@holoscript/core 6.0.3 → 6.0.4

package/dist/chunk-QWKUKVRE.js

@@ -1,2026 +0,0 @@
-import { init_AgentRBAC, init_CapabilityToken, init_CapabilityTokenIssuer, init_AgentTokenIssuer, getRBAC, getCapabilityTokenIssuer, HoloScriptCapabilitySemantics, getTokenIssuer, HOLOSCRIPT_RESOURCE_SCHEME } from './chunk-V42NTCFH.js';
-import { __esm } from './chunk-32TWR3HE.js';
-
-// src/compiler/identity/ANSNamespace.ts
-function isValidCompilerName(name) {
-  return ALL_COMPILER_NAMES.includes(name);
-}
-var ANSDomain, RiskTier, ANSCapabilityPath, COMPILER_DOMAIN_MAP, COMPILER_ANS_MAP, ALL_COMPILER_NAMES;
-var init_ANSNamespace = __esm({
-  "src/compiler/identity/ANSNamespace.ts"() {
-    ANSDomain = {
-      GAMEDEV: "gamedev",
-      SOCIAL_VR: "social-vr",
-      XR: "xr",
-      MOBILE: "mobile",
-      WEB3D: "web3d",
-      RUNTIME: "runtime",
-      SHADER: "shader",
-      ROBOTICS: "robotics",
-      INTERCHANGE: "interchange",
-      IOT: "iot",
-      WEB3: "web3",
-      AI: "ai",
-      NEUROMORPHIC: "neuromorphic",
-      META: "meta",
-      MIXIN: "mixin"
-    };
-    RiskTier = {
-      STANDARD: "STANDARD",
-      HIGH: "HIGH",
-      CRITICAL: "CRITICAL"
-    };
-    ({
-      [ANSDomain.GAMEDEV]: RiskTier.STANDARD,
-      [ANSDomain.SOCIAL_VR]: RiskTier.HIGH,
-      [ANSDomain.XR]: RiskTier.HIGH,
-      [ANSDomain.MOBILE]: RiskTier.HIGH,
-      [ANSDomain.WEB3D]: RiskTier.STANDARD,
-      [ANSDomain.RUNTIME]: RiskTier.HIGH,
-      [ANSDomain.SHADER]: RiskTier.STANDARD,
-      [ANSDomain.ROBOTICS]: RiskTier.CRITICAL,
-      [ANSDomain.INTERCHANGE]: RiskTier.STANDARD,
-      [ANSDomain.IOT]: RiskTier.HIGH,
-      [ANSDomain.WEB3]: RiskTier.CRITICAL,
-      [ANSDomain.AI]: RiskTier.HIGH,
-      [ANSDomain.NEUROMORPHIC]: RiskTier.HIGH,
-      [ANSDomain.META]: RiskTier.STANDARD,
-      [ANSDomain.MIXIN]: RiskTier.STANDARD
-    });
-    ANSCapabilityPath = {
-      // ── gamedev ──────────────────────────────────────────────────────────
-      UNITY: "/compile/gamedev/unity",
-      UNREAL: "/compile/gamedev/unreal",
-      GODOT: "/compile/gamedev/godot",
-      // ── social-vr ────────────────────────────────────────────────────────
-      VRCHAT: "/compile/social-vr/vrchat",
-      // ── xr ───────────────────────────────────────────────────────────────
-      OPENXR: "/compile/xr/openxr",
-      OPENXR_SPATIAL_ENTITIES: "/compile/xr/openxr-spatial-entities",
-      VISIONOS: "/compile/xr/visionos",
-      AR: "/compile/xr/ar",
-      ANDROID_XR: "/compile/xr/android-xr",
-      AI_GLASSES: "/compile/xr/ai-glasses",
-      QUILT: "/compile/xr/quilt",
-      MV_HEVC: "/compile/xr/mv-hevc",
-      // ── mobile ───────────────────────────────────────────────────────────
-      ANDROID: "/compile/mobile/android",
-      IOS: "/compile/mobile/ios",
-      // ── web3d ────────────────────────────────────────────────────────────
-      BABYLON: "/compile/web3d/babylon",
-      WEBGPU: "/compile/web3d/webgpu",
-      R3F: "/compile/web3d/r3f",
-      PLAYCANVAS: "/compile/web3d/playcanvas",
-      // ── runtime ──────────────────────────────────────────────────────────
-      WASM: "/compile/runtime/wasm",
-      NODE_SERVICE: "/compile/runtime/node-service",
-      // ── shader ───────────────────────────────────────────────────────────
-      TSL: "/compile/shader/tsl",
-      // ── robotics ─────────────────────────────────────────────────────────
-      URDF: "/compile/robotics/urdf",
-      SDF: "/compile/robotics/sdf",
-      // ── interchange ──────────────────────────────────────────────────────
-      USD: "/compile/interchange/usd",
-      GLTF: "/compile/interchange/gltf",
-      // ── iot ──────────────────────────────────────────────────────────────
-      DTDL: "/compile/iot/dtdl",
-      // ── web3 ─────────────────────────────────────────────────────────────
-      NFT_MARKETPLACE: "/compile/web3/nft-marketplace",
-      // ── ai ───────────────────────────────────────────────────────────────
-      SCM: "/compile/ai/scm",
-      VRR: "/compile/ai/vrr",
-      A2A_AGENT_CARD: "/compile/ai/a2a-agent-card",
-      AGENT_INFERENCE: "/compile/ai/agent-inference",
-      // ── neuromorphic ─────────────────────────────────────────────────────
-      NIR: "/compile/neuromorphic/nir",
-      // ── meta ─────────────────────────────────────────────────────────────
-      MULTI_LAYER: "/compile/meta/multi-layer",
-      INCREMENTAL: "/compile/meta/incremental",
-      STATE: "/compile/meta/state",
-      TRAIT_COMPOSITION: "/compile/meta/trait-composition",
-      // ── mixin ────────────────────────────────────────────────────────────
-      DOMAIN_BLOCK: "/compile/mixin/domain-block"
-    };
-    COMPILER_DOMAIN_MAP = {
-      // gamedev
-      unity: ANSDomain.GAMEDEV,
-      unreal: ANSDomain.GAMEDEV,
-      godot: ANSDomain.GAMEDEV,
-      // social-vr
-      vrchat: ANSDomain.SOCIAL_VR,
-      // xr
-      openxr: ANSDomain.XR,
-      "openxr-spatial-entities": ANSDomain.XR,
-      visionos: ANSDomain.XR,
-      ar: ANSDomain.XR,
-      "android-xr": ANSDomain.XR,
-      "ai-glasses": ANSDomain.XR,
-      quilt: ANSDomain.XR,
-      "mv-hevc": ANSDomain.XR,
-      // mobile
-      android: ANSDomain.MOBILE,
-      ios: ANSDomain.MOBILE,
-      // web3d
-      babylon: ANSDomain.WEB3D,
-      webgpu: ANSDomain.WEB3D,
-      r3f: ANSDomain.WEB3D,
-      playcanvas: ANSDomain.WEB3D,
-      // runtime
-      wasm: ANSDomain.RUNTIME,
-      "node-service": ANSDomain.RUNTIME,
-      // shader
-      tsl: ANSDomain.SHADER,
-      // robotics
-      urdf: ANSDomain.ROBOTICS,
-      sdf: ANSDomain.ROBOTICS,
-      // interchange
-      usd: ANSDomain.INTERCHANGE,
-      gltf: ANSDomain.INTERCHANGE,
-      // iot
-      dtdl: ANSDomain.IOT,
-      // web3
-      "nft-marketplace": ANSDomain.WEB3,
-      // ai
-      scm: ANSDomain.AI,
-      vrr: ANSDomain.AI,
-      "a2a-agent-card": ANSDomain.AI,
-      "agent-inference": ANSDomain.AI,
-      // neuromorphic
-      nir: ANSDomain.NEUROMORPHIC,
-      // meta
-      "multi-layer": ANSDomain.META,
-      incremental: ANSDomain.META,
-      state: ANSDomain.META,
-      "trait-composition": ANSDomain.META,
-      // mixin
-      "domain-block": ANSDomain.MIXIN
-    };
-    COMPILER_ANS_MAP = {
-      unity: ANSCapabilityPath.UNITY,
-      unreal: ANSCapabilityPath.UNREAL,
-      godot: ANSCapabilityPath.GODOT,
-      vrchat: ANSCapabilityPath.VRCHAT,
-      openxr: ANSCapabilityPath.OPENXR,
-      "openxr-spatial-entities": ANSCapabilityPath.OPENXR_SPATIAL_ENTITIES,
-      visionos: ANSCapabilityPath.VISIONOS,
-      ar: ANSCapabilityPath.AR,
-      "android-xr": ANSCapabilityPath.ANDROID_XR,
-      "ai-glasses": ANSCapabilityPath.AI_GLASSES,
-      quilt: ANSCapabilityPath.QUILT,
-      "mv-hevc": ANSCapabilityPath.MV_HEVC,
-      android: ANSCapabilityPath.ANDROID,
-      ios: ANSCapabilityPath.IOS,
-      babylon: ANSCapabilityPath.BABYLON,
-      webgpu: ANSCapabilityPath.WEBGPU,
-      r3f: ANSCapabilityPath.R3F,
-      playcanvas: ANSCapabilityPath.PLAYCANVAS,
-      wasm: ANSCapabilityPath.WASM,
-      "node-service": ANSCapabilityPath.NODE_SERVICE,
-      tsl: ANSCapabilityPath.TSL,
-      urdf: ANSCapabilityPath.URDF,
-      sdf: ANSCapabilityPath.SDF,
-      usd: ANSCapabilityPath.USD,
-      gltf: ANSCapabilityPath.GLTF,
-      dtdl: ANSCapabilityPath.DTDL,
-      "nft-marketplace": ANSCapabilityPath.NFT_MARKETPLACE,
-      scm: ANSCapabilityPath.SCM,
-      vrr: ANSCapabilityPath.VRR,
-      "a2a-agent-card": ANSCapabilityPath.A2A_AGENT_CARD,
-      "agent-inference": ANSCapabilityPath.AGENT_INFERENCE,
-      nir: ANSCapabilityPath.NIR,
-      "multi-layer": ANSCapabilityPath.MULTI_LAYER,
-      incremental: ANSCapabilityPath.INCREMENTAL,
-      state: ANSCapabilityPath.STATE,
-      "trait-composition": ANSCapabilityPath.TRAIT_COMPOSITION,
-      "domain-block": ANSCapabilityPath.DOMAIN_BLOCK
-    };
-    ALL_COMPILER_NAMES = Object.keys(
-      COMPILER_DOMAIN_MAP
-    );
-    Object.values(ANSDomain);
-  }
-});
-
-// src/compiler/CompilerDocumentationGenerator.ts
-var CompilerDocumentationGenerator;
-var init_CompilerDocumentationGenerator = __esm({
-  "src/compiler/CompilerDocumentationGenerator.ts"() {
-    CompilerDocumentationGenerator = class {
-      constructor(options = {}) {
-        this.options = {
-          serviceUrl: options.serviceUrl ?? "http://localhost:3000",
-          serviceVersion: options.serviceVersion ?? "1.0.0",
-          maxLlmsTxtTokens: options.maxLlmsTxtTokens ?? 800,
-          includeTraitDocs: options.includeTraitDocs ?? true,
-          includeExamples: options.includeExamples ?? true,
-          mcpTransportType: options.mcpTransportType ?? "streamable-http",
-          contactRepository: options.contactRepository ?? "",
-          contactDocumentation: options.contactDocumentation ?? ""
-        };
-      }
-      getObjectType(obj) {
-        const typeProperty = obj.properties?.find(
-          (property) => property.key === "geometry" || property.key === "shape" || property.key === "type"
-        )?.value;
-        return typeof typeProperty === "string" ? typeProperty : "Object";
-      }
-      /**
-       * Generate all three documentation outputs for a compilation
-       *
-       * @param composition - Parsed HoloScript composition AST
-       * @param targetName - Compiler target (e.g., 'r3f', 'unity', 'unreal')
-       * @param compiledCode - The compiled output code
-       * @returns Triple-output documentation bundle
-       */
-      generate(composition, targetName, compiledCode) {
-        return {
-          llmsTxt: this.generateLlmsTxt(composition, targetName, compiledCode),
-          wellKnownMcp: this.generateMCPServerCard(composition, targetName),
-          markdownDocs: this.generateMarkdownDocs(composition, targetName, compiledCode)
-        };
-      }
-      // ===========================================================================
-      // LLMS.TXT GENERATION
-      // ===========================================================================
-      /**
-       * Generate llms.txt format documentation (max 800 tokens)
-       *
-       * llms.txt is a standardized format for AI-readable project documentation.
-       * It provides a concise overview optimized for LLM context windows.
-       *
-       * Includes: scene description, trait list, export targets, API surface,
-       * MCP tool manifest summary, and state management.
-       *
-       * @see https://llmstxt.org/
-       */
-      generateLlmsTxt(composition, targetName, compiledCode) {
-        const sections = [];
-        sections.push(`# ${composition.name || "HoloScript Composition"}`);
-        sections.push("");
-        sections.push("## Scene Description");
-        sections.push(`Compiled for: ${targetName}`);
-        sections.push(`Objects: ${composition.objects?.length || 0}`);
-        sections.push(`Lights: ${composition.lights?.length || 0}`);
-        sections.push(`Spatial Groups: ${composition.spatialGroups?.length || 0}`);
-        sections.push(`Templates: ${composition.templates?.length || 0}`);
-        sections.push("");
-        const traits = this.extractTraits(composition);
-        if (traits.length > 0) {
-          sections.push("## Traits Used");
-          const traitsByCategory = this.groupTraitsByCategory(traits);
-          for (const [category, categoryTraits] of Object.entries(traitsByCategory)) {
-            sections.push(`- ${category}: ${categoryTraits.join(", ")}`);
-          }
-          sections.push("");
-        }
-        sections.push("## Export Capabilities");
-        sections.push(`Primary target: ${targetName}`);
-        sections.push(
-          "Compatible targets: unity, unreal, godot, r3f, webgpu, babylon, openxr, vrchat, wasm, gltf, usd"
-        );
-        sections.push("");
-        if (typeof compiledCode === "object") {
-          sections.push("## API Surface");
-          const files = Object.keys(compiledCode);
-          sections.push(`Generated files: ${files.length}`);
-          sections.push(`- ${files.slice(0, 5).join("\n- ")}`);
-          if (files.length > 5) {
-            sections.push(`- ... and ${files.length - 5} more`);
-          }
-          sections.push("");
-        }
-        const mcpTools = this.extractMCPTools(composition, targetName);
-        if (mcpTools.length > 0) {
-          sections.push("## MCP Tools");
-          sections.push(`Available tools: ${mcpTools.length}`);
-          for (const tool of mcpTools.slice(0, 8)) {
-            sections.push(`- ${tool.name}: ${tool.description}`);
-          }
-          if (mcpTools.length > 8) {
-            sections.push(`- ... and ${mcpTools.length - 8} more`);
-          }
-          sections.push("");
-        }
-        if (composition.state) {
-          const stateObj = composition.state;
-          let stateProps = [];
-          if (stateObj.properties && Array.isArray(stateObj.properties)) {
-            stateProps = stateObj.properties.map((p) => p.key);
-          } else {
-            stateProps = Object.keys(stateObj);
-          }
-          if (stateProps.length > 0) {
-            sections.push("## State Management");
-            sections.push(`State properties: ${stateProps.length}`);
-            sections.push(`- ${stateProps.slice(0, 5).join(", ")}`);
-            if (stateProps.length > 5) {
-              sections.push(`  ... and ${stateProps.length - 5} more`);
-            }
-            sections.push("");
-          }
-        }
-        if (composition.environment) {
-          const env = composition.environment;
-          sections.push("## Environment");
-          sections.push(`Background: ${env.background || "default"}`);
-          if (env.fog) {
-            sections.push("Fog: enabled");
-          }
-          sections.push("");
-        }
-        const fullText = sections.join("\n");
-        const maxChars = this.options.maxLlmsTxtTokens * 4;
-        if (fullText.length > maxChars) {
-          return fullText.substring(0, maxChars) + "\n\n... (truncated to fit token limit)";
-        }
-        return fullText;
-      }
-      // ===========================================================================
-      // .WELL-KNOWN/MCP GENERATION
-      // ===========================================================================
-      /**
-       * Generate MCP server card conforming to SEP-1649 and SEP-1960
-       *
-       * Produces a server card that satisfies both specification proposals:
-       * - SEP-1649: serverInfo nested object, transport with endpoint, protocolVersion
-       * - SEP-1960: endpoints object, authentication, capabilities as booleans
-       *
-       * The card includes legacy compatibility fields (name, version at root)
-       * for backward compatibility with v1.0.0 consumers.
-       */
-      generateMCPServerCard(composition, targetName) {
-        const tools = this.extractMCPTools(composition, targetName);
-        const sanitizedName = this.sanitizeServiceName(composition.name || "holoscript-composition");
-        const compositionTitle = composition.name || "Untitled";
-        const traitCount = this.extractTraits(composition).length;
-        const objectCount = composition.objects?.length || 0;
-        const endpoints = {};
-        const transportType = this.options.mcpTransportType;
-        const mcpUrl = `${this.options.serviceUrl}/mcp`;
-        if (transportType === "streamable-http" || transportType === "http") {
-          endpoints.streamable_http = mcpUrl;
-        } else if (transportType === "sse") {
-          endpoints.sse = mcpUrl;
-        } else if (transportType === "websocket" || transportType === "ws") {
-          endpoints.websocket = mcpUrl;
-        } else {
-          endpoints.streamable_http = mcpUrl;
-        }
-        endpoints.health = `${this.options.serviceUrl}/health`;
-        endpoints.render = `${this.options.serviceUrl}/api/render`;
-        return {
-          // SEP-1960 fields
-          mcpVersion: "2025-03-26",
-          // SEP-1649 fields
-          protocolVersion: "2025-06-18",
-          serverInfo: {
-            name: sanitizedName,
-            title: `HoloScript: ${compositionTitle}`,
-            version: this.options.serviceVersion
-          },
-          description: `HoloScript composition "${compositionTitle}" compiled for ${targetName} \u2014 ${objectCount} objects, ${traitCount} unique traits`,
-          transport: {
-            type: transportType,
-            endpoint: mcpUrl,
-            authentication: null
-          },
-          capabilities: {
-            tools: {
-              count: tools.length
-            },
-            resources: false,
-            prompts: false,
-            sampling: false,
-            roots: false
-          },
-          tools,
-          endpoints,
-          authentication: {
-            required: false,
-            methods: ["none"]
-          },
-          contact: {
-            repository: this.options.contactRepository || void 0,
-            documentation: this.options.contactDocumentation || void 0
-          },
-          documentation: this.options.contactDocumentation || void 0,
-          // Legacy compatibility (v1.0.0)
-          name: sanitizedName,
-          version: this.options.serviceVersion
-        };
-      }
-      /**
-       * Extract MCP tool manifest from composition
-       */
-      extractMCPTools(composition, targetName) {
-        const tools = [];
-        tools.push({
-          name: "compile_composition",
-          description: `Compile this HoloScript composition to ${targetName} format`,
-          inputSchema: {
-            type: "object",
-            properties: {
-              options: {
-                type: "object",
-                description: "Compiler options"
-              }
-            }
-          }
-        });
-        tools.push({
-          name: "render_preview",
-          description: `Render a preview of this composition as PNG/JPEG`,
-          inputSchema: {
-            type: "object",
-            properties: {
-              width: { type: "number", description: "Image width in pixels" },
-              height: { type: "number", description: "Image height in pixels" },
-              format: { type: "string", enum: ["png", "jpeg", "webp"] }
-            }
-          }
-        });
-        if (composition.templates && composition.templates.length > 0) {
-          for (const template of composition.templates.slice(0, 10)) {
-            tools.push({
-              name: `instantiate_${this.sanitizeToolName(template.name)}`,
-              description: `Instantiate the "${template.name}" template with custom properties`,
-              inputSchema: {
-                type: "object",
-                properties: {
-                  properties: {
-                    type: "object",
-                    description: "Template properties to override"
-                  },
-                  position: {
-                    type: "object",
-                    description: "Spatial position",
-                    properties: {
-                      x: { type: "number" },
-                      y: { type: "number" },
-                      z: { type: "number" }
-                    }
-                  }
-                }
-              }
-            });
-          }
-        }
-        if (composition.state) {
-          tools.push({
-            name: "update_state",
-            description: "Update composition state properties",
-            inputSchema: {
-              type: "object",
-              properties: {
-                updates: {
-                  type: "object",
-                  description: "State property updates"
-                }
-              }
-            }
-          });
-        }
-        tools.push({
-          name: "list_traits",
-          description: "List all traits used in this composition with their configurations",
-          inputSchema: {
-            type: "object",
-            properties: {
-              category: {
-                type: "string",
-                description: "Filter by trait category (visual, physics, audio, etc.)"
-              }
-            }
-          }
-        });
-        if (composition.objects && composition.objects.length > 0) {
-          tools.push({
-            name: "query_objects",
-            description: `Query scene objects by name, type, or trait (${composition.objects.length} objects available)`,
-            inputSchema: {
-              type: "object",
-              properties: {
-                name: { type: "string", description: "Filter by object name (glob pattern)" },
-                trait: { type: "string", description: "Filter by trait name" }
-              }
-            }
-          });
-        }
-        return tools;
-      }
-      // ===========================================================================
-      // MARKDOWN DOCUMENTATION GENERATION
-      // ===========================================================================
-      /**
-       * Generate comprehensive markdown documentation bundle
-       *
-       * Includes: composition metadata, scene graph, trait documentation,
-       * state management, logic handlers, MCP tool manifests, and compilation output.
-       */
-      generateMarkdownDocs(composition, targetName, compiledCode) {
-        const sections = [];
-        sections.push(`# ${composition.name || "HoloScript Composition"}`);
-        sections.push("");
-        sections.push(`**Target:** ${targetName}`);
-        sections.push(`**Generated:** ${(/* @__PURE__ */ new Date()).toISOString()}`);
-        sections.push(`**Version:** ${this.options.serviceVersion}`);
-        sections.push("");
-        sections.push("## Table of Contents");
-        sections.push("");
-        sections.push("- [Overview](#overview)");
-        sections.push("- [Scene Graph](#scene-graph)");
-        sections.push("- [Traits](#traits)");
-        if (composition.state) {
-          sections.push("- [State Management](#state-management)");
-        }
-        if (composition.logic) {
-          sections.push("- [Logic Handlers](#logic-handlers)");
-        }
-        sections.push("- [MCP Tool Manifest](#mcp-tool-manifest)");
-        sections.push("- [Compilation Output](#compilation-output)");
-        sections.push("");
-        sections.push("## Overview");
-        sections.push("");
-        sections.push(
-          `This composition contains ${composition.objects?.length || 0} objects, ${composition.lights?.length || 0} lights, and ${composition.spatialGroups?.length || 0} spatial groups.`
-        );
-        sections.push("");
-        if (composition.templates && composition.templates.length > 0) {
-          sections.push(`**Templates:** ${composition.templates.length}`);
-        }
-        if (composition.imports && composition.imports.length > 0) {
-          sections.push(`**Imports:** ${composition.imports.length}`);
-        }
-        if (composition.traitDefinitions && composition.traitDefinitions.length > 0) {
-          sections.push(`**Custom Traits:** ${composition.traitDefinitions.length}`);
-        }
-        sections.push("");
-        sections.push("## Scene Graph");
-        sections.push("");
-        if (composition.objects && composition.objects.length > 0) {
-          sections.push("### Objects");
-          sections.push("");
-          sections.push("| Name | Type | Position | Traits |");
-          sections.push("|------|------|----------|--------|");
-          for (const obj of composition.objects.slice(0, 20)) {
-            const objRec = obj;
-            const transform = objRec.transform;
-            const pos = objRec.position || transform?.position;
-            const posStr = pos ? `(${pos.x}, ${pos.y}, ${pos.z})` : "N/A";
-            const traitNames = obj.traits ? this.extractTraitNames(obj.traits).join(", ") || "none" : "none";
-            sections.push(`| ${obj.name} | ${this.getObjectType(obj)} | ${posStr} | ${traitNames} |`);
-          }
-          if (composition.objects.length > 20) {
-            sections.push(`| ... | ... | ... | *${composition.objects.length - 20} more objects* |`);
-          }
-          sections.push("");
-        }
-        if (composition.lights && composition.lights.length > 0) {
-          sections.push("### Lights");
-          sections.push("");
-          sections.push("| Name | Type |");
-          sections.push("|------|------|");
-          for (const light of composition.lights) {
-            const lightRec = light;
-            sections.push(`| ${light.name || "unnamed"} | ${lightRec.lightType || "unknown"} |`);
-          }
-          sections.push("");
-        }
-        const traits = this.extractTraits(composition);
-        if (traits.length > 0) {
-          sections.push("## Traits");
-          sections.push("");
-          sections.push(`This composition uses ${traits.length} unique traits:`);
-          sections.push("");
-          const traitsByCategory = this.groupTraitsByCategory(traits);
-          for (const [category, categoryTraits] of Object.entries(traitsByCategory)) {
-            sections.push(`### ${category}`);
-            sections.push("");
-            for (const trait of categoryTraits) {
-              sections.push(`- **${trait}**`);
-              if (this.options.includeTraitDocs) {
-                const doc = this.getTraitDocumentation(trait);
-                if (doc) {
-                  sections.push(`  ${doc}`);
-                }
-              }
-            }
-            sections.push("");
-          }
-        }
-        if (composition.traitDefinitions && composition.traitDefinitions.length > 0) {
-          sections.push("### Custom Trait Definitions");
-          sections.push("");
-          for (const traitDef of composition.traitDefinitions) {
-            const traitDefRec = traitDef;
-            const extendsClause = traitDefRec.extends ? ` extends ${traitDefRec.extends}` : "";
-            sections.push(`- **${traitDef.name}**${extendsClause}`);
-          }
-          sections.push("");
-        }
-        if (composition.state) {
-          sections.push("## State Management");
-          sections.push("");
-          sections.push("### State Properties");
-          sections.push("");
-          sections.push("| Property | Type | Default Value |");
-          sections.push("|----------|------|---------------|");
-          const stateObj = composition.state;
-          if (stateObj.properties) {
-            for (const prop of stateObj.properties) {
-              const typeOf = typeof prop.value;
-              const defaultValue = JSON.stringify(prop.value).substring(0, 50);
-              sections.push(`| ${prop.key} | ${typeOf} | ${defaultValue} |`);
-            }
-          } else {
-            for (const [key, value] of Object.entries(stateObj)) {
-              const typeOf = typeof value;
-              const defaultValue = JSON.stringify(value).substring(0, 50);
-              sections.push(`| ${key} | ${typeOf} | ${defaultValue} |`);
-            }
-          }
-          sections.push("");
-        }
-        if (composition.logic) {
-          sections.push("## Logic Handlers");
-          sections.push("");
-          const logic = composition.logic;
-          if (logic.on_start) {
-            sections.push("### on_start");
-            sections.push("");
-            sections.push("Executed when the composition initializes.");
-            sections.push("");
-          }
-          if (logic.on_update) {
-            sections.push("### on_update");
-            sections.push("");
-            sections.push("Executed every frame.");
-            sections.push("");
-          }
-        }
-        const mcpTools = this.extractMCPTools(composition, targetName);
-        sections.push("## MCP Tool Manifest");
-        sections.push("");
-        sections.push(
-          `This compilation exposes ${mcpTools.length} MCP tools for programmatic interaction:`
-        );
-        sections.push("");
-        sections.push("| Tool | Description | Input Schema |");
-        sections.push("|------|-------------|-------------|");
-        for (const tool of mcpTools) {
-          const schemaStr = tool.inputSchema ? "`" + JSON.stringify(Object.keys(tool.inputSchema.properties || {})) + "`" : "none";
-          sections.push(`| \`${tool.name}\` | ${tool.description} | ${schemaStr} |`);
-        }
-        sections.push("");
-        sections.push("### Discovery");
-        sections.push("");
-        sections.push(`Server card available at: \`${this.options.serviceUrl}/.well-known/mcp\``);
-        sections.push("");
-        sections.push("```json");
-        sections.push(`{`);
-        sections.push(`  "mcpVersion": "2025-03-26",`);
-        sections.push(`  "protocolVersion": "2025-06-18",`);
-        sections.push(`  "serverInfo": {`);
-        sections.push(
-          `    "name": "${this.sanitizeServiceName(composition.name || "holoscript-composition")}",`
-        );
-        sections.push(`    "version": "${this.options.serviceVersion}"`);
-        sections.push(`  }`);
-        sections.push(`}`);
-        sections.push("```");
-        sections.push("");
-        sections.push("## Compilation Output");
-        sections.push("");
-        if (typeof compiledCode === "string") {
-          const lineCount = compiledCode.split("\n").length;
-          sections.push(`Generated ${lineCount} lines of ${targetName} code.`);
-        } else {
-          sections.push(`Generated ${Object.keys(compiledCode).length} files:`);
-          sections.push("");
-          for (const [filename, content] of Object.entries(compiledCode)) {
-            const lineCount = content.split("\n").length;
-            sections.push(`- **${filename}** (${lineCount} lines)`);
-          }
-        }
-        sections.push("");
-        sections.push("---");
-        sections.push("");
-        sections.push("*Generated by HoloScript Compiler Documentation Generator v2.0.0*");
-        sections.push("");
-        return sections.join("\n");
-      }
-      // ===========================================================================
-      // HELPER METHODS
-      // ===========================================================================
-      /**
-       * Extract trait names from a traits field.
-       *
-       * Handles both formats:
-       * - HoloObjectTrait[] (canonical parser output: array of { name, config })
-       * - Map<string, unknown> (R3F compiler output: Map with trait names as keys)
-       */
-      extractTraitNames(traits) {
-        if (!traits) return [];
-        if (traits instanceof Map) {
-          return Array.from(traits.keys());
-        }
-        if (Array.isArray(traits)) {
-          return traits.map((t) => typeof t === "string" ? t : t?.name).filter((name) => typeof name === "string");
-        }
-        return [];
-      }
-      /**
-       * Extract all unique traits from a composition
-       */
-      extractTraits(composition) {
-        const traitSet = /* @__PURE__ */ new Set();
-        if (composition.objects) {
-          for (const obj of composition.objects) {
-            for (const name of this.extractTraitNames(obj.traits)) {
-              traitSet.add(name);
-            }
-          }
-        }
-        if (composition.templates) {
-          for (const template of composition.templates) {
-            for (const name of this.extractTraitNames(template.traits)) {
-              traitSet.add(name);
-            }
-          }
-        }
-        return Array.from(traitSet).sort();
-      }
-      /**
-       * Group traits by category (visual, physics, audio, etc.)
-       */
-      groupTraitsByCategory(traits) {
-        const categories = {
-          Visual: [],
-          Physics: [],
-          Audio: [],
-          Interaction: [],
-          AI: [],
-          Animation: [],
-          Network: [],
-          Other: []
-        };
-        for (const trait of traits) {
-          const category = this.categorizeTrait(trait);
-          categories[category].push(trait);
-        }
-        return Object.fromEntries(
-          Object.entries(categories).filter(([_, traits2]) => traits2.length > 0)
-        );
-      }
-      /**
-       * Categorize a trait by name pattern
-       */
-      categorizeTrait(trait) {
-        if (!trait) return "Other";
-        const lower = trait.toLowerCase();
-        if (lower.includes("material") || lower.includes("color") || lower.includes("texture") || lower.includes("glow") || lower.includes("emissive") || lower.includes("shader") || lower.includes("pbr") || lower.includes("light") || lower.includes("shadow") || lower.includes("fog") || lower.includes("transparency") || lower.includes("opacity")) {
-          return "Visual";
-        }
-        if (lower.includes("physics") || lower.includes("collider") || lower.includes("rigidbody") || lower.includes("gravity") || lower.includes("fluid") || lower.includes("constraint") || lower.includes("joint")) {
-          return "Physics";
-        }
-        if (lower.includes("audio") || lower.includes("sound") || lower.includes("music") || lower.includes("spatial_audio")) {
-          return "Audio";
-        }
-        if (lower.includes("clickable") || lower.includes("draggable") || lower.includes("interactive") || lower.includes("hover") || lower.includes("grab") || lower.includes("pointer") || lower.includes("selectable")) {
-          return "Interaction";
-        }
-        if (lower.includes("ai") || lower.includes("npc") || lower.includes("behavior") || lower.includes("pathfinding") || lower.includes("agent") || lower.includes("decision")) {
-          return "AI";
-        }
-        if (lower.includes("anim") || lower.includes("rotate") || lower.includes("move") || lower.includes("orbit") || lower.includes("keyframe") || lower.includes("tween") || lower.includes("spring")) {
-          return "Animation";
-        }
-        if (lower.includes("network") || lower.includes("sync") || lower.includes("multiplayer") || lower.includes("replicated") || lower.includes("authority") || lower.includes("lobby")) {
-          return "Network";
-        }
-        return "Other";
-      }
-      /**
-       * Get documentation string for a trait (stub - can be extended with trait metadata)
-       */
-      getTraitDocumentation(_trait) {
-        return null;
-      }
-      /**
-       * Sanitize composition name for use as a service name
-       */
-      sanitizeServiceName(name) {
-        return name.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
-      }
-      /**
-       * Sanitize template name for use as a tool name
-       */
-      sanitizeToolName(name) {
-        return name.toLowerCase().replace(/[^a-z0-9_]/g, "_").replace(/_+/g, "_").replace(/^_|_$/g, "");
-      }
-    };
-  }
-});
-
-// src/compiler/identity/CapabilityRBAC.ts
-function getCapabilityRBAC(config) {
-  if (!globalCapabilityRBAC) {
-    globalCapabilityRBAC = new CapabilityRBAC(config);
-  }
-  return globalCapabilityRBAC;
-}
-var RESOURCE_TYPE_TO_URI, OPERATION_TO_ACTION_SUFFIX, CapabilityRBAC, globalCapabilityRBAC;
-var init_CapabilityRBAC = __esm({
-  "src/compiler/identity/CapabilityRBAC.ts"() {
-    init_AgentRBAC();
-    init_CapabilityToken();
-    init_CapabilityTokenIssuer();
-    RESOURCE_TYPE_TO_URI = {
-      ["source_file" /* SOURCE_FILE */]: `${HOLOSCRIPT_RESOURCE_SCHEME}source`,
-      ["ast" /* AST */]: `${HOLOSCRIPT_RESOURCE_SCHEME}ast`,
-      ["ir" /* IR */]: `${HOLOSCRIPT_RESOURCE_SCHEME}ir`,
-      ["code" /* CODE */]: `${HOLOSCRIPT_RESOURCE_SCHEME}code`,
-      ["output" /* OUTPUT */]: `${HOLOSCRIPT_RESOURCE_SCHEME}output`,
-      ["config" /* CONFIG */]: `${HOLOSCRIPT_RESOURCE_SCHEME}config`
-    };
-    OPERATION_TO_ACTION_SUFFIX = {
-      read: "read",
-      write: "write",
-      execute: "execute",
-      transform: "transform"
-    };
-    CapabilityRBAC = class {
-      constructor(config = {}) {
-        this.denialCounter = 0;
-        this.rbac = config.rbac ?? getRBAC();
-        this.capabilityIssuer = config.capabilityIssuer ?? getCapabilityTokenIssuer();
-        this.strategy = config.strategy ?? "capability-first";
-        this.semantics = new HoloScriptCapabilitySemantics();
-      }
-      buildDenialReceipt(request, deniedBy, opts) {
-        const resourceUri = request.resourceType ? this.buildResourceUri(request.resourceType, request.resourcePath) : "unknown";
-        const action = request.resourceType && request.operation ? this.buildAction(request.resourceType, request.operation) : request.operation || "unknown";
-        return {
-          auditId: `deny-${++this.denialCounter}-${Date.now()}`,
-          deniedAction: action,
-          requestedResource: resourceUri,
-          deniedBy,
-          requiredCapability: opts?.requiredCapability,
-          suggestedFix: opts?.suggestedFix,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        };
-      }
-      // -----------------------------------------------------------------------
-      // Core access check
-      // -----------------------------------------------------------------------
-      /**
-       * Check access using dual-mode resolution.
-       *
-       * Depending on the configured strategy, this will try JWT and/or UCAN
-       * verification and return the result.
-       */
-      checkAccess(request) {
-        const hasCapability = !!request.capabilityToken && !!request.issuerPublicKey;
-        const hasJwt = !!request.token;
-        switch (this.strategy) {
-          case "capability-only":
-            if (!hasCapability) {
-              return {
-                allowed: false,
-                reason: "Capability token required (strategy: capability-only)",
-                mode: "capability",
-                denial: this.buildDenialReceipt(request, "no-token", {
-                  suggestedFix: "Provide a UCAN capability token with issuerPublicKey"
-                })
-              };
-            }
-            return this.checkCapability(request);
-          case "rbac-only":
-            if (!hasJwt) {
-              return {
-                allowed: false,
-                reason: "JWT token required (strategy: rbac-only)",
-                mode: "rbac",
-                denial: this.buildDenialReceipt(request, "no-token", {
-                  suggestedFix: "Provide a JWT RBAC token"
-                })
-              };
-            }
-            return this.checkRBAC(request);
-          case "rbac-first":
-            if (hasJwt) {
-              const rbacResult = this.checkRBAC(request);
-              if (rbacResult.allowed) return rbacResult;
-            }
-            if (hasCapability) {
-              return this.checkCapability(request);
-            }
-            return {
-              allowed: false,
-              reason: "No valid token provided",
-              mode: "rbac",
-              denial: this.buildDenialReceipt(request, "no-token", {
-                suggestedFix: "Provide a JWT token or UCAN capability token"
-              })
-            };
-          case "capability-first":
-          default:
-            if (hasCapability) {
-              const capResult = this.checkCapability(request);
-              if (capResult.allowed) return capResult;
-            }
-            if (hasJwt) {
-              return this.checkRBAC(request);
-            }
-            return {
-              allowed: false,
-              reason: "No valid token provided",
-              mode: "capability",
-              denial: this.buildDenialReceipt(request, "no-token", {
-                suggestedFix: "Provide a UCAN capability token or JWT token"
-              })
-            };
-        }
-      }
-      // -----------------------------------------------------------------------
-      // UCAN capability check
-      // -----------------------------------------------------------------------
-      /**
-       * Verify access using a UCAN capability token.
-       */
-      checkCapability(request) {
-        const { capabilityToken, issuerPublicKey, resourceType, operation, resourcePath } = request;
-        if (!capabilityToken || !issuerPublicKey) {
-          return {
-            allowed: false,
-            reason: "Missing capability token or issuer public key",
-            mode: "capability",
-            denial: this.buildDenialReceipt(request, "capability", {
-              suggestedFix: "Provide both capabilityToken and issuerPublicKey"
-            })
-          };
-        }
-        const verification = this.capabilityIssuer.verify(capabilityToken, issuerPublicKey);
-        if (!verification.valid) {
-          return {
-            allowed: false,
-            reason: `Capability token verification failed: ${verification.error}`,
-            mode: "capability",
-            capabilityVerification: verification,
-            denial: this.buildDenialReceipt(request, "capability", {
-              requiredCapability: "valid-signature",
-              suggestedFix: `Re-issue capability token: ${verification.error}`
-            })
-          };
-        }
-        if (verification.chain && !verification.chain.verified) {
-          return {
-            allowed: false,
-            reason: "Capability token chain verification failed (attenuation invariant violation)",
-            mode: "capability",
-            capabilityVerification: verification,
-            errorCode: "ATTENUATION_VIOLATION",
-            denial: this.buildDenialReceipt(request, "capability", {
-              requiredCapability: "valid-attenuation-chain",
-              suggestedFix: "Ensure delegated capabilities do not exceed parent scope"
-            })
-          };
-        }
-        const resourceUri = this.buildResourceUri(resourceType, resourcePath);
-        const action = this.buildAction(resourceType, operation);
-        const matchedCapability = capabilityToken.payload.att.find(
-          (cap) => this.semantics.canAccess(cap, resourceUri, action)
-        );
-        if (!matchedCapability) {
-          return {
-            allowed: false,
-            reason: `No capability grants access to resource "${resourceUri}" with action "${action}"`,
-            mode: "capability",
-            capabilityVerification: verification,
-            denial: this.buildDenialReceipt(request, "capability", {
-              requiredCapability: `${resourceUri}#${action}`,
-              suggestedFix: `Add capability { with: "${resourceUri}", can: "${action}" } to token`
-            })
-          };
-        }
-        return {
-          allowed: true,
-          mode: "capability",
-          matchedCapability,
-          capabilityVerification: verification
-        };
-      }
-      // -----------------------------------------------------------------------
-      // Legacy JWT RBAC check (delegates to existing AgentRBAC)
-      // -----------------------------------------------------------------------
-      /**
-       * Verify access using the legacy JWT RBAC system.
-       */
-      checkRBAC(request) {
-        const decision = this.rbac.checkAccess(request);
-        const result = {
-          ...decision,
-          mode: "rbac"
-        };
-        if (!decision.allowed) {
-          result.denial = this.buildDenialReceipt(request, "rbac", {
-            requiredCapability: `${request.resourceType}/${request.operation}`,
-            suggestedFix: decision.reason ? `RBAC denied: ${decision.reason}` : "Ensure JWT token grants the required role/permission"
-          });
-        }
-        return result;
-      }
-      // -----------------------------------------------------------------------
-      // URI / action building
-      // -----------------------------------------------------------------------
-      /**
-       * Build a UCAN resource URI from a ResourceType and optional path.
-       */
-      buildResourceUri(resourceType, resourcePath) {
-        const base = RESOURCE_TYPE_TO_URI[resourceType];
-        if (resourcePath) {
-          return `${base}/${resourcePath}`;
-        }
-        return base;
-      }
-      /**
-       * Build a UCAN action string from a ResourceType and operation.
-       */
-      buildAction(resourceType, operation) {
-        const prefixMap = {
-          ["source_file" /* SOURCE_FILE */]: "source",
-          ["ast" /* AST */]: "ast",
-          ["ir" /* IR */]: "ir",
-          ["code" /* CODE */]: "code",
-          ["output" /* OUTPUT */]: "output",
-          ["config" /* CONFIG */]: "config"
-        };
-        const prefix = prefixMap[resourceType];
-        const suffix = OPERATION_TO_ACTION_SUFFIX[operation] ?? operation;
-        return `${prefix}/${suffix}`;
-      }
-      // -----------------------------------------------------------------------
-      // Convenience methods (matching AgentRBAC API)
-      // -----------------------------------------------------------------------
-      /**
-       * Check if agent can read source (dual-mode).
-       */
-      canReadSource(tokenOrCapability, filePath) {
-        if (typeof tokenOrCapability === "string") {
-          return this.checkAccess({
-            token: tokenOrCapability,
-            resourceType: "source_file" /* SOURCE_FILE */,
-            operation: "read",
-            resourcePath: filePath
-          });
-        }
-        return this.checkAccess({
-          token: "",
-          capabilityToken: tokenOrCapability.token,
-          issuerPublicKey: tokenOrCapability.publicKey,
-          resourceType: "source_file" /* SOURCE_FILE */,
-          operation: "read",
-          resourcePath: filePath
-        });
-      }
-      /**
-       * Check if agent can modify AST (dual-mode).
-       */
-      canModifyAST(tokenOrCapability) {
-        if (typeof tokenOrCapability === "string") {
-          return this.checkAccess({
-            token: tokenOrCapability,
-            resourceType: "ast" /* AST */,
-            operation: "write"
-          });
-        }
-        return this.checkAccess({
-          token: "",
-          capabilityToken: tokenOrCapability.token,
-          issuerPublicKey: tokenOrCapability.publicKey,
-          resourceType: "ast" /* AST */,
-          operation: "write"
-        });
-      }
-      /**
-       * Check if agent can generate code (dual-mode).
-       */
-      canGenerateCode(tokenOrCapability) {
-        if (typeof tokenOrCapability === "string") {
-          return this.checkAccess({
-            token: tokenOrCapability,
-            resourceType: "code" /* CODE */,
-            operation: "write"
-          });
-        }
-        return this.checkAccess({
-          token: "",
-          capabilityToken: tokenOrCapability.token,
-          issuerPublicKey: tokenOrCapability.publicKey,
-          resourceType: "code" /* CODE */,
-          operation: "write"
-        });
-      }
-      /**
-       * Check if agent can export output (dual-mode).
-       */
-      canExport(tokenOrCapability, outputPath) {
-        if (typeof tokenOrCapability === "string") {
-          return this.checkAccess({
-            token: tokenOrCapability,
-            resourceType: "output" /* OUTPUT */,
-            operation: "write",
-            resourcePath: outputPath
-          });
-        }
-        return this.checkAccess({
-          token: "",
-          capabilityToken: tokenOrCapability.token,
-          issuerPublicKey: tokenOrCapability.publicKey,
-          resourceType: "output" /* OUTPUT */,
-          operation: "write",
-          resourcePath: outputPath
-        });
-      }
-      // -----------------------------------------------------------------------
-      // Accessors
-      // -----------------------------------------------------------------------
-      /**
-       * Get the underlying AgentRBAC instance.
-       */
-      getRBAC() {
-        return this.rbac;
-      }
-      /**
-       * Get the CapabilityTokenIssuer instance.
-       */
-      getCapabilityIssuer() {
-        return this.capabilityIssuer;
-      }
-      /**
-       * Get the current resolution strategy.
-       */
-      getStrategy() {
-        return this.strategy;
-      }
-    };
-    globalCapabilityRBAC = null;
-  }
-});
-
-// src/compiler/identity/SpatialMemoryZones.ts
-function getSpatialZoneEnforcer(config) {
-  if (!globalSpatialZoneEnforcer) {
-    globalSpatialZoneEnforcer = new SpatialZoneEnforcer(config);
-  }
-  return globalSpatialZoneEnforcer;
-}
-var SpatialZoneEnforcer, globalSpatialZoneEnforcer;
-var init_SpatialMemoryZones = __esm({
-  "src/compiler/identity/SpatialMemoryZones.ts"() {
-    init_AgentTokenIssuer();
-    SpatialZoneEnforcer = class {
-      constructor(config = {}) {
-        this.zones = /* @__PURE__ */ new Map();
-        this.policies = /* @__PURE__ */ new Map();
-        this.auditLog = [];
-        this.tokenIssuer = config.tokenIssuer ?? getTokenIssuer();
-        this.maxAuditEntries = config.maxAuditEntries ?? 1e4;
-      }
-      // -----------------------------------------------------------------------
-      // Zone Management
-      // -----------------------------------------------------------------------
-      /**
-       * Register a spatial zone.
-       */
-      registerZone(zone) {
-        this.zones.set(zone.id, zone);
-      }
-      /**
-       * Get a registered zone by ID.
-       */
-      getZone(zoneId) {
-        return this.zones.get(zoneId);
-      }
-      /**
-       * Remove a registered zone and its policy.
-       */
-      removeZone(zoneId) {
-        this.policies.delete(zoneId);
-        return this.zones.delete(zoneId);
-      }
-      /**
-       * Get all registered zone IDs.
-       */
-      getRegisteredZoneIds() {
-        return Array.from(this.zones.keys());
-      }
-      // -----------------------------------------------------------------------
-      // Policy Management
-      // -----------------------------------------------------------------------
-      /**
-       * Set the access policy for a zone.
-       */
-      setPolicy(policy) {
-        if (!this.zones.has(policy.zoneId)) {
-          throw new Error(`Cannot set policy for unregistered zone: ${policy.zoneId}`);
-        }
-        this.policies.set(policy.zoneId, policy);
-      }
-      /**
-       * Get the policy for a zone.
-       */
-      getPolicy(zoneId) {
-        return this.policies.get(zoneId);
-      }
-      // -----------------------------------------------------------------------
-      // Access Checks
-      // -----------------------------------------------------------------------
-      /**
-       * Check if an agent (identified by JWT token) can perform a spatial
-       * operation in a given zone.
-       *
-       * @param agentToken  JWT token issued by `AgentTokenIssuer`
-       * @param zoneId      Target zone identifier
-       * @param operation   The spatial permission required
-       * @returns           Access decision with reason
-       */
-      checkZoneAccess(agentToken, zoneId, operation) {
-        const verificationResult = this.tokenIssuer.verifyToken(agentToken);
-        if (!verificationResult.valid || !verificationResult.payload) {
-          const decision2 = {
-            allowed: false,
-            reason: `Token verification failed: ${verificationResult.error ?? "unknown error"}`
-          };
-          this.recordAudit("unknown", "unknown", zoneId, operation, false, decision2.reason);
-          return decision2;
-        }
-        const payload = verificationResult.payload;
-        const agentId = payload.sub;
-        const agentRole = payload.agent_role;
-        const zone = this.zones.get(zoneId);
-        if (!zone) {
-          const decision2 = {
-            allowed: false,
-            reason: `Zone not found: ${zoneId}`,
-            agentRole,
-            agentId
-          };
-          this.recordAudit(agentId, agentRole, zoneId, operation, false, decision2.reason);
-          return decision2;
-        }
-        const grantedPermissions = this.resolvePermissions(agentId, agentRole, zoneId, zone);
-        const allowed = grantedPermissions.includes(operation);
-        const reason = allowed ? `Access granted: agent ${agentId} has ${operation} in zone ${zoneId}` : `Access denied: agent ${agentId} lacks ${operation} in zone ${zoneId}`;
-        const decision = {
-          allowed,
-          reason,
-          agentRole,
-          agentId
-        };
-        this.recordAudit(agentId, agentRole, zoneId, operation, allowed, reason);
-        return decision;
-      }
-      /**
-       * Get all zone IDs that an agent can access (for at least one operation).
-       *
-       * @param agentToken  JWT token
-       * @returns           Array of accessible zone IDs
-       */
-      getAccessibleZones(agentToken) {
-        const verificationResult = this.tokenIssuer.verifyToken(agentToken);
-        if (!verificationResult.valid || !verificationResult.payload) {
-          return [];
-        }
-        const payload = verificationResult.payload;
-        const agentId = payload.sub;
-        const agentRole = payload.agent_role;
-        const accessibleZones = [];
-        for (const [zoneId, zone] of this.zones) {
-          const permissions = this.resolvePermissions(agentId, agentRole, zoneId, zone);
-          if (permissions.length > 0) {
-            accessibleZones.push(zoneId);
-          }
-        }
-        return accessibleZones;
-      }
-      /**
-       * Validate whether an agent can perform a spatial operation at a
-       * specific 3D position. The position is checked against all registered
-       * zones to find the enclosing zone(s), then permissions are evaluated.
-       *
-       * @param agentToken  JWT token
-       * @param position    3D position to check
-       * @param operation   Required spatial permission
-       * @returns           Access decision (aggregated across matching zones)
-       */
-      validateSpatialOperation(agentToken, position, operation) {
-        const verificationResult = this.tokenIssuer.verifyToken(agentToken);
-        if (!verificationResult.valid || !verificationResult.payload) {
-          const decision2 = {
-            allowed: false,
-            reason: `Token verification failed: ${verificationResult.error ?? "unknown error"}`
-          };
-          this.recordAudit("unknown", "unknown", "*position*", operation, false, decision2.reason);
-          return decision2;
-        }
-        const payload = verificationResult.payload;
-        const agentId = payload.sub;
-        const agentRole = payload.agent_role;
-        const containingZones = this.findZonesContainingPosition(position);
-        if (containingZones.length === 0) {
-          const decision2 = {
-            allowed: false,
-            reason: `No registered zone contains position (${position.x}, ${position.y}, ${position.z})`,
-            agentRole,
-            agentId
-          };
-          this.recordAudit(agentId, agentRole, "*no-zone*", operation, false, decision2.reason);
-          return decision2;
-        }
-        for (const zone of containingZones) {
-          const permissions = this.resolvePermissions(agentId, agentRole, zone.id, zone);
-          if (permissions.includes(operation)) {
-            const decision2 = {
-              allowed: true,
-              reason: `Access granted via zone ${zone.id} at position (${position.x}, ${position.y}, ${position.z})`,
-              agentRole,
-              agentId
-            };
-            this.recordAudit(agentId, agentRole, zone.id, operation, true, decision2.reason);
-            return decision2;
-          }
-        }
-        const zoneIds = containingZones.map((z) => z.id).join(", ");
-        const decision = {
-          allowed: false,
-          reason: `Access denied in all containing zones [${zoneIds}] at position (${position.x}, ${position.y}, ${position.z})`,
-          agentRole,
-          agentId
-        };
-        this.recordAudit(agentId, agentRole, containingZones[0].id, operation, false, decision.reason);
-        return decision;
-      }
-      // -----------------------------------------------------------------------
-      // Audit Trail
-      // -----------------------------------------------------------------------
-      /**
-       * Get the full GDPR audit trail.
-       */
-      getAuditLog() {
-        return this.auditLog;
-      }
-      /**
-       * Get audit entries for a specific agent (GDPR data subject access).
-       */
-      getAuditEntriesForAgent(agentId) {
-        return this.auditLog.filter((entry) => entry.agentId === agentId);
-      }
-      /**
-       * Get audit entries for a specific zone.
-       */
-      getAuditEntriesForZone(zoneId) {
-        return this.auditLog.filter((entry) => entry.zoneId === zoneId);
-      }
-      /**
-       * Clear audit entries for a specific agent (GDPR right-to-erasure).
-       *
-       * @returns Number of entries removed
-       */
-      eraseAuditEntriesForAgent(agentId) {
-        const before = this.auditLog.length;
-        this.auditLog = this.auditLog.filter((entry) => entry.agentId !== agentId);
-        return before - this.auditLog.length;
-      }
-      /**
-       * Clear all audit entries.
-       */
-      clearAuditLog() {
-        this.auditLog = [];
-      }
-      // -----------------------------------------------------------------------
-      // Internal Helpers
-      // -----------------------------------------------------------------------
-      /**
-       * Resolve the effective spatial permissions for an agent in a zone.
-       *
-       * Resolution order:
-       * 1. Agent-specific overrides (highest priority)
-       * 2. Role-based permissions from policy
-       * 3. Policy default permissions
-       * 4. Classification-based fallback (if no policy exists)
-       */
-      resolvePermissions(agentId, agentRole, zoneId, zone) {
-        const policy = this.policies.get(zoneId);
-        if (policy) {
-          if (policy.agentOverrides[agentId]) {
-            return policy.agentOverrides[agentId];
-          }
-          if (policy.rolePermissions[agentRole]) {
-            return policy.rolePermissions[agentRole];
-          }
-          return policy.defaultPermissions;
-        }
-        return this.getClassificationDefaults(zone.classification);
-      }
-      /**
-       * Get default permissions based on zone classification.
-       */
-      getClassificationDefaults(classification) {
-        switch (classification) {
-          case "public":
-            return ["spatial:read" /* SPATIAL_READ */];
-          case "restricted":
-            return ["spatial:read" /* SPATIAL_READ */];
-          case "private":
-            return [];
-          case "sensitive":
-            return [];
-          default:
-            return [];
-        }
-      }
-      /**
-       * Find all zones whose bounds contain the given position.
-       *
-       * Named zones (no explicit bounds) are NOT included in positional
-       * lookups because their bounds are resolved at runtime.
-       */
-      findZonesContainingPosition(position) {
-        const result = [];
-        for (const zone of this.zones.values()) {
-          if (!zone.bounds) continue;
-          if (this.isPositionInBounds(position, zone.bounds)) {
-            result.push(zone);
-          }
-        }
-        return result;
-      }
-      /**
-       * Check if a 3D position is within the given bounds.
-       *
-       * For geospatial bounds: x=lat, y=lon, z=alt
-       * For local bounds: x=X, y=Y, z=Z
-       * Named bounds always return false (resolved at runtime).
-       */
-      isPositionInBounds(position, bounds) {
-        switch (bounds.type) {
-          case "geospatial": {
-            const inLat = position.x >= bounds.minLat && position.x <= bounds.maxLat;
-            const inLon = position.y >= bounds.minLon && position.y <= bounds.maxLon;
-            let inAlt = true;
-            if (bounds.minAlt !== void 0 && bounds.maxAlt !== void 0) {
-              inAlt = position.z >= bounds.minAlt && position.z <= bounds.maxAlt;
-            }
-            return inLat && inLon && inAlt;
-          }
-          case "local": {
-            return position.x >= bounds.minX && position.x <= bounds.maxX && position.y >= bounds.minY && position.y <= bounds.maxY && position.z >= bounds.minZ && position.z <= bounds.maxZ;
-          }
-          case "named":
-            return false;
-          default:
-            return false;
-        }
-      }
-      /**
-       * Record a GDPR audit entry.
-       */
-      recordAudit(agentId, agentRole, zoneId, operation, allowed, reason) {
-        const entry = {
-          timestamp: Date.now(),
-          agentId,
-          agentRole,
-          zoneId,
-          operation,
-          allowed,
-          reason
-        };
-        this.auditLog.push(entry);
-        if (this.auditLog.length > this.maxAuditEntries) {
-          this.auditLog = this.auditLog.slice(-this.maxAuditEntries);
-        }
-      }
-    };
-    globalSpatialZoneEnforcer = null;
-  }
-});
-
-// src/compiler/CompilerBase.ts
-function isCapabilityTokenCredential(token) {
-  if (!token || typeof token === "string") return false;
-  return typeof token === "object" && "capabilityToken" in token && "issuerPublicKey" in token && token.capabilityToken != null && typeof token.issuerPublicKey === "string";
-}
-function escapeCStyle(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/\0/g, "\\0");
-}
-function escapeGDScript(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\t/g, "\\t").replace(/\0/g, "");
-}
-function escapeJSX(value) {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/\{/g, "&#123;").replace(/\}/g, "&#125;");
-}
-function escapeXML(value) {
-  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
-}
-function escapeShader(value) {
-  return value.replace(/\\/g, "").replace(/\*/g, "").replace(/\//g, "").replace(/#/g, "").replace(/\n/g, " ").replace(/\r/g, "");
-}
-function escapePython(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/\0/g, "\\x00");
-}
-function escapeLua(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\0/g, "\\0");
-}
-function escapeUSD(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r");
-}
-function escapeJSON(value) {
-  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/[\x00-\x1f]/g, (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
-}
-function escapeStringValue(value, target) {
-  if (!value) return value;
-  switch (target) {
-    case "Solidity":
-    case "CSharp":
-    case "Swift":
-    case "Kotlin":
-    case "TypeScript":
-    case "Rust":
-      return escapeCStyle(value);
-    case "GDScript":
-      return escapeGDScript(value);
-    case "JSX":
-      return escapeJSX(value);
-    case "XML":
-      return escapeXML(value);
-    case "GLSL":
-    case "HLSL":
-    case "WGSL":
-      return escapeShader(value);
-    case "Python":
-      return escapePython(value);
-    case "Lua":
-      return escapeLua(value);
-    case "USD":
-      return escapeUSD(value);
-    case "JSON":
-      return escapeJSON(value);
-    default:
-      return value;
-  }
-}
-function createTestCompilerToken() {
-  return "";
-}
-var COMPILER_CLASS_TO_ANS_NAME, UnauthorizedCompilerAccessError, CompilerBase;
-var init_CompilerBase = __esm({
-  "src/compiler/CompilerBase.ts"() {
-    init_AgentRBAC();
-    init_CapabilityRBAC();
-    init_ANSNamespace();
-    init_SpatialMemoryZones();
-    init_CompilerDocumentationGenerator();
-    COMPILER_CLASS_TO_ANS_NAME = {
-      UnityCompiler: "unity",
-      UnrealCompiler: "unreal",
-      GodotCompiler: "godot",
-      VRChatCompiler: "vrchat",
-      OpenXRCompiler: "openxr",
-      OpenXRSpatialEntitiesCompiler: "openxr-spatial-entities",
-      VisionOSCompiler: "visionos",
-      ARCompiler: "ar",
-      AndroidXRCompiler: "android-xr",
-      AIGlassesCompiler: "ai-glasses",
-      AndroidCompiler: "android",
-      IOSCompiler: "ios",
-      BabylonCompiler: "babylon",
-      WebGPUCompiler: "webgpu",
-      R3FCompiler: "r3f",
-      PlayCanvasCompiler: "playcanvas",
-      WASMCompiler: "wasm",
-      TSLCompiler: "tsl",
-      URDFCompiler: "urdf",
-      SDFCompiler: "sdf",
-      USDPhysicsCompiler: "usd",
-      GLTFPipeline: "gltf",
-      DTDLCompiler: "dtdl",
-      NFTMarketplaceCompiler: "nft-marketplace",
-      SCMCompiler: "scm",
-      VRRCompiler: "vrr",
-      A2AAgentCardCompiler: "a2a-agent-card",
-      MultiLayerCompiler: "multi-layer",
-      IncrementalCompiler: "incremental",
-      StateCompiler: "state",
-      TraitCompositionCompiler: "trait-composition",
-      DomainBlockCompilerMixin: "domain-block",
-      NIRCompiler: "nir",
-      URDFToUSDZConverter: "urdf",
-      QuiltCompiler: "quilt",
-      MVHEVCCompiler: "mv-hevc",
-      NodeServiceCompiler: "node-service",
-      AgentInferenceCompiler: "agent-inference"
-    };
-    UnauthorizedCompilerAccessError = class extends Error {
-      constructor(decision, operation, compilerName) {
-        super(
-          `[${compilerName}] Unauthorized ${operation}: ${decision.reason || "Access denied"}
-Agent Role: ${decision.agentRole || "unknown"}
-Required Permission: ${decision.requiredPermission || "unknown"}`
-        );
-        this.decision = decision;
-        this.operation = operation;
-        this.compilerName = compilerName;
-        this.name = "UnauthorizedCompilerAccessError";
-      }
-    };
-    CompilerBase = class {
-      constructor() {
-        this.rbac = getRBAC();
-        /**
-         * Lazy-initialized CapabilityRBAC adapter for UCAN token verification.
-         * Only created when a UCAN capability token is first encountered.
-         */
-        this._capabilityRBAC = null;
-        /**
-         * Lazy-initialized SpatialZoneEnforcer for compile-time spatial zone checks.
-         * Only created when spatial zone validation is first invoked.
-         */
-        this._spatialZoneEnforcer = null;
-        /**
-         * Lazy-initialized documentation generator for triple-output compilation.
-         * Only created when generateDocs option is enabled.
-         */
-        this._documentationGenerator = null;
-      }
-      /**
-       * Sanitizes a string value for injection into a specific compiler target language.
-       * Mitigates Cross-Agent Compilation Injection attacks (e.g. CWE-94).
-       *
-       * @param value The raw string value from the AST
-       * @param target The compilation target language
-       * @returns The escaped/sanitized string safe for interpolation
-       */
-      escapeStringValue(value, target) {
-        return escapeStringValue(value, target);
-      }
-      // =========================================================================
-      // P3 Migration Bridge: Dual-mode token support
-      // =========================================================================
-      /**
-       * Get or create the CapabilityRBAC adapter instance.
-       *
-       * Lazily initialized to avoid overhead when only JWT tokens are used.
-       */
-      getCapabilityRBAC() {
-        if (!this._capabilityRBAC) {
-          this._capabilityRBAC = getCapabilityRBAC();
-        }
-        return this._capabilityRBAC;
-      }
-      /**
-       * Get or create the SpatialZoneEnforcer instance.
-       *
-       * Lazily initialized to avoid overhead when spatial zones are not in use.
-       */
-      getSpatialZoneEnforcer() {
-        if (!this._spatialZoneEnforcer) {
-          this._spatialZoneEnforcer = getSpatialZoneEnforcer();
-        }
-        return this._spatialZoneEnforcer;
-      }
-      /**
-       * Get or create the CompilerDocumentationGenerator instance.
-       *
-       * Lazily initialized to avoid overhead when documentation generation is disabled.
-       *
-       * @param options - Documentation generator options
-       */
-      getDocumentationGenerator(options) {
-        if (!this._documentationGenerator) {
-          this._documentationGenerator = new CompilerDocumentationGenerator(options);
-        }
-        return this._documentationGenerator;
-      }
-      /**
-       * Generate triple-output documentation for a compilation result.
-       *
-       * This is a utility method that subclasses can call after successful compilation
-       * to generate llms.txt, .well-known/mcp, and markdown documentation.
-       *
-       * @param composition - Parsed HoloScript composition AST
-       * @param compiledCode - The compiled output code
-       * @param options - Documentation generator options
-       * @returns Triple-output documentation bundle
-       *
-       * @example
-       * ```typescript
-       * compile(composition: HoloComposition, agentToken: string, options?: MyCompilerOptions): CompilationResult {
-       *   this.validateCompilerAccess(agentToken);
-       *   const code = this.performCompilation(composition);
-       *
-       *   if (options?.generateDocs) {
-       *     const docs = this.generateDocumentation(composition, code, options.docsOptions);
-       *     return { output: code, documentation: docs };
-       *   }
-       *
-       *   return { output: code };
-       * }
-       * ```
-       */
-      generateDocumentation(composition, compiledCode, options) {
-        const generator = this.getDocumentationGenerator(options);
-        return generator.generate(composition, this.compilerName, compiledCode);
-      }
-      /**
-       * Get the ANS capability namespace path for this compiler.
-       *
-       * Subclasses MAY override this to specify their exact ANS namespace.
-       * The default implementation derives it from `compilerName` using the
-       * `COMPILER_CLASS_TO_ANS_NAME` lookup table.
-       *
-       * @returns The ANS capability path (e.g., "/compile/web3d/r3f"), or
-       *          `undefined` if the compiler has no registered ANS namespace.
-       *
-       * @example
-       * ```typescript
-       * // Default: derives from compilerName
-       * class R3FCompiler extends CompilerBase {
-       *   protected readonly compilerName = 'R3FCompiler';
-       *   // getRequiredCapability() returns '/compile/web3d/r3f' automatically
-       * }
-       *
-       * // Override: explicit namespace
-       * class CustomCompiler extends CompilerBase {
-       *   protected readonly compilerName = 'CustomCompiler';
-       *   protected getRequiredCapability(): string | undefined {
-       *     return '/compile/web3d/r3f';
-       *   }
-       * }
-       * ```
-       */
-      getRequiredCapability() {
-        const ansName = COMPILER_CLASS_TO_ANS_NAME[this.compilerName];
-        if (ansName && isValidCompilerName(ansName)) {
-          return COMPILER_ANS_MAP[ansName];
-        }
-        if (process.env["NODE_ENV"] !== "test") {
-          console.warn(
-            `[CompilerBase] Compiler '${this.compilerName}' has no ANS namespace entry. Add it to COMPILER_CLASS_TO_ANS_NAME to enable UCAN capability enforcement.`
-          );
-        }
-        return void 0;
-      }
-      // =========================================================================
-      // Legacy JWT RBAC validation (unchanged from v1.0.0)
-      // =========================================================================
-      /**
-       * Validate agent can read AST
-       * Skips validation when no token is provided.
-       * In production (`NODE_ENV=production`) a warning is emitted when no token is
-       * supplied — callers should always authenticate compiler access in production.
-       *
-       * @param agentToken - Agent JWT token (optional)
-       * @throws UnauthorizedCompilerAccessError if token is provided but invalid
-       */
-      validateASTAccess(agentToken) {
-        if (!agentToken) {
-          if (process.env["NODE_ENV"] === "production") {
-            console.warn(
-              `[${this.compilerName}] validateASTAccess called without a token in production. All compiler calls should be authenticated. Pass an agent token to enforce RBAC.`
-            );
-          }
-          return;
-        }
-        const decision = this.rbac.checkAccess({
-          token: agentToken,
-          resourceType: "ast" /* AST */,
-          operation: "read",
-          expectedWorkflowStep: "generate_assembly" /* GENERATE_ASSEMBLY */
-        });
-        if (!decision.allowed) {
-          throw new UnauthorizedCompilerAccessError(decision, "AST access", this.compilerName);
-        }
-      }
-      /**
-       * Validate agent can generate code
-       * Skips validation when no token is provided.
-       * In production (`NODE_ENV=production`) a warning is emitted when no token is
-       * supplied — callers should always authenticate compiler access in production.
-       *
-       * @param agentToken - Agent JWT token (optional)
-       * @throws UnauthorizedCompilerAccessError if token is provided but invalid
-       */
-      validateCodeGeneration(agentToken) {
-        if (!agentToken) {
-          if (process.env["NODE_ENV"] === "production") {
-            console.warn(
-              `[${this.compilerName}] validateCodeGeneration called without a token in production. All compiler calls should be authenticated. Pass an agent token to enforce RBAC.`
-            );
-          }
-          return;
-        }
-        const decision = this.rbac.checkAccess({
-          token: agentToken,
-          resourceType: "code" /* CODE */,
-          operation: "write",
-          expectedWorkflowStep: "generate_assembly" /* GENERATE_ASSEMBLY */
-        });
-        if (!decision.allowed) {
-          throw new UnauthorizedCompilerAccessError(decision, "code generation", this.compilerName);
-        }
-      }
-      /**
-       * Validate agent can write to output path
-       * Skips validation when no token is provided.
-       * In production (`NODE_ENV=production`) a warning is emitted when no token is
-       * supplied — callers should always authenticate compiler access in production.
-       *
-       * @param agentToken - Agent JWT token (optional)
-       * @param outputPath - Target output file path
-       * @throws UnauthorizedCompilerAccessError if token is provided but invalid
-       */
-      validateOutputPath(agentToken, outputPath) {
-        if (!agentToken) {
-          if (process.env["NODE_ENV"] === "production") {
-            console.warn(
-              `[${this.compilerName}] validateOutputPath called without a token in production. All compiler calls should be authenticated. Pass an agent token to enforce RBAC.`
-            );
-          }
-          return;
-        }
-        const decision = this.rbac.checkAccess({
-          token: agentToken,
-          resourceType: "output" /* OUTPUT */,
-          operation: "write",
-          resourcePath: outputPath,
-          expectedWorkflowStep: "serialize" /* SERIALIZE */
-        });
-        if (!decision.allowed) {
-          throw new UnauthorizedCompilerAccessError(
-            decision,
-            `output write to '${outputPath}'`,
-            this.compilerName
-          );
-        }
-      }
-      // =========================================================================
-      // UCAN Capability Token validation (P3 Migration Bridge)
-      // =========================================================================
-      /**
-       * Validate compiler access using a UCAN capability token.
-       *
-       * Checks that the capability token grants access to the required resources
-       * (AST read, CODE write, and optionally OUTPUT write) using the
-       * CapabilityRBAC adapter.
-       *
-       * @param credential - UCAN capability token credential
-       * @param outputPath - Optional output path for scope validation
-       * @throws UnauthorizedCompilerAccessError if any capability check fails
-       */
-      validateCapabilityAccess(credential, outputPath) {
-        const capRBAC = this.getCapabilityRBAC();
-        const astDecision = capRBAC.checkAccess({
-          token: "",
-          capabilityToken: credential.capabilityToken,
-          issuerPublicKey: credential.issuerPublicKey,
-          resourceType: "ast" /* AST */,
-          operation: "read"
-        });
-        if (!astDecision.allowed) {
-          throw new UnauthorizedCompilerAccessError(astDecision, "AST access", this.compilerName);
-        }
-        const codeDecision = capRBAC.checkAccess({
-          token: "",
-          capabilityToken: credential.capabilityToken,
-          issuerPublicKey: credential.issuerPublicKey,
-          resourceType: "code" /* CODE */,
-          operation: "write"
-        });
-        if (!codeDecision.allowed) {
-          throw new UnauthorizedCompilerAccessError(codeDecision, "code generation", this.compilerName);
-        }
-        if (outputPath) {
-          const outputDecision = capRBAC.checkAccess({
-            token: "",
-            capabilityToken: credential.capabilityToken,
-            issuerPublicKey: credential.issuerPublicKey,
-            resourceType: "output" /* OUTPUT */,
-            operation: "write",
-            resourcePath: outputPath
-          });
-          if (!outputDecision.allowed) {
-            throw new UnauthorizedCompilerAccessError(
-              outputDecision,
-              `output write to '${outputPath}'`,
-              this.compilerName
-            );
-          }
-        }
-      }
-      // =========================================================================
-      // Spatial Memory Zone validation
-      // =========================================================================
-      /**
-       * Validate spatial zone access for the current compilation.
-       *
-       * This step runs **after** RBAC/UCAN token verification and enforces
-       * compile-time spatial zone permissions when zones are registered.
-       *
-       * **Backward compatible**: When no zones are registered in the global
-       * SpatialZoneEnforcer, this method is a no-op.
-       *
-       * **Non-blocking**: Zone enforcement failures are logged as warnings
-       * but do NOT throw or block compilation. This allows gradual rollout
-       * of spatial zone policies without breaking existing pipelines.
-       *
-       * @param agentToken - JWT token string (spatial zones use JWT verification)
-       */
-      validateSpatialZoneAccess(agentToken) {
-        if (!agentToken) return;
-        const enforcer = this.getSpatialZoneEnforcer();
-        const zoneIds = enforcer.getRegisteredZoneIds();
-        if (zoneIds.length === 0) return;
-        for (const zoneId of zoneIds) {
-          const decision = enforcer.checkZoneAccess(
-            agentToken,
-            zoneId,
-            "spatial:read" /* SPATIAL_READ */
-          );
-          if (!decision.allowed) {
-            console.warn(
-              `[${this.compilerName}] Spatial zone access warning: agent ${decision.agentId ?? "unknown"} denied SPATIAL_READ in zone "${zoneId}": ${decision.reason}`
-            );
-          }
-        }
-      }
-      // =========================================================================
-      // Dual-mode access validation (P3 Migration Bridge)
-      // =========================================================================
-      /**
-       * Validate all compiler permissions in single call (dual-mode).
-       *
-       * **P3 Migration Bridge**: This method now accepts both JWT RBAC tokens
-       * (string) and UCAN capability tokens (CapabilityTokenCredential).
-       *
-       * Token routing:
-       * - `undefined` / `null` / empty string: Skip all validation (backwards compatibility)
-       * - `string` (non-empty): Route to legacy JWT RBAC via AgentRBAC.checkAccess()
-       * - `CapabilityTokenCredential`: Route to UCAN via CapabilityRBAC.checkAccess()
-       *
-       * Convenience method combining AST access + code generation + optional output validation.
-       * Skips ALL validation when no token is provided (backwards compatibility / testing).
-       *
-       * @param agentToken - JWT token string OR UCAN CapabilityTokenCredential (optional)
-       * @param outputPath - Optional output path
-       * @throws UnauthorizedCompilerAccessError if any validation fails
-       */
-      validateCompilerAccess(agentToken, outputPath) {
-        if (!agentToken) return;
-        if (isCapabilityTokenCredential(agentToken)) {
-          this.validateCapabilityAccess(agentToken, outputPath);
-          return;
-        }
-        this.validateASTAccess(agentToken);
-        this.validateCodeGeneration(agentToken);
-        if (outputPath) {
-          this.validateOutputPath(agentToken, outputPath);
-        }
-        this.validateSpatialZoneAccess(agentToken);
-      }
-      // =========================================================================
-      // Cultural compatibility validation
-      // =========================================================================
-      /**
-       * Extract cultural profile from an agent token.
-       *
-       * @param agentToken - JWT token string (capability tokens do not carry cultural profiles)
-       * @returns The cultural profile if present, or null
-       */
-      extractCulturalProfile(agentToken) {
-        if (!agentToken) return null;
-        return this.rbac.extractCulturalProfile(agentToken);
-      }
-      /**
-       * Validate cultural compatibility across multiple agent tokens.
-       *
-       * Subclasses can call this during multi-agent compilation to ensure
-       * all participating agents have compatible cultural profiles before
-       * proceeding with code generation.
-       *
-       * @param agentTokens - Map of agent name to JWT token
-       * @param normSets    - Optional map of agent name to norm_set arrays
-       * @returns Cultural compatibility result, or null if fewer than 2 agents
-       *          have cultural profiles
-       */
-      validateCulturalCompatibility(agentTokens, normSets) {
-        return this.rbac.validateCulturalCompatibility(agentTokens, normSets);
-      }
-    };
-  }
-});
-
-export { ANSCapabilityPath, CompilerBase, CompilerDocumentationGenerator, UnauthorizedCompilerAccessError, createTestCompilerToken, escapeStringValue, init_ANSNamespace, init_CompilerBase, init_CompilerDocumentationGenerator, isCapabilityTokenCredential };
-//# sourceMappingURL=chunk-QWKUKVRE.js.map
-//# sourceMappingURL=chunk-QWKUKVRE.js.map