@groundnuty/macf 0.2.36 → 0.2.38

package/dist/cli/propose/report.js

@@ -0,0 +1,227 @@
+/**
+ * Pure formatters for the auditor Plan membrane (groundnuty/macf#503, DR-026 G1).
+ *
+ * Two outputs, both deterministic (no I/O, no clock):
+ *   - `buildProposalBody` — the Markdown body of ONE ratifiable proposal issue,
+ *     assembled from the AGENT-AUTHORED signal content (signal text + rationales)
+ *     plus the mechanical metadata (tier, route, distinct-agent corroboration,
+ *     invariant touchpoints, HIGH-RISK flag).
+ *   - `buildReport` — the dry-run Markdown report printed to stdout/--output: the
+ *     promoted candidates (each rendered as a proposal preview) PLUS a separate,
+ *     visible "HELD (N<threshold)" section. The default mode opens NOTHING; this
+ *     report IS the default-mode artifact.
+ *
+ * Every proposal makes its non-actuation explicit: the operator ratifies; the
+ * auditor never merges/applies (invariants #8 + #9).
+ */
+import { PROPOSAL_LABEL } from './proposal-writer.js';
+/** Human-readable route label for the report + body. */
+function routeLabel(route) {
+    switch (route) {
+        case 'needs-confirmation':
+            return 'NEEDS-CONFIRMATION (universal/canonical — never auto-routed)';
+        case 'project-draft':
+            return 'project-rule draft';
+        case 'review':
+            return 'operator review (unrecognised tier hint)';
+    }
+}
+/** A short, stable proposal title from the candidate. */
+export function proposalTitle(c) {
+    const flag = c.highRisk ? '[HIGH-RISK] ' : '';
+    const oneLine = c.signal.replace(/\s+/g, ' ').trim();
+    const truncated = oneLine.length > 90 ? `${oneLine.slice(0, 87)}…` : oneLine;
+    return `auditor-proposal: ${flag}${truncated}`;
+}
+/** Render the invariant-touchpoints block (SURFACED — never a drop). */
+function invariantBlock(c) {
+    const lines = [];
+    lines.push('## Subordination check (protected invariants)');
+    lines.push('');
+    if (c.invariantTouches.length === 0) {
+        lines.push('_No protected invariant appears to be touched (heuristic match)._');
+    }
+    else {
+        lines.push('This candidate plausibly TOUCHES the following protected invariant(s). ' +
+            'Touched ≠ rejected: `protected-invariants.md` permits the auditor to ' +
+            '*propose* an operator-ratified amendment, so this is SURFACED for the ' +
+            'operator to judge weaken-vs-amend — it is never auto-dropped (DR-026 G1).');
+        lines.push('');
+        for (const t of c.invariantTouches) {
+            lines.push(`- **#${t.index} ${t.title}** (matched: ${t.matchedKeywords.join(', ')})`);
+        }
+    }
+    lines.push('');
+    if (c.highRisk) {
+        lines.push('> **HIGH-RISK — apparent relaxation.** The candidate text reads like it ' +
+            'WEAKENS a touched invariant. An invariant-weakening proposal is wrong by ' +
+            'construction (reject at ratification) UNLESS it is a deliberate ' +
+            'constitutional amendment — route it as one. The operator distinguishes ' +
+            '(v1-manual; the automated weaken-vs-amend call is DR-026 G3).');
+        lines.push('');
+    }
+    return lines;
+}
+/**
+ * Build the Markdown body for one ratifiable proposal issue. Pure assembly of
+ * agent-authored content + mechanical metadata; no LLM judgment is encoded.
+ */
+export function buildProposalBody(c) {
+    const lines = [];
+    lines.push('> **Auditor proposal (DR-026 G1).** Generated by `macf propose` ' +
+        'from corroborated F2 reflection signals. The auditor PROPOSES only — the ' +
+        'operator ratifies. This issue is **never auto-merged or auto-applied** ' +
+        '(invariants #8 auditor-never-acts + #9 operator-as-ratifier).');
+    lines.push('');
+    lines.push('## Proposed rule signal');
+    lines.push('');
+    lines.push(c.signal.trim());
+    lines.push('');
+    lines.push('## Tier + routing');
+    lines.push('');
+    lines.push(`- Proposed tier (agent hint): \`${c.proposedTier}\``);
+    lines.push(`- Routing: ${routeLabel(c.route)}`);
+    lines.push(`- Dedup handle: \`${c.handle}\`${c.hasKey ? ' (explicit key)' : ' (from signal text)'}`);
+    lines.push('');
+    lines.push('## Corroboration (GATE 1 — distinct agents)');
+    lines.push('');
+    lines.push(`- Distinct agents: **${c.distinctAgents}** ` +
+        `(${c.corroboratingAgents.join(', ')})`);
+    lines.push(`- Raw occurrences: ${c.occurrences}`);
+    lines.push('- Promotability is gated on DISTINCT AGENTS, not occurrences: ' +
+        'one agent reflecting N times is N=1 (reflection ≠ verification).');
+    lines.push('');
+    lines.push('## Rationale (agent-authored)');
+    lines.push('');
+    if (c.rationales.length === 0) {
+        lines.push('_No rationale supplied in the reflection signal(s)._');
+    }
+    else {
+        for (const r of c.rationales) {
+            lines.push(`- ${r.trim()}`);
+        }
+    }
+    lines.push('');
+    lines.push(...invariantBlock(c));
+    lines.push('---');
+    lines.push('');
+    lines.push('_Ratification is the operator\'s. To accept: distil into the appropriate ' +
+        'rule tier via a PR (universal → upstream; project → local project rule), ' +
+        'review + merge per `pr-discipline`. To reject: close with rationale. ' +
+        'A touched/HIGH-RISK invariant is an operator judgment call, not an ' +
+        'auto-drop (DR-026 G1; weaken-vs-amend automation is G3)._');
+    return lines.join('\n') + '\n';
+}
+/** Build the full `ProposalIssueInput` (title + body + labels) for a candidate. */
+export function buildProposalIssueInput(repo, c) {
+    const labels = [PROPOSAL_LABEL];
+    if (c.route === 'needs-confirmation')
+        labels.push('needs-confirmation');
+    if (c.highRisk)
+        labels.push('high-risk');
+    return {
+        repo,
+        title: proposalTitle(c),
+        body: buildProposalBody(c),
+        labels,
+    };
+}
+/** Render one promoted candidate as a compact preview in the report. */
+function candidatePreview(c) {
+    const lines = [];
+    const flag = c.highRisk ? ' **[HIGH-RISK]**' : '';
+    lines.push(`### ${proposalTitle(c)}${flag}`);
+    lines.push('');
+    lines.push(`- Tier hint: \`${c.proposedTier}\` → ${routeLabel(c.route)}`);
+    lines.push(`- Distinct agents: **${c.distinctAgents}** ` +
+        `(${c.corroboratingAgents.join(', ')}) | occurrences: ${c.occurrences}`);
+    if (c.invariantTouches.length > 0) {
+        const list = c.invariantTouches.map((t) => `#${t.index} ${t.title}`).join('; ');
+        lines.push(`- Touches invariant(s): ${list} _(surfaced, not dropped)_`);
+    }
+    else {
+        lines.push('- Touches invariant(s): none detected');
+    }
+    lines.push('- Signal:');
+    lines.push('');
+    for (const ln of c.signal.trim().split('\n')) {
+        lines.push(`  > ${ln}`);
+    }
+    lines.push('');
+    return lines;
+}
+/**
+ * Build the dry-run Markdown report. Promoted candidates render as previews; the
+ * HELD set renders in its own clearly-labelled section so a sub-threshold
+ * candidate is VISIBLE, never silently dropped.
+ */
+export function buildReport(input) {
+    const { candidates } = input;
+    const lines = [];
+    lines.push(`# Auditor proposal report — ${input.project}`);
+    lines.push('');
+    lines.push(`- Repo: \`${input.repo}\``);
+    lines.push(`- Min distinct agents (GATE 1 threshold): ${candidates.minAgents}`);
+    lines.push(`- Mode: ${input.fileMode ? '**--file (artifacts opened)**' : '**dry-run (default — opens nothing)**'}`);
+    if (!input.invariantsLoaded) {
+        lines.push('- ⚠ `design/protected-invariants.md` not found — subordination-check ' +
+            'surfaced no invariants (loud-but-proceeds).');
+    }
+    lines.push(`- Reflection records: ${input.reflectionRecords} across ` +
+        `${input.reflectionFiles} ledger file(s) ` +
+        `(skipped malformed: ${input.reflectionsSkipped})`);
+    lines.push('');
+    lines.push('> The auditor PROPOSES only (DR-026 G1). Candidates below are corroborated ' +
+        'across distinct agents; HELD candidates fell below the distinct-agent ' +
+        'threshold. Nothing is auto-applied — the operator ratifies (invariants ' +
+        '#8 + #9).');
+    lines.push('');
+    // --- Promoted candidates ---
+    lines.push('## Candidate proposals (promoted)');
+    lines.push('');
+    if (candidates.promoted.length === 0) {
+        lines.push('_No candidate cleared the distinct-agent threshold._');
+        lines.push('');
+    }
+    else {
+        for (const c of candidates.promoted) {
+            lines.push(...candidatePreview(c));
+        }
+    }
+    // --- HELD section (visible, never silently dropped) ---
+    lines.push(`## HELD (N < ${candidates.minAgents} distinct agents)`);
+    lines.push('');
+    lines.push('_These signals are real but under-corroborated — held, NOT dropped. ' +
+        'Reflection ≠ verification: one agent reflecting repeatedly is still N=1._');
+    lines.push('');
+    if (candidates.held.length === 0) {
+        lines.push('_None._');
+        lines.push('');
+    }
+    else {
+        for (const h of candidates.held) {
+            const dedup = h.hasKey ? ` [key: \`${h.handle}\`]` : '';
+            lines.push(`- (\`${h.proposedTier}\`) ${h.signal.replace(/\s+/g, ' ').trim()}${dedup} ` +
+                `— ${h.distinctAgents} distinct agent(s), ${h.occurrences} occurrence(s)`);
+        }
+        lines.push('');
+    }
+    // --- Summary ---
+    lines.push('## Summary');
+    lines.push('');
+    lines.push(`- Promoted: ${candidates.promoted.length}`);
+    lines.push(`- Held (N<${candidates.minAgents}): ${candidates.held.length}`);
+    const highRisk = candidates.promoted.filter((c) => c.highRisk).length;
+    const needsConfirm = candidates.promoted.filter((c) => c.route === 'needs-confirmation').length;
+    lines.push(`- HIGH-RISK (apparent invariant relaxation): ${highRisk}`);
+    lines.push(`- NEEDS-CONFIRMATION (universal/canonical): ${needsConfirm}`);
+    lines.push('');
+    lines.push(input.fileMode
+        ? `> \`--file\` mode: ${candidates.promoted.length} ratifiable ` +
+            `\`${PROPOSAL_LABEL}\` issue(s) opened (create-only; never merged/closed/edited). ` +
+            'The operator ratifies.'
+        : '> Dry-run: NOTHING was opened. Re-run with `--file` to open one ratifiable ' +
+            `\`${PROPOSAL_LABEL}\` issue per promoted candidate (create-only).`);
+    return lines.join('\n').replace(/\n{3,}/g, '\n\n') + '\n';
+}
+//# sourceMappingURL=report.js.map

package/dist/cli/propose/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/cli/propose/report.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,cAAc,EAA2B,MAAM,sBAAsB,CAAC;AAG/E,wDAAwD;AACxD,SAAS,UAAU,CAAC,KAAoB;IACtC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,oBAAoB;YACvB,OAAO,8DAA8D,CAAC;QACxE,KAAK,eAAe;YAClB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,QAAQ;YACX,OAAO,0CAA0C,CAAC;IACtD,CAAC;AACH,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,aAAa,CAAC,CAAoB;IAChD,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9C,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7E,OAAO,qBAAqB,IAAI,GAAG,SAAS,EAAE,CAAC;AACjD,CAAC;AAED,wEAAwE;AACxE,SAAS,cAAc,CAAC,CAAoB;IAC1C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IAC5D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,CAAC,CAAC,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IAClF,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CACR,yEAAyE;YACzE,uEAAuE;YACvE,wEAAwE;YACxE,2EAA2E,CAC5E,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,gBAAgB,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CACR,0EAA0E;YAC1E,2EAA2E;YAC3E,kEAAkE;YAClE,yEAAyE;YACzE,+DAA+D,CAChE,CAAC;QACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAoB;IACpD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,kEAAkE;QAC3E,2EAA2E;QAC3E,yEAAyE;QACzE,+DAA+D,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IACtC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,cAAc,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAChD,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,qBAAqB,EAAE,CAAC,CAAC;IACrG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,wBAAwB,CAAC,CAAC,cAAc,KAAK;QAC7C,IAAI,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACxC,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAClD,KAAK,CAAC,IAAI,CACR,gEAAgE;QAChE,kEAAkE,CACnE,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAC5C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,2EAA2E;QAC3E,2EAA2E;QAC3E,uEAAuE;QACvE,qEAAqE;QACrE,2DAA2D,CAC5D,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,uBAAuB,CACrC,IAAY,EACZ,CAAoB;IAEpB,MAAM,MAAM,GAAG,CAAC,cAAc,CAAC,CAAC;IAChC,IAAI,CAAC,CAAC,KAAK,KAAK,oBAAoB;QAAE,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACxE,IAAI,CAAC,CAAC,QAAQ;QAAE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACzC,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;QACvB,IAAI,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC1B,MAAM;KACP,CAAC;AACJ,CAAC;AAkBD,wEAAwE;AACxE,SAAS,gBAAgB,CAAC,CAAoB;IAC5C,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC;IAClD,KAAK,CAAC,IAAI,CAAC,OAAO,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC;IAC7C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,YAAY,QAAQ,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CACR,wBAAwB,CAAC,CAAC,cAAc,KAAK;QAC7C,IAAI,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,WAAW,EAAE,CACxE,CAAC;IACF,IAAI,CAAC,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChF,KAAK,CAAC,IAAI,CAAC,2BAA2B,IAAI,4BAA4B,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACtD,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,MAAM,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1B,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,KAAkB;IAC5C,MAAM,EAAE,UAAU,EAAE,GAAG,KAAK,CAAC;IAC7B,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,+BAA+B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC3D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,CAAC,6CAA6C,UAAU,CAAC,SAAS,EAAE,CAAC,CAAC;IAChF,KAAK,CAAC,IAAI,CACR,WAAW,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,uCAAuC,EAAE,CACxG,CAAC;IACF,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CACR,uEAAuE;YACvE,6CAA6C,CAC9C,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,IAAI,CACR,yBAAyB,KAAK,CAAC,iBAAiB,UAAU;QAC1D,GAAG,KAAK,CAAC,eAAe,kBAAkB;QAC1C,uBAAuB,KAAK,CAAC,kBAAkB,GAAG,CACnD,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,6EAA6E;QAC7E,wEAAwE;QACxE,yEAAyE;QACzE,WAAW,CACZ,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,8BAA8B;IAC9B,KAAK,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;IAChD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,IAAI,CAAC,gBAAgB,UAAU,CAAC,SAAS,mBAAmB,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,sEAAsE;QACtE,2EAA2E,CAC5E,CAAC;IACF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;YAChC,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACxD,KAAK,CAAC,IAAI,CACR,QAAQ,CAAC,CAAC,YAAY,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,KAAK,GAAG;gBAC5E,KAAK,CAAC,CAAC,cAAc,uBAAuB,CAAC,CAAC,WAAW,gBAAgB,CAC1E,CAAC;QACJ,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,eAAe,UAAU,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACxD,KAAK,CAAC,IAAI,CAAC,aAAa,UAAU,CAAC,SAAS,MAAM,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;IACtE,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,oBAAoB,CAAC,CAAC,MAAM,CAAC;IAChG,KAAK,CAAC,IAAI,CAAC,gDAAgD,QAAQ,EAAE,CAAC,CAAC;IACvE,KAAK,CAAC,IAAI,CAAC,+CAA+C,YAAY,EAAE,CAAC,CAAC;IAC1E,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CACR,KAAK,CAAC,QAAQ;QACZ,CAAC,CAAC,sBAAsB,UAAU,CAAC,QAAQ,CAAC,MAAM,cAAc;YAC9D,KAAK,cAAc,gEAAgE;YACnF,wBAAwB;QAC1B,CAAC,CAAC,6EAA6E;YAC7E,KAAK,cAAc,gDAAgD,CACxE,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;AAC5D,CAAC"}

package/dist/cli/propose/run.d.ts

@@ -0,0 +1,41 @@
+import type { ProposalIssueWriter } from './proposal-writer.js';
+export interface RunProposeOptions {
+    readonly project: string;
+    readonly repo: string;
+    /** Directory holding the F2 reflection JSONL ledgers. */
+    readonly reflectionsDir: string;
+    /**
+     * Framework-source repo root where `design/protected-invariants.md` lives.
+     * The subordination-check surfaces against this set; absence is loud-but-proceeds.
+     */
+    readonly repoRoot: string;
+    /** Distinct-agent threshold for GATE 1 (default `DEFAULT_MIN_AGENTS`). */
+    readonly minAgents?: number;
+    /** When true, OPEN ratifiable artifacts via the writer. Default false (dry-run). */
+    readonly fileMode: boolean;
+    /**
+     * Create-only writer seam. REQUIRED when `fileMode` is true; ignored in
+     * dry-run (and must never be invoked there — GATE 2).
+     */
+    readonly writer?: ProposalIssueWriter;
+}
+/** What a single `--file` create produced (or the error that aborted it). */
+export interface CreatedProposal {
+    readonly title: string;
+    readonly url: string;
+}
+export interface RunProposeResult {
+    /** The Markdown report (always produced, in both modes). */
+    readonly report: string;
+    /** Issues opened in `--file` mode (empty in dry-run). */
+    readonly created: readonly CreatedProposal[];
+}
+/**
+ * Run the Plan membrane. Returns the report + any created proposals.
+ *
+ * Read side is pure filesystem; the only write path is the injected writer,
+ * gated behind `fileMode` (GATE 2). A writer failure surfaces as a thrown error
+ * to the caller (the CLI command), which decides how to report it.
+ */
+export declare function runPropose(opts: RunProposeOptions): Promise<RunProposeResult>;
+//# sourceMappingURL=run.d.ts.map

package/dist/cli/propose/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../../src/cli/propose/run.ts"],"names":[],"mappings":"AAuBA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAEhE,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,yDAAyD;IACzD,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC;;;OAGG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,0EAA0E;IAC1E,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,oFAAoF;IACpF,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,mBAAmB,CAAC;CACvC;AAED,6EAA6E;AAC7E,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC/B,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,yDAAyD;IACzD,QAAQ,CAAC,OAAO,EAAE,SAAS,eAAe,EAAE,CAAC;CAC9C;AAED;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAqCnF"}

package/dist/cli/propose/run.js

@@ -0,0 +1,62 @@
+/**
+ * Plan-membrane orchestrator for the auditor (groundnuty/macf#503, DR-026 G1).
+ *
+ * Reads F2 reflection ledgers (reusing F4's reflections reader), loads the
+ * ratified protected-invariant set, runs the deterministic candidate pipeline
+ * (distinct-agent GATE 1 + tier-router + invariant subordination-check GATE 3),
+ * and then EITHER:
+ *
+ *   - dry-run (DEFAULT): returns a Markdown report (opens NOTHING); or
+ *   - `--file`: opens one ratifiable proposal issue per promoted candidate via
+ *     the injectable create-only writer seam, then returns the report.
+ *
+ * GATE 2 (dry-run-by-default) is enforced here: the writer is invoked ONLY when
+ * `fileMode` is true. In the default path the writer is never touched — tests
+ * inject a recording writer and assert zero creates by default.
+ *
+ * The writer is OPTIONAL in the options: dry-run callers pass none. When
+ * `fileMode` is true a writer MUST be supplied (the command wires the real one).
+ */
+import { readReflections } from '../monitor/reflections.js';
+import { loadInvariants } from './invariants.js';
+import { buildCandidates, DEFAULT_MIN_AGENTS } from './candidates.js';
+import { buildReport, buildProposalIssueInput } from './report.js';
+/**
+ * Run the Plan membrane. Returns the report + any created proposals.
+ *
+ * Read side is pure filesystem; the only write path is the injected writer,
+ * gated behind `fileMode` (GATE 2). A writer failure surfaces as a thrown error
+ * to the caller (the CLI command), which decides how to report it.
+ */
+export async function runPropose(opts) {
+    const minAgents = opts.minAgents ?? DEFAULT_MIN_AGENTS;
+    const reflections = readReflections(opts.reflectionsDir);
+    const invariants = loadInvariants(opts.repoRoot);
+    const candidates = buildCandidates(reflections.records, invariants, minAgents);
+    const report = buildReport({
+        project: opts.project,
+        repo: opts.repo,
+        candidates,
+        fileMode: opts.fileMode,
+        invariantsLoaded: invariants.length > 0,
+        reflectionRecords: reflections.records.length,
+        reflectionsSkipped: reflections.skipped,
+        reflectionFiles: reflections.files,
+    });
+    // GATE 2 — the writer is touched ONLY in --file mode. The default path never
+    // opens anything.
+    if (!opts.fileMode) {
+        return { report, created: [] };
+    }
+    if (!opts.writer) {
+        throw new Error('Internal error: --file mode requires a proposal writer but none was provided.');
+    }
+    const created = [];
+    for (const c of candidates.promoted) {
+        const input = buildProposalIssueInput(opts.repo, c);
+        const res = await opts.writer.createProposalIssue(input);
+        created.push({ title: input.title, url: res.url });
+    }
+    return { report, created };
+}
+//# sourceMappingURL=run.js.map

package/dist/cli/propose/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../../src/cli/propose/run.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAA0B,MAAM,iBAAiB,CAAC;AAC9F,OAAO,EAAE,WAAW,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAqCnE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAuB;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACvD,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,eAAe,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAE/E,MAAM,MAAM,GAAG,WAAW,CAAC;QACzB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,UAAU;QACV,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,gBAAgB,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC;QACvC,iBAAiB,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM;QAC7C,kBAAkB,EAAE,WAAW,CAAC,OAAO;QACvC,eAAe,EAAE,WAAW,CAAC,KAAK;KACnC,CAAC,CAAC;IAEH,6EAA6E;IAC7E,kBAAkB;IAClB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACjC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAsB,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,QAAwC,EAAE,CAAC;QACpE,MAAM,KAAK,GAAG,uBAAuB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC"}

package/dist/cli/role-settings-model.d.ts

@@ -0,0 +1,70 @@
+/**
+ * DR-028 — the canonical expected-`settings.json`-per-role model.
+ *
+ * A universal **floor** + per-role **deltas**: the single source of truth that
+ * BOTH `macf init` (emit) and `macf doctor` (validate / `--fix`) consume, so
+ * init-output and doctor-expectation can't diverge. See
+ * `design/decisions/DR-028-expected-settings-per-role.md`.
+ *
+ * **Doctrine** (DR-028 §Decision 1): the defense is the **`deny` list + the
+ * PreToolUse hooks**, NOT allow-enumeration — canonical macf commands embed
+ * `$GH_TOKEN`/`$MACF_WORKSPACE_DIR` ("Contains simple_expansion"), which defeat
+ * narrow `Bash(...)` patterns, so the floor uses broad `Bash(*)`.
+ *
+ * This module is the **data model only**. The `macf init` emit and the
+ * `macf doctor` validate/`--fix` wiring land in follow-up increments (gated on
+ * DR-028 ratification, macf#539). Importing the hook-command constants from
+ * `settings-writer` is one-directional (settings-writer does not import this),
+ * so there is no import cycle.
+ */
+import { ROLE_FLOOR_ALLOW, ROLE_FLOOR_DENY } from './settings-writer.js';
+/** A hook the model expects in `.claude/settings.json`. */
+export interface ExpectedHook {
+    readonly event: 'PreToolUse' | 'PostToolUse' | 'UserPromptSubmit' | 'PreCompact';
+    /** Tool matcher for tool-scoped events (e.g. `Bash`); omitted for prompt/compact hooks. */
+    readonly matcher?: string;
+    readonly command: string;
+    /**
+     * `true` → a missing/changed instance of this hook is an **error**, not
+     * drift (DR-028: the auditor's `never-acts` hook). `false` → recommended;
+     * absence is reported as drift the operator may `--fix`.
+     */
+    readonly required: boolean;
+}
+export { ROLE_FLOOR_ALLOW, ROLE_FLOOR_DENY };
+/** Universal floor hooks (every role) — DR-028 §Decision 1. */
+export declare const ROLE_FLOOR_HOOKS: readonly ExpectedHook[];
+/** Per-role additions beyond the floor (DR-028 §Decision 1, Per-role deltas). */
+export interface RoleSettingsDelta {
+    /** Hooks this role adds beyond the floor. */
+    readonly hooks?: readonly ExpectedHook[];
+    /** Extra `allow` entries (e.g. the role's MCP servers) beyond the floor. */
+    readonly allow?: readonly string[];
+}
+/**
+ * Per-role deltas. Roles not listed get the universal floor as-is
+ * (code / science / devops — they all file + review PRs).
+ */
+export declare const ROLE_SETTINGS_DELTAS: Readonly<Record<string, RoleSettingsDelta>>;
+/**
+ * The roles the framework recognizes — ships an agent template / model handling
+ * for (macf#551). The floor applies to ALL roles; only some carry deltas
+ * (`ROLE_SETTINGS_DELTAS`). An `agent_role` OUTSIDE this set is a custom role
+ * (legitimate — floor-only), but `macf doctor` surfaces it (INFO) so a typo on
+ * a delta-bearing SAFETY-critical role — e.g. `auditor-agent` instead of the
+ * exact `auditor`, which would silently skip the never-acts hook AND its doctor
+ * ERROR — becomes visible instead of degrading silently. NOTE: `auditor` has no
+ * `-agent` suffix (unlike `code-agent`); use the exact strings here.
+ */
+export declare const KNOWN_ROLES: readonly string[];
+/** True if `role` is a framework-recognized role (see `KNOWN_ROLES`). */
+export declare function isKnownRole(role: string): boolean;
+/** Expected hooks for a role = the floor + the role's delta hooks. */
+export declare function expectedHooksForRole(role: string): readonly ExpectedHook[];
+/**
+ * Expected base `allow` for a role = the floor + the role's extra allow
+ * entries. The emitter composes `PLUGIN_SKILL_PERMISSIONS` +
+ * `PLUGIN_MCP_TOOL_PERMISSIONS` onto this.
+ */
+export declare function expectedAllowForRole(role: string): readonly string[];
+//# sourceMappingURL=role-settings-model.d.ts.map

package/dist/cli/role-settings-model.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-settings-model.d.ts","sourceRoot":"","sources":["../../src/cli/role-settings-model.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EASL,gBAAgB,EAChB,eAAe,EAChB,MAAM,sBAAsB,CAAC;AAE9B,2DAA2D;AAC3D,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,YAAY,GAAG,aAAa,GAAG,kBAAkB,GAAG,YAAY,CAAC;IACjF,2FAA2F;IAC3F,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B;AAMD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;AAE7C,+DAA+D;AAC/D,eAAO,MAAM,gBAAgB,EAAE,SAAS,YAAY,EAQnD,CAAC;AAEF,iFAAiF;AACjF,MAAM,WAAW,iBAAiB;IAChC,6CAA6C;IAC7C,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,YAAY,EAAE,CAAC;IACzC,4EAA4E;IAC5E,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC;AAED;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAU5E,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,EAAE,SAAS,MAAM,EAUxC,CAAC;AAEF,yEAAyE;AACzE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED,sEAAsE;AACtE,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,YAAY,EAAE,CAG1E;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAGpE"}

package/dist/cli/role-settings-model.js

@@ -0,0 +1,90 @@
+/**
+ * DR-028 — the canonical expected-`settings.json`-per-role model.
+ *
+ * A universal **floor** + per-role **deltas**: the single source of truth that
+ * BOTH `macf init` (emit) and `macf doctor` (validate / `--fix`) consume, so
+ * init-output and doctor-expectation can't diverge. See
+ * `design/decisions/DR-028-expected-settings-per-role.md`.
+ *
+ * **Doctrine** (DR-028 §Decision 1): the defense is the **`deny` list + the
+ * PreToolUse hooks**, NOT allow-enumeration — canonical macf commands embed
+ * `$GH_TOKEN`/`$MACF_WORKSPACE_DIR` ("Contains simple_expansion"), which defeat
+ * narrow `Bash(...)` patterns, so the floor uses broad `Bash(*)`.
+ *
+ * This module is the **data model only**. The `macf init` emit and the
+ * `macf doctor` validate/`--fix` wiring land in follow-up increments (gated on
+ * DR-028 ratification, macf#539). Importing the hook-command constants from
+ * `settings-writer` is one-directional (settings-writer does not import this),
+ * so there is no import cycle.
+ */
+import { MACF_HOOK_COMMAND, MACF_MENTION_HOOK_COMMAND, MACF_LGTM_HOOK_COMMAND, MACF_CLOSE_HOOK_COMMAND, MACF_AUDITOR_HOOK_COMMAND, MACF_TURN_RECEIPT_HOOK_COMMAND, MACF_ATTRIBUTION_HOOK_COMMAND, MACF_REFLECTION_HOOK_COMMAND, ROLE_FLOOR_ALLOW, ROLE_FLOOR_DENY, } from './settings-writer.js';
+// DR-028 universal floor allow/deny live in settings-writer.ts (zero deps) to
+// avoid an import cycle — this module imports the hook constants FROM there, so
+// the floor data must not flow the other way. Re-exported below so the model's
+// public surface (what `macf doctor` validates against) stays in one place.
+export { ROLE_FLOOR_ALLOW, ROLE_FLOOR_DENY };
+/** Universal floor hooks (every role) — DR-028 §Decision 1. */
+export const ROLE_FLOOR_HOOKS = [
+    { event: 'PreToolUse', matcher: 'Bash', command: MACF_HOOK_COMMAND, required: false },
+    { event: 'PreToolUse', matcher: 'Bash', command: MACF_MENTION_HOOK_COMMAND, required: false },
+    { event: 'PreToolUse', matcher: 'Bash', command: MACF_LGTM_HOOK_COMMAND, required: false },
+    { event: 'PreToolUse', matcher: 'Bash', command: MACF_CLOSE_HOOK_COMMAND, required: false },
+    { event: 'PostToolUse', matcher: 'Bash', command: MACF_ATTRIBUTION_HOOK_COMMAND, required: false },
+    { event: 'UserPromptSubmit', command: MACF_TURN_RECEIPT_HOOK_COMMAND, required: false },
+    { event: 'PreCompact', command: MACF_REFLECTION_HOOK_COMMAND, required: false },
+];
+/**
+ * Per-role deltas. Roles not listed get the universal floor as-is
+ * (code / science / devops — they all file + review PRs).
+ */
+export const ROLE_SETTINGS_DELTAS = {
+    // The auditor (DR-026): the `never-acts` hook is REQUIRED — a missing one is
+    // an error, not drift. It STILL gets `Write`/`Edit` from the floor (it writes
+    // proposals/digests locally); never-acts is hook-enforced on `gh pr merge` /
+    // `issue close` (DR-026 §1/§4), not permission-removed.
+    auditor: {
+        hooks: [
+            { event: 'PreToolUse', matcher: 'Bash', command: MACF_AUDITOR_HOOK_COMMAND, required: true },
+        ],
+    },
+};
+/**
+ * The roles the framework recognizes — ships an agent template / model handling
+ * for (macf#551). The floor applies to ALL roles; only some carry deltas
+ * (`ROLE_SETTINGS_DELTAS`). An `agent_role` OUTSIDE this set is a custom role
+ * (legitimate — floor-only), but `macf doctor` surfaces it (INFO) so a typo on
+ * a delta-bearing SAFETY-critical role — e.g. `auditor-agent` instead of the
+ * exact `auditor`, which would silently skip the never-acts hook AND its doctor
+ * ERROR — becomes visible instead of degrading silently. NOTE: `auditor` has no
+ * `-agent` suffix (unlike `code-agent`); use the exact strings here.
+ */
+export const KNOWN_ROLES = [
+    'auditor',
+    'code-agent',
+    'science-agent',
+    'devops-agent',
+    'writing-agent',
+    'exp-code-agent',
+    'exp-science-code-aware',
+    'exp-science-domain-only',
+    'exp-single-agent',
+];
+/** True if `role` is a framework-recognized role (see `KNOWN_ROLES`). */
+export function isKnownRole(role) {
+    return KNOWN_ROLES.includes(role);
+}
+/** Expected hooks for a role = the floor + the role's delta hooks. */
+export function expectedHooksForRole(role) {
+    const delta = ROLE_SETTINGS_DELTAS[role];
+    return delta?.hooks ? [...ROLE_FLOOR_HOOKS, ...delta.hooks] : ROLE_FLOOR_HOOKS;
+}
+/**
+ * Expected base `allow` for a role = the floor + the role's extra allow
+ * entries. The emitter composes `PLUGIN_SKILL_PERMISSIONS` +
+ * `PLUGIN_MCP_TOOL_PERMISSIONS` onto this.
+ */
+export function expectedAllowForRole(role) {
+    const delta = ROLE_SETTINGS_DELTAS[role];
+    return delta?.allow ? [...ROLE_FLOOR_ALLOW, ...delta.allow] : ROLE_FLOOR_ALLOW;
+}
+//# sourceMappingURL=role-settings-model.js.map

package/dist/cli/role-settings-model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-settings-model.js","sourceRoot":"","sources":["../../src/cli/role-settings-model.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,OAAO,EACL,iBAAiB,EACjB,yBAAyB,EACzB,sBAAsB,EACtB,uBAAuB,EACvB,yBAAyB,EACzB,8BAA8B,EAC9B,6BAA6B,EAC7B,4BAA4B,EAC5B,gBAAgB,EAChB,eAAe,GAChB,MAAM,sBAAsB,CAAC;AAgB9B,8EAA8E;AAC9E,gFAAgF;AAChF,+EAA+E;AAC/E,4EAA4E;AAC5E,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;AAE7C,+DAA+D;AAC/D,MAAM,CAAC,MAAM,gBAAgB,GAA4B;IACvD,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE;IACrF,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,KAAK,EAAE;IAC7F,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE;IAC1F,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,KAAK,EAAE;IAC3F,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,KAAK,EAAE;IAClG,EAAE,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,8BAA8B,EAAE,QAAQ,EAAE,KAAK,EAAE;IACvF,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,KAAK,EAAE;CAChF,CAAC;AAUF;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAgD;IAC/E,6EAA6E;IAC7E,8EAA8E;IAC9E,6EAA6E;IAC7E,wDAAwD;IACxD,OAAO,EAAE;QACP,KAAK,EAAE;YACL,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,yBAAyB,EAAE,QAAQ,EAAE,IAAI,EAAE;SAC7F;KACF;CACF,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,WAAW,GAAsB;IAC5C,SAAS;IACT,YAAY;IACZ,eAAe;IACf,cAAc;IACd,eAAe;IACf,gBAAgB;IAChB,wBAAwB;IACxB,yBAAyB;IACzB,kBAAkB;CACnB,CAAC;AAEF,yEAAyE;AACzE,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,OAAO,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,gBAAgB,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;AACjF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,gBAAgB,EAAE,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;AACjF,CAAC"}