@manehorizons/cadence-core 1.1.1

package/dist/verify/prompter.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Abstract one-line prompt. `ask(question)` writes the question to the output
+ * stream and resolves with the user's reply (without trailing newline).
+ *
+ * Production: `StdinPrompter` over `readline/promises`. Tests: `ScriptedPrompter`.
+ */
+export interface Prompter {
+    ask(question: string): Promise<string>;
+    close?(): Promise<void> | void;
+}
+export interface StdinPrompterOptions {
+    input?: NodeJS.ReadableStream & {
+        isTTY?: boolean;
+    };
+    output?: NodeJS.WritableStream;
+}
+/**
+ * Real prompter backed by stdin/stdout. Refuses to construct when the input
+ * stream is not a TTY (CI, piped invocations) — the caller must bypass via
+ * `--no-interactive` or fall through to other gates.
+ */
+export declare class StdinPrompter implements Prompter {
+    private readonly rl;
+    constructor(opts?: StdinPrompterOptions);
+    ask(question: string): Promise<string>;
+    close(): void;
+}
+/**
+ * Deterministic prompter for tests. Returns pre-seeded answers in order;
+ * throws on exhaustion so tests fail fast when the prompt count drifts.
+ */
+export declare class ScriptedPrompter implements Prompter {
+    private readonly answers;
+    private cursor;
+    constructor(answers: string[]);
+    ask(_question: string): Promise<string>;
+    /** Indexed for assertions. */
+    get used(): number;
+}
+//# sourceMappingURL=prompter.d.ts.map

package/dist/verify/prompter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompter.d.ts","sourceRoot":"","sources":["../../src/verify/prompter.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CAChC;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC,cAAc,GAAG;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;IACpD,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;CAChC;AAED;;;;GAIG;AACH,qBAAa,aAAc,YAAW,QAAQ;IAC5C,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAY;gBAEnB,IAAI,GAAE,oBAAyB;IAWrC,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK5C,KAAK,IAAI,IAAI;CAGd;AAED;;;GAGG;AACH,qBAAa,gBAAiB,YAAW,QAAQ;IAEnC,OAAO,CAAC,QAAQ,CAAC,OAAO;IADpC,OAAO,CAAC,MAAM,CAAK;gBACU,OAAO,EAAE,MAAM,EAAE;IAExC,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAW7C,8BAA8B;IAC9B,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/verify/prompter.js

@@ -0,0 +1,48 @@
+import { createInterface } from 'node:readline/promises';
+/**
+ * Real prompter backed by stdin/stdout. Refuses to construct when the input
+ * stream is not a TTY (CI, piped invocations) — the caller must bypass via
+ * `--no-interactive` or fall through to other gates.
+ */
+export class StdinPrompter {
+    rl;
+    constructor(opts = {}) {
+        const input = opts.input ?? process.stdin;
+        const output = opts.output ?? process.stdout;
+        if (input === process.stdin && !process.stdin.isTTY) {
+            throw new Error('StdinPrompter: stdin is not a TTY. Use --no-interactive to bypass or pipe answers via a scripted prompter.');
+        }
+        this.rl = createInterface({ input, output });
+    }
+    async ask(question) {
+        const answer = await this.rl.question(question);
+        return answer;
+    }
+    close() {
+        this.rl.close();
+    }
+}
+/**
+ * Deterministic prompter for tests. Returns pre-seeded answers in order;
+ * throws on exhaustion so tests fail fast when the prompt count drifts.
+ */
+export class ScriptedPrompter {
+    answers;
+    cursor = 0;
+    constructor(answers) {
+        this.answers = answers;
+    }
+    async ask(_question) {
+        if (this.cursor >= this.answers.length) {
+            throw new Error(`ScriptedPrompter exhausted after ${this.answers.length} answer(s). Last question: ${_question}`);
+        }
+        const answer = this.answers[this.cursor];
+        this.cursor += 1;
+        return answer;
+    }
+    /** Indexed for assertions. */
+    get used() {
+        return this.cursor;
+    }
+}
+//# sourceMappingURL=prompter.js.map

package/dist/verify/prompter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompter.js","sourceRoot":"","sources":["../../src/verify/prompter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAkB,MAAM,wBAAwB,CAAC;AAkBzE;;;;GAIG;AACH,MAAM,OAAO,aAAa;IACP,EAAE,CAAY;IAE/B,YAAY,OAA6B,EAAE;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAK,OAAO,CAAC,KAAqD,CAAC;QAC3F,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;QAC7C,IAAI,KAAK,KAAK,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CACb,4GAA4G,CAC7G,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,QAAgB;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAChD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IAEE;IADrB,MAAM,GAAG,CAAC,CAAC;IACnB,YAA6B,OAAiB;QAAjB,YAAO,GAAP,OAAO,CAAU;IAAG,CAAC;IAElD,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,oCAAoC,IAAI,CAAC,OAAO,CAAC,MAAM,8BAA8B,SAAS,EAAE,CACjG,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAE,CAAC;QAC1C,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC;QACjB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,8BAA8B;IAC9B,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF"}

package/dist/verify/security-audit-factory.d.ts

@@ -0,0 +1,103 @@
+import { type SecurityAuditVerifier } from './security-audit.js';
+import { type VerifierSelectOptions } from './verifier-factory.js';
+/** @deprecated alias of `VerifierSelectOptions` (kept for API stability). */
+export type SelectSecurityAuditVerifierOptions = VerifierSelectOptions;
+/** Picks the security-audit verifier given config + env (Phase 25.2). */
+export declare const selectSecurityAuditVerifier: (config: Pick<{
+    schemaVersion: 1;
+    profile: "strict" | "standard" | "auto";
+    loopEnforcement: "strict" | "soft" | "reminder";
+    acDiscipline: "strict" | "tier-scaled" | "optional";
+    workstreamBackend: string;
+    ruleProvider: string;
+    subagentPolicy: {
+        contextBudgetThreshold: number;
+        largeTaskTokens: number;
+        mechanicalBatchMin: number;
+    };
+    modelPerClass: {
+        standard: string;
+        mechanical: string;
+        complex: string;
+        drafting: string;
+    };
+    commitCadence: "task" | "draft" | "manual";
+    templates: {
+        dir: string;
+        overrides: string[];
+    };
+    hooks: {
+        sessionStart: boolean;
+        stopReminder: boolean;
+        preToolUseBuildGate: boolean;
+        userPromptSubmit: boolean;
+    };
+    packs: {
+        enabled: string[];
+        disabled: string[];
+    };
+    telemetry: {
+        tokenUtilization: boolean;
+        skillInvocations: boolean;
+        remoteOptIn: boolean;
+    };
+    skillAudit: {
+        required: string[];
+    };
+    convergence: {
+        maxAttempts: number;
+    };
+    specReview: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    tier: {
+        standard: {
+            maxTasks: number;
+            maxFiles: number;
+        };
+        complex: {
+            maxTasks: number;
+            minTasks: number;
+        };
+        quickFix: {
+            maxTasks: number;
+            maxFiles: number;
+        };
+    };
+    verification: {
+        testGlobs: string[];
+        testCommand?: string | undefined;
+    };
+    verifier: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    perTaskVerifier: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    codeReview: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    planReview: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    securityAudit: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    notify: {
+        transport: "stderr" | "file" | "none" | "webhook";
+        file?: string | undefined;
+        webhook?: {
+            url: string;
+            headers?: Record<string, string> | undefined;
+            timeoutMs?: number | undefined;
+        } | undefined;
+    };
+    $schema?: string | undefined;
+}, "securityAudit"> | null, opts?: VerifierSelectOptions) => SecurityAuditVerifier;
+//# sourceMappingURL=security-audit-factory.d.ts.map

package/dist/verify/security-audit-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-audit-factory.d.ts","sourceRoot":"","sources":["../../src/verify/security-audit-factory.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,KAAK,qBAAqB,EAC3B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAEL,KAAK,qBAAqB,EAC3B,MAAM,uBAAuB,CAAC;AAE/B,6EAA6E;AAC7E,MAAM,MAAM,kCAAkC,GAAG,qBAAqB,CAAC;AAEvE,yEAAyE;AACzE,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;aAU0xY,CAAC;;;;;;;;;;;;;;;;;;mBAAoY,CAAC;;;;aAA4G,CAAC;;;;aAAmH,CAAC;;;;aAA8G,CAAC;;;;aAA8G,CAAC;;;;aAAiH,CAAC;;;;YAAkH,CAAC;eAAqC,CAAC;;mBAAgD,CAAC;qBAA2D,CAAC;;;;kFAD7/a,CAAC"}

package/dist/verify/security-audit-factory.js

@@ -0,0 +1,11 @@
+import { AnthropicSecurityAuditVerifier, LocalSecurityAuditVerifier, MockSecurityAuditVerifier, } from './security-audit.js';
+import { createVerifierFactory, } from './verifier-factory.js';
+/** Picks the security-audit verifier given config + env (Phase 25.2). */
+export const selectSecurityAuditVerifier = createVerifierFactory({
+    label: 'security-audit',
+    read: (c) => c?.securityAudit,
+    mock: () => new MockSecurityAuditVerifier(),
+    anthropic: (o) => new AnthropicSecurityAuditVerifier(o),
+    local: (o) => new LocalSecurityAuditVerifier(o),
+});
+//# sourceMappingURL=security-audit-factory.js.map

package/dist/verify/security-audit-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-audit-factory.js","sourceRoot":"","sources":["../../src/verify/security-audit-factory.ts"],"names":[],"mappings":"AACA,OAAO,EACL,8BAA8B,EAC9B,0BAA0B,EAC1B,yBAAyB,GAE1B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,qBAAqB,GAEtB,MAAM,uBAAuB,CAAC;AAK/B,yEAAyE;AACzE,MAAM,CAAC,MAAM,2BAA2B,GAAG,qBAAqB,CAG9D;IACA,KAAK,EAAE,gBAAgB;IACvB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,aAAa;IAC7B,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,yBAAyB,EAAE;IAC3C,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,8BAA8B,CAAC,CAAC,CAAC;IACvD,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,0BAA0B,CAAC,CAAC,CAAC;CAChD,CAAC,CAAC"}

package/dist/verify/security-audit.d.ts

@@ -0,0 +1,63 @@
+import Anthropic from '@anthropic-ai/sdk';
+import type { Finding } from '@manehorizons/cadence-types';
+/**
+ * Phase 25.2 — security-audit verifier. The final, most expensive gate:
+ * fires at `cadence settle run` after code-review and before SUMMARY write
+ * when `'security-audit'` is in the effective gate set (strict×complex
+ * only — the rarest cell). CRITICAL findings refuse settle unless
+ * `--force` / `--allow-security-audit-failure`. All findings (any
+ * severity) land on `SUMMARY.securityAudit`.
+ */
+export interface SecurityAuditInput {
+    /** Touched files (union across draft tasks). Scopes the diff + prompt. */
+    files: string[];
+    /** Unified diff (`git diff HEAD -- <files>`). May be empty. */
+    diff: string;
+}
+export interface SecurityAuditResult {
+    /** Flat finding list (not per-file — security issues span files). */
+    findings: Finding[];
+    provider: string;
+    model?: string;
+}
+export interface SecurityAuditVerifier {
+    readonly name: string;
+    verify(input: SecurityAuditInput): Promise<SecurityAuditResult>;
+}
+/**
+ * Deterministic mock — walks the unified diff and flags every added line
+ * carrying a hardcoded `Authorization:` header value or a JWT-shaped string
+ * as CRITICAL. Empty diff (or no matches) returns no findings. The rule is
+ * intentionally narrow: real OWASP review lives in the Anthropic provider.
+ */
+export declare class MockSecurityAuditVerifier implements SecurityAuditVerifier {
+    readonly name = "mock";
+    verify(input: SecurityAuditInput): Promise<SecurityAuditResult>;
+}
+export interface AnthropicSecurityAuditVerifierOptions {
+    apiKey?: string;
+    model?: string;
+    maxTokens?: number;
+    /** Inject a client for tests; production callers should omit this. */
+    client?: Anthropic;
+}
+export declare class AnthropicSecurityAuditVerifier implements SecurityAuditVerifier {
+    readonly name = "anthropic";
+    private readonly client;
+    private readonly model;
+    private readonly maxTokens;
+    constructor(opts?: AnthropicSecurityAuditVerifierOptions);
+    verify(input: SecurityAuditInput): Promise<SecurityAuditResult>;
+}
+export interface LocalSecurityAuditVerifierOptions {
+    baseURL: string;
+    model: string;
+    transport?: typeof fetch;
+}
+export declare class LocalSecurityAuditVerifier implements SecurityAuditVerifier {
+    private readonly o;
+    readonly name = "local";
+    constructor(o: LocalSecurityAuditVerifierOptions);
+    verify(input: SecurityAuditInput): Promise<SecurityAuditResult>;
+}
+//# sourceMappingURL=security-audit.d.ts.map

package/dist/verify/security-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-audit.d.ts","sourceRoot":"","sources":["../../src/verify/security-audit.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,mBAAmB,CAAC;AAG1C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,6BAA6B,CAAC;AAG3D;;;;;;;GAOG;AAEH,MAAM,WAAW,kBAAkB;IACjC,0EAA0E;IAC1E,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,+DAA+D;IAC/D,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,mBAAmB;IAClC,qEAAqE;IACrE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;CACjE;AAQD;;;;;GAKG;AACH,qBAAa,yBAA0B,YAAW,qBAAqB;IACrE,QAAQ,CAAC,IAAI,UAAU;IAEjB,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;CA+CtE;AA2BD,MAAM,WAAW,qCAAqC;IACpD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,MAAM,CAAC,EAAE,SAAS,CAAC;CACpB;AAED,qBAAa,8BACX,YAAW,qBAAqB;IAEhC,QAAQ,CAAC,IAAI,eAAe;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAY;IACnC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,IAAI,GAAE,qCAA0C;IAgBtD,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAiDtE;AAED,MAAM,WAAW,iCAAiC;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAED,qBAAa,0BAA2B,YAAW,qBAAqB;IAE1D,OAAO,CAAC,QAAQ,CAAC,CAAC;IAD9B,QAAQ,CAAC,IAAI,WAAW;gBACK,CAAC,EAAE,iCAAiC;IAE3D,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAsBtE"}

package/dist/verify/security-audit.js

@@ -0,0 +1,196 @@
+import Anthropic from '@anthropic-ai/sdk';
+import { zodOutputFormat } from '@anthropic-ai/sdk/helpers/zod';
+import { z } from 'zod/v4';
+import { localChatJSON } from './local-client.js';
+/** `Authorization:` header carrying a literal credential value. */
+const AUTH_HEADER_RE = /authorization['"\s:=]+\s*(?:bearer|basic|token)\s+\S+/i;
+/** A JWT-shaped string: three dot-separated base64url segments after `eyJ`. */
+const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/;
+/**
+ * Deterministic mock — walks the unified diff and flags every added line
+ * carrying a hardcoded `Authorization:` header value or a JWT-shaped string
+ * as CRITICAL. Empty diff (or no matches) returns no findings. The rule is
+ * intentionally narrow: real OWASP review lives in the Anthropic provider.
+ */
+export class MockSecurityAuditVerifier {
+    name = 'mock';
+    async verify(input) {
+        const findings = [];
+        if (input.diff.trim().length === 0) {
+            return { findings, provider: this.name };
+        }
+        let inFile = false;
+        let postLine = 0;
+        for (const raw of input.diff.split('\n')) {
+            if (raw.startsWith('+++ ')) {
+                const m = /^\+\+\+\s+(?:b\/)?(.+?)\s*$/.exec(raw);
+                inFile = !!(m && m[1] && m[1] !== '/dev/null');
+                continue;
+            }
+            if (raw.startsWith('--- '))
+                continue;
+            if (raw.startsWith('@@')) {
+                const m = /\+(\d+)(?:,\d+)?/.exec(raw);
+                postLine = m ? Number.parseInt(m[1], 10) : 0;
+                continue;
+            }
+            if (!inFile || raw.startsWith('++'))
+                continue;
+            if (raw.startsWith('+')) {
+                const body = raw.slice(1);
+                if (AUTH_HEADER_RE.test(body)) {
+                    findings.push({
+                        severity: 'critical',
+                        message: 'hardcoded Authorization header',
+                        line: postLine,
+                    });
+                }
+                if (JWT_RE.test(body)) {
+                    findings.push({
+                        severity: 'critical',
+                        message: 'hardcoded JWT-shaped credential',
+                        line: postLine,
+                    });
+                }
+                postLine += 1;
+            }
+            else if (raw.startsWith('-')) {
+                // pre-image line — does not advance the post-image counter
+            }
+            else {
+                postLine += 1;
+            }
+        }
+        return { findings, provider: this.name };
+    }
+}
+const FindingResponseSchema = z.object({
+    severity: z.enum(['critical', 'high', 'medium', 'low']),
+    message: z.string(),
+    line: z.number().int().positive().optional(),
+});
+const SecurityAuditResponseSchema = z.object({
+    findings: z.array(FindingResponseSchema),
+});
+const SYSTEM_PROMPT = `You are an independent application security auditor for an AI-assisted development tool called CADENCE.
+
+You receive the touched files and unified diff for a development phase. Perform an OWASP-aware security pass. Prioritize:
+- hardcoded secrets / credentials / tokens / private keys in source → critical
+- injection (SQL, command, path traversal, SSRF, template) reachable from untrusted input → critical
+- broken authn/authz, missing access checks on sensitive operations → critical
+- unsafe deserialization, prototype pollution, insecure crypto / weak randomness for security use → high
+- sensitive data in logs, missing input validation that is exploitable → high
+- defense-in-depth gaps that are not directly exploitable → medium
+- hardening nits → low
+
+Use severities exactly: "critical" | "high" | "medium" | "low". Only report issues you can tie to the diff. If there are none, return an empty findings array. Keep each message ≤ 200 characters. Return strict JSON matching the requested schema.`;
+const DEFAULT_MODEL = 'claude-sonnet-4-6';
+const DEFAULT_MAX_TOKENS = 8_000;
+export class AnthropicSecurityAuditVerifier {
+    name = 'anthropic';
+    client;
+    model;
+    maxTokens;
+    constructor(opts = {}) {
+        if (opts.client) {
+            this.client = opts.client;
+        }
+        else {
+            const apiKey = opts.apiKey ?? process.env.ANTHROPIC_API_KEY;
+            if (!apiKey) {
+                throw new Error('AnthropicSecurityAuditVerifier requires an API key. Set ANTHROPIC_API_KEY or pass `apiKey` / `client`.');
+            }
+            this.client = new Anthropic({ apiKey });
+        }
+        this.model = opts.model ?? DEFAULT_MODEL;
+        this.maxTokens = opts.maxTokens ?? DEFAULT_MAX_TOKENS;
+    }
+    async verify(input) {
+        if (input.files.length === 0 && input.diff.trim().length === 0) {
+            return { findings: [], provider: this.name, model: this.model };
+        }
+        const userMessage = formatUserMessage(input);
+        let response;
+        try {
+            response = await this.client.messages.parse({
+                model: this.model,
+                max_tokens: this.maxTokens,
+                system: [
+                    {
+                        type: 'text',
+                        text: SYSTEM_PROMPT,
+                        cache_control: { type: 'ephemeral' },
+                    },
+                ],
+                output_config: {
+                    format: zodOutputFormat(SecurityAuditResponseSchema),
+                },
+                messages: [{ role: 'user', content: userMessage }],
+            });
+        }
+        catch (err) {
+            if (err instanceof Anthropic.APIError) {
+                throw new Error(`AnthropicSecurityAuditVerifier API error (${err.status ?? 'unknown'}): ${err.message}`);
+            }
+            throw err;
+        }
+        const parsed = response.parsed_output;
+        if (!parsed) {
+            throw new Error('AnthropicSecurityAuditVerifier received no parseable output from the model (response.parsed_output was null/undefined).');
+        }
+        const findings = [];
+        for (const f of parsed.findings) {
+            findings.push({
+                severity: f.severity,
+                message: f.message,
+                ...(f.line !== undefined ? { line: f.line } : {}),
+            });
+        }
+        return { findings, provider: this.name, model: this.model };
+    }
+}
+export class LocalSecurityAuditVerifier {
+    o;
+    name = 'local';
+    constructor(o) {
+        this.o = o;
+    }
+    async verify(input) {
+        if (input.files.length === 0 && input.diff.trim().length === 0) {
+            return { findings: [], provider: this.name, model: this.o.model };
+        }
+        const parsed = await localChatJSON({
+            baseURL: this.o.baseURL,
+            model: this.o.model,
+            system: SYSTEM_PROMPT,
+            user: formatUserMessage(input),
+            schema: SecurityAuditResponseSchema,
+            ...(this.o.transport ? { transport: this.o.transport } : {}),
+        });
+        const findings = [];
+        for (const f of parsed.findings) {
+            findings.push({
+                severity: f.severity,
+                message: f.message,
+                ...(f.line !== undefined ? { line: f.line } : {}),
+            });
+        }
+        return { findings, provider: this.name, model: this.o.model };
+    }
+}
+function formatUserMessage(input) {
+    const fileList = input.files.length > 0
+        ? input.files.map((f) => `- ${f}`).join('\n')
+        : '(none)';
+    const diffSection = input.diff || '(no diff supplied)';
+    return `# Touched files
+
+${fileList}
+
+# Diff (\`git diff HEAD\`)
+
+${diffSection}
+
+Return security findings (possibly empty) using the requested schema.`;
+}
+//# sourceMappingURL=security-audit.js.map

package/dist/verify/security-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-audit.js","sourceRoot":"","sources":["../../src/verify/security-audit.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,mBAAmB,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,OAAO,EAAE,CAAC,EAAE,MAAM,QAAQ,CAAC;AAE3B,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AA8BlD,mEAAmE;AACnE,MAAM,cAAc,GAClB,wDAAwD,CAAC;AAC3D,+EAA+E;AAC/E,MAAM,MAAM,GAAG,mDAAmD,CAAC;AAEnE;;;;;GAKG;AACH,MAAM,OAAO,yBAAyB;IAC3B,IAAI,GAAG,MAAM,CAAC;IAEvB,KAAK,CAAC,MAAM,CAAC,KAAyB;QACpC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;QAC3C,CAAC;QAED,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3B,MAAM,CAAC,GAAG,6BAA6B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAClD,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC;gBAC/C,SAAS;YACX,CAAC;YACD,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,SAAS;YACrC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzB,MAAM,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACvC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9C,SAAS;YACX,CAAC;YACD,IAAI,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC9C,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC1B,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,UAAU;wBACpB,OAAO,EAAE,gCAAgC;wBACzC,IAAI,EAAE,QAAQ;qBACf,CAAC,CAAC;gBACL,CAAC;gBACD,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtB,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,UAAU;wBACpB,OAAO,EAAE,iCAAiC;wBAC1C,IAAI,EAAE,QAAQ;qBACf,CAAC,CAAC;gBACL,CAAC;gBACD,QAAQ,IAAI,CAAC,CAAC;YAChB,CAAC;iBAAM,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/B,2DAA2D;YAC7D,CAAC;iBAAM,CAAC;gBACN,QAAQ,IAAI,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;IAC3C,CAAC;CACF;AAED,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CAC7C,CAAC,CAAC;AACH,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC;CACzC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG;;;;;;;;;;;qPAW+N,CAAC;AAEtP,MAAM,aAAa,GAAG,mBAAmB,CAAC;AAC1C,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAUjC,MAAM,OAAO,8BAA8B;IAGhC,IAAI,GAAG,WAAW,CAAC;IACX,MAAM,CAAY;IAClB,KAAK,CAAS;IACd,SAAS,CAAS;IAEnC,YAAY,OAA8C,EAAE;QAC1D,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;YAC5D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,KAAK,CACb,wGAAwG,CACzG,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1C,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,aAAa,CAAC;QACzC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAyB;QACpC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/D,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAClE,CAAC;QAED,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,QAA6D,CAAC;QAClE,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC1C,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,UAAU,EAAE,IAAI,CAAC,SAAS;gBAC1B,MAAM,EAAE;oBACN;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,aAAa;wBACnB,aAAa,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;qBACrC;iBACF;gBACD,aAAa,EAAE;oBACb,MAAM,EAAE,eAAe,CAAC,2BAA2B,CAAC;iBACrD;gBACD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;aACnD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,SAAS,CAAC,QAAQ,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,6CAA6C,GAAG,CAAC,MAAM,IAAI,SAAS,MAAM,GAAG,CAAC,OAAO,EAAE,CACxF,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,MAAM,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,yHAAyH,CAC1H,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;IAC9D,CAAC;CACF;AAQD,MAAM,OAAO,0BAA0B;IAER;IADpB,IAAI,GAAG,OAAO,CAAC;IACxB,YAA6B,CAAoC;QAApC,MAAC,GAAD,CAAC,CAAmC;IAAG,CAAC;IAErE,KAAK,CAAC,MAAM,CAAC,KAAyB;QACpC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/D,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;QACpE,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,OAAO;YACvB,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK;YACnB,MAAM,EAAE,aAAa;YACrB,IAAI,EAAE,iBAAiB,CAAC,KAAK,CAAC;YAC9B,MAAM,EAAE,2BAA2B;YACnC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7D,CAAC,CAAC;QACH,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC;IAChE,CAAC;CACF;AAED,SAAS,iBAAiB,CAAC,KAAyB;IAClD,MAAM,QAAQ,GACZ,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QACpB,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;QAC7C,CAAC,CAAC,QAAQ,CAAC;IACf,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,IAAI,oBAAoB,CAAC;IACvD,OAAO;;EAEP,QAAQ;;;;EAIR,WAAW;;sEAEyD,CAAC;AACvE,CAAC"}

package/dist/verify/skill-match.d.ts

@@ -0,0 +1,10 @@
+/**
+ * A required skill token `req` is satisfied by an invoked entry `inv` iff
+ * `inv === req` OR `inv` ends with `:${req}` (tolerates plugin/namespace
+ * prefixes like `superpowers:brainstorming` without loose substring matching).
+ * Case-sensitive — skill ids are.
+ */
+export declare function satisfies(req: string, invoked: readonly string[]): boolean;
+/** Required tokens with no satisfying invoked entry, order preserved. */
+export declare function missingSkills(required: readonly string[], invoked: readonly string[]): string[];
+//# sourceMappingURL=skill-match.d.ts.map

package/dist/verify/skill-match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill-match.d.ts","sourceRoot":"","sources":["../../src/verify/skill-match.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAG1E;AAED,yEAAyE;AACzE,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,SAAS,MAAM,EAAE,EAC3B,OAAO,EAAE,SAAS,MAAM,EAAE,GACzB,MAAM,EAAE,CAEV"}

package/dist/verify/skill-match.js

@@ -0,0 +1,15 @@
+/**
+ * A required skill token `req` is satisfied by an invoked entry `inv` iff
+ * `inv === req` OR `inv` ends with `:${req}` (tolerates plugin/namespace
+ * prefixes like `superpowers:brainstorming` without loose substring matching).
+ * Case-sensitive — skill ids are.
+ */
+export function satisfies(req, invoked) {
+    const suffix = `:${req}`;
+    return invoked.some((inv) => inv === req || inv.endsWith(suffix));
+}
+/** Required tokens with no satisfying invoked entry, order preserved. */
+export function missingSkills(required, invoked) {
+    return required.filter((r) => !satisfies(r, invoked));
+}
+//# sourceMappingURL=skill-match.js.map

package/dist/verify/skill-match.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill-match.js","sourceRoot":"","sources":["../../src/verify/skill-match.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW,EAAE,OAA0B;IAC/D,MAAM,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;IACzB,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,aAAa,CAC3B,QAA2B,EAC3B,OAA0B;IAE1B,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AACxD,CAAC"}

package/dist/verify/spec-review-factory.d.ts

@@ -0,0 +1,103 @@
+import { type SpecReviewVerifier } from './spec-review.js';
+import { type VerifierSelectOptions } from './verifier-factory.js';
+/** @deprecated alias of `VerifierSelectOptions` (kept for API stability). */
+export type SelectSpecReviewVerifierOptions = VerifierSelectOptions;
+/** Picks the spec-review verifier given config + env (Phase 25.x). */
+export declare const selectSpecReviewVerifier: (config: Pick<{
+    schemaVersion: 1;
+    profile: "strict" | "standard" | "auto";
+    loopEnforcement: "strict" | "soft" | "reminder";
+    acDiscipline: "strict" | "tier-scaled" | "optional";
+    workstreamBackend: string;
+    ruleProvider: string;
+    subagentPolicy: {
+        contextBudgetThreshold: number;
+        largeTaskTokens: number;
+        mechanicalBatchMin: number;
+    };
+    modelPerClass: {
+        standard: string;
+        mechanical: string;
+        complex: string;
+        drafting: string;
+    };
+    commitCadence: "task" | "draft" | "manual";
+    templates: {
+        dir: string;
+        overrides: string[];
+    };
+    hooks: {
+        sessionStart: boolean;
+        stopReminder: boolean;
+        preToolUseBuildGate: boolean;
+        userPromptSubmit: boolean;
+    };
+    packs: {
+        enabled: string[];
+        disabled: string[];
+    };
+    telemetry: {
+        tokenUtilization: boolean;
+        skillInvocations: boolean;
+        remoteOptIn: boolean;
+    };
+    skillAudit: {
+        required: string[];
+    };
+    convergence: {
+        maxAttempts: number;
+    };
+    specReview: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    tier: {
+        standard: {
+            maxTasks: number;
+            maxFiles: number;
+        };
+        complex: {
+            maxTasks: number;
+            minTasks: number;
+        };
+        quickFix: {
+            maxTasks: number;
+            maxFiles: number;
+        };
+    };
+    verification: {
+        testGlobs: string[];
+        testCommand?: string | undefined;
+    };
+    verifier: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    perTaskVerifier: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    codeReview: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    planReview: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    securityAudit: {
+        provider: "mock" | "anthropic" | "local";
+        model?: string | undefined;
+    };
+    notify: {
+        transport: "stderr" | "file" | "none" | "webhook";
+        file?: string | undefined;
+        webhook?: {
+            url: string;
+            headers?: Record<string, string> | undefined;
+            timeoutMs?: number | undefined;
+        } | undefined;
+    };
+    $schema?: string | undefined;
+}, "specReview"> | null, opts?: VerifierSelectOptions) => SpecReviewVerifier;
+//# sourceMappingURL=spec-review-factory.d.ts.map

package/dist/verify/spec-review-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"spec-review-factory.d.ts","sourceRoot":"","sources":["../../src/verify/spec-review-factory.ts"],"names":[],"mappings":"AACA,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAEL,KAAK,qBAAqB,EAC3B,MAAM,uBAAuB,CAAC;AAE/B,6EAA6E;AAC7E,MAAM,MAAM,+BAA+B,GAAG,qBAAqB,CAAC;AAEpE,sEAAsE;AACtE,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;aAU00Y,CAAC;;;;;;;;;;;;;;;;;;mBAAoY,CAAC;;;;aAA4G,CAAC;;;;aAAmH,CAAC;;;;aAA8G,CAAC;;;;aAA8G,CAAC;;;;aAAiH,CAAC;;;;YAAkH,CAAC;eAAqC,CAAC;;mBAAgD,CAAC;qBAA2D,CAAC;;;;4EAD1ib,CAAC"}

package/dist/verify/spec-review-factory.js

@@ -0,0 +1,11 @@
+import { AnthropicSpecReviewVerifier, LocalSpecReviewVerifier, MockSpecReviewVerifier, } from './spec-review.js';
+import { createVerifierFactory, } from './verifier-factory.js';
+/** Picks the spec-review verifier given config + env (Phase 25.x). */
+export const selectSpecReviewVerifier = createVerifierFactory({
+    label: 'spec-review',
+    read: (c) => c?.specReview,
+    mock: () => new MockSpecReviewVerifier(),
+    anthropic: (o) => new AnthropicSpecReviewVerifier(o),
+    local: (o) => new LocalSpecReviewVerifier(o),
+});
+//# sourceMappingURL=spec-review-factory.js.map

package/dist/verify/spec-review-factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spec-review-factory.js","sourceRoot":"","sources":["../../src/verify/spec-review-factory.ts"],"names":[],"mappings":"AACA,OAAO,EACL,2BAA2B,EAC3B,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,qBAAqB,GAEtB,MAAM,uBAAuB,CAAC;AAK/B,sEAAsE;AACtE,MAAM,CAAC,MAAM,wBAAwB,GAAG,qBAAqB,CAG3D;IACA,KAAK,EAAE,aAAa;IACpB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,UAAU;IAC1B,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,sBAAsB,EAAE;IACxC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,2BAA2B,CAAC,CAAC,CAAC;IACpD,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,uBAAuB,CAAC,CAAC,CAAC;CAC7C,CAAC,CAAC"}