@ijfw/memory-server 1.3.0

package/src/swarm-config.js

@@ -0,0 +1,80 @@
+// --- swarm.json schema + lazy init ---
+//
+// Knows what specialists belong on a project's swarm. On first use the
+// orchestrator calls loadSwarmConfig(projectDir); the result is written to
+// <projectDir>/.ijfw/swarm.json so the user can customize later.
+//
+// Never writes at require/install time. ESM. Zero external deps.
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+export const SCHEMA = {
+  project_type: 'string',
+  specialists: [{ id: 'string', role: 'string', agent_type: 'string' }],
+};
+
+const BASE = [
+  { id: 'reviewer',    role: 'Code review',      agent_type: 'code-reviewer' },
+  { id: 'reliability', role: 'Silent failures',   agent_type: 'silent-failure-hunter' },
+];
+
+const TESTS_SPECIALIST = { id: 'tests', role: 'Test coverage', agent_type: 'pr-test-analyzer' };
+const TYPES_SPECIALIST = { id: 'types', role: 'Type invariants', agent_type: 'type-design-analyzer' };
+
+export const DEFAULT_SPECIALISTS = {
+  node:   [...BASE, TESTS_SPECIALIST],
+  python: [...BASE, TESTS_SPECIALIST],
+  typed:  [...BASE, TESTS_SPECIALIST, TYPES_SPECIALIST],
+  go:     [...BASE],
+  rust:   [...BASE],
+  other:  [...BASE],
+};
+
+// Detects project type from filesystem signals in projectDir.
+// Returns 'node' | 'python' | 'go' | 'rust' | 'typed' | 'other'.
+export function detectProjectType(projectDir) {
+  const has = (f) => existsSync(join(projectDir, f));
+
+  const isNode   = has('package.json');
+  const isPython = has('pyproject.toml') || has('requirements.txt');
+  const isGo     = has('go.mod');
+  const isRust   = has('Cargo.toml');
+  const isTyped  = has('tsconfig.json');
+
+  // TypeScript takes precedence: typed variant of node (or bare TS project).
+  if (isTyped)   return 'typed';
+  if (isNode)    return 'node';
+  if (isPython)  return 'python';
+  if (isGo)      return 'go';
+  if (isRust)    return 'rust';
+  return 'other';
+}
+
+// Returns a fresh default config object for the given project type.
+function buildDefault(projectType) {
+  const specialists = DEFAULT_SPECIALISTS[projectType] ?? DEFAULT_SPECIALISTS.other;
+  return { project_type: projectType, specialists: specialists.map(s => ({ ...s })) };
+}
+
+// Reads .ijfw/swarm.json if present, otherwise detects type, generates
+// default config, persists it, and returns it.
+export function loadSwarmConfig(projectDir) {
+  const swarmPath = join(projectDir, '.ijfw', 'swarm.json');
+
+  if (existsSync(swarmPath)) {
+    return JSON.parse(readFileSync(swarmPath, 'utf8'));
+  }
+
+  const projectType = detectProjectType(projectDir);
+  const config = buildDefault(projectType);
+
+  const ijfwDir = join(projectDir, '.ijfw');
+  if (!existsSync(ijfwDir)) mkdirSync(ijfwDir, { recursive: true });
+  writeFileSync(swarmPath, JSON.stringify(config, null, 2) + '\n', 'utf8');
+
+  return config;
+}
+
+// Convenience alias used by orchestrator (matches the spec name).
+export const getSwarmConfig = loadSwarmConfig;

package/src/trident/dispatch.js

@@ -0,0 +1,211 @@
+// --- Trident audit dispatcher (C9.7) ---
+//
+// Orchestrates a 3-lens Trident audit with degraded-mode handling:
+//
+//   3/3 live -> full Trident, can produce PASS verdict.
+//   2/3 live -> CONDITIONAL verdict possible; never auto-PASS.
+//   1/3 live -> single-lens degraded; returns WARN/FLAG only. NEVER PASS.
+//   0/3 live -> offline; throws DegradedTridentError unconditionally.
+//
+// Release-blocker gates (publish, tag, deploy) MUST pass `accept_degraded:
+// true` to bypass single-lens guard. Otherwise the dispatcher throws
+// DegradedTridentError so the calling release pipeline halts before doing
+// anything irreversible.
+//
+// The actual lens execution is pluggable via `executor` so tests can stub
+// without spawning real Codex/Gemini/Claude calls. Production executor lives
+// alongside cross-orchestrator.js (existing surface).
+//
+// Zero external deps. ESM. No emoji.
+
+import { probeLenses } from './lens-health.js';
+
+// Custom error so callers can distinguish degraded-rejection from a normal
+// audit failure. Carries the lens-health snapshot for diagnostic output.
+export class DegradedTridentError extends Error {
+  constructor(message, { lensHealth, gate, requested_accept_degraded } = {}) {
+    super(message);
+    this.name = 'DegradedTridentError';
+    this.code = 'TRIDENT_DEGRADED';
+    this.lensHealth = lensHealth || null;
+    this.gate = gate || null;
+    this.requested_accept_degraded = !!requested_accept_degraded;
+  }
+}
+
+// Gates that block on degraded mode unless explicitly overridden.
+// Kept in module scope so callers don't have to memorise the list.
+export const RELEASE_BLOCKER_GATES = new Set([
+  'publish',
+  'tag',
+  'deploy',
+  'release',
+]);
+
+// Severity ordering used to coerce verdicts down. Higher = more severe.
+const VERDICT_RANK = {
+  PASS:        0,
+  CONDITIONAL: 1,
+  WARN:        2,
+  FLAG:        3,
+  FAIL:        4,
+};
+
+function rankOf(v) {
+  if (v == null) return VERDICT_RANK.WARN;
+  const up = String(v).toUpperCase();
+  return VERDICT_RANK[up] != null ? VERDICT_RANK[up] : VERDICT_RANK.WARN;
+}
+
+// Coerce a verdict so it never sits below `floor`. Used to enforce the
+// single-lens NEVER-auto-PASS rule.
+function coerceVerdict(verdict, floor) {
+  const r = rankOf(verdict);
+  const f = rankOf(floor);
+  if (r >= f) return String(verdict || floor).toUpperCase();
+  return String(floor).toUpperCase();
+}
+
+// Default executor for tests / stubs. Production callers pass their own.
+// Receives ({ lens, brief }), returns { verdict, findings, latency_ms }.
+async function defaultExecutor({ lens }) {
+  return {
+    lens,
+    verdict: 'PASS',
+    findings: [],
+    latency_ms: 0,
+    note: 'default-stub-executor',
+  };
+}
+
+// runTrident -- top-level orchestrator.
+//
+//   opts:
+//     brief             -- string, the audit target/prompt. Required.
+//     accept_degraded   -- bool. Default false. If true, single-lens runs
+//                          may return non-PASS verdicts but are still
+//                          flagged with mode 'single-lens-accepted'.
+//     gate              -- string. If in RELEASE_BLOCKER_GATES, degraded
+//                          runs throw unless accept_degraded=true.
+//     executor          -- ({lens,brief}) -> Promise<{verdict, findings, ...}>
+//     probeOpts         -- forwarded to probeLenses (e.g. { fresh: true })
+//     which             -- which lenses to probe (default all three)
+//
+// Returns:
+//     { verdict, mode, live_lenses, dead_lenses, lens_results, lens_health }
+//
+// `mode` values:
+//     'full'                     -- 3/3 live, PASS allowed
+//     'partial'                  -- 2/3 live, CONDITIONAL ceiling
+//     'single-lens-degraded'     -- 1/3 live, WARN ceiling (caller didn't accept)
+//     'single-lens-accepted'     -- 1/3 live, accept_degraded=true, non-PASS verdicts
+//     'offline'                  -- 0/3 live (only reachable when not throwing)
+export async function runTrident(opts = {}) {
+  const {
+    brief,
+    accept_degraded = false,
+    gate = null,
+    executor = defaultExecutor,
+    probeOpts = {},
+    which = { codex: true, gemini: true, claude: true },
+  } = opts;
+
+  if (!brief || typeof brief !== 'string') {
+    throw new Error('runTrident: `brief` (string) is required');
+  }
+
+  // 1. Probe lens health.
+  const lensHealth = await probeLenses(which, probeOpts);
+  const summary = lensHealth.summary || { live_count: 0, total: 0, live_lenses: [], dead_lenses: [], mode: 'offline' };
+  const live = summary.live_lenses;
+  const dead = summary.dead_lenses;
+
+  // 2. Release-blocker gating: degraded + release-blocker + no override -> throw.
+  const isReleaseBlocker = gate && RELEASE_BLOCKER_GATES.has(String(gate).toLowerCase());
+  const isDegraded = summary.live_count <= 1;
+
+  if (isReleaseBlocker && isDegraded && !accept_degraded) {
+    throw new DegradedTridentError(
+      `Trident is degraded (${summary.live_count}/${summary.total} lenses live: ${live.join(', ') || 'none'}). ` +
+      `Release-blocker gate "${gate}" rejects single-lens verdicts. Pass accept_degraded:true to override after human review.`,
+      { lensHealth, gate, requested_accept_degraded: accept_degraded }
+    );
+  }
+
+  // 3. Offline -> always throw, regardless of gate. No lenses = no audit.
+  if (summary.live_count === 0) {
+    throw new DegradedTridentError(
+      'Trident offline: no lenses live. Cannot run audit.',
+      { lensHealth, gate, requested_accept_degraded: accept_degraded }
+    );
+  }
+
+  // 4. Run executor against each live lens in parallel.
+  const lensResults = await Promise.all(
+    live.map(async (lens) => {
+      try {
+        const r = await executor({ lens, brief });
+        return { lens, ok: true, ...r };
+      } catch (err) {
+        return {
+          lens,
+          ok: false,
+          verdict: 'FAIL',
+          findings: [],
+          error: err && err.message ? err.message : String(err),
+        };
+      }
+    })
+  );
+
+  // 5. Determine effective mode + verdict floor.
+  let mode;
+  let floor;
+  if (summary.live_count >= 3) {
+    mode = 'full';
+    floor = 'PASS';
+  } else if (summary.live_count === 2) {
+    mode = 'partial';
+    // 2/3 can return CONDITIONAL at best; PASS is reserved for 3/3.
+    floor = 'CONDITIONAL';
+  } else { // single-lens
+    if (accept_degraded) {
+      mode = 'single-lens-accepted';
+      // Caller accepted reduced confidence. Verdict floor = CONDITIONAL.
+      // PASS is still impossible -- one lens cannot produce 3-lens consensus.
+      floor = 'CONDITIONAL';
+    } else {
+      mode = 'single-lens-degraded';
+      // Hard ceiling: WARN. Never PASS, never CONDITIONAL.
+      floor = 'WARN';
+    }
+  }
+
+  // 6. Aggregate verdict: take the max severity reported by any lens, then
+  //    coerce up to the floor for the current mode.
+  let aggregateVerdict = 'PASS';
+  for (const r of lensResults) {
+    if (rankOf(r.verdict) > rankOf(aggregateVerdict)) {
+      aggregateVerdict = String(r.verdict || 'WARN').toUpperCase();
+    }
+  }
+  const finalVerdict = coerceVerdict(aggregateVerdict, floor);
+
+  return {
+    verdict: finalVerdict,
+    mode,
+    live_lenses: live,
+    dead_lenses: dead,
+    lens_results: lensResults,
+    lens_health: lensHealth,
+    accept_degraded: !!accept_degraded,
+    gate: gate || null,
+  };
+}
+
+// Convenience: surface a one-line health string for narration.
+export function summariseLensHealth(lensHealth) {
+  const s = lensHealth && lensHealth.summary;
+  if (!s) return 'lens health: unknown';
+  return `lens health: ${s.live_count}/${s.total} live (${s.live_lenses.join(', ') || 'none'})`;
+}

package/src/trident/lens-health.js

@@ -0,0 +1,253 @@
+// --- Trident lens-health (C9.7) ---
+//
+// Lightweight liveness probes for the three Trident lineages.
+//
+//   codex  -- runs `codex --version` (no API call, fast).
+//   gemini -- runs `gemini --version`.
+//   claude -- always live: this code IS the Anthropic-lineage caller.
+//
+// Per C9.7 the probe must stay fast and cheap. We never gate on actual API
+// reachability here -- a `--version` exit-0 means the CLI binary is on PATH
+// and responsive. Quota / auth failures surface later in the dispatcher when
+// the lens actually fires.
+//
+// Cache: results are memoised for 60s by default. Callers can force a fresh
+// probe via { fresh: true } or change the TTL via { ttlMs }.
+//
+// Zero external deps. ESM. No emoji. LC_ALL=C.
+
+import { spawn } from 'node:child_process';
+
+// Per-process cache. Reset by tests via _resetCache().
+const _cache = new Map(); // lens id -> { result, ts }
+
+// Default cache TTL (ms). Overridable per-call.
+export const DEFAULT_TTL_MS = 60_000;
+
+// Default per-probe timeout (ms). `--version` for codex returns ~50-100ms;
+// gemini's CLI cold-start can take 400-600ms before printing the version
+// (Node startup + module load). 1500ms covers gemini cold-start with margin
+// while staying ~80x cheaper than an actual audit call. Override per-call
+// via { timeoutMs }.
+export const PROBE_TIMEOUT_MS = 1500;
+
+// Map a lens id to the binary + args used for liveness probing.
+// `--version` is universal across CLI tools; exit 0 means alive.
+const PROBE_COMMAND = {
+  codex:  { bin: 'codex',  args: ['--version'] },
+  gemini: { bin: 'gemini', args: ['--version'] },
+};
+
+// runProbe -- spawn a single probe child process with a hard timeout.
+// Resolves with { live: bool, latency_ms: number, error: string|null }.
+// Never throws; spawn errors / timeouts collapse into { live: false, error }.
+function runProbe(bin, args, timeoutMs) {
+  return new Promise((resolve) => {
+    const t0 = Date.now();
+    let settled = false;
+    const settle = (val) => { if (settled) return; settled = true; resolve(val); };
+
+    let proc;
+    const timer = setTimeout(() => {
+      if (proc) {
+        try { proc.kill('SIGKILL'); } catch { /* ignore */ }
+        try { if (proc.stdout) proc.stdout.destroy(); } catch { /* ignore */ }
+        try { if (proc.stderr) proc.stderr.destroy(); } catch { /* ignore */ }
+      }
+      settle({ live: false, latency_ms: Date.now() - t0, error: 'timeout' });
+    }, timeoutMs);
+
+    try {
+      // LC_ALL=C: deterministic, locale-independent output. We don't read the
+      // version string itself -- we only care about exit 0 -- but pinning the
+      // locale costs nothing and matches the rest of the codebase.
+      proc = spawn(bin, args, {
+        stdio: ['ignore', 'pipe', 'pipe'],
+        env: { ...process.env, LC_ALL: 'C' },
+      });
+    } catch (err) {
+      clearTimeout(timer);
+      settle({ live: false, latency_ms: Date.now() - t0, error: 'spawn_error: ' + (err && err.message ? err.message : String(err)) });
+      return;
+    }
+
+    // Drain stdio so the child doesn't hang on a full pipe.
+    proc.stdout.on('data', () => { /* discard */ });
+    proc.stderr.on('data', () => { /* discard */ });
+
+    proc.on('error', (err) => {
+      clearTimeout(timer);
+      // ENOENT -> binary not on PATH. Treat as not live, not as a probe error.
+      if (err && err.code === 'ENOENT') {
+        settle({ live: false, latency_ms: Date.now() - t0, error: 'not_installed' });
+      } else {
+        settle({ live: false, latency_ms: Date.now() - t0, error: 'spawn_error: ' + (err && err.message ? err.message : String(err)) });
+      }
+    });
+
+    proc.on('close', (code) => {
+      clearTimeout(timer);
+      const latency_ms = Date.now() - t0;
+      if (code === 0) {
+        settle({ live: true, latency_ms, error: null });
+      } else {
+        settle({ live: false, latency_ms, error: `exit_${code}` });
+      }
+    });
+  });
+}
+
+// probeOne -- public single-lens probe with cache.
+//
+//   lens     -- 'codex' | 'gemini' | 'claude'
+//   opts     -- { fresh, ttlMs, timeoutMs }
+//
+// Returns the same shape stored in the cache.
+export async function probeOne(lens, opts = {}) {
+  if (lens === 'claude') {
+    // We ARE the Anthropic lineage. No external probe needed; the dispatcher
+    // is running in this process. Always live.
+    const result = { live: true, latency_ms: 0, error: null, source: 'in_process' };
+    return result;
+  }
+
+  const cmd = PROBE_COMMAND[lens];
+  if (!cmd) {
+    return { live: false, latency_ms: 0, error: 'unknown_lens', source: 'invalid' };
+  }
+
+  const ttlMs = typeof opts.ttlMs === 'number' ? opts.ttlMs : DEFAULT_TTL_MS;
+  const fresh = Boolean(opts.fresh);
+  const timeoutMs = typeof opts.timeoutMs === 'number' ? opts.timeoutMs : PROBE_TIMEOUT_MS;
+  const now = Date.now();
+
+  if (!fresh) {
+    const cached = _cache.get(lens);
+    if (cached && (now - cached.ts) < ttlMs) {
+      return { ...cached.result, source: 'cache', cached_age_ms: now - cached.ts };
+    }
+  }
+
+  const result = await runProbe(cmd.bin, cmd.args, timeoutMs);
+  _cache.set(lens, { result, ts: Date.now() });
+  return { ...result, source: 'probe' };
+}
+
+// probeLenses -- run liveness checks across multiple lenses in parallel.
+//
+//   { codex: bool, gemini: bool, claude: bool }  -- which lenses to probe.
+//   opts is forwarded to probeOne (fresh, ttlMs, timeoutMs).
+//
+// Default: probe all three. Returns:
+//   {
+//     codex:  { live, latency_ms, error, source }    (only if requested)
+//     gemini: { live, latency_ms, error, source }    (only if requested)
+//     claude: { live: true, ... }                    (only if requested)
+//     summary: { live_count, total, live_lenses, dead_lenses, mode }
+//   }
+// where mode is one of: 'full' (3/3), 'partial' (2/3), 'degraded' (1/3),
+// 'offline' (0/3).
+export async function probeLenses(which = { codex: true, gemini: true, claude: true }, opts = {}) {
+  const targets = [];
+  if (which.codex)  targets.push('codex');
+  if (which.gemini) targets.push('gemini');
+  if (which.claude) targets.push('claude');
+
+  const results = await Promise.all(targets.map(t => probeOne(t, opts)));
+
+  const out = {};
+  targets.forEach((t, i) => { out[t] = results[i]; });
+
+  const live_lenses = targets.filter((t) => out[t] && out[t].live);
+  const dead_lenses = targets.filter((t) => !(out[t] && out[t].live));
+  const mode = computeMode(live_lenses.length, targets.length);
+
+  out.summary = {
+    live_count: live_lenses.length,
+    total: targets.length,
+    live_lenses,
+    dead_lenses,
+    mode,
+    probed_at: Date.now(),
+  };
+  return out;
+}
+
+// Mode classifier. Used by dashboard tile + dispatcher gating.
+function computeMode(live, total) {
+  if (live === total && total >= 3) return 'full';
+  if (live === total && total === 2) return 'partial';
+  if (live === total && total === 1) return 'degraded';
+  if (live === 0) return 'offline';
+  if (live >= 2) return 'partial';
+  if (live === 1) return 'degraded';
+  return 'offline';
+}
+
+// Health-tile shape: per-lens last-probe, plus an alert flag if any lens
+// has been dead for longer than alertThresholdMs (default 24h).
+export function healthTileShape(probeResult, opts = {}) {
+  const alertThresholdMs = typeof opts.alertThresholdMs === 'number'
+    ? opts.alertThresholdMs
+    : 24 * 60 * 60 * 1000; // 24h
+  const now = Date.now();
+
+  const lenses = ['codex', 'gemini', 'claude'].filter(l => probeResult[l]);
+  const tile = {
+    mode: probeResult.summary && probeResult.summary.mode,
+    live_count: probeResult.summary && probeResult.summary.live_count,
+    total: probeResult.summary && probeResult.summary.total,
+    lenses: {},
+    alert: false,
+    alert_reason: null,
+  };
+
+  // Track dead-since timestamps in cache so we can compute duration.
+  for (const l of lenses) {
+    const r = probeResult[l];
+    const live = !!(r && r.live);
+    const deadSince = _deadSinceTracker.get(l);
+
+    if (!live) {
+      if (!deadSince) {
+        _deadSinceTracker.set(l, now);
+      }
+      const since = _deadSinceTracker.get(l);
+      const duration_ms = now - since;
+      tile.lenses[l] = {
+        live: false,
+        latency_ms: r ? r.latency_ms : null,
+        error: r ? r.error : null,
+        dead_since_ms: since,
+        dead_for_ms: duration_ms,
+      };
+      if (duration_ms >= alertThresholdMs) {
+        tile.alert = true;
+        tile.alert_reason = `${l} dead for ${Math.floor(duration_ms / 3_600_000)}h`;
+      }
+    } else {
+      _deadSinceTracker.delete(l);
+      tile.lenses[l] = {
+        live: true,
+        latency_ms: r.latency_ms,
+        error: null,
+      };
+    }
+  }
+  return tile;
+}
+
+// Outage-duration tracker: lens id -> first-seen-dead timestamp.
+const _deadSinceTracker = new Map();
+
+// Test hooks. Not part of the stable API.
+export function _resetCache() {
+  _cache.clear();
+  _deadSinceTracker.clear();
+}
+export function _setCache(lens, result, ts = Date.now()) {
+  _cache.set(lens, { result, ts });
+}
+export function _setDeadSince(lens, ts) {
+  _deadSinceTracker.set(lens, ts);
+}

package/src/update-apply.js

@@ -0,0 +1,79 @@
+// MCP tool: ijfw_update_apply
+//
+// Does NOT execute the update. Validates the token, writes (or overwrites)
+// the pending sentinel, returns instruction telling the user to run the
+// terminal-side confirm command. Idempotent against a matching sentinel
+// already written by ijfw_update_check -- the sentinel + token are the
+// same artifact, so re-writing with the same values is a no-op.
+// Air-gaps the MCP path from actual code execution -- per v3 sec 16 blocker fix.
+
+import { validateToken, writePendingSentinel } from './lib/token.js';
+import { isVersionStringValid } from './lib/npm-view.js';
+
+export function ijfwUpdateApply(args = {}) {
+  const { target_version, confirmation_token } = args || {};
+  const sessionId = args.session_id || process.env.IJFW_SESSION_ID || 'default-session';
+
+  if (!target_version || !isVersionStringValid(target_version)) {
+    return {
+      status: 'error',
+      message: 'target_version is required and must be a valid semver string',
+    };
+  }
+  if (!confirmation_token || typeof confirmation_token !== 'string') {
+    return {
+      status: 'error',
+      message:
+        'confirmation_token is required. Run ijfw_update_check first to receive a token, then ' +
+        "the user must run 'ijfw update --confirm <token>' in their TERMINAL to proceed.",
+    };
+  }
+
+  const v = validateToken(sessionId, confirmation_token);
+  if (!v.ok) {
+    return {
+      status: 'error',
+      reason: v.error,
+      message:
+        v.error === 'expired' ? 'Token expired. Re-run ijfw_update_check to issue a fresh one.' :
+        v.error === 'mismatch' ? 'Token mismatch. The token must match the one issued by the most recent ijfw_update_check.' :
+        v.error === 'already-consumed' ? 'Token already consumed -- the update either ran or was attempted.' :
+        'No active token. Run ijfw_update_check first.',
+    };
+  }
+  if (v.target_version !== target_version) {
+    return {
+      status: 'error',
+      reason: 'target-mismatch',
+      message: `Token was issued for v${v.target_version}, not v${target_version}. Re-run ijfw_update_check.`,
+    };
+  }
+
+  const path = writePendingSentinel(sessionId, target_version, confirmation_token);
+
+  return {
+    status: 'pending_user_confirmation',
+    target_version,
+    sentinel_path: path,
+    instruction:
+      `Run in your TERMINAL: ijfw update --confirm ${confirmation_token}\n` +
+      `This MCP tool cannot execute the update -- only a terminal command can.`,
+  };
+}
+
+export const TOOL_DEF = {
+  name: 'ijfw_update_apply',
+  description:
+    'Stage an IJFW update behind out-of-band terminal confirmation. Writes a pending sentinel; ' +
+    "actual update only runs when the user types 'ijfw update --confirm <token>' in their terminal. " +
+    'This MCP tool NEVER executes the update directly.',
+  inputSchema: {
+    type: 'object',
+    required: ['target_version', 'confirmation_token'],
+    properties: {
+      target_version: { type: 'string', description: 'Target semver to install' },
+      confirmation_token: { type: 'string', description: 'Token from ijfw_update_check' },
+      session_id: { type: 'string', description: 'Session ID for token scoping (optional)' },
+    },
+  },
+};