@groundnuty/macf 0.2.36 → 0.2.38

package/dist/cli/monitor/digest.js

@@ -0,0 +1,232 @@
+const DAY_MS = 24 * 60 * 60 * 1000;
+/** Assignment-label heuristic: labels ending in `-agent` are who-owns-it. */
+function isAssignmentLabel(label) {
+    return label.endsWith('-agent');
+}
+function ageInDays(createdAtIso, nowMs) {
+    const created = Date.parse(createdAtIso);
+    if (!Number.isFinite(created))
+        return 0;
+    return Math.floor((nowMs - created) / DAY_MS);
+}
+/** Compute the stale-issue set: open issues older than `sinceDays`. */
+export function computeStaleIssues(issues, sinceDays, nowMs) {
+    const stale = [];
+    for (const issue of issues) {
+        const ageDays = ageInDays(issue.createdAt, nowMs);
+        if (ageDays <= sinceDays)
+            continue;
+        const owner = issue.labels.find(isAssignmentLabel) ?? 'unassigned';
+        stale.push({ number: issue.number, title: issue.title, ageDays, owner });
+    }
+    // Oldest first — the operator's attention should go to the longest-stalled.
+    return stale.sort((a, b) => b.ageDays - a.ageDays);
+}
+/** Bucket open PRs by the action they need. */
+export function computePrBuckets(prs) {
+    const awaitingReview = [];
+    const approvedUnmerged = [];
+    const changesRequested = [];
+    const drafts = [];
+    for (const pr of prs) {
+        if (pr.isDraft) {
+            drafts.push(pr);
+            continue;
+        }
+        switch (pr.reviewDecision) {
+            case 'APPROVED':
+                approvedUnmerged.push(pr);
+                break;
+            case 'CHANGES_REQUESTED':
+                changesRequested.push(pr);
+                break;
+            // REVIEW_REQUIRED, null, or any other state → still needs a review.
+            default:
+                awaitingReview.push(pr);
+                break;
+        }
+    }
+    return { awaitingReview, approvedUnmerged, changesRequested, drafts };
+}
+/**
+ * Aggregate rule-evolution signals across every reflection record, grouped by
+ * (proposed_tier, dedup-handle). The dedup handle is the signal's `key` when
+ * present (the cross-agent dedup handle per the F2 schema) and the signal text
+ * otherwise. `count` is the number of DISTINCT AGENTS that raised the signal —
+ * the cross-agent corroboration count, NOT raw occurrences (five hits from one
+ * agent count as one). This is the occurrence-vs-distinct-agent distinction the
+ * auditor's N>1 promotion gate hinges on (macf#503/#514); the digest's "×N
+ * agents" label must reflect distinct agents, not it would imply a corroboration
+ * it never measured. `occurrences` keeps the raw record count for context.
+ */
+export function aggregateSignals(records) {
+    const byHandle = new Map();
+    for (const rec of records) {
+        const agentName = rec.agent.name;
+        for (const sig of rec.rule_evolution_signals) {
+            const hasKey = typeof sig.key === 'string' && sig.key.length > 0;
+            const handle = hasKey ? sig.key : sig.signal;
+            // Tier is part of the grouping key so the same handle proposed at two
+            // tiers shows up as two distinct candidate signals.
+            const mapKey = JSON.stringify([sig.proposed_tier, handle]);
+            const existing = byHandle.get(mapKey);
+            if (existing) {
+                existing.agents.add(agentName);
+                existing.occurrences += 1;
+            }
+            else {
+                byHandle.set(mapKey, {
+                    handle,
+                    proposedTier: sig.proposed_tier,
+                    signal: sig.signal,
+                    agents: new Set([agentName]),
+                    occurrences: 1,
+                    hasKey,
+                });
+            }
+        }
+    }
+    // Strongest cross-agent corroboration (distinct agents) first, then by tier.
+    return [...byHandle.values()]
+        .map((g) => ({
+        handle: g.handle,
+        proposedTier: g.proposedTier,
+        signal: g.signal,
+        count: g.agents.size,
+        occurrences: g.occurrences,
+        hasKey: g.hasKey,
+    }))
+        .sort((a, b) => b.count - a.count || a.proposedTier.localeCompare(b.proposedTier));
+}
+function countBreaches(records) {
+    return records.reduce((n, r) => n + r.breaches.length, 0);
+}
+function countUnresolved(records) {
+    return records.reduce((n, r) => n + r.unresolved.length, 0);
+}
+/** ISO8601 UTC, seconds precision (matches the reflection schema's timestamp). */
+function isoUtc(ms) {
+    return new Date(ms).toISOString().replace(/\.\d{3}Z$/, 'Z');
+}
+/**
+ * Build the full Markdown protocol-health digest.
+ *
+ * Sections: header → Stale issues → PRs awaiting action → Aggregated reflection
+ * signals → Summary. Drift / stale state / candidate signals are SURFACED, not
+ * acted on; a one-line note records that proposing/actuation is gated (G1).
+ */
+export function buildDigest(input) {
+    const nowMs = input.now();
+    const stale = computeStaleIssues(input.issues, input.sinceDays, nowMs);
+    const buckets = computePrBuckets(input.prs);
+    const signals = aggregateSignals(input.reflections);
+    const breachCount = countBreaches(input.reflections);
+    const unresolvedCount = countUnresolved(input.reflections);
+    const lines = [];
+    // --- Header ---
+    lines.push(`# Protocol-Health Digest — ${input.project}`);
+    lines.push('');
+    lines.push(`- Repo: \`${input.repo}\``);
+    lines.push(`- Generated at: ${isoUtc(nowMs)}`);
+    lines.push(`- Stale threshold: ${input.sinceDays} days`);
+    lines.push(`- Read-only auditor (DR-026 F4). Drift + candidate signals below are ` +
+        `**surfaced, not acted on** — proposing/actuation is gated (DR-026 G1).`);
+    lines.push('');
+    // --- Stale issues ---
+    lines.push('## Stale issues');
+    lines.push('');
+    if (stale.length === 0) {
+        lines.push(`_No open issues older than ${input.sinceDays} days._`);
+    }
+    else {
+        const byOwner = new Map();
+        for (const s of stale) {
+            const arr = byOwner.get(s.owner) ?? [];
+            arr.push(s);
+            byOwner.set(s.owner, arr);
+        }
+        for (const owner of [...byOwner.keys()].sort()) {
+            lines.push(`### ${owner}`);
+            lines.push('');
+            for (const s of byOwner.get(owner)) {
+                lines.push(`- #${s.number} — ${s.title} (${s.ageDays}d open)`);
+            }
+            lines.push('');
+        }
+        // Trailing blank from the loop is fine; normalize below.
+    }
+    lines.push('');
+    // --- PRs awaiting action ---
+    lines.push('## PRs awaiting action');
+    lines.push('');
+    const prSection = (heading, prs) => {
+        lines.push(`### ${heading}`);
+        lines.push('');
+        if (prs.length === 0) {
+            lines.push('_none_');
+        }
+        else {
+            for (const pr of prs) {
+                lines.push(`- #${pr.number} — ${pr.title}`);
+            }
+        }
+        lines.push('');
+    };
+    prSection('Awaiting review', buckets.awaitingReview);
+    prSection('Approved, unmerged', buckets.approvedUnmerged);
+    prSection('Changes requested', buckets.changesRequested);
+    if (buckets.drafts.length > 0) {
+        prSection('Drafts', buckets.drafts);
+    }
+    // --- Aggregated reflection signals ---
+    lines.push('## Aggregated reflection signals');
+    lines.push('');
+    lines.push(`_Candidate rule-evolution signals harvested from F2 reflections — ` +
+        `surfaced for operator awareness, not proposed (G1)._`);
+    lines.push('');
+    if (signals.length === 0) {
+        lines.push('_No rule-evolution signals in the reflection ledgers._');
+        lines.push('');
+    }
+    else {
+        const byTier = new Map();
+        for (const sig of signals) {
+            const arr = byTier.get(sig.proposedTier) ?? [];
+            arr.push(sig);
+            byTier.set(sig.proposedTier, arr);
+        }
+        for (const tier of [...byTier.keys()].sort()) {
+            lines.push(`### proposed_tier: ${tier}`);
+            lines.push('');
+            for (const sig of byTier.get(tier)) {
+                const dedup = sig.hasKey
+                    ? ` [key: \`${sig.handle}\`]`
+                    : '';
+                const corroboration = sig.count > 1 ? ` (×${sig.count} agents)` : '';
+                lines.push(`- ${sig.signal}${dedup}${corroboration}`);
+            }
+            lines.push('');
+        }
+    }
+    // --- Summary ---
+    lines.push('## Summary');
+    lines.push('');
+    lines.push(`- Open issues: ${input.issues.length} (stale: ${stale.length})`);
+    lines.push(`- Open PRs: ${input.prs.length} ` +
+        `(awaiting review: ${buckets.awaitingReview.length}, ` +
+        `approved-unmerged: ${buckets.approvedUnmerged.length}, ` +
+        `changes-requested: ${buckets.changesRequested.length})`);
+    lines.push(`- Reflection records: ${input.reflections.length} ` +
+        `across ${input.reflectionFiles} ledger file(s) ` +
+        `(skipped malformed lines: ${input.reflectionsSkipped})`);
+    lines.push(`- Candidate signals: ${signals.length} | ` +
+        `breaches: ${breachCount} | unresolved: ${unresolvedCount}`);
+    lines.push(`- Project-tier rules present: ${input.projectRulesCount}`);
+    lines.push('');
+    lines.push(`> This is a read-only protocol-health report. No issues were created, ` +
+        `commented on, closed, or merged. Proposing rule changes / actuation is a ` +
+        `separate, ratification-gated step (DR-026 G1).`);
+    // Collapse any accidental 3+ blank-line runs to a single blank line.
+    return lines.join('\n').replace(/\n{3,}/g, '\n\n') + '\n';
+}
+//# sourceMappingURL=digest.js.map

package/dist/cli/monitor/digest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"digest.js","sourceRoot":"","sources":["../../../src/cli/monitor/digest.ts"],"names":[],"mappings":"AAoBA,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnC,6EAA6E;AAC7E,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAoDD,SAAS,SAAS,CAAC,YAAoB,EAAE,KAAa;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,CAAC,CAAC;IACxC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;AAChD,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,kBAAkB,CAChC,MAA+B,EAC/B,SAAiB,EACjB,KAAa;IAEb,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAClD,IAAI,OAAO,IAAI,SAAS;YAAE,SAAS;QACnC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,YAAY,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,4EAA4E;IAC5E,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC;AACrD,CAAC;AAED,+CAA+C;AAC/C,MAAM,UAAU,gBAAgB,CAAC,GAAyB;IACxD,MAAM,cAAc,GAAgB,EAAE,CAAC;IACvC,MAAM,gBAAgB,GAAgB,EAAE,CAAC;IACzC,MAAM,gBAAgB,GAAgB,EAAE,CAAC;IACzC,MAAM,MAAM,GAAgB,EAAE,CAAC;IAE/B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChB,SAAS;QACX,CAAC;QACD,QAAQ,EAAE,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,UAAU;gBACb,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,mBAAmB;gBACtB,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC1B,MAAM;YACR,oEAAoE;YACpE;gBACE,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACxB,MAAM;QACV,CAAC;IACH,CAAC;IACD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,EAAE,CAAC;AACxE,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAoC;IAYpC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAiB,CAAC;IAE1C,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;QACjC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,sBAAwD,EAAE,CAAC;YAC/E,MAAM,MAAM,GAAG,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAI,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;YAC9C,sEAAsE;YACtE,oDAAoD;YACpD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC;YAC3D,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACtC,IAAI,QAAQ,EAAE,CAAC;gBACb,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC/B,QAAQ,CAAC,WAAW,IAAI,CAAC,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE;oBACnB,MAAM;oBACN,YAAY,EAAE,GAAG,CAAC,aAAa;oBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;oBAC5B,WAAW,EAAE,CAAC;oBACd,MAAM;iBACP,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,OAAO,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;SAC1B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,YAAY,EAAE,CAAC,CAAC,YAAY;QAC5B,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI;QACpB,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC;SACF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;AACvF,CAAC;AAED,SAAS,aAAa,CAAC,OAAoC;IACzD,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,eAAe,CAAC,OAAoC;IAC3D,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,kFAAkF;AAClF,SAAS,MAAM,CAAC,EAAU;IACxB,OAAO,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;AAC9D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,KAAkB;IAC5C,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,kBAAkB,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACvE,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACpD,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACrD,MAAM,eAAe,GAAG,eAAe,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAE3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,iBAAiB;IACjB,KAAK,CAAC,IAAI,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,sBAAsB,KAAK,CAAC,SAAS,OAAO,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CACR,uEAAuE;QACvE,wEAAwE,CACzE,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,uBAAuB;IACvB,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,8BAA8B,KAAK,CAAC,SAAS,SAAS,CAAC,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,IAAI,GAAG,EAAwB,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACvC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5B,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YAC/C,KAAK,CAAC,IAAI,CAAC,OAAO,KAAK,EAAE,CAAC,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAE,EAAE,CAAC;gBACpC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,OAAO,SAAS,CAAC,CAAC;YACjE,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,yDAAyD;IAC3D,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,8BAA8B;IAC9B,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACrC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,MAAM,SAAS,GAAG,CAAC,OAAe,EAAE,GAAyB,EAAQ,EAAE;QACrE,KAAK,CAAC,IAAI,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;gBACrB,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,MAAM,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC,CAAC;IACF,SAAS,CAAC,iBAAiB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACrD,SAAS,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC1D,SAAS,CAAC,mBAAmB,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACzD,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,wCAAwC;IACxC,KAAK,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC/C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,oEAAoE;QACpE,sDAAsD,CACvD,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;QACrE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,IAAI,GAAG,EAA8B,CAAC;QACrD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;YAC/C,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACd,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;QACpC,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YAC7C,KAAK,CAAC,IAAI,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,CAAE,EAAE,CAAC;gBACpC,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM;oBACtB,CAAC,CAAC,YAAY,GAAG,CAAC,MAAM,KAAK;oBAC7B,CAAC,CAAC,EAAE,CAAC;gBACP,MAAM,aAAa,GAAG,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrE,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,MAAM,GAAG,KAAK,GAAG,aAAa,EAAE,CAAC,CAAC;YACxD,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,KAAK,CAAC,MAAM,CAAC,MAAM,YAAY,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7E,KAAK,CAAC,IAAI,CACR,eAAe,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG;QAClC,qBAAqB,OAAO,CAAC,cAAc,CAAC,MAAM,IAAI;QACtD,sBAAsB,OAAO,CAAC,gBAAgB,CAAC,MAAM,IAAI;QACzD,sBAAsB,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CACzD,CAAC;IACF,KAAK,CAAC,IAAI,CACR,yBAAyB,KAAK,CAAC,WAAW,CAAC,MAAM,GAAG;QACpD,UAAU,KAAK,CAAC,eAAe,kBAAkB;QACjD,6BAA6B,KAAK,CAAC,kBAAkB,GAAG,CACzD,CAAC;IACF,KAAK,CAAC,IAAI,CACR,wBAAwB,OAAO,CAAC,MAAM,KAAK;QAC3C,aAAa,WAAW,kBAAkB,eAAe,EAAE,CAC5D,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,iCAAiC,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAC;IACvE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,wEAAwE;QACxE,2EAA2E;QAC3E,gDAAgD,CACjD,CAAC;IAEF,qEAAqE;IACrE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;AAC5D,CAAC"}

package/dist/cli/monitor/github-reader.d.ts

@@ -0,0 +1,38 @@
+/** A single open issue, as read from `gh issue list --json`. */
+export interface MonitorIssue {
+    readonly number: number;
+    readonly title: string;
+    /** ISO8601 creation timestamp (for stale detection). */
+    readonly createdAt: string;
+    /** Assignment + status labels (we group stale issues by assignment label). */
+    readonly labels: readonly string[];
+}
+/** A single open PR, as read from `gh pr list --json`. */
+export interface MonitorPR {
+    readonly number: number;
+    readonly title: string;
+    readonly createdAt: string;
+    /** GitHub's review decision: APPROVED / CHANGES_REQUESTED / REVIEW_REQUIRED / null. */
+    readonly reviewDecision: string | null;
+    /** GitHub's mergeable state string (e.g. CLEAN, BLOCKED, DIRTY, UNKNOWN). */
+    readonly mergeStateStatus: string | null;
+    readonly isDraft: boolean;
+}
+/**
+ * The read-only GitHub seam. Implementations MUST perform only reads. The
+ * Monitor command depends on this interface (not on `gh` directly) so tests can
+ * inject a fake + assert no mutation ever happens.
+ */
+export interface GitHubReader {
+    listOpenIssues(repo: string): Promise<readonly MonitorIssue[]>;
+    listOpenPRs(repo: string): Promise<readonly MonitorPR[]>;
+}
+/**
+ * The production GitHub reader: shells out to `gh` for issue/PR LISTS only.
+ *
+ * `token` is forwarded as `GH_TOKEN` in the subprocess env — the canonical bot
+ * auth posture. Both calls are pure reads (`gh issue list`, `gh pr list`); this
+ * class has no write path at all.
+ */
+export declare function createGhReader(token: string): GitHubReader;
+//# sourceMappingURL=github-reader.d.ts.map

package/dist/cli/monitor/github-reader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-reader.d.ts","sourceRoot":"","sources":["../../../src/cli/monitor/github-reader.ts"],"names":[],"mappings":"AAoBA,gEAAgE;AAChE,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,wDAAwD;IACxD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,8EAA8E;IAC9E,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC;AAED,0DAA0D;AAC1D,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,uFAAuF;IACvF,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IACvC,6EAA6E;IAC7E,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;CAC3B;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,YAAY,EAAE,CAAC,CAAC;IAC/D,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,SAAS,EAAE,CAAC,CAAC;CAC1D;AAoBD;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,YAAY,CAgD1D"}

package/dist/cli/monitor/github-reader.js

@@ -0,0 +1,65 @@
+/**
+ * Read-only GitHub seam for the auditor Monitor (groundnuty/macf#502, DR-026 F4).
+ *
+ * THE LOAD-BEARING INVARIANT: the Monitor is strictly READ-ONLY. This interface
+ * exposes ONLY read operations — `listOpenIssues` + `listOpenPRs`. There is
+ * deliberately NO create/comment/close/merge/edit method on the seam, so a
+ * mutation is not merely "discouraged" but *unrepresentable* through the type.
+ * Tests inject a fake implementation and assert it received reads only.
+ *
+ * The default implementation shells out to the `gh` CLI via `execFile` — the
+ * same canonical read pattern as `src/plugin/lib/work.ts#checkIssues`. It only
+ * ever invokes `gh issue list` / `gh pr list` (both pure reads). The token is
+ * passed via the `GH_TOKEN` env (the house auth posture), never baked into a
+ * remote or used for a write.
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+/**
+ * The production GitHub reader: shells out to `gh` for issue/PR LISTS only.
+ *
+ * `token` is forwarded as `GH_TOKEN` in the subprocess env — the canonical bot
+ * auth posture. Both calls are pure reads (`gh issue list`, `gh pr list`); this
+ * class has no write path at all.
+ */
+export function createGhReader(token) {
+    const env = { ...process.env, GH_TOKEN: token };
+    return {
+        async listOpenIssues(repo) {
+            const { stdout } = await execFileAsync('gh', [
+                'issue', 'list',
+                '--repo', repo,
+                '--state', 'open',
+                '--limit', '500',
+                '--json', 'number,title,createdAt,labels',
+            ], { encoding: 'utf-8', env, maxBuffer: 32 * 1024 * 1024 });
+            const rows = JSON.parse(stdout);
+            return rows.map((r) => ({
+                number: r.number,
+                title: r.title,
+                createdAt: r.createdAt,
+                labels: (r.labels ?? []).map((l) => l.name),
+            }));
+        },
+        async listOpenPRs(repo) {
+            const { stdout } = await execFileAsync('gh', [
+                'pr', 'list',
+                '--repo', repo,
+                '--state', 'open',
+                '--limit', '500',
+                '--json', 'number,title,createdAt,reviewDecision,mergeStateStatus,isDraft',
+            ], { encoding: 'utf-8', env, maxBuffer: 32 * 1024 * 1024 });
+            const rows = JSON.parse(stdout);
+            return rows.map((r) => ({
+                number: r.number,
+                title: r.title,
+                createdAt: r.createdAt,
+                reviewDecision: r.reviewDecision ?? null,
+                mergeStateStatus: r.mergeStateStatus ?? null,
+                isDraft: r.isDraft ?? false,
+            }));
+        },
+    };
+}
+//# sourceMappingURL=github-reader.js.map

package/dist/cli/monitor/github-reader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-reader.js","sourceRoot":"","sources":["../../../src/cli/monitor/github-reader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAoD1C;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAEhD,OAAO;QACL,KAAK,CAAC,cAAc,CAAC,IAAY;YAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,IAAI,EACJ;gBACE,OAAO,EAAE,MAAM;gBACf,QAAQ,EAAE,IAAI;gBACd,SAAS,EAAE,MAAM;gBACjB,SAAS,EAAE,KAAK;gBAChB,QAAQ,EAAE,+BAA+B;aAC1C,EACD,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACxD,CAAC;YACF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA0B,CAAC;YACzD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,MAAM,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;aAC5C,CAAC,CAAC,CAAC;QACN,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,IAAY;YAC5B,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,IAAI,EACJ;gBACE,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,IAAI;gBACd,SAAS,EAAE,MAAM;gBACjB,SAAS,EAAE,KAAK;gBAChB,QAAQ,EAAE,gEAAgE;aAC3E,EACD,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACxD,CAAC;YACF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAuB,CAAC;YACtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,cAAc,EAAE,CAAC,CAAC,cAAc,IAAI,IAAI;gBACxC,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,IAAI,IAAI;gBAC5C,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,KAAK;aAC5B,CAAC,CAAC,CAAC;QACN,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/cli/monitor/reflections.d.ts

@@ -0,0 +1,18 @@
+import { type ReflectionRecord } from '@groundnuty/macf-core';
+export interface ReflectionsReadResult {
+    /** All successfully-parsed reflection records across every ledger file. */
+    readonly records: readonly ReflectionRecord[];
+    /** Count of JSONL lines that failed to parse (surfaced, never fatal). */
+    readonly skipped: number;
+    /** Number of `*.jsonl` ledger files read. */
+    readonly files: number;
+}
+/**
+ * Read all reflection records from the JSONL ledgers under `dir`.
+ *
+ * Returns an empty result (no throw) when `dir` doesn't exist or contains no
+ * `*.jsonl` files — a project that hasn't compacted yet is a valid state, not
+ * an error.
+ */
+export declare function readReflections(dir: string): ReflectionsReadResult;
+//# sourceMappingURL=reflections.d.ts.map

package/dist/cli/monitor/reflections.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reflections.d.ts","sourceRoot":"","sources":["../../../src/cli/monitor/reflections.ts"],"names":[],"mappings":"AAcA,OAAO,EAA0B,KAAK,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAEtF,MAAM,WAAW,qBAAqB;IACpC,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,EAAE,SAAS,gBAAgB,EAAE,CAAC;IAC9C,yEAAyE;IACzE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,qBAAqB,CA+ClE"}

package/dist/cli/monitor/reflections.js

@@ -0,0 +1,72 @@
+/**
+ * Read + parse F2 reflection JSONL ledgers for the auditor Monitor
+ * (groundnuty/macf#502, DR-026 F4).
+ *
+ * Reads every `*.jsonl` file under the reflections directory, parses each line
+ * with `ReflectionRecordSchema`, and skips malformed lines DEFENSIVELY — a
+ * single bad line (truncated write, hand-edit, schema drift) must never make the
+ * whole digest fatal. Skipped-line counts are surfaced in the result so the
+ * digest can note them rather than hide them.
+ *
+ * This is a pure read: it only opens files for reading. No mutation.
+ */
+import { readdirSync, readFileSync, existsSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { ReflectionRecordSchema } from '@groundnuty/macf-core';
+/**
+ * Read all reflection records from the JSONL ledgers under `dir`.
+ *
+ * Returns an empty result (no throw) when `dir` doesn't exist or contains no
+ * `*.jsonl` files — a project that hasn't compacted yet is a valid state, not
+ * an error.
+ */
+export function readReflections(dir) {
+    if (!existsSync(dir)) {
+        return { records: [], skipped: 0, files: 0 };
+    }
+    let entries;
+    try {
+        entries = readdirSync(dir).filter((f) => f.endsWith('.jsonl'));
+    }
+    catch {
+        return { records: [], skipped: 0, files: 0 };
+    }
+    const records = [];
+    let skipped = 0;
+    let files = 0;
+    for (const entry of entries) {
+        const path = join(dir, entry);
+        let raw;
+        try {
+            if (!statSync(path).isFile())
+                continue;
+            raw = readFileSync(path, 'utf-8');
+        }
+        catch {
+            continue; // unreadable file — skip the whole file, not fatal
+        }
+        files += 1;
+        for (const line of raw.split('\n')) {
+            const trimmed = line.trim();
+            if (trimmed.length === 0)
+                continue; // blank lines are not failures
+            let parsedJson;
+            try {
+                parsedJson = JSON.parse(trimmed);
+            }
+            catch {
+                skipped += 1; // not valid JSON — skip defensively
+                continue;
+            }
+            const result = ReflectionRecordSchema.safeParse(parsedJson);
+            if (result.success) {
+                records.push(result.data);
+            }
+            else {
+                skipped += 1; // valid JSON but wrong shape — skip defensively
+            }
+        }
+    }
+    return { records, skipped, files };
+}
+//# sourceMappingURL=reflections.js.map

package/dist/cli/monitor/reflections.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reflections.js","sourceRoot":"","sources":["../../../src/cli/monitor/reflections.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,sBAAsB,EAAyB,MAAM,uBAAuB,CAAC;AAWtF;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC/C,CAAC;IAED,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IAC/C,CAAC;IAED,MAAM,OAAO,GAAuB,EAAE,CAAC;IACvC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC9B,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE;gBAAE,SAAS;YACvC,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,mDAAmD;QAC/D,CAAC;QACD,KAAK,IAAI,CAAC,CAAC;QAEX,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS,CAAC,+BAA+B;YACnE,IAAI,UAAmB,CAAC;YACxB,IAAI,CAAC;gBACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC,CAAC,CAAC,oCAAoC;gBAClD,SAAS;YACX,CAAC;YACD,MAAM,MAAM,GAAG,sBAAsB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;YAC5D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,OAAO,IAAI,CAAC,CAAC,CAAC,gDAAgD;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC"}

package/dist/cli/monitor/run.d.ts

@@ -0,0 +1,30 @@
+import { type Clock } from './digest.js';
+import type { GitHubReader } from './github-reader.js';
+export interface RunMonitorOptions {
+    readonly project: string;
+    readonly repo: string;
+    readonly sinceDays: number;
+    /** Directory holding the F2 reflection JSONL ledgers. */
+    readonly reflectionsDir: string;
+    /**
+     * Workspace root used to locate `.claude/rules/project/*.md` for the
+     * (optional, defensive) project-tier rule count. F3 (`project-rules.ts`) is
+     * not on this branch, so we check the filesystem directly rather than import.
+     */
+    readonly workspaceDir: string;
+    readonly reader: GitHubReader;
+    readonly now: Clock;
+}
+/**
+ * Count `.claude/rules/project/*.md` files. Defensive: returns 0 (never throws)
+ * when the directory is absent — F3 isn't merged, so its absence is normal.
+ */
+export declare function countProjectRules(workspaceDir: string): number;
+/**
+ * Run the Monitor: read everything, build the digest, return the Markdown.
+ *
+ * Only READS are performed. Any GitHub read failure is surfaced as a thrown
+ * error to the caller (the CLI command), which decides how to report it.
+ */
+export declare function runMonitor(opts: RunMonitorOptions): Promise<string>;
+//# sourceMappingURL=run.d.ts.map

package/dist/cli/monitor/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../../src/cli/monitor/run.ts"],"names":[],"mappings":"AAcA,OAAO,EAAe,KAAK,KAAK,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGvD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,yDAAyD;IACzD,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC;;;;OAIG;IACH,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAe9D;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBzE"}

package/dist/cli/monitor/run.js

@@ -0,0 +1,67 @@
+/**
+ * Read-only Monitor orchestrator for the auditor (groundnuty/macf#502, DR-026 F4).
+ *
+ * Aggregates a project's coordination substrate — GitHub (open issues + open
+ * PRs, via an injectable read-only seam), F2 reflection ledgers, and a defensive
+ * project-tier rule count — and renders a protocol-health digest via the pure
+ * `buildDigest`.
+ *
+ * Everything here is a READ. The GitHub seam is `GitHubReader` (list-only by
+ * type); reflections + project-rule counts are filesystem reads. The clock is
+ * injected so output is deterministic under test.
+ */
+import { readdirSync, existsSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { buildDigest } from './digest.js';
+import { readReflections } from './reflections.js';
+/**
+ * Count `.claude/rules/project/*.md` files. Defensive: returns 0 (never throws)
+ * when the directory is absent — F3 isn't merged, so its absence is normal.
+ */
+export function countProjectRules(workspaceDir) {
+    const dir = join(workspaceDir, '.claude', 'rules', 'project');
+    if (!existsSync(dir))
+        return 0;
+    try {
+        return readdirSync(dir).filter((f) => {
+            if (!f.endsWith('.md'))
+                return false;
+            try {
+                return statSync(join(dir, f)).isFile();
+            }
+            catch {
+                return false;
+            }
+        }).length;
+    }
+    catch {
+        return 0;
+    }
+}
+/**
+ * Run the Monitor: read everything, build the digest, return the Markdown.
+ *
+ * Only READS are performed. Any GitHub read failure is surfaced as a thrown
+ * error to the caller (the CLI command), which decides how to report it.
+ */
+export async function runMonitor(opts) {
+    const [issues, prs] = await Promise.all([
+        opts.reader.listOpenIssues(opts.repo),
+        opts.reader.listOpenPRs(opts.repo),
+    ]);
+    const reflections = readReflections(opts.reflectionsDir);
+    const projectRulesCount = countProjectRules(opts.workspaceDir);
+    return buildDigest({
+        project: opts.project,
+        repo: opts.repo,
+        sinceDays: opts.sinceDays,
+        issues,
+        prs,
+        reflections: reflections.records,
+        reflectionsSkipped: reflections.skipped,
+        reflectionFiles: reflections.files,
+        projectRulesCount,
+        now: opts.now,
+    });
+}
+//# sourceMappingURL=run.js.map

package/dist/cli/monitor/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../../src/cli/monitor/run.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAc,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAkBnD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,YAAoB;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACnC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACrC,IAAI,CAAC;gBACH,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;YACzC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC,CAAC,CAAC,MAAM,CAAC;IACZ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAuB;IACtD,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;KACnC,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACzD,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAE/D,OAAO,WAAW,CAAC;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,MAAM;QACN,GAAG;QACH,WAAW,EAAE,WAAW,CAAC,OAAO;QAChC,kBAAkB,EAAE,WAAW,CAAC,OAAO;QACvC,eAAe,EAAE,WAAW,CAAC,KAAK;QAClC,iBAAiB;QACjB,GAAG,EAAE,IAAI,CAAC,GAAG;KACd,CAAC,CAAC;AACL,CAAC"}

package/dist/cli/proc-scan.d.ts

@@ -0,0 +1,81 @@
+/** The MACF process kinds this scanner recognises. */
+export type MacfProcessKind = 'claude' | 'channel-server';
+/** Where an agent identity was sourced from (precedence high→low). */
+export type IdentitySource = 'otel' | 'env-name' | 'env-label';
+/**
+ * Injectable `/proc` reader. The default implementation reads the real
+ * filesystem; tests pass a synthetic one. Every accessor returns `null`
+ * rather than throwing so a PID vanishing mid-scan (ESRCH) or owned by
+ * another user (EACCES) degrades to "unknown", not a crash.
+ */
+export interface ProcReader {
+    /** Is `/proc`-based introspection available on this host? */
+    readonly available: () => boolean;
+    /** Numeric PID directory names under `/proc`. */
+    readonly listPids: () => readonly string[];
+    /** `readlink /proc/<pid>/cwd` — absolute path, or null. */
+    readonly readCwd: (pid: string) => string | null;
+    /** Raw NUL-separated `/proc/<pid>/cmdline`, or null. */
+    readonly readCmdline: (pid: string) => string | null;
+    /** Raw NUL-separated `/proc/<pid>/environ`, or null. */
+    readonly readEnviron: (pid: string) => string | null;
+}
+/** One discovered MACF process, keyed by its own cwd + identity. */
+export interface MacfProcess {
+    readonly pid: string;
+    readonly kind: MacfProcessKind;
+    /** Absolute cwd from `/proc/<pid>/cwd` (the disambiguation key). */
+    readonly cwd: string | null;
+    /** `basename(cwd)` for compact display. */
+    readonly cwdBasename: string | null;
+    /** Resolved agent identity (see `agentIdentityFromEnv`). */
+    readonly agentIdentity: string | null;
+    readonly identitySource: IdentitySource | null;
+    /** `MACF_PORT` from the process environment. */
+    readonly port: string | null;
+    /** `OTEL_EXPORTER_OTLP_ENDPOINT` from the process environment. */
+    readonly otelEndpoint: string | null;
+}
+/** Split a NUL-separated `/proc` blob (cmdline / environ) into tokens. */
+export declare function splitNul(raw: string): readonly string[];
+/**
+ * Parse a NUL-separated `/proc/<pid>/environ` blob into a key→value map.
+ * Splits each entry on the FIRST `=` (values may contain `=`).
+ */
+export declare function parseEnviron(raw: string): Readonly<Record<string, string>>;
+/**
+ * Parse an `OTEL_RESOURCE_ATTRIBUTES` value (`k1=v1,k2=v2`) into a map.
+ * Used to recover `gen_ai.agent.name`, the OTEL-canonical agent identity.
+ */
+export declare function parseOtelResourceAttributes(value: string): Readonly<Record<string, string>>;
+/**
+ * Resolve an agent identity from a process environment, in precedence order:
+ *   1. `gen_ai.agent.name` inside `OTEL_RESOURCE_ATTRIBUTES` (telemetry-canonical)
+ *   2. `MACF_AGENT_NAME`
+ *   3. `MACF_ROUTING_LABEL`
+ * Returns null when none is present.
+ */
+export declare function agentIdentityFromEnv(env: Readonly<Record<string, string>>): {
+    readonly identity: string;
+    readonly source: IdentitySource;
+} | null;
+/**
+ * Classify a raw cmdline blob as a MACF process kind, or null if it's neither.
+ * channel-server wins over claude (a server is a node process that never
+ * carries a `claude` argv0). claude matches when any argv token's basename is
+ * exactly `claude` (covers `claude`, `/usr/local/bin/claude`, `.../bin/claude`).
+ */
+export declare function classifyCmdline(raw: string): MacfProcessKind | null;
+/**
+ * Enumerate every MACF claude / channel-server process via the reader.
+ * PURE w.r.t. the reader: no real-process dependency. Each process is keyed by
+ * its OWN cwd + environment — never `head -1`. Returns a stable ordering
+ * (by cwd, then kind, then numeric pid) for readable, diffable output.
+ */
+export declare function scanMacfProcesses(reader: ProcReader): readonly MacfProcess[];
+/**
+ * Real `/proc` reader. Each accessor swallows errors → null so a PID racing
+ * away mid-scan or an unreadable (other-user) process degrades gracefully.
+ */
+export declare const defaultProcReader: ProcReader;
+//# sourceMappingURL=proc-scan.d.ts.map