@kognai/orchestrator-core 0.1.0

package/dist/lib/omel/credential-vault.js

@@ -0,0 +1,324 @@
+"use strict";
+// OMEL Credential Vault — Sprint 177 + Sprint 182 Hardening (AMD-13)
+// Controlled access to secrets from process.env.
+// NEVER logs secret values — only key names and masked representations.
+//
+// Public API:
+//   getSecret(key)        — reads from process.env, NEVER logs value
+//   listSecrets()         — returns key NAMES only, never values
+//   hasSecret(key)        — boolean presence check
+//   maskForLog(value)     — "sk-****...****" pattern for safe logging
+//   scanForLeaks(line)    — detect verbatim secret values in a log line
+//   audit()               — CTO pre-check report: all secrets status
+//
+// Sprint 182 hardening additions:
+//   - Secret rotation detection: alert if key unchanged for >90 days
+//   - Passive log scanner: scan last 100 log lines per orchestrator run
+//   - Access rate limiting: same key accessed >50× in 60s → alert
+//   - Required secrets check: startup validation of critical env vars
+//   - audit() report method for CTO approval gate
+//
+// Audit log: logs/omel/vault-access-YYYY-MM-DD.jsonl (key name + agent_id, never value)
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.credentialVault = exports.CredentialVault = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const engine_paths_1 = require("../engine-paths");
+const https = __importStar(require("https"));
+const LOGS_DIR = path.join((0, engine_paths_1.resolveEnginePaths)().root, 'logs', 'omel');
+const VAULT_META = path.join(LOGS_DIR, 'vault-rotation-meta.json');
+const AUDIT_FILE = () => {
+    const date = new Date().toISOString().slice(0, 10);
+    return path.join(LOGS_DIR, `vault-access-${date}.jsonl`);
+};
+fs.mkdirSync(LOGS_DIR, { recursive: true });
+// ── Telegram fire-and-forget ──────────────────────────────────────────────────
+function sendTelegramAlert(message) {
+    const botToken = process.env.TELEGRAM_BOT_TOKEN || '';
+    const chatId = process.env.OWNER_TELEGRAM_CHAT_ID || '';
+    if (!botToken || !chatId)
+        return;
+    const payload = JSON.stringify({ chat_id: chatId, text: message, parse_mode: 'Markdown' });
+    try {
+        const req = https.request({
+            hostname: 'api.telegram.org',
+            path: `/bot${botToken}/sendMessage`,
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) },
+        });
+        req.on('error', () => { });
+        req.write(payload);
+        req.end();
+    }
+    catch { /* silent */ }
+}
+// ── Known secret key prefixes for passive leak scanner ───────────────────────
+const SECRET_KEY_PATTERNS = [
+    /^ANTHROPIC_API_KEY$/,
+    /^OPENAI_API_KEY$/,
+    /^TELEGRAM_BOT_TOKEN$/,
+    /^CEO_TELEGRAM_BOT_TOKEN$/,
+    /^STRIPE_SECRET_KEY$/,
+    /^STRIPE_WEBHOOK_SECRET$/,
+    /^TIKTOK_ACCESS_TOKEN$/,
+    /.*_API_KEY$/,
+    /.*_SECRET$/,
+    /.*_TOKEN$/,
+    /.*_PASSWORD$/,
+    /.*_PRIVATE_KEY$/,
+];
+// Required secrets that must be present at startup
+const REQUIRED_SECRETS = [
+    'TELEGRAM_BOT_TOKEN',
+    'OWNER_TELEGRAM_CHAT_ID',
+];
+// ── Collect known secret keys ─────────────────────────────────────────────────
+function collectSecretKeys() {
+    return Object.keys(process.env).filter(k => SECRET_KEY_PATTERNS.some(p => p.test(k)));
+}
+// ── Audit log ─────────────────────────────────────────────────────────────────
+function auditLog(key, agentId, action) {
+    const entry = {
+        ts: new Date().toISOString(),
+        key,
+        agent_id: agentId,
+        action,
+    };
+    try {
+        fs.appendFileSync(AUDIT_FILE(), JSON.stringify(entry) + '\n');
+    }
+    catch { /* if log write fails, never crash caller */ }
+}
+function loadRotationMeta() {
+    try {
+        if (fs.existsSync(VAULT_META)) {
+            return JSON.parse(fs.readFileSync(VAULT_META, 'utf-8'));
+        }
+    }
+    catch { /* ignore */ }
+    return {};
+}
+function saveRotationMeta(meta) {
+    try {
+        fs.writeFileSync(VAULT_META, JSON.stringify(meta, null, 2), 'utf-8');
+    }
+    catch { /* non-fatal */ }
+}
+function hashSecret(value) {
+    // Simple FNV-1a hash for rotation detection (not cryptographic, just drift detection)
+    let h = 2166136261;
+    for (let i = 0; i < value.length; i++) {
+        h ^= value.charCodeAt(i);
+        h = (h * 16777619) >>> 0;
+    }
+    return h.toString(16);
+}
+const RATE_LIMIT_MAX = 50; // accesses per window
+const RATE_LIMIT_WINDOW = 60_000; // 60 seconds
+// ── CredentialVault class ─────────────────────────────────────────────────────
+class CredentialVault {
+    rateCounters = new Map();
+    // ── Rate limiting helper ────────────────────────────────────────────────────
+    checkRateLimit(key, agentId) {
+        const now = Date.now();
+        const win = this.rateCounters.get(key);
+        if (!win || now - win.windowStart > RATE_LIMIT_WINDOW) {
+            // Start fresh window
+            this.rateCounters.set(key, { count: 1, windowStart: now });
+            return;
+        }
+        win.count++;
+        if (win.count > RATE_LIMIT_MAX) {
+            auditLog(key, agentId, 'rate_limit');
+            sendTelegramAlert(`⚠️ *[OMEL Vault] Rate Limit Alert*\n` +
+                `Key: \`${key}\` accessed ${win.count}× in 60s by \`${agentId}\`\n` +
+                `Possible infinite loop or runaway agent.`);
+        }
+    }
+    // ── Rotation detection ──────────────────────────────────────────────────────
+    checkRotation(key, value) {
+        const today = new Date().toISOString().slice(0, 10);
+        const meta = loadRotationMeta();
+        const h = hashSecret(value);
+        if (!meta[key]) {
+            meta[key] = { last_seen_date: today, hash: h };
+            saveRotationMeta(meta);
+            return;
+        }
+        if (meta[key].hash !== h) {
+            // Secret rotated — update record
+            meta[key] = { last_seen_date: today, hash: h };
+            saveRotationMeta(meta);
+            return;
+        }
+        // Same hash — check age
+        const daysSince = Math.floor((Date.now() - new Date(meta[key].last_seen_date).getTime()) / 86_400_000);
+        if (daysSince > 90) {
+            auditLog(key, 'system', 'rotation_alert');
+            sendTelegramAlert(`🔑 *[OMEL Vault] Rotation Alert*\n` +
+                `Key: \`${key}\` has not been rotated in *${daysSince} days* (threshold: 90)\n` +
+                `Consider rotating this secret.`);
+        }
+    }
+    /**
+     * Read a secret from process.env.
+     * The value is returned to the caller but NEVER written to logs.
+     */
+    getSecret(key, agentId = 'orchestrator') {
+        auditLog(key, agentId, 'get');
+        this.checkRateLimit(key, agentId);
+        const value = process.env[key] ?? '';
+        if (value)
+            this.checkRotation(key, value);
+        return value;
+    }
+    /**
+     * Return the NAMES of all env variables matching known secret patterns.
+     * Values are NEVER returned.
+     */
+    listSecrets(agentId = 'orchestrator') {
+        const keys = collectSecretKeys();
+        auditLog('__all__', agentId, 'list');
+        return keys;
+    }
+    /**
+     * Check if a secret is present (non-empty).
+     */
+    hasSecret(key, agentId = 'orchestrator') {
+        auditLog(key, agentId, 'check');
+        return Boolean(process.env[key]);
+    }
+    /**
+     * Mask a secret value for safe inclusion in logs or Telegram messages.
+     * Format: first 4 chars + "****...****" + last 4 chars.
+     */
+    maskForLog(value) {
+        if (!value)
+            return '****';
+        if (value.length <= 8)
+            return '****';
+        const prefix = value.slice(0, 4);
+        const suffix = value.slice(-4);
+        return `${prefix}****...****${suffix}`;
+    }
+    /**
+     * Passive leak scanner: check if any known secret value appears verbatim
+     * in the given log line. Returns the leaked key names (never the values).
+     */
+    scanForLeaks(line) {
+        const leaked = [];
+        for (const key of collectSecretKeys()) {
+            const value = process.env[key];
+            if (value && value.length >= 8 && line.includes(value)) {
+                leaked.push(key);
+                process.stderr.write(`[OMEL-VAULT] ⚠️  Secret value for ${key} detected in log line — redact before writing!\n`);
+            }
+        }
+        return leaked;
+    }
+    /**
+     * Scan last N lines of a log file for secret leaks.
+     * Returns list of (key, line_number) tuples where leaks were detected.
+     * Intended for use by CTO gate pre-check and orchestrator run startup.
+     */
+    scanLogFile(logFilePath, lastNLines = 100) {
+        const results = [];
+        try {
+            if (!fs.existsSync(logFilePath))
+                return results;
+            const lines = fs.readFileSync(logFilePath, 'utf-8')
+                .split('\n').filter(l => l.trim());
+            const slice = lines.slice(-lastNLines);
+            slice.forEach((line, i) => {
+                const leaked = this.scanForLeaks(line);
+                for (const key of leaked)
+                    results.push({ key, lineIndex: i });
+            });
+        }
+        catch { /* non-fatal */ }
+        return results;
+    }
+    /**
+     * Startup required-secrets validation.
+     * Logs + throws if any required key is missing.
+     * Call once at orchestrator startup.
+     */
+    validateRequired(requiredKeys = REQUIRED_SECRETS) {
+        const missing = requiredKeys.filter(k => !process.env[k]);
+        if (missing.length === 0)
+            return;
+        const msg = `[OMEL-VAULT] Missing required secrets: ${missing.join(', ')}`;
+        process.stderr.write(msg + '\n');
+        try {
+            fs.appendFileSync(AUDIT_FILE(), JSON.stringify({
+                ts: new Date().toISOString(),
+                action: 'startup_validation_failed',
+                missing,
+            }) + '\n');
+        }
+        catch { /* ignore */ }
+        throw new Error(msg);
+    }
+    /**
+     * CTO approval gate audit report.
+     * Returns a summary of vault state: which secrets are present, rotation status.
+     * Values are NEVER included.
+     */
+    audit() {
+        const keys = collectSecretKeys();
+        const present = keys.filter(k => Boolean(process.env[k]));
+        const missing = REQUIRED_SECRETS.filter(k => !process.env[k]);
+        const rotationWarnings = [];
+        const meta = loadRotationMeta();
+        for (const key of present) {
+            if (meta[key]) {
+                const daysSince = Math.floor((Date.now() - new Date(meta[key].last_seen_date).getTime()) / 86_400_000);
+                if (daysSince > 90)
+                    rotationWarnings.push(`${key} (${daysSince}d)`);
+            }
+        }
+        return {
+            total_secrets: keys.length,
+            present,
+            missing,
+            rotation_warnings: rotationWarnings,
+            generated_at: new Date().toISOString(),
+        };
+    }
+}
+exports.CredentialVault = CredentialVault;
+// Exported singleton
+exports.credentialVault = new CredentialVault();

package/dist/lib/omel/human-brake.d.ts

@@ -0,0 +1,32 @@
+export type HighRiskOp = 'file_delete' | 'git_reset_hard' | 'env_change' | 'schema_migration' | 'bulk_overwrite' | 'new_file';
+export interface ApprovalResult {
+    approved: boolean;
+    approvedBy?: string;
+    reason?: string;
+    ts: string;
+    risk_score?: number;
+    response_ms?: number;
+}
+export declare class HumanBrake {
+    /**
+     * Returns true if operation is a known HighRiskOp type,
+     * OR if context.filePath touches protected files.
+     */
+    isHighRisk(operation: string, context?: any): boolean;
+    /**
+     * Returns a risk score 1-10 for the given operation + context.
+     * High (8-10): requires approval. Medium (5-7): log only. Low (1-4): silent pass.
+     *
+     * Context fields considered:
+     *   - filePath: if it's an orchestrator core file, score bumped to max
+     *   - size: bulk ops on large files get higher score
+     */
+    getRiskScore(operation: string, context?: any): number;
+    /**
+     * Send Telegram approval request and poll for up to 5 minutes.
+     * Returns ApprovalResult: approved on 'yes'/'approve', rejected on other reply or timeout.
+     * Logs response time and emits AAR entry (Sprint 184).
+     */
+    requireApproval(operation: HighRiskOp, context?: any): Promise<ApprovalResult>;
+}
+export declare const humanBrake: HumanBrake;

package/dist/lib/omel/human-brake.js

@@ -0,0 +1,289 @@
+"use strict";
+// OMEL Human Brake — Sprint 179 + Sprint 184 Hardening (AMD-13)
+// Human-in-the-loop safety gate for high-risk operations.
+// Telegram approval flow: send notification → poll getUpdates up to 5 min.
+// ABORT on timeout or non-approval reply. JSONL audit trail.
+//
+// API:
+//   requireApproval(operation: HighRiskOp): Promise<ApprovalResult>
+//   isHighRisk(operation: string, context: any): boolean
+//   getRiskScore(operation: string, context: any): number  (Sprint 184)
+//
+// Sprint 184 hardening additions:
+//   - Risk scoring: getRiskScore() → 1-10 scale
+//   - Operation risk table: file_delete=9, git_reset_hard=10, new_file=2, etc.
+//   - Approval response time logged per operation
+//   - HUMAN_BRAKE_DISABLED=true triggers daily Telegram reminder
+//   - AARMiddleware integration: approved/rejected ops get AAR entry
+//
+// Audit log: logs/omel/human-brake-YYYY-MM-DD.jsonl
+// Env: TELEGRAM_BOT_TOKEN, OWNER_TELEGRAM_CHAT_ID, HUMAN_BRAKE_DISABLED
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.humanBrake = exports.HumanBrake = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const engine_paths_1 = require("../engine-paths");
+const https = __importStar(require("https"));
+// ── Risk score table (Sprint 184) ─────────────────────────────────────────────
+const RISK_SCORES = {
+    git_reset_hard: 10,
+    file_delete: 9,
+    env_change: 8,
+    schema_migration: 8,
+    bulk_overwrite: 7,
+    new_file: 2,
+};
+// ── Logging ───────────────────────────────────────────────────────────────────
+const LOGS_DIR = path.join((0, engine_paths_1.resolveEnginePaths)().root, 'logs', 'omel');
+fs.mkdirSync(LOGS_DIR, { recursive: true });
+function logFile() {
+    const date = new Date().toISOString().slice(0, 10);
+    return path.join(LOGS_DIR, `human-brake-${date}.jsonl`);
+}
+function appendLog(entry) {
+    try {
+        fs.appendFileSync(logFile(), JSON.stringify(entry) + '\n');
+    }
+    catch { /* never crash caller */ }
+}
+// ── AARMiddleware integration (Sprint 184) ────────────────────────────────────
+// Lazy import to avoid circular dependency — AARMiddleware may import OMEL
+function writeAAREntry(operation, approved, risk_score, response_ms) {
+    try {
+        const aarDir = path.join((0, engine_paths_1.resolveEnginePaths)().root, 'logs', 'aar');
+        fs.mkdirSync(aarDir, { recursive: true });
+        const date = new Date().toISOString().slice(0, 10);
+        const aarFile = path.join(aarDir, `${date}.jsonl`);
+        const entry = {
+            ts: new Date().toISOString(),
+            source: 'omel_human_brake',
+            operation,
+            approved,
+            risk_score,
+            response_ms,
+            receipt_hash: Buffer.from(`${operation}${Date.now()}`).toString('base64').slice(0, 32),
+        };
+        fs.appendFileSync(aarFile, JSON.stringify(entry) + '\n');
+    }
+    catch { /* non-fatal */ }
+}
+// ── Telegram helpers ──────────────────────────────────────────────────────────
+const HIGH_RISK_OP_SET = new Set([
+    'file_delete', 'git_reset_hard', 'env_change', 'schema_migration', 'bulk_overwrite',
+]);
+const HIGH_RISK_PATH_FRAGMENTS = ['orchestrate-agents', 'clawrouter', '.env'];
+function sendTelegram(message) {
+    const botToken = process.env.TELEGRAM_BOT_TOKEN || '';
+    const chatId = process.env.OWNER_TELEGRAM_CHAT_ID || '';
+    if (!botToken || !chatId)
+        return;
+    const payload = JSON.stringify({ chat_id: chatId, text: message, parse_mode: 'Markdown' });
+    try {
+        const req = https.request({
+            hostname: 'api.telegram.org',
+            path: `/bot${botToken}/sendMessage`,
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) },
+        });
+        req.on('error', () => { }); // fire-and-forget, never crash
+        req.write(payload);
+        req.end();
+    }
+    catch { /* silent */ }
+}
+function getUpdates(offset, longPollSeconds) {
+    return new Promise((resolve) => {
+        const botToken = process.env.TELEGRAM_BOT_TOKEN || '';
+        if (!botToken) {
+            resolve([]);
+            return;
+        }
+        const req = https.request({
+            hostname: 'api.telegram.org',
+            path: `/bot${botToken}/getUpdates?offset=${offset}&timeout=${longPollSeconds}`,
+            method: 'GET',
+        }, (res) => {
+            let raw = '';
+            res.on('data', (chunk) => { raw += chunk; });
+            res.on('end', () => {
+                try {
+                    const parsed = JSON.parse(raw);
+                    resolve(parsed.ok ? parsed.result : []);
+                }
+                catch {
+                    resolve([]);
+                }
+            });
+        });
+        req.on('error', () => resolve([]));
+        req.setTimeout((longPollSeconds + 10) * 1000, () => { req.destroy(); resolve([]); });
+        req.end();
+    });
+}
+// ── HUMAN_BRAKE_DISABLED daily reminder (Sprint 184) ─────────────────────────
+const DISABLED_REMINDER_FILE = path.join(LOGS_DIR, 'brake-disabled-reminder.json');
+function sendDisabledReminderIfNeeded() {
+    const today = new Date().toISOString().slice(0, 10);
+    try {
+        let lastSent = '';
+        if (fs.existsSync(DISABLED_REMINDER_FILE)) {
+            lastSent = JSON.parse(fs.readFileSync(DISABLED_REMINDER_FILE, 'utf-8')).last_sent ?? '';
+        }
+        if (lastSent === today)
+            return; // already sent today
+        sendTelegram(`⚠️ *[OMEL HumanBrake] Brake DISABLED*\n` +
+            `\`HUMAN_BRAKE_DISABLED=true\` is set in your environment.\n` +
+            `High-risk operations will NOT require approval.\n` +
+            `This reminder fires daily until the flag is removed.`);
+        fs.writeFileSync(DISABLED_REMINDER_FILE, JSON.stringify({ last_sent: today }), 'utf-8');
+    }
+    catch { /* non-fatal */ }
+}
+// ── HumanBrake class ──────────────────────────────────────────────────────────
+class HumanBrake {
+    /**
+     * Returns true if operation is a known HighRiskOp type,
+     * OR if context.filePath touches protected files.
+     */
+    isHighRisk(operation, context = {}) {
+        // Gate by the score-threshold the docstring on getRiskScore already
+        // promises ("High (8-10): requires approval"). Catches file_delete (9),
+        // git_reset_hard (10), env_change (8), schema_migration (8), and any
+        // op bumped to ≥8 by HIGH_RISK_PATH_FRAGMENTS or size context.
+        // Drops bulk_overwrite (7) — was sweep-catching every routine source
+        // edit and forcing a 5-min Telegram approval wait per task, blocking
+        // autonomous swarm runs.
+        return this.getRiskScore(operation, context) >= 8;
+    }
+    /**
+     * Returns a risk score 1-10 for the given operation + context.
+     * High (8-10): requires approval. Medium (5-7): log only. Low (1-4): silent pass.
+     *
+     * Context fields considered:
+     *   - filePath: if it's an orchestrator core file, score bumped to max
+     *   - size: bulk ops on large files get higher score
+     */
+    getRiskScore(operation, context = {}) {
+        let score = RISK_SCORES[operation] ?? 5; // default 5 (medium) for unknown ops
+        // Bump to 10 if touching core orchestrator or config files
+        const filePath = String(context.filePath || '');
+        if (HIGH_RISK_PATH_FRAGMENTS.some(f => filePath.includes(f))) {
+            score = Math.max(score, 9);
+        }
+        // Bump for large file bulk ops
+        const sizeBytes = Number(context.sizeBytes || 0);
+        if (operation === 'bulk_overwrite' && sizeBytes > 50_000) {
+            score = Math.max(score, 9);
+        }
+        return Math.min(10, Math.max(1, score));
+    }
+    /**
+     * Send Telegram approval request and poll for up to 5 minutes.
+     * Returns ApprovalResult: approved on 'yes'/'approve', rejected on other reply or timeout.
+     * Logs response time and emits AAR entry (Sprint 184).
+     */
+    async requireApproval(operation, context = {}) {
+        const ts = new Date().toISOString();
+        const risk_score = this.getRiskScore(operation, context);
+        const requestedAt = Date.now();
+        // ── HUMAN_BRAKE_DISABLED bypass ──────────────────────────────────────────
+        if (process.env.HUMAN_BRAKE_DISABLED === 'true') {
+            sendDisabledReminderIfNeeded();
+            const response_ms = Date.now() - requestedAt;
+            appendLog({ event: 'brake_disabled', operation, risk_score, response_ms, ts });
+            writeAAREntry(operation, true, risk_score, response_ms);
+            return { approved: true, approvedBy: 'HUMAN_BRAKE_DISABLED', risk_score, response_ms, ts };
+        }
+        // ── Notify operator via Telegram ─────────────────────────────────────────
+        sendTelegram(`🛑 *[OMEL HumanBrake] Approval Required*\n` +
+            `Operation: \`${operation}\`\n` +
+            `Risk Score: *${risk_score}/10*\n` +
+            `Requested: ${ts}\n\n` +
+            `Reply *yes* or *approve* to allow.\n` +
+            `Any other reply or 5-minute timeout = ABORT.`);
+        appendLog({ event: 'approval_requested', operation, risk_score, ts });
+        // ── Poll Telegram for up to 5 minutes ────────────────────────────────────
+        const chatId = process.env.OWNER_TELEGRAM_CHAT_ID || '';
+        const deadline = Date.now() + 5 * 60 * 1000;
+        let offset = 0;
+        while (Date.now() < deadline) {
+            const remainingMs = deadline - Date.now();
+            if (remainingMs <= 0)
+                break;
+            const pollSecs = Math.min(30, Math.floor(remainingMs / 1000));
+            if (pollSecs <= 0)
+                break;
+            const updates = await getUpdates(offset, pollSecs);
+            for (const update of updates) {
+                if (typeof update.update_id === 'number') {
+                    offset = update.update_id + 1;
+                }
+                const msg = update.message || update.edited_message;
+                if (!msg)
+                    continue;
+                if (chatId && String(msg.chat?.id) !== chatId)
+                    continue;
+                const text = String(msg.text || '').trim().toLowerCase();
+                if (text === 'yes' || text === 'approve') {
+                    const approvedTs = new Date().toISOString();
+                    const response_ms = Date.now() - requestedAt;
+                    appendLog({ event: 'approved', operation, risk_score, approvedBy: 'telegram', response_ms, ts: approvedTs });
+                    writeAAREntry(operation, true, risk_score, response_ms);
+                    return { approved: true, approvedBy: 'telegram', risk_score, response_ms, ts: approvedTs };
+                }
+                // Any non-approval reply → reject immediately
+                const rejectedTs = new Date().toISOString();
+                const response_ms = Date.now() - requestedAt;
+                appendLog({ event: 'rejected', operation, risk_score, reason: 'rejected', replyText: text, response_ms, ts: rejectedTs });
+                writeAAREntry(operation, false, risk_score, response_ms);
+                sendTelegram(`❌ *[OMEL HumanBrake] ABORTED*\nOperation \`${operation}\` rejected by operator.`);
+                return { approved: false, reason: 'rejected', risk_score, response_ms, ts: rejectedTs };
+            }
+        }
+        // ── Timeout ──────────────────────────────────────────────────────────────
+        const timeoutTs = new Date().toISOString();
+        const response_ms = Date.now() - requestedAt;
+        appendLog({ event: 'timeout_abort', operation, risk_score, reason: 'timeout', response_ms, ts: timeoutTs });
+        writeAAREntry(operation, false, risk_score, response_ms);
+        sendTelegram(`⏰ *[OMEL HumanBrake] TIMEOUT — ABORTED*\n` +
+            `Operation \`${operation}\` aborted — no response within 5 minutes.\n` +
+            `Risk Score: *${risk_score}/10*`);
+        return { approved: false, reason: 'timeout', risk_score, response_ms, ts: timeoutTs };
+    }
+}
+exports.HumanBrake = HumanBrake;
+// ── Singleton export ──────────────────────────────────────────────────────────
+exports.humanBrake = new HumanBrake();

package/dist/lib/omel/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * OMEL (Operational Memory & Execution Ledger) safety cluster — Phase 3b-3 Wave B.
+ * Summer Yu §8 measures: credential vault, human-brake kill switch, phantom
+ * workspace sandbox, wipe-witness tamper ledger. Self-contained, stdlib-only;
+ * roots resolved via engine-paths (<root>/logs/omel, <root>/logs/aar).
+ */
+export * from './credential-vault';
+export * from './human-brake';
+export * from './phantom-workspace';
+export * from './wipe-witness';

package/dist/lib/omel/index.js

@@ -0,0 +1,26 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * OMEL (Operational Memory & Execution Ledger) safety cluster — Phase 3b-3 Wave B.
+ * Summer Yu §8 measures: credential vault, human-brake kill switch, phantom
+ * workspace sandbox, wipe-witness tamper ledger. Self-contained, stdlib-only;
+ * roots resolved via engine-paths (<root>/logs/omel, <root>/logs/aar).
+ */
+__exportStar(require("./credential-vault"), exports);
+__exportStar(require("./human-brake"), exports);
+__exportStar(require("./phantom-workspace"), exports);
+__exportStar(require("./wipe-witness"), exports);