@kodax-ai/kodax 0.7.49 → 0.7.51

package/dist/types-chunks/{bash-prefix-extractor.d-CI_xcPhn.d.ts → bash-prefix-extractor.d-DTOiDMlG.d.ts}

@@ -1,10 +1,7 @@
-import { M as McpConnectMode, a as McpServerConfig, b as McpServersConfig, c as McpTransportKind } from './config.d-CJy1WENT.js';
-import { g as KodaXGoalState, s as KodaXSessionLineage, x as KodaXSessionScope, y as KodaXSessionStorage, i as KodaXJsonValue, k as KodaXSessionArtifactLedgerEntry, S as SessionErrorMetadata } from './types.d-BnjX2Gn4.js';
-import { X as KodaXTokenUsage, n as KodaXMessage, E as KodaXReasoningMode, k as KodaXHarnessProfile, S as KodaXTaskWorkIntent, I as KodaXReviewScale, O as KodaXTaskComplexity, a as KodaXAmaFanoutClass, Q as KodaXTaskRoutingDecision, R as KodaXTaskType, J as KodaXRiskLevel, i as KodaXExecutionMode, c as KodaXAmaProfile, d as KodaXAmaTactic, b as KodaXAmaFanoutPolicy } from './types.d-rPRl2LSB.js';
-import { f as AgentMessage, aE as StopHookFn, C as ChildTaskRegistry, s as CompactionUpdate, m as AskUserQuestionOptions, k as AskUserMultiOptions, B as Guardrail, b1 as WorkflowIsolation, w as DiscoveredInstance, aI as TaskAbortRegistry, aj as RunnerToolCall, aN as ToolGuardrail } from './types.d-BR9oNWup.js';
+import { U as KodaXGoalState, f as AgentMessage, b0 as StopHookFn, a4 as KodaXSessionLineage, a9 as KodaXSessionScope, aa as KodaXSessionStorage, W as KodaXJsonValue, C as ChildTaskRegistry, bl as WorkflowEventCorrelation, s as CompactionUpdate, bx as WorkflowProcessEvent, m as AskUserQuestionOptions, k as AskUserMultiOptions, y as Guardrail, bo as WorkflowIsolation, Y as KodaXSessionArtifactLedgerEntry, aN as SessionErrorMetadata, v as DiscoveredInstance, b4 as TaskAbortRegistry } from './process.d-B8kEBnQD.js';
+import { _ as KodaXTokenUsage, o as KodaXMessage, G as KodaXReasoningMode, l as KodaXHarnessProfile, V as KodaXTaskWorkIntent, M as KodaXReviewScale, R as KodaXTaskComplexity, a as KodaXAmaFanoutClass, T as KodaXTaskRoutingDecision, U as KodaXTaskType, N as KodaXRiskLevel, j as KodaXExecutionMode, c as KodaXAmaProfile, d as KodaXAmaTactic, b as KodaXAmaFanoutPolicy, f as KodaXBaseProvider } from './base.d-GZ6jvICS.js';
 import { Diagnostic, Position, Location, Hover, DocumentSymbol, SymbolInformation } from 'vscode-languageserver-protocol';
 import { C as CapabilityKind, b as CapabilityResult } from './capability.d-3C62G8Eq.js';
-import { K as KodaXBaseProvider } from './base.d-C4jYVjJh.js';
 import { a as CostTracker } from './cost-tracker.d-wRtyEW9d.js';
 
 /**
@@ -409,6 +406,32 @@ interface TodoStore {
     reset(): void;
 }
 
+type WorkflowInvocationSource = 'natural-language' | 'command';
+type WorkflowInvocationAction = 'none' | 'suggest' | 'auto-start';
+type WorkflowInvocationTrigger = 'explicit' | 'complexity' | 'negated' | 'none';
+type WorkflowStartOutcome = 'started' | 'declined' | 'cancelled' | 'failed';
+interface WorkflowHostPolicy {
+    readonly autoStart?: 'off' | 'confirm' | 'on';
+    readonly maxAgents?: number;
+    readonly maxConcurrency?: number;
+    readonly tokenBudget?: number;
+}
+interface WorkflowInvocationPolicyInput {
+    readonly agentMode: KodaXAgentMode;
+    readonly source: WorkflowInvocationSource;
+    readonly input: string;
+    readonly hostPolicy?: WorkflowHostPolicy;
+}
+interface WorkflowInvocationPolicyDecision {
+    readonly action: WorkflowInvocationAction;
+    readonly trigger: WorkflowInvocationTrigger;
+    readonly reason: string;
+}
+declare function decideWorkflowInvocation(input: WorkflowInvocationPolicyInput): WorkflowInvocationPolicyDecision;
+declare function workflowStartOutcomeConsumesTurn(input: {
+    readonly outcome: WorkflowStartOutcome;
+}): boolean;
+
 /**
  * FEATURE_132 — language-server registry + discovery (cascade step ①).
  *
@@ -1054,18 +1077,6 @@ interface ProviderResiliencePolicy extends ProviderResilienceConfig {
     provider: string;
 }
 
-/**
- * FEATURE_200 Phase F (v0.7.45) — MCP domain types extracted from types.ts.
- * Thin KodaX-facing aliases over the @kodax-ai/agent MCP types. Re-exported
- * from ../types.ts so all `../types` importers are unaffected.
- */
-
-type KodaXMcpTransport = McpTransportKind;
-type KodaXMcpConnectMode = McpConnectMode;
-type KodaXMcpServerConfig = McpServerConfig;
-/** Flat map of MCP server configs, keyed under `mcpServers` in config.json. */
-type KodaXMcpServersConfig = McpServersConfig;
-
 /**
  * FEATURE_200 Phase F (v0.7.45) — Todo domain types extracted from types.ts.
  * Self-contained (no other coding-type deps); re-exported from ../types.ts
@@ -1210,29 +1221,43 @@ interface KodaXRepoIntelligenceTraceEvent {
     trace?: KodaXRepoIntelligenceTrace;
 }
 
+interface KodaXWorkflowEventMeta {
+    readonly workflowCorrelation?: WorkflowEventCorrelation;
+}
+interface KodaXActivityEventMeta extends KodaXWorkflowEventMeta {
+    readonly childAgentId?: string;
+    readonly childAgentName?: string;
+    readonly parentToolId?: string;
+    readonly liveOnly?: boolean;
+}
+interface KodaXToolEventMeta extends KodaXActivityEventMeta {
+    readonly toolId?: string;
+}
 interface KodaXEvents {
-    onTextDelta?: (text: string) => void;
-    onThinkingDelta?: (text: string) => void;
-    onThinkingEnd?: (thinking: string) => void;
+    /** FEATURE_229: correlates child-agent SDK callbacks back to a workflow run/item. */
+    workflowCorrelation?: WorkflowEventCorrelation;
+    onTextDelta?: (text: string, meta?: KodaXActivityEventMeta) => void;
+    onThinkingDelta?: (text: string, meta?: KodaXActivityEventMeta) => void;
+    onThinkingEnd?: (thinking: string, meta?: KodaXActivityEventMeta) => void;
     onToolUseStart?: (tool: {
         name: string;
         id: string;
         input?: Record<string, unknown>;
-    }) => void;
+    }, meta?: KodaXToolEventMeta) => void;
     onToolResult?: (result: {
         id: string;
         name: string;
         content: string;
-    }) => void;
+    }, meta?: KodaXToolEventMeta) => void;
     /** FEATURE_067 v2: Real-time tool execution progress update. Updates the tool's display in the REPL transcript. */
     onToolProgress?: (update: {
         id: string;
         message: string;
-    }) => void;
-    onToolInputDelta?: (toolName: string, partialJson: string, meta?: {
-        toolId?: string;
-    }) => void;
-    onStreamEnd?: () => void;
+    }, meta?: KodaXToolEventMeta) => void;
+    onToolInputDelta?: (toolName: string, partialJson: string, meta?: KodaXToolEventMeta) => void;
+    onStreamEnd?: (meta?: KodaXActivityEventMeta) => void;
+    /** Fired once when a child-agent run fully leaves the child executor. */
+    onChildActivityEnd?: (meta?: KodaXActivityEventMeta) => void;
     onSessionStart?: (info: {
         provider: string;
         sessionId: string;
@@ -1294,8 +1319,8 @@ interface KodaXEvents {
      * prompt contents in queue order. Empty arrays are not surfaced.
      */
     onMidTurnUserMessages?: (contents: readonly string[]) => void;
-    onRetry?: (reason: string, attempt: number, maxAttempts: number) => void;
-    onProviderRateLimit?: (attempt: number, maxRetries: number, delayMs: number) => void;
+    onRetry?: (reason: string, attempt: number, maxAttempts: number, meta?: KodaXActivityEventMeta) => void;
+    onProviderRateLimit?: (attempt: number, maxRetries: number, delayMs: number, meta?: KodaXActivityEventMeta) => void;
     /**
      * FEATURE_130 (v0.7.36) — structured retry-after notification.
      *
@@ -1320,7 +1345,7 @@ interface KodaXEvents {
         source: 'retry-after-seconds' | 'retry-after-date' | 'retry-after-ms' | 'exponential-backoff';
         attempt: number;
         maxAttempts: number;
-    }) => void;
+    }, meta?: KodaXActivityEventMeta) => void;
     onRepoIntelligenceTrace?: (event: KodaXRepoIntelligenceTraceEvent) => void;
     /**
      * FEATURE_097 (v0.7.34): emitted whenever the Scout-seeded todo list
@@ -1333,10 +1358,12 @@ interface KodaXEvents {
      */
     onTodoUpdate?: (items: TodoList) => void;
     /** Structured provider recovery event (Feature 045) */
-    onProviderRecovery?: (event: ProviderRecoveryEvent) => void;
+    onProviderRecovery?: (event: ProviderRecoveryEvent, meta?: KodaXActivityEventMeta) => void;
     onComplete?: () => void;
     onError?: (error: Error) => void;
     onManagedTaskStatus?: (status: KodaXManagedTaskStatusEvent) => void;
+    /** FEATURE_229: workflow process snapshot stream for SDK/host panels. */
+    onWorkflowProcessEvent?: (event: WorkflowProcessEvent) => void;
     /**
      * Fired when Scout's managed-task completion is inferred but the harness
      * detected suspicious signals (mutation expected but none happened, budget
@@ -1373,18 +1400,16 @@ interface KodaXEvents {
         current: (() => string) | null;
     };
     /** Tool execution hook - called before tool execution, return false to block - 工具执行前回调 */
-    beforeToolExecute?: (tool: string, input: Record<string, unknown>, meta?: {
-        toolId?: string;
-    }) => Promise<boolean | string>;
+    beforeToolExecute?: (tool: string, input: Record<string, unknown>, meta?: KodaXToolEventMeta) => Promise<boolean | string>;
     /** Ask user a question interactively - Issue 069 - 交互式向用户提问 */
-    askUser?: (options: AskUserQuestionOptions) => Promise<string>;
+    askUser?: (options: AskUserQuestionOptions, meta?: KodaXToolEventMeta) => Promise<string>;
     /** Ask user multiple independent questions sequentially - 多问题顺序提问 */
-    askUserMulti?: (options: AskUserMultiOptions) => Promise<Record<string, string> | undefined>;
+    askUserMulti?: (options: AskUserMultiOptions, meta?: KodaXToolEventMeta) => Promise<Record<string, string> | undefined>;
     /** Ask user for free-text input - 自由文本输入 (Issue 112) */
     askUserInput?: (options: {
         question: string;
         default?: string;
-    }) => Promise<string | undefined>;
+    }, meta?: KodaXToolEventMeta) => Promise<string | undefined>;
     /**
      * FEATURE_074: Exit plan mode with user approval. Called by the `exit_plan_mode` tool.
      * Returns:
@@ -1630,10 +1655,17 @@ interface KodaXChildAgentResult {
     digest?: string;
     /** True when a workflow child digest was attempted but failed (error/timeout/empty distillation). */
     digestFailed?: boolean;
+    /** True when a workflow child digest is running asynchronously and may arrive later. */
+    digestPending?: boolean;
+    /** Actual provider/model selected for this child run, when known. */
+    provider?: string;
+    model?: string;
     /** Actual iterations consumed by this child agent. */
     actualIterations?: number;
     /** Best-known token usage for this child run. Used by workflow budget accounting. */
     totalTokensUsed?: number;
+    /** True when the child exhausted its iteration budget before completing. */
+    limitReached?: boolean;
     /**
      * True when the child's `runKodaX` exited via CAP-083 AbortError silent
      * terminal (`KodaXResult.interrupted === true`). Surfaces the
@@ -2022,6 +2054,8 @@ interface KodaXOptions {
     context?: KodaXContextOptions;
     events?: KodaXEvents;
     extensionRuntime?: ExtensionRuntimeContract;
+    /** FEATURE_229: host-owned policy for workflow auto-start and ceilings. */
+    workflowHostPolicy?: WorkflowHostPolicy;
     /** FEATURE_221: SDK-consumer self-manual injection (product name + topics). */
     selfManual?: KodaXSelfManualConfig;
     /**
@@ -2302,6 +2336,11 @@ interface KodaXToolExecutionContext {
     selfManual?: KodaXSelfManualConfig;
     /** Working directory used to resolve relative paths and execute shell commands. */
     executionCwd?: string;
+    /**
+     * Active skill invocation for the current managed run. Child dispatch uses
+     * this to preserve the skill's support-file roots in sub-agent briefings.
+     */
+    skillInvocation?: KodaXSkillInvocationContext;
     /**
      * FEATURE_217 (v0.7.49): parent dir for `isolation:'worktree'` workflow child
      * worktrees. Workflow runs point this at `<runDir>/worktrees` so worktrees are
@@ -2356,6 +2395,12 @@ interface KodaXToolExecutionContext {
         readonly model?: string;
         readonly reasoningMode?: KodaXReasoningMode;
     };
+    /**
+     * Parent SDK/REPL callback surface available to child-dispatch tools.
+     * `dispatch_child_task` uses this to preserve live child telemetry without
+     * copying every callback onto KodaXToolExecutionContext as a separate field.
+     */
+    parentEvents?: KodaXEvents;
     /**
      * FEATURE_123 v0.7.44 — agentId of the agent whose tool call this
      * context backs. `undefined` for the top-level Worker (main runtime
@@ -2587,504 +2632,6 @@ interface KodaXToolExecutionContext {
     goalContext?: GoalToolsContext;
 }
 
-/**
- * AGENTS.md - Project-level AI Context Rules Loader
- *
- * This module implements loading of project-level context rules from AGENTS.md files,
- * inspired by pi-mono's implementation.
- *
- * Priority: global < root < ... < current directory < .kodax/
- */
-interface AgentsFile {
-    path: string;
-    content: string;
-    scope: 'global' | 'project' | 'directory';
-}
-interface LoadAgentsOptions {
-    /** Pass cwd explicitly for deterministic prompt building; process.cwd() is only a legacy fallback. */
-    cwd?: string;
-    kodaxDir?: string;
-    projectRoot?: string;
-}
-/**
- * Get KodaX global directory.
- *
- * Routes through {@link getAgentConfigHome} (v0.7.35.1 FEATURE_145 3-tier
- * resolution: programmatic override > KODAX_HOME env > ~/.kodax default).
- */
-declare function getKodaxGlobalDir(): string;
-/**
- * Load all AGENTS files
- * Priority: global < root < ... < current directory < .kodax/
- */
-declare function loadAgentsFiles(options?: LoadAgentsOptions): AgentsFile[];
-/**
- * Format AGENTS files for system prompt
- */
-declare function formatAgentsForPrompt(files: AgentsFile[]): string;
-
-/**
- * Auto-Mode Rules Loader — FEATURE_092 Phase 2b.2 (v0.7.33).
- *
- * Three-layer trust model for `auto-rules.jsonc` files consumed by the
- * auto-mode classifier:
- *
- *   1. ~/.kodax/auto-rules.jsonc                  — user-level, always trusted
- *   2. <project>/.kodax/auto-rules.jsonc          — shared, opt-in (sha256 fingerprint)
- *   3. <project>/.kodax/auto-rules.local.jsonc    — workspace-local, gitignored, trusted
- *
- * Why opt-in for the shared file: a malicious PR could land an
- * `auto-rules.jsonc` claiming "allow any curl" and the user wouldn't
- * notice. First-checkout opt-in via fingerprint forces the user to
- * acknowledge the file by content. If the fingerprint changes later,
- * the file is silently skipped until re-trusted — failures favor safety.
- *
- * Schema (each field optional, defaults to []):
- *   {
- *     "allow":       string[],   // patterns the classifier defaults to allowing
- *     "soft_deny":   string[],   // patterns the classifier defaults to blocking
- *     "environment": string[]    // background context the classifier sees verbatim
- *   }
- *
- * Merge: layers concatenated in order (user → project → local). Identical
- * strings deduplicated by stable insertion (later layers win position only
- * when the string is unique per layer).
- */
-interface AutoRules {
-    readonly allow: readonly string[];
-    readonly soft_deny: readonly string[];
-    readonly environment: readonly string[];
-}
-type RulesOrigin = 'user' | 'project' | 'local';
-interface LoadedRulesSource {
-    readonly origin: RulesOrigin;
-    readonly path: string;
-    readonly fingerprint: string;
-}
-interface SkippedRulesSource {
-    readonly origin: 'project';
-    readonly path: string;
-    readonly fingerprint: string;
-    readonly reason: 'untrusted' | 'fingerprint-changed';
-}
-interface RulesLoadError {
-    readonly path: string;
-    readonly message: string;
-}
-interface RulesLoadResult {
-    readonly merged: AutoRules;
-    readonly sources: readonly LoadedRulesSource[];
-    readonly skipped: readonly SkippedRulesSource[];
-    readonly errors: readonly RulesLoadError[];
-}
-interface LoadAutoRulesOptions {
-    readonly userKodaxDir: string;
-    readonly projectRoot: string;
-}
-interface TrustState {
-    readonly trusted: Readonly<Record<string, string>>;
-}
-declare function computeRulesFingerprint(content: string): string;
-declare function readTrustState(userKodaxDir: string): Promise<TrustState>;
-interface TrustOptions {
-    readonly userKodaxDir: string;
-}
-declare function trustProjectRules(rulesPath: string, fingerprint: string, opts: TrustOptions): Promise<void>;
-type ParseAutoRulesResult = {
-    readonly ok: true;
-    readonly rules: AutoRules;
-} | {
-    readonly ok: false;
-    readonly error: string;
-};
-declare function parseAutoRules(src: string): ParseAutoRulesResult;
-declare function loadAutoRules(opts: LoadAutoRulesOptions): Promise<RulesLoadResult>;
-
-/**
- * Tool-Call Signals — FEATURE_158 Step 2 (v0.7.39).
- *
- * Mechanical pattern matches over a tool call. Signals are NOT verdicts;
- * the classifier consumes them as informational input alongside transcript
- * + user rules and produces the final decision (allow / block / escalate).
- *
- * Two invariants the producers must hold:
- *
- *   1. **Pure**: same `call` + `projectRoot` ⇒ same signals. No I/O, no
- *      timestamps, no env reads inside collectors. Collectors run on every
- *      non-Tier-1 tool call, so they must be cheap and deterministic.
- *
- *   2. **Fact-only**: a `protected_path` signal says "this command names
- *      path X which is under ~/.kodax/", not "this should be blocked".
- *      Severity stays on the producer side (e.g. `dangerous_pattern.severity`)
- *      so the classifier can weight signals, but the verdict is not encoded
- *      here.
- *
- * Tier 0 (absolute deny) is a separate module — signals are pre-verdict
- * material consumed by Tier 2 (LLM classifier). The two paths are not
- * coupled: Tier 0 catches a fixed catastrophic-pattern set; signals
- * describe a wider surface for the classifier to reason about.
- *
- * Design ref: ADR-025, FEATURE_158 (docs/features/v0.7.39.md).
- */
-
-/**
- * One mechanical signal about a tool call. Discriminated union — consumers
- * narrow on `kind` to access the kind-specific fields.
- */
-type ToolCallSignal = {
-    readonly kind: 'dangerous_pattern';
-    /** Pattern source (e.g. regex .source) that matched. */
-    readonly pattern: string;
-    /**
-     * Severity hint for the classifier.
-     *   `high`   — destructive intent typical (e.g. `git push --force`,
-     *              `chmod 777`, `curl | bash`). Classifier should lean
-     *              toward escalate/block.
-     *   `medium` — risk-shaped but contextual (e.g. broad `rm`, `sudo`).
-     *              Classifier weighs against transcript context.
-     */
-    readonly severity: 'high' | 'medium';
-} | {
-    readonly kind: 'protected_path';
-    /** Path token that triggered the match (as it appeared in the call). */
-    readonly path: string;
-    /**
-     *   `project-kodax` — under `<projectRoot>/.kodax/`
-     *   `user-kodax`    — under `~/.kodax/` (credentials zone)
-     */
-    readonly zone: 'project-kodax' | 'user-kodax';
-} | {
-    readonly kind: 'outside_project';
-    readonly path: string;
-} | {
-    readonly kind: 'shell_redirect_outside';
-    /** Redirection target path (`>`, `>>`, `tee` etc.). */
-    readonly target: string;
-} | {
-    readonly kind: 'package_install';
-    readonly manager: 'npm' | 'pnpm' | 'yarn' | 'pip' | 'cargo' | 'apt' | 'brew';
-} | {
-    readonly kind: 'git_write';
-    readonly verb: 'commit' | 'push' | 'reset' | 'clean' | 'rebase' | 'cherry-pick' | 'revert';
-} | {
-    readonly kind: 'network';
-    readonly tool: 'curl' | 'wget' | 'fetch';
-} | {
-    readonly kind: 'file_modification';
-    readonly targets: readonly string[];
-};
-/**
- * Pulls signals from one tool call. A collector declares which tool names
- * it applies to via `toolNames`; the dispatcher in `collectAllSignals`
- * skips non-matching collectors so each one only sees calls it was
- * designed for.
- *
- * `collect` returns the signals; an empty array is fine and the common
- * case for benign calls.
- */
-interface SignalCollector {
-    /**
-     * Tool names this collector reacts to (lowercase). Other tool names
-     * never reach `collect`. Empty set = matches nothing (effectively
-     * disabled — useful only for tests).
-     */
-    readonly toolNames: ReadonlySet<string>;
-    /**
-     * Inspect the call and produce zero or more signals.
-     *
-     * Must be pure: no I/O, no timing, no global state reads. The
-     * `projectRoot` argument is the only environmental context — pass
-     * the same value through every call site to keep results stable.
-     */
-    collect(call: RunnerToolCall, projectRoot: string): readonly ToolCallSignal[];
-}
-/**
- * Run every applicable collector on `call` and return the merged signal
- * list. Order preserved: collectors run in array order; per-collector
- * signal order preserved within their slice.
- *
- * Duplicates intentionally not deduped here — different collectors may
- * legitimately surface the same kind for different reasons (e.g. a
- * `protected_path` from a bash redirect target AND a `protected_path`
- * from an argv token in the same command). The classifier prompt
- * tolerates duplicates; dedup would risk dropping load-bearing context.
- */
-declare function collectAllSignals(call: RunnerToolCall, projectRoot: string, collectors: readonly SignalCollector[]): readonly ToolCallSignal[];
-
-/**
- * Denial Tracker — FEATURE_092 Phase 2b.4 (v0.7.33).
- *
- * Tracks classifier blocks per session. When either threshold is crossed,
- * the auto-mode engine downgrades from `llm` to `rules` (mode stays `auto`).
- *
- *   - 3 consecutive blocks → likely an unproductive loop (agent not adapting)
- *   - 20 cumulative blocks → broader classifier-noise pattern in this session
- *
- * Both are session-scoped, shared with subagents (per design doc, to defend
- * against threshold-bypass via spawning).
- *
- * Pure functional API: each operation returns a new tracker. No mutation.
- */
-declare const CONSECUTIVE_THRESHOLD = 3;
-declare const CUMULATIVE_THRESHOLD = 20;
-interface DenialTracker {
-    readonly consecutive: number;
-    readonly cumulative: number;
-}
-declare function createDenialTracker(): DenialTracker;
-declare function recordBlock(t: DenialTracker): DenialTracker;
-declare function recordAllow(t: DenialTracker): DenialTracker;
-declare function shouldFallback$1(t: DenialTracker): boolean;
-
-/**
- * Circuit Breaker — FEATURE_092 Phase 2b.4 (v0.7.33).
- *
- * Sliding-window error counter for classifier failures (timeouts, 5xx, 429,
- * unparseable outputs). When ≥ 5 errors land within a 10-minute window, the
- * auto-mode engine downgrades from `llm` to `rules` (mode stays `auto`) so
- * the user is not blocked by a degraded classifier path.
- *
- * Pure functional API: each operation returns a new breaker. No mutation.
- * Memory bound: stale timestamps are pruned on each recordError call so
- * the timestamps array never grows unbounded.
- */
-declare const ERROR_THRESHOLD = 5;
-declare const WINDOW_MS: number;
-interface CircuitBreaker {
-    readonly timestamps: readonly number[];
-}
-declare function createCircuitBreaker(): CircuitBreaker;
-declare function recordError(b: CircuitBreaker, now: number): CircuitBreaker;
-declare function shouldFallback(b: CircuitBreaker, now: number): boolean;
-
-/**
- * AutoModeToolGuardrail — FEATURE_092 Phase 2b.6 (v0.7.33).
- *
- * Assembles the auto-mode classifier modules (rules + projection +
- * classify + denial-tracker + circuit-breaker + model-resolver) into a
- * `ToolGuardrail` that the Runner calls via `beforeTool` on every
- * tool invocation.
- *
- * Decision flow (per design doc "三层权限金字塔"):
- *
- *   1. Tool projection is '' (Tier 1)        → allow (zero token cost)
- *   2. Engine has been downgraded to rules   → escalate (user confirms)
- *   3. denialTracker.shouldFallback (3/20)   → engine downgrade, then escalate
- *   4. circuitBreaker.shouldFallback (5/10m) → engine downgrade, then escalate
- *   5. classify(...) sideQuery
- *        allow                               → allow (record allow → reset consecutive)
- *        block                               → block + reason (record block)
- *        escalate                            → escalate + reason (record error)
- *        AbortError thrown                   → re-throw (propagate user cancel)
- *
- * State (mutable, session-scoped):
- *   - engine: 'llm' | 'rules' (starts at 'llm', downgrades on threshold)
- *   - denialTracker (immutable type, swapped on each event)
- *   - circuitBreaker (immutable type, swapped on each event)
- *
- * Subagent sharing:
- *   The factory accepts an optional `sharedState` ref; passing the same ref
- *   to a subagent's guardrail means denial / circuit / engine state is
- *   shared (per design doc "防绕阈值"). Without it each guardrail is
- *   independent.
- *
- * Capability check, Tier 2 path-shortcuts, and the explicit
- * `supportsAutoModeClassifier` provider flag are deferred to follow-up
- * phases — v1 of the guardrail relies on Tier 1 (projection==='') as the
- * structural opt-out and forwards everything else to the classifier.
- */
-
-type AutoModeEngine = 'llm' | 'rules';
-interface AutoModeSharedState {
-    engine: AutoModeEngine;
-    denials: DenialTracker;
-    breaker: CircuitBreaker;
-}
-/**
- * User answer for an escalated tool-call. The guardrail translates this into
- * the actual `GuardrailVerdict` returned to the Runner. `'block'` preserves
- * the original escalation reason as the verdict reason so downstream consumers
- * see why the tool was blocked.
- */
-type AutoModeAskUserVerdict = 'allow' | 'block';
-/**
- * Optional REPL-supplied prompt callback for the 6 escalate paths in
- * `beforeTool` (engine-downgraded, denial-threshold-just-crossed,
- * breaker-just-tripped, classifier-error, classifier-decision-escalate,
- * provider-not-configured). When supplied, the guardrail calls this and
- * translates the user's answer into `'allow'` or `'block'`. When NOT
- * supplied, the guardrail returns `'escalate'` as before — the Runner will
- * then throw `GuardrailEscalateError` (preserves backward compat with
- * SDK-side guardrail consumers that have no askUser surface).
- *
- * Rejection propagates: if the user cancels (Ctrl-C in the prompt), throw
- * an AbortError-shaped exception and the Runner aborts the run cleanly.
- */
-type AutoModeAskUser = (call: RunnerToolCall, reason: string, 
-/**
- * FEATURE_158 (v0.7.39): static-analysis signals collected for this tool
- * call. Optional + readonly so existing callers without signal-aware UI
- * keep working. REPL uses these to render Scope/Risk labels on the
- * confirm dialog (replacing the input-marker path from FEATURE_066).
- */
-signals?: readonly ToolCallSignal[]) => Promise<AutoModeAskUserVerdict>;
-interface AutoModeGuardrailConfig {
-    readonly rules: AutoRules;
-    readonly claudeMd?: string;
-    /**
-     * FEATURE_092 phase 2b.7b: optional user-prompt callback for escalate
-     * paths. See `AutoModeAskUser` for semantics.
-     */
-    readonly askUser?: AutoModeAskUser;
-    /**
-     * Look up a tool's `toClassifierInput` projection by tool name.
-     * Returns `undefined` when the tool isn't in the registry — guardrail
-     * treats that as "no projection ⇒ Tier 1 skip" (conservative for
-     * unknown tools is debatable; v1 favors not blocking on noise).
-     */
-    readonly getToolProjection: (toolName: string) => ((input: unknown) => string) | undefined;
-    /**
-     * Resolve a provider name to an instance. Returns `undefined` when
-     * unconfigured / unknown — the guardrail then escalates.
-     */
-    readonly resolveProvider: (providerName: string) => KodaXBaseProvider | undefined;
-    readonly defaultProvider: string;
-    readonly defaultModel: string;
-    /**
-     * FEATURE_092 v0.7.34 hotfix-3 — defaultProvider/defaultModel staleness fix.
-     *
-     * When supplied, these are called on EVERY classify() invocation, so the
-     * classifier follows the user's current main session provider/model even
-     * after `/model` or `/provider` mid-session swaps. Falls back to
-     * `defaultProvider` / `defaultModel` (static strings) when unset, preserving
-     * backward compatibility for SDK consumers that pass string literals.
-     */
-    readonly getDefaultProvider?: () => string;
-    readonly getDefaultModel?: () => string;
-    readonly cliFlag?: string;
-    readonly envVar?: string;
-    readonly sessionOverride?: string;
-    readonly userSettings?: string;
-    /**
-     * Optional cost-tracker accessors. The classifier writes its tokens to
-     * the tracker under `querySource: 'auto_mode'` (handled inside sideQuery).
-     */
-    readonly getCostTracker?: () => CostTracker | undefined;
-    readonly setCostTracker?: (t: CostTracker) => void;
-    /** Optional logger for engine-downgrade and config warnings. */
-    readonly log?: (level: 'info' | 'warn', msg: string) => void;
-    /**
-     * Fired whenever the active engine changes — both on automatic downgrades
-     * (denial threshold / circuit breaker) AND on manual `setEngine(...)`
-     * calls. UI surfaces (status bar engine indicator, slash-command
-     * confirmations) subscribe here so the displayed engine stays in sync
-     * with the guardrail's internal state without the user having to trigger
-     * another mode toggle just to refresh the bar.
-     */
-    readonly onEngineChange?: (engine: AutoModeEngine) => void;
-    /**
-     * Optional shared state for subagent threshold-bypass defense
-     * (design doc "防绕阈值"). When supplied, the parent and child
-     * guardrails reference the SAME object — engine downgrades and
-     * tracker advances are visible across the session boundary.
-     */
-    readonly sharedState?: AutoModeSharedState;
-    /**
-     * FEATURE_092 phase 2b.7b slice C: starting engine. Defaults to `'llm'`.
-     * Set to `'rules'` to skip the classifier entirely from session start
-     * (the rules-mode escalate path runs immediately on the first non-Tier-1
-     * tool call). Resolved by the REPL from `~/.kodax/config.json`
-     * `autoMode.engine` and the `KODAX_AUTO_MODE_ENGINE` env var.
-     */
-    readonly initialEngine?: AutoModeEngine;
-    /**
-     * FEATURE_092 phase 2b.7b slice C: classifier sideQuery timeout in ms.
-     * Defaults to 8000. Resolved by the REPL from `~/.kodax/config.json`
-     * `autoMode.timeoutMs`.
-     */
-    readonly timeoutMs?: number;
-    /**
-     * Project root for signal collectors. File-tool collector uses this to
-     * detect `outside_project` vs project-relative paths. Bash collector
-     * doesn't use it (command-string-level) but threads it for uniform
-     * collector contract.
-     *
-     * Required by FEATURE_158: if omitted, the default coding-side
-     * collectors produce no `outside_project` signal (degrades gracefully),
-     * but **REPL-injected `extraCollectors` will likely require it**.
-     * SDK consumers without a project root should set `projectRoot: ''`
-     * and supply no `extraCollectors`.
-     */
-    readonly projectRoot?: string;
-    /**
-     * Override the default signal-collector set. When unset, defaults to
-     * `[bashSignalCollector, fileSignalCollector]` — coding-side
-     * command-string + file-tool collectors that don't depend on REPL
-     * path utilities.
-     *
-     * Use `extraCollectors` instead if you want to **add** collectors
-     * without replacing the defaults.
-     */
-    readonly signalCollectors?: readonly SignalCollector[];
-    /**
-     * Additional signal collectors to merge with `signalCollectors`.
-     * Primary use: REPL injects a path-aware bash collector built on its
-     * own `extractPathsFromCommand` / `isAlwaysConfirmPath` utilities
-     * (those live in `@kodax/repl` for historical reasons; lifting them
-     * is out-of-scope for FEATURE_158 — see design doc layer-boundary
-     * decision).
-     *
-     * Order: defaults run first, then extras (preserves per-collector
-     * signal order).
-     */
-    readonly extraCollectors?: readonly SignalCollector[];
-    /**
-     * Speculative-classify quiet window (ms). When a classifier promise
-     * settles within this window, the guardrail uses the verdict directly
-     * (no confirm dialog). When the window expires, the call escalates to
-     * the user; the background classifier is left running for cost-tracker
-     * settlement but its eventual result is discarded in v1 (UI doesn't
-     * adopt late verdicts yet).
-     *
-     * Precedence: explicit arg > `KODAX_AUTO_SPECULATIVE_WINDOW_MS` env >
-     * `DEFAULT_WINDOW_MS = 500`. Set to 0 to disable speculative race
-     * (degrades to synchronous classify).
-     */
-    readonly speculativeWindowMs?: number;
-}
-/**
- * Snapshot of the auto-mode guardrail's session-scoped state. Returned by
- * `getStats()` for diagnostic surfaces (`/auto-denials`) and the status bar
- * engine indicator. The DenialTracker / CircuitBreaker types are immutable
- * value objects, so this is a copy of the references — caller cannot mutate
- * guardrail state through it.
- */
-interface AutoModeStats {
-    readonly engine: AutoModeEngine;
-    readonly denials: DenialTracker;
-    readonly breaker: CircuitBreaker;
-}
-interface AutoModeToolGuardrail extends ToolGuardrail {
-    /** Current engine for this session. */
-    getEngine(): AutoModeEngine;
-    /** Snapshot of engine + denial tracker + circuit breaker. */
-    getStats(): AutoModeStats;
-    /**
-     * Manually set the engine. Used by `/auto-engine` slash command to flip
-     * back to 'llm' after an automatic downgrade or to flip to 'rules' for
-     * manual testing. The downgrade thresholds still operate normally — a
-     * subsequent threshold cross will downgrade again.
-     */
-    setEngine(engine: AutoModeEngine): void;
-    /** Test-only alias for getEngine(). Backward-compat for test files. */
-    getEngineForTest(): AutoModeEngine;
-    /** Test-only alias for getStats(). Backward-compat for test files. */
-    getStatsForTest(): AutoModeStats;
-    /** Test-only override: swap the provider mid-test (for downgrade scenarios). */
-    setProviderForTest(provider: KodaXBaseProvider): void;
-}
-declare function createAutoModeToolGuardrail(config: AutoModeGuardrailConfig): AutoModeToolGuardrail;
-
 /**
  * Bash Command Prefix Extractor — FEATURE_153 (v0.7.38).
  *
@@ -3234,5 +2781,5 @@ interface CreateBashPrefixExtractorOptions {
  */
 declare function createBashPrefixExtractor(opts: CreateBashPrefixExtractorOptions): BashPrefixExtractor;
 
-export { BASH_POLICY_SPEC as B, CONSECUTIVE_THRESHOLD as C, ERROR_THRESHOLD as E, LSP_SERVERS as aE, LspService as aI, WINDOW_MS as b4, buildGoalRuntimeBinding as b5, collectAllSignals as b6, computeRulesFingerprint as b7, createAutoModeToolGuardrail as b8, createBashPrefixExtractor as b9, createCircuitBreaker as ba, createDenialTracker as bb, extractCommandPrefix as bc, formatAgentsForPrompt as bd, getDefaultLspService as be, getKodaxGlobalDir as bf, loadAgentsFiles as bg, loadAutoRules as bh, makeDisabledGoalToolsContext as bi, parseAutoRules as bj, readTrustState as bk, recordAllow as bl, recordBlock as bm, recordError as bn, shouldFallback$1 as bo, shouldFallback as bp, shutdownDefaultLspService as bq, trustProjectRules as br, withGoalBeforeNextTurn as bs, withGoalStopHook as bt, CUMULATIVE_THRESHOLD as k };
-export type { KodaXMcpConnectMode as $, AgentsFile as A, DenialTracker as D, FailureStage as F, GoalBlockedResult as G, KodaXChildContextBundle as H, KodaXChildExecutionResult as I, KodaXCompactionOverride as J, KodaXAgentMode as K, KodaXContextOptions as L, KodaXContextTokenSnapshot as M, KodaXEvents as N, KodaXFanoutBranchLifecycle as O, KodaXFanoutBranchRecord as P, KodaXFanoutBranchTransition as Q, KodaXFanoutSchedulerInput as R, KodaXFanoutSchedulerPlan as S, KodaXInputArtifact as T, KodaXManagedBudgetSnapshot as U, KodaXManagedProtocolPayload as V, KodaXManagedTask as W, KodaXManagedTaskRuntimeState as X, KodaXManagedTaskStatusEvent as Y, KodaXManualTopicId as Z, KodaXManualTopicInput as _, AutoModeAskUser as a, TodoItem as a$, KodaXMcpServerConfig as a0, KodaXMcpServersConfig as a1, KodaXMcpTransport as a2, KodaXMemoryStrategy as a3, KodaXOptions as a4, KodaXOrchestrationVerdict as a5, KodaXParentReductionContract as a6, KodaXProviderPolicyHints as a7, KodaXRepoIntelligenceCapability as a8, KodaXRepoIntelligenceMode as a9, KodaXTaskWorkItem as aA, KodaXToolExecutionContext as aB, KodaXVerificationScorecard as aC, KodaXVerificationScorecardCriterion as aD, LoadAgentsOptions as aF, LoadedRulesSource as aG, LspServerInfo as aH, LspServiceConfig as aJ, ProviderExecutionState as aK, ProviderRecoveryEvent as aL, ProviderResilienceConfig as aM, ProviderResiliencePolicy as aN, RecoveryAction as aO, RecoveryDecision as aP, RecoveryLadderStep as aQ, RecoveryResult as aR, ResilienceClassification as aS, ResilienceErrorClass as aT, ResolveKodaXManualInput as aU, ResolveKodaXManualOptions as aV, ResolveKodaXManualResult as aW, RulesLoadError as aX, RulesLoadResult as aY, SignalCollector as aZ, SkippedRulesSource as a_, KodaXRepoIntelligenceResolvedMode as aa, KodaXRepoIntelligenceTrace as ab, KodaXRepoIntelligenceTraceEvent as ac, KodaXRepoRoutingSignals as ad, KodaXResult as ae, KodaXRoleRoundSummary as af, KodaXRuntimeVerificationContract as ag, KodaXSelfManualConfig as ah, KodaXSessionControl as ai, KodaXSessionMutators as aj, KodaXSessionOptions as ak, KodaXSkillInvocationContext as al, KodaXSkillMap as am, KodaXSkillProjectionConfidence as an, KodaXTaskCapabilityHint as ao, KodaXTaskContract as ap, KodaXTaskEvidenceArtifact as aq, KodaXTaskEvidenceBundle as ar, KodaXTaskEvidenceEntry as as, KodaXTaskRole as at, KodaXTaskRoleAssignment as au, KodaXTaskStatus as av, KodaXTaskSurface as aw, KodaXTaskToolPolicy as ax, KodaXTaskVerificationContract as ay, KodaXTaskVerificationCriterion as az, AutoModeAskUserVerdict as b, TodoList as b0, TodoStatus as b1, ToolCallSignal as b2, TrustState as b3, AutoModeEngine as c, AutoModeGuardrailConfig as d, AutoModeSharedState as e, AutoModeStats as f, AutoModeToolGuardrail as g, AutoRules as h, BashPrefixExtractor as i, BashPrefixResult as j, ChildSnapshotEvent as l, CircuitBreaker as m, CreateBashPrefixExtractorOptions as n, DiagnosticsRequest as o, ExtensionRuntimeContract as p, ExtractCommandPrefixOptions as q, GoalCompleteResult as r, GoalCreateInput as s, GoalLifecycleContext as t, GoalRuntimeBinding as u, GoalRuntimeBindingDeps as v, GoalToolsContext as w, KodaXBudgetDisclosureZone as x, KodaXBudgetExtensionRequest as y, KodaXChildAgentResult as z };
+export { BASH_POLICY_SPEC as B, buildGoalRuntimeBinding as aQ, createBashPrefixExtractor as aR, decideWorkflowInvocation as aS, extractCommandPrefix as aT, getDefaultLspService as aU, makeDisabledGoalToolsContext as aV, shutdownDefaultLspService as aW, withGoalBeforeNextTurn as aX, withGoalStopHook as aY, workflowStartOutcomeConsumesTurn as aZ, LSP_SERVERS as ap, LspService as ar };
+export type { KodaXRuntimeVerificationContract as $, KodaXManagedBudgetSnapshot as A, ChildSnapshotEvent as C, DiagnosticsRequest as D, ExtensionRuntimeContract as E, FailureStage as F, GoalBlockedResult as G, KodaXManagedProtocolPayload as H, KodaXManagedTask as I, KodaXManagedTaskRuntimeState as J, KodaXActivityEventMeta as K, KodaXManagedTaskStatusEvent as L, KodaXManualTopicId as M, KodaXManualTopicInput as N, KodaXMemoryStrategy as O, KodaXOptions as P, KodaXOrchestrationVerdict as Q, KodaXParentReductionContract as R, KodaXProviderPolicyHints as S, KodaXRepoIntelligenceCapability as T, KodaXRepoIntelligenceMode as U, KodaXRepoIntelligenceResolvedMode as V, KodaXRepoIntelligenceTrace as W, KodaXRepoIntelligenceTraceEvent as X, KodaXRepoRoutingSignals as Y, KodaXResult as Z, KodaXRoleRoundSummary as _, BashPrefixExtractor as a, KodaXSelfManualConfig as a0, KodaXSessionControl as a1, KodaXSessionMutators as a2, KodaXSessionOptions as a3, KodaXSkillInvocationContext as a4, KodaXSkillMap as a5, KodaXSkillProjectionConfidence as a6, KodaXTaskCapabilityHint as a7, KodaXTaskContract as a8, KodaXTaskEvidenceArtifact as a9, RecoveryResult as aA, ResilienceClassification as aB, ResilienceErrorClass as aC, ResolveKodaXManualInput as aD, ResolveKodaXManualOptions as aE, ResolveKodaXManualResult as aF, TodoItem as aG, TodoList as aH, TodoStatus as aI, WorkflowHostPolicy as aJ, WorkflowInvocationAction as aK, WorkflowInvocationPolicyDecision as aL, WorkflowInvocationPolicyInput as aM, WorkflowInvocationSource as aN, WorkflowInvocationTrigger as aO, WorkflowStartOutcome as aP, KodaXTaskEvidenceBundle as aa, KodaXTaskEvidenceEntry as ab, KodaXTaskRole as ac, KodaXTaskRoleAssignment as ad, KodaXTaskStatus as ae, KodaXTaskSurface as af, KodaXTaskToolPolicy as ag, KodaXTaskVerificationContract as ah, KodaXTaskVerificationCriterion as ai, KodaXTaskWorkItem as aj, KodaXToolEventMeta as ak, KodaXToolExecutionContext as al, KodaXVerificationScorecard as am, KodaXVerificationScorecardCriterion as an, KodaXWorkflowEventMeta as ao, LspServerInfo as aq, LspServiceConfig as as, ProviderExecutionState as at, ProviderRecoveryEvent as au, ProviderResilienceConfig as av, ProviderResiliencePolicy as aw, RecoveryAction as ax, RecoveryDecision as ay, RecoveryLadderStep as az, BashPrefixResult as b, CreateBashPrefixExtractorOptions as c, ExtractCommandPrefixOptions as d, GoalCompleteResult as e, GoalCreateInput as f, GoalLifecycleContext as g, GoalRuntimeBinding as h, GoalRuntimeBindingDeps as i, GoalToolsContext as j, KodaXAgentMode as k, KodaXBudgetDisclosureZone as l, KodaXBudgetExtensionRequest as m, KodaXChildAgentResult as n, KodaXChildContextBundle as o, KodaXChildExecutionResult as p, KodaXCompactionOverride as q, KodaXContextOptions as r, KodaXContextTokenSnapshot as s, KodaXEvents as t, KodaXFanoutBranchLifecycle as u, KodaXFanoutBranchRecord as v, KodaXFanoutBranchTransition as w, KodaXFanoutSchedulerInput as x, KodaXFanoutSchedulerPlan as y, KodaXInputArtifact as z };