npm - @flowdesk/core - Versions diffs - 0.1.0 → 0.1.3 - Mend

@flowdesk/core 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/LICENSE +21 -0
package/README.md +44 -0
package/dist/authority-promotion.d.ts +70 -0
package/dist/authority-promotion.d.ts.map +1 -0
package/dist/authority-promotion.js +388 -0
package/dist/authority-promotion.js.map +1 -0
package/dist/chat-control-authority.d.ts +83 -0
package/dist/chat-control-authority.d.ts.map +1 -0
package/dist/chat-control-authority.js +238 -0
package/dist/chat-control-authority.js.map +1 -0
package/dist/chat-hook-authority-probe.d.ts +39 -0
package/dist/chat-hook-authority-probe.d.ts.map +1 -0
package/dist/chat-hook-authority-probe.js +153 -0
package/dist/chat-hook-authority-probe.js.map +1 -0
package/dist/chat-routing.d.ts.map +1 -1
package/dist/chat-routing.js +18 -15
package/dist/chat-routing.js.map +1 -1
package/dist/connector-gateway.d.ts +34 -0
package/dist/connector-gateway.d.ts.map +1 -0
package/dist/connector-gateway.js +147 -0
package/dist/connector-gateway.js.map +1 -0
package/dist/connector-profile.d.ts +41 -0
package/dist/connector-profile.d.ts.map +1 -0
package/dist/connector-profile.js +125 -0
package/dist/connector-profile.js.map +1 -0
package/dist/controlled-conformance-doc-write.d.ts +44 -0
package/dist/controlled-conformance-doc-write.d.ts.map +1 -0
package/dist/controlled-conformance-doc-write.js +142 -0
package/dist/controlled-conformance-doc-write.js.map +1 -0
package/dist/controlled-redacted-audit-export-write.d.ts +45 -0
package/dist/controlled-redacted-audit-export-write.d.ts.map +1 -0
package/dist/controlled-redacted-audit-export-write.js +145 -0
package/dist/controlled-redacted-audit-export-write.js.map +1 -0
package/dist/core-completion-safety-contracts.d.ts +35 -0
package/dist/core-completion-safety-contracts.d.ts.map +1 -0
package/dist/core-completion-safety-contracts.js +98 -0
package/dist/core-completion-safety-contracts.js.map +1 -0
package/dist/dispatch-attempt-manifest.d.ts +59 -0
package/dist/dispatch-attempt-manifest.d.ts.map +1 -0
package/dist/dispatch-attempt-manifest.js +294 -0
package/dist/dispatch-attempt-manifest.js.map +1 -0
package/dist/dispatch-idempotency.d.ts +89 -0
package/dist/dispatch-idempotency.d.ts.map +1 -0
package/dist/dispatch-idempotency.js +275 -0
package/dist/dispatch-idempotency.js.map +1 -0
package/dist/external-auth-policy.d.ts +49 -0
package/dist/external-auth-policy.d.ts.map +1 -0
package/dist/external-auth-policy.js +166 -0
package/dist/external-auth-policy.js.map +1 -0
package/dist/fake-remote-connector-adapter.d.ts +37 -0
package/dist/fake-remote-connector-adapter.d.ts.map +1 -0
package/dist/fake-remote-connector-adapter.js +162 -0
package/dist/fake-remote-connector-adapter.js.map +1 -0
package/dist/fallback-decision.d.ts +29 -0
package/dist/fallback-decision.d.ts.map +1 -0
package/dist/fallback-decision.js +93 -0
package/dist/fallback-decision.js.map +1 -0
package/dist/fallback-regate-plan.d.ts +34 -0
package/dist/fallback-regate-plan.d.ts.map +1 -0
package/dist/fallback-regate-plan.js +122 -0
package/dist/fallback-regate-plan.js.map +1 -0
package/dist/fds1-schema-probe-result.d.ts +37 -0
package/dist/fds1-schema-probe-result.d.ts.map +1 -0
package/dist/fds1-schema-probe-result.js +115 -0
package/dist/fds1-schema-probe-result.js.map +1 -0
package/dist/index.d.ts +25 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +25 -0
package/dist/index.js.map +1 -1
package/dist/lane-heartbeat.d.ts +49 -0
package/dist/lane-heartbeat.d.ts.map +1 -0
package/dist/lane-heartbeat.js +149 -0
package/dist/lane-heartbeat.js.map +1 -0
package/dist/lane-lifecycle-record.d.ts +32 -0
package/dist/lane-lifecycle-record.d.ts.map +1 -0
package/dist/lane-lifecycle-record.js +134 -0
package/dist/lane-lifecycle-record.js.map +1 -0
package/dist/lane-stall-projection.d.ts +43 -0
package/dist/lane-stall-projection.d.ts.map +1 -0
package/dist/lane-stall-projection.js +272 -0
package/dist/lane-stall-projection.js.map +1 -0
package/dist/model-availability-cache.d.ts +286 -0
package/dist/model-availability-cache.d.ts.map +1 -0
package/dist/model-availability-cache.js +1109 -0
package/dist/model-availability-cache.js.map +1 -0
package/dist/operational-intelligence.d.ts +38 -0
package/dist/operational-intelligence.d.ts.map +1 -0
package/dist/operational-intelligence.js +107 -0
package/dist/operational-intelligence.js.map +1 -0
package/dist/production-approval-source.d.ts +61 -0
package/dist/production-approval-source.d.ts.map +1 -0
package/dist/production-approval-source.js +226 -0
package/dist/production-approval-source.js.map +1 -0
package/dist/production-enablement.d.ts +92 -1
package/dist/production-enablement.d.ts.map +1 -1
package/dist/production-enablement.js +421 -8
package/dist/production-enablement.js.map +1 -1
package/dist/production-verification.d.ts +31 -0
package/dist/production-verification.d.ts.map +1 -0
package/dist/production-verification.js +126 -0
package/dist/production-verification.js.map +1 -0
package/dist/provider-usage-collector.d.ts +7 -0
package/dist/provider-usage-collector.d.ts.map +1 -1
package/dist/provider-usage-collector.js +64 -10
package/dist/provider-usage-collector.js.map +1 -1
package/dist/release1-contracts.d.ts +8 -2
package/dist/release1-contracts.d.ts.map +1 -1
package/dist/release1-contracts.js +2 -1
package/dist/release1-contracts.js.map +1 -1
package/dist/remote-write-connector-gate.d.ts +91 -0
package/dist/remote-write-connector-gate.d.ts.map +1 -0
package/dist/remote-write-connector-gate.js +291 -0
package/dist/remote-write-connector-gate.js.map +1 -0
package/dist/runtime-lane-productization.d.ts +78 -0
package/dist/runtime-lane-productization.d.ts.map +1 -0
package/dist/runtime-lane-productization.js +270 -0
package/dist/runtime-lane-productization.js.map +1 -0
package/dist/sanitized-auth-capture.d.ts +50 -0
package/dist/sanitized-auth-capture.d.ts.map +1 -0
package/dist/sanitized-auth-capture.js +164 -0
package/dist/sanitized-auth-capture.js.map +1 -0
package/dist/schema-artifacts.d.ts.map +1 -1
package/dist/schema-artifacts.js +37 -6
package/dist/schema-artifacts.js.map +1 -1
package/dist/schema-registry.d.ts.map +1 -1
package/dist/schema-registry.js +21 -0
package/dist/schema-registry.js.map +1 -1
package/dist/session-evidence.d.ts +117 -0
package/dist/session-evidence.d.ts.map +1 -1
package/dist/session-evidence.js +581 -1
package/dist/session-evidence.js.map +1 -1
package/dist/state-paths.d.ts +1 -1
package/dist/state-paths.d.ts.map +1 -1
package/dist/state-paths.js +56 -6
package/dist/state-paths.js.map +1 -1
package/dist/status.d.ts +7 -0
package/dist/status.d.ts.map +1 -1
package/dist/status.js +89 -1
package/dist/status.js.map +1 -1
package/dist/validators.d.ts +1 -0
package/dist/validators.d.ts.map +1 -1
package/dist/validators.js +30 -7
package/dist/validators.js.map +1 -1
package/package.json +11 -2

package/dist/session-evidence.js CHANGED Viewed

@@ -1,11 +1,45 @@
 import { existsSync, lstatSync, mkdirSync, readdirSync, readFileSync, renameSync, writeFileSync, } from "node:fs";
 import { dirname, resolve, sep } from "node:path";
+import { validateFlowDeskControlledConformanceDocWriteRecordV1 } from "./controlled-conformance-doc-write.js";
+import { validateFlowDeskControlledRedactedAuditExportWriteRecordV1 } from "./controlled-redacted-audit-export-write.js";
+import { validateFlowDeskDispatchIdempotencySnapshotV1 } from "./dispatch-idempotency.js";
+import { validateFlowDeskExternalAuthProviderPolicyResultV1 } from "./external-auth-policy.js";
+import { validateFlowDeskFallbackRegatePlanV1 } from "./fallback-regate-plan.js";
+import { validateFlowDeskLaneHeartbeatRecordV1 } from "./lane-heartbeat.js";
+import { validateFlowDeskLaneLifecycleRecordV1 } from "./lane-lifecycle-record.js";
+import { validateFlowDeskProductionApprovalDecisionV1 } from "./production-enablement.js";
+import { validateFlowDeskConfiguredVerificationResultV1 } from "./production-verification.js";
+import { validateFlowDeskSanitizedAuthCaptureResultV1 } from "./sanitized-auth-capture.js";
+import { materializeFlowDeskExactModelAvailabilityCacheFromProviderAcquisitionResultV1, planFlowDeskExactModelAvailabilityCacheRefreshV1, planFlowDeskReviewerFanoutV1, revalidateFlowDeskReviewerAssignmentsFromCacheEvidenceV1, validateFlowDeskExactModelAvailabilityCacheAcquisitionPlanV1, validateFlowDeskExactModelAvailabilityCacheProviderAcquisitionResultV1, validateFlowDeskExactModelAvailabilityCacheRefreshPlanV1, validateFlowDeskExactModelAvailabilityCacheV1, validateFlowDeskReviewerFanoutPlanV1, } from "./model-availability-cache.js";
+import { validateFlowDeskProductionApprovalSourceV1 } from "./production-approval-source.js";
+import { validateFlowDeskReviewerLaneConformanceObservationV1 } from "./reviewer-lane-conformance.js";
+import { planFlowDeskRuntimeLaneLaunchV1, validateFlowDeskRuntimeLaneLaunchPlanV1, } from "./runtime-lane-productization.js";
 import { FLOWDESK_SESSION_EVIDENCE_CLASSES, sessionEvidenceDirectoryPath, sessionEvidenceRecordPath, } from "./state-paths.js";
-import { invalid, valid, validateNoForbiddenRawPayloads, validateOpaqueId, validateOpaqueRef, } from "./validators.js";
+import { invalid, valid, validateNoForbiddenRawPayloads, validateOpaqueId, validateOpaqueRef, validateTopTierReviewVerdictV1, } from "./validators.js";
 const EVIDENCE_SCHEMA_BY_CLASS = {
     usage_authority: "flowdesk.managed_dispatch_beta.usage_authority_evidence.v1",
     runtime_echo: "flowdesk.managed_dispatch_beta.runtime_echo_evidence.v1",
     telemetry_correlation: "flowdesk.managed_dispatch_beta.telemetry_correlation.v1",
+    configured_verification: "flowdesk.configured_verification_result.v1",
+    sanitized_auth_capture: "flowdesk.sanitized_auth_capture_result.v1",
+    external_auth_provider_policy: "flowdesk.external_auth_provider_policy_result.v1",
+    production_approval: "flowdesk.production_approval_decision.v1",
+    production_approval_source: "flowdesk.production_approval_source.v1",
+    dispatch_idempotency: "flowdesk.dispatch_idempotency_snapshot.v1",
+    pre_dispatch_audit: "flowdesk.pre_dispatch_audit_record.v1",
+    exact_model_availability_cache: "flowdesk.exact_model_availability_cache.v1",
+    exact_model_availability_cache_refresh_plan: "flowdesk.exact_model_availability_cache_refresh_plan.v1",
+    exact_model_availability_cache_acquisition_plan: "flowdesk.exact_model_availability_cache_acquisition_plan.v1",
+    exact_model_availability_cache_provider_acquisition_result: "flowdesk.exact_model_availability_cache_provider_acquisition_result.v1",
+    reviewer_verdict: "flowdesk.top_tier_review_verdict.v1",
+    reviewer_fanout_plan: "flowdesk.reviewer_fanout_plan.v1",
+    runtime_lane_launch_plan: "flowdesk.runtime_lane_launch_plan.v1",
+    lane_lifecycle: "flowdesk.lane_lifecycle_record.v1",
+    reviewer_lane_conformance: "flowdesk.top_tier_reviewer_lane_conformance_observation.v1",
+    controlled_conformance_doc_write: "flowdesk.controlled_conformance_doc_write.v1",
+    controlled_redacted_audit_export_write: "flowdesk.controlled_redacted_audit_export_write.v1",
+    fallback_regate_plan: "flowdesk.fallback_regate_plan.v1",
+    lane_heartbeat: "flowdesk.lane_heartbeat.v1",
 };
 const CLASS_BY_SCHEMA = Object.fromEntries(Object.entries(EVIDENCE_SCHEMA_BY_CLASS).map(([cls, schema]) => [schema, cls]));
 const disabledEvidenceAuthority = {
@@ -17,6 +51,426 @@ const disabledEvidenceAuthority = {
 function isRecordObject(value) {
     return typeof value === "object" && value !== null && !Array.isArray(value);
 }
+function exactModelCacheRefreshPlanMatchesContext(plan, input) {
+    return plan.state === "cache_hit" &&
+        plan.cache_usable_for_assignment === true &&
+        plan.expected_local_date === input.localDate &&
+        plan.expected_active_profile_ref === input.activeProfileRef &&
+        plan.expected_opencode_version_ref === input.opencodeVersionRef &&
+        plan.expected_flowdesk_package_version_ref === input.flowdeskPackageVersionRef &&
+        plan.expected_registry_hash === input.registryHash &&
+        plan.expected_policy_pack_hash === input.policyPackHash &&
+        plan.expected_auth_account_boundary_ref === input.authAccountBoundaryRef;
+}
+function exactModelCacheMatchesRefreshPlan(cache, plan) {
+    return plan.cache_id === cache.cache_id &&
+        plan.cache_local_date === cache.local_date &&
+        plan.cache_active_profile_ref === cache.active_profile_ref &&
+        plan.cache_opencode_version_ref === cache.opencode_version_ref &&
+        plan.cache_flowdesk_package_version_ref === cache.flowdesk_package_version_ref &&
+        plan.cache_registry_hash === cache.registry_hash &&
+        plan.cache_policy_pack_hash === cache.policy_pack_hash &&
+        plan.cache_auth_account_boundary_ref === cache.auth_account_boundary_ref;
+}
+export function selectFlowDeskExactModelCacheEvidencePairV1(input) {
+    const errors = [...input.reloadedEvidence.errors];
+    const blockedLabels = [];
+    if (!input.reloadedEvidence.ok)
+        blockedLabels.push("session_evidence_reload_invalid");
+    const refreshPlans = input.reloadedEvidence.entries
+        .filter((entry) => entry.evidenceClass === "exact_model_availability_cache_refresh_plan")
+        .map((entry) => entry.record)
+        .filter((record) => validateFlowDeskExactModelAvailabilityCacheRefreshPlanV1(record).ok)
+        .map((record) => record)
+        .filter((plan) => exactModelCacheRefreshPlanMatchesContext(plan, input));
+    if (refreshPlans.length === 0)
+        blockedLabels.push("cache_refresh_pair_missing");
+    if (refreshPlans.length > 1)
+        blockedLabels.push("cache_refresh_pair_ambiguous");
+    const cacheRefreshPlan = refreshPlans.length === 1 ? refreshPlans[0] : undefined;
+    const caches = cacheRefreshPlan === undefined ? [] : input.reloadedEvidence.entries
+        .filter((entry) => entry.evidenceClass === "exact_model_availability_cache")
+        .map((entry) => entry.record)
+        .filter((record) => validateFlowDeskExactModelAvailabilityCacheV1(record).ok)
+        .map((record) => record)
+        .filter((cache) => exactModelCacheMatchesRefreshPlan(cache, cacheRefreshPlan));
+    if (cacheRefreshPlan !== undefined && caches.length === 0)
+        blockedLabels.push("cache_pair_missing");
+    if (caches.length > 1)
+        blockedLabels.push("cache_pair_ambiguous");
+    const cache = caches.length === 1 ? caches[0] : undefined;
+    const ready = blockedLabels.length === 0 && cache !== undefined && cacheRefreshPlan !== undefined;
+    return {
+        ok: ready && errors.length === 0,
+        errors,
+        state: ready ? "pair_ready" : "blocked",
+        blocked_labels: [...new Set(blockedLabels)],
+        ...(cache === undefined ? {} : { cache }),
+        ...(cacheRefreshPlan === undefined ? {} : { cacheRefreshPlan }),
+        ...disabledEvidenceAuthority,
+    };
+}
+function blockedReviewerAssignmentRevalidationFromSelection(input, selection) {
+    return {
+        schema_version: "flowdesk.reviewer_assignment_revalidation.v1",
+        ok: false,
+        errors: selection.errors,
+        state: "blocked",
+        blocked_labels: [...new Set(["cache_evidence_pair_selection_blocked", ...selection.blocked_labels])],
+        expected_local_date: input.localDate,
+        expected_active_profile_ref: input.activeProfileRef,
+        expected_opencode_version_ref: input.opencodeVersionRef,
+        expected_flowdesk_package_version_ref: input.flowdeskPackageVersionRef,
+        expected_registry_hash: input.registryHash,
+        expected_policy_pack_hash: input.policyPackHash,
+        expected_auth_account_boundary_ref: input.authAccountBoundaryRef,
+        eligible_bindings: [],
+        dispatch_authority_enabled: false,
+        providerCall: false,
+        actualLaneLaunch: false,
+        runtimeExecution: false,
+    };
+}
+export function planFlowDeskReviewerFanoutFromReloadedCacheEvidenceV1(input) {
+    const selection = selectFlowDeskExactModelCacheEvidencePairV1(input);
+    const revalidation = selection.state === "pair_ready" && selection.cache !== undefined && selection.cacheRefreshPlan !== undefined
+        ? revalidateFlowDeskReviewerAssignmentsFromCacheEvidenceV1({
+            cache: selection.cache,
+            cacheRefreshPlan: selection.cacheRefreshPlan,
+            localDate: input.localDate,
+            activeProfileRef: input.activeProfileRef,
+            opencodeVersionRef: input.opencodeVersionRef,
+            flowdeskPackageVersionRef: input.flowdeskPackageVersionRef,
+            registryHash: input.registryHash,
+            policyPackHash: input.policyPackHash,
+            authAccountBoundaryRef: input.authAccountBoundaryRef,
+        })
+        : blockedReviewerAssignmentRevalidationFromSelection(input, selection);
+    const fanoutPlan = planFlowDeskReviewerFanoutV1({
+        revalidation,
+        workflowId: input.workflowId,
+        attemptId: input.attemptId,
+        parentSessionRef: input.parentSessionRef,
+        agentRef: input.agentRef,
+        requestedAt: input.requestedAt,
+        requestedPerspectives: input.requestedPerspectives,
+        maxConcurrentLaneCount: input.maxConcurrentLaneCount,
+        timeoutMs: input.timeoutMs,
+        orphanMaxAgeMs: input.orphanMaxAgeMs,
+        retryBudget: input.retryBudget,
+        preLaunchAuditRef: input.preLaunchAuditRef,
+        laneLaunchApprovalRef: input.laneLaunchApprovalRef,
+    });
+    const ready = selection.state === "pair_ready" && revalidation.state === "revalidated" && fanoutPlan.state === "fanout_ready";
+    return {
+        ok: ready && selection.ok && revalidation.ok && fanoutPlan.ok,
+        errors: [...selection.errors, ...revalidation.errors, ...fanoutPlan.errors],
+        state: ready ? "fanout_ready" : "blocked",
+        blocked_labels: [...new Set([...selection.blocked_labels, ...revalidation.blocked_labels, ...fanoutPlan.blocked_labels])],
+        selection,
+        revalidation,
+        fanoutPlan,
+        dispatch_authority_enabled: false,
+        ...disabledEvidenceAuthority,
+    };
+}
+function sessionEvidenceAlreadyContainsId(reloadedEvidence, evidenceClass, evidenceId) {
+    return reloadedEvidence.entries.some((entry) => entry.evidenceClass === evidenceClass && entry.evidenceId === evidenceId) ||
+        reloadedEvidence.blocked.some((entry) => entry.evidenceClass === evidenceClass && entry.evidenceId === evidenceId);
+}
+function providerAcquisitionResultMatchesStrictContext(result, input) {
+    return result.local_date === input.localDate &&
+        result.active_profile_ref === input.activeProfileRef &&
+        result.opencode_version_ref === input.opencodeVersionRef &&
+        result.flowdesk_package_version_ref === input.flowdeskPackageVersionRef &&
+        result.registry_hash === input.registryHash &&
+        result.policy_pack_hash === input.policyPackHash &&
+        result.auth_account_boundary_ref === input.authAccountBoundaryRef;
+}
+function exactModelMaterializationExpectedContext(input) {
+    return {
+        localDate: input.localDate,
+        activeProfileRef: input.activeProfileRef,
+        opencodeVersionRef: input.opencodeVersionRef,
+        flowdeskPackageVersionRef: input.flowdeskPackageVersionRef,
+        registryHash: input.registryHash,
+        policyPackHash: input.policyPackHash,
+        authAccountBoundaryRef: input.authAccountBoundaryRef,
+    };
+}
+export function materializeFlowDeskExactModelCacheEvidenceFromProviderAcquisitionEvidenceV1(input) {
+    const errors = [...input.reloadedEvidence.errors];
+    const blockedLabels = [];
+    if (!input.reloadedEvidence.ok)
+        blockedLabels.push("session_evidence_reload_invalid");
+    if (sessionEvidenceAlreadyContainsId(input.reloadedEvidence, "exact_model_availability_cache", input.targetCacheEvidenceId))
+        blockedLabels.push("target_cache_evidence_duplicate");
+    if (sessionEvidenceAlreadyContainsId(input.reloadedEvidence, "exact_model_availability_cache_refresh_plan", input.targetCacheRefreshPlanEvidenceId))
+        blockedLabels.push("target_cache_refresh_evidence_duplicate");
+    const acquisitionEntries = input.reloadedEvidence.entries
+        .filter((entry) => entry.evidenceClass === "exact_model_availability_cache_provider_acquisition_result")
+        .filter((entry) => input.providerAcquisitionEvidenceId === undefined || entry.evidenceId === input.providerAcquisitionEvidenceId)
+        .map((entry) => ({
+        ...entry,
+        validation: validateFlowDeskExactModelAvailabilityCacheProviderAcquisitionResultV1(entry.record),
+    }))
+        .filter((entry) => entry.validation.ok)
+        .map((entry) => ({
+        ...entry,
+        record: entry.record,
+    }))
+        .filter((entry) => input.providerAcquisitionEvidenceId !== undefined || providerAcquisitionResultMatchesStrictContext(entry.record, input));
+    if (acquisitionEntries.length === 0)
+        blockedLabels.push("provider_acquisition_evidence_missing");
+    if (acquisitionEntries.length > 1)
+        blockedLabels.push("provider_acquisition_evidence_ambiguous");
+    const acquisition = acquisitionEntries.length === 1 ? acquisitionEntries[0].record : undefined;
+    const materialized = materializeFlowDeskExactModelAvailabilityCacheFromProviderAcquisitionResultV1({
+        providerAcquisitionResult: acquisition,
+        cacheId: input.cacheId,
+        entryId: input.entryId,
+        expectedContext: exactModelMaterializationExpectedContext(input),
+    });
+    if (!materialized.ok) {
+        errors.push(...materialized.errors);
+        blockedLabels.push(...materialized.blocked_labels);
+    }
+    const cache = materialized.cache;
+    const cacheRefreshPlan = cache === undefined ? undefined : planFlowDeskExactModelAvailabilityCacheRefreshV1({
+        cache,
+        localDate: input.localDate,
+        activeProfileRef: input.activeProfileRef,
+        opencodeVersionRef: input.opencodeVersionRef,
+        flowdeskPackageVersionRef: input.flowdeskPackageVersionRef,
+        registryHash: input.registryHash,
+        policyPackHash: input.policyPackHash,
+        authAccountBoundaryRef: input.authAccountBoundaryRef,
+    });
+    if (cacheRefreshPlan !== undefined) {
+        const refreshValidation = validateFlowDeskExactModelAvailabilityCacheRefreshPlanV1(cacheRefreshPlan);
+        if (!refreshValidation.ok) {
+            errors.push(...refreshValidation.errors.map((error) => `cache_refresh_plan: ${error}`));
+            blockedLabels.push("materialized_cache_refresh_plan_invalid");
+        }
+        if (cacheRefreshPlan.state !== "cache_hit")
+            blockedLabels.push("materialized_cache_refresh_not_cache_hit");
+    }
+    if (cache !== undefined) {
+        const existingRefreshPlans = input.reloadedEvidence.entries
+            .filter((entry) => entry.evidenceClass === "exact_model_availability_cache_refresh_plan")
+            .map((entry) => entry.record)
+            .filter((record) => validateFlowDeskExactModelAvailabilityCacheRefreshPlanV1(record).ok)
+            .map((record) => record)
+            .filter((plan) => exactModelCacheRefreshPlanMatchesContext(plan, input));
+        if (existingRefreshPlans.length > 0)
+            blockedLabels.push("cache_refresh_context_already_exists");
+        const existingCachesForPlannedRefresh = cacheRefreshPlan === undefined ? [] : input.reloadedEvidence.entries
+            .filter((entry) => entry.evidenceClass === "exact_model_availability_cache")
+            .map((entry) => entry.record)
+            .filter((record) => validateFlowDeskExactModelAvailabilityCacheV1(record).ok)
+            .map((record) => record)
+            .filter((existingCache) => exactModelCacheMatchesRefreshPlan(existingCache, cacheRefreshPlan));
+        if (existingCachesForPlannedRefresh.length > 0)
+            blockedLabels.push("cache_context_already_exists");
+    }
+    if (blockedLabels.length > 0 || cache === undefined || cacheRefreshPlan === undefined)
+        return {
+            ok: false,
+            errors,
+            state: "blocked",
+            blocked_labels: [...new Set(blockedLabels)],
+            ...(cache === undefined ? {} : { cache }),
+            ...(cacheRefreshPlan === undefined ? {} : { cacheRefreshPlan }),
+            writeIntents: [],
+            ...disabledEvidenceAuthority,
+        };
+    const cacheIntent = prepareFlowDeskSessionEvidenceWriteIntentV1({
+        workflowId: input.workflowId,
+        evidenceId: input.targetCacheEvidenceId,
+        record: cache,
+    });
+    const refreshIntent = prepareFlowDeskSessionEvidenceWriteIntentV1({
+        workflowId: input.workflowId,
+        evidenceId: input.targetCacheRefreshPlanEvidenceId,
+        record: cacheRefreshPlan,
+    });
+    if (!cacheIntent.ok || cacheIntent.writeIntent === undefined || !refreshIntent.ok || refreshIntent.writeIntent === undefined)
+        return {
+            ok: false,
+            errors: [...errors, ...cacheIntent.errors, ...refreshIntent.errors],
+            state: "blocked",
+            blocked_labels: [...new Set([...blockedLabels, "cache_materialization_write_intent_invalid"])],
+            cache,
+            cacheRefreshPlan,
+            writeIntents: [],
+            ...disabledEvidenceAuthority,
+        };
+    const writeIntents = [cacheIntent.writeIntent, refreshIntent.writeIntent];
+    if (input.rootDir === undefined)
+        return {
+            ok: true,
+            errors,
+            state: "materialized",
+            blocked_labels: [],
+            cache,
+            cacheRefreshPlan,
+            writeIntents,
+            ...disabledEvidenceAuthority,
+        };
+    const applyResult = applyFlowDeskSessionEvidenceWriteIntentsV1(input.rootDir, writeIntents);
+    if (!applyResult.ok)
+        return {
+            ok: false,
+            errors: [...errors, ...applyResult.errors],
+            state: "blocked",
+            blocked_labels: [...new Set([...blockedLabels, "cache_materialization_apply_failed"])],
+            cache,
+            cacheRefreshPlan,
+            writeIntents,
+            applyResult,
+            ...disabledEvidenceAuthority,
+        };
+    const reloadedEvidence = reloadFlowDeskSessionEvidenceV1({ workflowId: input.workflowId, rootDir: input.rootDir });
+    const selection = selectFlowDeskExactModelCacheEvidencePairV1({
+        reloadedEvidence,
+        localDate: input.localDate,
+        activeProfileRef: input.activeProfileRef,
+        opencodeVersionRef: input.opencodeVersionRef,
+        flowdeskPackageVersionRef: input.flowdeskPackageVersionRef,
+        registryHash: input.registryHash,
+        policyPackHash: input.policyPackHash,
+        authAccountBoundaryRef: input.authAccountBoundaryRef,
+    });
+    const ready = reloadedEvidence.ok && selection.state === "pair_ready";
+    return {
+        ok: ready,
+        errors: [...errors, ...reloadedEvidence.errors, ...selection.errors],
+        state: ready ? "materialized" : "blocked",
+        blocked_labels: ready ? [] : [...new Set([...blockedLabels, "cache_materialization_reload_verification_failed", ...selection.blocked_labels])],
+        cache,
+        cacheRefreshPlan,
+        writeIntents,
+        applyResult,
+        reloadedEvidence,
+        selection,
+        ...disabledEvidenceAuthority,
+    };
+}
+export function materializeFlowDeskRuntimeLaneLaunchPlansFromReviewerFanoutEvidenceV1(input) {
+    const errors = [...input.reloadedEvidence.errors];
+    const blockedLabels = [];
+    if (!input.reloadedEvidence.ok)
+        blockedLabels.push("session_evidence_reload_invalid");
+    const targetIds = input.targetLaunchPlanEvidenceIds;
+    if (targetIds.length === 0)
+        blockedLabels.push("target_launch_plan_ids_missing");
+    if (new Set(targetIds).size !== targetIds.length)
+        blockedLabels.push("target_launch_plan_ids_duplicate");
+    for (const targetId of targetIds) {
+        if (sessionEvidenceAlreadyContainsId(input.reloadedEvidence, "runtime_lane_launch_plan", targetId))
+            blockedLabels.push("target_runtime_launch_plan_evidence_duplicate");
+    }
+    const fanoutEntries = input.reloadedEvidence.entries
+        .filter((entry) => entry.evidenceClass === "reviewer_fanout_plan")
+        .filter((entry) => input.reviewerFanoutEvidenceId === undefined || entry.evidenceId === input.reviewerFanoutEvidenceId)
+        .map((entry) => ({ ...entry, validation: validateFlowDeskReviewerFanoutPlanV1(entry.record) }))
+        .filter((entry) => entry.validation.ok)
+        .map((entry) => ({ ...entry, record: entry.record }))
+        .filter((entry) => entry.record.workflow_id === input.workflowId);
+    if (fanoutEntries.length === 0)
+        blockedLabels.push("reviewer_fanout_evidence_missing");
+    if (fanoutEntries.length > 1)
+        blockedLabels.push("reviewer_fanout_evidence_ambiguous");
+    const fanoutPlan = fanoutEntries.length === 1 ? fanoutEntries[0].record : undefined;
+    if (fanoutPlan !== undefined && (fanoutPlan.state !== "fanout_ready" || !fanoutPlan.ok))
+        blockedLabels.push("reviewer_fanout_not_ready");
+    const launchRequests = fanoutPlan?.runtime_lane_launch_requests ?? [];
+    if (fanoutPlan !== undefined && targetIds.length !== launchRequests.length)
+        blockedLabels.push("target_launch_plan_count_mismatch");
+    const launchPlans = launchRequests.map((request) => planFlowDeskRuntimeLaneLaunchV1({
+        request,
+        sdkClientAvailable: input.sdkClientAvailable,
+        durableEvidenceRootRef: input.durableEvidenceRootRef,
+    }));
+    for (const [index, plan] of launchPlans.entries()) {
+        errors.push(...plan.errors.map((error) => `launch_plans[${index}]: ${error}`));
+        if (plan.state !== "launch_ready")
+            blockedLabels.push(...(plan.blocked_labels.length > 0 ? plan.blocked_labels : ["runtime_launch_plan_blocked"]));
+    }
+    if (blockedLabels.length > 0 || fanoutPlan === undefined || launchPlans.length === 0)
+        return {
+            ok: false,
+            errors,
+            state: "blocked",
+            blocked_labels: [...new Set(blockedLabels)],
+            ...(fanoutPlan === undefined ? {} : { fanoutPlan }),
+            launchPlans,
+            writeIntents: [],
+            ...disabledEvidenceAuthority,
+        };
+    const prepared = launchPlans.map((plan, index) => prepareFlowDeskSessionEvidenceWriteIntentV1({
+        workflowId: input.workflowId,
+        evidenceId: targetIds[index],
+        record: plan,
+    }));
+    const prepareErrors = prepared.flatMap((result) => result.errors);
+    const writeIntents = prepared
+        .map((result) => result.writeIntent)
+        .filter((intent) => intent !== undefined);
+    if (prepareErrors.length > 0 || writeIntents.length !== launchPlans.length)
+        return {
+            ok: false,
+            errors: [...errors, ...prepareErrors],
+            state: "blocked",
+            blocked_labels: ["runtime_launch_plan_write_intent_invalid"],
+            fanoutPlan,
+            launchPlans,
+            writeIntents: [],
+            ...disabledEvidenceAuthority,
+        };
+    if (input.rootDir === undefined)
+        return {
+            ok: true,
+            errors,
+            state: "materialized",
+            blocked_labels: [],
+            fanoutPlan,
+            launchPlans,
+            writeIntents,
+            ...disabledEvidenceAuthority,
+        };
+    const applyResult = applyFlowDeskSessionEvidenceWriteIntentsV1(input.rootDir, writeIntents);
+    if (!applyResult.ok)
+        return {
+            ok: false,
+            errors: [...errors, ...applyResult.errors],
+            state: "blocked",
+            blocked_labels: ["runtime_launch_plan_apply_failed"],
+            fanoutPlan,
+            launchPlans,
+            writeIntents,
+            applyResult,
+            ...disabledEvidenceAuthority,
+        };
+    const reloadedEvidence = reloadFlowDeskSessionEvidenceV1({ workflowId: input.workflowId, rootDir: input.rootDir });
+    const reloadedIds = new Set(reloadedEvidence.entries
+        .filter((entry) => entry.evidenceClass === "runtime_lane_launch_plan")
+        .map((entry) => entry.evidenceId));
+    const allReloaded = targetIds.every((targetId) => reloadedIds.has(targetId));
+    const ready = reloadedEvidence.ok && allReloaded;
+    return {
+        ok: ready,
+        errors: [...errors, ...reloadedEvidence.errors],
+        state: ready ? "materialized" : "blocked",
+        blocked_labels: ready ? [] : ["runtime_launch_plan_reload_verification_failed"],
+        fanoutPlan,
+        launchPlans,
+        writeIntents,
+        applyResult,
+        reloadedEvidence,
+        ...disabledEvidenceAuthority,
+    };
+}
 function validateSchemaVersionForClass(record, evidenceClass) {
     const expected = EVIDENCE_SCHEMA_BY_CLASS[evidenceClass];
     return record.schema_version === expected
@@ -27,12 +481,76 @@ function validateEvidenceShape(record, evidenceClass) {
     const schemaCheck = validateSchemaVersionForClass(record, evidenceClass);
     if (!schemaCheck.ok)
         return schemaCheck;
+    if (evidenceClass === "dispatch_idempotency")
+        return validateFlowDeskDispatchIdempotencySnapshotV1(record);
+    if (evidenceClass === "production_approval_source")
+        return validateFlowDeskProductionApprovalSourceV1(record);
+    if (evidenceClass === "reviewer_verdict")
+        return validateTopTierReviewVerdictV1(record);
+    if (evidenceClass === "exact_model_availability_cache")
+        return validateFlowDeskExactModelAvailabilityCacheV1(record);
+    if (evidenceClass === "exact_model_availability_cache_refresh_plan")
+        return validateFlowDeskExactModelAvailabilityCacheRefreshPlanV1(record);
+    if (evidenceClass === "exact_model_availability_cache_acquisition_plan")
+        return validateFlowDeskExactModelAvailabilityCacheAcquisitionPlanV1(record);
+    if (evidenceClass === "exact_model_availability_cache_provider_acquisition_result")
+        return validateFlowDeskExactModelAvailabilityCacheProviderAcquisitionResultV1(record);
+    if (evidenceClass === "reviewer_fanout_plan")
+        return validateFlowDeskReviewerFanoutPlanV1(record);
+    if (evidenceClass === "runtime_lane_launch_plan")
+        return validateFlowDeskRuntimeLaneLaunchPlanV1(record);
+    if (evidenceClass === "lane_lifecycle")
+        return validateFlowDeskLaneLifecycleRecordV1(record);
+    if (evidenceClass === "lane_heartbeat")
+        return validateFlowDeskLaneHeartbeatRecordV1(record);
+    if (evidenceClass === "reviewer_lane_conformance")
+        return validateFlowDeskReviewerLaneConformanceObservationV1(record);
+    if (evidenceClass === "controlled_conformance_doc_write")
+        return validateFlowDeskControlledConformanceDocWriteRecordV1(record);
+    if (evidenceClass === "controlled_redacted_audit_export_write")
+        return validateFlowDeskControlledRedactedAuditExportWriteRecordV1(record);
+    if (evidenceClass === "fallback_regate_plan")
+        return validateFlowDeskFallbackRegatePlanV1(record);
+    if (evidenceClass === "configured_verification")
+        return validateFlowDeskConfiguredVerificationResultV1(record);
+    if (evidenceClass === "sanitized_auth_capture")
+        return validateFlowDeskSanitizedAuthCaptureResultV1(record);
+    if (evidenceClass === "external_auth_provider_policy")
+        return validateFlowDeskExternalAuthProviderPolicyResultV1(record);
+    if (evidenceClass === "production_approval")
+        return validateFlowDeskProductionApprovalDecisionV1(record);
     const requiredCommon = ["schema_version"];
     for (const key of requiredCommon)
         if (!(key in record))
             return invalid(`evidence is missing required field: ${key}`);
     return validateNoForbiddenRawPayloads(record, "session_evidence_record");
 }
+function validateOptionalTimestampFreshness(record, rejectStaleAt) {
+    if (rejectStaleAt === undefined || !("expires_at" in record))
+        return valid();
+    const checkedAt = Date.parse(rejectStaleAt);
+    if (!Number.isFinite(checkedAt))
+        return invalid("rejectStaleAt must be a parseable timestamp");
+    if (typeof record.expires_at !== "string")
+        return invalid("evidence expires_at must be a timestamp string");
+    const expiresAt = Date.parse(record.expires_at);
+    if (!Number.isFinite(expiresAt))
+        return invalid("evidence expires_at must be parseable");
+    return expiresAt > checkedAt ? valid() : invalid("evidence is stale");
+}
+function validateOptionalProfileAlignment(record, expectedProfileRef) {
+    if (expectedProfileRef === undefined)
+        return valid();
+    const expected = validateOpaqueRef(expectedProfileRef, "expected_profile_ref");
+    if (!expected.ok)
+        return expected;
+    const profileRef = record.profile_ref ?? record.auth_profile_ref;
+    if (profileRef === undefined)
+        return valid();
+    return profileRef === expectedProfileRef
+        ? valid()
+        : invalid("evidence profile_ref mismatch");
+}
 function ensureWorkflowAlignment(record, workflowId) {
     if (!("workflow_id" in record))
         return valid();
@@ -147,6 +665,8 @@ export function applyFlowDeskSessionEvidenceWriteIntentsV1(rootDir, intents) {
     const writtenPaths = [];
     const root = resolve(rootDir);
     try {
+        const seenTargets = new Set();
+        const seenTemps = new Set();
         for (const intent of intents) {
             const intentResult = validateSessionEvidenceWriteIntent(intent);
             if (!intentResult.ok)
@@ -158,6 +678,20 @@ export function applyFlowDeskSessionEvidenceWriteIntentsV1(rootDir, intents) {
                 };
             const target = safeJoin(root, intent.path);
             const temp = safeJoin(root, intent.tempPath);
+            if (seenTargets.has(target))
+                return {
+                    ...invalid("session evidence batch contains duplicate target path"),
+                    rootDir: root,
+                    writtenPaths,
+                    ...disabledEvidenceAuthority,
+                };
+            if (seenTemps.has(temp))
+                return {
+                    ...invalid("session evidence batch contains duplicate temp path"),
+                    rootDir: root,
+                    writtenPaths,
+                    ...disabledEvidenceAuthority,
+                };
             if (dirname(target) !== dirname(temp))
                 return {
                     ...invalid("session evidence tempPath must stay beside target path"),
@@ -165,6 +699,12 @@ export function applyFlowDeskSessionEvidenceWriteIntentsV1(rootDir, intents) {
                     writtenPaths,
                     ...disabledEvidenceAuthority,
                 };
+            seenTargets.add(target);
+            seenTemps.add(temp);
+        }
+        for (const intent of intents) {
+            const target = safeJoin(root, intent.path);
+            const temp = safeJoin(root, intent.tempPath);
             mkdirSync(dirname(target), { recursive: true });
             writeFileSync(temp, JSON.stringify(intent.record), "utf8");
             renameSync(temp, target);
@@ -316,6 +856,26 @@ export function reloadFlowDeskSessionEvidenceV1(options) {
                 });
                 continue;
             }
+            const profileAlignment = validateOptionalProfileAlignment(parsed, options.expectedProfileRef);
+            if (!profileAlignment.ok) {
+                blocked.push({
+                    evidenceClass,
+                    evidenceId,
+                    reason: profileAlignment.errors.join("; "),
+                    path: expectedRelative,
+                });
+                continue;
+            }
+            const freshness = validateOptionalTimestampFreshness(parsed, options.rejectStaleAt);
+            if (!freshness.ok) {
+                blocked.push({
+                    evidenceClass,
+                    evidenceId,
+                    reason: freshness.errors.join("; "),
+                    path: expectedRelative,
+                });
+                continue;
+            }
             entries.push({
                 evidenceClass,
                 evidenceId,
@@ -333,4 +893,24 @@ export function reloadFlowDeskSessionEvidenceV1(options) {
     };
     return reloadResult;
 }
+export function summarizeFlowDeskSessionEvidenceInventoryV1(workflowId, reload) {
+    return {
+        schema_version: "flowdesk.session_evidence_inventory.v1",
+        workflow_id: workflowId,
+        total_entries: reload.entries.length,
+        total_blocked: reload.blocked.length,
+        classes: FLOWDESK_SESSION_EVIDENCE_CLASSES.map((evidenceClass) => {
+            const blocked = reload.blocked.filter((entry) => entry.evidenceClass === evidenceClass);
+            return {
+                evidenceClass,
+                valid: reload.entries.filter((entry) => entry.evidenceClass === evidenceClass).length,
+                blocked: blocked.length,
+                ...(blocked.length === 0
+                    ? {}
+                    : { lastBlockedReason: blocked[blocked.length - 1].reason }),
+            };
+        }),
+        ...disabledEvidenceAuthority,
+    };
+}
 //# sourceMappingURL=session-evidence.js.map