@lumenflow/cli 3.14.0 → 3.16.0

package/dist/chunk-HRGSYNLM.js

@@ -0,0 +1,3511 @@
+import {
+  BASE64_ENCODING,
+  DEFAULT_KERNEL_RUNTIME_VERSION,
+  DEFAULT_WORKSPACE_CONFIG_HASH,
+  EXECUTION_METADATA_KEYS,
+  ExecutionContextSchema,
+  KERNEL_EVENT_KINDS,
+  KERNEL_POLICY_IDS,
+  KERNEL_RUNTIME_EVENTS_DIR_NAME,
+  KERNEL_RUNTIME_EVENTS_FILE_NAME,
+  KERNEL_RUNTIME_EVENTS_LOCK_FILE_NAME,
+  KERNEL_RUNTIME_EVIDENCE_DIR_NAME,
+  KERNEL_RUNTIME_ROOT_DIR_NAME,
+  KERNEL_RUNTIME_TASKS_DIR_NAME,
+  KernelEventSchema,
+  LUMENFLOW_DIR_NAME,
+  LUMENFLOW_SCOPE_NAME,
+  PACKAGES_DIR_NAME,
+  PACKS_DIR_NAME,
+  PACK_MANIFEST_FILE_NAME,
+  POLICY_TRIGGERS,
+  PackLoader,
+  PolicyEngine,
+  RESERVED_FRAMEWORK_SCOPE_GLOB,
+  RESERVED_FRAMEWORK_SCOPE_PREFIX,
+  RESERVED_FRAMEWORK_SCOPE_ROOT,
+  RUN_STATUSES,
+  RunSchema,
+  SHA256_ALGORITHM,
+  SHA256_HEX_REGEX,
+  TOOL_ERROR_CODES,
+  TOOL_HANDLER_KINDS,
+  TOOL_TRACE_KINDS,
+  TaskSpecSchema,
+  TaskStateSchema,
+  ToolCapabilitySchema,
+  ToolOutputSchema,
+  ToolScopeSchema,
+  ToolTraceEntrySchema,
+  UTF8_ENCODING,
+  WORKSPACE_CONFIG_HASH_CONTEXT_KEYS,
+  WORKSPACE_FILE_NAME,
+  WorkspaceSpecSchema,
+  isRunLifecycleEventKind,
+  isTaskEventKind,
+  resolvePackToolEntryPath,
+  validateWorkspaceRootKeys
+} from "./chunk-HANJXVKW.js";
+
+// ../kernel/dist/runtime/kernel-runtime.js
+import { randomBytes } from "crypto";
+import { access, mkdir as mkdir3, open as open3, readFile as readFile4, readdir as readdir2, rm as rm3 } from "fs/promises";
+import path4 from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+import YAML from "yaml";
+import { z as z4 } from "zod";
+
+// ../kernel/dist/canonical-json.js
+import { createHash } from "crypto";
+import { parse as parseYaml } from "yaml";
+function toCanonicalValue(value) {
+  let normalized;
+  if (value === null) {
+    normalized = null;
+  } else if (typeof value === "boolean" || typeof value === "number" || typeof value === "string") {
+    normalized = value;
+  } else if (value instanceof Date) {
+    normalized = value.toISOString();
+  } else if (Array.isArray(value)) {
+    normalized = value.map((item) => toCanonicalValue(item));
+  } else if (typeof value === "object") {
+    const objectValue = value;
+    const entries = Object.keys(objectValue).sort((left, right) => left.localeCompare(right)).map((key) => [key, toCanonicalValue(objectValue[key])]);
+    const sorted = {};
+    for (const [key, entryValue] of entries) {
+      sorted[key] = entryValue;
+    }
+    normalized = sorted;
+  } else {
+    throw new TypeError(`Unsupported value in canonical_json input: ${String(value)}`);
+  }
+  return normalized;
+}
+function canonicalStringify(source) {
+  const parsed = typeof source === "string" ? parseYaml(source) : source;
+  const canonical = toCanonicalValue(parsed);
+  return JSON.stringify(canonical);
+}
+function canonical_json(source) {
+  const canonical = canonicalStringify(source);
+  return createHash(SHA256_ALGORITHM).update(canonical, UTF8_ENCODING).digest("hex");
+}
+
+// ../kernel/dist/event-store/index.js
+import { mkdirSync, watch } from "fs";
+import { appendFile, mkdir, open, readFile, rm, stat } from "fs/promises";
+import { basename, dirname } from "path";
+var DEFAULT_LOCK_RETRY_DELAY_MS = 20;
+var DEFAULT_LOCK_MAX_RETRIES = 250;
+var PROCESS_EXISTS_SIGNAL = 0;
+var SUBSCRIPTION_DEBOUNCE_MS = 25;
+var SUBSCRIPTION_MAX_DRAIN_PASSES = 8;
+var DEFAULT_REPLAY_LIMIT = 100;
+var MAX_REPLAY_LIMIT = 500;
+function sleep(ms) {
+  return new Promise((resolve2) => {
+    setTimeout(resolve2, ms);
+  });
+}
+function toTimestampMillis(value) {
+  const parsed = Date.parse(value);
+  return Number.isNaN(parsed) ? 0 : parsed;
+}
+function hasTaskId(event) {
+  return "task_id" in event;
+}
+function isRunLifecycleEvent(event) {
+  return isRunLifecycleEventKind(event.kind);
+}
+function parseReplayFilter(filter) {
+  const kinds = Array.isArray(filter.kind) ? new Set(filter.kind) : filter.kind ? /* @__PURE__ */ new Set([filter.kind]) : null;
+  const since = filter.sinceTimestamp ? toTimestampMillis(filter.sinceTimestamp) : null;
+  const until = filter.untilTimestamp ? toTimestampMillis(filter.untilTimestamp) : null;
+  return { kinds, since, until };
+}
+function eventMatchesFilter(event, filter, parsedFilter) {
+  if (filter.taskId) {
+    if (!hasTaskId(event)) {
+      return false;
+    }
+    if (event.task_id !== filter.taskId) {
+      return false;
+    }
+  }
+  if (parsedFilter.kinds && !parsedFilter.kinds.has(event.kind)) {
+    return false;
+  }
+  const ts = toTimestampMillis(event.timestamp);
+  if (parsedFilter.since !== null && ts < parsedFilter.since) {
+    return false;
+  }
+  if (parsedFilter.until !== null && ts > parsedFilter.until) {
+    return false;
+  }
+  return true;
+}
+function createSyntheticTaskSpec(taskId) {
+  return {
+    id: taskId,
+    workspace_id: "workspace-default",
+    lane_id: "lane-default",
+    domain: "kernel",
+    title: `Task ${taskId}`,
+    description: `Synthetic projection seed for ${taskId}`,
+    acceptance: ["Synthetic projection"],
+    declared_scopes: [],
+    risk: "low",
+    type: "runtime",
+    priority: "P3",
+    created: "1970-01-01"
+  };
+}
+function verifyTaskSpecHash(taskSpec, events) {
+  const created = events.find((event) => event.kind === KERNEL_EVENT_KINDS.TASK_CREATED);
+  if (!created) {
+    return;
+  }
+  const expectedHash = created.spec_hash;
+  const actualHash = canonical_json(taskSpec);
+  if (expectedHash !== actualHash) {
+    throw new Error(`Spec hash mismatch for ${taskSpec.id}: expected ${expectedHash}, actual ${actualHash}`);
+  }
+}
+function reduceRunEvent(event, runs) {
+  const runId = event.run_id;
+  const existing = runs.get(runId) ?? {
+    run_id: runId,
+    task_id: event.task_id,
+    status: RUN_STATUSES.PLANNED,
+    started_at: event.timestamp,
+    by: "unknown",
+    session_id: "unknown"
+  };
+  let nextRun = { ...existing };
+  if (event.kind === KERNEL_EVENT_KINDS.RUN_STARTED) {
+    nextRun = RunSchema.parse({
+      run_id: runId,
+      task_id: event.task_id,
+      status: RUN_STATUSES.EXECUTING,
+      started_at: event.timestamp,
+      by: event.by,
+      session_id: event.session_id
+    });
+  } else if (event.kind === KERNEL_EVENT_KINDS.RUN_PAUSED) {
+    nextRun = RunSchema.parse({
+      ...existing,
+      status: RUN_STATUSES.PAUSED
+    });
+  } else if (event.kind === KERNEL_EVENT_KINDS.RUN_FAILED) {
+    nextRun = RunSchema.parse({
+      ...existing,
+      status: RUN_STATUSES.FAILED,
+      completed_at: event.timestamp
+    });
+  } else if (event.kind === KERNEL_EVENT_KINDS.RUN_SUCCEEDED) {
+    nextRun = RunSchema.parse({
+      ...existing,
+      status: RUN_STATUSES.SUCCEEDED,
+      completed_at: event.timestamp
+    });
+  }
+  runs.set(runId, nextRun);
+  return runId;
+}
+function projectTaskState(taskSpec, events) {
+  const sorted = [...events].sort((left, right) => toTimestampMillis(left.timestamp) - toTimestampMillis(right.timestamp));
+  const state = {
+    task_id: taskSpec.id,
+    status: "ready",
+    run_count: 0
+  };
+  const runs = /* @__PURE__ */ new Map();
+  let currentRunId;
+  for (const event of sorted) {
+    if (isTaskEventKind(event.kind)) {
+      if (event.kind === KERNEL_EVENT_KINDS.TASK_CREATED) {
+        state.status = "ready";
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_CLAIMED) {
+        state.status = "active";
+        state.claimed_at = event.timestamp;
+        state.claimed_by = event.by;
+        state.session_id = event.session_id;
+        state.blocked_reason = void 0;
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_BLOCKED) {
+        state.status = "blocked";
+        state.blocked_reason = event.reason;
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_UNBLOCKED) {
+        state.status = "active";
+        state.blocked_reason = void 0;
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_WAITING) {
+        state.status = "waiting";
+        state.blocked_reason = event.reason;
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_RESUMED) {
+        state.status = "active";
+        state.blocked_reason = void 0;
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_COMPLETED) {
+        state.status = "done";
+        state.completed_at = event.timestamp;
+      } else if (event.kind === KERNEL_EVENT_KINDS.TASK_RELEASED) {
+        state.status = "ready";
+        state.session_id = void 0;
+      }
+    }
+    if (isRunLifecycleEvent(event)) {
+      currentRunId = reduceRunEvent(event, runs);
+    }
+  }
+  state.run_count = runs.size;
+  state.current_run = currentRunId ? runs.get(currentRunId) : void 0;
+  return TaskStateSchema.parse(state);
+}
+var EventStore = class {
+  eventsFilePath;
+  lockFilePath;
+  lockRetryDelayMs;
+  lockMaxRetries;
+  taskSpecLoader;
+  indexesHydrated = false;
+  orderedEvents = [];
+  byTask = /* @__PURE__ */ new Map();
+  byKind = /* @__PURE__ */ new Map();
+  byTimestamp = /* @__PURE__ */ new Map();
+  constructor(options) {
+    this.eventsFilePath = options.eventsFilePath;
+    this.lockFilePath = options.lockFilePath;
+    this.lockRetryDelayMs = options.lockRetryDelayMs ?? DEFAULT_LOCK_RETRY_DELAY_MS;
+    this.lockMaxRetries = options.lockMaxRetries ?? DEFAULT_LOCK_MAX_RETRIES;
+    this.taskSpecLoader = options.taskSpecLoader;
+  }
+  async append(event) {
+    await this.appendAll([event]);
+  }
+  async appendAll(events) {
+    if (events.length === 0) {
+      return;
+    }
+    const validatedEvents = events.map((event) => {
+      const parsed = KernelEventSchema.safeParse(event);
+      if (!parsed.success) {
+        throw new Error(`KernelEvent validation failed: ${parsed.error.message}`);
+      }
+      return parsed.data;
+    });
+    const payload = validatedEvents.map((event) => `${JSON.stringify(event)}
+`).join("");
+    await this.withFileLock(async () => {
+      await mkdir(dirname(this.eventsFilePath), { recursive: true });
+      await appendFile(this.eventsFilePath, payload, UTF8_ENCODING);
+    });
+    if (!this.indexesHydrated) {
+      await this.reloadFromDisk();
+      return;
+    }
+    for (const event of validatedEvents) {
+      this.applyEventToIndexes(event);
+    }
+  }
+  async replay(filter = {}) {
+    await this.reloadFromDisk();
+    const parsedFilter = parseReplayFilter(filter);
+    const cursorMs = filter.cursor ? toTimestampMillis(filter.cursor) : null;
+    const effectiveLimit = Math.min(Math.max(1, filter.limit ?? DEFAULT_REPLAY_LIMIT), MAX_REPLAY_LIMIT);
+    const matched = [];
+    let totalMatchingAfterPage = 0;
+    for (const event of this.orderedEvents) {
+      if (!eventMatchesFilter(event, filter, parsedFilter)) {
+        continue;
+      }
+      if (cursorMs !== null && toTimestampMillis(event.timestamp) <= cursorMs) {
+        continue;
+      }
+      if (matched.length < effectiveLimit) {
+        matched.push(event);
+      } else {
+        totalMatchingAfterPage += 1;
+        break;
+      }
+    }
+    const hasMore = totalMatchingAfterPage > 0;
+    const lastEvent = matched[matched.length - 1];
+    const nextCursor = hasMore && lastEvent ? lastEvent.timestamp : null;
+    return { events: matched, nextCursor };
+  }
+  subscribe(filter = {}, callback) {
+    const parsedFilter = parseReplayFilter(filter);
+    const watchedDirectory = dirname(this.eventsFilePath);
+    const watchedFileName = basename(this.eventsFilePath);
+    let isDisposed = false;
+    let isDraining = false;
+    let shouldDrainAgain = false;
+    let drainTimer = null;
+    let initializedOffset = false;
+    let offset = 0;
+    let trailingPartialLine = "";
+    const initialOffsetPromise = this.getCurrentFileSize();
+    const safeInvoke = async (event) => {
+      try {
+        await callback(event);
+      } catch {
+      }
+    };
+    const processTextChunk = async (text, didTruncate) => {
+      if (didTruncate) {
+        trailingPartialLine = "";
+      }
+      const combinedText = trailingPartialLine + text;
+      const lines = combinedText.split("\n");
+      trailingPartialLine = lines.pop() ?? "";
+      for (const rawLine of lines) {
+        const line = rawLine.trim();
+        if (!line) {
+          continue;
+        }
+        let parsed;
+        try {
+          parsed = JSON.parse(line);
+        } catch {
+          continue;
+        }
+        const eventResult = KernelEventSchema.safeParse(parsed);
+        if (!eventResult.success) {
+          continue;
+        }
+        if (eventMatchesFilter(eventResult.data, filter, parsedFilter)) {
+          await safeInvoke(eventResult.data);
+        }
+      }
+    };
+    const drain = async () => {
+      if (isDisposed || isDraining) {
+        return;
+      }
+      isDraining = true;
+      try {
+        if (!initializedOffset) {
+          offset = await initialOffsetPromise;
+          initializedOffset = true;
+        }
+        let passes = 0;
+        do {
+          shouldDrainAgain = false;
+          const readResult = await this.readTailFromOffset(offset);
+          offset = readResult.nextOffset;
+          if (readResult.text.length > 0 || readResult.didTruncate) {
+            await processTextChunk(readResult.text, readResult.didTruncate);
+          }
+          passes += 1;
+          if (readResult.text.length === 0 && !readResult.didTruncate) {
+            break;
+          }
+        } while (!isDisposed && shouldDrainAgain && passes < SUBSCRIPTION_MAX_DRAIN_PASSES);
+      } finally {
+        isDraining = false;
+      }
+    };
+    const scheduleDrain = () => {
+      if (isDisposed) {
+        return;
+      }
+      shouldDrainAgain = true;
+      if (drainTimer) {
+        return;
+      }
+      drainTimer = setTimeout(() => {
+        drainTimer = null;
+        void drain();
+      }, SUBSCRIPTION_DEBOUNCE_MS);
+    };
+    mkdirSync(watchedDirectory, { recursive: true });
+    const watcher = watch(watchedDirectory, { persistent: false }, (eventType, filename) => {
+      if (isDisposed) {
+        return;
+      }
+      if (eventType !== "change" && eventType !== "rename") {
+        return;
+      }
+      if (filename && filename.toString() !== watchedFileName) {
+        return;
+      }
+      scheduleDrain();
+    });
+    watcher.on("error", () => {
+    });
+    return {
+      dispose: () => {
+        if (isDisposed) {
+          return;
+        }
+        isDisposed = true;
+        if (drainTimer) {
+          clearTimeout(drainTimer);
+          drainTimer = null;
+        }
+        watcher.close();
+      }
+    };
+  }
+  async project(taskId) {
+    await this.reloadFromDisk();
+    const taskEvents = this.byTask.get(taskId) ?? [];
+    let taskSpec = null;
+    if (this.taskSpecLoader) {
+      taskSpec = await this.taskSpecLoader(taskId);
+    }
+    const spec = taskSpec ?? createSyntheticTaskSpec(taskId);
+    verifyTaskSpecHash(spec, taskEvents);
+    return projectTaskState(spec, taskEvents);
+  }
+  getByTask(taskId) {
+    return [...this.byTask.get(taskId) ?? []];
+  }
+  getByKind(kind) {
+    return [...this.byKind.get(kind) ?? []];
+  }
+  getByTimestamp(timestamp) {
+    return [...this.byTimestamp.get(timestamp) ?? []];
+  }
+  buildLockMetadata() {
+    return {
+      pid: process.pid,
+      acquired_at: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  parseLockMetadata(raw) {
+    if (!raw.trim()) {
+      return null;
+    }
+    try {
+      const parsed = JSON.parse(raw);
+      if (typeof parsed.pid === "number" && Number.isInteger(parsed.pid) && parsed.pid > 0 && typeof parsed.acquired_at === "string" && parsed.acquired_at.length > 0) {
+        return {
+          pid: parsed.pid,
+          acquired_at: parsed.acquired_at
+        };
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  isProcessAlive(pid) {
+    try {
+      process.kill(pid, PROCESS_EXISTS_SIGNAL);
+      return true;
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ESRCH") {
+        return false;
+      }
+      if (nodeError.code === "EPERM") {
+        return true;
+      }
+      return true;
+    }
+  }
+  async recoverStaleLockIfNeeded() {
+    let metadataRaw;
+    try {
+      metadataRaw = await readFile(this.lockFilePath, UTF8_ENCODING);
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        return true;
+      }
+      throw error;
+    }
+    const metadata = this.parseLockMetadata(metadataRaw);
+    if (!metadata) {
+      return false;
+    }
+    if (this.isProcessAlive(metadata.pid)) {
+      return false;
+    }
+    await rm(this.lockFilePath, { force: true });
+    return true;
+  }
+  async cleanupLockHandle(handle) {
+    if (!handle) {
+      return;
+    }
+    try {
+      await handle.close();
+    } catch {
+    }
+    await rm(this.lockFilePath, { force: true });
+  }
+  async reloadFromDisk() {
+    let content;
+    try {
+      content = await readFile(this.eventsFilePath, UTF8_ENCODING);
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        this.resetIndexes();
+        this.indexesHydrated = true;
+        return;
+      }
+      throw error;
+    }
+    this.resetIndexes();
+    const lines = content.split("\n").map((line) => line.trim()).filter(Boolean);
+    for (let index = 0; index < lines.length; index += 1) {
+      const line = lines[index];
+      if (line === void 0) {
+        continue;
+      }
+      const parsed = (() => {
+        try {
+          return JSON.parse(line);
+        } catch (error) {
+          throw new Error(`Malformed JSON at line ${index + 1}: ${error.message}`, {
+            cause: error
+          });
+        }
+      })();
+      try {
+        const event = KernelEventSchema.parse(parsed);
+        this.applyEventToIndexes(event);
+      } catch (error) {
+        throw new Error(`KernelEvent parse failed at line ${index + 1}`, { cause: error });
+      }
+    }
+    this.indexesHydrated = true;
+  }
+  async getCurrentFileSize() {
+    try {
+      const fileStats = await stat(this.eventsFilePath);
+      return fileStats.size;
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        return 0;
+      }
+      throw error;
+    }
+  }
+  async readTailFromOffset(offset) {
+    let handle = null;
+    try {
+      handle = await open(this.eventsFilePath, "r");
+      const fileStats = await handle.stat();
+      const didTruncate = fileStats.size < offset;
+      const startOffset = didTruncate ? 0 : offset;
+      const bytesToRead = Math.max(0, fileStats.size - startOffset);
+      if (bytesToRead === 0) {
+        return {
+          text: "",
+          nextOffset: fileStats.size,
+          didTruncate
+        };
+      }
+      const buffer = Buffer.allocUnsafe(bytesToRead);
+      let totalBytesRead = 0;
+      while (totalBytesRead < bytesToRead) {
+        const { bytesRead } = await handle.read(buffer, totalBytesRead, bytesToRead - totalBytesRead, startOffset + totalBytesRead);
+        if (bytesRead === 0) {
+          break;
+        }
+        totalBytesRead += bytesRead;
+      }
+      return {
+        text: buffer.subarray(0, totalBytesRead).toString(UTF8_ENCODING),
+        nextOffset: startOffset + totalBytesRead,
+        didTruncate
+      };
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        return {
+          text: "",
+          nextOffset: 0,
+          didTruncate: offset > 0
+        };
+      }
+      throw error;
+    } finally {
+      if (handle) {
+        await handle.close().catch(() => {
+        });
+      }
+    }
+  }
+  resetIndexes() {
+    this.orderedEvents = [];
+    this.byTask = /* @__PURE__ */ new Map();
+    this.byKind = /* @__PURE__ */ new Map();
+    this.byTimestamp = /* @__PURE__ */ new Map();
+  }
+  applyEventToIndexes(event) {
+    this.orderedEvents.push(event);
+    if (hasTaskId(event)) {
+      const taskBucket = this.byTask.get(event.task_id) ?? [];
+      taskBucket.push(event);
+      this.byTask.set(event.task_id, taskBucket);
+    }
+    const kindBucket = this.byKind.get(event.kind) ?? [];
+    kindBucket.push(event);
+    this.byKind.set(event.kind, kindBucket);
+    const tsBucket = this.byTimestamp.get(event.timestamp) ?? [];
+    tsBucket.push(event);
+    this.byTimestamp.set(event.timestamp, tsBucket);
+  }
+  async withFileLock(operation) {
+    await mkdir(dirname(this.lockFilePath), { recursive: true });
+    for (let attempt = 0; attempt <= this.lockMaxRetries; attempt += 1) {
+      let handle = null;
+      try {
+        handle = await open(this.lockFilePath, "wx");
+        await handle.writeFile(JSON.stringify(this.buildLockMetadata()), UTF8_ENCODING);
+        const result = await operation();
+        await this.cleanupLockHandle(handle);
+        return result;
+      } catch (error) {
+        const nodeError = error;
+        await this.cleanupLockHandle(handle);
+        if (nodeError.code === "EEXIST" && attempt < this.lockMaxRetries) {
+          const recovered = await this.recoverStaleLockIfNeeded();
+          if (recovered) {
+            continue;
+          }
+          await sleep(this.lockRetryDelayMs);
+          continue;
+        }
+        throw error;
+      }
+    }
+    throw new Error(`Failed to acquire event-store lock at ${this.lockFilePath}`);
+  }
+};
+
+// ../kernel/dist/evidence/evidence-store.js
+import { appendFile as appendFile2, mkdir as mkdir2, open as open2, readdir, rename, rm as rm2 } from "fs/promises";
+import { createHash as createHash2 } from "crypto";
+import { join } from "path";
+
+// ../kernel/dist/evidence/fs-helpers.js
+import { readFile as readFile2, stat as stat2 } from "fs/promises";
+async function readFileOrEmpty(filePath) {
+  try {
+    return await readFile2(filePath, UTF8_ENCODING);
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return "";
+    }
+    throw error;
+  }
+}
+async function statOrNull(filePath) {
+  try {
+    return await stat2(filePath);
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+
+// ../kernel/dist/evidence/evidence-store.js
+var DEFAULT_LOCK_RETRY_DELAY_MS2 = 20;
+var DEFAULT_LOCK_MAX_RETRIES2 = 250;
+var DEFAULT_COMPACTION_THRESHOLD_BYTES = 10 * 1024 * 1024;
+var ACTIVE_TRACE_FILE_NAME = "tool-traces.jsonl";
+var SEGMENT_FILE_PATTERN = /^tool-traces\.(\d+)\.jsonl$/;
+function sha256Hex(content) {
+  return createHash2(SHA256_ALGORITHM).update(content).digest("hex");
+}
+function sleep2(ms) {
+  return new Promise((resolve2) => {
+    setTimeout(resolve2, ms);
+  });
+}
+var EvidenceStore = class {
+  tracesDir;
+  tracesFilePath;
+  tracesLockFilePath;
+  inputsDir;
+  lockRetryDelayMs;
+  lockMaxRetries;
+  compactionThresholdBytes;
+  tracesHydrated = false;
+  orderedTraces = [];
+  tracesByTaskId = /* @__PURE__ */ new Map();
+  taskIdByReceiptId = /* @__PURE__ */ new Map();
+  /** Dedup guard: tracks `receipt_id:kind` keys already indexed (WU-1881). */
+  seenTraceKeys = /* @__PURE__ */ new Set();
+  /** Byte offset cursor into the active trace file for incremental reads. */
+  activeFileCursor = 0;
+  /** Number of compacted segment files at last hydration. */
+  hydratedSegmentCount = 0;
+  constructor(options) {
+    this.tracesDir = join(options.evidenceRoot, "traces");
+    this.tracesFilePath = join(this.tracesDir, ACTIVE_TRACE_FILE_NAME);
+    this.tracesLockFilePath = join(this.tracesDir, "tool-traces.lock");
+    this.inputsDir = join(options.evidenceRoot, "inputs");
+    this.lockRetryDelayMs = options.lockRetryDelayMs ?? DEFAULT_LOCK_RETRY_DELAY_MS2;
+    this.lockMaxRetries = options.lockMaxRetries ?? DEFAULT_LOCK_MAX_RETRIES2;
+    this.compactionThresholdBytes = options.compactionThresholdBytes ?? DEFAULT_COMPACTION_THRESHOLD_BYTES;
+  }
+  async appendTrace(entry) {
+    const validated = ToolTraceEntrySchema.parse(entry);
+    let compacted = false;
+    await this.withFileLock(async () => {
+      await mkdir2(this.tracesDir, { recursive: true });
+      const serialized = `${JSON.stringify(validated)}
+`;
+      await appendFile2(this.tracesFilePath, serialized, UTF8_ENCODING);
+      compacted = await this.compactIfNeeded();
+    });
+    if (this.tracesHydrated) {
+      this.applyTraceToIndexes(validated);
+      if (compacted) {
+        this.hydratedSegmentCount += 1;
+        this.activeFileCursor = 0;
+      } else {
+        const fileStat = await statOrNull(this.tracesFilePath);
+        this.activeFileCursor = fileStat?.size ?? 0;
+      }
+    }
+  }
+  async readTraces() {
+    await this.hydrateIndexesIfNeeded();
+    return [...this.orderedTraces];
+  }
+  async readTracesByTaskId(taskId) {
+    await this.hydrateIndexesIfNeeded();
+    return [...this.tracesByTaskId.get(taskId) ?? []];
+  }
+  async pruneTask(taskId) {
+    await this.hydrateIndexesIfNeeded();
+    const receiptIdsToDelete = [];
+    for (const [receiptId, indexedTaskId] of this.taskIdByReceiptId.entries()) {
+      if (indexedTaskId === taskId) {
+        receiptIdsToDelete.push(receiptId);
+      }
+    }
+    for (const receiptId of receiptIdsToDelete) {
+      this.taskIdByReceiptId.delete(receiptId);
+    }
+    this.tracesByTaskId.delete(taskId);
+    return receiptIdsToDelete.length;
+  }
+  async getReceiptIndexSize() {
+    await this.hydrateIndexesIfNeeded();
+    return this.taskIdByReceiptId.size;
+  }
+  async hydrateIndexesIfNeeded() {
+    if (!this.tracesHydrated) {
+      return this.fullHydrate();
+    }
+    await this.incrementalHydrate();
+  }
+  /**
+   * Full hydration: reads all segment files (sorted ascending) then the active file.
+   * Sets cursor to end of active file for subsequent incremental reads.
+   */
+  async fullHydrate() {
+    this.resetIndexes();
+    const dirStat = await statOrNull(this.tracesDir);
+    if (!dirStat) {
+      this.tracesHydrated = true;
+      this.activeFileCursor = 0;
+      this.hydratedSegmentCount = 0;
+      return;
+    }
+    const segments = await this.listSegmentFiles();
+    for (const segmentFile of segments) {
+      const segmentPath = join(this.tracesDir, segmentFile);
+      await this.hydrateFromFile(segmentPath);
+    }
+    this.hydratedSegmentCount = segments.length;
+    const activeContent = await readFileOrEmpty(this.tracesFilePath);
+    if (activeContent.length > 0) {
+      this.parseAndApplyLines(activeContent);
+    }
+    this.activeFileCursor = Buffer.byteLength(activeContent, UTF8_ENCODING);
+    this.tracesHydrated = true;
+  }
+  /**
+   * Incremental hydration: only reads new segments (from compaction since last
+   * hydration) and new bytes appended to the active file since the cursor.
+   * This provides O(1) amortized reads for the hot path.
+   */
+  async incrementalHydrate() {
+    const currentSegments = await this.listSegmentFiles();
+    if (currentSegments.length > this.hydratedSegmentCount) {
+      const unseenSegments = currentSegments.slice(this.hydratedSegmentCount);
+      for (const segmentFile of unseenSegments) {
+        const segmentPath = join(this.tracesDir, segmentFile);
+        await this.hydrateFromFile(segmentPath);
+      }
+      this.hydratedSegmentCount = currentSegments.length;
+      this.activeFileCursor = 0;
+    }
+    const activeFileStat = await statOrNull(this.tracesFilePath);
+    const activeSize = activeFileStat?.size ?? 0;
+    if (activeSize <= this.activeFileCursor) {
+      return;
+    }
+    const handle = await open2(this.tracesFilePath, "r");
+    try {
+      const deltaSize = activeSize - this.activeFileCursor;
+      const buffer = Buffer.alloc(deltaSize);
+      await handle.read(buffer, 0, deltaSize, this.activeFileCursor);
+      const deltaContent = buffer.toString(UTF8_ENCODING);
+      if (deltaContent.trim().length > 0) {
+        this.parseAndApplyLines(deltaContent);
+      }
+      this.activeFileCursor = activeSize;
+    } finally {
+      await handle.close();
+    }
+  }
+  /**
+   * Lists compacted segment files sorted in ascending order.
+   * Segment files follow the pattern: tool-traces.NNNN.jsonl
+   */
+  async listSegmentFiles() {
+    let files;
+    try {
+      files = await readdir(this.tracesDir);
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "ENOENT") {
+        return [];
+      }
+      throw error;
+    }
+    return files.filter((f) => SEGMENT_FILE_PATTERN.test(f)).sort((a, b) => {
+      const matchA = a.match(SEGMENT_FILE_PATTERN);
+      const matchB = b.match(SEGMENT_FILE_PATTERN);
+      const numA = matchA ? parseInt(matchA[1] ?? "0", 10) : 0;
+      const numB = matchB ? parseInt(matchB[1] ?? "0", 10) : 0;
+      return numA - numB;
+    });
+  }
+  /**
+   * Reads an entire file and applies all trace lines to the indexes.
+   */
+  async hydrateFromFile(filePath) {
+    const content = await readFileOrEmpty(filePath);
+    if (content.trim().length > 0) {
+      this.parseAndApplyLines(content);
+    }
+  }
+  /**
+   * Parses newline-delimited JSON lines and applies each to the indexes.
+   */
+  parseAndApplyLines(content) {
+    const lines = content.split("\n").map((line) => line.trim()).filter(Boolean);
+    for (let index = 0; index < lines.length; index += 1) {
+      const line = lines[index];
+      if (!line) {
+        continue;
+      }
+      const parsed = (() => {
+        try {
+          return JSON.parse(line);
+        } catch (error) {
+          throw new Error(`Malformed evidence trace JSON at line ${index + 1}`, { cause: error });
+        }
+      })();
+      this.applyTraceToIndexes(ToolTraceEntrySchema.parse(parsed));
+    }
+  }
+  /**
+   * Rotates the active JSONL file to a numbered segment if it exceeds the
+   * compaction threshold. Called within the file lock after each append.
+   * @returns true if compaction (rotation) occurred.
+   */
+  async compactIfNeeded() {
+    const fileStat = await statOrNull(this.tracesFilePath);
+    if (!fileStat) {
+      return false;
+    }
+    if (fileStat.size < this.compactionThresholdBytes) {
+      return false;
+    }
+    const segments = await this.listSegmentFiles();
+    let nextNumber = 1;
+    if (segments.length > 0) {
+      const lastSegment = segments[segments.length - 1];
+      if (lastSegment) {
+        const match = lastSegment.match(SEGMENT_FILE_PATTERN);
+        if (match) {
+          nextNumber = parseInt(match[1] ?? "0", 10) + 1;
+        }
+      }
+    }
+    const segmentName = `tool-traces.${String(nextNumber).padStart(8, "0")}.jsonl`;
+    const segmentPath = join(this.tracesDir, segmentName);
+    await rename(this.tracesFilePath, segmentPath);
+    return true;
+  }
+  resetIndexes() {
+    this.orderedTraces = [];
+    this.tracesByTaskId = /* @__PURE__ */ new Map();
+    this.taskIdByReceiptId = /* @__PURE__ */ new Map();
+    this.seenTraceKeys = /* @__PURE__ */ new Set();
+  }
+  applyTraceToIndexes(entry) {
+    const traceKey = `${entry.receipt_id}:${entry.kind}`;
+    if (this.seenTraceKeys.has(traceKey)) {
+      return;
+    }
+    this.seenTraceKeys.add(traceKey);
+    this.orderedTraces.push(entry);
+    if (entry.kind === TOOL_TRACE_KINDS.TOOL_CALL_STARTED) {
+      this.taskIdByReceiptId.set(entry.receipt_id, entry.task_id);
+      const bucket2 = this.tracesByTaskId.get(entry.task_id) ?? [];
+      bucket2.push(entry);
+      this.tracesByTaskId.set(entry.task_id, bucket2);
+      return;
+    }
+    const taskId = this.taskIdByReceiptId.get(entry.receipt_id);
+    if (!taskId) {
+      return;
+    }
+    const bucket = this.tracesByTaskId.get(taskId) ?? [];
+    bucket.push(entry);
+    this.tracesByTaskId.set(taskId, bucket);
+  }
+  async persistData(data) {
+    const serialized = canonicalStringify(data);
+    const dataHash = sha256Hex(serialized);
+    const dataRef = join(this.inputsDir, dataHash);
+    await mkdir2(this.inputsDir, { recursive: true });
+    try {
+      const handle = await open2(dataRef, "wx");
+      try {
+        await handle.writeFile(serialized, UTF8_ENCODING);
+      } finally {
+        await handle.close();
+      }
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code !== "EEXIST") {
+        throw error;
+      }
+    }
+    return {
+      dataHash,
+      dataRef
+    };
+  }
+  /** @deprecated Use persistData instead */
+  async persistInput(input) {
+    return this.persistData(input);
+  }
+  async reconcileOrphanedStarts() {
+    const traces = await this.readTraces();
+    const started = /* @__PURE__ */ new Map();
+    const finished = /* @__PURE__ */ new Set();
+    for (const trace of traces) {
+      if (trace.kind === TOOL_TRACE_KINDS.TOOL_CALL_STARTED) {
+        started.set(trace.receipt_id, trace);
+      } else {
+        finished.add(trace.receipt_id);
+      }
+    }
+    let reconciled = 0;
+    for (const [receiptId] of started) {
+      if (finished.has(receiptId)) {
+        continue;
+      }
+      const policyDecisions = [
+        {
+          policy_id: KERNEL_POLICY_IDS.RECONCILIATION,
+          decision: "deny",
+          reason: "Orphaned started trace without matching finished trace"
+        }
+      ];
+      await this.appendTrace({
+        schema_version: 1,
+        kind: TOOL_TRACE_KINDS.TOOL_CALL_FINISHED,
+        receipt_id: receiptId,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        result: "crashed",
+        duration_ms: 0,
+        scope_enforcement_note: "Synthetic crashed finish generated by orphan reconciliation.",
+        policy_decisions: policyDecisions,
+        artifacts_written: []
+      });
+      reconciled += 1;
+    }
+    return reconciled;
+  }
+  async withFileLock(operation) {
+    await mkdir2(this.tracesDir, { recursive: true });
+    for (let attempt = 0; attempt <= this.lockMaxRetries; attempt += 1) {
+      let handle = null;
+      try {
+        handle = await open2(this.tracesLockFilePath, "wx");
+        const result = await operation();
+        await handle.close();
+        await rm2(this.tracesLockFilePath, { force: true });
+        return result;
+      } catch (error) {
+        const nodeError = error;
+        if (handle) {
+          try {
+            await handle.close();
+          } catch {
+          }
+          try {
+            await rm2(this.tracesLockFilePath, { force: true });
+          } catch {
+          }
+        }
+        if (nodeError.code === "EEXIST") {
+          if (attempt < this.lockMaxRetries) {
+            await sleep2(this.lockRetryDelayMs);
+            continue;
+          }
+          break;
+        }
+        throw error;
+      }
+    }
+    throw new Error(`Failed to acquire evidence-store lock at ${this.tracesLockFilePath}`);
+  }
+};
+
+// ../kernel/dist/policy/approval-event.js
+import { z } from "zod";
+var ApprovalScopeSchema = z.object({
+  level: z.enum(["workspace", "lane", "pack", "task"]),
+  id: z.string().min(1)
+});
+var ApprovalEventSchema = z.object({
+  schema_version: z.literal(1),
+  kind: z.literal("approval_event"),
+  run_id: z.string().min(1),
+  scope: ApprovalScopeSchema,
+  approved_by: z.string().min(1),
+  expires_at: z.string().datetime(),
+  reason: z.string().min(1).optional()
+});
+
+// ../kernel/dist/sandbox/bwrap-invocation.js
+import path from "path";
+var SYSTEM_READONLY_ALLOWLIST = ["/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc"];
+function assertCommand(command) {
+  if (command.length === 0) {
+    throw new Error("Sandbox command is required");
+  }
+}
+function dedupeMounts(mounts) {
+  const unique = /* @__PURE__ */ new Map();
+  for (const mount of mounts) {
+    const key = `${mount.source}=>${mount.target}`;
+    if (!unique.has(key)) {
+      unique.set(key, mount);
+    }
+  }
+  return [...unique.values()];
+}
+function normalizePrefix(prefix) {
+  const resolved = path.resolve(prefix);
+  if (resolved === path.sep) {
+    return resolved;
+  }
+  return resolved.replace(/[/\\]+$/, "");
+}
+function isWithinPrefix(candidate, prefix) {
+  const normalizedCandidate = normalizePrefix(candidate);
+  const normalizedPrefix = normalizePrefix(prefix);
+  if (normalizedPrefix === path.sep) {
+    return true;
+  }
+  return normalizedCandidate === normalizedPrefix || normalizedCandidate.startsWith(`${normalizedPrefix}${path.sep}`);
+}
+function collectCommandMountPrefixes(profile) {
+  const prefixes = [
+    ...profile.readonly_bind_mounts.map((mount) => mount.target),
+    ...profile.writable_bind_mounts.map((mount) => mount.target)
+  ];
+  return [...new Set(prefixes.map(normalizePrefix))];
+}
+function collectCommandReadonlyMounts(profile, command) {
+  const mountPrefixes = collectCommandMountPrefixes(profile);
+  const mounts = [];
+  for (const segment of command) {
+    if (!path.isAbsolute(segment)) {
+      continue;
+    }
+    const absolute = path.resolve(segment);
+    const parent = path.dirname(absolute);
+    const grandparent = path.dirname(parent);
+    if (parent !== "/" && mountPrefixes.some((prefix) => isWithinPrefix(parent, prefix))) {
+      mounts.push({ source: parent, target: parent });
+    }
+    if (grandparent !== "/" && mountPrefixes.some((prefix) => isWithinPrefix(grandparent, prefix))) {
+      mounts.push({ source: grandparent, target: grandparent });
+    }
+  }
+  return dedupeMounts(mounts);
+}
+function collectReadonlyAllowlistMounts(profile, command) {
+  const writableTargets = new Set(profile.writable_bind_mounts.map((mount) => mount.target));
+  const readonlyMounts = [
+    ...SYSTEM_READONLY_ALLOWLIST.map((mountPath) => ({
+      source: mountPath,
+      target: mountPath
+    })),
+    ...collectCommandReadonlyMounts(profile, command),
+    ...profile.readonly_bind_mounts
+  ];
+  return dedupeMounts(readonlyMounts).filter((mount) => !writableTargets.has(mount.target));
+}
+function escapeShellArg(arg) {
+  return `'${arg.replace(/'/g, "'\\''")}'`;
+}
+function parseHostPort(entry) {
+  if (entry.includes("/")) {
+    return { host: entry, port: null };
+  }
+  const lastColon = entry.lastIndexOf(":");
+  if (lastColon > 0) {
+    return {
+      host: entry.slice(0, lastColon),
+      port: entry.slice(lastColon + 1)
+    };
+  }
+  return { host: entry, port: null };
+}
+function buildIptablesAllowlistScript(allowlist, command) {
+  const lines = [];
+  lines.push("iptables -A OUTPUT -o lo -j ACCEPT");
+  lines.push("iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT");
+  for (const entry of allowlist) {
+    const { host, port } = parseHostPort(entry);
+    if (port) {
+      lines.push(`iptables -A OUTPUT -d ${host} -p tcp --dport ${port} -j ACCEPT`);
+    } else {
+      lines.push(`iptables -A OUTPUT -d ${host} -j ACCEPT`);
+    }
+  }
+  lines.push("iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable");
+  const escapedCommand = command.map(escapeShellArg).join(" ");
+  lines.push(`exec ${escapedCommand}`);
+  return lines.join(" && ");
+}
+function buildBwrapInvocation(input) {
+  assertCommand(input.command);
+  const args = ["--die-with-parent", "--new-session", "--tmpfs", "/"];
+  for (const mount of collectReadonlyAllowlistMounts(input.profile, input.command)) {
+    args.push("--ro-bind", mount.source, mount.target);
+  }
+  for (const mount of input.profile.writable_bind_mounts) {
+    args.push("--bind", mount.source, mount.target);
+  }
+  for (const overlay of input.profile.deny_overlays) {
+    if (overlay.kind === "file") {
+      args.push("--bind", "/dev/null", overlay.path);
+    } else {
+      args.push("--tmpfs", overlay.path);
+    }
+  }
+  if (input.profile.network_posture === "off") {
+    args.push("--unshare-net");
+  } else if (input.profile.network_posture === "allowlist") {
+    args.push("--unshare-net");
+  }
+  for (const [key, value] of Object.entries(input.profile.env)) {
+    args.push("--setenv", key, value);
+  }
+  args.push("--proc", "/proc", "--dev", "/dev");
+  if (input.profile.network_posture === "allowlist" && input.profile.network_allowlist.length > 0) {
+    const iptablesScript = buildIptablesAllowlistScript(input.profile.network_allowlist, input.command);
+    args.push("--", "sh", "-c", iptablesScript);
+  } else {
+    args.push("--", ...input.command);
+  }
+  return {
+    command: input.sandboxBinary || "bwrap",
+    args,
+    env: input.profile.env
+  };
+}
+
+// ../kernel/dist/sandbox/profile.js
+import os from "os";
+import path2 from "path";
+var READ_CONFINEMENT_NOTE = "read confinement best-effort (v1)";
+function isGlobSegment(segment) {
+  return /[*?[{(]/.test(segment);
+}
+function resolveScopePatternToPath(pattern, workspaceRoot) {
+  const normalized = pattern.replaceAll("\\", "/");
+  const rawSegments = normalized.split("/").filter((segment) => segment.length > 0);
+  const staticSegments = [];
+  for (const segment of rawSegments) {
+    if (isGlobSegment(segment)) {
+      break;
+    }
+    staticSegments.push(segment);
+  }
+  if (normalized.startsWith("/")) {
+    const absolutePrefix = staticSegments.length === 0 ? "/" : `/${staticSegments.join("/")}`;
+    return path2.resolve(absolutePrefix);
+  }
+  if (staticSegments.length === 0) {
+    return path2.resolve(workspaceRoot);
+  }
+  return path2.resolve(workspaceRoot, staticSegments.join("/"));
+}
+function dedupeMounts2(mounts) {
+  const seen = /* @__PURE__ */ new Set();
+  return mounts.filter((mount) => {
+    const key = `${mount.source}=>${mount.target}`;
+    if (seen.has(key)) {
+      return false;
+    }
+    seen.add(key);
+    return true;
+  });
+}
+function normalizeEnvironment(env) {
+  if (!env) {
+    return {};
+  }
+  const normalized = {};
+  for (const [key, value] of Object.entries(env)) {
+    if (typeof value === "string") {
+      normalized[key] = value;
+    }
+  }
+  return normalized;
+}
+function createDefaultDenyOverlays(input) {
+  const workspaceRoot = path2.resolve(input.workspaceRoot);
+  const homeDir = path2.resolve(input.homeDir || os.homedir());
+  return [
+    { path: path2.join(homeDir, ".ssh"), kind: "directory" },
+    { path: path2.join(homeDir, ".aws"), kind: "directory" },
+    { path: path2.join(homeDir, ".gnupg"), kind: "directory" },
+    { path: path2.join(workspaceRoot, ".env"), kind: "file" }
+  ];
+}
+function resolveScopeEnforcementNote(scopes) {
+  const hasReadPathScope = scopes.some((scope) => scope.type === "path" && scope.access === "read");
+  return hasReadPathScope ? READ_CONFINEMENT_NOTE : void 0;
+}
+function buildSandboxProfileFromScopes(scopeEnforced, options = {}) {
+  const workspaceRoot = path2.resolve(options.workspaceRoot || process.cwd());
+  const writable_bind_mounts = [];
+  const readonly_bind_mounts = [];
+  let network_posture = "off";
+  const allowlistEntries = /* @__PURE__ */ new Set();
+  for (const scope of scopeEnforced) {
+    if (scope.type === "network") {
+      if (scope.posture === "full") {
+        network_posture = "full";
+      } else if (scope.posture === "allowlist" && network_posture !== "full") {
+        network_posture = "allowlist";
+        const entries = "allowlist_entries" in scope ? scope.allowlist_entries : [];
+        for (const entry of entries) {
+          allowlistEntries.add(entry);
+        }
+      }
+      continue;
+    }
+    const resolvedPath = resolveScopePatternToPath(scope.pattern, workspaceRoot);
+    const mount = {
+      source: resolvedPath,
+      target: resolvedPath
+    };
+    if (scope.access === "write") {
+      writable_bind_mounts.push(mount);
+    } else {
+      readonly_bind_mounts.push(mount);
+    }
+  }
+  return {
+    readonly_bind_mounts: dedupeMounts2(readonly_bind_mounts),
+    writable_bind_mounts: dedupeMounts2(writable_bind_mounts),
+    network_posture,
+    network_allowlist: network_posture === "allowlist" ? [...allowlistEntries].sort() : [],
+    deny_overlays: options.denyOverlays || createDefaultDenyOverlays({
+      workspaceRoot,
+      homeDir: options.homeDir
+    }),
+    env: normalizeEnvironment(options.env)
+  };
+}
+
+// ../kernel/dist/sandbox/subprocess-dispatcher.js
+import { spawn, spawnSync } from "child_process";
+import { randomUUID } from "crypto";
+import fs from "fs";
+import { fileURLToPath } from "url";
+
+// ../kernel/dist/sandbox/tool-runner-worker.js
+import path3 from "path";
+import { pathToFileURL } from "url";
+import { z as z2 } from "zod";
+var ToolRunnerWorkerInvocationSchema = z2.object({
+  tool_name: z2.string().min(1),
+  handler_entry: z2.string().min(1),
+  input: z2.unknown(),
+  scope_enforced: z2.array(ToolScopeSchema),
+  receipt_id: z2.string().min(1)
+});
+var ToolRunnerWorkerResponseSchema = z2.object({
+  output: ToolOutputSchema
+});
+function buildFailureOutput(code, message, details) {
+  return {
+    success: false,
+    error: {
+      code,
+      message,
+      ...details ? { details } : {}
+    }
+  };
+}
+function withScopeNote(output, scopeEnforced) {
+  const note = resolveScopeEnforcementNote(scopeEnforced);
+  if (!note) {
+    return output;
+  }
+  return {
+    ...output,
+    metadata: {
+      ...output.metadata || {},
+      scope_enforcement_note: note
+    }
+  };
+}
+async function defaultImportModule(specifier) {
+  return import(specifier);
+}
+function resolveEntrySpecifier(entry) {
+  if (entry.startsWith("file:")) {
+    return entry;
+  }
+  if (path3.isAbsolute(entry)) {
+    return pathToFileURL(path3.resolve(entry)).href;
+  }
+  if (entry.startsWith(".")) {
+    return pathToFileURL(path3.resolve(process.cwd(), entry)).href;
+  }
+  return entry;
+}
+function isToolAdapter(value) {
+  return typeof value === "function";
+}
+function selectAdapterExport(candidate) {
+  if (isToolAdapter(candidate)) {
+    return candidate;
+  }
+  if (!candidate || typeof candidate !== "object") {
+    return null;
+  }
+  const moduleRecord = candidate;
+  const defaultExport = moduleRecord.default;
+  if (isToolAdapter(defaultExport)) {
+    return defaultExport;
+  }
+  const runExport = moduleRecord.run;
+  if (isToolAdapter(runExport)) {
+    return runExport;
+  }
+  const handlerExport = moduleRecord.handler;
+  if (isToolAdapter(handlerExport)) {
+    return handlerExport;
+  }
+  return null;
+}
+async function readStreamAsString(stream) {
+  let output = "";
+  for await (const chunk of stream) {
+    output += typeof chunk === "string" ? chunk : chunk.toString(UTF8_ENCODING);
+  }
+  return output;
+}
+function parseToolRunnerWorkerResponse(raw) {
+  const parsedPayload = JSON.parse(raw);
+  return ToolRunnerWorkerResponseSchema.parse(parsedPayload);
+}
+async function executeToolRunnerInvocation(invocationInput, options = {}) {
+  const parsedInvocation = ToolRunnerWorkerInvocationSchema.safeParse(invocationInput);
+  if (!parsedInvocation.success) {
+    return buildFailureOutput("INVALID_INVOCATION_PAYLOAD", parsedInvocation.error.message);
+  }
+  const invocation = parsedInvocation.data;
+  const importModule = options.importModule || defaultImportModule;
+  let loadedModule;
+  try {
+    loadedModule = await importModule(resolveEntrySpecifier(invocation.handler_entry));
+  } catch (error) {
+    return withScopeNote(buildFailureOutput("ADAPTER_LOAD_FAILED", `Failed to load adapter "${invocation.handler_entry}": ${error.message}`), invocation.scope_enforced);
+  }
+  const adapter = selectAdapterExport(loadedModule);
+  if (!adapter) {
+    return withScopeNote(buildFailureOutput("ADAPTER_LOAD_FAILED", `Adapter "${invocation.handler_entry}" does not export a function`), invocation.scope_enforced);
+  }
+  let rawOutput;
+  try {
+    rawOutput = await adapter(invocation.input, {
+      tool_name: invocation.tool_name,
+      receipt_id: invocation.receipt_id,
+      scope_enforced: invocation.scope_enforced
+    });
+  } catch (error) {
+    return withScopeNote(buildFailureOutput("TOOL_EXECUTION_FAILED", `Adapter "${invocation.handler_entry}" failed: ${error.message}`), invocation.scope_enforced);
+  }
+  const parsedOutput = ToolOutputSchema.safeParse(rawOutput);
+  if (!parsedOutput.success) {
+    return withScopeNote(buildFailureOutput("INVALID_OUTPUT", parsedOutput.error.message), invocation.scope_enforced);
+  }
+  return withScopeNote(parsedOutput.data, invocation.scope_enforced);
+}
+async function runToolRunnerWorkerFromStreams(streams, options = {}) {
+  const rawPayload = await readStreamAsString(streams.stdin);
+  let payload;
+  try {
+    payload = JSON.parse(rawPayload);
+  } catch {
+    const invalidPayload = buildFailureOutput("INVALID_INVOCATION_PAYLOAD", "Worker stdin payload is not valid JSON");
+    streams.stdout.write(JSON.stringify({ output: invalidPayload }));
+    return;
+  }
+  const output = await executeToolRunnerInvocation(payload, options);
+  streams.stdout.write(JSON.stringify({ output }));
+}
+async function runToolRunnerWorkerProcess() {
+  await runToolRunnerWorkerFromStreams({
+    stdin: process.stdin,
+    stdout: process.stdout,
+    stderr: process.stderr
+  });
+}
+function shouldRunAsMain() {
+  const entryPath = process.argv[1];
+  if (!entryPath) {
+    return false;
+  }
+  return pathToFileURL(path3.resolve(entryPath)).href === import.meta.url;
+}
+if (shouldRunAsMain()) {
+  void runToolRunnerWorkerProcess();
+}
+
+// ../kernel/dist/sandbox/subprocess-dispatcher.js
+function buildFailureOutput2(code, message, details) {
+  return {
+    success: false,
+    error: {
+      code,
+      message,
+      ...details ? { details } : {}
+    }
+  };
+}
+function withScopeNote2(output, scopes) {
+  const scopeEnforcementNote = resolveScopeEnforcementNote(scopes);
+  if (!scopeEnforcementNote) {
+    return output;
+  }
+  return {
+    ...output,
+    metadata: {
+      ...output.metadata || {},
+      scope_enforcement_note: scopeEnforcementNote
+    }
+  };
+}
+function defaultCommandExists(binary) {
+  const probe = spawnSync(binary, ["--help"], { stdio: "ignore" });
+  return !probe.error;
+}
+function resolveDefaultWorkerEntry() {
+  const jsPath = fileURLToPath(new URL("./tool-runner-worker.js", import.meta.url));
+  if (fs.existsSync(jsPath)) {
+    return jsPath;
+  }
+  return fileURLToPath(new URL("./tool-runner-worker.ts", import.meta.url));
+}
+var NodeSubprocessTransport = class {
+  async execute(request) {
+    return new Promise((resolve2, reject) => {
+      const child = spawn(request.command, request.args, {
+        stdio: "pipe",
+        env: {
+          ...process.env,
+          ...request.env
+        }
+      });
+      let stdout = "";
+      let stderr = "";
+      child.stdout.setEncoding(UTF8_ENCODING);
+      child.stderr.setEncoding(UTF8_ENCODING);
+      child.stdout.on("data", (chunk) => {
+        stdout += chunk;
+      });
+      child.stderr.on("data", (chunk) => {
+        stderr += chunk;
+      });
+      child.on("error", (error) => {
+        reject(error);
+      });
+      child.on("close", (code) => {
+        resolve2({
+          code: code ?? 1,
+          stdout,
+          stderr
+        });
+      });
+      child.stdin.end(request.stdin);
+    });
+  }
+};
+var SandboxSubprocessDispatcher = class {
+  commandExists;
+  transport;
+  profileOptions;
+  workerEntry;
+  nodeBinary;
+  constructor(options = {}) {
+    this.commandExists = options.commandExists || defaultCommandExists;
+    this.transport = options.transport || new NodeSubprocessTransport();
+    this.profileOptions = {
+      workspaceRoot: options.workspaceRoot,
+      homeDir: options.homeDir,
+      env: options.env
+    };
+    this.workerEntry = options.workerEntry || resolveDefaultWorkerEntry();
+    this.nodeBinary = options.nodeBinary || process.execPath;
+  }
+  async dispatch(request) {
+    if (request.capability.handler.kind !== "subprocess") {
+      return buildFailureOutput2("INVALID_HANDLER_KIND", "Subprocess dispatcher requires subprocess handlers.");
+    }
+    if (!this.commandExists("bwrap")) {
+      return withScopeNote2(buildFailureOutput2("SUBPROCESS_SANDBOX_UNAVAILABLE", 'Subprocess execution unavailable: required binary "bwrap" was not found.'), request.scopeEnforced);
+    }
+    const invocationPayload = {
+      tool_name: request.capability.name,
+      handler_entry: request.capability.handler.entry,
+      input: request.input,
+      scope_enforced: request.scopeEnforced,
+      receipt_id: randomUUID()
+    };
+    const profile = buildSandboxProfileFromScopes(request.scopeEnforced, this.profileOptions);
+    const sandboxInvocation = buildBwrapInvocation({
+      profile,
+      command: [this.nodeBinary, this.workerEntry]
+    });
+    let transportResult;
+    try {
+      transportResult = await this.transport.execute({
+        command: sandboxInvocation.command,
+        args: sandboxInvocation.args,
+        stdin: JSON.stringify(invocationPayload),
+        env: sandboxInvocation.env
+      });
+    } catch (error) {
+      return withScopeNote2(buildFailureOutput2("SUBPROCESS_TRANSPORT_FAILED", error.message), request.scopeEnforced);
+    }
+    if (transportResult.code !== 0) {
+      return withScopeNote2(buildFailureOutput2("SUBPROCESS_EXIT_NONZERO", "Subprocess worker exited with non-zero code.", {
+        exit_code: transportResult.code,
+        stderr: transportResult.stderr
+      }), request.scopeEnforced);
+    }
+    try {
+      const response = parseToolRunnerWorkerResponse(transportResult.stdout);
+      return withScopeNote2(response.output, request.scopeEnforced);
+    } catch (error) {
+      return withScopeNote2(buildFailureOutput2("SUBPROCESS_PROTOCOL_ERROR", error.message, {
+        stdout: transportResult.stdout,
+        stderr: transportResult.stderr
+      }), request.scopeEnforced);
+    }
+  }
+};
+
+// ../kernel/dist/state-machine/index.js
+var TASK_LIFECYCLE_STATES = {
+  READY: "ready",
+  ACTIVE: "active",
+  BLOCKED: "blocked",
+  WAITING: "waiting",
+  DONE: "done"
+};
+var CANONICAL_STATES = [
+  TASK_LIFECYCLE_STATES.READY,
+  TASK_LIFECYCLE_STATES.ACTIVE,
+  TASK_LIFECYCLE_STATES.BLOCKED,
+  TASK_LIFECYCLE_STATES.WAITING,
+  TASK_LIFECYCLE_STATES.DONE
+];
+var ALLOWED_TRANSITIONS = {
+  ready: ["active"],
+  active: ["blocked", "waiting", "done", "ready"],
+  blocked: ["active", "done"],
+  waiting: ["active", "done"],
+  done: []
+};
+function buildAliasLookup(aliases) {
+  const lookup = /* @__PURE__ */ new Map();
+  for (const state of CANONICAL_STATES) {
+    lookup.set(state, state);
+  }
+  for (const [state, alias] of Object.entries(aliases)) {
+    if (!alias) {
+      continue;
+    }
+    const normalizedAlias = alias.trim();
+    if (!normalizedAlias) {
+      throw new Error(`Invalid alias for state "${state}": alias must be non-empty`);
+    }
+    const existing = lookup.get(normalizedAlias);
+    if (existing && existing !== state) {
+      throw new Error(`Ambiguous alias "${normalizedAlias}" resolves to both "${existing}" and "${state}"`);
+    }
+    lookup.set(normalizedAlias, state);
+  }
+  return lookup;
+}
+function resolveTaskState(state, aliases = {}) {
+  if (state === null || state === void 0) {
+    throw new Error(`Invalid state: ${state}`);
+  }
+  const normalized = state.trim();
+  if (!normalized) {
+    throw new Error(`Invalid state: ${state}`);
+  }
+  const lookup = buildAliasLookup(aliases);
+  const resolved = lookup.get(normalized);
+  if (!resolved) {
+    throw new Error(`Invalid state: ${state}. Expected one of: ${Array.from(lookup.keys()).join(", ")}`);
+  }
+  return resolved;
+}
+function assertTransition(from, to, taskId, aliases = {}) {
+  const fromState = resolveTaskState(from, aliases);
+  const toState = resolveTaskState(to, aliases);
+  const allowed = ALLOWED_TRANSITIONS[fromState];
+  if (!allowed.includes(toState)) {
+    const terminalHint = fromState === TASK_LIFECYCLE_STATES.DONE ? " (done is a terminal state)" : "";
+    const allowedNext = allowed.length > 0 ? allowed.join(", ") : "(none)";
+    throw new Error(`Illegal state transition for ${taskId}: ${fromState} -> ${toState}${terminalHint}. Allowed next states: ${allowedNext}`);
+  }
+}
+
+// ../kernel/dist/tool-host/builtins/capabilities.js
+import { readFile as readFile3 } from "fs/promises";
+import { resolve } from "path";
+import micromatch from "micromatch";
+import { z as z3 } from "zod";
+
+// ../kernel/dist/tool-host/tool-registry.js
+var ToolRegistry = class {
+  capabilities = /* @__PURE__ */ new Map();
+  register(capability) {
+    const validated = this.validate(capability);
+    if (this.capabilities.has(validated.name)) {
+      throw new Error(`Tool "${validated.name}" is already registered`);
+    }
+    this.capabilities.set(validated.name, validated);
+    return validated;
+  }
+  lookup(name) {
+    return this.capabilities.get(name) ?? null;
+  }
+  list() {
+    return [...this.capabilities.values()];
+  }
+  validate(capability) {
+    const parsed = ToolCapabilitySchema.safeParse(capability);
+    if (!parsed.success) {
+      throw new Error(`ToolCapability validation failed: ${parsed.error.message}`);
+    }
+    return parsed.data;
+  }
+};
+
+// ../kernel/dist/tool-host/builtins/capabilities.js
+var BUILTIN_POLICY_IDS = {
+  DEFAULT_ALLOW: KERNEL_POLICY_IDS.BUILTIN_DEFAULT,
+  PROC_EXEC_DEFAULT_DENY: KERNEL_POLICY_IDS.PROC_EXEC_DEFAULT_DENY
+};
+var BUILTIN_TOOL_NAMES = {
+  FS_READ: "fs:read",
+  FS_WRITE: "fs:write",
+  PROC_EXEC: "proc:exec"
+};
+var BUILTIN_SUBPROCESS_ENTRIES = {
+  FS_WRITE: "kernel/tool-impl/fs-write.js",
+  PROC_EXEC: "kernel/tool-impl/proc-exec.js"
+};
+var BUILTIN_PACK_ID = "kernel-builtins";
+var BUILTIN_TOOL_VERSION = "1.0.0";
+var TEXT_ENCODINGS = [UTF8_ENCODING, BASE64_ENCODING];
+var FsReadInputSchema = z3.object({
+  path: z3.string().min(1),
+  encoding: z3.enum(TEXT_ENCODINGS).optional()
+});
+var FsReadOutputSchema = z3.object({
+  path: z3.string().min(1),
+  content: z3.string(),
+  bytes: z3.number().int().nonnegative()
+});
+var FsWriteInputSchema = z3.object({
+  path: z3.string().min(1),
+  content: z3.string(),
+  encoding: z3.enum(TEXT_ENCODINGS).optional()
+});
+var FsWriteOutputSchema = z3.object({
+  queued: z3.boolean(),
+  target: z3.string().min(1)
+});
+var ProcExecInputSchema = z3.object({
+  command: z3.string().min(1),
+  args: z3.array(z3.string()).default([])
+});
+var ProcExecOutputSchema = z3.object({
+  exit_code: z3.number().int(),
+  stdout: z3.string(),
+  stderr: z3.string()
+});
+function buildScopeKey(scope) {
+  if (scope.type === "path") {
+    return `${scope.type}:${scope.access}:${scope.pattern}`;
+  }
+  return `${scope.type}:${scope.posture}`;
+}
+function dedupeScopes(scopes) {
+  const seen = /* @__PURE__ */ new Set();
+  const deduped = [];
+  for (const scope of scopes) {
+    const key = buildScopeKey(scope);
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    deduped.push(scope);
+  }
+  return deduped;
+}
+function buildFailureOutput3(code, message) {
+  return {
+    success: false,
+    error: {
+      code,
+      message
+    }
+  };
+}
+async function runFsRead(input, scopes) {
+  const parsedInput = FsReadInputSchema.safeParse(input);
+  if (!parsedInput.success) {
+    return buildFailureOutput3("INVALID_INPUT", parsedInput.error.message);
+  }
+  const resolvedPath = resolve(parsedInput.data.path);
+  const canReadPath = scopesAllowReadPath(scopes, resolvedPath);
+  if (!canReadPath) {
+    return buildFailureOutput3("SCOPE_VIOLATION", `Path ${resolvedPath} is outside the enforced read scopes for fs:read.`);
+  }
+  const encoding = parsedInput.data.encoding || UTF8_ENCODING;
+  try {
+    const content = await readFile3(resolvedPath, { encoding });
+    return {
+      success: true,
+      data: {
+        path: resolvedPath,
+        content,
+        bytes: Buffer.byteLength(content)
+      }
+    };
+  } catch (error) {
+    return buildFailureOutput3("FS_READ_FAILED", error.message);
+  }
+}
+function scopesAllowReadPath(scopes, filePath) {
+  const readScopes = scopes.filter((scope) => scope.type === "path" && scope.access === "read");
+  if (readScopes.length === 0) {
+    return false;
+  }
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  return readScopes.some((scope) => micromatch.isMatch(normalizedPath, resolve(scope.pattern).replace(/\\/g, "/")));
+}
+function createFsReadCapability(scopes) {
+  return {
+    name: BUILTIN_TOOL_NAMES.FS_READ,
+    domain: "filesystem",
+    version: BUILTIN_TOOL_VERSION,
+    input_schema: FsReadInputSchema,
+    output_schema: FsReadOutputSchema,
+    permission: "read",
+    required_scopes: scopes,
+    handler: {
+      kind: "in-process",
+      fn: (input) => runFsRead(input, scopes)
+    },
+    description: "Read file content from an allowed scope",
+    pack: BUILTIN_PACK_ID
+  };
+}
+function createFsWriteCapability(scopes, entry) {
+  return {
+    name: BUILTIN_TOOL_NAMES.FS_WRITE,
+    domain: "filesystem",
+    version: BUILTIN_TOOL_VERSION,
+    input_schema: FsWriteInputSchema,
+    output_schema: FsWriteOutputSchema,
+    permission: "write",
+    required_scopes: scopes,
+    handler: {
+      kind: "subprocess",
+      entry
+    },
+    description: "Write file content through sandboxed subprocess execution",
+    pack: BUILTIN_PACK_ID
+  };
+}
+function createProcExecCapability(scopes, entry) {
+  return {
+    name: BUILTIN_TOOL_NAMES.PROC_EXEC,
+    domain: "process",
+    version: BUILTIN_TOOL_VERSION,
+    input_schema: ProcExecInputSchema,
+    output_schema: ProcExecOutputSchema,
+    permission: "admin",
+    required_scopes: scopes,
+    handler: {
+      kind: "subprocess",
+      entry
+    },
+    description: "Execute internal subprocess actions for pack tool implementations",
+    pack: BUILTIN_PACK_ID
+  };
+}
+function createBuiltinToolCapabilities(options) {
+  const dedupedScopes = dedupeScopes(options.declaredScopes);
+  const subprocessEntries = {
+    fsWrite: options.subprocessEntries?.fsWrite || BUILTIN_SUBPROCESS_ENTRIES.FS_WRITE,
+    procExec: options.subprocessEntries?.procExec || BUILTIN_SUBPROCESS_ENTRIES.PROC_EXEC
+  };
+  const capabilities = [
+    createFsReadCapability(dedupedScopes),
+    createFsWriteCapability(dedupedScopes, subprocessEntries.fsWrite)
+  ];
+  if (options.includeInternalTools) {
+    capabilities.push(createProcExecCapability(dedupedScopes, subprocessEntries.procExec));
+  }
+  return capabilities;
+}
+function registerBuiltinToolCapabilities(registry, options) {
+  const capabilities = createBuiltinToolCapabilities(options);
+  for (const capability of capabilities) {
+    registry.register(capability);
+  }
+  return capabilities;
+}
+function createBuiltinPolicyHook(options = {}) {
+  const allowInternalProcExec = options.allowInternalProcExec || false;
+  return async (input) => {
+    if (input.capability.name === BUILTIN_TOOL_NAMES.PROC_EXEC && !allowInternalProcExec) {
+      return [
+        {
+          policy_id: BUILTIN_POLICY_IDS.PROC_EXEC_DEFAULT_DENY,
+          decision: "deny",
+          reason: "proc:exec is internal-only and default-denied by workspace policy."
+        }
+      ];
+    }
+    return [
+      {
+        policy_id: BUILTIN_POLICY_IDS.DEFAULT_ALLOW,
+        decision: "allow",
+        reason: "Builtin tool allowed by default policy."
+      }
+    ];
+  };
+}
+
+// ../kernel/dist/tool-host/tool-host.js
+import { randomUUID as randomUUID2 } from "crypto";
+
+// ../kernel/dist/tool-host/scope-intersection.js
+import micromatch2 from "micromatch";
+function toPathScopes(scopes, access2) {
+  return scopes.filter((scope) => scope.type === "path" && scope.access === access2);
+}
+function toNetworkScopes(scopes) {
+  return scopes.filter((scope) => scope.type === "network");
+}
+function patternContains(containerPattern, nestedPattern) {
+  if (containerPattern.startsWith("!") || nestedPattern.startsWith("!")) {
+    return false;
+  }
+  const hasGlobstar = nestedPattern.includes("**");
+  if (hasGlobstar) {
+    const rawExpansions = [
+      // 0 segments: double-star matches empty (strip the globstar segment)
+      nestedPattern.replace(/\*\*\/?/g, "").replace(/\/+/g, "/").replace(/^\/|\/$/g, ""),
+      // 1 segment depth
+      nestedPattern.replace(/\*\*/g, "__depth1__"),
+      // 2 segment depth
+      nestedPattern.replace(/\*\*/g, "__depth2a__/__depth2b__"),
+      // 3 segment depth
+      nestedPattern.replace(/\*\*/g, "__depth3a__/__depth3b__/__depth3c__")
+    ];
+    const testPaths = rawExpansions.map((p) => p.replace(/\*/g, "__segment__")).filter((p) => p.length > 0);
+    const validTestPaths = testPaths.filter((tp) => micromatch2.isMatch(tp, nestedPattern));
+    return validTestPaths.length > 0 && validTestPaths.every((tp) => micromatch2.isMatch(tp, containerPattern));
+  }
+  const testPath = nestedPattern.replace(/\*/g, "__segment__");
+  return micromatch2.isMatch(testPath, containerPattern);
+}
+function patternsOverlap(left, right) {
+  return left === right || patternContains(left, right) || patternContains(right, left) || micromatch2.isMatch(right, left) || micromatch2.isMatch(left, right);
+}
+function allPatternsOverlap(patterns) {
+  for (let i = 0; i < patterns.length; i += 1) {
+    const left = patterns[i];
+    if (left === void 0) {
+      continue;
+    }
+    for (let j = i + 1; j < patterns.length; j += 1) {
+      const right = patterns[j];
+      if (right === void 0) {
+        continue;
+      }
+      if (!patternsOverlap(left, right)) {
+        return false;
+      }
+    }
+  }
+  return true;
+}
+function specificityScore(pattern) {
+  const literalLength = pattern.replace(/[*[\]{}()!?+@]/g, "").length;
+  const wildcardCount = (pattern.match(/\*/g) ?? []).length;
+  return literalLength - wildcardCount * 5;
+}
+function selectNarrowestPattern(patterns) {
+  return [...patterns].sort((left, right) => specificityScore(right) - specificityScore(left))[0] ?? patterns[0] ?? "";
+}
+function intersectPathScopes(workspaceAllowed, laneAllowed, taskDeclared, toolRequired, access2) {
+  const workspace = toPathScopes(workspaceAllowed, access2);
+  const lane = toPathScopes(laneAllowed, access2);
+  const task = toPathScopes(taskDeclared, access2);
+  const tool = toPathScopes(toolRequired, access2);
+  if (workspace.length === 0 || lane.length === 0 || task.length === 0 || tool.length === 0) {
+    return [];
+  }
+  const scopes = /* @__PURE__ */ new Map();
+  for (const toolScope of tool) {
+    for (const workspaceScope of workspace) {
+      if (!patternsOverlap(toolScope.pattern, workspaceScope.pattern)) {
+        continue;
+      }
+      for (const laneScope of lane) {
+        if (!patternsOverlap(toolScope.pattern, laneScope.pattern)) {
+          continue;
+        }
+        for (const taskScope of task) {
+          if (!patternsOverlap(toolScope.pattern, taskScope.pattern)) {
+            continue;
+          }
+          const candidates = [
+            workspaceScope.pattern,
+            laneScope.pattern,
+            taskScope.pattern,
+            toolScope.pattern
+          ];
+          if (!allPatternsOverlap(candidates)) {
+            continue;
+          }
+          const pattern = selectNarrowestPattern(candidates);
+          const dedupeKey = `${access2}:${pattern}`;
+          scopes.set(dedupeKey, {
+            type: "path",
+            access: access2,
+            pattern
+          });
+        }
+      }
+    }
+  }
+  return [...scopes.values()];
+}
+function intersectNetworkScopes(workspaceAllowed, laneAllowed, taskDeclared, toolRequired) {
+  const workspace = toNetworkScopes(workspaceAllowed);
+  const lane = toNetworkScopes(laneAllowed);
+  const task = toNetworkScopes(taskDeclared);
+  const tool = toNetworkScopes(toolRequired);
+  if (workspace.length === 0 || lane.length === 0 || task.length === 0 || tool.length === 0) {
+    return [];
+  }
+  const allLayers = [workspace, lane, task, tool];
+  for (const layer of allLayers) {
+    const hasOnlyOff = layer.every((s) => s.posture === "off");
+    if (hasOnlyOff) {
+      const toolWantsNetwork = tool.some((s) => s.posture !== "off");
+      if (toolWantsNetwork) {
+        return [];
+      }
+    }
+  }
+  const hasAllowlist = allLayers.some((layer) => layer.some((s) => s.posture === "allowlist"));
+  if (hasAllowlist) {
+    const layerEntries = [];
+    for (const layer of allLayers) {
+      const allowlistScopes = layer.filter((s) => s.posture === "allowlist");
+      const hasFullScope = layer.some((s) => s.posture === "full");
+      if (allowlistScopes.length > 0) {
+        const entries = /* @__PURE__ */ new Set();
+        for (const scope of allowlistScopes) {
+          const scopeEntries = "allowlist_entries" in scope ? scope.allowlist_entries : [];
+          for (const entry of scopeEntries) {
+            entries.add(entry);
+          }
+        }
+        layerEntries.push(entries);
+      } else if (hasFullScope) {
+        continue;
+      } else {
+        return [];
+      }
+    }
+    if (layerEntries.length === 0) {
+      return [];
+    }
+    let intersected = layerEntries[0];
+    for (let i = 1; i < layerEntries.length; i++) {
+      const next = layerEntries[i];
+      if (!intersected || !next) {
+        return [];
+      }
+      intersected = new Set([...intersected].filter((entry) => next.has(entry)));
+    }
+    if (!intersected || intersected.size === 0) {
+      return [];
+    }
+    return [
+      {
+        type: "network",
+        posture: "allowlist",
+        allowlist_entries: [...intersected].sort()
+      }
+    ];
+  }
+  const scopes = /* @__PURE__ */ new Map();
+  for (const toolScope of tool) {
+    const posture = toolScope.posture;
+    if (workspace.some((scope) => scope.posture === posture) && lane.some((scope) => scope.posture === posture) && task.some((scope) => scope.posture === posture)) {
+      scopes.set(posture, {
+        type: "network",
+        posture
+      });
+    }
+  }
+  return [...scopes.values()];
+}
+function intersectToolScopes(input) {
+  const readPaths = intersectPathScopes(input.workspaceAllowed, input.laneAllowed, input.taskDeclared, input.toolRequired, "read");
+  const writePaths = intersectPathScopes(input.workspaceAllowed, input.laneAllowed, input.taskDeclared, input.toolRequired, "write");
+  const network = intersectNetworkScopes(input.workspaceAllowed, input.laneAllowed, input.taskDeclared, input.toolRequired);
+  return [...readPaths, ...writePaths, ...network];
+}
+
+// ../kernel/dist/tool-host/subprocess-dispatcher.js
+var DefaultSubprocessDispatcher = class {
+  async dispatch() {
+    return {
+      success: false,
+      error: {
+        code: "SUBPROCESS_NOT_AVAILABLE",
+        message: "Subprocess execution unavailable: no subprocess dispatcher was configured."
+      }
+    };
+  }
+};
+
+// ../kernel/dist/tool-host/tool-host.js
+function resolveMetadata(context) {
+  if (!context.metadata || typeof context.metadata !== "object") {
+    return {};
+  }
+  return context.metadata;
+}
+function parseScopeList(candidate, fallback) {
+  const parsed = ToolScopeSchema.array().safeParse(candidate);
+  if (parsed.success) {
+    return parsed.data;
+  }
+  return fallback;
+}
+function parseOptionalString(candidate) {
+  return typeof candidate === "string" && candidate.trim().length > 0 ? candidate : void 0;
+}
+function normalizeScopePattern(pattern) {
+  return pattern.replaceAll("\\", "/").replace(/^\.\//, "");
+}
+function isReservedFrameworkWriteScope(scope) {
+  if (scope.type !== "path" || scope.access !== "write") {
+    return false;
+  }
+  const normalized = normalizeScopePattern(scope.pattern);
+  return normalized === RESERVED_FRAMEWORK_SCOPE_ROOT || normalized.startsWith(RESERVED_FRAMEWORK_SCOPE_PREFIX);
+}
+function collectReservedFrameworkWriteScopes(scopes) {
+  const blocked = scopes.filter((scope) => isReservedFrameworkWriteScope(scope)).map((scope) => normalizeScopePattern(scope.pattern));
+  return [...new Set(blocked)];
+}
+var ToolHost = class {
+  registry;
+  evidenceStore;
+  subprocessDispatcher;
+  policyHook;
+  runtimeVersion;
+  now;
+  onTraceError;
+  onTraceAppended;
+  constructor(options) {
+    if (!options.policyHook) {
+      throw new Error("ToolHost requires an explicit policyHook. Use allowAllPolicyHook for development or provide a production policy.");
+    }
+    this.registry = options.registry;
+    this.evidenceStore = options.evidenceStore;
+    this.subprocessDispatcher = options.subprocessDispatcher ?? new DefaultSubprocessDispatcher();
+    this.policyHook = options.policyHook;
+    this.runtimeVersion = options.runtimeVersion ?? DEFAULT_KERNEL_RUNTIME_VERSION;
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+    this.onTraceError = options.onTraceError;
+    this.onTraceAppended = options.onTraceAppended;
+  }
+  async onStartup() {
+    return this.evidenceStore.reconcileOrphanedStarts();
+  }
+  async onShutdown() {
+    return this.evidenceStore.reconcileOrphanedStarts();
+  }
+  async execute(name, input, ctx) {
+    const context = ExecutionContextSchema.parse(ctx);
+    const capability = this.registry.lookup(name);
+    if (!capability) {
+      return {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.TOOL_NOT_FOUND,
+          message: `Tool "${name}" is not registered`
+        }
+      };
+    }
+    const metadata = resolveMetadata(context);
+    const { scopeRequested, scopeAllowed, scopeEnforced, reservedFrameworkWriteScopes } = this.resolveScope(capability, context, metadata);
+    const { dataHash: inputHash, dataRef: inputRef } = await this.evidenceStore.persistData(input);
+    const receiptId = randomUUID2();
+    const startedAt = this.now().getTime();
+    const timestamp = new Date(startedAt).toISOString();
+    const workspaceConfigHashCandidate = parseOptionalString(metadata[EXECUTION_METADATA_KEYS.WORKSPACE_CONFIG_HASH]);
+    const workspaceConfigHash = workspaceConfigHashCandidate && SHA256_HEX_REGEX.test(workspaceConfigHashCandidate) ? workspaceConfigHashCandidate : DEFAULT_WORKSPACE_CONFIG_HASH;
+    const runtimeVersion = parseOptionalString(metadata[EXECUTION_METADATA_KEYS.RUNTIME_VERSION]) ?? this.runtimeVersion;
+    const packVersion = parseOptionalString(metadata[EXECUTION_METADATA_KEYS.PACK_VERSION]);
+    const packIntegrity = parseOptionalString(metadata[EXECUTION_METADATA_KEYS.PACK_INTEGRITY]);
+    const packId = capability.pack ?? parseOptionalString(metadata[EXECUTION_METADATA_KEYS.PACK_ID]);
+    const startedEntry = {
+      schema_version: 1,
+      kind: TOOL_TRACE_KINDS.TOOL_CALL_STARTED,
+      receipt_id: receiptId,
+      run_id: context.run_id,
+      task_id: context.task_id,
+      session_id: context.session_id,
+      timestamp,
+      tool_name: capability.name,
+      execution_mode: capability.handler.kind,
+      scope_requested: scopeRequested,
+      scope_allowed: scopeAllowed,
+      scope_enforced: scopeEnforced,
+      input_hash: inputHash,
+      input_ref: inputRef,
+      tool_version: capability.version,
+      pack_id: packId,
+      pack_version: packVersion,
+      pack_integrity: packIntegrity,
+      workspace_config_hash: workspaceConfigHash,
+      runtime_version: runtimeVersion
+    };
+    try {
+      await this.evidenceStore.appendTrace(startedEntry);
+      this.onTraceAppended?.(startedEntry);
+    } catch (error) {
+      this.onTraceError?.(error);
+    }
+    const authResult = await this.authorize({
+      receiptId,
+      startedAt,
+      capability,
+      input,
+      context,
+      scopeRequested,
+      scopeAllowed,
+      scopeEnforced,
+      reservedFrameworkWriteScopes
+    });
+    if (authResult.denied) {
+      return authResult.output;
+    }
+    const parsedInput = capability.input_schema.safeParse(input);
+    if (!parsedInput.success) {
+      const invalidInputOutput = {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.INVALID_INPUT,
+          message: parsedInput.error.message
+        }
+      };
+      try {
+        await this.recordDeniedTrace({
+          receiptId,
+          startedAt,
+          result: "failure",
+          scopeEnforcementNote: "Input validation failed before dispatch.",
+          policyDecisions: authResult.policyDecisions
+        });
+      } catch (error) {
+        this.onTraceError?.(error);
+      }
+      return invalidInputOutput;
+    }
+    let output = await this.dispatch(capability, parsedInput.data, context, scopeEnforced);
+    output = this.normalizeOutput(output, capability);
+    try {
+      await this.recordTrace({
+        receiptId,
+        startedAt,
+        output,
+        policyDecisions: authResult.policyDecisions
+      });
+    } catch (error) {
+      this.onTraceError?.(error);
+    }
+    return output;
+  }
+  resolveScope(capability, context, metadata) {
+    const workspaceAllowed = parseScopeList(metadata[EXECUTION_METADATA_KEYS.WORKSPACE_ALLOWED_SCOPES], context.allowed_scopes);
+    const laneAllowed = parseScopeList(metadata[EXECUTION_METADATA_KEYS.LANE_ALLOWED_SCOPES], context.allowed_scopes);
+    const taskDeclared = parseScopeList(metadata[EXECUTION_METADATA_KEYS.TASK_DECLARED_SCOPES], context.allowed_scopes);
+    const scopeRequested = capability.required_scopes;
+    const reservedFrameworkWriteScopes = collectReservedFrameworkWriteScopes(scopeRequested);
+    const scopeAllowed = intersectToolScopes({
+      workspaceAllowed,
+      laneAllowed,
+      taskDeclared,
+      toolRequired: scopeRequested
+    });
+    const scopeEnforced = scopeAllowed;
+    return { scopeRequested, scopeAllowed, scopeEnforced, reservedFrameworkWriteScopes };
+  }
+  async authorize(params) {
+    const { receiptId, startedAt, capability, input, context, scopeRequested, scopeAllowed, scopeEnforced, reservedFrameworkWriteScopes } = params;
+    if (reservedFrameworkWriteScopes.length > 0) {
+      const output = {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.SCOPE_DENIED,
+          message: `Reserved scope violation: pack/tool write scopes under ${RESERVED_FRAMEWORK_SCOPE_GLOB} are not allowed.`,
+          details: {
+            reserved_scopes: reservedFrameworkWriteScopes
+          }
+        }
+      };
+      try {
+        await this.recordDeniedTrace({
+          receiptId,
+          startedAt,
+          result: "denied",
+          scopeEnforcementNote: `Denied by reserved framework boundary: ${RESERVED_FRAMEWORK_SCOPE_GLOB} is framework-owned.`,
+          policyDecisions: [
+            {
+              policy_id: KERNEL_POLICY_IDS.SCOPE_RESERVED_PATH,
+              decision: "deny",
+              reason: `Pack/tool declared write scope targets reserved ${RESERVED_FRAMEWORK_SCOPE_GLOB} namespace`
+            }
+          ]
+        });
+      } catch (error) {
+        this.onTraceError?.(error);
+      }
+      return { denied: true, output };
+    }
+    if (scopeEnforced.length === 0) {
+      const output = {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.SCOPE_DENIED,
+          message: "Scope intersection denied: no allowed scopes remain after intersection.",
+          details: {
+            scope_requested: scopeRequested,
+            scope_allowed: scopeAllowed
+          }
+        }
+      };
+      try {
+        await this.recordDeniedTrace({
+          receiptId,
+          startedAt,
+          result: "denied",
+          scopeEnforcementNote: "Denied by hard boundary: empty scope intersection.",
+          policyDecisions: [
+            {
+              policy_id: KERNEL_POLICY_IDS.SCOPE_BOUNDARY,
+              decision: "deny",
+              reason: "No intersecting scopes after scope resolution"
+            }
+          ]
+        });
+      } catch (error) {
+        this.onTraceError?.(error);
+      }
+      return { denied: true, output };
+    }
+    const tool_arguments = input !== null && typeof input === "object" && !Array.isArray(input) ? input : void 0;
+    const policyDecisions = await this.policyHook({
+      capability,
+      input,
+      context,
+      scopeEnforced,
+      tool_arguments
+    });
+    if (policyDecisions.some((decision) => decision.decision === "deny")) {
+      const output = {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.POLICY_DENIED,
+          message: "Policy hook denied tool execution."
+        }
+      };
+      try {
+        await this.recordDeniedTrace({
+          receiptId,
+          startedAt,
+          result: "denied",
+          scopeEnforcementNote: "Denied by policy hook decision.",
+          policyDecisions
+        });
+      } catch (error) {
+        this.onTraceError?.(error);
+      }
+      return { denied: true, output };
+    }
+    if (policyDecisions.some((decision) => decision.decision === "approval_required")) {
+      const approvalRequestId = randomUUID2();
+      const approvalReasons = policyDecisions.filter((decision) => decision.decision === "approval_required").map((decision) => decision.reason ?? decision.policy_id);
+      const output = {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.APPROVAL_REQUIRED,
+          message: `Tool execution requires human approval: ${approvalReasons.join("; ")}`,
+          details: {
+            request_id: approvalRequestId,
+            tool_name: capability.name,
+            task_id: context.task_id,
+            run_id: context.run_id,
+            policy_decisions: policyDecisions.filter((decision) => decision.decision === "approval_required")
+          }
+        }
+      };
+      try {
+        await this.recordDeniedTrace({
+          receiptId,
+          startedAt,
+          result: "denied",
+          scopeEnforcementNote: "Blocked pending human approval.",
+          policyDecisions
+        });
+      } catch (error) {
+        this.onTraceError?.(error);
+      }
+      return { denied: true, output };
+    }
+    return { denied: false, policyDecisions };
+  }
+  async dispatch(capability, input, context, scopeEnforced) {
+    try {
+      if (capability.handler.kind === TOOL_HANDLER_KINDS.IN_PROCESS) {
+        return await capability.handler.fn(input, context);
+      }
+      return await this.subprocessDispatcher.dispatch({
+        capability,
+        input,
+        context,
+        scopeEnforced
+      });
+    } catch (error) {
+      return {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.TOOL_EXECUTION_FAILED,
+          message: error.message
+        }
+      };
+    }
+  }
+  normalizeOutput(output, capability) {
+    const normalizedOutputResult = ToolOutputSchema.safeParse(output);
+    if (!normalizedOutputResult.success) {
+      return {
+        success: false,
+        error: {
+          code: TOOL_ERROR_CODES.INVALID_OUTPUT,
+          message: normalizedOutputResult.error.message
+        }
+      };
+    }
+    let normalized = normalizedOutputResult.data;
+    if (capability.output_schema && normalized.success) {
+      const parsedData = capability.output_schema.safeParse(normalized.data);
+      if (!parsedData.success) {
+        normalized = {
+          success: false,
+          error: {
+            code: TOOL_ERROR_CODES.INVALID_OUTPUT,
+            message: parsedData.error.message
+          }
+        };
+      }
+    }
+    return normalized;
+  }
+  async recordDeniedTrace(params) {
+    const finishedAt = this.now();
+    const entry = {
+      schema_version: 1,
+      kind: TOOL_TRACE_KINDS.TOOL_CALL_FINISHED,
+      receipt_id: params.receiptId,
+      timestamp: finishedAt.toISOString(),
+      result: params.result,
+      duration_ms: finishedAt.getTime() - params.startedAt,
+      scope_enforcement_note: params.scopeEnforcementNote,
+      policy_decisions: params.policyDecisions,
+      artifacts_written: []
+    };
+    await this.evidenceStore.appendTrace(entry);
+    this.onTraceAppended?.(entry);
+  }
+  async recordTrace(params) {
+    const { receiptId, startedAt, output, policyDecisions } = params;
+    const outputRef = output.data === void 0 ? void 0 : await this.evidenceStore.persistData(output.data);
+    const outputHash = outputRef?.dataHash;
+    const outputReference = outputRef?.dataRef;
+    const result = output.success ? "success" : output.error?.code === TOOL_ERROR_CODES.SCOPE_DENIED ? "denied" : "failure";
+    const finishedAt = this.now();
+    const entry = {
+      schema_version: 1,
+      kind: TOOL_TRACE_KINDS.TOOL_CALL_FINISHED,
+      receipt_id: receiptId,
+      timestamp: finishedAt.toISOString(),
+      result,
+      duration_ms: finishedAt.getTime() - startedAt,
+      output_hash: outputHash,
+      output_ref: outputReference,
+      scope_enforcement_note: result === "success" ? "Allowed by scope intersection and policy." : "Denied or failed during execution.",
+      policy_decisions: policyDecisions,
+      artifacts_written: Array.isArray(output.metadata?.artifacts_written) && output.metadata?.artifacts_written.every((artifact) => typeof artifact === "string") ? output.metadata.artifacts_written : []
+    };
+    await this.evidenceStore.appendTrace(entry);
+    this.onTraceAppended?.(entry);
+  }
+};
+
+// ../kernel/dist/runtime/kernel-runtime.js
+var DEFAULT_RUNTIME_ROOT = path4.join(LUMENFLOW_DIR_NAME, KERNEL_RUNTIME_ROOT_DIR_NAME);
+var DEFAULT_PACKS_ROOT_CANDIDATES = [
+  PACKS_DIR_NAME,
+  path4.join(PACKAGES_DIR_NAME, LUMENFLOW_SCOPE_NAME, PACKS_DIR_NAME)
+];
+var CLI_PACKAGE_DIRECTORY_NAME = "cli";
+var CLI_PACKS_ROOT_PATH_SEGMENTS = [
+  "..",
+  "..",
+  "..",
+  CLI_PACKAGE_DIRECTORY_NAME,
+  PACKS_DIR_NAME
+];
+var KERNEL_RUNTIME_MODULE_DIR = path4.dirname(fileURLToPath2(import.meta.url));
+var CLI_PACKS_ROOT_CANDIDATE = path4.resolve(KERNEL_RUNTIME_MODULE_DIR, ...CLI_PACKS_ROOT_PATH_SEGMENTS);
+var DEFAULT_PACK_TOOL_INPUT_SCHEMA = z4.record(z4.string(), z4.unknown());
+var DEFAULT_PACK_TOOL_OUTPUT_SCHEMA = z4.record(z4.string(), z4.unknown());
+var JSON_SCHEMA_MAX_DEPTH = 12;
+var RUNTIME_LOAD_STAGE_ERROR_PREFIX = "Runtime load stage failed for pack";
+var RUNTIME_REGISTRATION_STAGE_ERROR_PREFIX = "Runtime registration stage failed for tool";
+var WORKSPACE_UPDATED_INIT_SUMMARY = "Workspace config hash initialized during runtime startup.";
+var SPEC_TAMPERED_ERROR_CODE = "SPEC_TAMPERED";
+var SPEC_TAMPERED_WORKSPACE_MESSAGE = "Workspace configuration hash mismatch detected; execution blocked.";
+var SPEC_TAMPERED_WORKSPACE_MISSING_MESSAGE = "Workspace configuration file is missing; execution blocked.";
+function normalizeTimestamp(now, inputTimestamp) {
+  return inputTimestamp ?? now().toISOString();
+}
+function defaultRunIdFactory(taskId, nextRunNumber) {
+  const suffix = randomBytes(4).toString("hex");
+  return `run-${taskId}-${nextRunNumber}-${suffix}`;
+}
+function isRunLifecycleEvent2(event) {
+  return isRunLifecycleEventKind(event.kind);
+}
+function buildRunHistory(events) {
+  const sortedEvents = [...events].sort((left, right) => {
+    return Date.parse(left.timestamp) - Date.parse(right.timestamp);
+  });
+  const byRun = /* @__PURE__ */ new Map();
+  for (const event of sortedEvents) {
+    if (!isRunLifecycleEvent2(event)) {
+      continue;
+    }
+    const existing = byRun.get(event.run_id);
+    if (event.kind === KERNEL_EVENT_KINDS.RUN_STARTED) {
+      byRun.set(event.run_id, RunSchema.parse({
+        run_id: event.run_id,
+        task_id: event.task_id,
+        status: RUN_STATUSES.EXECUTING,
+        started_at: event.timestamp,
+        by: event.by,
+        session_id: event.session_id
+      }));
+      continue;
+    }
+    const fallback = existing ?? RunSchema.parse({
+      run_id: event.run_id,
+      task_id: event.task_id,
+      status: RUN_STATUSES.PLANNED,
+      started_at: event.timestamp,
+      by: "unknown",
+      session_id: "unknown"
+    });
+    if (event.kind === KERNEL_EVENT_KINDS.RUN_PAUSED) {
+      byRun.set(event.run_id, RunSchema.parse({
+        ...fallback,
+        status: RUN_STATUSES.PAUSED
+      }));
+      continue;
+    }
+    if (event.kind === KERNEL_EVENT_KINDS.RUN_FAILED) {
+      byRun.set(event.run_id, RunSchema.parse({
+        ...fallback,
+        status: RUN_STATUSES.FAILED,
+        completed_at: event.timestamp
+      }));
+      continue;
+    }
+    byRun.set(event.run_id, RunSchema.parse({
+      ...fallback,
+      status: RUN_STATUSES.SUCCEEDED,
+      completed_at: event.timestamp
+    }));
+  }
+  return [...byRun.values()].sort((left, right) => {
+    return Date.parse(left.started_at) - Date.parse(right.started_at);
+  });
+}
+function dedupePolicyDecisions(decisions) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const decision of decisions) {
+    const key = `${decision.policy_id}|${decision.decision}|${decision.reason ?? ""}`;
+    if (!byKey.has(key)) {
+      byKey.set(key, decision);
+    }
+  }
+  return [...byKey.values()];
+}
+function toPolicyHookDecisions(evaluation) {
+  if (evaluation.decisions.length === 0) {
+    return [
+      {
+        policy_id: KERNEL_POLICY_IDS.RUNTIME_FALLBACK,
+        decision: evaluation.decision,
+        reason: "Effective policy decision without explicit matching rules."
+      }
+    ];
+  }
+  if (evaluation.decision === "approval_required") {
+    const hasApprovalRequired = evaluation.decisions.some((decision) => decision.decision === "approval_required");
+    if (!hasApprovalRequired) {
+      return [
+        ...evaluation.decisions,
+        {
+          policy_id: KERNEL_POLICY_IDS.APPROVAL_REQUIRED,
+          decision: "approval_required",
+          reason: "Effective policy decision is approval_required."
+        }
+      ];
+    }
+  }
+  if (evaluation.decision === "deny") {
+    const hasHardDeny = evaluation.decisions.some((decision) => decision.decision === "deny");
+    if (!hasHardDeny) {
+      return [
+        ...evaluation.decisions,
+        {
+          policy_id: KERNEL_POLICY_IDS.RUNTIME_FALLBACK,
+          decision: "deny",
+          reason: "Effective policy decision is deny."
+        }
+      ];
+    }
+  }
+  return evaluation.decisions;
+}
+function mergeStateAliases(loadedPacks) {
+  const aliases = {};
+  const validStates = /* @__PURE__ */ new Set(["ready", "active", "blocked", "waiting", "done"]);
+  for (const loadedPack of loadedPacks) {
+    for (const [state, alias] of Object.entries(loadedPack.manifest.state_aliases)) {
+      if (!validStates.has(state)) {
+        continue;
+      }
+      aliases[state] = alias;
+    }
+  }
+  return aliases;
+}
+function formatRuntimeLoadStageError(packId) {
+  return `${RUNTIME_LOAD_STAGE_ERROR_PREFIX} "${packId}"`;
+}
+function formatRuntimeRegistrationStageError(toolName, packId) {
+  return `${RUNTIME_REGISTRATION_STAGE_ERROR_PREFIX} "${toolName}" in pack "${packId}"`;
+}
+function buildPackToolDescription(toolName, packId) {
+  return `Pack tool ${toolName} declared by ${packId}`;
+}
+function ensureJsonSchemaObject(value, context) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new Error(`${context} must be a JSON Schema object`);
+  }
+  return value;
+}
+function parseJsonSchemaType(schema, context) {
+  const schemaType = schema.type;
+  if (typeof schemaType !== "string") {
+    throw new Error(`${context}.type must be a string`);
+  }
+  return schemaType;
+}
+function isJsonLiteral(value) {
+  return value === null || typeof value === "string" || typeof value === "number" || typeof value === "boolean";
+}
+function buildEnumSchema(enumValues, context) {
+  if (enumValues.length === 0) {
+    throw new Error(`${context}.enum must not be empty`);
+  }
+  if (enumValues.every((value) => typeof value === "string")) {
+    const [firstValue, ...restValues] = enumValues;
+    if (typeof firstValue !== "string") {
+      throw new Error(`${context}.enum must include at least one string value`);
+    }
+    return z4.enum([firstValue, ...restValues]);
+  }
+  if (enumValues.length === 1) {
+    const singleValue = enumValues[0];
+    if (!isJsonLiteral(singleValue)) {
+      throw new Error(`${context}.enum values must be JSON literal values`);
+    }
+    return z4.literal(singleValue);
+  }
+  if (!enumValues.every((value) => isJsonLiteral(value))) {
+    throw new Error(`${context}.enum values must be JSON literal values`);
+  }
+  const literals = enumValues.map((value) => z4.literal(value));
+  const [firstLiteral, ...restLiterals] = literals;
+  if (!firstLiteral) {
+    throw new Error(`${context}.enum must include at least one value`);
+  }
+  return z4.union([firstLiteral, ...restLiterals]);
+}
+function buildStringSchema(schema, context) {
+  let resolved = z4.string();
+  if (typeof schema.minLength === "number") {
+    resolved = resolved.min(schema.minLength);
+  }
+  if (typeof schema.maxLength === "number") {
+    resolved = resolved.max(schema.maxLength);
+  }
+  if (typeof schema.pattern === "string") {
+    try {
+      resolved = resolved.regex(new RegExp(schema.pattern));
+    } catch {
+      throw new Error(`${context}.pattern must be a valid regular expression`);
+    }
+  }
+  return resolved;
+}
+function buildNumberSchema(schema, _context, integerOnly) {
+  let resolved = integerOnly ? z4.number().int() : z4.number();
+  if (typeof schema.minimum === "number") {
+    resolved = resolved.gte(schema.minimum);
+  }
+  if (typeof schema.maximum === "number") {
+    resolved = resolved.lte(schema.maximum);
+  }
+  if (typeof schema.exclusiveMinimum === "number") {
+    resolved = resolved.gt(schema.exclusiveMinimum);
+  }
+  if (typeof schema.exclusiveMaximum === "number") {
+    resolved = resolved.lt(schema.exclusiveMaximum);
+  }
+  return resolved;
+}
+function buildObjectSchema(schema, context, depth) {
+  const propertiesValue = schema.properties ?? {};
+  if (!propertiesValue || typeof propertiesValue !== "object" || Array.isArray(propertiesValue)) {
+    throw new Error(`${context}.properties must be an object when provided`);
+  }
+  const properties = propertiesValue;
+  const requiredValue = schema.required ?? [];
+  if (!Array.isArray(requiredValue)) {
+    throw new Error(`${context}.required must be an array when provided`);
+  }
+  const requiredKeys = new Set(requiredValue.filter((entry) => typeof entry === "string"));
+  const shape = {};
+  for (const [key, childSchemaValue] of Object.entries(properties)) {
+    const childContext = `${context}.properties.${key}`;
+    const childSchema = buildZodSchemaFromJsonSchema(childSchemaValue, childContext, depth + 1);
+    shape[key] = requiredKeys.has(key) ? childSchema : childSchema.optional();
+  }
+  const additionalProperties = schema.additionalProperties;
+  if (additionalProperties === true) {
+    return z4.object(shape).passthrough();
+  }
+  return z4.object(shape).strict();
+}
+function buildArraySchema(schema, context, depth) {
+  if (!("items" in schema)) {
+    throw new Error(`${context}.items is required for array schemas`);
+  }
+  const itemSchema = buildZodSchemaFromJsonSchema(schema.items, `${context}.items`, depth + 1);
+  let resolved = z4.array(itemSchema);
+  if (typeof schema.minItems === "number") {
+    resolved = resolved.min(schema.minItems);
+  }
+  if (typeof schema.maxItems === "number") {
+    resolved = resolved.max(schema.maxItems);
+  }
+  return resolved;
+}
+function buildZodSchemaFromJsonSchema(schemaValue, context, depth) {
+  if (depth > JSON_SCHEMA_MAX_DEPTH) {
+    throw new Error(`${context} exceeded maximum schema depth (${JSON_SCHEMA_MAX_DEPTH})`);
+  }
+  const schema = ensureJsonSchemaObject(schemaValue, context);
+  if ("const" in schema) {
+    if (!isJsonLiteral(schema.const)) {
+      throw new Error(`${context}.const must be a JSON literal value`);
+    }
+    return z4.literal(schema.const);
+  }
+  if (Array.isArray(schema.enum)) {
+    return buildEnumSchema(schema.enum, context);
+  }
+  const schemaType = parseJsonSchemaType(schema, context);
+  if (schemaType === "object") {
+    return buildObjectSchema(schema, context, depth);
+  }
+  if (schemaType === "array") {
+    return buildArraySchema(schema, context, depth);
+  }
+  if (schemaType === "string") {
+    return buildStringSchema(schema, context);
+  }
+  if (schemaType === "number") {
+    return buildNumberSchema(schema, context, false);
+  }
+  if (schemaType === "integer") {
+    return buildNumberSchema(schema, context, true);
+  }
+  if (schemaType === "boolean") {
+    return z4.boolean();
+  }
+  throw new Error(`${context}.type "${schemaType}" is not supported`);
+}
+function parsePackToolJsonSchema(schemaValue, toolName, schemaField) {
+  const context = `${schemaField} for tool "${toolName}"`;
+  try {
+    return buildZodSchemaFromJsonSchema(schemaValue, context, 0);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "unknown schema parsing error";
+    throw new Error(`Invalid ${context}: ${message}`, {
+      cause: error
+    });
+  }
+}
+async function defaultRuntimeToolCapabilityResolver(input) {
+  const resolvedEntry = resolvePackToolEntryPath(input.loadedPack.packRoot, input.tool.entry);
+  const resolvedInputSchema = input.tool.input_schema ? parsePackToolJsonSchema(input.tool.input_schema, input.tool.name, "input_schema") : DEFAULT_PACK_TOOL_INPUT_SCHEMA;
+  const resolvedOutputSchema = input.tool.output_schema ? parsePackToolJsonSchema(input.tool.output_schema, input.tool.name, "output_schema") : DEFAULT_PACK_TOOL_OUTPUT_SCHEMA;
+  return {
+    name: input.tool.name,
+    domain: input.loadedPack.manifest.id,
+    version: input.loadedPack.manifest.version,
+    input_schema: resolvedInputSchema,
+    output_schema: resolvedOutputSchema,
+    permission: input.tool.permission,
+    required_scopes: input.tool.required_scopes,
+    handler: {
+      kind: TOOL_HANDLER_KINDS.SUBPROCESS,
+      entry: resolvedEntry
+    },
+    description: buildPackToolDescription(input.tool.name, input.loadedPack.manifest.id),
+    pack: input.loadedPack.pin.id
+  };
+}
+async function fileExists(targetPath) {
+  try {
+    await access(targetPath);
+    return true;
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return false;
+    }
+    throw error;
+  }
+}
+async function resolvePacksRoot(options) {
+  if (options.packsRoot) {
+    return path4.resolve(options.packsRoot);
+  }
+  const workspaceRoot = path4.resolve(options.workspaceRoot);
+  for (const candidate of DEFAULT_PACKS_ROOT_CANDIDATES) {
+    const absoluteCandidate = path4.resolve(workspaceRoot, candidate);
+    if (await fileExists(absoluteCandidate)) {
+      return absoluteCandidate;
+    }
+  }
+  if (await fileExists(CLI_PACKS_ROOT_CANDIDATE)) {
+    return CLI_PACKS_ROOT_CANDIDATE;
+  }
+  const fallbackCandidate = DEFAULT_PACKS_ROOT_CANDIDATES[0];
+  if (!fallbackCandidate) {
+    throw new Error("No default packs root candidates are configured.");
+  }
+  return path4.resolve(workspaceRoot, fallbackCandidate);
+}
+async function resolveAvailablePackManifests(packsRoot) {
+  let entries;
+  try {
+    entries = await readdir2(packsRoot, { withFileTypes: true });
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
+  const manifests = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    if (!entry.isDirectory()) {
+      continue;
+    }
+    const manifestPath = path4.join(packsRoot, entry.name, PACK_MANIFEST_FILE_NAME);
+    if (!await fileExists(manifestPath)) {
+      continue;
+    }
+    try {
+      const rawManifest = await readFile4(manifestPath, UTF8_ENCODING);
+      const parsedManifest = YAML.parse(rawManifest);
+      if (!parsedManifest || typeof parsedManifest !== "object") {
+        continue;
+      }
+      const id = parsedManifest.id;
+      const version = parsedManifest.version;
+      if (typeof id === "string" && id.length > 0 && typeof version === "string" && version.length > 0) {
+        manifests.set(id, { id, version });
+      }
+    } catch {
+      continue;
+    }
+  }
+  return [...manifests.values()];
+}
+function resolveTaskSpecPath(taskSpecRoot, taskId) {
+  return path4.join(taskSpecRoot, `${taskId}.yaml`);
+}
+async function readTaskSpecFromDisk(taskSpecRoot, taskId) {
+  const taskSpecPath = resolveTaskSpecPath(taskSpecRoot, taskId);
+  try {
+    const yamlText = await readFile4(taskSpecPath, UTF8_ENCODING);
+    return TaskSpecSchema.parse(YAML.parse(yamlText));
+  } catch (error) {
+    const nodeError = error;
+    if (nodeError.code === "ENOENT") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function writeTaskSpecImmutable(taskSpecRoot, task) {
+  await mkdir3(taskSpecRoot, { recursive: true });
+  const taskSpecPath = resolveTaskSpecPath(taskSpecRoot, task.id);
+  const fileHandle = await open3(taskSpecPath, "wx");
+  try {
+    await fileHandle.writeFile(YAML.stringify(task), UTF8_ENCODING);
+  } catch (writeError) {
+    await fileHandle.close();
+    await rm3(taskSpecPath, { force: true });
+    throw writeError;
+  }
+  await fileHandle.close();
+  return taskSpecPath;
+}
+async function resolveWorkspaceSpec(options) {
+  const workspaceRoot = path4.resolve(options.workspaceRoot);
+  const workspaceFilePath = path4.resolve(options.workspaceFilePath ?? path4.join(workspaceRoot, options.workspaceFileName ?? WORKSPACE_FILE_NAME));
+  const raw = await readFile4(workspaceFilePath, UTF8_ENCODING);
+  const rawWorkspaceData = YAML.parse(raw);
+  const workspaceSpec = WorkspaceSpecSchema.parse(rawWorkspaceData);
+  return {
+    workspace_file_path: workspaceFilePath,
+    workspace_spec: workspaceSpec,
+    workspace_config_hash: canonical_json(raw),
+    raw_workspace_data: rawWorkspaceData
+  };
+}
+function buildDefaultPolicyLayers(loadedPacks) {
+  const packRules = loadedPacks.flatMap((loadedPack) => {
+    return loadedPack.manifest.policies.map((policy) => ({
+      id: policy.id,
+      trigger: policy.trigger,
+      decision: policy.decision,
+      reason: policy.reason
+    }));
+  });
+  return [
+    {
+      level: "workspace",
+      default_decision: "allow",
+      allow_loosening: true,
+      rules: []
+    },
+    {
+      level: "lane",
+      rules: []
+    },
+    {
+      level: "pack",
+      rules: packRules
+    },
+    {
+      level: "task",
+      rules: []
+    }
+  ];
+}
+function createRuntimePolicyHook(policyEngine) {
+  const builtinPolicyHook = createBuiltinPolicyHook();
+  return async (input) => {
+    const builtinDecisions = await builtinPolicyHook(input);
+    if (builtinDecisions.some((decision) => decision.decision === "deny")) {
+      return builtinDecisions;
+    }
+    const context = {
+      trigger: POLICY_TRIGGERS.ON_TOOL_REQUEST,
+      run_id: input.context.run_id,
+      task_id: input.context.task_id,
+      tool_name: input.capability.name,
+      pack_id: input.capability.pack,
+      tool_arguments: input.tool_arguments
+    };
+    const evaluation = await policyEngine.evaluate(context);
+    return [...builtinDecisions, ...toPolicyHookDecisions(evaluation)];
+  };
+}
+function resolveReplayTaskFilter(taskId) {
+  return {
+    taskId
+  };
+}
+function resolveExecutionMetadata(context) {
+  if (!context.metadata || typeof context.metadata !== "object") {
+    return {};
+  }
+  return context.metadata;
+}
+var DefaultKernelRuntime = class {
+  workspaceSpec;
+  workspaceFilePath;
+  workspaceConfigHash;
+  loadedPacks;
+  taskSpecRoot;
+  eventStore;
+  evidenceStore;
+  toolHost;
+  policyEngine;
+  stateAliases;
+  now;
+  runIdFactory;
+  pendingApprovals = /* @__PURE__ */ new Map();
+  constructor(options) {
+    this.workspaceSpec = options.workspace_spec;
+    this.workspaceFilePath = options.workspace_file_path;
+    this.workspaceConfigHash = options.workspace_config_hash;
+    this.loadedPacks = options.loaded_packs;
+    this.taskSpecRoot = options.task_spec_root;
+    this.eventStore = options.event_store;
+    this.evidenceStore = options.evidence_store;
+    this.toolHost = options.tool_host;
+    this.policyEngine = options.policy_engine;
+    this.stateAliases = options.state_aliases ?? {};
+    this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+    this.runIdFactory = options.run_id_factory ?? defaultRunIdFactory;
+  }
+  getToolHost() {
+    return this.toolHost;
+  }
+  getPolicyEngine() {
+    return this.policyEngine;
+  }
+  async executeTool(name, input, ctx) {
+    const context = ExecutionContextSchema.parse(ctx);
+    const metadata = resolveExecutionMetadata(context);
+    const expectedHash = this.workspaceConfigHash;
+    let actualHash;
+    let missingWorkspaceFile = false;
+    try {
+      actualHash = await this.computeWorkspaceConfigHash();
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code !== "ENOENT") {
+        throw error;
+      }
+      missingWorkspaceFile = true;
+      actualHash = canonical_json({
+        [WORKSPACE_CONFIG_HASH_CONTEXT_KEYS.WORKSPACE_FILE_MISSING]: this.workspaceFilePath
+      });
+    }
+    if (actualHash !== expectedHash) {
+      const tamperedEvent = {
+        schema_version: 1,
+        kind: KERNEL_EVENT_KINDS.SPEC_TAMPERED,
+        spec: "workspace",
+        id: this.workspaceSpec.id,
+        expected_hash: expectedHash,
+        actual_hash: actualHash,
+        timestamp: normalizeTimestamp(this.now)
+      };
+      await this.eventStore.append(tamperedEvent);
+      return {
+        success: false,
+        error: {
+          code: SPEC_TAMPERED_ERROR_CODE,
+          message: missingWorkspaceFile ? SPEC_TAMPERED_WORKSPACE_MISSING_MESSAGE : SPEC_TAMPERED_WORKSPACE_MESSAGE,
+          details: {
+            workspace_id: this.workspaceSpec.id,
+            workspace_file_path: this.workspaceFilePath,
+            [WORKSPACE_CONFIG_HASH_CONTEXT_KEYS.WORKSPACE_FILE_MISSING]: missingWorkspaceFile,
+            expected_hash: expectedHash,
+            actual_hash: actualHash
+          }
+        }
+      };
+    }
+    const runtimeContext = ExecutionContextSchema.parse({
+      ...context,
+      metadata: {
+        ...metadata,
+        [EXECUTION_METADATA_KEYS.WORKSPACE_CONFIG_HASH]: actualHash
+      }
+    });
+    const output = await this.toolHost.execute(name, input, runtimeContext);
+    if (output.error?.code === TOOL_ERROR_CODES.APPROVAL_REQUIRED) {
+      const details = output.error.details;
+      const requestId = typeof details?.request_id === "string" ? details.request_id : void 0;
+      if (requestId) {
+        this.pendingApprovals.set(requestId, {
+          task_id: context.task_id,
+          run_id: context.run_id,
+          tool_name: name,
+          requested_at: normalizeTimestamp(this.now)
+        });
+        const waitingEvent = {
+          schema_version: 1,
+          kind: KERNEL_EVENT_KINDS.TASK_WAITING,
+          task_id: context.task_id,
+          timestamp: normalizeTimestamp(this.now),
+          reason: `Approval required for tool "${name}"`,
+          wait_for: requestId
+        };
+        await this.eventStore.append(waitingEvent);
+      }
+    }
+    return output;
+  }
+  async createTask(taskSpec) {
+    const parsedTask = TaskSpecSchema.parse(taskSpec);
+    if (parsedTask.workspace_id !== this.workspaceSpec.id) {
+      throw new Error(`Task workspace mismatch: expected ${this.workspaceSpec.id}, got ${parsedTask.workspace_id}`);
+    }
+    const laneExists = this.workspaceSpec.lanes.some((lane) => lane.id === parsedTask.lane_id);
+    if (!laneExists) {
+      throw new Error(`Task lane "${parsedTask.lane_id}" is not declared in workspace lanes.`);
+    }
+    let taskSpecPath;
+    try {
+      taskSpecPath = await writeTaskSpecImmutable(this.taskSpecRoot, parsedTask);
+    } catch (error) {
+      const nodeError = error;
+      if (nodeError.code === "EEXIST") {
+        throw new Error(`Task spec already exists for ${parsedTask.id} and is immutable.`, {
+          cause: error
+        });
+      }
+      throw error;
+    }
+    const createdEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.TASK_CREATED,
+      task_id: parsedTask.id,
+      timestamp: normalizeTimestamp(this.now),
+      spec_hash: canonical_json(parsedTask)
+    };
+    try {
+      await this.eventStore.append(createdEvent);
+    } catch (eventError) {
+      await rm3(taskSpecPath, { force: true });
+      throw eventError;
+    }
+    return {
+      task: parsedTask,
+      task_spec_path: taskSpecPath,
+      event: createdEvent
+    };
+  }
+  async claimTask(input) {
+    const task = await this.requireTaskSpec(input.task_id);
+    const projected = await this.projectTaskState(task.id);
+    assertTransition(projected.status, "active", task.id, this.stateAliases);
+    const runId = this.runIdFactory(task.id, projected.run_count + 1);
+    const policy = await this.policyEngine.evaluate({
+      trigger: POLICY_TRIGGERS.ON_CLAIM,
+      run_id: runId,
+      task_id: task.id,
+      lane_id: task.lane_id,
+      pack_id: task.domain
+    });
+    if (policy.decision === "deny") {
+      throw new Error(`Policy denied claim for ${task.id}.`);
+    }
+    const claimedTimestamp = normalizeTimestamp(this.now, input.timestamp);
+    const claimedEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.TASK_CLAIMED,
+      task_id: task.id,
+      timestamp: claimedTimestamp,
+      by: input.by,
+      session_id: input.session_id,
+      domain_data: input.domain_data
+    };
+    const runStartedEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.RUN_STARTED,
+      task_id: task.id,
+      run_id: runId,
+      timestamp: claimedTimestamp,
+      by: input.by,
+      session_id: input.session_id
+    };
+    await this.eventStore.appendAll([claimedEvent, runStartedEvent]);
+    return {
+      task_id: task.id,
+      run: RunSchema.parse({
+        run_id: runId,
+        task_id: task.id,
+        status: RUN_STATUSES.EXECUTING,
+        started_at: runStartedEvent.timestamp,
+        by: input.by,
+        session_id: input.session_id
+      }),
+      events: [claimedEvent, runStartedEvent],
+      policy
+    };
+  }
+  async blockTask(input) {
+    const task = await this.requireTaskSpec(input.task_id);
+    const projected = await this.projectTaskState(task.id);
+    assertTransition(projected.status, "blocked", task.id, this.stateAliases);
+    const reason = input.reason.trim();
+    if (reason.length === 0) {
+      throw new Error(`Cannot block ${task.id}: reason is required.`);
+    }
+    const blockedEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.TASK_BLOCKED,
+      task_id: task.id,
+      timestamp: normalizeTimestamp(this.now, input.timestamp),
+      reason
+    };
+    await this.eventStore.append(blockedEvent);
+    return {
+      task_id: task.id,
+      event: blockedEvent
+    };
+  }
+  async unblockTask(input) {
+    const task = await this.requireTaskSpec(input.task_id);
+    const projected = await this.projectTaskState(task.id);
+    assertTransition(projected.status, "active", task.id, this.stateAliases);
+    const unblockedEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.TASK_UNBLOCKED,
+      task_id: task.id,
+      timestamp: normalizeTimestamp(this.now, input.timestamp)
+    };
+    await this.eventStore.append(unblockedEvent);
+    return {
+      task_id: task.id,
+      event: unblockedEvent
+    };
+  }
+  async completeTask(input) {
+    const task = await this.requireTaskSpec(input.task_id);
+    const projected = await this.projectTaskState(task.id);
+    assertTransition(projected.status, "done", task.id, this.stateAliases);
+    const runId = input.run_id ?? projected.current_run?.run_id;
+    if (!runId) {
+      throw new Error(`Cannot complete ${task.id}: no active run found.`);
+    }
+    const policy = await this.policyEngine.evaluate({
+      trigger: POLICY_TRIGGERS.ON_COMPLETION,
+      run_id: runId,
+      task_id: task.id,
+      lane_id: task.lane_id,
+      pack_id: task.domain
+    });
+    if (policy.decision === "deny") {
+      throw new Error(`Policy denied completion for ${task.id}.`);
+    }
+    const completedTimestamp = normalizeTimestamp(this.now, input.timestamp);
+    const runSucceededEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.RUN_SUCCEEDED,
+      task_id: task.id,
+      run_id: runId,
+      timestamp: completedTimestamp,
+      evidence_refs: input.evidence_refs
+    };
+    const taskCompletedEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.TASK_COMPLETED,
+      task_id: task.id,
+      timestamp: completedTimestamp,
+      evidence_refs: input.evidence_refs
+    };
+    await this.eventStore.appendAll([runSucceededEvent, taskCompletedEvent]);
+    await this.evidenceStore.pruneTask(task.id);
+    return {
+      task_id: task.id,
+      run_id: runId,
+      events: [runSucceededEvent, taskCompletedEvent],
+      policy
+    };
+  }
+  async inspectTask(taskId) {
+    const task = await this.requireTaskSpec(taskId);
+    const replayResult = await this.eventStore.replay(resolveReplayTaskFilter(taskId));
+    const events = replayResult.events;
+    const state = projectTaskState(task, events);
+    const runHistory = buildRunHistory(events);
+    const receipts = await this.readReceiptsForTask(taskId);
+    const receiptDecisions = receipts.flatMap((receipt) => {
+      if (receipt.kind === TOOL_TRACE_KINDS.TOOL_CALL_FINISHED) {
+        return receipt.policy_decisions;
+      }
+      return [];
+    });
+    const completionDecisions = state.status === "done" ? await this.evaluateCompletionPolicy(task, state) : [];
+    return {
+      task_id: taskId,
+      task,
+      state,
+      run_history: runHistory,
+      receipts,
+      policy_decisions: dedupePolicyDecisions([...receiptDecisions, ...completionDecisions]),
+      events
+    };
+  }
+  async resolveApproval(input) {
+    const pending = this.pendingApprovals.get(input.request_id);
+    if (!pending) {
+      throw new Error(`No pending approval found for request_id "${input.request_id}"`);
+    }
+    this.pendingApprovals.delete(input.request_id);
+    const resumedEvent = {
+      schema_version: 1,
+      kind: KERNEL_EVENT_KINDS.TASK_RESUMED,
+      task_id: pending.task_id,
+      timestamp: normalizeTimestamp(this.now)
+    };
+    await this.eventStore.append(resumedEvent);
+    return {
+      request_id: input.request_id,
+      approved: input.approved,
+      task_id: pending.task_id,
+      run_id: pending.run_id
+    };
+  }
+  async requireTaskSpec(taskId) {
+    const loaded = await readTaskSpecFromDisk(this.taskSpecRoot, taskId);
+    if (!loaded) {
+      throw new Error(`Task spec not found for ${taskId}`);
+    }
+    return loaded;
+  }
+  async projectTaskState(taskId) {
+    const task = await this.requireTaskSpec(taskId);
+    const { events } = await this.eventStore.replay(resolveReplayTaskFilter(taskId));
+    return projectTaskState(task, events);
+  }
+  async evaluateCompletionPolicy(task, state) {
+    const runId = state.current_run?.run_id;
+    if (!runId) {
+      return [];
+    }
+    const evaluation = await this.policyEngine.evaluate({
+      trigger: POLICY_TRIGGERS.ON_COMPLETION,
+      run_id: runId,
+      task_id: task.id,
+      lane_id: task.lane_id,
+      pack_id: task.domain
+    });
+    return evaluation.decisions;
+  }
+  async computeWorkspaceConfigHash() {
+    const raw = await readFile4(this.workspaceFilePath, UTF8_ENCODING);
+    return canonical_json(raw);
+  }
+  async readReceiptsForTask(taskId) {
+    const indexed = await this.evidenceStore.readTracesByTaskId(taskId);
+    if (indexed.length > 0) {
+      return indexed;
+    }
+    const traces = await this.evidenceStore.readTraces();
+    const receiptIds = /* @__PURE__ */ new Set();
+    for (const trace of traces) {
+      if (trace.kind !== TOOL_TRACE_KINDS.TOOL_CALL_STARTED) {
+        continue;
+      }
+      if (trace.task_id === taskId) {
+        receiptIds.add(trace.receipt_id);
+      }
+    }
+    return traces.filter((trace) => {
+      if (trace.kind === TOOL_TRACE_KINDS.TOOL_CALL_STARTED) {
+        return trace.task_id === taskId;
+      }
+      return receiptIds.has(trace.receipt_id);
+    });
+  }
+};
+async function initializeKernelRuntime(options) {
+  const workspaceRoot = path4.resolve(options.workspaceRoot);
+  const resolvedWorkspace = await resolveWorkspaceSpec(options);
+  const workspaceSpec = resolvedWorkspace.workspace_spec;
+  const packsRoot = await resolvePacksRoot(options);
+  const availableManifests = await resolveAvailablePackManifests(packsRoot);
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  const taskSpecRoot = path4.resolve(options.taskSpecRoot ?? path4.join(workspaceRoot, DEFAULT_RUNTIME_ROOT, KERNEL_RUNTIME_TASKS_DIR_NAME));
+  const eventsFilePath = path4.resolve(options.eventsFilePath ?? path4.join(workspaceRoot, DEFAULT_RUNTIME_ROOT, KERNEL_RUNTIME_EVENTS_DIR_NAME, KERNEL_RUNTIME_EVENTS_FILE_NAME));
+  const eventLockFilePath = path4.resolve(options.eventLockFilePath ?? path4.join(workspaceRoot, DEFAULT_RUNTIME_ROOT, KERNEL_RUNTIME_EVENTS_DIR_NAME, KERNEL_RUNTIME_EVENTS_LOCK_FILE_NAME));
+  const evidenceRoot = path4.resolve(options.evidenceRoot ?? path4.join(workspaceRoot, DEFAULT_RUNTIME_ROOT, KERNEL_RUNTIME_EVIDENCE_DIR_NAME));
+  const packLoader = new PackLoader({ packsRoot });
+  const loadedPacks = [];
+  for (const pin of workspaceSpec.packs) {
+    let loadedPack;
+    try {
+      loadedPack = await packLoader.load({
+        workspaceSpec,
+        packId: pin.id
+      });
+    } catch (error) {
+      throw new Error(formatRuntimeLoadStageError(pin.id), { cause: error });
+    }
+    loadedPacks.push(loadedPack);
+  }
+  const rootKeyValidation = validateWorkspaceRootKeys(resolvedWorkspace.raw_workspace_data, loadedPacks.map((lp) => lp.manifest), availableManifests);
+  if (!rootKeyValidation.valid) {
+    const keyList = rootKeyValidation.errors.join("\n  - ");
+    throw new Error(`Workspace root-key validation failed:
+  - ${keyList}`);
+  }
+  const registry = new ToolRegistry();
+  if (options.includeBuiltinTools !== false) {
+    registerBuiltinToolCapabilities(registry, {
+      declaredScopes: workspaceSpec.security.allowed_scopes
+    });
+  }
+  const toolCapabilityResolver = options.toolCapabilityResolver ?? defaultRuntimeToolCapabilityResolver;
+  for (const loadedPack of loadedPacks) {
+    for (const tool of loadedPack.manifest.tools) {
+      let capability;
+      try {
+        capability = await toolCapabilityResolver({
+          workspaceSpec,
+          loadedPack,
+          tool
+        });
+      } catch (error) {
+        throw new Error(formatRuntimeRegistrationStageError(tool.name, loadedPack.pin.id), {
+          cause: error
+        });
+      }
+      if (capability) {
+        registry.register(capability);
+      }
+    }
+  }
+  const policyEngine = new PolicyEngine({
+    layers: options.policyLayers ?? buildDefaultPolicyLayers(loadedPacks)
+  });
+  const evidenceStore = new EvidenceStore({ evidenceRoot });
+  const eventStoreOptions = {
+    eventsFilePath,
+    lockFilePath: eventLockFilePath,
+    taskSpecLoader: async (taskId) => readTaskSpecFromDisk(taskSpecRoot, taskId)
+  };
+  const eventStore = new EventStore(eventStoreOptions);
+  const workspaceUpdatedEvent = {
+    schema_version: 1,
+    kind: KERNEL_EVENT_KINDS.WORKSPACE_UPDATED,
+    timestamp: normalizeTimestamp(now),
+    config_hash: resolvedWorkspace.workspace_config_hash,
+    changes_summary: WORKSPACE_UPDATED_INIT_SUMMARY
+  };
+  await eventStore.append(workspaceUpdatedEvent);
+  const toolHost = new ToolHost({
+    registry,
+    evidenceStore,
+    subprocessDispatcher: options.subprocessDispatcher || new SandboxSubprocessDispatcher({
+      workspaceRoot,
+      ...options.sandboxSubprocessDispatcherOptions
+    }),
+    policyHook: createRuntimePolicyHook(policyEngine),
+    runtimeVersion: options.runtimeVersion
+  });
+  await toolHost.onStartup();
+  return new DefaultKernelRuntime({
+    workspace_spec: workspaceSpec,
+    workspace_file_path: resolvedWorkspace.workspace_file_path,
+    workspace_config_hash: resolvedWorkspace.workspace_config_hash,
+    loaded_packs: loadedPacks,
+    task_spec_root: taskSpecRoot,
+    event_store: eventStore,
+    evidence_store: evidenceStore,
+    tool_host: toolHost,
+    policy_engine: policyEngine,
+    state_aliases: mergeStateAliases(loadedPacks),
+    now,
+    run_id_factory: options.runIdFactory
+  });
+}
+
+export {
+  initializeKernelRuntime
+};