@fusionkit/ensemble 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,30 @@
+export { createCommandHarness } from "./command.js";
+export type { CommandHarnessOptions } from "./command.js";
+export { claudeCodeHarness, claudeCodeHarnessCredentialSkipReason, createClaudeCodeHarness } from "./claude-code.js";
+export type { ClaudeCodeHarnessEnv, ClaudeCodeHarnessOptions } from "./claude-code.js";
+export { codexConfigToml, codexHarnessCredentialSkipReason, codexHarness, createCodexHarness } from "./codex.js";
+export type { CodexAmbientProvider, CodexApprovalPolicy, CodexConfigTomlInput, CodexExecInput, CodexExecResult, CodexExecRunner, CodexHarnessEnv, CodexHarnessOptions, CodexOpenAiCompatibleProvider, CodexProvider, CodexResponsesProvider, CodexSandboxMode } from "./codex.js";
+export { createArtifactStore } from "./artifacts.js";
+export type { ArtifactStore } from "./artifacts.js";
+export { createHarnessCapabilityMatrix, harnessDashboard, runHarnessSmokeDashboard } from "./dashboard.js";
+export type { HarnessAdapterReadiness, HarnessAvailability, HarnessCapabilityMatrix, HarnessCapabilityMatrixRow, HarnessCapabilityTarget, HarnessLiveSmokeTarget, HarnessSmokeDashboard, HarnessSmokeDashboardOptions, HarnessSmokeOutcome, HarnessSmokePurpose, HarnessSmokeRecord } from "./dashboard.js";
+export { createMockJudgeSynthesizer } from "./judge.js";
+export type { JudgeCandidateEvidence, JudgeInput, JudgePatch, JudgeRepairInput, JudgeSynthesizer, JudgeSynthesisOutput, JudgeVerificationInput, MockJudgeSynthesizerOptions, SynthesisFailureSummary, SynthesisRepairAttempt, SynthesisVerificationResult } from "./judge.js";
+export { ensemble, runEnsemble } from "./run.js";
+export { createFusionKitJudgeSynthesizer, runFusionPanels, runUnifiedHarnessE2E } from "./unified.js";
+export type { CursorHarnessRunnerInput, CursorHarnessRunnerResult, FusionPanelOptions, UnifiedHarnessE2EOptions, UnifiedHarnessE2EResult, UnifiedHarnessKind, UnifiedHarnessMatrixResult } from "./unified.js";
+export { ambientTraceId, emitTrace, getTraceEmitter, newSpanId, newTraceId, TRACE_CANDIDATE_HEADER, TRACE_ID_HEADER, TRACE_PARENT_SPAN_HEADER, TRACE_SPAN_HEADER, TraceEmitter } from "./trace.js";
+export type { EmitInput, FusionTraceComponent, FusionTraceEvent, FusionTraceEventType } from "./trace.js";
+export { runJudgeSynthesis } from "./synthesis.js";
+export type { RunSynthesisInput, SynthesisResult } from "./synthesis.js";
+export { createMockHarness } from "./mock.js";
+export type { MockCandidateFixture, MockHarnessOptions } from "./mock.js";
+export { createToolExecutor, registerDemoTools, sideEffectsForTool } from "./tool-executor.js";
+export type { ToolExecutor, ToolImplementation } from "./tool-executor.js";
+export { executeFusionKitToolBatch, FusionKitToolExecutorClient, FusionKitToolExecutorClientError, FusionKitToolExecutorError, startFusionKitToolExecutorServer } from "./external-executor.js";
+export { createCliContainerDriver, runCandidateCommandWithIsolation, secretAbsenceMetadata, secretValueHash } from "./isolation.js";
+export type { FusionKitToolExecutionBatch, FusionKitToolExecutionRequest, FusionKitToolExecutionResponse, FusionKitToolExecutionResult, FusionKitToolExecutorServer, FusionKitToolExecutorServerOptions } from "./external-executor.js";
+export type { CandidateCommandIsolationInput, CandidateCommandIsolationResult } from "./isolation.js";
+export { cleanupCandidateWorktree, cleanupWorktreePlan, createWorktreePlan, defaultOutputRoot, diffCandidateWorktree, sealCandidateWorktree } from "./worktree.js";
+export type { CandidateWorktree, WorktreePlan } from "./worktree.js";
+export type { EnsembleCandidateSummary, EnsembleDescriptor, EnsembleJudge, EnsembleModel, EnsemblePolicy, EnsembleRunResult, EnsembleRuntime, CandidateContainerDriver, CandidateContainerDriverInput, CandidateContainerDriverResult, CandidateHardeningMetadata, CandidateIsolationConfig, CandidateIsolationKind, CandidateIsolationMountPolicy, CandidateIsolationNetworkPolicy, CandidateIsolationSecretPolicy, HarnessAdapter, HarnessArtifact, HarnessCapabilities, HarnessCandidateOutput, HarnessCollectInput, HarnessPrepareInput, HarnessRunInput, HarnessToolRecord, ReviewEvidence, EnsembleRunSummary, VerificationProfile } from "./harness.js";

package/dist/index.js

@@ -0,0 +1,15 @@
+export { createCommandHarness } from "./command.js";
+export { claudeCodeHarness, claudeCodeHarnessCredentialSkipReason, createClaudeCodeHarness } from "./claude-code.js";
+export { codexConfigToml, codexHarnessCredentialSkipReason, codexHarness, createCodexHarness } from "./codex.js";
+export { createArtifactStore } from "./artifacts.js";
+export { createHarnessCapabilityMatrix, harnessDashboard, runHarnessSmokeDashboard } from "./dashboard.js";
+export { createMockJudgeSynthesizer } from "./judge.js";
+export { ensemble, runEnsemble } from "./run.js";
+export { createFusionKitJudgeSynthesizer, runFusionPanels, runUnifiedHarnessE2E } from "./unified.js";
+export { ambientTraceId, emitTrace, getTraceEmitter, newSpanId, newTraceId, TRACE_CANDIDATE_HEADER, TRACE_ID_HEADER, TRACE_PARENT_SPAN_HEADER, TRACE_SPAN_HEADER, TraceEmitter } from "./trace.js";
+export { runJudgeSynthesis } from "./synthesis.js";
+export { createMockHarness } from "./mock.js";
+export { createToolExecutor, registerDemoTools, sideEffectsForTool } from "./tool-executor.js";
+export { executeFusionKitToolBatch, FusionKitToolExecutorClient, FusionKitToolExecutorClientError, FusionKitToolExecutorError, startFusionKitToolExecutorServer } from "./external-executor.js";
+export { createCliContainerDriver, runCandidateCommandWithIsolation, secretAbsenceMetadata, secretValueHash } from "./isolation.js";
+export { cleanupCandidateWorktree, cleanupWorktreePlan, createWorktreePlan, defaultOutputRoot, diffCandidateWorktree, sealCandidateWorktree } from "./worktree.js";

package/dist/isolation.d.ts

@@ -0,0 +1,25 @@
+import type { CandidateContainerDriver, CandidateHardeningMetadata, CandidateIsolationConfig, CandidateIsolationSecretPolicy } from "./harness.js";
+export type CandidateCommandIsolationInput = {
+    command: string;
+    cwd: string;
+    timeoutMs?: number;
+    isolation?: CandidateIsolationConfig;
+    env?: Record<string, string | undefined>;
+};
+export type CandidateCommandIsolationResult = {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+    timedOut: boolean;
+    hardening: CandidateHardeningMetadata;
+};
+export declare function runCandidateCommandWithIsolation(input: CandidateCommandIsolationInput): Promise<CandidateCommandIsolationResult>;
+export declare function createCliContainerDriver(engine?: "docker" | "podman"): CandidateContainerDriver;
+export declare function secretAbsenceMetadata(input: {
+    cwd: string;
+    transcript: string;
+    secretPolicy?: CandidateIsolationSecretPolicy;
+    ignoredDirs?: readonly string[];
+    knownSecretValues?: readonly string[];
+}): CandidateHardeningMetadata["secret_absence"];
+export declare function secretValueHash(value: string): string;

package/dist/isolation.js

@@ -0,0 +1,509 @@
+import { execFile } from "node:child_process";
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join, relative } from "node:path";
+import { promisify } from "node:util";
+import { hashCanonicalSha256 } from "@fusionkit/protocol";
+const execFileAsync = promisify(execFile);
+const DEFAULT_CONTAINER_IMAGE = "node:22";
+const DEFAULT_CONTAINER_ENGINE = "docker";
+const DEFAULT_CONTAINER_WORKDIR = "/workspace";
+const DEFAULT_MICROVM_PROVIDER = "vercel-sandbox";
+const DEFAULT_MICROVM_RUNTIME = "node24";
+const UNKNOWN_RUNTIME_DIGEST = "unknown";
+const DEFAULT_IGNORED_DIRS = [".git", "node_modules", ".warrant"];
+const DEFAULT_MAX_SCAN_BYTES = 256 * 1024;
+export async function runCandidateCommandWithIsolation(input) {
+    const isolation = normalizeIsolation(input.isolation);
+    switch (isolation.kind) {
+        case "process":
+            return runProcessCommand(input, isolation);
+        case "container":
+            return runContainerCommand(input, isolation);
+        case "microvm":
+            return runMicrovmCommand(input, isolation);
+        default:
+            return assertNever(isolation);
+    }
+}
+export function createCliContainerDriver(engine = DEFAULT_CONTAINER_ENGINE) {
+    return {
+        id: engine,
+        supportsNetworkPolicy: false,
+        async execute(input) {
+            const args = [
+                "run",
+                "--rm",
+                "-v",
+                `${input.cwd}:${input.workdir}:rw`,
+                "-w",
+                input.workdir
+            ];
+            for (const cachePath of input.mountPolicy.readOnlyCachePaths) {
+                args.push("-v", `${cachePath}:${cachePath}:ro`);
+            }
+            if (input.networkPolicy.defaultDeny && input.networkPolicy.allowHosts.length === 0) {
+                args.push("--network", "none");
+            }
+            args.push(input.image, "sh", "-lc", input.command);
+            const result = await runHostCommand(engine, args, input.cwd, input.timeoutMs);
+            return {
+                stdout: result.stdout,
+                stderr: result.stderr,
+                exitCode: result.exitCode,
+                timedOut: result.timedOut,
+                cleanup: {
+                    attempted: true,
+                    succeeded: !result.timedOut,
+                    ...(result.timedOut
+                        ? { error: "container cleanup not confirmed after timeout" }
+                        : {})
+                }
+            };
+        }
+    };
+}
+export function secretAbsenceMetadata(input) {
+    const secretPolicy = normalizeSecretPolicy(input.secretPolicy);
+    const scanScope = ["transcript"];
+    const haystacks = [input.transcript];
+    for (const file of listScannableFiles(input.cwd, input.ignoredDirs ?? DEFAULT_IGNORED_DIRS)) {
+        scanScope.push(`file:${file.relativePath}`);
+        haystacks.push(file.content);
+    }
+    const leaks = countLeaks(haystacks, [
+        ...secretPolicy.secretNames,
+        ...secretPolicy.secretValueHashes,
+        ...(input.knownSecretValues ?? [])
+    ]);
+    return {
+        secret_names: secretPolicy.secretNames,
+        secret_value_hashes: secretPolicy.secretValueHashes,
+        injected_env_names: secretPolicy.injectedEnvNames,
+        scanned: true,
+        leaks_found: leaks > 0,
+        scan_scope: scanScope,
+        leak_count: leaks
+    };
+}
+async function runProcessCommand(input, isolation) {
+    const command = await runHostCommand("/bin/sh", ["-lc", input.command], input.cwd, input.timeoutMs, input.env);
+    const transcript = [command.stdout, command.stderr].filter(Boolean).join("\n");
+    return {
+        ...command,
+        hardening: hardeningMetadata({
+            requestedIsolation: isolation.kind,
+            actualIsolation: "process",
+            isolation,
+            secretAbsence: secretAbsenceMetadata({
+                cwd: input.cwd,
+                transcript,
+                secretPolicy: isolation.secretPolicy,
+                ignoredDirs: isolation.mountPolicy.ignoredDirs
+            }),
+            networkEnforced: false,
+            cleanup: {
+                attempted: false,
+                succeeded: true
+            }
+        })
+    };
+}
+async function runContainerCommand(input, isolation) {
+    const driver = isolation.driver ?? createCliContainerDriver(isolation.engine ?? DEFAULT_CONTAINER_ENGINE);
+    const image = isolation.image ?? DEFAULT_CONTAINER_IMAGE;
+    if (isolation.networkPolicy.enforce &&
+        isolation.networkPolicy.defaultDeny &&
+        isolation.networkPolicy.allowHosts.length > 0 &&
+        !driver.supportsNetworkPolicy) {
+        const stderr = "container driver cannot enforce host allowlist network policy";
+        const secretAbsence = secretAbsenceMetadata({
+            cwd: input.cwd,
+            transcript: stderr,
+            secretPolicy: isolation.secretPolicy,
+            ignoredDirs: isolation.mountPolicy.ignoredDirs
+        });
+        return {
+            stdout: "",
+            stderr,
+            exitCode: 1,
+            timedOut: false,
+            hardening: hardeningMetadata({
+                requestedIsolation: "container",
+                actualIsolation: "container",
+                isolation,
+                driverId: driver.id,
+                image,
+                secretAbsence,
+                networkEnforced: true,
+                cleanup: {
+                    attempted: true,
+                    succeeded: false,
+                    error: "network policy unsupported"
+                }
+            })
+        };
+    }
+    let result;
+    try {
+        result = await driver.execute({
+            command: input.command,
+            cwd: input.cwd,
+            timeoutMs: input.timeoutMs,
+            image,
+            workdir: isolation.mountPolicy.workdir,
+            mountPolicy: isolation.mountPolicy,
+            networkPolicy: isolation.networkPolicy
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        result = {
+            stdout: "",
+            stderr: message,
+            exitCode: 1,
+            timedOut: false,
+            cleanup: {
+                attempted: true,
+                succeeded: false,
+                error: message
+            }
+        };
+    }
+    const transcript = [result.stdout, result.stderr].filter(Boolean).join("\n");
+    return {
+        stdout: result.stdout,
+        stderr: result.stderr,
+        exitCode: result.exitCode,
+        timedOut: result.timedOut ?? false,
+        hardening: hardeningMetadata({
+            requestedIsolation: "container",
+            actualIsolation: "container",
+            isolation,
+            driverId: driver.id,
+            image,
+            secretAbsence: secretAbsenceMetadata({
+                cwd: input.cwd,
+                transcript,
+                secretPolicy: isolation.secretPolicy,
+                ignoredDirs: isolation.mountPolicy.ignoredDirs
+            }),
+            networkEnforced: isolation.networkPolicy.enforce &&
+                (driver.supportsNetworkPolicy ||
+                    (isolation.networkPolicy.defaultDeny &&
+                        isolation.networkPolicy.allowHosts.length === 0)),
+            cleanup: result.cleanup ?? {
+                attempted: true,
+                succeeded: true
+            }
+        })
+    };
+}
+async function runMicrovmCommand(input, isolation) {
+    const driver = isolation.driver;
+    if (driver === undefined) {
+        const stderr = "microVM isolation requires an execution driver";
+        return {
+            stdout: "",
+            stderr,
+            exitCode: 1,
+            timedOut: false,
+            hardening: hardeningMetadata({
+                requestedIsolation: "microvm",
+                actualIsolation: "process",
+                isolation,
+                runtimeFields: microvmRuntimeFields(isolation),
+                secretAbsence: secretAbsenceMetadata({
+                    cwd: input.cwd,
+                    transcript: stderr,
+                    secretPolicy: isolation.secretPolicy,
+                    ignoredDirs: isolation.mountPolicy.ignoredDirs
+                }),
+                networkEnforced: false,
+                cleanup: {
+                    attempted: false,
+                    succeeded: true
+                }
+            })
+        };
+    }
+    if (isolation.networkPolicy.enforce &&
+        isolation.networkPolicy.defaultDeny &&
+        isolation.networkPolicy.allowHosts.length > 0 &&
+        !driver.supportsNetworkPolicy) {
+        const stderr = "microVM driver cannot enforce host allowlist network policy";
+        return {
+            stdout: "",
+            stderr,
+            exitCode: 1,
+            timedOut: false,
+            hardening: hardeningMetadata({
+                requestedIsolation: "microvm",
+                actualIsolation: actualMicrovmIsolation(driver.provider),
+                isolation,
+                driverId: driver.id,
+                runtimeFields: microvmRuntimeFields(isolation, driver),
+                secretAbsence: secretAbsenceMetadata({
+                    cwd: input.cwd,
+                    transcript: stderr,
+                    secretPolicy: isolation.secretPolicy,
+                    ignoredDirs: isolation.mountPolicy.ignoredDirs
+                }),
+                networkEnforced: true,
+                cleanup: {
+                    attempted: true,
+                    succeeded: false,
+                    error: "network policy unsupported"
+                }
+            })
+        };
+    }
+    let result;
+    try {
+        result = await driver.execute({
+            command: input.command,
+            cwd: input.cwd,
+            timeoutMs: input.timeoutMs,
+            provider: isolation.provider,
+            runtime: isolation.runtime,
+            snapshotId: isolation.snapshotId,
+            workdir: isolation.mountPolicy.workdir,
+            mountPolicy: isolation.mountPolicy,
+            networkPolicy: isolation.networkPolicy,
+            secretPolicy: isolation.secretPolicy
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        result = {
+            stdout: "",
+            stderr: message,
+            exitCode: 1,
+            timedOut: false,
+            actualIsolation: actualMicrovmIsolation(driver.provider),
+            cleanup: {
+                attempted: true,
+                succeeded: false,
+                error: message
+            }
+        };
+    }
+    const transcript = [result.stdout, result.stderr].filter(Boolean).join("\n");
+    return {
+        stdout: result.stdout,
+        stderr: result.stderr,
+        exitCode: result.exitCode,
+        timedOut: result.timedOut ?? false,
+        hardening: hardeningMetadata({
+            requestedIsolation: "microvm",
+            actualIsolation: result.actualIsolation ?? actualMicrovmIsolation(driver.provider),
+            isolation,
+            driverId: driver.id,
+            runtimeFields: microvmRuntimeFields(isolation, driver, result.runtime),
+            secretAbsence: secretAbsenceMetadata({
+                cwd: input.cwd,
+                transcript,
+                secretPolicy: isolation.secretPolicy,
+                ignoredDirs: isolation.mountPolicy.ignoredDirs
+            }),
+            networkEnforced: isolation.networkPolicy.enforce && driver.supportsNetworkPolicy,
+            cleanup: result.cleanup ?? {
+                attempted: true,
+                succeeded: true
+            }
+        })
+    };
+}
+async function runHostCommand(command, args, cwd, timeoutMs, env) {
+    const mergedEnv = env === undefined
+        ? undefined
+        : {
+            ...process.env,
+            ...Object.fromEntries(Object.entries(env).filter((entry) => entry[1] !== undefined))
+        };
+    try {
+        const result = await execFileAsync(command, args, {
+            cwd,
+            ...(mergedEnv !== undefined ? { env: mergedEnv } : {}),
+            ...(timeoutMs !== undefined ? { timeout: timeoutMs } : {})
+        });
+        return {
+            stdout: result.stdout,
+            stderr: result.stderr,
+            exitCode: 0,
+            timedOut: false
+        };
+    }
+    catch (error) {
+        const failed = error;
+        const timedOut = failed.killed === true || failed.signal === "SIGTERM";
+        return {
+            stdout: failed.stdout ?? "",
+            stderr: failed.stderr ?? failed.message ?? "",
+            exitCode: typeof failed.code === "number" ? failed.code : 1,
+            timedOut
+        };
+    }
+}
+function normalizeIsolation(isolation) {
+    const kind = isolation?.kind ?? "process";
+    const mountPolicy = normalizeMountPolicy(isolation?.mountPolicy);
+    const networkPolicy = normalizeNetworkPolicy(isolation?.networkPolicy);
+    const secretPolicy = normalizeSecretPolicy(isolation?.secretPolicy);
+    if (isolation?.kind === "container") {
+        return {
+            kind: "container",
+            image: isolation?.image ?? DEFAULT_CONTAINER_IMAGE,
+            engine: isolation?.engine ?? DEFAULT_CONTAINER_ENGINE,
+            driver: isolation?.driver,
+            mountPolicy,
+            networkPolicy,
+            secretPolicy
+        };
+    }
+    if (isolation?.kind === "microvm") {
+        return {
+            kind: "microvm",
+            provider: isolation.provider ?? DEFAULT_MICROVM_PROVIDER,
+            runtime: isolation.runtime ?? DEFAULT_MICROVM_RUNTIME,
+            snapshotId: isolation.snapshotId,
+            sandboxId: isolation.sandboxId,
+            imageDigest: isolation.imageDigest,
+            runtimeDigest: isolation.runtimeDigest ?? UNKNOWN_RUNTIME_DIGEST,
+            driver: isolation.driver,
+            mountPolicy,
+            networkPolicy,
+            secretPolicy
+        };
+    }
+    return {
+        kind: "process",
+        mountPolicy,
+        networkPolicy,
+        secretPolicy
+    };
+}
+function normalizeMountPolicy(policy) {
+    return {
+        workdir: policy?.workdir ?? DEFAULT_CONTAINER_WORKDIR,
+        worktreeWritable: policy?.worktreeWritable ?? true,
+        readOnlyCachePaths: [...(policy?.readOnlyCachePaths ?? [])],
+        ignoredDirs: [...(policy?.ignoredDirs ?? DEFAULT_IGNORED_DIRS)]
+    };
+}
+function normalizeNetworkPolicy(policy) {
+    return {
+        defaultDeny: policy?.defaultDeny ?? true,
+        allowHosts: [...(policy?.allowHosts ?? [])],
+        enforce: policy?.enforce ?? true
+    };
+}
+function normalizeSecretPolicy(policy) {
+    return {
+        secretNames: [...(policy?.secretNames ?? [])],
+        secretValueHashes: [...(policy?.secretValueHashes ?? [])],
+        injectedEnvNames: [...(policy?.injectedEnvNames ?? [])]
+    };
+}
+function hardeningMetadata(input) {
+    return {
+        requested_isolation: input.requestedIsolation,
+        actual_isolation: input.actualIsolation,
+        runtime: {
+            ...(input.runtimeFields ?? {}),
+            ...(input.image !== undefined ? { image: input.image } : {}),
+            ...(input.driverId !== undefined ? { driver: input.driverId } : {}),
+            workdir: input.isolation.mountPolicy.workdir
+        },
+        mount_policy: {
+            worktree_writable: input.isolation.mountPolicy.worktreeWritable,
+            read_only_caches: input.isolation.mountPolicy.readOnlyCachePaths,
+            ignored_dirs: input.isolation.mountPolicy.ignoredDirs
+        },
+        network_policy: {
+            default_deny: input.isolation.networkPolicy.defaultDeny,
+            allow_hosts: input.isolation.networkPolicy.allowHosts,
+            enforced: input.networkEnforced
+        },
+        cleanup: {
+            attempted: input.cleanup.attempted,
+            succeeded: input.cleanup.succeeded,
+            status: cleanupStatus(input.cleanup),
+            ...(input.cleanup.timedOut === true ? { timed_out: true } : {}),
+            ...(input.cleanup.error !== undefined ? { error: input.cleanup.error } : {})
+        },
+        secret_absence: input.secretAbsence
+    };
+}
+function cleanupStatus(input) {
+    if (!input.attempted)
+        return "not_required";
+    if (input.succeeded)
+        return "succeeded";
+    if (input.timedOut === true)
+        return "timed_out";
+    return "failed";
+}
+function actualMicrovmIsolation(provider) {
+    return provider === "vercel-sandbox" ? "vercel-sandbox" : "microvm";
+}
+function microvmRuntimeFields(isolation, driver, runtime) {
+    return {
+        provider: runtime?.provider ?? driver?.provider ?? isolation.provider,
+        runtime: runtime?.runtime ?? isolation.runtime,
+        ...(runtime?.snapshotId ?? isolation.snapshotId
+            ? { snapshot_id: runtime?.snapshotId ?? isolation.snapshotId }
+            : {}),
+        ...(runtime?.sandboxId ?? isolation.sandboxId
+            ? { sandbox_id: runtime?.sandboxId ?? isolation.sandboxId }
+            : {}),
+        ...(runtime?.imageDigest ?? isolation.imageDigest
+            ? { image_digest: runtime?.imageDigest ?? isolation.imageDigest }
+            : {}),
+        runtime_digest: runtime?.runtimeDigest ?? isolation.runtimeDigest ?? UNKNOWN_RUNTIME_DIGEST
+    };
+}
+function assertNever(value) {
+    throw new Error(`unsupported candidate isolation kind: ${String(value)}`);
+}
+function listScannableFiles(root, ignoredDirs) {
+    if (!existsSync(root))
+        return [];
+    const ignored = new Set(ignoredDirs);
+    const files = [];
+    const walk = (dir) => {
+        for (const entry of readdirSync(dir, { withFileTypes: true })) {
+            if (ignored.has(entry.name))
+                continue;
+            const path = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                walk(path);
+                continue;
+            }
+            if (!entry.isFile())
+                continue;
+            const size = statSync(path).size;
+            if (size > DEFAULT_MAX_SCAN_BYTES)
+                continue;
+            files.push({
+                relativePath: relative(root, path),
+                content: readFileSync(path, "utf8")
+            });
+        }
+    };
+    walk(root);
+    return files;
+}
+function countLeaks(haystacks, needles) {
+    const activeNeedles = needles.filter((needle) => needle.length > 0);
+    let count = 0;
+    for (const haystack of haystacks) {
+        for (const needle of activeNeedles) {
+            if (haystack.includes(needle))
+                count += 1;
+        }
+    }
+    return count;
+}
+export function secretValueHash(value) {
+    return hashCanonicalSha256(value);
+}

package/dist/judge.d.ts

@@ -0,0 +1,77 @@
+import type { JudgeSynthesisDecision, ModelCallRecordV1, ModelFusionStatus } from "@fusionkit/protocol";
+import type { EnsembleDescriptor, HarnessArtifact, HarnessCandidateOutput, HarnessToolRecord, HarnessTrajectory, ReviewEvidence } from "./harness.js";
+export type JudgeCandidateEvidence = {
+    candidateId: string;
+    modelId: string;
+    model: string;
+    status: ModelFusionStatus;
+    artifacts: readonly HarnessArtifact[];
+    verification?: HarnessCandidateOutput["verification"];
+    trajectory?: HarnessTrajectory;
+};
+export type JudgeInput = {
+    descriptor: EnsembleDescriptor;
+    candidates: readonly JudgeCandidateEvidence[];
+    artifacts: readonly HarnessArtifact[];
+    toolRecords: readonly HarnessToolRecord[];
+    modelCallRecords: readonly ModelCallRecordV1[];
+    reviewEvidence?: ReviewEvidence;
+};
+export type JudgePatch = {
+    content: string;
+    sourceCandidateIds?: string[];
+    author?: "judge" | "candidate";
+};
+export type JudgeSynthesisOutput = {
+    decision: JudgeSynthesisDecision;
+    finalOutput: string;
+    rationale?: string;
+    selectedCandidateId?: string;
+    judgeModelCallId?: string;
+    score?: number;
+    patch?: JudgePatch;
+    contributions?: Array<{
+        candidateId: string;
+        reason: string;
+    }>;
+    rejections?: Array<{
+        candidateId: string;
+        reason: string;
+    }>;
+};
+export type JudgeRepairInput = JudgeInput & {
+    failureEvidence: SynthesisVerificationResult;
+    priorOutput: JudgeSynthesisOutput;
+};
+export type SynthesisVerificationResult = {
+    status: ModelFusionStatus;
+    evidence: string[];
+    exitCode?: number;
+};
+export type SynthesisFailureSummary = {
+    reason: string;
+    verification?: SynthesisVerificationResult;
+    repair?: SynthesisVerificationResult;
+};
+export type SynthesisRepairAttempt = {
+    round: number;
+    verification: SynthesisVerificationResult;
+    status: ModelFusionStatus;
+};
+export type JudgeVerificationInput = {
+    descriptor: EnsembleDescriptor;
+    worktreePath: string;
+    output: JudgeSynthesisOutput;
+    repairRound: number;
+};
+export type JudgeSynthesizer = {
+    synthesize(input: JudgeInput): Promise<JudgeSynthesisOutput> | JudgeSynthesisOutput;
+    repair?(input: JudgeRepairInput): Promise<JudgeSynthesisOutput> | JudgeSynthesisOutput;
+    verify?(input: JudgeVerificationInput): Promise<SynthesisVerificationResult> | SynthesisVerificationResult;
+};
+export type MockJudgeSynthesizerOptions = {
+    output: JudgeSynthesisOutput;
+    repairOutput?: JudgeSynthesisOutput;
+    verificationResults?: SynthesisVerificationResult[];
+};
+export declare function createMockJudgeSynthesizer(options: MockJudgeSynthesizerOptions): JudgeSynthesizer;

package/dist/judge.js

@@ -0,0 +1,16 @@
+export function createMockJudgeSynthesizer(options) {
+    let verificationIndex = 0;
+    return {
+        synthesize: () => options.output,
+        repair: options.repairOutput ? () => options.repairOutput : undefined,
+        verify: () => {
+            const result = options.verificationResults?.[verificationIndex];
+            verificationIndex += 1;
+            return (result ?? {
+                status: "succeeded",
+                evidence: ["mock judge verification passed"],
+                exitCode: 0
+            });
+        }
+    };
+}