@groundnuty/macf 0.2.10 → 0.2.12

package/dist/plugin/bin/macf-plugin-cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"macf-plugin-cli.js","sourceRoot":"","sources":["../../../src/plugin/bin/macf-plugin-cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AACH,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACtG,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAG1D,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAEhC,SAAS,iBAAiB;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChD,IAAI,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClD,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACvD,mBAAmB;IACnB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC7D,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC;IAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC;IACtD,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;IAE3C,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1E,mEAAmE;YACnE,gEAAgE;YAChE,6DAA6D;YAC7D,MAAM,CAAC,eAAe,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBACjD,kBAAkB,CAAC,SAAS,EAAE,QAAQ,CAAC;gBACvC,SAAS,CAAC,QAAQ,CAAC;aACpB,CAAC,CAAC;YACH,gEAAgE;YAChE,sEAAsE;YACtE,OAAO,CAAC,GAAG,CAAC,eAAe,CACzB,SAAS,EACT,eAAe,EACf,IAAI,EACJ,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CACjD,CAAC,CAAC;YACH,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1E,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACvE,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,oEAAoE;YACpE,sEAAsE;YACtE,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;gBAC1D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YACD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YACrD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YACnD,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnD,OAAO,CAAC,KAAK,CACX,uEAAuE;oBACvE,4FAA4F,CAC7F,CAAC;gBACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1E,gEAAgE;YAChE,8DAA8D;YAC9D,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,eAAe,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;YAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,KAAK,CAAC,iBAAiB,UAAU,yBAAyB,CAAC,CAAC;gBACpE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC;gBAC7B,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACtB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACtB,SAAS;gBACT,QAAQ,EAAE,aAAa;gBACvB,OAAO,EAAE,YAAY;aACtB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;YACjE,IAAI,CAAC,MAAM;gBAAE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YAClC,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,iBAAiB,CAAC;YACpE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,YAAY,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YAClC,MAAM;QACR,CAAC;QAED;YACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YAC/D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACzB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IAC1B,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"macf-plugin-cli.js","sourceRoot":"","sources":["../../../src/plugin/bin/macf-plugin-cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AACH,OAAO,kBAAkB,CAAC;AAC1B,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACtG,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACnE,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,wBAAwB,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAG1D,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAEhC,SAAS,iBAAiB;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChD,IAAI,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClD,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACvD,mBAAmB;IACnB,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC7D,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC;IAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC;IACtD,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;IAE3C,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1E,mEAAmE;YACnE,gEAAgE;YAChE,6DAA6D;YAC7D,MAAM,CAAC,eAAe,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBACjD,kBAAkB,CAAC,SAAS,EAAE,QAAQ,CAAC;gBACvC,SAAS,CAAC,QAAQ,CAAC;aACpB,CAAC,CAAC;YACH,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,GAAG,MAAM,oBAAoB,CAC/D,eAAe,EACf,KAAK,EACL,eAAe,CAChB,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC;YACrF,MAAM;QACR,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1E,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,GAAG,CACvC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAC,CAAC,EAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CACnE,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC,CAAC;YAC9C,MAAM;QACR,CAAC;QAED,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,oEAAoE;YACpE,sEAAsE;YACtE,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;gBAC1D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YACD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YACrD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;YACnD,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnD,OAAO,CAAC,KAAK,CACX,uEAAuE;oBACvE,4FAA4F,CAC7F,CAAC;gBACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;YAC1E,gEAAgE;YAChE,8DAA8D;YAC9D,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,eAAe,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;YAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,KAAK,CAAC,iBAAiB,UAAU,yBAAyB,CAAC,CAAC;gBACpE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC;gBAC7B,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACtB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACtB,SAAS;gBACT,QAAQ,EAAE,aAAa;gBACvB,OAAO,EAAE,YAAY;aACtB,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;YACjE,IAAI,CAAC,MAAM;gBAAE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;YAClC,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,KAAK,GAAG,MAAM,aAAa,EAAE,CAAC;YACpC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,iBAAiB,CAAC;YACpE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,YAAY,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;YAClC,MAAM;QACR,CAAC;QAED;YACE,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YAC/D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACzB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAU,EAAE,EAAE;IAC1B,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC"}

package/dist/plugin/lib/build-dashboard-health.d.ts

@@ -0,0 +1,23 @@
+import type { HealthResponse } from '@groundnuty/macf-core';
+import type { OwnRegistration, PeerEntry } from './registry.js';
+/**
+ * Build the `ownHealth` + `peersWithHealth` arguments for `formatDashboard`
+ * by probing each registered peer (and self if registered) over mTLS via
+ * the injected probe function.
+ *
+ * Extracted from `macf-plugin-cli.ts` `status` case to make the wiring
+ * testable without spawning the full binary. Probe dependency is injected
+ * so tests can supply a stub instead of `probePeerHealth`.
+ *
+ * Surfaced by macf#327 — `status` case was previously a stub mapping
+ * every peer to `health: null` (sister-class to the `peers` stub fixed in
+ * macf#325 / PR #326).
+ */
+export declare function buildDashboardHealth(ownRegistration: OwnRegistration | null, peers: readonly PeerEntry[], probe: (peer: PeerEntry) => Promise<HealthResponse | null>): Promise<{
+    readonly ownHealth: HealthResponse | null;
+    readonly peersWithHealth: ReadonlyArray<{
+        readonly name: string;
+        readonly health: HealthResponse | null;
+    }>;
+}>;
+//# sourceMappingURL=build-dashboard-health.d.ts.map

package/dist/plugin/lib/build-dashboard-health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-dashboard-health.d.ts","sourceRoot":"","sources":["../../../src/plugin/lib/build-dashboard-health.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,wBAAsB,oBAAoB,CACxC,eAAe,EAAE,eAAe,GAAG,IAAI,EACvC,KAAK,EAAE,SAAS,SAAS,EAAE,EAC3B,KAAK,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,GACzD,OAAO,CAAC;IACT,QAAQ,CAAC,SAAS,EAAE,cAAc,GAAG,IAAI,CAAC;IAC1C,QAAQ,CAAC,eAAe,EAAE,aAAa,CAAC;QAAE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CAAA;KAAE,CAAC,CAAC;CAC5G,CAAC,CAQD"}

package/dist/plugin/lib/build-dashboard-health.js

@@ -0,0 +1,23 @@
+/**
+ * Build the `ownHealth` + `peersWithHealth` arguments for `formatDashboard`
+ * by probing each registered peer (and self if registered) over mTLS via
+ * the injected probe function.
+ *
+ * Extracted from `macf-plugin-cli.ts` `status` case to make the wiring
+ * testable without spawning the full binary. Probe dependency is injected
+ * so tests can supply a stub instead of `probePeerHealth`.
+ *
+ * Surfaced by macf#327 — `status` case was previously a stub mapping
+ * every peer to `health: null` (sister-class to the `peers` stub fixed in
+ * macf#325 / PR #326).
+ */
+export async function buildDashboardHealth(ownRegistration, peers, probe) {
+    const [ownHealth, peersWithHealth] = await Promise.all([
+        ownRegistration
+            ? probe({ name: ownRegistration.name, info: ownRegistration.info })
+            : Promise.resolve(null),
+        Promise.all(peers.map(async (p) => ({ name: p.name, health: await probe(p) }))),
+    ]);
+    return { ownHealth, peersWithHealth };
+}
+//# sourceMappingURL=build-dashboard-health.js.map

package/dist/plugin/lib/build-dashboard-health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-dashboard-health.js","sourceRoot":"","sources":["../../../src/plugin/lib/build-dashboard-health.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,eAAuC,EACvC,KAA2B,EAC3B,KAA0D;IAK1D,MAAM,CAAC,SAAS,EAAE,eAAe,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACrD,eAAe;YACb,CAAC,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,EAAE,IAAI,EAAE,eAAe,CAAC,IAAI,EAAE,CAAC;YACnE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAC,CAAC,EAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;KAC9E,CAAC,CAAC;IACH,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC;AACxC,CAAC"}

package/dist/plugin/lib/index.d.ts

@@ -1,6 +1,8 @@
 export { getOwnRegistration, listPeers } from './registry.js';
 export type { OwnRegistration, PeerEntry } from './registry.js';
 export { pingAgent } from './health.js';
+export { probePeerHealth } from './probe-peer-health.js';
+export { buildDashboardHealth } from './build-dashboard-health.js';
 export { checkIssues } from './work.js';
 export type { PendingIssue } from './work.js';
 export { formatDashboard, formatPeerTable, formatIssues } from './format.js';

package/dist/plugin/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/plugin/lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC9D,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/plugin/lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC9D,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,YAAY,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/dist/plugin/lib/index.js

@@ -1,5 +1,7 @@
 export { getOwnRegistration, listPeers } from './registry.js';
 export { pingAgent } from './health.js';
+export { probePeerHealth } from './probe-peer-health.js';
+export { buildDashboardHealth } from './build-dashboard-health.js';
 export { checkIssues } from './work.js';
 export { formatDashboard, formatPeerTable, formatIssues } from './format.js';
 //# sourceMappingURL=index.js.map

package/dist/plugin/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugin/lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE9D,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugin/lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE9D,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/dist/plugin/lib/probe-peer-health.d.ts

@@ -0,0 +1,20 @@
+import type { PeerEntry } from './registry.js';
+import type { HealthResponse } from '@groundnuty/macf-core';
+/**
+ * Probe a peer's `/health` endpoint over mTLS using the cert paths set by
+ * `claude.sh` (MACF_CA_CERT / MACF_AGENT_CERT / MACF_AGENT_KEY env vars).
+ *
+ * Returns `null` when env vars are missing or CA-cert read fails — caller's
+ * UI layer renders that as "offline" (matches `formatPeerTable` behaviour).
+ *
+ * Used by the `peers` and `status` cases in `macf-plugin-cli.ts`. The `ping`
+ * case keeps its own inline copy because it has a different UX contract:
+ * operator-invoked `/macf-ping` should fail loudly when env is incomplete,
+ * not silently render "offline".
+ *
+ * Surfaced by macf#325 — `peers` case was previously a stub mapping every
+ * peer to `health: null`, producing misleading "all offline" output even
+ * when channel-servers were running. This helper is the structural fix.
+ */
+export declare function probePeerHealth(peer: PeerEntry): Promise<HealthResponse | null>;
+//# sourceMappingURL=probe-peer-health.d.ts.map

package/dist/plugin/lib/probe-peer-health.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"probe-peer-health.d.ts","sourceRoot":"","sources":["../../../src/plugin/lib/probe-peer-health.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE5D;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAkBrF"}

package/dist/plugin/lib/probe-peer-health.js

@@ -0,0 +1,40 @@
+import { readFileSync } from 'node:fs';
+import { pingAgent } from './health.js';
+/**
+ * Probe a peer's `/health` endpoint over mTLS using the cert paths set by
+ * `claude.sh` (MACF_CA_CERT / MACF_AGENT_CERT / MACF_AGENT_KEY env vars).
+ *
+ * Returns `null` when env vars are missing or CA-cert read fails — caller's
+ * UI layer renders that as "offline" (matches `formatPeerTable` behaviour).
+ *
+ * Used by the `peers` and `status` cases in `macf-plugin-cli.ts`. The `ping`
+ * case keeps its own inline copy because it has a different UX contract:
+ * operator-invoked `/macf-ping` should fail loudly when env is incomplete,
+ * not silently render "offline".
+ *
+ * Surfaced by macf#325 — `peers` case was previously a stub mapping every
+ * peer to `health: null`, producing misleading "all offline" output even
+ * when channel-servers were running. This helper is the structural fix.
+ */
+export async function probePeerHealth(peer) {
+    const caCertPath = process.env['MACF_CA_CERT'];
+    const agentCertPath = process.env['MACF_AGENT_CERT'];
+    const agentKeyPath = process.env['MACF_AGENT_KEY'];
+    if (!caCertPath || !agentCertPath || !agentKeyPath)
+        return null;
+    let caCertPem;
+    try {
+        caCertPem = readFileSync(caCertPath, 'utf-8');
+    }
+    catch {
+        return null;
+    }
+    return await pingAgent({
+        host: peer.info.host,
+        port: peer.info.port,
+        caCertPem,
+        certPath: agentCertPath,
+        keyPath: agentKeyPath,
+    });
+}
+//# sourceMappingURL=probe-peer-health.js.map

package/dist/plugin/lib/probe-peer-health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"probe-peer-health.js","sourceRoot":"","sources":["../../../src/plugin/lib/probe-peer-health.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAIxC;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAe;IACnD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACrD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAChE,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,SAAS,CAAC;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;QACpB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;QACpB,SAAS;QACT,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,YAAY;KACtB,CAAC,CAAC;AACL,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groundnuty/macf",
-  "version": "0.2.10",
+  "version": "0.2.12",
   "description": "Multi-Agent Coordination Framework CLI — coordinate Claude Code agents via GitHub. Installs as `macf` binary; use `macf init` to set up an agent workspace, `macf update` to refresh rules + version pins.",
   "type": "module",
   "main": "dist/index.js",
@@ -35,7 +35,7 @@
     "test:watch": "vitest"
   },
   "dependencies": {
-    "@groundnuty/macf-core": "0.2.10",
+    "@groundnuty/macf-core": "0.2.12",
     "commander": "^14.0.3",
     "reflect-metadata": "^0.2.2",
     "zod": "^4.0.0"

package/plugin/rules/gh-token-attribution-traps.md

@@ -143,6 +143,18 @@ When intentionally bypassing the hook for a knowingly user-attributed op (e.g.,
 
 ---
 
+## Structural backstop: in-runner token refresh in macf-channel-server (macf#317)
+
+The 6 failure modes above all describe **token-acquisition** (the new token coming back wrong); macf#317 surfaced a 7th class — **token-expiry** during long-running sessions. Bot installation tokens have a 1-hour TTL by design; `claude.sh` mints a fresh token at session start and exports `GH_TOKEN`, but **macf-channel-server inherits this fixed token via `process.env` and has no in-runner refresh** absent the macf#317 fix. After 1 hour, every gh-API-using handler (notify_peer's registry lookups, /sign's varsClient calls) 401s. Witnessed 2026-05-01: cv-architect Stop hook 401 at ~67min uptime.
+
+The expiry sub-case is **shape-distinct** from modes 1–6: the token is `ghs_*` (right prefix), it was generated correctly, the helper script is installed, the path resolves — it's just stale. Helper-prefix-checking + PreToolUse hooks don't catch it; the structural fix is in-process refresh.
+
+**v0.2.11+ defense:** macf-channel-server's `token-refresh.ts` + `refresh-aware-client.ts` modules. The token-refresher caches the current token in-process for ~50 minutes (10-min safety margin under 1hr TTL); on every gh-API call, the refresh-aware client gets a current token (cached or fresh); on 401, the wrapper force-refreshes + retries once. Refresh failures throw with diagnostic — channel-server fails loud rather than silently using a stale token. Implementation cites `silent-fallback-hazards.md Instance 1 (expiry sub-case)` in the diagnostic message so 401s in the field surface the canonical reference.
+
+**Operator note:** the structural defense is automatic for consumer-fleet workspaces (npm-installed `@groundnuty/macf-channel-server@0.2.11+`). Substrate workspaces / bash-terminal sessions still need the operator-discipline pattern in `gh-token-refresh.md` ("refresh before every `gh` or `git push`").
+
+---
+
 ## How this relates to other canonical rules
 
 - `coordination.md` § "Token & Git Hygiene" documents the canonical helper invocation; this rule provides the failure-mode catalog the helper is designed to defend against.

package/plugin/rules/pr-discipline.md

@@ -350,6 +350,38 @@ changed.
 
 ---
 
+## Structural enforcement — `check-lgtm-gate.sh` PreToolUse hook
+
+Per `groundnuty/macf#270` (DR-023 UC-2), the "no LGTM = no merge" rule (codified above in §"How to submit LGTM" + §"When the reviewer is absent or unreachable" + §"Merge-by-implementer") is enforced by a Claude Code PreToolUse hook on `Bash` tool calls. The hook intercepts `gh pr merge` invocations, queries the target PR's review state via `gh pr view --json author,reviews`, and BLOCKs (`exit 2` with stderr explanation) when no APPROVED review from a non-author exists.
+
+**Architectural shape (DR-023 amendment 2026-04-27):** this is a bash command-type hook, NOT `type: "mcp_tool"`. PreToolUse-blocking semantics + mcp_tool's non-blocking-on-disconnect failure mode are structurally incompatible — a missing or transiently-disconnected MCP server would silently allow the merge. Bash form fires uniformly across substrate workspaces (where the `macf-agent` MCP server is permanently off per operator directive 2026-04-27) AND consumer workspaces (startup window + transient disconnect periods produce silent-fail paths under mcp_tool). Same reasoning UC-4 (`check-mention-routing.sh`, PR #275) demonstrated empirically.
+
+**The hook is the same shape as `check-gh-token.sh` (#140) + `check-mention-routing.sh` (#244 + #272):** a bash script distributed via `macf init` / `macf update` / `macf rules refresh` to every workspace's `.claude/scripts/check-lgtm-gate.sh` with the entry registered in `.claude/settings.json` `hooks.PreToolUse`. Substrate workspaces, tester agents, CV consumers, and future MACF-consumer projects all get the protection uniformly.
+
+**Decision rule** (subject to refinement; documented for transparency):
+
+- Command does NOT match `gh pr merge` (exact subcommand, wrapper-aware) → allow (other gh subcommands pass through unchanged)
+- Command matches but no PR number can be extracted → allow (defense-in-depth; gh itself surfaces the usage error)
+- Command matches AND `gh pr view --json author,reviews` returns at least one APPROVED review where reviewer login != author login (after normalizing `app/` prefix + `[bot]` suffix) → allow
+- Command matches AND no non-author APPROVED review exists → BLOCK with stderr citing this rule + the missing-LGTM diagnosis + the `MACF_SKIP_LGTM_CHECK=1` operator override
+- Any infrastructure failure (gh missing, network 404/5xx, malformed JSON) → fail-open (allow). Same defense-in-depth posture as `check-gh-token.sh` and `check-mention-routing.sh` — the hook closes residual policy slips, not all merge paths
+
+**Wrapper coverage:** the regex matches `gh pr merge` preceded by `sudo`, `env VAR=...`, `watch`, `ionice`, `setsid`, `nice`, `time`, bare-`VAR=...` env-prefix forms, and shell wrappers (`bash -c "gh pr merge ..."`, `sh -c`, `zsh -c`, including flag-prefixed forms like `bash -lc`). Same wrapper allow-list as `check-gh-token.sh` + `check-mention-routing.sh`. Chained-form leadins `;` `|` `&&` covered.
+
+**False-positive trade-off:** the hook leans toward false-positive over false-negative on parse-failure paths. PR-number extraction tolerates URL form (`https://github.com/owner/repo/pull/N`), `owner/repo#N` shorthand, and quoted positionals. Bare `gh pr merge` (no positional, gh prompts interactively) passes through unblocked — the operator's discipline catches it because the prompt is visible.
+
+**Override (`MACF_SKIP_LGTM_CHECK=1`)** is the escape hatch for legitimate exceptions documented in §"When the reviewer is absent or unreachable":
+
+- Reporter-sanctioned self-merge after extended reviewer absence
+- The "PR author offline → reviewer merges with hand-off comment" exception
+- Urgent reverts where waiting for review is itself a hazard
+
+Per the `check-gh-token.sh` precedent, structural enforcement plus an escape hatch outperforms behavioral discipline alone.
+
+**Empirical motivation:** `groundnuty/macf-testbed#229` Phase C iter 4 sweep (2026-04-26) recorded a self-merge-without-LGTM incident — a tester self-merged when its harness driver (acting as the de-facto reviewer) was killed mid-poll. Codified in §"When the reviewer is absent or unreachable" same day. The hook closes the residual: rule-discipline catches most cases; structural enforcement catches the slips that remain.
+
+---
+
 ## When to modify this rule
 
 - **Read:** every session start.

package/plugin/rules/silent-fallback-hazards.md

@@ -30,6 +30,12 @@ The trap is that defensive programming targets exit codes, but exit-code success
 **Recurrence:** 5+ confirmed instances across multiple agents
 **Canonical defense:** `gh-token-attribution-traps.md` (sister canonical rule) — 6 specific failure modes + result-invariant defenses (`[[ "$GH_TOKEN" == ghs_* ]]` prefix check, `macf-whoami.sh` spot-check, PreToolUse hook intercepts `gh` and `git push` invocations)
 
+**Sub-case (expiry, macf#317, 2026-05-01):** Bot installation tokens have a **1-hour TTL by design** (GitHub App contract). `claude.sh` mints a fresh token at session start and exports `GH_TOKEN`; the macf-channel-server child process inherits that same env var via standard Node `process.env` pass-through. **Without an in-runner refresh, every gh-API-using handler 401s after ~60 minutes of session uptime.** Detection: 401 (`Bad credentials`) on `listVariables` / `readVariable` / `writeVariable` calls 60+ min after server start. Witnessed 2026-05-01 ~14:30Z on cv-architect's Stop hook at ~67min uptime — the operator-witnessed incident motivating macf#317.
+
+This is a distinct sub-case from the missing-helper / mis-pipefail / wrong-prefix attribution-trap modes catalogued in `gh-token-attribution-traps.md`: the agent has the right token *shape* (`ghs_*`) but it's stale. The hazard is structural — session lifetime ≠ token lifetime by design (1hr vs ∞), so any long-running agent eventually hits this.
+
+**Defense (macf#317, v0.2.11):** in-process token-refresh helper in macf-channel-server (`src/token-refresh.ts`) caches `{token, mintedAt}`; on every `getRefreshedToken()` call, returns cached if `age < 50min` (10-min safety margin under 1hr TTL), else mints fresh via `macf-gh-token.sh`. The refresh-aware client wrapper (`src/refresh-aware-client.ts`) decorates `GitHubVariablesClient`: every method call gets a refreshed token; on 401, force-refreshes + retries once. Refresh failures throw with diagnostic — never silently fall back to the stale env-var token. Sister-shape: `macf-testbed#135` (sweep-harness in-runner refresh between iterations; closed/deferred for testbed but the channel-server class needed structural defense).
+
 ### Instance 2 — GitHub auto-close negation-blindness
 
 **Surface:** PR / issue body markdown parsing
@@ -245,7 +251,7 @@ For coordination-system safety analysis: this is a class of hazards multi-agent
 
 | Instance | Surface | Structural defense | Pattern |
 |---|---|---|---|
-| 1 — gh-token attribution traps | `gh` ops + bot tokens | PreToolUse hook + helper-with-fail-loud-prefix-check | Pattern B |
+| 1 — gh-token attribution traps | `gh` ops + bot tokens | PreToolUse hook + helper-with-fail-loud-prefix-check; expiry sub-case (macf#317) adds in-runner token refresh in macf-channel-server (`token-refresh.ts` + `refresh-aware-client.ts`) — caches token ~50min, force-refreshes on 401 | Pattern B (acquisition) + Pattern A (expiry retry) |
 | 2 — GitHub auto-close negation-blindness | PR/issue body markdown | Pattern B candidate; structural defense via PreToolUse hook on body content per #275 precedent — not yet shipped | Pattern B (latent) |
 | 3 — Remote Control IPC blocking tmux send-keys | Claude Code TUI input | Two-tier: consumer fleet structurally retired via channel-server primitive (DR-020 mTLS HTTPS POST); substrate fleet permanent operational reality — defense = rule-discipline + Pattern C fragility detector | Pattern C deployable as fragility detector |
 | 4 — Loki/CH-logs pipeline divergence | OTLP logs routing | manifest warnings + shape-aware diagnostic | Pattern A |

package/scripts/check-lgtm-gate.sh

@@ -0,0 +1,274 @@
+#!/usr/bin/env bash
+#
+# check-lgtm-gate.sh — Claude Code PreToolUse hook that blocks
+# `gh pr merge` invocations when no non-author APPROVED review exists
+# on the target PR. Implements `pr-discipline.md` §"How to submit
+# LGTM — formal review, not comment" + §"When the reviewer is absent
+# or unreachable" structurally.
+#
+# Hook contract: JSON on stdin, exit 0 = allow, exit 2 = block (stderr
+# is fed back to Claude as the error). Same shape as #140's
+# check-gh-token.sh + #244/#272's check-mention-routing.sh per
+# groundnuty/macf#270 design alignment.
+#
+# Architectural note (DR-023 amendment 2026-04-27, PR #279): this is a
+# bash command-type hook, NOT `type: "mcp_tool"`. PreToolUse-blocking
+# semantics + mcp_tool's non-blocking-on-disconnect failure mode are
+# structurally incompatible — bash form fires uniformly across substrate
+# (no macf-agent MCP server) AND consumer workspaces (startup window,
+# transient disconnect). Same reasoning UC-4 (PR #275) demonstrated.
+#
+# Override: MACF_SKIP_LGTM_CHECK=1 bypasses (for legitimate operator-
+# allowed exceptions per pr-discipline.md §"When the reviewer is absent
+# or unreachable" — reporter-sanctioned self-merge, urgent revert, etc.).
+#
+# Refs: groundnuty/macf#270 (this hook); pr-discipline.md (canonical
+#       rule, distributed via `macf rules refresh`); DR-023 amendment
+#       (bash-form decision rule); macf#262 / PR #263 (LGTM rule
+#       codification); PR #275 / macf#244+#272 (empirical pattern).
+set -euo pipefail
+
+# Cheap exit on operator override — no stdin read, no parsing.
+if [[ "${MACF_SKIP_LGTM_CHECK:-}" == "1" ]]; then
+  exit 0
+fi
+
+# Read PreToolUse payload. Fall through to allow on parse error — a
+# broken hook must not brick the harness. Same defense-in-depth as
+# check-gh-token.sh.
+INPUT_JSON="$(cat 2>/dev/null || echo "")"
+COMMAND="$(jq -r '.tool_input.command // ""' <<<"$INPUT_JSON" 2>/dev/null || echo "")"
+
+if [[ -z "$COMMAND" ]]; then
+  # No command extractable — allow (defense-in-depth).
+  exit 0
+fi
+
+# Wrapper-aware match for `gh pr merge`. Mirrors check-mention-routing.sh's
+# pattern shape — covers sudo, env VAR=, watch, ionice, setsid, nice,
+# time prefix wrappers + chained-form leadins `;` `|` `&`. Subcommand
+# match: `gh pr merge` ONLY (NOT `gh pr view`, `gh pr list`, etc.) —
+# trailing whitespace or end-of-string forces exact-subcommand match.
+GH_MERGE_PATTERN='(^|[[:space:];|&])(sudo[[:space:]]+|env[[:space:]]+([A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*|watch[[:space:]]+|ionice[[:space:]]+|setsid[[:space:]]+|nice[[:space:]]+|time[[:space:]]+|[A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*gh[[:space:]]+pr[[:space:]]+merge([[:space:]]|$)'
+
+# Shell-wrapper bypass: catches `bash -c "gh pr merge ..."` and variants.
+# Same flag-handling logic as check-gh-token.sh + check-mention-routing.sh.
+SHELL_C_GH_MERGE_PATTERN='(^|[[:space:];|&])(sudo[[:space:]]+|env[[:space:]]+([A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*|[A-Za-z_][A-Za-z_0-9]*=[^[:space:]]*[[:space:]]+)*(bash|sh|zsh)[[:space:]]+(-[a-zA-Z]+[[:space:]]+)*-[a-zA-Z]*c[[:space:]]+[^[:space:]].*gh[[:space:]]+pr[[:space:]]+merge([[:space:]]|$)'
+
+if [[ ! "$COMMAND" =~ $GH_MERGE_PATTERN ]] && [[ ! "$COMMAND" =~ $SHELL_C_GH_MERGE_PATTERN ]]; then
+  # Not a `gh pr merge` command — allow.
+  exit 0
+fi
+
+# Extract PR number from the matched command. The PR number is the
+# first non-flag positional argument after `gh pr merge`. Examples:
+#   gh pr merge 123 --squash
+#   gh pr merge --squash 123
+#   gh pr merge 123 --repo owner/repo --squash --delete-branch
+#   bash -c "gh pr merge 123 --squash"
+# We scan the whole command for `gh pr merge` then walk forward to find
+# the first bare integer token (not preceded by `=` so it's not a flag
+# value like `--retries=3`).
+PR_NUMBER=""
+# Strip leading wrappers up to and including `gh pr merge`. Use sed
+# with extended regex to find the gh-pr-merge prefix and remove it.
+TAIL="$(sed -E 's/^.*gh[[:space:]]+pr[[:space:]]+merge[[:space:]]+//' <<<"$COMMAND" 2>/dev/null || echo "")"
+if [[ -z "$TAIL" ]]; then
+  # No tail after `gh pr merge` — likely the operator is invoking with
+  # no args (interactive prompt). Allow; the command will fail at gh
+  # itself with a usage error, not silently merge anything.
+  exit 0
+fi
+
+# Find the first bare-integer token. Skip flags (`--foo`, `-x`) and
+# their values (handled via `[[ $prev == --* ]]` lookback for non-`=`
+# flag-value form). We only need the FIRST PR number — `gh pr merge`
+# only takes one positional.
+PREV_FLAG=""
+# shellcheck disable=SC2086
+for tok in $TAIL; do
+  # Flags introducing a value with a separate-arg form (e.g. `--repo X`)
+  # — set PREV_FLAG so the next token is consumed as a value.
+  if [[ -n "$PREV_FLAG" ]]; then
+    PREV_FLAG=""
+    continue
+  fi
+  # `--flag=value` form — single token, no lookahead needed.
+  if [[ "$tok" =~ ^--[a-zA-Z0-9-]+= ]]; then
+    continue
+  fi
+  # `--flag` without `=` — set PREV_FLAG to consume next token as value.
+  # Boolean flags (e.g. `--squash`, `--delete-branch`) don't consume a
+  # value, but we can't tell from the command alone — heuristic: the
+  # first non-flag token AFTER any flags is the PR number, even if we
+  # mistakenly skip a boolean's "value." If that "value" is the PR
+  # number itself, we miss it; mitigation: gh's canonical positional
+  # ordering is `gh pr merge <N> [flags]`, so PR-first is the common
+  # form. The few cases that put flags first AND use boolean flags
+  # without `=` are rare; fail-open is acceptable per defense-in-depth.
+  if [[ "$tok" =~ ^-- ]]; then
+    # Known value-taking flags from `gh pr merge --help`:
+    #   --repo, --body, --body-file, --match-head-commit, --subject,
+    #   --author-email
+    # Boolean flags don't consume a value:
+    #   --squash, --merge, --rebase, --delete-branch, --auto, --admin,
+    #   --disable-auto
+    case "$tok" in
+      --repo|--body|--body-file|--match-head-commit|--subject|--author-email)
+        PREV_FLAG="$tok"
+        ;;
+      *) ;;
+    esac
+    continue
+  fi
+  # Short flag — `-X`. Same boolean-vs-value ambiguity. `gh pr merge`
+  # short flags from --help: `-s` (squash), `-m` (merge), `-r` (rebase),
+  # `-d` (delete-branch), `-R` (repo, value-taking), `-b` (body, value),
+  # `-F` (body-file, value), `-t` (subject, value).
+  if [[ "$tok" =~ ^-[a-zA-Z]$ ]]; then
+    case "$tok" in
+      -R|-b|-F|-t)
+        PREV_FLAG="$tok"
+        ;;
+      *) ;;
+    esac
+    continue
+  fi
+  # Bare integer — this is our PR number.
+  if [[ "$tok" =~ ^[0-9]+$ ]]; then
+    PR_NUMBER="$tok"
+    break
+  fi
+  # URL form: `https://github.com/owner/repo/pull/<N>` — gh accepts
+  # this as a positional. Extract the trailing integer.
+  if [[ "$tok" =~ /pull/([0-9]+) ]]; then
+    PR_NUMBER="${BASH_REMATCH[1]}"
+    break
+  fi
+  # `owner/repo#N` shorthand — also accepted by gh.
+  if [[ "$tok" =~ \#([0-9]+) ]]; then
+    PR_NUMBER="${BASH_REMATCH[1]}"
+    break
+  fi
+  # Quoted forms — strip surrounding quotes before re-checking.
+  STRIPPED="${tok#\"}"
+  STRIPPED="${STRIPPED%\"}"
+  STRIPPED="${STRIPPED#\'}"
+  STRIPPED="${STRIPPED%\'}"
+  if [[ "$STRIPPED" =~ ^[0-9]+$ ]]; then
+    PR_NUMBER="$STRIPPED"
+    break
+  fi
+done
+
+if [[ -z "$PR_NUMBER" ]]; then
+  # Couldn't extract a PR number — allow per defense-in-depth.
+  # gh itself will fail with a usage error if the command is malformed,
+  # OR if it succeeds, the merge happens against the current branch's
+  # PR (gh auto-detects) — the LGTM gate is a structural guard, not a
+  # 100% catcher. Operator discipline + the canonical rule remain the
+  # primary defenses; the hook closes the residual.
+  exit 0
+fi
+
+# Extract --repo if present so the api call targets the right repo.
+# Without it, `gh api` falls back to the current git remote's repo,
+# which works in most agent-shell flows but breaks for cross-repo merges.
+REPO_FLAG=""
+# Check for `--repo X` (separate-arg form)
+if [[ "$COMMAND" =~ --repo[[:space:]]+([^[:space:]]+) ]]; then
+  REPO_FLAG="--repo ${BASH_REMATCH[1]}"
+elif [[ "$COMMAND" =~ --repo=([^[:space:]]+) ]]; then
+  REPO_FLAG="--repo ${BASH_REMATCH[1]}"
+elif [[ "$COMMAND" =~ (^|[[:space:]])-R[[:space:]]+([^[:space:]]+) ]]; then
+  REPO_FLAG="--repo ${BASH_REMATCH[2]}"
+fi
+
+# Query PR author + reviews. Use `gh pr view --json author,reviews`
+# rather than two separate `gh api` calls — single round-trip, gh
+# handles repo detection if --repo was on the original command.
+# Defense-in-depth: any failure (gh missing, network, 404, auth) →
+# fail-open. Same posture as check-gh-token.sh.
+#
+# Strip surrounding quotes from REPO_FLAG's value if quoted.
+PR_JSON=""
+# shellcheck disable=SC2086
+if ! PR_JSON="$(gh pr view "$PR_NUMBER" $REPO_FLAG --json author,reviews 2>/dev/null)"; then
+  exit 0
+fi
+if [[ -z "$PR_JSON" ]]; then
+  exit 0
+fi
+
+# author.login from `gh pr view --json author` returns either the bare
+# login (e.g. "octocat") for users or `app/<name>` for bots (e.g.
+# "app/macf-code-agent"). reviews[].author.login returns the bare
+# login form (e.g. "octocat" or "macf-science-agent" — no `app/`
+# prefix and no `[bot]` suffix). Normalize both to compare reliably:
+# strip `app/` prefix from author and `[bot]` suffix from both sides.
+PR_AUTHOR="$(jq -r '.author.login // ""' <<<"$PR_JSON" 2>/dev/null || echo "")"
+PR_AUTHOR="${PR_AUTHOR#app/}"
+PR_AUTHOR="${PR_AUTHOR%\[bot\]}"
+
+if [[ -z "$PR_AUTHOR" ]]; then
+  # Couldn't parse author — fail-open.
+  exit 0
+fi
+
+# Look for at least one APPROVED review where reviewer != author.
+# `gh pr view --json reviews` returns `[{author: {login: "..."}, state: "APPROVED"}, ...]`.
+NON_AUTHOR_APPROVALS="$(
+  jq -r --arg author "$PR_AUTHOR" '
+    [.reviews[]? |
+      select(.state == "APPROVED") |
+      (.author.login // "" | sub("^app/"; "") | sub("\\[bot\\]$"; "")) as $reviewer |
+      select($reviewer != "" and $reviewer != $author) |
+      $reviewer
+    ] | length
+  ' <<<"$PR_JSON" 2>/dev/null || echo "0"
+)"
+
+if [[ -z "$NON_AUTHOR_APPROVALS" ]] || ! [[ "$NON_AUTHOR_APPROVALS" =~ ^[0-9]+$ ]]; then
+  # Parse error — fail-open.
+  exit 0
+fi
+
+if [[ "$NON_AUTHOR_APPROVALS" -ge 1 ]]; then
+  # At least one non-author APPROVED review — allow merge.
+  exit 0
+fi
+
+# No non-author APPROVED review — block.
+cat >&2 <<ERR
+BLOCKED by MACF lgtm-gate hook: PR #${PR_NUMBER} has no non-author APPROVED
+review on record. Per pr-discipline.md "no LGTM = no merge" (canonical rule
+distributed via \`macf rules refresh\`):
+
+  "Without an explicit LGTM from the reviewer, the implementer does NOT
+  merge — even if waiting indefinitely."
+
+PR author: ${PR_AUTHOR}
+Non-author APPROVED reviews: 0
+
+The LGTM gate is structural — it ensures someone other than the implementer
+has read the diff in context. Self-merge without LGTM bypasses that quality
+gate even if the work is correct.
+
+Fix — request a formal review from a peer agent via state-change-firing
+mechanism (NOT a plain comment, per pr-discipline.md §"How to submit LGTM"):
+
+  gh pr review ${PR_NUMBER} --approve --body "LGTM"   # reviewer side
+  gh pr review ${PR_NUMBER} --request-changes --body "..."   # changes needed
+
+Then the reviewer @mentions you on the originating issue with the LGTM
+state-change as the wake signal.
+
+Override (ONLY for reporter-sanctioned exceptions per pr-discipline.md
+§"When the reviewer is absent or unreachable"):
+  export MACF_SKIP_LGTM_CHECK=1
+
+Refs: groundnuty/macf#270 (this hook); pr-discipline.md (canonical rule);
+DR-023 amendment (bash-form decision rule); macf#262 / PR #263 (rule
+codification origin).
+ERR
+exit 2