@meetless/mla 0.1.4 → 0.1.6

package/dist/commands/enrich.js

@@ -19,10 +19,16 @@ exports.resolveBudgetMs = resolveBudgetMs;
 exports.parsePlanArgs = parsePlanArgs;
 exports.parseIngestArgs = parseIngestArgs;
 exports.extractResults = extractResults;
+exports.renderIngestSummary = renderIngestSummary;
 exports.parseBriefArgs = parseBriefArgs;
+exports.parseMaterializeArgs = parseMaterializeArgs;
+exports.extractAcceptedCandidates = extractAcceptedCandidates;
+exports.validateAcceptedCandidates = validateAcceptedCandidates;
+exports.renderMaterializeSummary = renderMaterializeSummary;
 exports.runEnrich = runEnrich;
 const node_child_process_1 = require("node:child_process");
 const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
 const node_crypto_1 = require("node:crypto");
 const config_1 = require("../lib/config");
 const workspace_1 = require("../lib/workspace");
@@ -31,7 +37,9 @@ const plan_1 = require("../lib/enrichment/plan");
 const ingest_1 = require("../lib/enrichment/ingest");
 const scout_brief_1 = require("../lib/enrichment/scout-brief");
 const protocol_1 = require("../lib/enrichment/protocol");
-const USAGE = `mla enrich: agent-orchestrated onboarding enrichment (two bookends).
+const managed_rules_1 = require("../lib/scanner/managed-rules");
+const materialize_rules_1 = require("../lib/enrichment/materialize-rules");
+const USAGE = `mla enrich: agent-orchestrated onboarding enrichment.
 
   mla enrich plan [--json] [--budget-ms <n>] [--workspace <id>]
       Scan this repository into an immutable run record and print the plan the
@@ -50,7 +58,16 @@ const USAGE = `mla enrich: agent-orchestrated onboarding enrichment (two bookend
       stdin when no file is given (an array of scout results, or an object with a
       \`results\` array). Candidates land in the governed KB born PENDING.
       Exit: 0 clean, 1 a scout needs attention (persistence failed / malformed),
-      2 the request was rejected (unknown run, mismatch, corrupt record).`;
+      2 the request was rejected (unknown run, mismatch, corrupt record).
+
+  mla enrich materialize [--accepted-file <path>] [--dry-run] [--json]
+      Write the accepted DURABLE rules (constraint, convention, boundary) into the
+      mla-managed rule file (.meetless/rules.md), the one canonical source the local
+      scanner injects from. Reads the accepted candidates as JSON from --accepted-file,
+      or from stdin (a bare array, or an object with an \`accepted\` array). Decisions and
+      deprecations are reported as skipped, never written. Local only: no commit, no push
+      (prints "Effective locally. Commit and push to share with teammates."). --dry-run
+      reports the change without writing. Exit: 0 done (or nothing to do), 2 bad input.`;
 // Mirror kb_add's ingest timeout heuristic (it is module-private there). Generous,
 // scales with document count: the kb-add route runs the full atomic-claim pipeline.
 function ingestTimeoutMs(docCount) {
@@ -242,13 +259,31 @@ function extractResults(raw, runId) {
 }
 function renderIngestSummary(outcomes, status) {
     const lines = [`Onboarding ingest complete (state: ${status ?? "unknown"}).`, ``];
+    let totalPersisted = 0;
     for (const o of outcomes) {
+        totalPersisted += o.persisted;
         lines.push(`  ${o.scout}: ${o.accepted} accepted, ${o.rejected} rejected, ${o.persisted} persisted (received ${o.received})`);
         for (const e of o.errors) {
             const where = e.index >= 0 ? `candidate ${e.index}` : "scout";
             lines.push(`      - ${where}: ${e.code} (${e.message})`);
         }
     }
+    // Review handoff: candidates land born PENDING, so the human reviews them next. The
+    // extraction cap (up to 20 per run) is NOT the review batch: show the first
+    // REVIEW_BATCH_DEFAULT and keep the rest behind "show more" so a big run does not bury
+    // the reviewer (Phase 2). When everything fits in one batch, say so plainly.
+    if (totalPersisted > 0) {
+        const batch = (0, protocol_1.selectReviewBatch)(totalPersisted);
+        lines.push(``);
+        if (batch.hasMore) {
+            lines.push(`Next: review ${totalPersisted} candidate${totalPersisted === 1 ? "" : "s"} born PENDING. ` +
+                `Run \`mla review\` to see the first ${batch.shown}; ${batch.remaining} more are behind "show more".`);
+        }
+        else {
+            lines.push(`Next: review ${totalPersisted} candidate${totalPersisted === 1 ? "" : "s"} born PENDING with \`mla review\`. ` +
+                `Nothing is accepted until you say so.`);
+        }
+    }
     return lines.join("\n");
 }
 async function runEnrichIngest(argv) {
@@ -405,6 +440,178 @@ function runEnrichBrief(argv) {
     console.log((0, scout_brief_1.buildScoutPrompt)(run, flags.role));
     return 0;
 }
+function parseMaterializeArgs(argv) {
+    const flags = { json: false, dryRun: false };
+    for (let i = 0; i < argv.length; i++) {
+        const a = argv[i];
+        if (a === "--json")
+            flags.json = true;
+        else if (a === "--dry-run")
+            flags.dryRun = true;
+        else if (a === "--accepted-file") {
+            flags.acceptedFile = argv[++i];
+            if (!flags.acceptedFile)
+                throw new Error("--accepted-file requires a path");
+        }
+        else
+            throw new Error(`Unknown flag for \`mla enrich materialize\`: ${a}`);
+    }
+    return flags;
+}
+// Normalize the accepted payload into the candidate array. Accept a bare array, or an
+// object with an `accepted` array (the natural name for "the ones the human accepted"),
+// or a `candidates` array (so an onboard scout-result candidate list pastes through).
+function extractAcceptedCandidates(raw) {
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (e) {
+        throw new Error(`accepted candidates are not valid JSON: ${e.message}`);
+    }
+    if (Array.isArray(parsed))
+        return parsed;
+    if (parsed && typeof parsed === "object") {
+        const obj = parsed;
+        if (Array.isArray(obj.accepted))
+            return obj.accepted;
+        if (Array.isArray(obj.candidates))
+            return obj.candidates;
+    }
+    throw new Error("accepted candidates must be a JSON array, or an object with an `accepted` (or `candidates`) array");
+}
+function validateAcceptedCandidates(raw) {
+    const candidates = [];
+    const errors = [];
+    raw.forEach((r, i) => {
+        const res = (0, protocol_1.validateCandidateShape)(r, i);
+        if (res.ok)
+            candidates.push(res.candidate);
+        else
+            errors.push(...res.errors);
+    });
+    if (errors.length > 0)
+        return { ok: false, errors };
+    return { ok: true, candidates };
+}
+// Human-readable summary. Pure (no fs) and exported so its wording is pinned by a test.
+// `dryRun` flips the verb from "materialized" to "would materialize" and suppresses the
+// share line (nothing was written, so there is nothing local to share yet).
+function renderMaterializeSummary(result, relPath, dryRun) {
+    const lines = [];
+    const added = [...result.materialized].sort((a, b) => a.statement.localeCompare(b.statement));
+    const skipped = [...result.skipped].sort((a, b) => a.statement.localeCompare(b.statement));
+    if (added.length > 0) {
+        const verb = dryRun ? "Would materialize" : "Materialized";
+        lines.push(`${verb} ${added.length} durable rule${added.length === 1 ? "" : "s"} into ${relPath}:`);
+        for (const r of added)
+            lines.push(`  + ${r.statement}`);
+    }
+    else {
+        lines.push(`No durable rules to materialize (${relPath} unchanged).`);
+    }
+    if (skipped.length > 0) {
+        lines.push("");
+        lines.push(`Skipped ${skipped.length} non-rule candidate${skipped.length === 1 ? "" : "s"}:`);
+        for (const s of skipped) {
+            const why = s.reason === "empty_statement" ? "empty statement" : `${s.kind} (governed knowledge, not a rule)`;
+            lines.push(`  - ${s.statement || "(empty)"}: ${why}`);
+        }
+    }
+    if (result.changed && !dryRun) {
+        lines.push("");
+        lines.push(materialize_rules_1.MATERIALIZE_SHARE_MESSAGE);
+    }
+    return lines.join("\n");
+}
+function readManagedFile(path) {
+    try {
+        return (0, node_fs_1.readFileSync)(path, "utf8");
+    }
+    catch {
+        return ""; // missing file is the empty starting point, not an error
+    }
+}
+// Atomic write: render to a sibling temp file then rename, so a crash mid-write never
+// leaves a half-written rules file (the scanner reads it directly from disk every turn).
+function writeManagedFile(path, text) {
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(path), { recursive: true });
+    const tmp = `${path}.tmp-${process.pid}`;
+    (0, node_fs_1.writeFileSync)(tmp, text, "utf8");
+    (0, node_fs_1.renameSync)(tmp, path);
+}
+async function runEnrichMaterialize(argv) {
+    let flags;
+    try {
+        flags = parseMaterializeArgs(argv);
+    }
+    catch (e) {
+        console.error(e.message);
+        return 2;
+    }
+    // Local-only: the managed file lives at the git root. No workspace id, no auth.
+    let repositoryRoot;
+    try {
+        repositoryRoot = resolveRepositoryRoot(process.cwd());
+    }
+    catch (e) {
+        console.error(e.message);
+        return 2;
+    }
+    let raw;
+    try {
+        if (flags.acceptedFile) {
+            raw = (0, node_fs_1.readFileSync)(flags.acceptedFile, "utf8");
+        }
+        else if (!process.stdin.isTTY) {
+            raw = await readStdin();
+        }
+        else {
+            console.error("provide --accepted-file <path> or pipe the accepted candidates JSON to stdin");
+            return 2;
+        }
+    }
+    catch (e) {
+        console.error(`could not read accepted candidates: ${e.message}`);
+        return 2;
+    }
+    let rawCandidates;
+    try {
+        rawCandidates = extractAcceptedCandidates(raw);
+    }
+    catch (e) {
+        console.error(e.message);
+        return 2;
+    }
+    const validation = validateAcceptedCandidates(rawCandidates);
+    if (!validation.ok) {
+        console.error(`refusing to materialize: ${validation.errors.length} invalid candidate(s).`);
+        for (const e of validation.errors) {
+            console.error(`  - candidate ${e.index}: ${e.code}${e.field ? ` (${e.field})` : ""} ${e.message}`);
+        }
+        return 2;
+    }
+    const managedPath = (0, node_path_1.join)(repositoryRoot, managed_rules_1.MANAGED_RULES_PATH);
+    const existing = readManagedFile(managedPath);
+    const result = (0, materialize_rules_1.materializeRules)(existing, validation.candidates);
+    if (result.changed && !flags.dryRun) {
+        writeManagedFile(managedPath, result.text);
+    }
+    if (flags.json) {
+        console.log(JSON.stringify({
+            path: managed_rules_1.MANAGED_RULES_PATH,
+            changed: result.changed,
+            wrote: result.changed && !flags.dryRun,
+            dryRun: flags.dryRun,
+            materialized: result.materialized.map((r) => ({ id: r.id, statement: r.statement, strength: r.strength })),
+            skipped: result.skipped,
+        }, null, 2));
+    }
+    else {
+        console.log(renderMaterializeSummary(result, managed_rules_1.MANAGED_RULES_PATH, flags.dryRun));
+    }
+    return 0;
+}
 async function runEnrich(argv) {
     const sub = argv[0];
     const rest = argv.slice(1);
@@ -419,6 +626,8 @@ async function runEnrich(argv) {
             return runEnrichBrief(rest);
         case "ingest":
             return runEnrichIngest(rest);
+        case "materialize":
+            return runEnrichMaterialize(rest);
         default:
             console.error(`unknown \`mla enrich\` subcommand: ${sub}\n`);
             console.error(USAGE);

package/dist/commands/internal-auto-index.js

@@ -64,6 +64,7 @@ const config_1 = require("../lib/config");
 const active_memory_1 = require("../lib/active-memory");
 const auto_index_1 = require("../lib/auto-index");
 const kb_acl_1 = require("../lib/kb_acl");
+const live_collector_1 = require("../lib/agent-memory-capture/live-collector");
 const kb_add_1 = require("./kb_add");
 function activeMemoryStorePath() {
     return path.join(config_1.HOME, "logs", "kb-knowledge.jsonl");
@@ -87,6 +88,50 @@ function parseArgs(argv) {
     }
     return { sessionId };
 }
+// Roll the per-binding live results into a flat outcome tally for the worker's
+// JSON summary. Counts only; never carries content. `locked` is the number of
+// bindings skipped because another collector held the lock this pass.
+function tallyLive(results) {
+    let bindings = 0;
+    let uploaded = 0;
+    let deferred = 0;
+    let blocked = 0;
+    let withdrawn = 0;
+    let failed = 0;
+    // Bindings that did no work this pass: another collector held the lock, or the
+    // pipeline threw (fail-soft). Both surface as summary === null.
+    let skippedBindings = 0;
+    for (const r of results) {
+        if (!r.locked || !r.summary) {
+            skippedBindings++;
+            continue;
+        }
+        bindings++;
+        for (const rec of r.summary.records) {
+            switch (rec.outcome) {
+                case "uploaded":
+                    uploaded++;
+                    break;
+                case "deferred":
+                    deferred++;
+                    break;
+                case "blocked":
+                    blocked++;
+                    break;
+                case "reclassified":
+                case "deleted":
+                    withdrawn++;
+                    break;
+                case "failed":
+                    failed++;
+                    break;
+                default:
+                    break; // unchanged / skipped: no-op, not surfaced
+            }
+        }
+    }
+    return { bindings, uploaded, deferred, blocked, withdrawn, failed, skippedBindings };
+}
 // runKbAdd converts KbOwnerCheckError into stderr + exit 2 before it reaches
 // this loop, so a thrown denial only arrives from injected add fns or future
 // boundary changes. Match the class, the name (survives module-duplication
@@ -177,7 +222,25 @@ async function runInternalAutoIndex(argv, deps = {}) {
                 failed++; // fail-soft: one bad add never aborts the batch.
             }
         }
-        console.log(JSON.stringify({ indexed, skipped, failed, total: targets.length }));
+        // Live agent-memory capture (proposal §6): the collector attached to this
+        // existing Stop worker. DEFAULT OFF: it runs only when the operator opted in
+        // (MEETLESS_AGENT_MEMORY_LIVE) AND there is a consented binding + actor.
+        // Fully fail-soft and OUTSIDE the Zone-2 result above: any error here is
+        // swallowed and never changes the indexed/skipped/failed counts or the
+        // session. Runs last so it rides the same detached tail.
+        const summary = { indexed, skipped, failed, total: targets.length };
+        const liveEnabled = deps.liveEnabled ?? live_collector_1.liveCaptureEnabled;
+        if (liveEnabled()) {
+            try {
+                const runLive = deps.runLive ?? live_collector_1.runLiveCollector;
+                const liveResults = await runLive({ nowIso: new Date().toISOString() });
+                summary.liveCapture = tallyLive(liveResults);
+            }
+            catch {
+                // Live capture must never disturb the auto-index worker. Swallow.
+            }
+        }
+        console.log(JSON.stringify(summary));
         return 0;
     }
     catch {

package/dist/commands/internal-pretool-observe.js

@@ -18,6 +18,39 @@
 //      `mla`) would block the tool; we must never do that. Every failure path -- unreadable stdin,
 //      malformed payload, store open failure, a throwing dependency -- fails OPEN to the exit-0
 //      pass-through. The decision travels in the JSON body, never the exit code.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PRETOOL_PASS_THROUGH = void 0;
 exports.renderPreToolUseResponse = renderPreToolUseResponse;
@@ -28,6 +61,7 @@ const active_conflict_cache_1 = require("../lib/active-conflict-cache");
 const ce0_store_1 = require("../lib/rules/ce0-store");
 const enforce_notes_version_1 = require("../lib/rules/enforce-notes-version");
 const observe_adapter_1 = require("../lib/rules/observe-adapter");
+const enforcement_classify_1 = require("../lib/analytics/enforcement-classify");
 const runtime_scope_1 = require("../lib/rules/runtime-scope");
 const live_input_authority_1 = require("../lib/rules/live-input-authority");
 const cache_1 = require("../lib/scanner/cache");
@@ -120,7 +154,7 @@ async function computePretoolDecision(raw, deps) {
         const clock = (deps.clock ?? defaultClock)();
         const resolveInputAuthority = deps.resolveInputAuthority ?? live_input_authority_1.resolveLiveInputAuthority;
         const directives = (deps.resolveDirectives ?? defaultResolveDirectives)();
-        const { response } = await (0, enforce_notes_version_1.evaluateEnforceOrObserveNotesRule)(store, {
+        const { response, outcome } = await (0, enforce_notes_version_1.evaluateEnforceOrObserveNotesRule)(store, {
             rawStdin: raw,
             runtimeProjectRoot: scope.runtimeProjectRoot,
             runtimeScopeId: scope.runtimeScopeId,
@@ -135,6 +169,10 @@ async function computePretoolDecision(raw, deps) {
         // passes through do we layer the SOFT cross-session conflict warning (which can
         // only ever advise, never deny).
         if ("permissionDecision" in response && response.permissionDecision === "deny") {
+            // Emit the one analytics append the deny tile reads (§5.1). Awaited so the
+            // synchronous local spool write lands before this short-lived process exits;
+            // fail-soft so a telemetry fault can never turn into a thrown (blocking) hook.
+            await emitDenyIncident(raw, outcome, clock.now, deps);
             return renderPreToolUseResponse(response);
         }
         return computeConflictWarning(raw, deps);
@@ -185,6 +223,53 @@ function computeConflictWarning(raw, deps) {
         return renderPreToolUseResponse(exports.PRETOOL_PASS_THROUGH);
     }
 }
+/**
+ * Emit the enforcement-incident analytics event for one fired deny (the deny tile, §5.1).
+ * Classifies the tool + blocked-path surface into PII-safe enums (the path never leaves the
+ * device), resolves the workspace fail-open, and hands the built input/coords to the injected
+ * emitter (production lazy-imports the real append-only emit). The whole thing is fail-soft: a
+ * deny must never be turned into a thrown, blocking hook by a telemetry fault. The emitter is
+ * awaited so its synchronous local append lands before this short-lived hook process exits.
+ */
+async function emitDenyIncident(raw, outcome, nowMs, deps) {
+    try {
+        // The deny response is only ever returned alongside a DENIED outcome (the enforce path);
+        // guard defensively so a future shape change degrades to no-telemetry, never a wrong event.
+        if (outcome.kind !== "DENIED")
+            return;
+        const parsed = (0, observe_adapter_1.parsePreToolUseInput)(raw);
+        const filePath = typeof parsed?.tool_input?.file_path === "string" ? parsed.tool_input.file_path : null;
+        let workspaceId = null;
+        try {
+            workspaceId = (0, workspace_1.resolveWorkspaceIdWithEnv)() || null;
+        }
+        catch {
+            workspaceId = null;
+        }
+        const input = {
+            incidentId: outcome.attemptId,
+            decision: "deny",
+            tool: (0, enforcement_classify_1.normalizeEnforcedTool)(parsed?.tool_name),
+            touchedSurface: (0, enforcement_classify_1.classifyTouchedSurface)(filePath),
+            ruleVersionId: outcome.ruleVersionId,
+        };
+        const coords = {
+            workspaceId,
+            sessionId: parsed?.session_id ?? null,
+            nowMs,
+        };
+        await (deps.emitIncident ?? defaultEmitIncident)(input, coords);
+    }
+    catch {
+        // Fail-soft: deny telemetry must never escalate into a blocking hook.
+    }
+}
+/** Production deny emitter: lazy-imports the recorder-touching emit so the non-deny hot path
+ * never loads it, then performs the synchronous local append. Awaited by the caller. */
+async function defaultEmitIncident(input, coords) {
+    const { emitEnforcementIncident } = await Promise.resolve().then(() => __importStar(require("../lib/analytics/enforcement-incident")));
+    emitEnforcementIncident(input, coords);
+}
 function defaultResolveScope() {
     const root = (0, runtime_scope_1.resolveActiveRuntimeScopeId)();
     return { runtimeScopeId: root, runtimeProjectRoot: root };

package/dist/commands/internal-redact-capture.js

@@ -0,0 +1,130 @@
+"use strict";
+// `mla _internal redact-capture` (governed-story capture, P1). The
+// user-prompt-submit / post-tool-use hooks assemble injected-context blocks and
+// MCP query text in shell, then pipe a single JSON payload through this command
+// to redact secrets BEFORE the trace is spooled. We redact here (in a node
+// child) rather than in bash so the capture path reuses the ONE parity-locked
+// redactor (lib/redactor.ts, mirror of intel + control), instead of forking a
+// third, drifting copy of the secret patterns into shell. Spec
+// notes/20260627-session-detail-mla-actions-and-colored-injection-timeline-design.md §4.4.
+//
+// Contract (fail-closed telemetry, fail-open agent -- the agent's prompt is
+// delivered by the hook independently of this call):
+//   stdin  : { blocks?: [{kind, content, citations?, charCount?, itemCount?}], query?: string }
+//   stdout : { blocks: [{kind, content, contentStatus, citations, charCount, itemCount}], query }
+//   exit 0 : redaction succeeded; the hook spools the redacted output verbatim.
+//   exit 1 : ANY failure (unreadable/malformed stdin, serialization fault). The
+//            hook treats this as redaction_failed: it persists content:null +
+//            contentStatus:"redaction_failed" for every block and NEVER
+//            substitutes a raw body. Raw content never leaves this process on a
+//            failure path.
+//
+// charCount is computed HERE from the raw (pre-redaction) body so it is a single
+// factual source the control boundary can check (summary.injectedCharCount ==
+// sum(block.charCount)); the producer cannot drift it. citations and itemCount
+// are producer metadata and pass through untouched (they are governance ids /
+// counts, not secrets).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redactCapturePayload = redactCapturePayload;
+exports.runInternalRedactCapture = runInternalRedactCapture;
+const redactor_1 = require("../lib/redactor");
+function asStringArray(value) {
+    if (!Array.isArray(value))
+        return [];
+    return value.filter((v) => typeof v === "string");
+}
+function asNonNegativeInt(value) {
+    if (typeof value !== "number" || !Number.isInteger(value) || value < 0) {
+        return null;
+    }
+    return value;
+}
+// Count code points (not UTF-16 units) so the "N chars" the chip later shows is
+// honest for multi-byte content. Computed from the RAW body, pre-redaction.
+function charCountOf(content) {
+    return Array.from(content).length;
+}
+/**
+ * Pure. Redact every block body and the query with the shared redactor.
+ * - content null/empty stays as-is, contentStatus "available" (nothing to scrub).
+ * - content that the redactor changed -> "redacted"; unchanged -> "available".
+ * - charCount is the ORIGINAL (pre-redaction) length, factual.
+ * Never throws on well-formed string inputs (redact is a regex replace); the IO
+ * shell maps a throw to exit 1.
+ */
+function redactCapturePayload(input) {
+    const rawBlocks = Array.isArray(input.blocks) ? input.blocks : [];
+    const blocks = rawBlocks.map((b) => {
+        const block = (b ?? {});
+        const kind = typeof block.kind === "string" ? block.kind : "unknown";
+        const citations = asStringArray(block.citations);
+        const itemCount = asNonNegativeInt(block.itemCount);
+        const rawContent = typeof block.content === "string" ? block.content : null;
+        if (rawContent === null || rawContent === "") {
+            return {
+                kind,
+                content: rawContent,
+                contentStatus: "available",
+                citations,
+                charCount: 0,
+                itemCount,
+            };
+        }
+        const redacted = (0, redactor_1.redact)(rawContent) ?? rawContent;
+        return {
+            kind,
+            content: redacted,
+            contentStatus: redacted === rawContent ? "available" : "redacted",
+            citations,
+            charCount: charCountOf(rawContent),
+            itemCount,
+        };
+    });
+    const rawQuery = typeof input.query === "string" ? input.query : null;
+    const query = rawQuery === null ? null : ((0, redactor_1.redact)(rawQuery) ?? rawQuery);
+    return { blocks, query };
+}
+function readStdinReal() {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        process.stdin.on("data", (c) => chunks.push(c));
+        process.stdin.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+        process.stdin.on("error", reject);
+    });
+}
+const defaultDeps = {
+    readStdin: readStdinReal,
+    writeOut: (s) => process.stdout.write(s),
+};
+/**
+ * IO shell. Reads the JSON payload from stdin, redacts, writes the redacted JSON
+ * to stdout. Exit 1 on ANY failure (read error, malformed JSON, serialization
+ * fault) WITHOUT writing a partial/raw body, so the hook degrades to
+ * redaction_failed and never persists an unredacted secret. Takes no argv.
+ */
+async function runInternalRedactCapture(_argv, deps = defaultDeps) {
+    let raw;
+    try {
+        raw = await deps.readStdin();
+    }
+    catch {
+        return 1;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        return 1;
+    }
+    if (!parsed || typeof parsed !== "object")
+        return 1;
+    try {
+        const out = redactCapturePayload(parsed);
+        deps.writeOut(JSON.stringify(out));
+        return 0;
+    }
+    catch {
+        return 1;
+    }
+}