,
-    ai_selectable_stable_ids: input.ai_selectable_stable_ids,
-    ai_selected_stable_ids: input.ai_selected_stable_ids,
-    final_stable_ids: input.final_stable_ids,
-    ai_selection_reasons: input.ai_selection_reasons,
-    rejected_stable_ids: input.rejected_stable_ids,
-    ignored_stable_ids: input.ignored_stable_ids
-  };
-  await appendAuditLogEntries(projectRoot, [entry]);
-  return entry;
-}
-async function appendEditIntentAuditEvents(projectRoot, input) {
-  const ts = input.ts ?? Date.now();
-  const windowMs = input.window_ms ?? DEFAULT_AUDIT_WINDOW_MS;
-  const getRulesEntries = (await readAuditLog(projectRoot, { windowMs, ts })).filter(
-    isGetRulesAuditEntry
-  );
-  const entries = input.affected_paths.map((affectedPath) => {
-    const path = normalizeAuditPath(projectRoot, affectedPath);
-    const matchedGetRules = findPrecedingGetRulesEvent(getRulesEntries, path, ts, windowMs);
-    return {
-      kind: "audit-event",
-      event: "edit_intent",
-      ts,
-      path,
-      compliant: matchedGetRules !== null,
-      intent: input.intent,
-      ledger_entry_id: input.ledger_entry_id,
-      matched_get_rules_ts: matchedGetRules?.ts ?? null,
-      window_ms: windowMs
-    };
-  });
-  const compliance = {
-    compliant: entries.length === 0 || entries.every((e) => e.compliant),
-    matched_get_rules_ts: entries.length > 0 && entries[0].matched_get_rules_ts !== null ? new Date(entries[0].matched_get_rules_ts).toISOString() : null,
-    window_ms: windowMs
-  };
-  if (entries.length === 0) {
-    return { entries, compliance };
-  }
-  await appendAuditLogEntries(projectRoot, entries);
-  return { entries, compliance };
-}
-async function readAuditLog(projectRoot, opts) {
-  if (opts === void 0) {
-    return readAuditLogFull(projectRoot);
-  }
-  return readAuditLogWindowed(projectRoot, opts.ts, opts.windowMs);
-}
-async function readAuditLogFull(projectRoot) {
-  const auditPath = join4(projectRoot, AUDIT_LOG_FILE);
-  let raw;
-  try {
-    const fileStat = await stat(auditPath);
-    const handle = await open(auditPath, "r");
-    try {
-      const buffer = Buffer.alloc(fileStat.size);
-      await handle.read(buffer, 0, fileStat.size, 0);
-      raw = buffer.toString("utf8");
-    } finally {
-      await handle.close();
-    }
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") {
-      return [];
-    }
-    throw error;
-  }
-  return parseAuditLogText(raw);
-}
-async function readAuditLogWindowed(projectRoot, ts, windowMs) {
-  const auditPath = join4(projectRoot, AUDIT_LOG_FILE);
-  let fileSize;
-  try {
-    const fileStat = await stat(auditPath);
-    fileSize = fileStat.size;
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") {
-      return [];
-    }
-    throw error;
-  }
-  const cursor = contextCache.getAuditCursor(projectRoot);
-  const startOffset = cursor !== void 0 && cursor.offset <= fileSize ? cursor.offset : 0;
-  const priorRemainder = startOffset > 0 && cursor !== void 0 ? cursor.remainder : "";
-  const priorWindowEntries = startOffset > 0 && cursor !== void 0 ? cursor.windowEntries : [];
-  const effectiveStart = cursor !== void 0 && cursor.offset > fileSize ? 0 : startOffset;
-  let newEntries = [];
-  if (fileSize > effectiveStart) {
-    const length = fileSize - effectiveStart;
-    let chunk;
-    try {
-      const handle = await open(auditPath, "r");
-      try {
-        const buffer = Buffer.alloc(length);
-        await handle.read(buffer, 0, length, effectiveStart);
-        chunk = `${priorRemainder}${buffer.toString("utf8")}`;
-      } finally {
-        await handle.close();
-      }
-    } catch (error) {
-      contextCache.resetAuditCursor(projectRoot);
-      return (await readAuditLogFull(projectRoot)).filter((entry) => ts - entry.ts <= windowMs && entry.ts <= ts);
-    }
-    const lines = chunk.split(/\r?\n/);
-    const remainder = chunk.endsWith("\n") ? "" : lines.pop() ?? "";
-    const windowEntries = [...priorWindowEntries, ...parseAuditLogText(lines.join("\n"))].filter(
-      (entry) => ts - entry.ts <= windowMs && entry.ts <= ts
-    );
-    contextCache.setAuditCursor(projectRoot, { offset: fileSize, remainder, windowEntries });
-    newEntries = windowEntries;
-  } else {
-    const windowEntries = priorWindowEntries.filter((entry) => ts - entry.ts <= windowMs && entry.ts <= ts);
-    contextCache.setAuditCursor(projectRoot, {
-      offset: fileSize,
-      remainder: cursor?.remainder ?? "",
-      windowEntries
-    });
-    newEntries = windowEntries;
-  }
-  if (effectiveStart === 0 && cursor !== void 0 && cursor.offset > fileSize) {
-    return newEntries.filter((entry) => ts - entry.ts <= windowMs && entry.ts <= ts);
-  }
-  return newEntries;
-}
-function parseAuditLogText(raw) {
-  return raw.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).map(parseAuditLogLine).filter((entry) => entry !== null);
-}
-function findPrecedingGetRulesEvent(entries, path, ts, windowMs) {
-  let matched = null;
-  for (const entry of entries) {
-    if (entry.path !== path) {
-      continue;
-    }
-    if (entry.ts > ts) {
-      continue;
-    }
-    if (ts - entry.ts > windowMs) {
-      continue;
-    }
-    if (matched === null || entry.ts > matched.ts) {
-      matched = entry;
-    }
-  }
-  return matched;
-}
-function normalizeAuditPath(projectRoot, value) {
-  const normalizedProjectRoot = resolve2(projectRoot);
-  const candidate = isAbsolute(value) ? resolve2(value) : resolve2(normalizedProjectRoot, value);
-  const relativePath = relative(normalizedProjectRoot, candidate);
-  if (relativePath.length > 0 && relativePath !== "." && !relativePath.startsWith("..") && !isAbsolute(relativePath)) {
-    return posix.normalize(relativePath.split("\\").join("/"));
-  }
-  return posix.normalize(value.replaceAll("\\", "/"));
-}
-function isGetRulesAuditEntry(entry) {
-  return entry.event === "get_rules";
-}
-async function appendAuditLogEntries(projectRoot, entries) {
-  const auditPath = join4(projectRoot, AUDIT_LOG_FILE);
-  const auditDir = join4(projectRoot, FABRIC_DIR);
-  await mkdir2(auditDir, { recursive: true });
-  await appendFile(auditPath, `${entries.map((entry) => JSON.stringify(entry)).join("\n")}
-`, "utf8");
-}
-function parseAuditLogLine(line) {
-  try {
-    const parsed = JSON.parse(line);
-    if (parsed.kind !== "audit-event" || typeof parsed.ts !== "number" || typeof parsed.path !== "string") {
-      return null;
-    }
-    if (parsed.event === "get_rules") {
-      return {
-        kind: "audit-event",
-        event: "get_rules",
-        ts: parsed.ts,
-        path: parsed.path,
-        client_hash: typeof parsed.client_hash === "string" ? parsed.client_hash : void 0
-      };
-    }
-    if (parsed.event === "edit_intent" && typeof parsed.compliant === "boolean" && typeof parsed.intent === "string" && typeof parsed.ledger_entry_id === "string" && (typeof parsed.matched_get_rules_ts === "number" || parsed.matched_get_rules_ts === null) && typeof parsed.window_ms === "number") {
-      return {
-        kind: "audit-event",
-        event: "edit_intent",
-        ts: parsed.ts,
-        path: parsed.path,
-        compliant: parsed.compliant,
-        intent: parsed.intent,
-        ledger_entry_id: parsed.ledger_entry_id,
-        matched_get_rules_ts: parsed.matched_get_rules_ts,
-        window_ms: parsed.window_ms
-      };
-    }
-    if (parsed.event === "rule_selection" && typeof parsed.selection_token === "string" && Array.isArray(parsed.target_paths) && Array.isArray(parsed.required_stable_ids) && Array.isArray(parsed.ai_selectable_stable_ids) && Array.isArray(parsed.ai_selected_stable_ids) && Array.isArray(parsed.final_stable_ids) && isStringRecord(parsed.ai_selection_reasons) && Array.isArray(parsed.rejected_stable_ids) && Array.isArray(parsed.ignored_stable_ids)) {
-      return {
-        kind: "audit-event",
-        event: "rule_selection",
-        ts: parsed.ts,
-        path: parsed.path,
-        selection_token: parsed.selection_token,
-        target_paths: parsed.target_paths.filter(isString),
-        required_stable_ids: parsed.required_stable_ids.filter(isString),
-        ai_selectable_stable_ids: parsed.ai_selectable_stable_ids.filter(isString),
-        ai_selected_stable_ids: parsed.ai_selected_stable_ids.filter(isString),
-        final_stable_ids: parsed.final_stable_ids.filter(isString),
-        ai_selection_reasons: parsed.ai_selection_reasons,
-        rejected_stable_ids: parsed.rejected_stable_ids.filter(isString),
-        ignored_stable_ids: parsed.ignored_stable_ids.filter(isString)
-      };
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-function isString(value) {
-  return typeof value === "string";
-}
-function isStringRecord(value) {
-  if (typeof value !== "object" || value === null || Array.isArray(value)) {
-    return false;
-  }
-  return Object.values(value).every((entry) => typeof entry === "string");
-}
-
-// src/services/read-ledger.ts
-import { randomUUID } from "crypto";
-import { access, appendFile as appendFile2, copyFile, readFile as readFile3, rm } from "fs/promises";
-import { ledgerEntrySchema } from "@fenglimg/fabric-shared";
-async function resolveLedgerPaths(projectRoot) {
-  const primaryPath = getLedgerPath(projectRoot);
-  const legacyPath = getLegacyLedgerPath(projectRoot);
-  const [primaryExists, legacyExists] = await Promise.all([
-    pathExists(primaryPath),
-    pathExists(legacyPath)
-  ]);
-  return {
-    primaryPath,
-    legacyPath,
-    readPath: primaryExists ? primaryPath : legacyPath,
-    usingLegacy: !primaryExists && legacyExists
-  };
-}
-async function readLedger(projectRoot, options = {}) {
-  const { readPath } = await resolveLedgerPaths(projectRoot);
-  let raw;
-  try {
-    raw = await readFile3(readPath, "utf8");
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") {
-      return [];
-    }
-    throw error;
-  }
-  return raw.split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0).map((line, index) => parseLedgerLine(line, index)).filter((entry) => entry !== null).filter((entry) => options.source === void 0 || entry.source === options.source).filter((entry) => options.since === void 0 || entry.ts >= options.since);
-}
-async function appendLedgerEntry(projectRoot, entry) {
-  const ledgerPath = getLedgerPath(projectRoot);
-  const nextEntry = ledgerEntrySchema.parse({
-    ...entry,
-    id: entry.id ?? `ledger:${randomUUID()}`
-  });
-  await ensureParentDirectory(ledgerPath);
-  await appendFile2(ledgerPath, `${JSON.stringify(nextEntry)}
-`, "utf8");
-  return nextEntry;
-}
-async function migrateLegacyLedger(projectRoot) {
-  const { primaryPath, legacyPath } = await resolveLedgerPaths(projectRoot);
-  const [primaryExists, legacyExists] = await Promise.all([
-    pathExists(primaryPath),
-    pathExists(legacyPath)
-  ]);
-  if (!legacyExists) {
-    return {
-      migrated: false,
-      from: null,
-      to: primaryPath
-    };
-  }
-  if (!primaryExists) {
-    await ensureParentDirectory(primaryPath);
-    await copyFile(legacyPath, primaryPath);
-  }
-  await rm(legacyPath, { force: true });
-  return {
-    migrated: true,
-    from: legacyPath,
-    to: primaryPath
-  };
-}
-function parseLedgerLine(line, index) {
-  try {
-    const parsed = JSON.parse(line);
-    if (parsed.kind === "mcp-event") {
-      return null;
-    }
-    const result = ledgerEntrySchema.safeParse(parsed);
-    if (!result.success) {
-      return null;
-    }
-    return {
-      ...result.data,
-      id: result.data.id ?? createDerivedId(index, line)
-    };
-  } catch {
-    return null;
-  }
-}
-function createDerivedId(index, line) {
-  return `ledger:${index + 1}:${sha256(line).slice("sha256:".length)}`;
-}
-async function pathExists(path) {
-  try {
-    await access(path);
-    return true;
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") {
-      return false;
-    }
-    throw error;
-  }
-}
-
-// src/services/doctor.ts
-var SCRIPT_EXTENSIONS = /* @__PURE__ */ new Set([".js", ".jsx", ".ts", ".tsx"]);
-var IGNORED_DIRECTORIES = /* @__PURE__ */ new Set([
-  ".fabric",
-  ".git",
-  ".next",
-  ".turbo",
-  "Library",
-  "Temp",
-  "build",
-  "coverage",
-  "dist",
-  "node_modules"
-]);
-var LEDGER_WARN_AFTER_MS = 3 * 24 * 60 * 60 * 1e3;
-var LEDGER_ERROR_AFTER_MS = 7 * 24 * 60 * 60 * 1e3;
-async function runDoctorReport(target) {
-  const projectRoot = normalizeTarget(target);
-  const framework = detectFramework(projectRoot);
-  const entryPoints = collectEntryPoints(projectRoot);
-  const [savedForensic, metaSnapshot, humanLockSnapshot, ledgerSnapshot, auditReport] = await Promise.all([
-    readSavedForensic(projectRoot),
-    inspectMetaRevision(projectRoot),
-    inspectHumanLock(projectRoot),
-    inspectLedger(projectRoot),
-    runDoctorAuditReport(projectRoot)
-  ]);
-  const checks = [
-    createForensicCheck(savedForensic, framework, entryPoints),
-    createFrameworkCheck(savedForensic, framework, entryPoints),
-    createMetaRevisionCheck(metaSnapshot),
-    createProtectedPathsCheck(humanLockSnapshot),
-    createLedgerCheck(ledgerSnapshot)
-  ];
-  if (!auditReport.skipped) {
-    checks.push(createAuditCheck(auditReport));
-  }
-  return {
-    status: reduceStatus(checks.map((check) => check.status)),
-    checks,
-    summary: {
-      target: projectRoot,
-      framework: {
-        kind: framework.kind,
-        version: framework.version,
-        subkind: framework.subkind
-      },
-      entryPoints,
-      driftCount: humanLockSnapshot.driftCount,
-      protectedPathCount: humanLockSnapshot.protectedPathCount,
-      protectedPathsIntact: humanLockSnapshot.present && humanLockSnapshot.driftCount === 0,
-      lastLedgerEntryTs: ledgerSnapshot.lastEntryTs,
-      lastLedgerEntryAgeMs: ledgerSnapshot.lastEntryAgeMs,
-      metaRevision: metaSnapshot.revision,
-      ledgerPath: ledgerSnapshot.primaryPath,
-      legacyLedgerPath: ledgerSnapshot.legacyPath,
-      legacyLedgerDetected: ledgerSnapshot.usingLegacy,
-      audit: auditReport.skipped ? null : {
-        enabled: true,
-        mode: auditReport.mode,
-        checkedPathCount: auditReport.checkedPathCount,
-        violationCount: auditReport.violationCount,
-        windowMs: auditReport.windowMs
-      }
-    },
-    audit: auditReport.skipped ? null : auditReport
-  };
-}
-async function runDoctorFix(target) {
-  const projectRoot = normalizeTarget(target);
-  const migration = await migrateLegacyLedger(projectRoot);
-  const report = await runDoctorReport(projectRoot);
-  return {
-    changed: migration.migrated,
-    migratedLedger: migration.migrated,
-    message: migration.migrated ? `Migrated legacy ledger from ${migration.from} to ${migration.to}.` : `No legacy ledger migration needed. Canonical ledger path: ${migration.to}.`,
-    report
-  };
-}
-async function runDoctorAuditReport(target, options = {}) {
-  const projectRoot = normalizeTarget(target);
-  const mode = options.mode ?? readDoctorAuditMode(projectRoot);
-  const windowMs = options.windowMs ?? DEFAULT_AUDIT_WINDOW_MS;
-  if (mode === "off" && options.force !== true) {
-    return {
-      mode,
-      skipped: true,
-      windowMs,
-      checkedPathCount: 0,
-      violationCount: 0,
-      violations: []
-    };
-  }
-  const [ledgerEntries, auditEntries] = await Promise.all([
-    readLedger(projectRoot, { source: "ai" }),
-    readAuditLog(projectRoot)
-  ]);
-  const ruleAccessEntries = auditEntries.filter(
-    (entry) => entry.event === "get_rules" || entry.event === "rule_selection"
-  );
-  const { checkedPathCount, violations } = collectAuditViolations(
-    projectRoot,
-    ledgerEntries,
-    ruleAccessEntries,
-    windowMs
-  );
-  return {
-    mode,
-    skipped: false,
-    windowMs,
-    checkedPathCount,
-    violationCount: violations.length,
-    violations
-  };
-}
-function createForensicCheck(forensic, framework, entryPoints) {
-  if (!forensic.present) {
-    return {
-      name: "Forensic snapshot",
-      status: "error",
-      message: `${forensic.reason} Live scan detects ${formatFramework(framework)} with ${entryPoints.length} entry point${entryPoints.length === 1 ? "" : "s"}.`
-    };
-  }
-  return {
-    name: "Forensic snapshot",
-    status: "ok",
-    message: `Loaded .fabric/forensic.json for ${formatFramework(forensic.report.framework)} with ${forensic.report.entry_points.length} recorded entry point${forensic.report.entry_points.length === 1 ? "" : "s"}.`
-  };
-}
-function createFrameworkCheck(forensic, framework, entryPoints) {
-  if (framework.kind === "unknown") {
-    return {
-      name: "Framework fingerprint",
-      status: "warn",
-      message: "Unable to identify the project framework from current files."
-    };
-  }
-  if (!forensic.present) {
-    return {
-      name: "Framework fingerprint",
-      status: "warn",
-      message: `Live detection sees ${formatFramework(framework)} and ${entryPoints.length} entry point${entryPoints.length === 1 ? "" : "s"}, but no forensic baseline exists yet.`
-    };
-  }
-  const matches = forensic.report.framework.kind === framework.kind && forensic.report.framework.version === framework.version && forensic.report.framework.subkind === framework.subkind;
-  if (!matches) {
-    return {
-      name: "Framework fingerprint",
-      status: "warn",
-      message: `Forensic baseline says ${formatFramework(forensic.report.framework)}; live scan says ${formatFramework(framework)}.`
-    };
-  }
-  return {
-    name: "Framework fingerprint",
-    status: "ok",
-    message: `Framework baseline matches live scan: ${formatFramework(framework)} \xB7 ${entryPoints.length} current entry point${entryPoints.length === 1 ? "" : "s"}.`
-  };
-}
-function createMetaRevisionCheck(snapshot) {
-  if (!snapshot.present) {
-    return {
-      name: "Meta revision",
-      status: "error",
-      message: snapshot.unexpectedError ?? "agents.meta.json is missing."
-    };
-  }
-  if (snapshot.driftCount > 0 || snapshot.missingFiles.length > 0) {
-    const parts = [
-      `${snapshot.driftCount} tracked AGENTS file drift`,
-      snapshot.missingFiles.length > 0 ? `${snapshot.missingFiles.length} missing tracked file` : null
-    ].filter((part) => part !== null);
-    return {
-      name: "Meta revision",
-      status: "error",
-      message: `agents.meta.json revision ${snapshot.revision} is stale: ${parts.join(" \xB7 ")}.`
-    };
-  }
-  if (snapshot.derivedIdentityFiles.length > 0) {
-    const [firstFile] = snapshot.derivedIdentityFiles;
-    const suffix = snapshot.derivedIdentityFiles.length > 1 ? ` (+${snapshot.derivedIdentityFiles.length - 1} more)` : "";
-    return {
-      name: "Meta revision",
-      status: "warn",
-      message: `agents.meta.json revision ${snapshot.revision} matches ${snapshot.nodeCount} tracked AGENTS files, but ${snapshot.derivedIdentityFiles.length} rule node${snapshot.derivedIdentityFiles.length === 1 ? "" : "s"} still use derived identities. Add \`<!-- fab:rule-id ... -->\` to the rule file header instead of editing meta directly (${firstFile}${suffix}).`
-    };
-  }
-  return {
-    name: "Meta revision",
-    status: "ok",
-    message: `agents.meta.json revision ${snapshot.revision} matches ${snapshot.nodeCount} tracked AGENTS file${snapshot.nodeCount === 1 ? "" : "s"}.`
-  };
-}
-function createProtectedPathsCheck(snapshot) {
-  if (!snapshot.present) {
-    return {
-      name: "Protected paths",
-      status: "warn",
-      message: snapshot.reason
-    };
-  }
-  if (snapshot.driftCount > 0) {
-    return {
-      name: "Protected paths",
-      status: "warn",
-      message: `${snapshot.driftCount} of ${snapshot.protectedPathCount} protected path${snapshot.protectedPathCount === 1 ? "" : "s"} drifted from approved hashes.`
-    };
-  }
-  return {
-    name: "Protected paths",
-    status: "ok",
-    message: `${snapshot.protectedPathCount} protected path${snapshot.protectedPathCount === 1 ? "" : "s"} intact with zero hash drift.`
-  };
-}
-function createLedgerCheck(snapshot) {
-  if (snapshot.usingLegacy) {
-    return {
-      name: "Intent ledger",
-      status: "warn",
-      message: `Legacy ledger path detected at ${snapshot.legacyPath}. Fabric now reads ${snapshot.primaryPath} by default; run fab doctor --fix to migrate.`
-    };
-  }
-  if (snapshot.lastEntryTs === null || snapshot.lastEntryAgeMs === null) {
-    return {
-      name: "Intent ledger",
-      status: "warn",
-      message: "No ledger entries recorded yet."
-    };
-  }
-  if (snapshot.lastEntryAgeMs >= LEDGER_ERROR_AFTER_MS) {
-    return {
-      name: "Intent ledger",
-      status: "error",
-      message: `Last ledger entry is ${formatAge(snapshot.lastEntryAgeMs)} old (${new Date(snapshot.lastEntryTs).toISOString()}).`
-    };
-  }
-  if (snapshot.lastEntryAgeMs >= LEDGER_WARN_AFTER_MS) {
-    return {
-      name: "Intent ledger",
-      status: "warn",
-      message: `Last ledger entry is ${formatAge(snapshot.lastEntryAgeMs)} old (${new Date(snapshot.lastEntryTs).toISOString()}).`
-    };
-  }
-  return {
-    name: "Intent ledger",
-    status: "ok",
-    message: `Last ledger entry is ${formatAge(snapshot.lastEntryAgeMs)} old (${snapshot.count} total entr${snapshot.count === 1 ? "y" : "ies"}).`
-  };
-}
-function createAuditCheck(report) {
-  if (report.checkedPathCount === 0) {
-    return {
-      name: "Rules fetch audit",
-      status: "warn",
-      message: "No AI edit intents recorded yet for compliance audit."
-    };
-  }
-  if (report.violationCount > 0) {
-    return {
-      name: "Rules fetch audit",
-      status: report.mode === "strict" ? "error" : "warn",
-      message: `${report.violationCount} edit path${report.violationCount === 1 ? "" : "s"} lack a preceding rule_selection or get_rules event within ${formatDuration(report.windowMs)}.`
-    };
-  }
-  return {
-    name: "Rules fetch audit",
-    status: "ok",
-    message: `All ${report.checkedPathCount} audited edit path${report.checkedPathCount === 1 ? "" : "s"} have a preceding rule_selection or get_rules event within ${formatDuration(report.windowMs)}.`
-  };
-}
-async function readSavedForensic(projectRoot) {
-  const forensicPath = join5(projectRoot, ".fabric", "forensic.json");
-  try {
-    const raw = await readFile4(forensicPath, "utf8");
-    const parsed = forensicReportSchema.safeParse(JSON.parse(raw));
-    if (!parsed.success) {
-      return {
-        present: false,
-        reason: "forensic.json is invalid."
-      };
-    }
-    return {
-      present: true,
-      report: parsed.data
-    };
-  } catch (error) {
-    if (isMissingFileError(error)) {
-      return {
-        present: false,
-        reason: ".fabric/forensic.json is missing."
-      };
-    }
-    return {
-      present: false,
-      reason: error instanceof Error ? error.message : String(error)
-    };
-  }
-}
-async function inspectMetaRevision(projectRoot) {
-  try {
-    const meta = await readAgentsMeta(projectRoot);
-    const entries = Object.entries(meta.nodes).sort(([left], [right]) => left.localeCompare(right));
-    const missingFiles = [];
-    const derivedIdentityFiles = [];
-    let driftCount = 0;
-    const revisionSource = entries.map(([id, node]) => {
-      const absolutePath = join5(projectRoot, node.file);
-      if (!existsSync(absolutePath)) {
-        missingFiles.push(node.file);
-        driftCount += 1;
-        return "missing";
-      }
-      const actualHash = sha2562(readFileSync(absolutePath, "utf8"));
-      if (actualHash !== node.hash) {
-        driftCount += 1;
-      }
-      if (node.file !== ".fabric/bootstrap/README.md" && node.identity_source !== "declared") {
-        derivedIdentityFiles.push(node.file);
-      }
-      return [id, actualHash, node.stable_id ?? "", node.identity_source ?? ""].join("|");
-    }).join("\n");
-    const revision = sha2562(revisionSource);
-    return {
-      present: true,
-      revision: meta.revision,
-      nodeCount: entries.length,
-      driftCount: revision === meta.revision ? driftCount : Math.max(driftCount, 1),
-      missingFiles,
-      derivedIdentityFiles
-    };
-  } catch (error) {
-    return {
-      present: false,
-      revision: null,
-      nodeCount: 0,
-      driftCount: 0,
-      missingFiles: [],
-      derivedIdentityFiles: [],
-      unexpectedError: error instanceof Error ? error.message : String(error)
-    };
-  }
-}
-async function inspectHumanLock(projectRoot) {
-  try {
-    const entries = await readHumanLock(projectRoot);
-    return {
-      present: true,
-      driftCount: entries.filter((entry) => entry.drift).length,
-      protectedPathCount: entries.length
-    };
-  } catch (error) {
-    if (isMissingFileError(error)) {
-      return {
-        present: false,
-        driftCount: 0,
-        protectedPathCount: 0,
-        reason: ".fabric/human-lock.json is missing; no protected paths are being tracked."
-      };
-    }
-    return {
-      present: false,
-      driftCount: 0,
-      protectedPathCount: 0,
-      reason: error instanceof Error ? error.message : String(error)
-    };
-  }
-}
-async function inspectLedger(projectRoot) {
-  const paths = await resolveLedgerPaths(projectRoot);
-  const entries = await readLedger(projectRoot);
-  const lastEntry = entries.reduce(
-    (latest, entry) => latest === null || entry.ts > latest ? entry.ts : latest,
-    null
-  );
-  return {
-    count: entries.length,
-    lastEntryTs: lastEntry,
-    lastEntryAgeMs: lastEntry === null ? null : Math.max(Date.now() - lastEntry, 0),
-    primaryPath: paths.primaryPath,
-    legacyPath: paths.legacyPath,
-    usingLegacy: paths.usingLegacy
-  };
-}
-function collectAuditViolations(projectRoot, ledgerEntries, ruleAccessEntries, windowMs) {
-  let checkedPathCount = 0;
-  const violations = [];
-  for (const entry of ledgerEntries) {
-    for (const affectedPath of entry.affected_paths) {
-      const normalizedPath = normalizeAuditPath(projectRoot, affectedPath);
-      const matched = findPrecedingRuleAccessEvent(ruleAccessEntries, normalizedPath, entry.ts, windowMs);
-      checkedPathCount += 1;
-      if (matched !== null) {
-        continue;
-      }
-      violations.push({
-        editTs: entry.ts,
-        entryId: entry.id,
-        intent: entry.intent,
-        lastRuleAccessTs: findLatestRuleAccessTs(ruleAccessEntries, normalizedPath, entry.ts),
-        path: normalizedPath
-      });
-    }
-  }
-  return {
-    checkedPathCount,
-    violations
-  };
-}
-function findPrecedingRuleAccessEvent(entries, path, ts, windowMs) {
-  const getRulesMatch = findPrecedingGetRulesEvent(entries.filter(isGetRulesAuditEntry2), path, ts, windowMs);
-  const ruleSelectionMatch = findPrecedingRuleSelectionEvent(entries.filter(isRuleSelectionAuditEntry), path, ts, windowMs);
-  if (getRulesMatch === null) {
-    return ruleSelectionMatch;
-  }
-  if (ruleSelectionMatch === null) {
-    return getRulesMatch;
-  }
-  return getRulesMatch.ts >= ruleSelectionMatch.ts ? getRulesMatch : ruleSelectionMatch;
-}
-function findPrecedingRuleSelectionEvent(entries, path, ts, windowMs) {
-  let matched = null;
-  for (const entry of entries) {
-    if (!entry.target_paths.includes(path) && entry.path !== path) {
-      continue;
-    }
-    if (entry.ts > ts || ts - entry.ts > windowMs) {
-      continue;
-    }
-    if (matched === null || entry.ts > matched.ts) {
-      matched = entry;
-    }
-  }
-  return matched;
-}
-function findLatestRuleAccessTs(entries, path, ts) {
-  let latest = null;
-  for (const entry of entries) {
-    const matchesPath = entry.event === "rule_selection" ? entry.path === path || entry.target_paths.includes(path) : entry.path === path;
-    if (!matchesPath || entry.ts > ts) {
-      continue;
-    }
-    latest = latest === null || entry.ts > latest ? entry.ts : latest;
-  }
-  return latest;
-}
-function isGetRulesAuditEntry2(entry) {
-  return entry.event === "get_rules";
-}
-function isRuleSelectionAuditEntry(entry) {
-  return entry.event === "rule_selection";
-}
-function readDoctorAuditMode(projectRoot) {
-  const configPath = join5(projectRoot, "fabric.config.json");
-  try {
-    const parsed = JSON.parse(readFileSync(configPath, "utf8"));
-    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
-      return "off";
-    }
-    const configuredMode = readAuditModeValue(parsed.auditMode) ?? readAuditModeValue(parsed.audit_mode);
-    return configuredMode ?? "off";
-  } catch (error) {
-    if (isMissingFileError(error)) {
-      return "off";
-    }
-    return "off";
-  }
-}
-function normalizeTarget(targetInput) {
-  return isAbsolute2(targetInput) ? targetInput : resolve3(process.cwd(), targetInput);
-}
-function collectEntryPoints(root) {
-  if (!existsSync(root) || !statSync(root).isDirectory()) {
-    return [];
-  }
-  const entries = [];
-  const stack = [root];
-  while (stack.length > 0) {
-    const current = stack.pop();
-    if (current === void 0) {
-      continue;
-    }
-    for (const entry of readdirSync(current, { withFileTypes: true })) {
-      const absolutePath = join5(current, entry.name);
-      const relativePath = posix2.normalize(absolutePath.slice(root.length + 1).split("\\").join("/"));
-      if (relativePath.length === 0) {
-        continue;
-      }
-      if (entry.isDirectory()) {
-        if (IGNORED_DIRECTORIES.has(entry.name)) {
-          continue;
-        }
-        stack.push(absolutePath);
-        continue;
-      }
-      if (!entry.isFile()) {
-        continue;
-      }
-      const reason = getEntryPointReason(relativePath);
-      if (reason !== null) {
-        entries.push({
-          path: relativePath,
-          reason
-        });
-      }
-    }
-  }
-  return entries.sort((left, right) => left.path.localeCompare(right.path));
-}
-function getEntryPointReason(relativePath) {
-  const extension = relativePath.slice(relativePath.lastIndexOf("."));
-  if (!SCRIPT_EXTENSIONS.has(extension)) {
-    return null;
-  }
-  const directory = posix2.dirname(relativePath);
-  const fileName = posix2.basename(relativePath);
-  const fileBase = fileName.slice(0, Math.max(fileName.lastIndexOf("."), 0));
-  if (directory === "assets/scripts" || directory === "scripts") {
-    return "top-level script";
-  }
-  if (directory === "src" && /^(App|app|index|main)$/.test(fileBase)) {
-    return "application entry";
-  }
-  if ((directory === "app" || directory.startsWith("app/")) && /^(layout|page|route)$/.test(fileBase)) {
-    return "next app route";
-  }
-  if ((directory === "pages" || directory.startsWith("pages/")) && fileName !== "_app.d.ts") {
-    return "next page route";
-  }
-  return null;
-}
-function reduceStatus(statuses) {
-  if (statuses.includes("error")) {
-    return "error";
-  }
-  if (statuses.includes("warn")) {
-    return "warn";
-  }
-  return "ok";
-}
-function formatFramework(framework) {
-  const pieces = [framework.kind, framework.version !== "unknown" ? framework.version : null, framework.subkind].filter((piece) => piece !== null && piece !== "unknown");
-  return pieces.length > 0 ? pieces.join(" \xB7 ") : "unknown";
-}
-function formatAge(ageMs) {
-  const seconds = Math.floor(ageMs / 1e3);
-  if (seconds < 60) {
-    return `${seconds}s`;
-  }
-  const minutes = Math.floor(seconds / 60);
-  if (minutes < 60) {
-    return `${minutes}m`;
-  }
-  const hours = Math.floor(minutes / 60);
-  if (hours < 48) {
-    return `${hours}h`;
-  }
-  const days = Math.floor(hours / 24);
-  if (days < 14) {
-    return `${days}d`;
-  }
-  return `${Math.floor(days / 7)}w`;
-}
-function formatDuration(durationMs) {
-  const minutes = Math.floor(durationMs / (60 * 1e3));
-  if (minutes < 1) {
-    return `${Math.max(Math.floor(durationMs / 1e3), 1)}s`;
-  }
-  if (minutes < 60) {
-    return `${minutes}m`;
-  }
-  const hours = Math.floor(minutes / 60);
-  if (hours < 24) {
-    return `${hours}h`;
-  }
-  return `${Math.floor(hours / 24)}d`;
-}
-function readAuditModeValue(value) {
-  if (value === "strict" || value === "warn" || value === "off") {
-    return value;
-  }
-  return null;
-}
-function sha2562(content) {
-  return `sha256:${createHash2("sha256").update(content).digest("hex")}`;
-}
-function isMissingFileError(error) {
-  return error instanceof Error && "code" in error && error.code === "ENOENT";
-}
-
-// src/services/approve-human-lock.ts
-async function approveHumanLock(projectRoot, input) {
-  assertPathWithinProjectRoot(projectRoot, input.file);
-  const document = await readHumanLockDocument(projectRoot);
-  const index = document.locked.findIndex(
-    (entry) => entry.file === input.file && entry.start_line === input.start_line && entry.end_line === input.end_line
-  );
-  if (index === -1) {
-    throw new Error(`Cannot find human lock entry: ${input.file}:${input.start_line}-${input.end_line}`);
-  }
-  const currentEntry = document.locked[index];
-  if (currentEntry === void 0) {
-    throw new Error(`Cannot find human lock entry: ${input.file}:${input.start_line}-${input.end_line}`);
-  }
-  const nextEntry = {
-    ...currentEntry,
-    hash: input.new_hash
-  };
-  if (currentEntry.hash === input.new_hash) {
-    const currentHash2 = await hashHumanLockedContent(projectRoot, nextEntry);
-    return {
-      updated: false,
-      entry: {
-        ...nextEntry,
-        drift: currentHash2 !== nextEntry.hash,
-        current_hash: currentHash2
-      }
-    };
-  }
-  const nextLocked = document.locked.slice();
-  nextLocked[index] = nextEntry;
-  const nextRawObject = {
-    ...document.rawObject,
-    locked: nextLocked
-  };
-  await atomicWriteText(document.path, `${JSON.stringify(nextRawObject, null, 2)}
-`);
-  const currentHash = await hashHumanLockedContent(projectRoot, nextEntry);
-  const ledgerEntry = await appendLedgerEntry(projectRoot, createApproveLedgerEntry(input));
-  return {
-    updated: true,
-    entry: {
-      ...nextEntry,
-      drift: currentHash !== nextEntry.hash,
-      current_hash: currentHash
-    },
-    ledger_entry: ledgerEntry
-  };
-}
-function createApproveLedgerEntry(input) {
-  return {
-    ts: Date.now(),
-    source: "human",
-    parent_sha: "human-lock:approve",
-    intent: `approve human lock ${input.file}:${input.start_line}-${input.end_line}`,
-    affected_paths: [input.file, ".fabric/human-lock.json"],
-    diff_stat: `updated approved hash to ${input.new_hash}`
-  };
-}
-
-// src/services/get-rules.ts
-import { readFile as readFile5 } from "fs/promises";
-import { join as join6 } from "path";
-import { minimatch } from "minimatch";
-var PRIORITY_ORDER = {
-  high: 0,
-  medium: 1,
-  low: 2
-};
-async function getRules(projectRoot, input) {
-  const context = await loadGetRulesContext(projectRoot);
-  const stale = input.client_hash !== void 0 && input.client_hash !== context.meta.revision;
-  const rules = await resolveRulesForPath(projectRoot, context, input.path);
-  const result = {
-    revision_hash: context.meta.revision,
-    stale,
-    rules
-  };
-  try {
-    await appendGetRulesAuditEvent(projectRoot, {
-      path: input.path,
-      client_hash: input.client_hash
-    });
-  } catch {
-  }
-  return result;
-}
-async function loadGetRulesContext(projectRoot) {
-  const cached = contextCache.get("context", projectRoot);
-  if (cached !== void 0) {
-    return cached;
-  }
-  const meta = await readAgentsMeta(projectRoot);
-  const l0Content = await readFile5(join6(projectRoot, ".fabric", "bootstrap", "README.md"), "utf8");
-  const humanLockedNearby = (await readHumanLock(projectRoot)).map((entry) => ({
-    file: entry.file,
-    excerpt: JSON.stringify(entry)
-  }));
-  const context = {
-    meta,
-    l0Content,
-    humanLockedNearby
-  };
-  contextCache.set("context", projectRoot, context);
-  return context;
-}
-async function resolveRulesForPath(projectRoot, context, path, options = {}) {
-  const matchedNodes = matchRuleNodes(context.meta, path);
-  const loaded = await loadMatchedRules(projectRoot, matchedNodes);
-  return buildRulesPayload(context, loaded, options);
-}
-function normalizeRulesPath(value) {
-  return value.replaceAll("\\", "/");
-}
-function matchRuleNodes(meta, path) {
-  const requestedPath = normalizeRulesPath(path);
-  return Object.entries(meta.nodes).filter(([, node]) => shouldLoadNodeForPath(requestedPath, node)).sort((left, right) => {
-    const [leftId, leftNode] = left;
-    const [rightId, rightNode] = right;
-    const priorityDelta = PRIORITY_ORDER[leftNode.priority] - PRIORITY_ORDER[rightNode.priority];
-    return priorityDelta !== 0 ? priorityDelta : leftId.localeCompare(rightId);
-  }).map(([nodeId, node]) => ({
-    node_id: nodeId,
-    level: classifyNode(nodeId, node),
-    stable_id: node.stable_id ?? nodeId,
-    identity_source: node.identity_source ?? "derived",
-    node
-  }));
-}
-async function loadMatchedRules(projectRoot, matchedNodes, fileContentCache = /* @__PURE__ */ new Map()) {
-  const rules = [];
-  const stubs = [];
-  for (const matchedNode of matchedNodes) {
-    if (matchedNode.level === null) {
-      continue;
-    }
-    if (matchedNode.node.activation?.tier === "description") {
-      stubs.push({
-        stable_id: matchedNode.stable_id,
-        identity_source: matchedNode.identity_source,
-        level: matchedNode.level,
-        path: matchedNode.node.file,
-        description: matchedNode.node.activation.description ?? ""
-      });
-      continue;
-    }
-    rules.push({
-      level: matchedNode.level,
-      stable_id: matchedNode.stable_id,
-      identity_source: matchedNode.identity_source,
-      entry: {
-        path: matchedNode.node.file,
-        content: await readRuleContent(projectRoot, matchedNode.node.file, fileContentCache)
-      }
-    });
-  }
-  return { rules, stubs };
-}
-function buildRulesPayload(context, loaded, options = {}) {
-  const { L1, L2 } = partitionRulesByLevel(loaded.rules, options.dedupeByPath ?? false);
-  return {
-    L0: context.l0Content,
-    L1,
-    L2,
-    human_locked_nearby: context.humanLockedNearby,
-    description_stubs: loaded.stubs.length > 0 ? dedupeDescriptionStubsByPath(loaded.stubs).map(toDescriptionStub) : void 0
-  };
-}
-function classifyNode(nodeId, node) {
-  if (nodeId.startsWith("L1/")) {
-    return "L1";
-  }
-  if (nodeId.startsWith("L2/")) {
-    return "L2";
-  }
-  return node.layer === "L0" ? null : node.layer;
-}
-function partitionRulesByLevel(loadedRules, dedupeByPath) {
-  const l1 = [];
-  const l2 = [];
-  for (const rule of loadedRules) {
-    if (rule.level === "L1") {
-      l1.push(rule.entry);
-      continue;
-    }
-    if (rule.level === "L2") {
-      l2.push(rule.entry);
-    }
-  }
-  return {
-    L1: dedupeByPath ? dedupeEntriesByPath(l1) : l1,
-    L2: dedupeByPath ? dedupeEntriesByPath(l2) : l2
-  };
-}
-function dedupeEntriesByPath(entries) {
-  const seenPaths = /* @__PURE__ */ new Set();
-  return entries.filter((entry) => {
-    if (seenPaths.has(entry.path)) {
-      return false;
-    }
-    seenPaths.add(entry.path);
-    return true;
-  });
-}
-function shouldLoadNodeForPath(requestedPath, node) {
-  switch (node.activation?.tier) {
-    case "always":
-      return true;
-    case "description":
-      return true;
-    case "path":
-    case void 0:
-      return minimatch(requestedPath, normalizeRulesPath(node.scope_glob), { dot: true });
-  }
-}
-function dedupeDescriptionStubsByPath(stubs) {
-  const seenPaths = /* @__PURE__ */ new Set();
-  return stubs.filter((stub) => {
-    if (seenPaths.has(stub.path)) {
-      return false;
-    }
-    seenPaths.add(stub.path);
-    return true;
-  });
-}
-function toDescriptionStub(stub) {
-  return {
-    path: stub.path,
-    description: stub.description
-  };
-}
-async function readRuleContent(projectRoot, file, fileContentCache) {
-  const cached = fileContentCache.get(file);
-  if (cached !== void 0) {
-    return await cached;
-  }
-  const pending = readFile5(join6(projectRoot, file), "utf8");
-  fileContentCache.set(file, pending);
-  return await pending;
-}
-
-export {
-  AGENTS_MD_RESOURCE_URI,
-  contextCache,
-  AgentsMetaFileMissingError,
-  AgentsMetaInvalidError,
-  resolveProjectRoot,
-  readAgentsMeta,
-  FABRIC_DIR,
-  LEDGER_PATH,
-  LEGACY_LEDGER_PATH,
-  atomicWriteText,
-  getLedgerPath,
-  getLegacyLedgerPath,
-  ensureParentDirectory,
-  sha256,
-  appendRuleSelectionAuditEvent,
-  appendEditIntentAuditEvents,
-  resolveLedgerPaths,
-  readLedger,
-  appendLedgerEntry,
-  readHumanLock,
-  readHumanLockEntry,
-  getRules,
-  normalizeRulesPath,
-  runDoctorReport,
-  runDoctorFix,
-  runDoctorAuditReport,
-  approveHumanLock
-};