@kleroterion/koine 0.0.1

package/README.md

@@ -0,0 +1,32 @@
+# Koine
+
+> *The common tongue.* Shared building blocks for [Boule](https://github.com/kleroterionlabs/boule) and [Praktor](https://github.com/kleroterionlabs/praktor).
+
+**Koine** (Greek κοινή, "the common [dialect]" — the shared standard Greek everyone spoke) is the library both Kleroterion tools depend on, so the contract between them can never drift. Boule writes the artifacts; Praktor reads them; **koine** is the single definition they share.
+
+## What it provides
+
+| Module | Exports |
+|---|---|
+| **taxonomy** | `ISSUE_TYPE_NAMES`, `kindLabel`, `STATUS_LABELS`, `PRIORITY_LABELS`, `OPERATIONAL_LABELS`, `PRAKTOR_LABELS`, `PROJECT_FIELDS`, `STATUS_OPTIONS`, `DISCUSSION_CATEGORIES`, `allBootstrapLabels()` — the GitHub label/field contract |
+| **identity** | `bouleId`, `contentHash`, `idLabel`, `parseBouleBlock`/`renderBouleBlock`/`withBouleBlock`/`stripBouleBlock`, `parseVerifies` — the `boule:v1` block + content addressing |
+| **github** | `createGitHubClient` (octokit + throttling + retry/backoff), `mintToken` (PAT or GitHub App), `AuthConfig`/`GitHubAuth` |
+| **agent** | `runQuery` — the resilient Claude Agent SDK run-loop (survives subprocess teardown noise) |
+| **security** | `cleanOutbound`, `scrubSecrets`, `sanitizeMentions` — redact credentials + neutralize @-mentions before anything reaches GitHub |
+| **observability** | `createLogger` — structured pino logging with credential redaction |
+
+## Design notes
+
+- **Identity-agnostic.** koine never reads `process.env`. Each tool resolves its *own* credentials (Boule's App, Praktor's App) into an `AuthConfig` and passes it to `createGitHubClient`.
+- **On-wire strings are stable.** Label values stay `boule:*` / `kind:*` / `status:*` — they're the format already on live GitHub issues. koine is their code home, not a rename.
+- `@anthropic-ai/claude-agent-sdk` is a **peer dependency** — the consuming tool owns the version.
+
+## Usage
+
+```ts
+import { createGitHubClient, parseBouleBlock, kindLabel, runQuery } from "@kleroterion/koine";
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,157 @@
+import { Octokit } from '@octokit/rest';
+import { Logger } from 'pino';
+export { Logger } from 'pino';
+import { Options } from '@anthropic-ai/claude-agent-sdk';
+
+type ArtifactKind = "design" | "requirement" | "competitor" | "market" | "gap" | "epic" | "feature" | "task" | "spike";
+/** Content-addressable fingerprint of an artifact body (e.g. "sha256:abcd1234..."). */
+type Fingerprint = string;
+
+declare const ISSUE_TYPE_NAMES: {
+    readonly design: "Design";
+    readonly requirement: "Requirement";
+    readonly competitor: "Competitor";
+    readonly market: "Market";
+    readonly gap: "Gap";
+    readonly epic: "Epic";
+    readonly feature: "Feature";
+    readonly task: "Task";
+    readonly spike: "Spike";
+};
+/** Fallback kind label used when native Issue Types are unavailable. */
+declare const kindLabel: (kind: ArtifactKind) => string;
+declare const OPERATIONAL_LABELS: {
+    readonly managed: "boule:managed";
+    readonly needsHuman: "boule:needs-human";
+    readonly superseded: "boule:superseded";
+    /** Kill-switch: an OPEN issue carrying this label halts all autonomous writes. */
+    readonly halt: "boule:halt";
+};
+/** An artifact's ACCEPTANCE lifecycle, carried on the Issue as a label. */
+declare const STATUS_LABELS: readonly ["status:draft", "status:needs-review", "status:accepted", "status:superseded"];
+type StatusLabel = (typeof STATUS_LABELS)[number];
+declare const PRIORITY_LABELS: readonly ["priority:must", "priority:should", "priority:could", "priority:wont"];
+/** Praktor's own progress labels — namespaced so they never collide with Boule's lifecycle. */
+declare const PRAKTOR_LABELS: {
+    readonly inProgress: "praktor:in-progress";
+    readonly done: "praktor:done";
+    readonly blocked: "praktor:blocked";
+};
+/** Projects v2 custom field names (canonical keys for field values). */
+declare const PROJECT_FIELDS: {
+    readonly status: "Status";
+    readonly kind: "Kind";
+    readonly priority: "Priority";
+    readonly rice: "RICE";
+    readonly wsjf: "WSJF";
+    readonly moscow: "MoSCoW";
+    readonly iteration: "Iteration";
+};
+/** Projects v2 Status column options (the board workflow state). */
+declare const STATUS_OPTIONS: readonly ["Triage", "In Design", "In Review", "Ready", "In Progress", "Blocked", "Done"];
+declare const DISCUSSION_CATEGORIES: {
+    readonly dailyStatus: "Daily Status";
+    readonly handoff: "Agent Handoffs";
+    readonly designReview: "Design Review";
+};
+/** Every repo label the tools bootstrap (kinds + operational + status + priority). */
+declare function allBootstrapLabels(): string[];
+
+interface BouleBlock {
+    kind: ArtifactKind;
+    bouleId: string;
+    contentHash: Fingerprint;
+    parent?: string;
+    runId?: string;
+    generatedBy?: string;
+}
+/** Stable, content-independent slug. Same natural key ⇒ same id (NOT random). */
+declare function bouleId(kind: ArtifactKind, naturalKey: string): string;
+/** sha256 over the normalized semantic body, EXCLUDING any boule block. */
+declare function contentHash(body: string): Fingerprint;
+/** A unique, deterministic dedup label (hashed to stay under GitHub's 50-char label limit). */
+declare function idLabel(id: string): string;
+declare function renderBouleBlock(b: BouleBlock): string;
+/** Append the block to a body, recomputing the hash over the body sans-block. */
+declare function withBouleBlock(body: string, meta: Omit<BouleBlock, "contentHash">): string;
+declare function parseBouleBlock(body: string): BouleBlock | null;
+declare function stripBouleBlock(body: string): string;
+/** Requirement issue numbers referenced by a `Verifies: #110, #112` link line (Task → Requirement). */
+declare function parseVerifies(body: string): number[];
+
+interface ScrubResult {
+    clean: string;
+    found: string[];
+}
+/** Replace any credential-looking substrings with `[REDACTED:<kind>]`; report the kinds found. */
+declare function scrubSecrets(text: string): ScrubResult;
+
+interface MentionResult {
+    clean: string;
+    stripped: string[];
+}
+declare function sanitizeMentions(text: string): MentionResult;
+
+interface Outbound {
+    clean: string;
+    secrets: string[];
+    mentions: string[];
+}
+declare function cleanOutbound(text: string): Outbound;
+
+type GitHubAuth = {
+    kind: "pat";
+    token: string;
+} | {
+    kind: "app";
+    appId: string;
+    installationId: string;
+    privateKey: string;
+};
+interface AuthConfig {
+    github: GitHubAuth;
+}
+/** Decode a base64-or-PEM private key (CI usually stores a single-line base64 blob). */
+declare function decodePrivateKey(raw: string): string;
+/** Mint a usable token: a PAT passes through; an App mints a short-lived installation token. */
+declare function mintToken(auth: GitHubAuth): Promise<string>;
+
+type OpKind = "read" | "write";
+interface GitHubClient {
+    rest: Octokit;
+    /** Run a REST call through the retry/backoff gate. */
+    withRest<T>(op: OpKind, fn: (o: Octokit) => Promise<T>): Promise<T>;
+    /** Run a GraphQL document through the gate. */
+    graphql<T = unknown>(op: OpKind, query: string, vars?: Record<string, unknown>): Promise<T>;
+}
+interface ClientOptions {
+    maxRetries?: number;
+}
+declare function createGitHubClient(auth: AuthConfig, log: Logger, opts?: ClientOptions): Promise<GitHubClient>;
+
+type StopReason = "success" | "error_max_turns" | "error_max_budget_usd" | "error_during_execution";
+interface RunOutcome {
+    ok: boolean;
+    stopReason: StopReason;
+    sessionId: string;
+    numTurns: number;
+    costUsd: number;
+    modelUsage: Record<string, unknown>;
+    errors: string[];
+}
+interface RunHooks {
+    log: Logger;
+    /** Called once with the SDK session id (at init) — e.g. to checkpoint for resume. */
+    onSession?: (sessionId: string) => void;
+}
+/** Drive one query() to completion, returning a normalized outcome. Never throws on transport noise. */
+declare function runQuery(prompt: string, options: Options, hooks: RunHooks): Promise<RunOutcome>;
+
+interface LoggerOptions {
+    level?: string;
+    service?: string;
+    runId?: string;
+}
+declare function createLogger(opts?: LoggerOptions): Logger;
+
+export { type ArtifactKind, type AuthConfig, type BouleBlock, type ClientOptions, DISCUSSION_CATEGORIES, type Fingerprint, type GitHubAuth, type GitHubClient, ISSUE_TYPE_NAMES, type LoggerOptions, type MentionResult, OPERATIONAL_LABELS, type Outbound, PRAKTOR_LABELS, PRIORITY_LABELS, PROJECT_FIELDS, type RunHooks, type RunOutcome, STATUS_LABELS, STATUS_OPTIONS, type ScrubResult, type StatusLabel, type StopReason, allBootstrapLabels, bouleId, cleanOutbound, contentHash, createGitHubClient, createLogger, decodePrivateKey, idLabel, kindLabel, mintToken, parseBouleBlock, parseVerifies, renderBouleBlock, runQuery, sanitizeMentions, scrubSecrets, stripBouleBlock, withBouleBlock };

package/dist/index.js

@@ -0,0 +1,355 @@
+// src/taxonomy.ts
+var ISSUE_TYPE_NAMES = {
+  design: "Design",
+  requirement: "Requirement",
+  competitor: "Competitor",
+  market: "Market",
+  gap: "Gap",
+  epic: "Epic",
+  feature: "Feature",
+  task: "Task",
+  spike: "Spike"
+};
+var kindLabel = (kind) => `kind:${kind}`;
+var OPERATIONAL_LABELS = {
+  managed: "boule:managed",
+  needsHuman: "boule:needs-human",
+  superseded: "boule:superseded",
+  /** Kill-switch: an OPEN issue carrying this label halts all autonomous writes. */
+  halt: "boule:halt"
+};
+var STATUS_LABELS = [
+  "status:draft",
+  "status:needs-review",
+  "status:accepted",
+  "status:superseded"
+];
+var PRIORITY_LABELS = [
+  "priority:must",
+  "priority:should",
+  "priority:could",
+  "priority:wont"
+];
+var PRAKTOR_LABELS = {
+  inProgress: "praktor:in-progress",
+  done: "praktor:done",
+  blocked: "praktor:blocked"
+};
+var PROJECT_FIELDS = {
+  status: "Status",
+  kind: "Kind",
+  priority: "Priority",
+  rice: "RICE",
+  wsjf: "WSJF",
+  moscow: "MoSCoW",
+  iteration: "Iteration"
+};
+var STATUS_OPTIONS = [
+  "Triage",
+  "In Design",
+  "In Review",
+  "Ready",
+  "In Progress",
+  "Blocked",
+  "Done"
+];
+var DISCUSSION_CATEGORIES = {
+  dailyStatus: "Daily Status",
+  handoff: "Agent Handoffs",
+  designReview: "Design Review"
+};
+function allBootstrapLabels() {
+  const kinds = Object.keys(ISSUE_TYPE_NAMES);
+  return [
+    ...kinds.map(kindLabel),
+    ...Object.values(OPERATIONAL_LABELS),
+    ...STATUS_LABELS,
+    ...PRIORITY_LABELS
+  ];
+}
+
+// src/identity.ts
+import { createHash } from "crypto";
+var BOULE_BEGIN = "<!-- boule:v1";
+var BOULE_END = "-->";
+function bouleId(kind, naturalKey) {
+  const slug = naturalKey.toLowerCase().normalize("NFKD").replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
+  return `${kind}:${slug}`;
+}
+function contentHash(body) {
+  const normalized = stripBouleBlock(body).replace(/\r\n/g, "\n").replace(/[ \t]+$/gm, "").trim();
+  const hex = createHash("sha256").update(normalized, "utf8").digest("hex");
+  return `sha256:${hex.slice(0, 16)}`;
+}
+function idLabel(id) {
+  const hex = createHash("sha256").update(id, "utf8").digest("hex");
+  return `boule-id-${hex.slice(0, 12)}`;
+}
+function renderBouleBlock(b) {
+  return [
+    BOULE_BEGIN,
+    `kind: ${b.kind}`,
+    `boule-id: ${b.bouleId}`,
+    `content-hash: ${b.contentHash}`,
+    b.parent ? `parent: ${b.parent}` : "parent:",
+    b.runId ? `run-id: ${b.runId}` : null,
+    b.generatedBy ? `generated-by: ${b.generatedBy}` : null,
+    BOULE_END
+  ].filter((l) => l !== null).join("\n");
+}
+function withBouleBlock(body, meta) {
+  const clean = stripBouleBlock(body).trimEnd();
+  const block = renderBouleBlock({ ...meta, contentHash: contentHash(clean) });
+  return `${clean}
+
+${block}
+`;
+}
+function parseBouleBlock(body) {
+  const start = body.indexOf(BOULE_BEGIN);
+  if (start === -1) return null;
+  const end = body.indexOf(BOULE_END, start);
+  if (end === -1) return null;
+  const inner = body.slice(start + BOULE_BEGIN.length, end);
+  const get = (k) => {
+    const m = inner.match(new RegExp(`^${k}:\\s*(.+)$`, "m"));
+    return m?.[1]?.trim() || void 0;
+  };
+  const kind = get("kind");
+  const id = get("boule-id");
+  const hash = get("content-hash");
+  if (!kind || !id || !hash) return null;
+  return {
+    kind,
+    bouleId: id,
+    contentHash: hash,
+    parent: get("parent"),
+    runId: get("run-id"),
+    generatedBy: get("generated-by")
+  };
+}
+function stripBouleBlock(body) {
+  const start = body.indexOf(BOULE_BEGIN);
+  if (start === -1) return body;
+  const end = body.indexOf(BOULE_END, start);
+  if (end === -1) return body;
+  return body.slice(0, start) + body.slice(end + BOULE_END.length);
+}
+function parseVerifies(body) {
+  const m = body.match(/^\s*Verifies:\s*(.+)$/im);
+  if (!m?.[1]) return [];
+  return [...m[1].matchAll(/#(\d+)/g)].map((x) => Number(x[1])).filter((n) => Number.isInteger(n));
+}
+
+// src/security/secrets.ts
+var PATTERNS = [
+  { name: "github-token", re: /\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b/g },
+  { name: "anthropic-key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
+  { name: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/g },
+  { name: "private-key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
+  { name: "openai-key", re: /\bsk-[A-Za-z0-9]{32,}\b/g }
+];
+function scrubSecrets(text) {
+  let clean = text;
+  const found = /* @__PURE__ */ new Set();
+  for (const { name, re } of PATTERNS) {
+    clean = clean.replace(re, () => {
+      found.add(name);
+      return `[REDACTED:${name}]`;
+    });
+  }
+  return { clean, found: [...found] };
+}
+
+// src/security/mentions.ts
+var MENTION_RE = /(^|[^A-Za-z0-9_`@/])@([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)\b/g;
+function sanitizeMentions(text) {
+  const stripped = [];
+  const clean = text.replace(MENTION_RE, (_m, pre, handle) => {
+    stripped.push(handle);
+    return `${pre}\`@${handle}\``;
+  });
+  return { clean, stripped };
+}
+
+// src/security/outbound.ts
+function cleanOutbound(text) {
+  const s = scrubSecrets(text);
+  const m = sanitizeMentions(s.clean);
+  return { clean: m.clean, secrets: s.found, mentions: m.stripped };
+}
+
+// src/github/auth.ts
+import { createAppAuth } from "@octokit/auth-app";
+function decodePrivateKey(raw) {
+  const v = raw.trim();
+  if (v.includes("BEGIN") && v.includes("PRIVATE KEY")) return v;
+  try {
+    return Buffer.from(v, "base64").toString("utf8");
+  } catch {
+    return v;
+  }
+}
+async function mintToken(auth) {
+  if (auth.kind === "pat") return auth.token;
+  const appAuth = createAppAuth({
+    appId: auth.appId,
+    privateKey: auth.privateKey,
+    installationId: Number(auth.installationId)
+  });
+  const { token } = await appAuth({ type: "installation" });
+  return token;
+}
+
+// src/github/client.ts
+import { graphql as octokitGraphql } from "@octokit/graphql";
+import { throttling } from "@octokit/plugin-throttling";
+import { Octokit } from "@octokit/rest";
+import pRetry, { AbortError } from "p-retry";
+var ThrottledOctokit = Octokit.plugin(throttling);
+var sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+var jitter = (ms) => ms * (0.5 + Math.random());
+function classifyWait(err, attempt) {
+  const e = err;
+  const status = e.status ?? e.response?.status;
+  const headers = e.response?.headers ?? {};
+  if (status === 403 || status === 429) {
+    const ra = Number(headers["retry-after"]);
+    if (Number.isFinite(ra)) return ra * 1e3;
+    const reset = Number(headers["x-ratelimit-reset"]);
+    if (Number.isFinite(reset)) return Math.max(0, reset * 1e3 - Date.now());
+    return Math.max(6e4, jitter(2 ** attempt * 1e3));
+  }
+  if (status && status >= 500) return jitter(2 ** attempt * 500);
+  throw new AbortError(err);
+}
+async function createGitHubClient(auth, log, opts = {}) {
+  const token = await mintToken(auth.github);
+  const rest = new ThrottledOctokit({
+    auth: token,
+    throttle: {
+      onRateLimit: (after, _o, _ok, retryCount) => {
+        log.warn({ after, retryCount }, "primary rate limit");
+        return retryCount < 3;
+      },
+      onSecondaryRateLimit: (after) => {
+        log.warn({ after }, "secondary rate limit; honoring retry-after");
+        return true;
+      }
+    }
+  });
+  const gql = octokitGraphql.defaults({
+    headers: {
+      authorization: `token ${token}`,
+      "GraphQL-Features": "issue_types,sub_issues"
+    }
+  });
+  const run = (_op, task) => pRetry(
+    async (attempt) => {
+      try {
+        return await task();
+      } catch (err) {
+        await sleep(classifyWait(err, attempt));
+        throw err;
+      }
+    },
+    { retries: opts.maxRetries ?? 6, minTimeout: 1e3, factor: 2 }
+  );
+  return {
+    rest,
+    withRest: (op, fn) => run(op, () => fn(rest)),
+    graphql: (op, query2, vars) => run(op, () => gql(query2, vars))
+  };
+}
+
+// src/agent/run.ts
+import { query } from "@anthropic-ai/claude-agent-sdk";
+function stopReasonOf(subtype) {
+  if (subtype === "success") return "success";
+  if (subtype === "error_max_turns") return "error_max_turns";
+  if (subtype === "error_max_budget_usd") return "error_max_budget_usd";
+  return "error_during_execution";
+}
+async function runQuery(prompt, options, hooks) {
+  const { log } = hooks;
+  let stopReason = "error_during_execution";
+  let numTurns = 0;
+  let costUsd = 0;
+  let sessionId = "";
+  let modelUsage = {};
+  const errors = [];
+  let gotResult = false;
+  try {
+    for await (const msg of query({ prompt, options })) {
+      if (msg.type === "system" && msg.subtype === "init") {
+        sessionId = msg.session_id;
+        log.info({ sessionId }, "agent run started");
+        hooks.onSession?.(sessionId);
+      }
+      if (msg.type === "result") {
+        stopReason = stopReasonOf(msg.subtype);
+        numTurns = msg.num_turns;
+        costUsd = msg.total_cost_usd;
+        modelUsage = msg.modelUsage ?? {};
+        if (msg.subtype !== "success") errors.push(...msg.errors ?? []);
+        gotResult = true;
+        log.info({ stopReason, costUsd, numTurns }, "agent run finished");
+      }
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    if (gotResult) {
+      log.warn({ err: message }, "agent transport error after result; keeping captured outcome");
+    } else {
+      log.error({ err: message }, "agent run failed before producing a result");
+      errors.push(message);
+      stopReason = "error_during_execution";
+    }
+  }
+  return { ok: stopReason === "success", stopReason, sessionId, numTurns, costUsd, modelUsage, errors };
+}
+
+// src/observability/logger.ts
+import pino from "pino";
+function createLogger(opts = {}) {
+  const base = pino({
+    level: opts.level ?? "info",
+    redact: {
+      paths: ["token", "privateKey", "*.token", "*.privateKey", "headers.authorization"],
+      censor: "[redacted]"
+    }
+  });
+  const bindings = {};
+  if (opts.service) bindings.service = opts.service;
+  if (opts.runId) bindings.runId = opts.runId;
+  return Object.keys(bindings).length ? base.child(bindings) : base;
+}
+export {
+  DISCUSSION_CATEGORIES,
+  ISSUE_TYPE_NAMES,
+  OPERATIONAL_LABELS,
+  PRAKTOR_LABELS,
+  PRIORITY_LABELS,
+  PROJECT_FIELDS,
+  STATUS_LABELS,
+  STATUS_OPTIONS,
+  allBootstrapLabels,
+  bouleId,
+  cleanOutbound,
+  contentHash,
+  createGitHubClient,
+  createLogger,
+  decodePrivateKey,
+  idLabel,
+  kindLabel,
+  mintToken,
+  parseBouleBlock,
+  parseVerifies,
+  renderBouleBlock,
+  runQuery,
+  sanitizeMentions,
+  scrubSecrets,
+  stripBouleBlock,
+  withBouleBlock
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/taxonomy.ts","../src/identity.ts","../src/security/secrets.ts","../src/security/mentions.ts","../src/security/outbound.ts","../src/github/auth.ts","../src/github/client.ts","../src/agent/run.ts","../src/observability/logger.ts"],"sourcesContent":["// src/taxonomy.ts — THE shared label/field contract written to GitHub. Boule produces it; Praktor reads\n// it; both import it here so it can never drift. The string VALUES are the on-wire format (already on\n// live issues) — change them only with a migration.\nimport type { ArtifactKind } from \"./types.js\";\n\nexport const ISSUE_TYPE_NAMES = {\n  design: \"Design\",\n  requirement: \"Requirement\",\n  competitor: \"Competitor\",\n  market: \"Market\",\n  gap: \"Gap\",\n  epic: \"Epic\",\n  feature: \"Feature\",\n  task: \"Task\",\n  spike: \"Spike\",\n} as const;\n\n/** Fallback kind label used when native Issue Types are unavailable. */\nexport const kindLabel = (kind: ArtifactKind): string => `kind:${kind}`;\n\nexport const OPERATIONAL_LABELS = {\n  managed: \"boule:managed\",\n  needsHuman: \"boule:needs-human\",\n  superseded: \"boule:superseded\",\n  /** Kill-switch: an OPEN issue carrying this label halts all autonomous writes. */\n  halt: \"boule:halt\",\n} as const;\n\n/** An artifact's ACCEPTANCE lifecycle, carried on the Issue as a label. */\nexport const STATUS_LABELS = [\n  \"status:draft\",\n  \"status:needs-review\",\n  \"status:accepted\",\n  \"status:superseded\",\n] as const;\nexport type StatusLabel = (typeof STATUS_LABELS)[number];\n\nexport const PRIORITY_LABELS = [\n  \"priority:must\",\n  \"priority:should\",\n  \"priority:could\",\n  \"priority:wont\",\n] as const;\n\n/** Praktor's own progress labels — namespaced so they never collide with Boule's lifecycle. */\nexport const PRAKTOR_LABELS = {\n  inProgress: \"praktor:in-progress\",\n  done: \"praktor:done\",\n  blocked: \"praktor:blocked\",\n} as const;\n\n/** Projects v2 custom field names (canonical keys for field values). */\nexport const PROJECT_FIELDS = {\n  status: \"Status\",\n  kind: \"Kind\",\n  priority: \"Priority\",\n  rice: \"RICE\",\n  wsjf: \"WSJF\",\n  moscow: \"MoSCoW\",\n  iteration: \"Iteration\",\n} as const;\n\n/** Projects v2 Status column options (the board workflow state). */\nexport const STATUS_OPTIONS = [\n  \"Triage\",\n  \"In Design\",\n  \"In Review\",\n  \"Ready\",\n  \"In Progress\",\n  \"Blocked\",\n  \"Done\",\n] as const;\n\nexport const DISCUSSION_CATEGORIES = {\n  dailyStatus: \"Daily Status\",\n  handoff: \"Agent Handoffs\",\n  designReview: \"Design Review\",\n} as const;\n\n/** Every repo label the tools bootstrap (kinds + operational + status + priority). */\nexport function allBootstrapLabels(): string[] {\n  const kinds = Object.keys(ISSUE_TYPE_NAMES) as ArtifactKind[];\n  return [\n    ...kinds.map(kindLabel),\n    ...Object.values(OPERATIONAL_LABELS),\n    ...STATUS_LABELS,\n    ...PRIORITY_LABELS,\n  ];\n}\n","// src/identity.ts — the boule:v1 identity block + content addressing. The crux of safe autonomy:\n// pure, deterministic, network-free. Same logical work ⇒ same id ⇒ idempotent re-runs.\nimport { createHash } from \"node:crypto\";\nimport type { ArtifactKind, Fingerprint } from \"./types.js\";\n\nconst BOULE_BEGIN = \"<!-- boule:v1\";\nconst BOULE_END = \"-->\";\n\nexport interface BouleBlock {\n  kind: ArtifactKind;\n  bouleId: string;\n  contentHash: Fingerprint;\n  parent?: string;\n  runId?: string;\n  generatedBy?: string;\n}\n\n/** Stable, content-independent slug. Same natural key ⇒ same id (NOT random). */\nexport function bouleId(kind: ArtifactKind, naturalKey: string): string {\n  const slug = naturalKey\n    .toLowerCase()\n    .normalize(\"NFKD\")\n    .replace(/[^a-z0-9]+/g, \"-\")\n    .replace(/^-+|-+$/g, \"\")\n    .slice(0, 64);\n  return `${kind}:${slug}`;\n}\n\n/** sha256 over the normalized semantic body, EXCLUDING any boule block. */\nexport function contentHash(body: string): Fingerprint {\n  const normalized = stripBouleBlock(body)\n    .replace(/\\r\\n/g, \"\\n\")\n    .replace(/[ \\t]+$/gm, \"\")\n    .trim();\n  const hex = createHash(\"sha256\").update(normalized, \"utf8\").digest(\"hex\");\n  return `sha256:${hex.slice(0, 16)}`;\n}\n\n/** A unique, deterministic dedup label (hashed to stay under GitHub's 50-char label limit). */\nexport function idLabel(id: string): string {\n  const hex = createHash(\"sha256\").update(id, \"utf8\").digest(\"hex\");\n  return `boule-id-${hex.slice(0, 12)}`;\n}\n\nexport function renderBouleBlock(b: BouleBlock): string {\n  return [\n    BOULE_BEGIN,\n    `kind: ${b.kind}`,\n    `boule-id: ${b.bouleId}`,\n    `content-hash: ${b.contentHash}`,\n    b.parent ? `parent: ${b.parent}` : \"parent:\",\n    b.runId ? `run-id: ${b.runId}` : null,\n    b.generatedBy ? `generated-by: ${b.generatedBy}` : null,\n    BOULE_END,\n  ]\n    .filter((l): l is string => l !== null)\n    .join(\"\\n\");\n}\n\n/** Append the block to a body, recomputing the hash over the body sans-block. */\nexport function withBouleBlock(body: string, meta: Omit<BouleBlock, \"contentHash\">): string {\n  const clean = stripBouleBlock(body).trimEnd();\n  const block = renderBouleBlock({ ...meta, contentHash: contentHash(clean) });\n  return `${clean}\\n\\n${block}\\n`;\n}\n\nexport function parseBouleBlock(body: string): BouleBlock | null {\n  const start = body.indexOf(BOULE_BEGIN);\n  if (start === -1) return null;\n  const end = body.indexOf(BOULE_END, start);\n  if (end === -1) return null;\n  const inner = body.slice(start + BOULE_BEGIN.length, end);\n  const get = (k: string): string | undefined => {\n    const m = inner.match(new RegExp(`^${k}:\\\\s*(.+)$`, \"m\"));\n    return m?.[1]?.trim() || undefined;\n  };\n  const kind = get(\"kind\") as ArtifactKind | undefined;\n  const id = get(\"boule-id\");\n  const hash = get(\"content-hash\");\n  if (!kind || !id || !hash) return null;\n  return {\n    kind,\n    bouleId: id,\n    contentHash: hash,\n    parent: get(\"parent\"),\n    runId: get(\"run-id\"),\n    generatedBy: get(\"generated-by\"),\n  };\n}\n\nexport function stripBouleBlock(body: string): string {\n  const start = body.indexOf(BOULE_BEGIN);\n  if (start === -1) return body;\n  const end = body.indexOf(BOULE_END, start);\n  if (end === -1) return body;\n  return body.slice(0, start) + body.slice(end + BOULE_END.length);\n}\n\n/** Requirement issue numbers referenced by a `Verifies: #110, #112` link line (Task → Requirement). */\nexport function parseVerifies(body: string): number[] {\n  const m = body.match(/^\\s*Verifies:\\s*(.+)$/im);\n  if (!m?.[1]) return [];\n  return [...m[1].matchAll(/#(\\d+)/g)].map((x) => Number(x[1])).filter((n) => Number.isInteger(n));\n}\n","// src/security/secrets.ts — last-line defense: redact credential-looking strings before any\n// agent-authored text reaches GitHub (a public issue/discussion/PR must never leak a token).\nconst PATTERNS: ReadonlyArray<{ name: string; re: RegExp }> = [\n  { name: \"github-token\", re: /\\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\\b/g },\n  { name: \"anthropic-key\", re: /\\bsk-ant-[A-Za-z0-9_-]{20,}\\b/g },\n  { name: \"aws-access-key\", re: /\\bAKIA[0-9A-Z]{16}\\b/g },\n  { name: \"private-key\", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\\s\\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },\n  { name: \"openai-key\", re: /\\bsk-[A-Za-z0-9]{32,}\\b/g },\n];\n\nexport interface ScrubResult {\n  clean: string;\n  found: string[]; // distinct credential kinds redacted\n}\n\n/** Replace any credential-looking substrings with `[REDACTED:<kind>]`; report the kinds found. */\nexport function scrubSecrets(text: string): ScrubResult {\n  let clean = text;\n  const found = new Set<string>();\n  for (const { name, re } of PATTERNS) {\n    clean = clean.replace(re, () => {\n      found.add(name);\n      return `[REDACTED:${name}]`;\n    });\n  }\n  return { clean, found: [...found] };\n}\n","// src/security/mentions.ts — neutralize @-mentions so autonomous artifacts never ping people.\n// Wrapping a handle in a backtick code span stops GitHub from sending a notification.\n\n// @handle not preceded by a word char/backtick and not part of an email; 1-39 chars, GitHub rules.\nconst MENTION_RE = /(^|[^A-Za-z0-9_`@/])@([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)\\b/g;\n\nexport interface MentionResult {\n  clean: string;\n  stripped: string[]; // handles neutralized\n}\n\nexport function sanitizeMentions(text: string): MentionResult {\n  const stripped: string[] = [];\n  const clean = text.replace(MENTION_RE, (_m, pre: string, handle: string) => {\n    stripped.push(handle);\n    return `${pre}\\`@${handle}\\``;\n  });\n  return { clean, stripped };\n}\n","// src/security/outbound.ts — the single cleanup applied to every agent-authored string before it\n// reaches GitHub: redact credentials, then neutralize @-mentions.\nimport { sanitizeMentions } from \"./mentions.js\";\nimport { scrubSecrets } from \"./secrets.js\";\n\nexport interface Outbound {\n  clean: string;\n  secrets: string[]; // kinds of credential redacted\n  mentions: string[]; // handles neutralized\n}\n\nexport function cleanOutbound(text: string): Outbound {\n  const s = scrubSecrets(text);\n  const m = sanitizeMentions(s.clean);\n  return { clean: m.clean, secrets: s.found, mentions: m.stripped };\n}\n","// src/github/auth.ts — credential TYPES + token minting only. Each tool resolves its OWN env names\n// into an AuthConfig (Boule uses BOULE_APP_*, Praktor uses PRAKTOR_APP_*) and passes it to the client;\n// koine never reads process.env, so it stays identity-agnostic.\nimport { createAppAuth } from \"@octokit/auth-app\";\n\nexport type GitHubAuth =\n  | { kind: \"pat\"; token: string }\n  | { kind: \"app\"; appId: string; installationId: string; privateKey: string };\n\nexport interface AuthConfig {\n  github: GitHubAuth;\n}\n\n/** Decode a base64-or-PEM private key (CI usually stores a single-line base64 blob). */\nexport function decodePrivateKey(raw: string): string {\n  const v = raw.trim();\n  if (v.includes(\"BEGIN\") && v.includes(\"PRIVATE KEY\")) return v;\n  try {\n    return Buffer.from(v, \"base64\").toString(\"utf8\");\n  } catch {\n    return v;\n  }\n}\n\n/** Mint a usable token: a PAT passes through; an App mints a short-lived installation token. */\nexport async function mintToken(auth: GitHubAuth): Promise<string> {\n  if (auth.kind === \"pat\") return auth.token;\n  const appAuth = createAppAuth({\n    appId: auth.appId,\n    privateKey: auth.privateKey,\n    installationId: Number(auth.installationId),\n  });\n  const { token } = await appAuth({ type: \"installation\" });\n  return token;\n}\n","// src/github/client.ts — THE only path to the GitHub API. All backoff/retry + auth live here so both\n// tools share one hardened transport. Reads are concurrency-friendly; writes serialize via p-retry.\nimport { graphql as octokitGraphql } from \"@octokit/graphql\";\nimport { throttling } from \"@octokit/plugin-throttling\";\nimport { Octokit } from \"@octokit/rest\";\nimport pRetry, { AbortError } from \"p-retry\";\nimport type { Logger } from \"pino\";\nimport { type AuthConfig, mintToken } from \"./auth.js\";\n\nconst ThrottledOctokit = Octokit.plugin(throttling);\ntype OpKind = \"read\" | \"write\";\n\nexport interface GitHubClient {\n  rest: Octokit;\n  /** Run a REST call through the retry/backoff gate. */\n  withRest<T>(op: OpKind, fn: (o: Octokit) => Promise<T>): Promise<T>;\n  /** Run a GraphQL document through the gate. */\n  graphql<T = unknown>(op: OpKind, query: string, vars?: Record<string, unknown>): Promise<T>;\n}\n\nconst sleep = (ms: number): Promise<void> => new Promise((r) => setTimeout(r, ms));\nconst jitter = (ms: number): number => ms * (0.5 + Math.random());\n\nfunction classifyWait(err: unknown, attempt: number): number {\n  const e = err as { status?: number; response?: { status?: number; headers?: Record<string, string> } };\n  const status = e.status ?? e.response?.status;\n  const headers = e.response?.headers ?? {};\n  if (status === 403 || status === 429) {\n    const ra = Number(headers[\"retry-after\"]);\n    if (Number.isFinite(ra)) return ra * 1000;\n    const reset = Number(headers[\"x-ratelimit-reset\"]);\n    if (Number.isFinite(reset)) return Math.max(0, reset * 1000 - Date.now());\n    return Math.max(60_000, jitter(2 ** attempt * 1000));\n  }\n  if (status && status >= 500) return jitter(2 ** attempt * 500);\n  throw new AbortError(err as Error); // 4xx (non-rate) ⇒ don't retry\n}\n\nexport interface ClientOptions {\n  maxRetries?: number;\n}\n\nexport async function createGitHubClient(\n  auth: AuthConfig,\n  log: Logger,\n  opts: ClientOptions = {},\n): Promise<GitHubClient> {\n  const token = await mintToken(auth.github);\n  const rest = new ThrottledOctokit({\n    auth: token,\n    throttle: {\n      onRateLimit: (after, _o, _ok, retryCount) => {\n        log.warn({ after, retryCount }, \"primary rate limit\");\n        return retryCount < 3;\n      },\n      onSecondaryRateLimit: (after) => {\n        log.warn({ after }, \"secondary rate limit; honoring retry-after\");\n        return true;\n      },\n    },\n  });\n  const gql = octokitGraphql.defaults({\n    headers: {\n      authorization: `token ${token}`,\n      \"GraphQL-Features\": \"issue_types,sub_issues\",\n    },\n  });\n\n  const run = <T>(_op: OpKind, task: () => Promise<T>): Promise<T> =>\n    pRetry(\n      async (attempt) => {\n        try {\n          return await task();\n        } catch (err) {\n          await sleep(classifyWait(err, attempt));\n          throw err;\n        }\n      },\n      { retries: opts.maxRetries ?? 6, minTimeout: 1000, factor: 2 },\n    );\n\n  return {\n    rest,\n    withRest: (op, fn) => run(op, () => fn(rest)),\n    graphql: <T>(op: OpKind, query: string, vars?: Record<string, unknown>) =>\n      run<T>(op, () => gql(query, vars) as Promise<T>),\n  };\n}\n","// src/agent/run.ts — the shared Claude Agent SDK run-loop. Resilient to transport noise: the SDK's\n// subprocess can exit non-zero on teardown AFTER emitting a terminal result; that must not override a\n// run whose outcome is already known. A failure BEFORE any result is real and reported as such.\nimport { type Options, query } from \"@anthropic-ai/claude-agent-sdk\";\nimport type { Logger } from \"pino\";\n\nexport type StopReason = \"success\" | \"error_max_turns\" | \"error_max_budget_usd\" | \"error_during_execution\";\n\nexport interface RunOutcome {\n  ok: boolean;\n  stopReason: StopReason;\n  sessionId: string;\n  numTurns: number;\n  costUsd: number;\n  modelUsage: Record<string, unknown>;\n  errors: string[];\n}\n\nexport interface RunHooks {\n  log: Logger;\n  /** Called once with the SDK session id (at init) — e.g. to checkpoint for resume. */\n  onSession?: (sessionId: string) => void;\n}\n\nfunction stopReasonOf(subtype: string): StopReason {\n  if (subtype === \"success\") return \"success\";\n  if (subtype === \"error_max_turns\") return \"error_max_turns\";\n  if (subtype === \"error_max_budget_usd\") return \"error_max_budget_usd\";\n  return \"error_during_execution\";\n}\n\n/** Drive one query() to completion, returning a normalized outcome. Never throws on transport noise. */\nexport async function runQuery(prompt: string, options: Options, hooks: RunHooks): Promise<RunOutcome> {\n  const { log } = hooks;\n  let stopReason: StopReason = \"error_during_execution\";\n  let numTurns = 0;\n  let costUsd = 0;\n  let sessionId = \"\";\n  let modelUsage: Record<string, unknown> = {};\n  const errors: string[] = [];\n  let gotResult = false;\n\n  try {\n    for await (const msg of query({ prompt, options })) {\n      if (msg.type === \"system\" && msg.subtype === \"init\") {\n        sessionId = msg.session_id;\n        log.info({ sessionId }, \"agent run started\");\n        hooks.onSession?.(sessionId);\n      }\n      if (msg.type === \"result\") {\n        stopReason = stopReasonOf(msg.subtype);\n        numTurns = msg.num_turns;\n        costUsd = msg.total_cost_usd;\n        modelUsage = (msg.modelUsage ?? {}) as Record<string, unknown>;\n        if (msg.subtype !== \"success\") errors.push(...(msg.errors ?? []));\n        gotResult = true;\n        log.info({ stopReason, costUsd, numTurns }, \"agent run finished\");\n      }\n    }\n  } catch (err) {\n    const message = err instanceof Error ? err.message : String(err);\n    if (gotResult) {\n      log.warn({ err: message }, \"agent transport error after result; keeping captured outcome\");\n    } else {\n      log.error({ err: message }, \"agent run failed before producing a result\");\n      errors.push(message);\n      stopReason = \"error_during_execution\";\n    }\n  }\n\n  return { ok: stopReason === \"success\", stopReason, sessionId, numTurns, costUsd, modelUsage, errors };\n}\n","// src/observability/logger.ts — structured pino logger with credential redaction. Each tool passes its\n// own level + service name; a run-scoped child carries the runId.\nimport pino, { type Logger } from \"pino\";\n\nexport type { Logger };\n\nexport interface LoggerOptions {\n  level?: string;\n  service?: string;\n  runId?: string;\n}\n\nexport function createLogger(opts: LoggerOptions = {}): Logger {\n  const base = pino({\n    level: opts.level ?? \"info\",\n    redact: {\n      paths: [\"token\", \"privateKey\", \"*.token\", \"*.privateKey\", \"headers.authorization\"],\n      censor: \"[redacted]\",\n    },\n  });\n  const bindings: Record<string, string> = {};\n  if (opts.service) bindings.service = opts.service;\n  if (opts.runId) bindings.runId = opts.runId;\n  return Object.keys(bindings).length ? base.child(bindings) : base;\n}\n"],"mappings":";AAKO,IAAM,mBAAmB;AAAA,EAC9B,QAAQ;AAAA,EACR,aAAa;AAAA,EACb,YAAY;AAAA,EACZ,QAAQ;AAAA,EACR,KAAK;AAAA,EACL,MAAM;AAAA,EACN,SAAS;AAAA,EACT,MAAM;AAAA,EACN,OAAO;AACT;AAGO,IAAM,YAAY,CAAC,SAA+B,QAAQ,IAAI;AAE9D,IAAM,qBAAqB;AAAA,EAChC,SAAS;AAAA,EACT,YAAY;AAAA,EACZ,YAAY;AAAA;AAAA,EAEZ,MAAM;AACR;AAGO,IAAM,gBAAgB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAGO,IAAM,kBAAkB;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAGO,IAAM,iBAAiB;AAAA,EAC5B,YAAY;AAAA,EACZ,MAAM;AAAA,EACN,SAAS;AACX;AAGO,IAAM,iBAAiB;AAAA,EAC5B,QAAQ;AAAA,EACR,MAAM;AAAA,EACN,UAAU;AAAA,EACV,MAAM;AAAA,EACN,MAAM;AAAA,EACN,QAAQ;AAAA,EACR,WAAW;AACb;AAGO,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAM,wBAAwB;AAAA,EACnC,aAAa;AAAA,EACb,SAAS;AAAA,EACT,cAAc;AAChB;AAGO,SAAS,qBAA+B;AAC7C,QAAM,QAAQ,OAAO,KAAK,gBAAgB;AAC1C,SAAO;AAAA,IACL,GAAG,MAAM,IAAI,SAAS;AAAA,IACtB,GAAG,OAAO,OAAO,kBAAkB;AAAA,IACnC,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AACF;;;ACtFA,SAAS,kBAAkB;AAG3B,IAAM,cAAc;AACpB,IAAM,YAAY;AAYX,SAAS,QAAQ,MAAoB,YAA4B;AACtE,QAAM,OAAO,WACV,YAAY,EACZ,UAAU,MAAM,EAChB,QAAQ,eAAe,GAAG,EAC1B,QAAQ,YAAY,EAAE,EACtB,MAAM,GAAG,EAAE;AACd,SAAO,GAAG,IAAI,IAAI,IAAI;AACxB;AAGO,SAAS,YAAY,MAA2B;AACrD,QAAM,aAAa,gBAAgB,IAAI,EACpC,QAAQ,SAAS,IAAI,EACrB,QAAQ,aAAa,EAAE,EACvB,KAAK;AACR,QAAM,MAAM,WAAW,QAAQ,EAAE,OAAO,YAAY,MAAM,EAAE,OAAO,KAAK;AACxE,SAAO,UAAU,IAAI,MAAM,GAAG,EAAE,CAAC;AACnC;AAGO,SAAS,QAAQ,IAAoB;AAC1C,QAAM,MAAM,WAAW,QAAQ,EAAE,OAAO,IAAI,MAAM,EAAE,OAAO,KAAK;AAChE,SAAO,YAAY,IAAI,MAAM,GAAG,EAAE,CAAC;AACrC;AAEO,SAAS,iBAAiB,GAAuB;AACtD,SAAO;AAAA,IACL;AAAA,IACA,SAAS,EAAE,IAAI;AAAA,IACf,aAAa,EAAE,OAAO;AAAA,IACtB,iBAAiB,EAAE,WAAW;AAAA,IAC9B,EAAE,SAAS,WAAW,EAAE,MAAM,KAAK;AAAA,IACnC,EAAE,QAAQ,WAAW,EAAE,KAAK,KAAK;AAAA,IACjC,EAAE,cAAc,iBAAiB,EAAE,WAAW,KAAK;AAAA,IACnD;AAAA,EACF,EACG,OAAO,CAAC,MAAmB,MAAM,IAAI,EACrC,KAAK,IAAI;AACd;AAGO,SAAS,eAAe,MAAc,MAA+C;AAC1F,QAAM,QAAQ,gBAAgB,IAAI,EAAE,QAAQ;AAC5C,QAAM,QAAQ,iBAAiB,EAAE,GAAG,MAAM,aAAa,YAAY,KAAK,EAAE,CAAC;AAC3E,SAAO,GAAG,KAAK;AAAA;AAAA,EAAO,KAAK;AAAA;AAC7B;AAEO,SAAS,gBAAgB,MAAiC;AAC/D,QAAM,QAAQ,KAAK,QAAQ,WAAW;AACtC,MAAI,UAAU,GAAI,QAAO;AACzB,QAAM,MAAM,KAAK,QAAQ,WAAW,KAAK;AACzC,MAAI,QAAQ,GAAI,QAAO;AACvB,QAAM,QAAQ,KAAK,MAAM,QAAQ,YAAY,QAAQ,GAAG;AACxD,QAAM,MAAM,CAAC,MAAkC;AAC7C,UAAM,IAAI,MAAM,MAAM,IAAI,OAAO,IAAI,CAAC,cAAc,GAAG,CAAC;AACxD,WAAO,IAAI,CAAC,GAAG,KAAK,KAAK;AAAA,EAC3B;AACA,QAAM,OAAO,IAAI,MAAM;AACvB,QAAM,KAAK,IAAI,UAAU;AACzB,QAAM,OAAO,IAAI,cAAc;AAC/B,MAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAM,QAAO;AAClC,SAAO;AAAA,IACL;AAAA,IACA,SAAS;AAAA,IACT,aAAa;AAAA,IACb,QAAQ,IAAI,QAAQ;AAAA,IACpB,OAAO,IAAI,QAAQ;AAAA,IACnB,aAAa,IAAI,cAAc;AAAA,EACjC;AACF;AAEO,SAAS,gBAAgB,MAAsB;AACpD,QAAM,QAAQ,KAAK,QAAQ,WAAW;AACtC,MAAI,UAAU,GAAI,QAAO;AACzB,QAAM,MAAM,KAAK,QAAQ,WAAW,KAAK;AACzC,MAAI,QAAQ,GAAI,QAAO;AACvB,SAAO,KAAK,MAAM,GAAG,KAAK,IAAI,KAAK,MAAM,MAAM,UAAU,MAAM;AACjE;AAGO,SAAS,cAAc,MAAwB;AACpD,QAAM,IAAI,KAAK,MAAM,yBAAyB;AAC9C,MAAI,CAAC,IAAI,CAAC,EAAG,QAAO,CAAC;AACrB,SAAO,CAAC,GAAG,EAAE,CAAC,EAAE,SAAS,SAAS,CAAC,EAAE,IAAI,CAAC,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,OAAO,UAAU,CAAC,CAAC;AACjG;;;ACrGA,IAAM,WAAwD;AAAA,EAC5D,EAAE,MAAM,gBAAgB,IAAI,mEAAmE;AAAA,EAC/F,EAAE,MAAM,iBAAiB,IAAI,iCAAiC;AAAA,EAC9D,EAAE,MAAM,kBAAkB,IAAI,wBAAwB;AAAA,EACtD,EAAE,MAAM,eAAe,IAAI,8EAA8E;AAAA,EACzG,EAAE,MAAM,cAAc,IAAI,2BAA2B;AACvD;AAQO,SAAS,aAAa,MAA2B;AACtD,MAAI,QAAQ;AACZ,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,EAAE,MAAM,GAAG,KAAK,UAAU;AACnC,YAAQ,MAAM,QAAQ,IAAI,MAAM;AAC9B,YAAM,IAAI,IAAI;AACd,aAAO,aAAa,IAAI;AAAA,IAC1B,CAAC;AAAA,EACH;AACA,SAAO,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,EAAE;AACpC;;;ACtBA,IAAM,aAAa;AAOZ,SAAS,iBAAiB,MAA6B;AAC5D,QAAM,WAAqB,CAAC;AAC5B,QAAM,QAAQ,KAAK,QAAQ,YAAY,CAAC,IAAI,KAAa,WAAmB;AAC1E,aAAS,KAAK,MAAM;AACpB,WAAO,GAAG,GAAG,MAAM,MAAM;AAAA,EAC3B,CAAC;AACD,SAAO,EAAE,OAAO,SAAS;AAC3B;;;ACPO,SAAS,cAAc,MAAwB;AACpD,QAAM,IAAI,aAAa,IAAI;AAC3B,QAAM,IAAI,iBAAiB,EAAE,KAAK;AAClC,SAAO,EAAE,OAAO,EAAE,OAAO,SAAS,EAAE,OAAO,UAAU,EAAE,SAAS;AAClE;;;ACZA,SAAS,qBAAqB;AAWvB,SAAS,iBAAiB,KAAqB;AACpD,QAAM,IAAI,IAAI,KAAK;AACnB,MAAI,EAAE,SAAS,OAAO,KAAK,EAAE,SAAS,aAAa,EAAG,QAAO;AAC7D,MAAI;AACF,WAAO,OAAO,KAAK,GAAG,QAAQ,EAAE,SAAS,MAAM;AAAA,EACjD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,UAAU,MAAmC;AACjE,MAAI,KAAK,SAAS,MAAO,QAAO,KAAK;AACrC,QAAM,UAAU,cAAc;AAAA,IAC5B,OAAO,KAAK;AAAA,IACZ,YAAY,KAAK;AAAA,IACjB,gBAAgB,OAAO,KAAK,cAAc;AAAA,EAC5C,CAAC;AACD,QAAM,EAAE,MAAM,IAAI,MAAM,QAAQ,EAAE,MAAM,eAAe,CAAC;AACxD,SAAO;AACT;;;AChCA,SAAS,WAAW,sBAAsB;AAC1C,SAAS,kBAAkB;AAC3B,SAAS,eAAe;AACxB,OAAO,UAAU,kBAAkB;AAInC,IAAM,mBAAmB,QAAQ,OAAO,UAAU;AAWlD,IAAM,QAAQ,CAAC,OAA8B,IAAI,QAAQ,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;AACjF,IAAM,SAAS,CAAC,OAAuB,MAAM,MAAM,KAAK,OAAO;AAE/D,SAAS,aAAa,KAAc,SAAyB;AAC3D,QAAM,IAAI;AACV,QAAM,SAAS,EAAE,UAAU,EAAE,UAAU;AACvC,QAAM,UAAU,EAAE,UAAU,WAAW,CAAC;AACxC,MAAI,WAAW,OAAO,WAAW,KAAK;AACpC,UAAM,KAAK,OAAO,QAAQ,aAAa,CAAC;AACxC,QAAI,OAAO,SAAS,EAAE,EAAG,QAAO,KAAK;AACrC,UAAM,QAAQ,OAAO,QAAQ,mBAAmB,CAAC;AACjD,QAAI,OAAO,SAAS,KAAK,EAAG,QAAO,KAAK,IAAI,GAAG,QAAQ,MAAO,KAAK,IAAI,CAAC;AACxE,WAAO,KAAK,IAAI,KAAQ,OAAO,KAAK,UAAU,GAAI,CAAC;AAAA,EACrD;AACA,MAAI,UAAU,UAAU,IAAK,QAAO,OAAO,KAAK,UAAU,GAAG;AAC7D,QAAM,IAAI,WAAW,GAAY;AACnC;AAMA,eAAsB,mBACpB,MACA,KACA,OAAsB,CAAC,GACA;AACvB,QAAM,QAAQ,MAAM,UAAU,KAAK,MAAM;AACzC,QAAM,OAAO,IAAI,iBAAiB;AAAA,IAChC,MAAM;AAAA,IACN,UAAU;AAAA,MACR,aAAa,CAAC,OAAO,IAAI,KAAK,eAAe;AAC3C,YAAI,KAAK,EAAE,OAAO,WAAW,GAAG,oBAAoB;AACpD,eAAO,aAAa;AAAA,MACtB;AAAA,MACA,sBAAsB,CAAC,UAAU;AAC/B,YAAI,KAAK,EAAE,MAAM,GAAG,4CAA4C;AAChE,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF,CAAC;AACD,QAAM,MAAM,eAAe,SAAS;AAAA,IAClC,SAAS;AAAA,MACP,eAAe,SAAS,KAAK;AAAA,MAC7B,oBAAoB;AAAA,IACtB;AAAA,EACF,CAAC;AAED,QAAM,MAAM,CAAI,KAAa,SAC3B;AAAA,IACE,OAAO,YAAY;AACjB,UAAI;AACF,eAAO,MAAM,KAAK;AAAA,MACpB,SAAS,KAAK;AACZ,cAAM,MAAM,aAAa,KAAK,OAAO,CAAC;AACtC,cAAM;AAAA,MACR;AAAA,IACF;AAAA,IACA,EAAE,SAAS,KAAK,cAAc,GAAG,YAAY,KAAM,QAAQ,EAAE;AAAA,EAC/D;AAEF,SAAO;AAAA,IACL;AAAA,IACA,UAAU,CAAC,IAAI,OAAO,IAAI,IAAI,MAAM,GAAG,IAAI,CAAC;AAAA,IAC5C,SAAS,CAAI,IAAYA,QAAe,SACtC,IAAO,IAAI,MAAM,IAAIA,QAAO,IAAI,CAAe;AAAA,EACnD;AACF;;;ACpFA,SAAuB,aAAa;AAqBpC,SAAS,aAAa,SAA6B;AACjD,MAAI,YAAY,UAAW,QAAO;AAClC,MAAI,YAAY,kBAAmB,QAAO;AAC1C,MAAI,YAAY,uBAAwB,QAAO;AAC/C,SAAO;AACT;AAGA,eAAsB,SAAS,QAAgB,SAAkB,OAAsC;AACrG,QAAM,EAAE,IAAI,IAAI;AAChB,MAAI,aAAyB;AAC7B,MAAI,WAAW;AACf,MAAI,UAAU;AACd,MAAI,YAAY;AAChB,MAAI,aAAsC,CAAC;AAC3C,QAAM,SAAmB,CAAC;AAC1B,MAAI,YAAY;AAEhB,MAAI;AACF,qBAAiB,OAAO,MAAM,EAAE,QAAQ,QAAQ,CAAC,GAAG;AAClD,UAAI,IAAI,SAAS,YAAY,IAAI,YAAY,QAAQ;AACnD,oBAAY,IAAI;AAChB,YAAI,KAAK,EAAE,UAAU,GAAG,mBAAmB;AAC3C,cAAM,YAAY,SAAS;AAAA,MAC7B;AACA,UAAI,IAAI,SAAS,UAAU;AACzB,qBAAa,aAAa,IAAI,OAAO;AACrC,mBAAW,IAAI;AACf,kBAAU,IAAI;AACd,qBAAc,IAAI,cAAc,CAAC;AACjC,YAAI,IAAI,YAAY,UAAW,QAAO,KAAK,GAAI,IAAI,UAAU,CAAC,CAAE;AAChE,oBAAY;AACZ,YAAI,KAAK,EAAE,YAAY,SAAS,SAAS,GAAG,oBAAoB;AAAA,MAClE;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,UAAM,UAAU,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC/D,QAAI,WAAW;AACb,UAAI,KAAK,EAAE,KAAK,QAAQ,GAAG,8DAA8D;AAAA,IAC3F,OAAO;AACL,UAAI,MAAM,EAAE,KAAK,QAAQ,GAAG,4CAA4C;AACxE,aAAO,KAAK,OAAO;AACnB,mBAAa;AAAA,IACf;AAAA,EACF;AAEA,SAAO,EAAE,IAAI,eAAe,WAAW,YAAY,WAAW,UAAU,SAAS,YAAY,OAAO;AACtG;;;ACrEA,OAAO,UAA2B;AAU3B,SAAS,aAAa,OAAsB,CAAC,GAAW;AAC7D,QAAM,OAAO,KAAK;AAAA,IAChB,OAAO,KAAK,SAAS;AAAA,IACrB,QAAQ;AAAA,MACN,OAAO,CAAC,SAAS,cAAc,WAAW,gBAAgB,uBAAuB;AAAA,MACjF,QAAQ;AAAA,IACV;AAAA,EACF,CAAC;AACD,QAAM,WAAmC,CAAC;AAC1C,MAAI,KAAK,QAAS,UAAS,UAAU,KAAK;AAC1C,MAAI,KAAK,MAAO,UAAS,QAAQ,KAAK;AACtC,SAAO,OAAO,KAAK,QAAQ,EAAE,SAAS,KAAK,MAAM,QAAQ,IAAI;AAC/D;","names":["query"]}

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@kleroterion/koine",
+  "version": "0.0.1",
+  "description": "The common tongue of the Kleroterion tools — shared building blocks for Boule and Praktor: GitHub-artifact taxonomy, the boule:v1 identity block, a gated GitHub client (App/PAT), the resilient Claude Agent SDK run-loop, structured logging, and outbound secret/mention scrubbing.",
+  "keywords": ["kleroterion", "boule", "praktor", "github", "claude", "agent-sdk", "shared", "library"],
+  "homepage": "https://github.com/kleroterionlabs/koine#readme",
+  "bugs": {
+    "url": "https://github.com/kleroterionlabs/koine/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/kleroterionlabs/koine.git"
+  },
+  "license": "MIT",
+  "author": "Bill Schumacher <34168009+BillSchumacher@users.noreply.github.com>",
+  "type": "module",
+  "engines": {
+    "node": ">=20.11"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": ["dist"],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "lint": "biome ci .",
+    "prepublishOnly": "npm run build"
+  },
+  "peerDependencies": {
+    "@anthropic-ai/claude-agent-sdk": "^0.1.0"
+  },
+  "dependencies": {
+    "@octokit/rest": "^21.0.0",
+    "@octokit/graphql": "^8.1.0",
+    "@octokit/auth-app": "^7.1.0",
+    "@octokit/plugin-throttling": "^9.3.0",
+    "p-retry": "^6.2.0",
+    "pino": "^9.4.0"
+  },
+  "devDependencies": {
+    "@anthropic-ai/claude-agent-sdk": "^0.1.0",
+    "typescript": "^5.6.0",
+    "tsup": "^8.3.0",
+    "vitest": "^2.1.0",
+    "@vitest/coverage-v8": "^2.1.0",
+    "@biomejs/biome": "^1.9.0",
+    "@types/node": "^22.5.0"
+  }
+}