@holoscript/holoscript-agent 2.0.0

package/dist/index.js

@@ -0,0 +1,2101 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { homedir as homedir3 } from "os";
+import { join as join4 } from "path";
+import {
+  createAnthropicProvider,
+  createOpenAIProvider,
+  createGeminiProvider,
+  createMockProvider,
+  createLocalLLMProvider
+} from "@holoscript/llm-provider";
+
+// src/identity.ts
+var VALID_PROVIDERS = /* @__PURE__ */ new Set([
+  "anthropic",
+  "openai",
+  "gemini",
+  "mock",
+  "bitnet",
+  "local-llm"
+]);
+function loadIdentity(env = process.env) {
+  const handle = required(env, "HOLOSCRIPT_AGENT_HANDLE");
+  const provider = required(env, "HOLOSCRIPT_AGENT_PROVIDER");
+  if (!VALID_PROVIDERS.has(provider)) {
+    throw new Error(
+      `HOLOSCRIPT_AGENT_PROVIDER=${provider} not in [${[...VALID_PROVIDERS].join(", ")}]`
+    );
+  }
+  const x402Bearer = required(env, "HOLOSCRIPT_AGENT_X402_BEARER");
+  const wallet = required(env, "HOLOSCRIPT_AGENT_WALLET");
+  if (!/^0x[0-9a-fA-F]{40}$/.test(wallet)) {
+    throw new Error(`HOLOSCRIPT_AGENT_WALLET is not a 0x-prefixed 40-hex address: ${wallet}`);
+  }
+  const budgetRaw = env.HOLOSCRIPT_AGENT_BUDGET_USD_DAY ?? "5";
+  const budget = Number(budgetRaw);
+  if (!Number.isFinite(budget) || budget < 0) {
+    throw new Error(`HOLOSCRIPT_AGENT_BUDGET_USD_DAY must be >= 0 (0 = unlimited), got ${budgetRaw}`);
+  }
+  return {
+    handle,
+    surface: env.HOLOSCRIPT_AGENT_SURFACE ?? handle,
+    wallet,
+    x402Bearer,
+    llmProvider: provider,
+    llmModel: required(env, "HOLOSCRIPT_AGENT_MODEL"),
+    brainPath: required(env, "HOLOSCRIPT_AGENT_BRAIN"),
+    budgetUsdPerDay: budget,
+    teamId: required(env, "HOLOMESH_TEAM_ID"),
+    meshApiBase: env.HOLOMESH_API_BASE ?? "https://mcp.holoscript.net/api/holomesh"
+  };
+}
+function required(env, key) {
+  const v = env[key];
+  if (!v || v.trim().length === 0) {
+    throw new Error(`Missing required env var: ${key}`);
+  }
+  return v.trim();
+}
+function identityForLog(id) {
+  return {
+    handle: id.handle,
+    surface: id.surface,
+    wallet: `${id.wallet.slice(0, 6)}\u2026${id.wallet.slice(-4)}`,
+    bearer: `${id.x402Bearer.slice(0, 6)}\u2026`,
+    provider: id.llmProvider,
+    model: id.llmModel,
+    brain: id.brainPath,
+    budgetUsdPerDay: id.budgetUsdPerDay
+  };
+}
+
+// src/brain.ts
+import { readFile } from "fs/promises";
+async function loadBrain(brainPath, scopeTier = "warm") {
+  const systemPrompt = await readFile(brainPath, "utf8");
+  const { domain, capabilityTags } = extractIdentity(systemPrompt);
+  return { brainPath, systemPrompt, capabilityTags, domain, scopeTier };
+}
+function extractIdentity(brain) {
+  const identityBlock = sliceNamedBlock(brain, "identity");
+  if (!identityBlock) return { domain: "unknown", capabilityTags: [] };
+  const domain = scalarField(identityBlock, "domain") ?? "unknown";
+  const capabilityTags = listField(identityBlock, "capability_tags") ?? [];
+  return { domain, capabilityTags };
+}
+function sliceNamedBlock(src, name) {
+  const re = new RegExp(`\\b${name}\\s*:?\\s*\\{`, "g");
+  const match = re.exec(src);
+  if (!match) return void 0;
+  const headerEnd = match.index + match[0].length;
+  let depth = 1;
+  for (let i = headerEnd; i < src.length; i++) {
+    const ch = src[i];
+    if (ch === "{") depth++;
+    else if (ch === "}") {
+      depth--;
+      if (depth === 0) return src.slice(headerEnd, i);
+    }
+  }
+  return void 0;
+}
+function scalarField(block, key) {
+  const idx = block.indexOf(`${key}:`);
+  if (idx < 0) return void 0;
+  const after = block.slice(idx + key.length + 1).trimStart();
+  if (after.startsWith('"')) {
+    const end = after.indexOf('"', 1);
+    if (end > 0) return after.slice(1, end);
+  }
+  const eol = after.indexOf("\n");
+  return after.slice(0, eol < 0 ? void 0 : eol).trim();
+}
+function listField(block, key) {
+  const idx = block.indexOf(`${key}:`);
+  if (idx < 0) return void 0;
+  const after = block.slice(idx + key.length + 1).trimStart();
+  if (!after.startsWith("[")) return void 0;
+  let depth = 0;
+  let end = -1;
+  for (let i = 0; i < after.length; i++) {
+    if (after[i] === "[") depth++;
+    else if (after[i] === "]") {
+      depth--;
+      if (depth === 0) {
+        end = i;
+        break;
+      }
+    }
+  }
+  if (end < 0) return void 0;
+  const inner = after.slice(1, end);
+  return inner.split(",").map((s) => s.trim().replace(/^["']|["']$/g, "")).filter((s) => s.length > 0);
+}
+
+// src/cost-guard.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { dirname } from "path";
+var ANTHROPIC_PRICING_USD_PER_MTOK = {
+  "claude-opus-4-7": { input: 15, output: 75 },
+  "claude-opus-4-6": { input: 15, output: 75 },
+  "claude-sonnet-4-6": { input: 3, output: 15 },
+  "claude-haiku-4-5-20251001": { input: 1, output: 5 },
+  "claude-haiku-4-5": { input: 1, output: 5 }
+};
+function defaultAnthropicPricer(model, usage) {
+  const price = ANTHROPIC_PRICING_USD_PER_MTOK[model];
+  if (!price) {
+    throw new Error(
+      `No pricing configured for model "${model}" \u2014 add to ANTHROPIC_PRICING_USD_PER_MTOK or pass a custom pricer`
+    );
+  }
+  return (usage.promptTokens * price.input + usage.completionTokens * price.output) / 1e6;
+}
+function defaultLocalLlmPricer(_model, _usage) {
+  return 0;
+}
+function defaultPricerForProvider(provider) {
+  if (provider === "local-llm" || provider === "mock") return defaultLocalLlmPricer;
+  return defaultAnthropicPricer;
+}
+var CostGuard = class {
+  constructor(opts) {
+    this.statePath = opts.statePath;
+    this.dailyBudgetUsd = opts.dailyBudgetUsd;
+    this.pricer = opts.pricer ?? defaultAnthropicPricer;
+    this.state = this.loadOrInit();
+  }
+  recordUsage(model, usage) {
+    this.rolloverIfNewDay();
+    const costUsd = this.pricer(model, usage);
+    this.state.spentUsd += costUsd;
+    this.state.promptTokens += usage.promptTokens;
+    this.state.completionTokens += usage.completionTokens;
+    this.state.callCount += 1;
+    this.persist();
+    return {
+      costUsd,
+      spentUsd: this.state.spentUsd,
+      remainingUsd: Math.max(0, this.dailyBudgetUsd - this.state.spentUsd)
+    };
+  }
+  isOverBudget() {
+    if (this.dailyBudgetUsd === 0) return false;
+    this.rolloverIfNewDay();
+    return this.state.spentUsd >= this.dailyBudgetUsd;
+  }
+  getRemainingUsd() {
+    if (this.dailyBudgetUsd === 0) return Number.POSITIVE_INFINITY;
+    this.rolloverIfNewDay();
+    return Math.max(0, this.dailyBudgetUsd - this.state.spentUsd);
+  }
+  getState() {
+    this.rolloverIfNewDay();
+    return { ...this.state };
+  }
+  rolloverIfNewDay() {
+    const today = todayUtc();
+    if (this.state.date !== today) {
+      this.state = { date: today, spentUsd: 0, promptTokens: 0, completionTokens: 0, callCount: 0 };
+      this.persist();
+    }
+  }
+  loadOrInit() {
+    if (existsSync(this.statePath)) {
+      const raw = readFileSync(this.statePath, "utf8");
+      const parsed = JSON.parse(raw);
+      if (parsed.date === todayUtc()) return parsed;
+    }
+    return { date: todayUtc(), spentUsd: 0, promptTokens: 0, completionTokens: 0, callCount: 0 };
+  }
+  persist() {
+    mkdirSync(dirname(this.statePath), { recursive: true });
+    writeFileSync(this.statePath, JSON.stringify(this.state, null, 2), "utf8");
+  }
+};
+function todayUtc() {
+  return (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
+}
+
+// src/holomesh-client.ts
+var HolomeshClient = class {
+  constructor(opts) {
+    this.apiBase = opts.apiBase.replace(/\/$/, "");
+    this.bearer = opts.bearer;
+    this.teamId = opts.teamId;
+    this.fetchImpl = opts.fetchImpl ?? fetch;
+  }
+  async heartbeat(payload) {
+    await this.req("POST", `/team/${this.teamId}/presence`, payload);
+  }
+  async getOpenTasks() {
+    const data = await this.req(
+      "GET",
+      `/team/${this.teamId}/board`
+    );
+    return data.tasks ?? data.open ?? [];
+  }
+  async claim(taskId) {
+    return this.req("PATCH", `/team/${this.teamId}/board/${taskId}`, { action: "claim" });
+  }
+  async joinTeam() {
+    return this.req(
+      "POST",
+      `/team/${this.teamId}/join`,
+      {}
+    );
+  }
+  async sendMessageOnTask(taskId, body) {
+    await this.req("POST", `/team/${this.teamId}/message`, {
+      to: "team",
+      subject: `task:${taskId}`,
+      content: body
+    });
+  }
+  async markDone(taskId, summary, commitHash) {
+    await this.req("PATCH", `/team/${this.teamId}/board/${taskId}`, {
+      action: "done",
+      summary,
+      commitHash
+    });
+  }
+  // POST CAEL audit records for this agent. Server validator at
+  // packages/mcp-server/src/holomesh/routes/core-routes.ts:472-533 requires
+  // bearer == handle owner OR founder; the per-surface x402 bearer is the
+  // handle owner so this resolves correctly. Records that fail shape
+  // validation (layer_hashes != 7 elements, missing tick_iso/operation/
+  // fnv1a_chain) are silently dropped server-side, not rejected as a batch.
+  async postAuditRecords(handle, records) {
+    return this.req(
+      "POST",
+      `/agent/${encodeURIComponent(handle)}/audit`,
+      { records }
+    );
+  }
+  async whoAmI() {
+    const raw = await this.req("GET", "/me");
+    return {
+      agentId: raw.agentId,
+      surface: deriveSurface(raw.name),
+      wallet: raw.wallet
+    };
+  }
+  async req(method, path, body) {
+    const url = `${this.apiBase}${path}`;
+    const res = await this.fetchImpl(url, {
+      method,
+      headers: {
+        Authorization: `Bearer ${this.bearer}`,
+        "content-type": "application/json"
+      },
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) {
+      const txt = await res.text().catch(() => "");
+      throw new Error(`HoloMesh ${method} ${path} ${res.status}: ${txt.slice(0, 300)}`);
+    }
+    if (res.status === 204) return void 0;
+    return await res.json();
+  }
+};
+function deriveSurface(seatName) {
+  if (!seatName) return "unknown";
+  const n = seatName.toLowerCase();
+  if (n.startsWith("claudecode")) return "claude-code";
+  if (n.startsWith("cursor")) return "claude-cursor";
+  if (n.startsWith("claudedesktop")) return "claude-desktop";
+  if (n.startsWith("vscode-claude") || n.startsWith("claude-vscode")) return "claude-vscode";
+  if (n.startsWith("gemini")) return "gemini-antigravity";
+  if (n.startsWith("copilot")) return "copilot-vscode";
+  return "unknown";
+}
+function pickClaimableTask(tasks, brainCapabilityTags) {
+  const wanted = new Set(brainCapabilityTags.map((t) => t.toLowerCase()));
+  const open = tasks.filter((t) => t.status === "open" && !t.claimedBy);
+  const scored = open.map((t) => ({ task: t, score: scoreTask(t, wanted) })).filter((s) => s.score > 0).sort((a, b) => b.score - a.score || priority(a.task) - priority(b.task));
+  return scored[0]?.task;
+}
+function scoreTask(task, wanted) {
+  const tags = (task.tags ?? []).map((t) => t.toLowerCase());
+  const text = `${task.title} ${task.description ?? ""}`.toLowerCase();
+  let score = 0;
+  for (const tag of tags) if (wanted.has(tag)) score += 2;
+  for (const w of wanted) if (text.includes(w)) score += 1;
+  return score;
+}
+function priority(t) {
+  if (typeof t.priority === "number") return t.priority;
+  const map = { critical: 1, high: 2, medium: 4, low: 6 };
+  return map[String(t.priority).toLowerCase()] ?? 5;
+}
+
+// src/cael-builder.ts
+import { createHash } from "crypto";
+function sha(input) {
+  return createHash("sha256").update(input, "utf8").digest("hex");
+}
+function brainClassOf(brain) {
+  const p = String(brain.brainPath ?? "");
+  let m = p.match(/compositions[\\/]([\w-]+)-brain\.hsplus$/);
+  if (m) return m[1];
+  m = p.match(/([\w-]+)-brain\.hsplus$/);
+  if (m) return m[1];
+  m = p.match(/([\w-]+)\.hsplus$/);
+  if (m) return m[1];
+  const domain = String(brain.domain ?? "").trim();
+  if (domain && domain !== "unknown") return domain;
+  return "unknown";
+}
+function buildCaelRecord(input) {
+  const { identity, brain, task, messages, finalText, usage, costUsd, spentUsd, prevChain, runtimeVersion } = input;
+  const l0 = sha(brain.systemPrompt);
+  const l1 = sha(`${task.id}|${task.title}|${task.description ?? ""}`);
+  const l2 = sha(JSON.stringify(messages));
+  const l3 = sha(finalText);
+  const l4 = sha(JSON.stringify(usage));
+  const l5 = sha(`${costUsd.toFixed(6)}|${spentUsd.toFixed(6)}`);
+  const l6 = sha([l0, l1, l2, l3, l4, l5].join("|"));
+  const fnv1a_chain = sha(`${prevChain ?? ""}|${l6}`);
+  return {
+    tick_iso: (/* @__PURE__ */ new Date()).toISOString(),
+    layer_hashes: [l0, l1, l2, l3, l4, l5, l6],
+    operation: `task-executed:${task.id}`,
+    prev_hash: prevChain,
+    fnv1a_chain,
+    version_vector_fingerprint: `agent@${runtimeVersion}|brain@${brainClassOf(brain)}|provider@${identity.llmProvider}|model@${identity.llmModel}`,
+    brain_class: brainClassOf(brain)
+  };
+}
+
+// src/tools.ts
+import { readFile as readFile2, writeFile, readdir, mkdir, stat } from "fs/promises";
+import { resolve, dirname as dirname2 } from "path";
+import { spawn } from "child_process";
+var ALLOWED_READ_ROOTS = [
+  "/root/msc-paper-22",
+  // Paper 22 mechanization inputs (scp'd by deploy)
+  "/root/holoscript-mesh",
+  // Read-only repo view (clone path on instance)
+  "/root/agent-output"
+  // Read back what we wrote
+];
+var ALLOWED_WRITE_ROOTS = [
+  "/root/agent-output"
+  // Single write sink — keeps deliverables in one place
+];
+var BASH_WHITELIST = [
+  "lake build",
+  "lake env",
+  "lake clean",
+  "lean ",
+  "ls ",
+  "ls\n",
+  "ls$",
+  "cat ",
+  "grep ",
+  "rg ",
+  "find ",
+  "wc ",
+  "head ",
+  "tail ",
+  "git status",
+  "git log",
+  "git diff",
+  "git show",
+  "pnpm --filter",
+  "pnpm vitest",
+  "vitest run",
+  "pwd",
+  "echo "
+];
+var MESH_TOOLS = [
+  {
+    name: "read_file",
+    description: "Read a file from the agent sandbox. Allowed roots: /root/msc-paper-22, /root/holoscript-mesh, /root/agent-output. Returns the file content as text. Use this to inspect inputs scp'd to the instance (e.g. MSC/Invariants.lean).",
+    input_schema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Absolute path under an allowed read root" }
+      },
+      required: ["path"]
+    }
+  },
+  {
+    name: "list_dir",
+    description: "List entries in a directory under the agent sandbox. Same root restrictions as read_file. Returns a newline-separated list of entries.",
+    input_schema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Absolute path under an allowed read root" }
+      },
+      required: ["path"]
+    }
+  },
+  {
+    name: "write_file",
+    description: "Write a file to /root/agent-output/. This is the deliverable sink \u2014 anything you want to emit as task output (a Lean proof, a markdown report, a JSON dataset) goes here. Creates parent directories. Will refuse paths outside the write root.",
+    input_schema: {
+      type: "object",
+      properties: {
+        path: { type: "string", description: "Absolute path under /root/agent-output/" },
+        content: { type: "string", description: "File content to write (UTF-8)" }
+      },
+      required: ["path", "content"]
+    }
+  },
+  {
+    name: "bash",
+    description: "Run a shell command. Whitelisted prefixes only: lake build, lean, ls, cat, grep, find, wc, head, tail, git status/log/diff/show, pnpm --filter, vitest run, pwd, echo. Hard 60s wall timeout, 1MB stdout cap. Use for lake build / lean kernel-checks, git inspection, repo greps. Refuses rm, curl, ssh, sudo, eval.",
+    input_schema: {
+      type: "object",
+      properties: {
+        cmd: { type: "string", description: "Whitelisted shell command" },
+        cwd: { type: "string", description: "Optional working directory (defaults to /root)" }
+      },
+      required: ["cmd"]
+    }
+  }
+];
+function isUnderRoot(absPath, root) {
+  const resolved = resolve(absPath);
+  const rootResolved = resolve(root);
+  return resolved === rootResolved || resolved.startsWith(rootResolved + "/");
+}
+function checkReadAllowed(path) {
+  if (!path.startsWith("/")) return `path must be absolute, got "${path}"`;
+  for (const root of ALLOWED_READ_ROOTS) {
+    if (isUnderRoot(path, root)) return null;
+  }
+  return `read denied \u2014 path "${path}" not under allowed roots: ${ALLOWED_READ_ROOTS.join(", ")}`;
+}
+function checkWriteAllowed(path) {
+  if (!path.startsWith("/")) return `path must be absolute, got "${path}"`;
+  for (const root of ALLOWED_WRITE_ROOTS) {
+    if (isUnderRoot(path, root)) return null;
+  }
+  return `write denied \u2014 path "${path}" not under allowed roots: ${ALLOWED_WRITE_ROOTS.join(", ")}`;
+}
+function checkBashAllowed(cmd) {
+  const trimmed = cmd.trim();
+  if (trimmed.length === 0) return "empty command";
+  if (/[;&|`$<>]|>>|\|\||&&/.test(trimmed)) {
+    return `command contains shell metachars (; & | \` $ < > >> || &&) \u2014 not allowed for safety`;
+  }
+  for (const prefix of BASH_WHITELIST) {
+    if (trimmed.startsWith(prefix.trim())) return null;
+  }
+  return `command not on whitelist. Allowed prefixes: ${BASH_WHITELIST.join(" / ")}`;
+}
+async function runTool(use) {
+  try {
+    if (use.name === "read_file") {
+      const path = use.input.path;
+      const denied = checkReadAllowed(path);
+      if (denied) return errResult(use.id, denied);
+      const text = await readFile2(path, "utf8");
+      const truncated = text.length > 2e5 ? text.slice(0, 2e5) + `
+\u2026[truncated, full file is ${text.length} bytes]` : text;
+      return okResult(use.id, truncated);
+    }
+    if (use.name === "list_dir") {
+      const path = use.input.path;
+      const denied = checkReadAllowed(path);
+      if (denied) return errResult(use.id, denied);
+      const entries = await readdir(path, { withFileTypes: true });
+      const lines = entries.map((e) => `${e.isDirectory() ? "d" : "-"} ${e.name}`);
+      return okResult(use.id, lines.join("\n"));
+    }
+    if (use.name === "write_file") {
+      const path = use.input.path;
+      const content = use.input.content;
+      const denied = checkWriteAllowed(path);
+      if (denied) return errResult(use.id, denied);
+      await mkdir(dirname2(path), { recursive: true });
+      await writeFile(path, content, "utf8");
+      const s = await stat(path);
+      return okResult(use.id, `wrote ${s.size} bytes to ${path}`);
+    }
+    if (use.name === "bash") {
+      const cmd = use.input.cmd;
+      const cwd = use.input.cwd ?? "/root";
+      const denied = checkBashAllowed(cmd);
+      if (denied) return errResult(use.id, denied);
+      const result = await runBash(cmd, cwd);
+      return result.code === 0 ? okResult(use.id, result.stdout) : errResult(use.id, `exit=${result.code}
+${result.stderr || result.stdout}`);
+    }
+    return errResult(use.id, `unknown tool: ${use.name}`);
+  } catch (err) {
+    return errResult(use.id, err instanceof Error ? err.message : String(err));
+  }
+}
+function runBash(cmd, cwd) {
+  return new Promise((resolveProm) => {
+    const child = spawn("bash", ["-c", cmd], { cwd, env: process.env });
+    let stdout = "";
+    let stderr = "";
+    let killed = false;
+    const STDOUT_CAP = 1e6;
+    const TIMEOUT_MS = 6e4;
+    const killer = setTimeout(() => {
+      killed = true;
+      child.kill("SIGKILL");
+    }, TIMEOUT_MS);
+    child.stdout.on("data", (d) => {
+      if (stdout.length < STDOUT_CAP) stdout += d.toString("utf8");
+    });
+    child.stderr.on("data", (d) => {
+      if (stderr.length < STDOUT_CAP) stderr += d.toString("utf8");
+    });
+    child.on("error", (err) => {
+      clearTimeout(killer);
+      resolveProm({ code: 1, stdout, stderr: stderr + "\nspawn-error: " + err.message });
+    });
+    child.on("exit", (code) => {
+      clearTimeout(killer);
+      const finalStdout = stdout.length >= STDOUT_CAP ? stdout + `
+\u2026[stdout truncated at ${STDOUT_CAP} bytes]` : stdout;
+      const note = killed ? `
+[bash killed after ${TIMEOUT_MS}ms timeout]` : "";
+      resolveProm({ code: code ?? 1, stdout: finalStdout + note, stderr });
+    });
+  });
+}
+function okResult(id, content) {
+  return { type: "tool_result", tool_use_id: id, content };
+}
+function errResult(id, message) {
+  return { type: "tool_result", tool_use_id: id, content: message, is_error: true };
+}
+
+// src/runner.ts
+var RUNTIME_VERSION = "1.0.0";
+var AgentRunner = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.stopped = false;
+    // CAEL audit hash chain — survives across ticks within a single runner
+    // process. On process restart it resets to null; the first post-restart
+    // record breaks the chain, which is honest (the runner has no memory of
+    // its prior chain state and shouldn't fake continuity). prev_hash=null
+    // is a valid value the audit-store accepts.
+    this.prevCaelChain = null;
+    // Self-recovery flag for the auto-rejoin path (task_1777112258989_eeyp).
+    // When the heartbeat returns 403 "Not a member of this team" — typical of
+    // a fresh Vast.ai worker whose provisioning didn't atomically /join, or of
+    // a worker whose membership was reaped — the runner calls mesh.joinTeam()
+    // ONCE per process and retries the heartbeat. After a successful rejoin
+    // we set this flag so subsequent 403s on the same process don't loop back
+    // into joinTeam (avoiding a retry storm if the team-cap is full or the
+    // join itself is permanently rejected). On process restart the flag
+    // resets, which is the correct semantics: a fresh process gets one fresh
+    // chance to self-rejoin. Discovered 2026-04-25 SSH-probing 5 fleet
+    // workers stuck in indefinite 403→tick-error→sleep→retry loops; without
+    // this, a fresh-deploy of an unjoined agent stays silent forever.
+    this.joinedThisProcess = false;
+  }
+  async tick() {
+    const { identity, brain, mesh, costGuard, provider, logger } = this.opts;
+    const log = logger ?? (() => void 0);
+    await this.heartbeatWithAutoRejoin();
+    if (costGuard.isOverBudget()) {
+      const state = costGuard.getState();
+      log({ ev: "over-budget", spentUsd: state.spentUsd, budget: identity.budgetUsdPerDay });
+      return {
+        action: "over-budget",
+        spentUsd: state.spentUsd,
+        remainingUsd: 0,
+        message: `daily budget $${identity.budgetUsdPerDay} exhausted`
+      };
+    }
+    const tasks = await mesh.getOpenTasks();
+    const target = pickClaimableTask(tasks, brain.capabilityTags);
+    if (!target) {
+      log({ ev: "no-claimable-task", open: tasks.length });
+      return {
+        action: "no-claimable-task",
+        spentUsd: costGuard.getState().spentUsd,
+        remainingUsd: costGuard.getRemainingUsd()
+      };
+    }
+    log({ ev: "claim", taskId: target.id, title: target.title });
+    await mesh.claim(target.id);
+    const start = Date.now();
+    const messages = [
+      { role: "system", content: brain.systemPrompt },
+      { role: "user", content: buildTaskPrompt(target) }
+    ];
+    let aggUsage = { promptTokens: 0, completionTokens: 0, totalTokens: 0 };
+    let finalText = "";
+    let iters = 0;
+    const MAX_TOOL_ITERS = 30;
+    let lastResponse;
+    const toolsCalled = /* @__PURE__ */ new Set();
+    while (true) {
+      iters++;
+      if (iters > MAX_TOOL_ITERS) {
+        log({ ev: "tool-loop-cap", taskId: target.id, iters });
+        finalText = finalText || `[tool-loop hit ${MAX_TOOL_ITERS}-iter cap before final text]`;
+        break;
+      }
+      const resp = await provider.complete(
+        {
+          messages,
+          maxTokens: 4096,
+          temperature: 0.4,
+          tools: MESH_TOOLS
+        },
+        identity.llmModel
+      );
+      lastResponse = resp;
+      aggUsage = {
+        promptTokens: aggUsage.promptTokens + resp.usage.promptTokens,
+        completionTokens: aggUsage.completionTokens + resp.usage.completionTokens,
+        totalTokens: aggUsage.totalTokens + resp.usage.totalTokens
+      };
+      if (resp.finishReason === "tool_use" && resp.toolUses && resp.toolUses.length > 0) {
+        log({ ev: "tool-call", taskId: target.id, iter: iters, tools: resp.toolUses.map((t) => t.name) });
+        for (const u of resp.toolUses) toolsCalled.add(u.name);
+        messages.push({
+          role: "assistant",
+          content: resp.assistantBlocks ?? []
+        });
+        const toolResults = await Promise.all(resp.toolUses.map((u) => runTool(u)));
+        messages.push({
+          role: "user",
+          content: toolResults
+        });
+        continue;
+      }
+      finalText = resp.content;
+      break;
+    }
+    const durationMs = Date.now() - start;
+    const SIDE_EFFECTING_TOOLS = /* @__PURE__ */ new Set(["write_file", "bash"]);
+    const sideEffectingCalled = [...toolsCalled].some((t) => SIDE_EFFECTING_TOOLS.has(t));
+    if (!sideEffectingCalled) {
+      log({
+        ev: "no-artifact",
+        taskId: target.id,
+        tool_iters: iters,
+        toolsCalled: [...toolsCalled],
+        message: "task execution called no side-effecting tool (write_file/bash) \u2014 refusing to mark executed. Likely a pure-text or read-only-inspection response. Task remains open for a grounded attempt."
+      });
+      return {
+        action: "no-artifact",
+        taskId: target.id,
+        spentUsd: costGuard.getState().spentUsd,
+        remainingUsd: costGuard.getRemainingUsd(),
+        message: `no side-effecting tool called (toolsCalled=[${[...toolsCalled].join(",")}], iters=${iters})`
+      };
+    }
+    const cost = costGuard.recordUsage(identity.llmModel, aggUsage);
+    log({
+      ev: "executed",
+      taskId: target.id,
+      costUsd: cost.costUsd.toFixed(4),
+      spentUsd: cost.spentUsd.toFixed(4),
+      tokens: aggUsage.totalTokens,
+      tool_iters: iters
+    });
+    const response = { ...lastResponse ?? { content: finalText, usage: aggUsage }, content: finalText, usage: aggUsage };
+    const execResult = {
+      taskId: target.id,
+      responseText: response.content,
+      usage: response.usage,
+      costUsd: cost.costUsd,
+      durationMs
+    };
+    if (this.opts.auditLog) {
+      try {
+        this.opts.auditLog.recordTaskExecuted({
+          identity,
+          task: target,
+          result: execResult
+        });
+      } catch (err) {
+        log({ ev: "audit-log-error", message: err instanceof Error ? err.message : String(err) });
+      }
+    }
+    try {
+      const caelRecord = buildCaelRecord({
+        identity,
+        brain,
+        task: target,
+        messages,
+        finalText,
+        usage: aggUsage,
+        costUsd: cost.costUsd,
+        spentUsd: cost.spentUsd,
+        prevChain: this.prevCaelChain,
+        runtimeVersion: RUNTIME_VERSION
+      });
+      const posted = await mesh.postAuditRecords(identity.handle, [caelRecord]);
+      this.prevCaelChain = caelRecord.fnv1a_chain;
+      log({ ev: "cael-posted", taskId: target.id, appended: posted.appended, rejected: posted.rejected });
+    } catch (err) {
+      log({ ev: "cael-post-error", message: err instanceof Error ? err.message : String(err) });
+    }
+    if (this.opts.onTaskExecuted) {
+      await this.opts.onTaskExecuted(execResult, target);
+    } else {
+      await mesh.sendMessageOnTask(
+        target.id,
+        `[${identity.handle}] response (${response.usage.totalTokens} tok, $${cost.costUsd.toFixed(4)}):
+
+${response.content}`
+      );
+    }
+    return {
+      action: "executed",
+      taskId: target.id,
+      spentUsd: cost.spentUsd,
+      remainingUsd: cost.remainingUsd
+    };
+  }
+  async runForever(opts = {}) {
+    const interval = opts.tickIntervalMs ?? 6e4;
+    while (!this.stopped) {
+      try {
+        await this.tick();
+      } catch (err) {
+        const log = this.opts.logger ?? (() => void 0);
+        log({ ev: "tick-error", message: err instanceof Error ? err.message : String(err) });
+      }
+      await sleep(interval + jitter(interval));
+    }
+  }
+  stop() {
+    this.stopped = true;
+  }
+  /**
+   * Heartbeat with one-shot self-rejoin on 403 "Not a member of this team".
+   *
+   * Pairs with task_1777112258989_eeyp: fresh-deploy fleet workers whose
+   * provisioning didn't atomically call /join (or whose membership was
+   * reaped) hit 403 every tick and never recover. We detect the specific
+   * server error string (see packages/mcp-server/src/holomesh/routes/
+   * team-routes.ts:903 → `{ error: 'Not a member' }` for /presence), call
+   * mesh.joinTeam() ONCE per runner process, and retry the heartbeat.
+   *
+   * Strict scope:
+   *  - Only retries on 403 + "Not a member" body. Any other 403 (insufficient
+   *    permissions, signing failure) re-throws unchanged.
+   *  - Only retries ONCE per process. If we already rejoined this process and
+   *    the heartbeat is *still* 403, the team is rejecting us for a reason
+   *    /join can't fix (e.g. capacity, ban) — surface the error.
+   *  - If joinTeam() itself throws, we DO mark joinedThisProcess=true before
+   *    re-throwing so we don't slam the join endpoint on every subsequent
+   *    tick. The next tick will surface the same heartbeat 403 and the
+   *    runner-level catch in runForever logs tick-error and sleeps. Operator
+   *    inspection (SSH/log) is the recovery path at that point.
+   */
+  async heartbeatWithAutoRejoin() {
+    const { identity, mesh, logger } = this.opts;
+    const log = logger ?? (() => void 0);
+    try {
+      await mesh.heartbeat({ agentName: identity.handle, surface: identity.surface });
+    } catch (err) {
+      if (!this.isNotAMemberError(err) || this.joinedThisProcess) {
+        throw err;
+      }
+      log({ ev: "auto-rejoin-attempt", reason: "heartbeat-403-not-a-member" });
+      this.joinedThisProcess = true;
+      try {
+        const joinResult = await mesh.joinTeam();
+        log({ ev: "auto-rejoin-success", role: joinResult.role, members: joinResult.members });
+      } catch (joinErr) {
+        log({
+          ev: "auto-rejoin-failed",
+          message: joinErr instanceof Error ? joinErr.message : String(joinErr)
+        });
+        throw joinErr;
+      }
+      await mesh.heartbeat({ agentName: identity.handle, surface: identity.surface });
+      log({ ev: "auto-rejoin-heartbeat-recovered" });
+    }
+  }
+  /**
+   * Detect the server's "Not a member" 403 error from HolomeshClient.req().
+   * The error message format is: `HoloMesh POST /team/<id>/presence 403: <body>`
+   * where body contains `{"error":"Not a member"}` (or "Not a member of this team").
+   * Match conservatively: BOTH a "403" status marker AND the "Not a member"
+   * substring must appear, so unrelated 403s (insufficient permissions,
+   * signing failures) do NOT trigger a rejoin.
+   */
+  isNotAMemberError(err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return / 403:/.test(msg) && /Not a member/i.test(msg);
+  }
+};
+function buildTaskPrompt(task) {
+  return [
+    `Board task to execute: ${task.id}`,
+    `Title: ${task.title}`,
+    `Priority: ${task.priority}`,
+    `Tags: ${(task.tags ?? []).join(", ")}`,
+    "",
+    "Description:",
+    task.description ?? "(no description)",
+    "",
+    "Produce the deliverable described in the task. Apply your brain composition rules \u2014 anti-patterns, decision loop, and scope tier all bind. Return the response as plain text suitable for posting to /room as a message on this task."
+  ].join("\n");
+}
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+function jitter(base) {
+  return Math.floor((Math.random() - 0.5) * base * 0.2);
+}
+
+// src/commit-hook.ts
+import { mkdirSync as mkdirSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname3, join, resolve as resolve2 } from "path";
+import { spawnSync } from "child_process";
+var SAFE_HANDLE = /^[a-z0-9_-]{1,64}$/i;
+function makeCommitHook(opts) {
+  if (!opts.outputDir || opts.outputDir.trim().length === 0) {
+    throw new Error("CommitHookOptions.outputDir is required");
+  }
+  const spawn2 = opts.spawn ?? spawnSync;
+  const cwd = opts.workingDir ?? process.cwd();
+  const outputDir = resolve2(cwd, opts.outputDir);
+  const now = opts.now ?? (() => /* @__PURE__ */ new Date());
+  const scope = opts.scope ?? "agent";
+  return async (result, task, identity) => {
+    if (!SAFE_HANDLE.test(identity.handle)) {
+      throw new Error(`Refusing to commit: handle "${identity.handle}" must match ${SAFE_HANDLE}`);
+    }
+    const date = now().toISOString().slice(0, 10);
+    const safeTaskId = task.id.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 80);
+    const fileName = `${date}_${safeTaskId}_${identity.handle}.md`;
+    const filePath = join(outputDir, fileName);
+    mkdirSync2(dirname3(filePath), { recursive: true });
+    writeFileSync2(filePath, renderMemo(result, task, identity, date), "utf8");
+    const relPath = relativeTo(cwd, filePath);
+    const addRes = spawn2("git", ["add", relPath], { cwd, encoding: "utf8" });
+    if (addRes.status !== 0) {
+      throw new Error(`git add failed: ${addRes.stderr || addRes.stdout || `exit ${addRes.status}`}`);
+    }
+    const message = renderCommitMessage({ scope, task, identity, result });
+    const commitArgs = ["commit", "-m", message];
+    if (opts.authorName && opts.authorEmail) {
+      commitArgs.push("--author", `${opts.authorName} <${opts.authorEmail}>`);
+    }
+    const commitRes = spawn2("git", commitArgs, { cwd, encoding: "utf8" });
+    if (commitRes.status !== 0) {
+      throw new Error(`git commit failed: ${commitRes.stderr || commitRes.stdout || `exit ${commitRes.status}`}`);
+    }
+    const hashRes = spawn2("git", ["rev-parse", "HEAD"], { cwd, encoding: "utf8" });
+    const commitHash = hashRes.status === 0 ? hashRes.stdout.trim() : void 0;
+    return { filePath, commitHash, staged: [relPath], message };
+  };
+}
+function renderMemo(result, task, identity, date) {
+  return [
+    "---",
+    `title: "${task.title.replace(/"/g, "'")}"`,
+    `task_id: ${task.id}`,
+    `agent: ${identity.handle}`,
+    `surface: ${identity.surface}`,
+    `provider: ${identity.llmProvider}`,
+    `model: ${identity.llmModel}`,
+    `wallet: ${identity.wallet}`,
+    `date: ${date}`,
+    `tokens: ${result.usage.totalTokens}`,
+    `cost_usd: ${result.costUsd.toFixed(4)}`,
+    `duration_ms: ${result.durationMs}`,
+    `tags: [${(task.tags ?? []).map((t) => JSON.stringify(t)).join(", ")}]`,
+    "---",
+    "",
+    `# ${task.title}`,
+    "",
+    "## Task description",
+    "",
+    task.description ?? "(no description)",
+    "",
+    "## Agent response",
+    "",
+    result.responseText.trim(),
+    ""
+  ].join("\n");
+}
+var SUBJECT_MAX = 72;
+function renderCommitMessage(opts) {
+  const suffix = ` [agent:${opts.identity.handle}]`;
+  const prefix = `${opts.scope}: `;
+  const titleBudget = Math.max(8, SUBJECT_MAX - prefix.length - suffix.length);
+  const subject = `${prefix}${truncate(opts.task.title, titleBudget)}${suffix}`;
+  const body = [
+    "",
+    `task: ${opts.task.id}`,
+    `agent: ${opts.identity.handle} (${opts.identity.llmProvider}/${opts.identity.llmModel})`,
+    `wallet: ${opts.identity.wallet}`,
+    `cost: $${opts.result.costUsd.toFixed(4)} / ${opts.result.usage.totalTokens} tok / ${opts.result.durationMs}ms`
+  ].join("\n");
+  return `${subject}
+${body}
+`;
+}
+function truncate(s, max) {
+  return s.length <= max ? s : `${s.slice(0, max - 1)}\u2026`;
+}
+function relativeTo(base, target) {
+  const b = base.replace(/\\/g, "/");
+  const t = target.replace(/\\/g, "/");
+  if (t.startsWith(b + "/")) return t.slice(b.length + 1);
+  if (t === b) return ".";
+  return t;
+}
+
+// src/ablation.ts
+import { createHash as createHash2 } from "crypto";
+async function runAblation(opts) {
+  const { task, providers, costGuard } = opts;
+  const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const promptHash = hashPrompt(task.systemPrompt, task.userPrompt);
+  const request = {
+    messages: [
+      { role: "system", content: task.systemPrompt },
+      { role: "user", content: task.userPrompt }
+    ],
+    maxTokens: task.maxTokens ?? 2048,
+    temperature: task.temperature ?? 0.4
+  };
+  const cells = [];
+  let budgetExhausted = false;
+  const matrixId = opts.matrixId ?? `mx_${promptHash}_${Date.now()}`;
+  for (const spec of providers) {
+    if (costGuard?.isOverBudget()) {
+      budgetExhausted = true;
+      cells.push({
+        label: spec.label,
+        provider: spec.provider,
+        model: spec.model,
+        responseText: "",
+        usage: { promptTokens: 0, completionTokens: 0, totalTokens: 0 },
+        costUsd: 0,
+        durationMs: 0,
+        finishReason: "error",
+        errorMessage: "budget-exhausted-before-cell"
+      });
+      continue;
+    }
+    const t0 = Date.now();
+    try {
+      const provider = await spec.build();
+      const cellPromise = provider.complete(request, spec.model);
+      const response = opts.timeoutPerCellMs ? await withTimeout(cellPromise, opts.timeoutPerCellMs, spec.label) : await cellPromise;
+      const durationMs = Date.now() - t0;
+      const costUsd = spec.pricer ? spec.pricer(response.usage) : costGuard?.recordUsage(spec.model, response.usage).costUsd ?? 0;
+      if (spec.pricer && costGuard) {
+        costGuard.recordUsage(spec.model, response.usage);
+      }
+      cells.push({
+        label: spec.label,
+        provider: spec.provider,
+        model: spec.model,
+        responseText: response.content,
+        usage: response.usage,
+        costUsd,
+        durationMs,
+        finishReason: response.finishReason
+      });
+      recordAblationCellIfWired(opts, spec, {
+        matrixId,
+        promptHash,
+        promptTokens: response.usage.promptTokens,
+        completionTokens: response.usage.completionTokens,
+        costUsd,
+        durationMs,
+        finishReason: response.finishReason
+      });
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : String(err);
+      cells.push({
+        label: spec.label,
+        provider: spec.provider,
+        model: spec.model,
+        responseText: "",
+        usage: { promptTokens: 0, completionTokens: 0, totalTokens: 0 },
+        costUsd: 0,
+        durationMs: Date.now() - t0,
+        finishReason: "error",
+        errorMessage
+      });
+      recordAblationCellIfWired(opts, spec, {
+        matrixId,
+        promptHash,
+        promptTokens: 0,
+        completionTokens: 0,
+        costUsd: 0,
+        durationMs: Date.now() - t0,
+        finishReason: "error",
+        errorMessage
+      });
+    }
+  }
+  return {
+    taskId: task.taskId,
+    taskTitle: task.taskTitle,
+    brainPath: task.brainPath,
+    promptHash,
+    cells,
+    totalCostUsd: cells.reduce((sum, c) => sum + c.costUsd, 0),
+    startedAt,
+    completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    budgetExhausted
+  };
+}
+function renderAblationMarkdown(matrix) {
+  const header = [
+    `# Ablation: ${matrix.taskTitle}`,
+    "",
+    `- task_id: \`${matrix.taskId}\``,
+    `- prompt_hash: \`${matrix.promptHash}\``,
+    matrix.brainPath ? `- brain: \`${matrix.brainPath}\`` : "- brain: _(none)_",
+    `- started: ${matrix.startedAt}`,
+    `- completed: ${matrix.completedAt}`,
+    `- total_cost_usd: $${matrix.totalCostUsd.toFixed(4)}`,
+    matrix.budgetExhausted ? `- **budget_exhausted: true** (some cells skipped)` : "",
+    "",
+    "| Label | Provider | Model | Tokens (in/out) | Cost (USD) | Duration (ms) | Finish | Excerpt |",
+    "|---|---|---|---|---|---|---|---|"
+  ].filter((line) => line !== "");
+  const rows = matrix.cells.map((c) => {
+    const tokens = `${c.usage.promptTokens}/${c.usage.completionTokens}`;
+    const excerpt = c.errorMessage ? `_error: ${truncate2(c.errorMessage, 80)}_` : truncate2(escapeMd(c.responseText.replace(/\n/g, " ")), 80);
+    return `| ${c.label} | ${c.provider} | ${c.model} | ${tokens} | $${c.costUsd.toFixed(4)} | ${c.durationMs} | ${c.finishReason} | ${excerpt} |`;
+  });
+  return [...header, ...rows, ""].join("\n");
+}
+function recordAblationCellIfWired(opts, spec, cell) {
+  if (!opts.auditLog) return;
+  const identity = opts.identityFor?.(spec) ?? {
+    handle: `ablation:${spec.label}`,
+    surface: `ablation:${spec.label}`,
+    wallet: "0x0000000000000000000000000000000000000000",
+    x402Bearer: "",
+    llmProvider: spec.provider,
+    llmModel: spec.model,
+    brainPath: opts.task.brainPath ?? "(none)",
+    budgetUsdPerDay: 0,
+    teamId: "(ablation)",
+    meshApiBase: "(ablation)"
+  };
+  try {
+    opts.auditLog.recordAblationCell({
+      identity,
+      matrixId: cell.matrixId,
+      label: spec.label,
+      taskId: opts.task.taskId,
+      taskTitle: opts.task.taskTitle,
+      promptHash: cell.promptHash,
+      promptTokens: cell.promptTokens,
+      completionTokens: cell.completionTokens,
+      costUsd: cell.costUsd,
+      durationMs: cell.durationMs,
+      finishReason: cell.finishReason,
+      errorMessage: cell.errorMessage
+    });
+  } catch {
+  }
+}
+function hashPrompt(system, user) {
+  return createHash2("sha256").update(`SYS:${system}
+USR:${user}`).digest("hex").slice(0, 16);
+}
+function withTimeout(p, ms, label) {
+  return new Promise((resolve4, reject) => {
+    const timer = setTimeout(() => reject(new Error(`ablation cell "${label}" timed out after ${ms}ms`)), ms);
+    p.then(
+      (v) => {
+        clearTimeout(timer);
+        resolve4(v);
+      },
+      (e) => {
+        clearTimeout(timer);
+        reject(e);
+      }
+    );
+  });
+}
+function truncate2(s, max) {
+  return s.length <= max ? s : `${s.slice(0, max - 1)}\u2026`;
+}
+function escapeMd(s) {
+  return s.replace(/\|/g, "\\|");
+}
+
+// src/supervisor.ts
+import { homedir } from "os";
+import { join as join2 } from "path";
+
+// src/audit-log.ts
+import { mkdirSync as mkdirSync3, appendFileSync, readFileSync as readFileSync2, existsSync as existsSync2, statSync, renameSync } from "fs";
+import { dirname as dirname4 } from "path";
+var AuditLog = class {
+  constructor(opts) {
+    this.logPath = opts.logPath;
+    this.maxBytes = opts.maxBytes ?? 50 * 1024 * 1024;
+    mkdirSync3(dirname4(this.logPath), { recursive: true });
+  }
+  record(event) {
+    this.rotateIfFull();
+    appendFileSync(this.logPath, `${JSON.stringify(event)}
+`, "utf8");
+  }
+  recordTaskExecuted(opts) {
+    this.record({
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      kind: "task-executed",
+      agent: agentFromIdentity(opts.identity),
+      task: { id: opts.task.id, title: opts.task.title, tags: opts.task.tags ?? [] },
+      execution: {
+        promptTokens: opts.result.usage.promptTokens,
+        completionTokens: opts.result.usage.completionTokens,
+        totalTokens: opts.result.usage.totalTokens,
+        costUsd: opts.result.costUsd,
+        durationMs: opts.result.durationMs
+      },
+      result: {
+        commitHash: opts.commitHash,
+        filePath: opts.filePath
+      }
+    });
+  }
+  recordAblationCell(opts) {
+    this.record({
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      kind: "ablation-cell",
+      agent: agentFromIdentity(opts.identity),
+      task: { id: opts.taskId, title: opts.taskTitle, tags: ["ablation"] },
+      execution: {
+        promptTokens: opts.promptTokens,
+        completionTokens: opts.completionTokens,
+        totalTokens: opts.promptTokens + opts.completionTokens,
+        costUsd: opts.costUsd,
+        durationMs: opts.durationMs,
+        finishReason: opts.finishReason,
+        promptHash: opts.promptHash
+      },
+      result: { errorMessage: opts.errorMessage },
+      ablation: { label: opts.label, matrixId: opts.matrixId }
+    });
+  }
+  query(filter = {}) {
+    if (!existsSync2(this.logPath)) return [];
+    const raw = readFileSync2(this.logPath, "utf8");
+    const lines = raw.split("\n").filter((l) => l.length > 0);
+    const events = [];
+    for (const line of lines) {
+      try {
+        events.push(JSON.parse(line));
+      } catch {
+      }
+    }
+    return applyFilter(events, filter);
+  }
+  rollup(filter = {}) {
+    const events = this.query(filter);
+    const byAgent = {};
+    const byProvider = {};
+    let totalCostUsd = 0;
+    let totalTokens = 0;
+    for (const e of events) {
+      const agent = e.agent.handle;
+      const provider = e.agent.provider;
+      const cost = e.execution?.costUsd ?? 0;
+      const tokens = e.execution?.totalTokens ?? 0;
+      byAgent[agent] = byAgent[agent] ?? { events: 0, costUsd: 0, tokens: 0 };
+      byAgent[agent].events += 1;
+      byAgent[agent].costUsd += cost;
+      byAgent[agent].tokens += tokens;
+      byProvider[provider] = byProvider[provider] ?? { events: 0, costUsd: 0, tokens: 0 };
+      byProvider[provider].events += 1;
+      byProvider[provider].costUsd += cost;
+      byProvider[provider].tokens += tokens;
+      totalCostUsd += cost;
+      totalTokens += tokens;
+    }
+    return { totalEvents: events.length, byAgent, byProvider, totalCostUsd, totalTokens };
+  }
+  rotateIfFull() {
+    if (!existsSync2(this.logPath)) return;
+    const size = statSync(this.logPath).size;
+    if (size < this.maxBytes) return;
+    const archived = `${this.logPath}.${(/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-")}.jsonl`;
+    renameSync(this.logPath, archived);
+  }
+};
+function agentFromIdentity(identity) {
+  return {
+    handle: identity.handle,
+    surface: identity.surface,
+    wallet: identity.wallet,
+    walletShort: `${identity.wallet.slice(0, 6)}\u2026${identity.wallet.slice(-4)}`,
+    provider: identity.llmProvider,
+    model: identity.llmModel,
+    brainPath: identity.brainPath
+  };
+}
+function applyFilter(events, filter) {
+  let result = events;
+  if (filter.agent) result = result.filter((e) => e.agent.handle === filter.agent);
+  if (filter.provider) result = result.filter((e) => e.agent.provider === filter.provider);
+  if (filter.task) result = result.filter((e) => e.task?.id === filter.task);
+  if (filter.kind) result = result.filter((e) => e.kind === filter.kind);
+  if (filter.since) result = result.filter((e) => e.ts >= filter.since);
+  if (filter.until) result = result.filter((e) => e.ts <= filter.until);
+  if (filter.limit != null) result = result.slice(-filter.limit);
+  return result;
+}
+
+// src/supervisor.ts
+var Supervisor = class {
+  constructor(opts) {
+    this.agents = /* @__PURE__ */ new Map();
+    this.stopped = false;
+    this.opts = opts;
+    this.globalBudgetUsdPerDay = opts.config.globalBudgetUsdPerDay;
+    this.auditLog = opts.auditLogPath ? new AuditLog({ logPath: opts.auditLogPath }) : void 0;
+  }
+  async start() {
+    const enabledAgents = this.opts.config.agents.filter((a) => a.enabled !== false);
+    for (const spec of enabledAgents) {
+      const managed = await this.bootAgent(spec);
+      this.agents.set(spec.handle, managed);
+    }
+    this.log({ ev: "supervisor-started", count: enabledAgents.length });
+    for (const managed of this.agents.values()) {
+      this.spawnLoop(managed);
+    }
+  }
+  async stop() {
+    this.stopped = true;
+    for (const managed of this.agents.values()) {
+      managed.runner.stop();
+      managed.status.state = "stopped";
+    }
+    this.log({ ev: "supervisor-stopped", count: this.agents.size });
+  }
+  status() {
+    const agents = [...this.agents.values()].map((m) => ({ ...m.status }));
+    const globalSpentUsd = agents.reduce((s, a) => s + a.spentUsd, 0);
+    const globalBudgetExhausted = this.globalBudgetUsdPerDay != null ? globalSpentUsd >= this.globalBudgetUsdPerDay : false;
+    const globalRemainingUsd = this.globalBudgetUsdPerDay != null ? Math.max(0, this.globalBudgetUsdPerDay - globalSpentUsd) : Infinity;
+    return { globalSpentUsd, globalRemainingUsd, globalBudgetExhausted, agents };
+  }
+  async tickOnce(handle) {
+    const managed = this.agents.get(handle);
+    if (!managed) throw new Error(`No agent: ${handle}`);
+    await this.runOneTick(managed);
+    return { ...managed.status };
+  }
+  async bootAgent(spec) {
+    const identity = this.identityFromSpec(spec);
+    const brain = await loadBrain(spec.brainPath, spec.scopeTier ?? "warm");
+    const provider = await this.opts.providerFactory(spec, identity);
+    const stateDir = this.opts.stateDir ?? join2(homedir(), ".holoscript-agent", "cost-state");
+    const isFree = spec.provider === "mock" || spec.provider === "local-llm" || spec.provider === "bitnet";
+    const costGuard = new CostGuard({
+      statePath: join2(stateDir, `${spec.handle}.json`),
+      dailyBudgetUsd: identity.budgetUsdPerDay,
+      pricer: isFree ? () => 0 : void 0
+    });
+    const mesh = new HolomeshClient({
+      apiBase: identity.meshApiBase,
+      bearer: identity.x402Bearer,
+      teamId: identity.teamId,
+      fetchImpl: this.opts.fetchImpl
+    });
+    const onTaskExecuted = spec.enableCommitHook ? this.buildCommitHook(spec, identity, mesh) : void 0;
+    const runner = new AgentRunner({
+      identity,
+      brain,
+      provider,
+      costGuard,
+      mesh,
+      onTaskExecuted,
+      auditLog: this.auditLog,
+      logger: (ev) => this.log({ agent: spec.handle, ...ev })
+    });
+    const status = {
+      handle: spec.handle,
+      state: "starting",
+      spentUsd: 0,
+      remainingUsd: identity.budgetUsdPerDay,
+      restarts: 0
+    };
+    return { spec, identity, brain, runner, costGuard, status };
+  }
+  buildCommitHook(spec, identity, mesh) {
+    const writer = makeCommitHook({
+      outputDir: spec.outputDir ?? "agent-out",
+      workingDir: spec.workingDir,
+      scope: `agent(${spec.handle})`
+    });
+    return async (result, task) => {
+      const out = await writer(result, task, identity);
+      if (out.commitHash) {
+        await mesh.markDone(task.id, `auto: ${task.title}`, out.commitHash);
+      }
+    };
+  }
+  identityFromSpec(spec) {
+    const bearer = process.env[spec.bearerEnvKey];
+    if (!bearer || bearer.trim().length === 0) {
+      throw new Error(`Missing bearer env var "${spec.bearerEnvKey}" for agent "${spec.handle}"`);
+    }
+    const wallet = process.env[spec.walletEnvKey];
+    if (!wallet || !/^0x[0-9a-fA-F]{40}$/.test(wallet)) {
+      throw new Error(`Missing or malformed wallet env var "${spec.walletEnvKey}" for agent "${spec.handle}"`);
+    }
+    return {
+      handle: spec.handle,
+      surface: spec.handle,
+      wallet,
+      x402Bearer: bearer,
+      llmProvider: spec.provider,
+      llmModel: spec.model,
+      brainPath: spec.brainPath,
+      budgetUsdPerDay: spec.budgetUsdPerDay ?? 5,
+      teamId: this.opts.teamId,
+      meshApiBase: this.opts.meshApiBase ?? "https://mcp.holoscript.net/api/holomesh"
+    };
+  }
+  async spawnLoop(managed) {
+    const interval = managed.spec.tickIntervalMs ?? this.opts.config.defaultTickIntervalMs ?? 6e4;
+    while (!this.stopped) {
+      try {
+        await this.runOneTick(managed);
+      } catch (err) {
+        managed.status.state = "crashed";
+        managed.status.lastError = err instanceof Error ? err.message : String(err);
+        managed.status.restarts += 1;
+        const backoffMs = Math.min(6e4, 2 ** Math.min(managed.status.restarts, 6) * 1e3);
+        this.log({
+          ev: "agent-crashed-restarting",
+          agent: managed.spec.handle,
+          backoffMs,
+          restarts: managed.status.restarts,
+          message: managed.status.lastError
+        });
+        await sleep2(backoffMs);
+        continue;
+      }
+      await sleep2(interval + jitter2(interval));
+    }
+  }
+  async runOneTick(managed) {
+    if (this.globalBudgetUsdPerDay != null) {
+      const totalSpent = [...this.agents.values()].reduce((s, a) => s + a.status.spentUsd, 0);
+      if (totalSpent >= this.globalBudgetUsdPerDay) {
+        managed.status.state = "over-budget";
+        this.log({ ev: "global-budget-exhausted", agent: managed.spec.handle, totalSpent });
+        return;
+      }
+    }
+    const result = await managed.runner.tick();
+    const cs = managed.costGuard.getState();
+    managed.status.spentUsd = cs.spentUsd;
+    managed.status.remainingUsd = managed.costGuard.getRemainingUsd();
+    managed.status.lastTickAt = (this.opts.now ?? (() => /* @__PURE__ */ new Date()))().toISOString();
+    managed.status.state = result.action === "over-budget" ? "over-budget" : "running";
+    if (result.action === "errored") {
+      managed.status.lastError = result.message;
+    }
+  }
+  log(event) {
+    if (this.opts.logger) {
+      this.opts.logger({ ts: (/* @__PURE__ */ new Date()).toISOString(), ...event });
+    }
+  }
+};
+function sleep2(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+function jitter2(base) {
+  return Math.floor((Math.random() - 0.5) * base * 0.2);
+}
+
+// src/supervisor-config.ts
+import { readFileSync as readFileSync3 } from "fs";
+var VALID_PROVIDERS2 = /* @__PURE__ */ new Set([
+  "anthropic",
+  "openai",
+  "gemini",
+  "mock",
+  "bitnet",
+  "local-llm"
+]);
+var VALID_TIERS = /* @__PURE__ */ new Set(["cold", "warm", "hot"]);
+var HANDLE_PATTERN = /^[a-z0-9_-]{1,64}$/i;
+function loadSupervisorConfig(path) {
+  return parseSupervisorConfig(readFileSync3(path, "utf8"));
+}
+function parseSupervisorConfig(raw) {
+  const data = JSON.parse(raw);
+  if (!isObject(data)) throw new Error("Supervisor config must be a JSON object");
+  if (!Array.isArray(data.agents)) throw new Error("Supervisor config.agents must be an array");
+  if (data.agents.length === 0) throw new Error("Supervisor config.agents must have at least one entry");
+  const seenHandles = /* @__PURE__ */ new Set();
+  const agents = data.agents.map((entry, idx) => validateAgent(entry, idx, seenHandles));
+  const globalBudgetUsdPerDay = optionalNumber(data, "globalBudgetUsdPerDay");
+  const defaultTickIntervalMs = optionalNumber(data, "defaultTickIntervalMs");
+  if (globalBudgetUsdPerDay != null && globalBudgetUsdPerDay <= 0) {
+    throw new Error(`globalBudgetUsdPerDay must be positive, got ${globalBudgetUsdPerDay}`);
+  }
+  if (defaultTickIntervalMs != null && defaultTickIntervalMs < 5e3) {
+    throw new Error(`defaultTickIntervalMs must be >= 5000ms (mesh-friendly), got ${defaultTickIntervalMs}`);
+  }
+  return { agents, globalBudgetUsdPerDay, defaultTickIntervalMs };
+}
+function validateAgent(entry, idx, seen) {
+  if (!isObject(entry)) throw new Error(`agents[${idx}] must be an object`);
+  const handle = requiredString(entry, "handle", `agents[${idx}].handle`);
+  if (!HANDLE_PATTERN.test(handle)) {
+    throw new Error(`agents[${idx}].handle "${handle}" must match ${HANDLE_PATTERN}`);
+  }
+  if (seen.has(handle)) throw new Error(`Duplicate agent handle: "${handle}"`);
+  seen.add(handle);
+  const provider = requiredString(entry, "provider", `agents[${idx}].provider`);
+  if (!VALID_PROVIDERS2.has(provider)) {
+    throw new Error(
+      `agents[${idx}].provider "${provider}" not in [${[...VALID_PROVIDERS2].join(", ")}]`
+    );
+  }
+  const scopeTier = optionalString(entry, "scopeTier");
+  if (scopeTier && !VALID_TIERS.has(scopeTier)) {
+    throw new Error(`agents[${idx}].scopeTier "${scopeTier}" must be cold | warm | hot`);
+  }
+  const budgetUsdPerDay = optionalNumber(entry, "budgetUsdPerDay");
+  if (budgetUsdPerDay != null && budgetUsdPerDay <= 0) {
+    throw new Error(`agents[${idx}].budgetUsdPerDay must be positive, got ${budgetUsdPerDay}`);
+  }
+  const tickIntervalMs = optionalNumber(entry, "tickIntervalMs");
+  if (tickIntervalMs != null && tickIntervalMs < 5e3) {
+    throw new Error(`agents[${idx}].tickIntervalMs must be >= 5000ms, got ${tickIntervalMs}`);
+  }
+  return {
+    handle,
+    brainPath: requiredString(entry, "brainPath", `agents[${idx}].brainPath`),
+    provider,
+    model: requiredString(entry, "model", `agents[${idx}].model`),
+    walletEnvKey: requiredString(entry, "walletEnvKey", `agents[${idx}].walletEnvKey`),
+    bearerEnvKey: requiredString(entry, "bearerEnvKey", `agents[${idx}].bearerEnvKey`),
+    budgetUsdPerDay,
+    scopeTier,
+    enabled: optionalBoolean(entry, "enabled"),
+    tickIntervalMs,
+    enableCommitHook: optionalBoolean(entry, "enableCommitHook"),
+    outputDir: optionalString(entry, "outputDir"),
+    workingDir: optionalString(entry, "workingDir")
+  };
+}
+function isObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function requiredString(obj, key, label) {
+  const v = obj[key];
+  if (typeof v !== "string" || v.trim().length === 0) {
+    throw new Error(`${label} is required and must be a non-empty string`);
+  }
+  return v.trim();
+}
+function optionalString(obj, key) {
+  const v = obj[key];
+  if (v === void 0 || v === null) return void 0;
+  if (typeof v !== "string") throw new Error(`${key} must be a string when present`);
+  return v.trim();
+}
+function optionalNumber(obj, key) {
+  const v = obj[key];
+  if (v === void 0 || v === null) return void 0;
+  if (typeof v !== "number" || !Number.isFinite(v)) {
+    throw new Error(`${key} must be a finite number when present`);
+  }
+  return v;
+}
+function optionalBoolean(obj, key) {
+  const v = obj[key];
+  if (v === void 0 || v === null) return void 0;
+  if (typeof v !== "boolean") throw new Error(`${key} must be a boolean when present`);
+  return v;
+}
+
+// src/provision.ts
+import { mkdirSync as mkdirSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync3, existsSync as existsSync3, chmodSync } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir2, hostname } from "os";
+import { randomBytes, createCipheriv, createHash as createHash3 } from "crypto";
+import { Wallet } from "ethers";
+var HANDLE_PATTERN2 = /^[a-z0-9_-]{1,64}$/i;
+var EIP712_DOMAIN = { name: "HoloMesh", version: "1" };
+var EIP712_TYPES = {
+  Registration: [{ name: "nonce", type: "string" }]
+};
+async function provisionAgent(req, opts = { execute: false }) {
+  if (!HANDLE_PATTERN2.test(req.handle)) {
+    throw new Error(`handle "${req.handle}" must match ${HANDLE_PATTERN2}`);
+  }
+  if (!req.founderBearer || req.founderBearer.trim().length === 0) {
+    throw new Error("founderBearer is required (HOLOMESH_API_KEY of an agent that can call /register)");
+  }
+  const meshApiBase = (req.meshApiBase ?? "https://mcp.holoscript.net/api/holomesh").replace(/\/$/, "");
+  const seatsRoot = req.seatsRoot ?? defaultSeatsRoot();
+  const surface = req.handle;
+  const seatId = makeSeatId(surface);
+  const seatDir = join3(seatsRoot, seatId);
+  const walletPath = join3(seatDir, "wallet.enc");
+  const regPath = join3(seatDir, "registration.json");
+  if (!opts.execute) {
+    return {
+      status: "dry-run",
+      handle: req.handle,
+      surface,
+      seatId,
+      seatDir,
+      willGenerateWallet: !existsSync3(walletPath),
+      willCallEndpoints: [
+        `POST ${meshApiBase}/register/challenge`,
+        `POST ${meshApiBase}/register`
+      ]
+    };
+  }
+  if (existsSync3(walletPath) && !opts.force) {
+    const blob = JSON.parse(readFileSync4(walletPath, "utf8"));
+    const reused = {
+      status: "reused",
+      handle: req.handle,
+      surface,
+      seatId,
+      seatDir,
+      walletAddress: blob.address,
+      envVarLines: envVarLinesFor(req.handle, blob.address, void 0)
+    };
+    return reused;
+  }
+  const wallet = Wallet.createRandom();
+  mkdirSync4(seatDir, { recursive: true });
+  const masterKey = ensureMasterKey(seatsRoot);
+  const encryptedBlob = {
+    seat_id: seatId,
+    surface,
+    handle: req.handle,
+    address: wallet.address,
+    encrypted_privkey: encryptPrivateKey(wallet.privateKey, masterKey),
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    source: "holoscript-agent.provision"
+  };
+  writeFileSync3(walletPath, JSON.stringify(encryptedBlob, null, 2), "utf8");
+  try {
+    chmodSync(walletPath, 384);
+  } catch {
+  }
+  const fetchImpl = req.fetchImpl ?? fetch;
+  const challenge = await postJson(
+    fetchImpl,
+    `${meshApiBase}/register/challenge`,
+    req.founderBearer,
+    { wallet_address: wallet.address }
+  );
+  if (!challenge.nonce) {
+    throw new Error(`/register/challenge returned no nonce: ${JSON.stringify(challenge)}`);
+  }
+  const signature = await wallet.signTypedData(EIP712_DOMAIN, EIP712_TYPES, { nonce: challenge.nonce });
+  const registration = await postJson(
+    fetchImpl,
+    `${meshApiBase}/register`,
+    req.founderBearer,
+    {
+      name: req.handle,
+      wallet_address: wallet.address,
+      nonce: challenge.nonce,
+      signature
+    }
+  );
+  writeFileSync3(
+    regPath,
+    JSON.stringify({ status: 201, response: registration, registered_at: (/* @__PURE__ */ new Date()).toISOString(), flow: "x402" }, null, 2),
+    "utf8"
+  );
+  const agentId = registration.agent?.id;
+  const bearer = registration.agent?.api_key;
+  if (!agentId || !bearer) {
+    throw new Error(`/register did not return agent.id + agent.api_key: ${JSON.stringify(registration).slice(0, 400)}`);
+  }
+  if (registration.wallet?.private_key) {
+    console.warn("[provision] WARN \u2014 server returned private_key despite x402 flow; ignoring (using local key).");
+  }
+  let joinedTeam;
+  if (req.autoJoinTeamId) {
+    try {
+      const joinRes = await postJson(
+        fetchImpl,
+        `${meshApiBase}/team/${req.autoJoinTeamId}/join`,
+        bearer,
+        {}
+      );
+      joinedTeam = {
+        teamId: req.autoJoinTeamId,
+        role: joinRes.role ?? "member",
+        members: joinRes.members ?? 0
+      };
+    } catch (err) {
+      joinedTeam = {
+        teamId: req.autoJoinTeamId,
+        error: err instanceof Error ? err.message : String(err)
+      };
+    }
+  }
+  return {
+    status: "executed",
+    handle: req.handle,
+    surface,
+    seatId,
+    seatDir,
+    walletAddress: wallet.address,
+    bearer,
+    agentId,
+    envVarLines: envVarLinesFor(req.handle, wallet.address, bearer),
+    joinedTeam
+  };
+}
+function defaultSeatsRoot() {
+  return process.env.HOLOSCRIPT_AGENT_SEATS_ROOT ?? join3(homedir2(), ".holoscript-agent", "seats");
+}
+function makeSeatId(surface) {
+  const fp = createHash3("sha256").update(hostname() + homedir2()).digest("hex").slice(0, 8);
+  return `holoscript-${surface}-${fp}-x402`;
+}
+function ensureMasterKey(seatsRoot) {
+  const keyPath = join3(seatsRoot, ".master-key");
+  if (!existsSync3(seatsRoot)) mkdirSync4(seatsRoot, { recursive: true });
+  if (!existsSync3(keyPath)) {
+    const k = randomBytes(32);
+    writeFileSync3(keyPath, k);
+    try {
+      chmodSync(keyPath, 384);
+    } catch {
+    }
+  }
+  return readFileSync4(keyPath);
+}
+function encryptPrivateKey(privKey, masterKey) {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
+  const ct = Buffer.concat([cipher.update(privKey, "utf8"), cipher.final()]);
+  return { iv: iv.toString("base64"), ct: ct.toString("base64"), tag: cipher.getAuthTag().toString("base64"), alg: "aes-256-gcm" };
+}
+async function postJson(fetchImpl, url, bearer, body) {
+  const res = await fetchImpl(url, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${bearer}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`POST ${url} ${res.status}: ${text.slice(0, 400)}`);
+  }
+  try {
+    return JSON.parse(text);
+  } catch {
+    throw new Error(`POST ${url} returned non-JSON: ${text.slice(0, 200)}`);
+  }
+}
+function envVarLinesFor(handle, walletAddress, bearer) {
+  const suffix = handle.toUpperCase().replace(/-/g, "_");
+  const lines = [`HOLOSCRIPT_AGENT_WALLET_${suffix}=${walletAddress}`];
+  if (bearer) {
+    lines.push(`HOLOMESH_API_KEY_${suffix}_X402=${bearer}`);
+  }
+  return lines;
+}
+
+// src/index.ts
+import { writeFileSync as writeFileSync4, readFileSync as readFileSync5, existsSync as existsSync4, mkdirSync as mkdirSync5 } from "fs";
+import { dirname as dirname5, resolve as resolve3 } from "path";
+async function main() {
+  const args = process.argv.slice(2);
+  const cmd = args[0] ?? "help";
+  switch (cmd) {
+    case "run":
+      await cmdRun({ once: false });
+      return;
+    case "tick":
+      await cmdRun({ once: true });
+      return;
+    case "whoami":
+      await cmdWhoami();
+      return;
+    case "ablate":
+      await cmdAblate(args.slice(1));
+      return;
+    case "supervise":
+      await cmdSupervise(args.slice(1));
+      return;
+    case "status":
+      await cmdStatus(args.slice(1));
+      return;
+    case "provision":
+      await cmdProvision(args.slice(1));
+      return;
+    case "audit":
+      await cmdAudit(args.slice(1));
+      return;
+    case "help":
+    case "--help":
+    case "-h":
+      printHelp();
+      return;
+    default:
+      console.error(`Unknown command: ${cmd}`);
+      printHelp();
+      process.exit(2);
+  }
+}
+async function cmdRun(opts) {
+  const identity = loadIdentity();
+  const brain = await loadBrain(identity.brainPath, scopeTierFromEnv());
+  const provider = await buildProvider(identity);
+  const costGuard = new CostGuard({
+    statePath: stateFilePath(identity),
+    dailyBudgetUsd: identity.budgetUsdPerDay,
+    pricer: defaultPricerForProvider(identity.llmProvider)
+  });
+  const mesh = new HolomeshClient({
+    apiBase: identity.meshApiBase,
+    bearer: identity.x402Bearer,
+    teamId: identity.teamId
+  });
+  const commitHook = buildCommitHook(identity, mesh);
+  const auditLog = buildAuditLog();
+  const runner = new AgentRunner({
+    identity,
+    brain,
+    provider,
+    costGuard,
+    mesh,
+    logger: (ev) => console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ...ev })),
+    onTaskExecuted: commitHook,
+    auditLog
+  });
+  console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "boot", identity: identityForLog(identity), brain: { domain: brain.domain, tags: brain.capabilityTags, tier: brain.scopeTier } }));
+  if (opts.once) {
+    const result = await runner.tick();
+    console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "tick-result", ...result }));
+    return;
+  }
+  const interval = Number(process.env.HOLOSCRIPT_AGENT_TICK_MS ?? "60000");
+  const onSig = () => {
+    console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "shutdown" }));
+    runner.stop();
+    setTimeout(() => process.exit(0), 250);
+  };
+  process.on("SIGINT", onSig);
+  process.on("SIGTERM", onSig);
+  await runner.runForever({ tickIntervalMs: interval });
+}
+function supervisorProviderFactory() {
+  return (spec) => {
+    switch (spec.provider) {
+      case "anthropic":
+        return createAnthropicProvider({ defaultModel: spec.model });
+      case "openai":
+        return createOpenAIProvider({ defaultModel: spec.model });
+      case "gemini":
+        return createGeminiProvider({ defaultModel: spec.model });
+      case "local-llm":
+        return createLocalLLMProvider({
+          baseURL: process.env.HOLOSCRIPT_AGENT_LOCAL_LLM_BASE_URL,
+          model: spec.model
+        });
+      case "mock":
+        return createMockProvider();
+      default:
+        throw new Error(`Provider "${spec.provider}" not yet wired in supervisor \u2014 Phase 2.5 deliverable.`);
+    }
+  };
+}
+async function cmdSupervise(rest) {
+  const cfgPath = rest.find((a) => a.startsWith("--config="))?.split("=")[1];
+  if (!cfgPath) {
+    throw new Error("Usage: holoscript-agent supervise --config=<path-to-agents.json>");
+  }
+  const teamId = process.env.HOLOMESH_TEAM_ID;
+  if (!teamId) throw new Error("HOLOMESH_TEAM_ID env var required for supervise command");
+  const config = loadSupervisorConfig(cfgPath);
+  const sup = new Supervisor({
+    config,
+    providerFactory: supervisorProviderFactory(),
+    teamId,
+    meshApiBase: process.env.HOLOMESH_API_BASE,
+    auditLogPath: auditLogPath(),
+    logger: (ev) => console.log(JSON.stringify(ev))
+  });
+  const onSig = async () => {
+    await sup.stop();
+    setTimeout(() => process.exit(0), 250);
+  };
+  process.on("SIGINT", onSig);
+  process.on("SIGTERM", onSig);
+  await sup.start();
+  console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "supervise-running", config: cfgPath }));
+  const reportEvery = Number(process.env.HOLOSCRIPT_AGENT_STATUS_REPORT_MS ?? "300000");
+  if (reportEvery > 0) {
+    setInterval(() => {
+      console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "supervisor-status", ...sup.status() }));
+    }, reportEvery);
+  }
+}
+async function cmdAudit(rest) {
+  const logPath = rest.find((a) => a.startsWith("--log="))?.split("=")[1] ?? process.env.HOLOSCRIPT_AGENT_AUDIT_LOG ?? join4(homedir3(), ".holoscript-agent", "audit", "audit.jsonl");
+  const sub = rest.find((a) => !a.startsWith("--")) ?? "rollup";
+  const filter = {};
+  for (const arg of rest) {
+    if (arg.startsWith("--agent=")) filter.agent = arg.split("=")[1];
+    if (arg.startsWith("--provider=")) filter.provider = arg.split("=")[1];
+    if (arg.startsWith("--task=")) filter.task = arg.split("=")[1];
+    if (arg.startsWith("--kind=")) filter.kind = arg.split("=")[1];
+    if (arg.startsWith("--limit=")) filter.limit = Number(arg.split("=")[1]);
+  }
+  const log = new AuditLog({ logPath });
+  if (sub === "rollup") {
+    console.log(JSON.stringify(log.rollup(filter), null, 2));
+  } else if (sub === "tail" || sub === "query") {
+    const events = log.query(filter);
+    for (const e of events) console.log(JSON.stringify(e));
+  } else {
+    throw new Error("Usage: holoscript-agent audit [rollup|query|tail] [--agent=<h>] [--provider=<p>] [--task=<id>] [--kind=<k>] [--limit=<n>] [--log=<path>]");
+  }
+}
+async function cmdProvision(rest) {
+  const handle = rest.find((a) => a.startsWith("--handle="))?.split("=")[1];
+  if (!handle) {
+    throw new Error("Usage: holoscript-agent provision --handle=<name> [--execute] [--force]");
+  }
+  const execute = rest.includes("--execute");
+  const force = rest.includes("--force");
+  const founderBearer = process.env.HOLOMESH_API_KEY;
+  if (!founderBearer) {
+    throw new Error("HOLOMESH_API_KEY env var required for provisioning (founder-tier bearer for /register endpoints)");
+  }
+  const result = await provisionAgent(
+    {
+      handle,
+      founderBearer,
+      meshApiBase: process.env.HOLOMESH_API_BASE,
+      seatsRoot: process.env.HOLOSCRIPT_AGENT_SEATS_ROOT,
+      autoJoinTeamId: rest.includes("--no-join") ? void 0 : process.env.HOLOMESH_TEAM_ID
+    },
+    { execute, force }
+  );
+  console.log(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "provision-result", ...result }, null, 2));
+  if (result.status === "executed" || result.status === "reused") {
+    console.log("\n# Add these lines to your .env to use this seat:");
+    for (const line of result.envVarLines) console.log(line);
+  }
+}
+async function cmdStatus(rest) {
+  const cfgPath = rest.find((a) => a.startsWith("--config="))?.split("=")[1];
+  if (!cfgPath) {
+    throw new Error("Usage: holoscript-agent status --config=<path-to-agents.json>");
+  }
+  const config = loadSupervisorConfig(cfgPath);
+  console.log(JSON.stringify({
+    config: cfgPath,
+    agentCount: config.agents.length,
+    enabled: config.agents.filter((a) => a.enabled !== false).map((a) => a.handle),
+    disabled: config.agents.filter((a) => a.enabled === false).map((a) => a.handle),
+    globalBudgetUsdPerDay: config.globalBudgetUsdPerDay ?? null,
+    defaultTickIntervalMs: config.defaultTickIntervalMs ?? null
+  }, null, 2));
+}
+async function cmdAblate(rest) {
+  const specPath = rest.find((a) => a.startsWith("--spec="))?.split("=")[1];
+  if (!specPath) {
+    throw new Error("Usage: holoscript-agent ablate --spec=<path-to-ablation.json> [--out-md=<path>] [--out-json=<path>]");
+  }
+  const outMd = rest.find((a) => a.startsWith("--out-md="))?.split("=")[1];
+  const outJson = rest.find((a) => a.startsWith("--out-json="))?.split("=")[1];
+  if (!existsSync4(specPath)) throw new Error(`Spec file not found: ${specPath}`);
+  const spec = JSON.parse(readFileSync5(specPath, "utf8"));
+  const providers = spec.providers.map((p) => ({
+    label: p.label,
+    provider: p.provider,
+    model: p.model,
+    build: () => {
+      switch (p.provider) {
+        case "anthropic":
+          return createAnthropicProvider({ defaultModel: p.model });
+        case "openai":
+          return createOpenAIProvider({ defaultModel: p.model });
+        case "gemini":
+          return createGeminiProvider({ defaultModel: p.model });
+        case "local-llm":
+          return createLocalLLMProvider({
+            baseURL: process.env.HOLOSCRIPT_AGENT_LOCAL_LLM_BASE_URL,
+            model: p.model
+          });
+        case "mock":
+          return createMockProvider();
+      }
+    },
+    pricer: p.pricePerCallUsd != null ? () => p.pricePerCallUsd : p.pricePerMtokInput != null && p.pricePerMtokOutput != null ? (u) => (u.promptTokens * p.pricePerMtokInput + u.completionTokens * p.pricePerMtokOutput) / 1e6 : void 0
+  }));
+  const startMsg = JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "ablation-start", task: spec.task.taskId, cells: providers.length });
+  console.log(startMsg);
+  const matrix = await runAblation({
+    task: spec.task,
+    providers,
+    timeoutPerCellMs: spec.timeoutPerCellMs
+  });
+  if (outJson) {
+    mkdirSync5(dirname5(resolve3(outJson)), { recursive: true });
+    writeFileSync4(outJson, JSON.stringify(matrix, null, 2), "utf8");
+  }
+  if (outMd) {
+    mkdirSync5(dirname5(resolve3(outMd)), { recursive: true });
+    writeFileSync4(outMd, renderAblationMarkdown(matrix), "utf8");
+  }
+  if (!outMd && !outJson) {
+    console.log(renderAblationMarkdown(matrix));
+  }
+  console.log(JSON.stringify({
+    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    ev: "ablation-done",
+    task: matrix.taskId,
+    cells: matrix.cells.length,
+    errors: matrix.cells.filter((c) => c.errorMessage).length,
+    totalCostUsd: matrix.totalCostUsd,
+    promptHash: matrix.promptHash,
+    outMd: outMd ?? null,
+    outJson: outJson ?? null
+  }));
+}
+async function cmdWhoami() {
+  const identity = loadIdentity();
+  const mesh = new HolomeshClient({
+    apiBase: identity.meshApiBase,
+    bearer: identity.x402Bearer,
+    teamId: identity.teamId
+  });
+  const me = await mesh.whoAmI();
+  console.log(JSON.stringify({ identity: identityForLog(identity), me }, null, 2));
+}
+async function buildProvider(identity) {
+  const p = identity.llmProvider;
+  switch (p) {
+    case "anthropic":
+      return createAnthropicProvider({ defaultModel: identity.llmModel });
+    case "openai":
+      return createOpenAIProvider({ defaultModel: identity.llmModel });
+    case "gemini":
+      return createGeminiProvider({ defaultModel: identity.llmModel });
+    case "mock":
+      return createMockProvider();
+    case "local-llm":
+      return createLocalLLMProvider({
+        baseURL: process.env.HOLOSCRIPT_AGENT_LOCAL_LLM_BASE_URL,
+        model: identity.llmModel
+      });
+    default:
+      throw new Error(
+        `Provider "${p}" not yet wired in CLI \u2014 Phase 2 deliverable. Use anthropic | openai | gemini | local-llm | mock for now.`
+      );
+  }
+}
+function buildCommitHook(identity, mesh) {
+  const enabled = (process.env.HOLOSCRIPT_AGENT_COMMIT_RESPONSES ?? "").toLowerCase();
+  if (enabled !== "1" && enabled !== "true") return void 0;
+  const outputDir = process.env.HOLOSCRIPT_AGENT_OUTPUT_DIR ?? "agent-out";
+  const workingDir = process.env.HOLOSCRIPT_AGENT_WORKING_DIR ?? process.cwd();
+  const scope = process.env.HOLOSCRIPT_AGENT_COMMIT_SCOPE ?? `agent(${identity.handle})`;
+  const writer = makeCommitHook({ outputDir, workingDir, scope });
+  return async (result, task) => {
+    const out = await writer(result, task, identity);
+    await mesh.sendMessageOnTask(
+      task.id,
+      `[${identity.handle}] response committed at ${out.commitHash?.slice(0, 12) ?? "(no-hash)"} -> ${out.filePath}`
+    );
+    if (out.commitHash) {
+      await mesh.markDone(task.id, `auto: ${task.title}`, out.commitHash);
+    }
+  };
+}
+function scopeTierFromEnv() {
+  const t = (process.env.HOLOSCRIPT_AGENT_SCOPE_TIER ?? "warm").toLowerCase();
+  if (t === "cold" || t === "warm" || t === "hot") return t;
+  throw new Error(`HOLOSCRIPT_AGENT_SCOPE_TIER must be cold|warm|hot, got: ${t}`);
+}
+function stateFilePath(identity) {
+  const dir = process.env.HOLOSCRIPT_AGENT_STATE_DIR ?? join4(homedir3(), ".holoscript-agent", "cost-state");
+  return join4(dir, `${identity.handle}.json`);
+}
+function auditLogPath() {
+  return process.env.HOLOSCRIPT_AGENT_AUDIT_LOG ?? join4(homedir3(), ".holoscript-agent", "audit", "audit.jsonl");
+}
+function buildAuditLog() {
+  const enabled = (process.env.HOLOSCRIPT_AGENT_AUDIT_ENABLED ?? "1").toLowerCase();
+  if (enabled === "0" || enabled === "false") return void 0;
+  return new AuditLog({ logPath: auditLogPath() });
+}
+function printHelp() {
+  console.log(`holoscript-agent \u2014 headless agent runtime
+
+USAGE
+  holoscript-agent run                              start the daemon (heartbeat + claim + execute loop)
+  holoscript-agent tick                             single tick, then exit (useful in CI / cron / smoke tests)
+  holoscript-agent whoami                           verify identity tuple resolves end-to-end (/me + env)
+  holoscript-agent ablate --spec=<path>             run a cross-LLM ablation; spec = JSON with task + providers
+                          [--out-md=<path>]         optional: write markdown ablation table
+                          [--out-json=<path>]       optional: write structured JSON matrix
+  holoscript-agent supervise --config=<path>        run N agents from agents.json (multi-agent daemon)
+  holoscript-agent status --config=<path>           print parsed config summary (validates schema)
+  holoscript-agent provision --handle=<name>        provision a fresh x402 seat for a brain (dry-run by default)
+                             [--execute]            actually generate wallet + register against production
+                             [--force]              re-register a handle whose seat already exists (dangerous)
+  holoscript-agent audit [rollup|query|tail]        query the per-agent audit log (default sub: rollup)
+                         [--agent=<h>]              filter by agent handle
+                         [--provider=<p>]           filter by LLM provider
+                         [--task=<id>]              filter by task id
+                         [--kind=<k>]               filter by kind (task-executed | ablation-cell | ...)
+                         [--limit=<n>]              keep last N events
+                         [--log=<path>]             override log path (default ~/.holoscript-agent/audit/audit.jsonl)
+  holoscript-agent help                             print this
+
+REQUIRED ENV
+  HOLOSCRIPT_AGENT_HANDLE            agent handle (e.g. "security-auditor")
+  HOLOSCRIPT_AGENT_PROVIDER          anthropic | openai | gemini | local-llm | mock
+  HOLOSCRIPT_AGENT_MODEL             model id (e.g. "claude-opus-4-7")
+  HOLOSCRIPT_AGENT_BRAIN             path to .hsplus brain composition
+  HOLOSCRIPT_AGENT_WALLET            0x\u2026 wallet address
+  HOLOSCRIPT_AGENT_X402_BEARER       per-surface mesh bearer (W.087 vertex B)
+  HOLOMESH_TEAM_ID                   target team id
+  ANTHROPIC_API_KEY | OPENAI_API_KEY | GEMINI_API_KEY  per provider
+
+OPTIONAL ENV
+  HOLOSCRIPT_AGENT_BUDGET_USD_DAY    default 5
+  HOLOSCRIPT_AGENT_SCOPE_TIER        cold | warm | hot (default warm)
+  HOLOSCRIPT_AGENT_TICK_MS           daemon tick interval, default 60000
+  HOLOSCRIPT_AGENT_STATE_DIR         where to persist cost state (default ~/.holoscript-agent/cost-state)
+  HOLOSCRIPT_AGENT_SURFACE           label for handoffs / presence (default = handle)
+  HOLOMESH_API_BASE                  default https://mcp.holoscript.net/api/holomesh
+  HOLOSCRIPT_AGENT_COMMIT_RESPONSES  "1" or "true" \u2192 write responses as memos and git-commit them
+  HOLOSCRIPT_AGENT_OUTPUT_DIR        memo output dir (rel to working dir, default "agent-out")
+  HOLOSCRIPT_AGENT_WORKING_DIR       git repo to commit into (default process.cwd())
+  HOLOSCRIPT_AGENT_COMMIT_SCOPE      commit subject scope (default "agent(<handle>)")
+  HOLOSCRIPT_AGENT_LOCAL_LLM_BASE_URL  local-llm provider base URL (default http://localhost:8080)
+`);
+}
+main().catch((err) => {
+  console.error(JSON.stringify({ ts: (/* @__PURE__ */ new Date()).toISOString(), ev: "fatal", message: err instanceof Error ? err.message : String(err) }));
+  process.exit(1);
+});
+//# sourceMappingURL=index.js.map