@meetless/mla 0.1.4

package/dist/lib/agent-decision/validate.js

@@ -0,0 +1,216 @@
+"use strict";
+// src/lib/agent-decision/validate.ts
+//
+// Hand-rolled structural validator for the canonical agent-decision contract.
+//
+// Deviation noted (spec build-order item 1 suggested "TypeScript / Zod"): the mla
+// CLI deliberately keeps a minimal dependency surface and ships NO Zod. This
+// validator is the contract's teeth instead: it enforces every field rule and the
+// cross-field invariants (INV-CHOICE-ID, decisionKind/multiSelect coherence,
+// free_text/no_match coupling) that the spec spells out in sections 6 and 7. It
+// returns a flat list of human-readable error strings; empty means valid.
+//
+// It is used by the contract tests and, fail-soft, at capture time so a malformed
+// decision is logged and skipped rather than crashing the hook it rides on.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateCanonicalDecisionPayload = validateCanonicalDecisionPayload;
+exports.isValidCanonicalDecisionPayload = isValidCanonicalDecisionPayload;
+const DECISION_KINDS = ["choice", "multi_choice", "free_text"];
+const ANSWER_TYPES = ["choice_label", "multi_choice_labels", "free_text"];
+const MATCH_STATUSES = ["exact_unique", "exact_ambiguous", "no_match"];
+const CAPTURED_BY = ["post_tool_use", "stop_transcript_scan"];
+const CHOICE_ID_RE = /^choice_\d+$/;
+function isPlainObject(v) {
+    return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function isNonEmptyString(v) {
+    return typeof v === "string" && v.length > 0;
+}
+function validatePrompt(prompt, errs) {
+    if (!isPlainObject(prompt)) {
+        errs.push("prompt: must be an object {title, body}");
+        return;
+    }
+    if (typeof prompt.title !== "string")
+        errs.push("prompt.title: must be a string");
+    if (typeof prompt.body !== "string")
+        errs.push("prompt.body: must be a string");
+}
+function validateChoices(choices, errs) {
+    const ids = new Set();
+    if (!Array.isArray(choices)) {
+        errs.push("choices: must be an array");
+        return ids;
+    }
+    choices.forEach((c, i) => {
+        if (!isPlainObject(c)) {
+            errs.push(`choices[${i}]: must be an object {id,label,description?}`);
+            return;
+        }
+        // INV-CHOICE-ID: positional, collision-safe, never a slug.
+        if (typeof c.id !== "string" || !CHOICE_ID_RE.test(c.id)) {
+            errs.push(`choices[${i}].id: must match choice_<index>, got ${JSON.stringify(c.id)}`);
+        }
+        else {
+            if (ids.has(c.id))
+                errs.push(`choices[${i}].id: duplicate id ${c.id}`);
+            ids.add(c.id);
+        }
+        if (typeof c.label !== "string")
+            errs.push(`choices[${i}].label: must be a string`);
+        if (c.description !== undefined && typeof c.description !== "string") {
+            errs.push(`choices[${i}].description: must be a string when present`);
+        }
+    });
+    return ids;
+}
+function validateAnswer(answer, choiceIds, errs) {
+    if (!isPlainObject(answer)) {
+        errs.push("answer: must be an object");
+        return;
+    }
+    const a = answer;
+    if (typeof a.type !== "string" || !ANSWER_TYPES.includes(a.type)) {
+        errs.push(`answer.type: must be one of ${ANSWER_TYPES.join(", ")}`);
+    }
+    if (typeof a.choiceMatchStatus !== "string" || !MATCH_STATUSES.includes(a.choiceMatchStatus)) {
+        errs.push(`answer.choiceMatchStatus: must be one of ${MATCH_STATUSES.join(", ")}`);
+    }
+    if (!("raw" in a)) {
+        errs.push("answer.raw: must be present (INV-RAW-PRESERVATION applies to the raw answer too)");
+    }
+    // value shape depends on type.
+    if (a.type === "multi_choice_labels") {
+        if (!Array.isArray(a.value) || !a.value.every((x) => typeof x === "string")) {
+            errs.push("answer.value: must be a string[] when type is multi_choice_labels");
+        }
+    }
+    else if (a.type === "choice_label" || a.type === "free_text") {
+        if (typeof a.value !== "string") {
+            errs.push(`answer.value: must be a string when type is ${a.type}`);
+        }
+    }
+    // choiceId presence/format rules (single-select).
+    if (a.choiceId !== undefined) {
+        if (typeof a.choiceId !== "string" || !CHOICE_ID_RE.test(a.choiceId)) {
+            errs.push(`answer.choiceId: must match choice_<index>, got ${JSON.stringify(a.choiceId)}`);
+        }
+        else if (!choiceIds.has(a.choiceId)) {
+            errs.push(`answer.choiceId: ${a.choiceId} is not one of the offered choices`);
+        }
+    }
+    if (a.choiceIds !== undefined) {
+        if (!Array.isArray(a.choiceIds) || !a.choiceIds.every((x) => typeof x === "string" && CHOICE_ID_RE.test(x))) {
+            errs.push("answer.choiceIds: must be an array of choice_<index> ids when present");
+        }
+        else {
+            for (const cid of a.choiceIds) {
+                if (!choiceIds.has(cid))
+                    errs.push(`answer.choiceIds: ${cid} is not one of the offered choices`);
+            }
+        }
+    }
+    // Cross-field coupling (spec section 6, derivation refined for multi-select).
+    // no_match is incompatible only with a singular choice_label claim. A single
+    // free_text answer carries it, and a multi_choice answer where no provided
+    // value matched an offered label may carry it too.
+    if (a.choiceMatchStatus === "no_match" && a.choiceId !== undefined) {
+        errs.push("answer: no_match must not carry a choiceId");
+    }
+    if (a.type === "choice_label") {
+        if (a.choiceMatchStatus === "no_match") {
+            errs.push("answer: choice_label cannot have choiceMatchStatus no_match");
+        }
+        if (a.choiceId === undefined) {
+            errs.push("answer: choice_label requires a choiceId");
+        }
+        if (a.choiceIds !== undefined) {
+            errs.push("answer: choice_label is single-select; use choiceId, not choiceIds");
+        }
+    }
+    if (a.type === "free_text") {
+        if (a.choiceMatchStatus !== "no_match") {
+            errs.push("answer: free_text requires choiceMatchStatus no_match");
+        }
+        if (a.choiceId !== undefined)
+            errs.push("answer: free_text must not carry a choiceId");
+        if (a.choiceIds !== undefined)
+            errs.push("answer: free_text must not carry choiceIds");
+    }
+    if (a.type === "multi_choice_labels" && a.choiceId !== undefined) {
+        errs.push("answer: multi_choice_labels is multi-select; use choiceIds, not a singular choiceId");
+    }
+}
+// Returns a flat list of validation errors; empty array means the payload
+// satisfies the canonical contract.
+function validateCanonicalDecisionPayload(payload) {
+    const errs = [];
+    if (!isPlainObject(payload)) {
+        return ["payload: must be an object"];
+    }
+    const p = payload;
+    if (!isNonEmptyString(p.provider))
+        errs.push("provider: must be a non-empty string");
+    if (!isNonEmptyString(p.providerSource))
+        errs.push("providerSource: must be a non-empty string");
+    if (!isNonEmptyString(p.providerEventId))
+        errs.push("providerEventId: must be a non-empty string");
+    if (p.providerToolName !== undefined && p.providerToolName !== null && typeof p.providerToolName !== "string") {
+        errs.push("providerToolName: must be a string, null, or omitted");
+    }
+    if (p.providerSessionId !== undefined && p.providerSessionId !== null && typeof p.providerSessionId !== "string") {
+        errs.push("providerSessionId: must be a string, null, or omitted");
+    }
+    if (typeof p.decisionKind !== "string" || !DECISION_KINDS.includes(p.decisionKind)) {
+        errs.push(`decisionKind: must be one of ${DECISION_KINDS.join(", ")}`);
+    }
+    validatePrompt(p.prompt, errs);
+    const choiceIds = validateChoices(p.choices, errs);
+    validateAnswer(p.answer, choiceIds, errs);
+    // decisionKind is derived from multiSelect + match outcome (spec section 6);
+    // enforce the coupling so the three fields can never drift.
+    const ansType = isPlainObject(p.answer) ? p.answer.type : undefined;
+    if (p.decisionKind === "multi_choice" && ansType !== "multi_choice_labels") {
+        errs.push("answer.type: must be multi_choice_labels when decisionKind is multi_choice");
+    }
+    if (p.decisionKind === "choice" && ansType !== "choice_label") {
+        errs.push("answer.type: must be choice_label when decisionKind is choice");
+    }
+    if (p.decisionKind === "free_text" && ansType !== "free_text") {
+        errs.push("answer.type: must be free_text when decisionKind is free_text");
+    }
+    if (typeof p.multiSelect !== "boolean") {
+        errs.push("multiSelect: must be a boolean");
+    }
+    else {
+        // Biconditional per spec section 6: multiSelect true iff decisionKind multi_choice.
+        if (p.multiSelect && p.decisionKind !== "multi_choice") {
+            errs.push("decisionKind: must be multi_choice when multiSelect is true");
+        }
+        if (!p.multiSelect && p.decisionKind === "multi_choice") {
+            errs.push("multiSelect: must be true when decisionKind is multi_choice");
+        }
+    }
+    if (typeof p.capturedBy !== "string" || !CAPTURED_BY.includes(p.capturedBy)) {
+        errs.push(`capturedBy: must be one of ${CAPTURED_BY.join(", ")}`);
+    }
+    if (p.turnIndex !== undefined && p.turnIndex !== null && typeof p.turnIndex !== "number") {
+        errs.push("turnIndex: must be a number, null, or omitted");
+    }
+    if (p.traceId !== undefined && p.traceId !== null && typeof p.traceId !== "string") {
+        errs.push("traceId: must be a string, null, or omitted");
+    }
+    if (p.actorDisplayName !== undefined && p.actorDisplayName !== null && typeof p.actorDisplayName !== "string") {
+        errs.push("actorDisplayName: must be a string, null, or omitted");
+    }
+    if (!("rawProviderPayload" in p)) {
+        errs.push("rawProviderPayload: must be present (INV-RAW-PRESERVATION)");
+    }
+    if (p.occurredAt !== undefined && typeof p.occurredAt !== "string") {
+        errs.push("occurredAt: must be an ISO string when present");
+    }
+    return errs;
+}
+function isValidCanonicalDecisionPayload(payload) {
+    return validateCanonicalDecisionPayload(payload).length === 0;
+}

package/dist/lib/analytics/capture.js

@@ -0,0 +1,96 @@
+"use strict";
+// captureCommandEvent: the run-finalize entry point that records one normalized
+// `mla_command` journey event (spec section 6.2, section 11.4). It is the only
+// thing cli.ts has to call. It runs after the command result is known and is
+// fully defensive: any failure here is swallowed so analytics can never change a
+// command's exit code or break its output.
+//
+// Order (matters): derive the sequence fields BEFORE recording, since they are
+// read from the strictly-prior `mla_command` rows in the local jsonl; then record
+// locally (durable, consent-gated); then best-effort forward to control (bounded,
+// telemetry-gated). The local append happens even with remote telemetry off
+// (local-first, INV-LOCAL-STATS-1); the forward is a no-op unless opted in.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCommandPayload = buildCommandPayload;
+exports.captureCommandEvent = captureCommandEvent;
+const command_event_1 = require("./command-event");
+const sequence_1 = require("./sequence");
+const store_1 = require("./store");
+const recorder_1 = require("./recorder");
+// Build the normalized command payload (pure). Exported so the privacy test can
+// assert directly on what would be emitted, no I/O.
+function buildCommandPayload(params) {
+    const { command, subcommand, flags_shape } = (0, command_event_1.normalizeCommand)(params.argv);
+    const { outcome, error_class, retryable } = (0, command_event_1.classifyOutcome)(params.exitCode, params.threw, params.thrown);
+    const seq = (0, sequence_1.computeSequence)(params.sessionId, params.startedAtMs, params.env);
+    const duration_ms = Math.max(0, params.nowMs - params.startedAtMs);
+    return {
+        command,
+        subcommand,
+        flags_shape,
+        scope: (0, command_event_1.classifyScope)(command, flags_shape),
+        duration_ms,
+        exit_code: params.exitCode,
+        outcome,
+        error_class,
+        retryable,
+        // The CLI command itself does not edit a code surface (that signal is for
+        // hook-origin events that wrap an edit). Honest default for a command event.
+        touched_surface: "unknown",
+        mla_version: params.mlaVersion,
+        git_sha: params.gitSha,
+        command_index_in_session: seq.command_index_in_session,
+        preceded_by: seq.preceded_by,
+        session_idle_gap_ms: seq.session_idle_gap_ms,
+    };
+}
+async function captureCommandEvent(params) {
+    const env = params.env ?? process.env;
+    try {
+        // `_internal` subcommands (evidence-inject, evidence-correlate, auto-index,
+        // finalize-session, active-review) are machine-internal plumbing spawned by
+        // hooks, not user journey steps. Emitting an mla_command for them pollutes the
+        // command-journey funnel with `command:"_internal", subcommand:null` noise, so
+        // skip the journey event entirely. The remote flush is kept: an internal
+        // command flushes its own buffer before this point, but keeping the flush
+        // preserves forwarding for any value events still buffered (no-op when empty).
+        const isInternal = (0, command_event_1.normalizeCommand)(params.argv).command === "_internal";
+        if (!isInternal) {
+            const payload = buildCommandPayload({
+                argv: params.argv,
+                exitCode: params.exitCode,
+                threw: params.threw,
+                thrown: params.thrown,
+                mlaVersion: params.mlaVersion,
+                gitSha: params.gitSha,
+                startedAtMs: params.startedAtMs,
+                nowMs: params.nowMs,
+                sessionId: params.sessionId,
+                env,
+            });
+            const nowIso = new Date(params.nowMs).toISOString();
+            const ctx = {
+                workspaceId: params.workspaceId,
+                sessionId: params.sessionId,
+                distinctId: params.actorUserId ?? (0, store_1.machineId)(),
+                // The un-collapsed actor cuid for attribution (T1.10): honest null on an
+                // actorless run, unlike distinctId which falls back to a hashed machine id.
+                actorWorkspaceUserId: params.actorUserId,
+                source: "cli",
+                now: nowIso,
+            };
+            // Local append (durable) + buffer. Mints the CLI-origin event_id once.
+            (0, recorder_1.recordAnalyticsEvent)(ctx, { eventType: "mla_command", payload: payload }, env, params.onError);
+        }
+        // Best-effort, bounded, telemetry-gated remote forward. Skipped entirely when
+        // the run has no control config.
+        if (params.cfg) {
+            await (0, recorder_1.flushAnalyticsEvents)(params.cfg, env, params.onError);
+        }
+    }
+    catch (err) {
+        // Analytics must never break a command. Surface on the debug hook only.
+        if (params.onError)
+            params.onError(err);
+    }
+}

package/dist/lib/analytics/command-event.js

@@ -0,0 +1,267 @@
+"use strict";
+// mla_command normalization (spec section 6.2, INV-ARGV-1, INV-POSTHOG-PII-1).
+//
+// Turns a raw argv into the three privacy-safe shape fields the journey event
+// carries: a known `command`, a known `subcommand` (or null), and a `flags_shape`
+// built from approved flag NAMES only. Raw argv is never emitted: positional
+// arguments (queries, paths, ids) do not start with a dash and are dropped; flag
+// VALUES are split off at `=` or live in a separate token and are likewise
+// dropped; an unrecognized command or flag is normalized away rather than passed
+// through. This is the single chokepoint that keeps INV-ARGV-1 true.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.APPROVED_FLAGS = exports.KNOWN_SUBCOMMANDS = exports.KNOWN_COMMANDS = void 0;
+exports.normalizeCommand = normalizeCommand;
+exports.classifyScope = classifyScope;
+exports.classifyOutcome = classifyOutcome;
+// The closed set of top-level commands `mla` dispatches (cli.ts:215). A first
+// token outside this set is normalized to "unknown" so a typo'd path or secret
+// pasted as argv[0] never reaches the wire.
+exports.KNOWN_COMMANDS = new Set([
+    "init",
+    "rewire",
+    "activate",
+    "deactivate",
+    "mute",
+    "unmute",
+    "workspace",
+    "doctor",
+    "flush",
+    "review",
+    "cases",
+    "session",
+    "ask",
+    "kb",
+    "summary",
+    "label",
+    "adoption",
+    "stats",
+    "whoami",
+    "login",
+    "logout",
+    "debug",
+    "_internal",
+]);
+// Known subcommand keywords per command. A second token is emitted as
+// `subcommand` ONLY when it is in this set; otherwise it is a positional (an id,
+// a query, a doc path) and `subcommand` is null. This is what stops
+// `mla review <case-id>` or `mla ask "<query>"` from leaking the positional as a
+// subcommand.
+exports.KNOWN_SUBCOMMANDS = {
+    kb: new Set([
+        "add",
+        "show",
+        "reingest",
+        "forget",
+        "purge",
+        "move",
+        "review",
+        "pending",
+        "personal",
+        "promote",
+        "share",
+        "retime",
+        "summary",
+    ]),
+    workspace: new Set(["show", "use"]),
+    session: new Set(["show"]),
+    stats: new Set(["evidence"]),
+    _internal: new Set(["finalize-session", "active-review", "auto-index"]),
+};
+// Approved flag NAMES (INV-ARGV-1). A token starting with a dash is reduced to
+// its name (leading dashes stripped, anything after `=` discarded) and kept only
+// if it is in this set. The set is flag NAMES the CLI actually parses; values are
+// never emitted regardless of allowlisting. Unknown flag names are dropped, not
+// surfaced, so a future flag is invisible to analytics until it is added here
+// (privacy-conservative by construction).
+exports.APPROVED_FLAGS = new Set([
+    "accept",
+    "actor",
+    "agent",
+    "all",
+    "allow-file-missing",
+    "allow-provenance-change",
+    "anchor-type",
+    "apply",
+    "as-of",
+    "audit-all",
+    "cached",
+    "control-token",
+    "control-url",
+    "create",
+    "doc",
+    "dry-run",
+    "effective-date",
+    "evidence",
+    "force",
+    "from-root",
+    "gc",
+    "glob",
+    "global",
+    "harmful",
+    "help",
+    "here",
+    "include-tombstoned",
+    "ingest-run-id",
+    "intel-url",
+    "is-inside-work-tree",
+    "json",
+    "last",
+    "markdown",
+    "marker",
+    "max",
+    "min",
+    "mode",
+    "name",
+    "no-flush",
+    "no-install-flock",
+    "no-post-tool-use",
+    "no-project-rules",
+    "no-relation",
+    "noisy",
+    "note",
+    "oneline",
+    "open",
+    "path",
+    "plain",
+    "posture",
+    "prevented-mistake",
+    "profile",
+    "provenance",
+    "purge-expired",
+    "queue",
+    "quiet",
+    "reap-only",
+    "reason",
+    "reclassify",
+    "reject",
+    "repair",
+    "scope-section",
+    "session",
+    "show-current",
+    "show-toplevel",
+    "skill-only",
+    "stat",
+    "unsafe-capture-non-bash",
+    "useful",
+    "verbose",
+    "window",
+    "workspace",
+    "workspace-id",
+    "yes",
+]);
+// Coarse command-to-scope map (where the command's effect primarily lands).
+// Command-granularity on purpose: a per-subcommand effect tracker is not worth
+// the maintenance for a breakdown dimension. Anchored to the spec's own example
+// (section 11: `kb review` -> scope "local"), so `kb` is local even though some
+// subcommands sync. `ask` / `adoption` / `summary` fundamentally read or compute
+// over workspace data, so they are "workspace". A `--global` flag overrides to
+// "global". Anything unrecognized is "unknown" (never guessed).
+const WORKSPACE_SCOPE_COMMANDS = new Set(["ask", "adoption", "summary"]);
+// Normalize the first token to a known command, "help"/"version" for the usage
+// and version shortcuts, or "unknown".
+function normalizeCommandToken(first) {
+    if (first === undefined || first === "help" || first === "--help" || first === "-h") {
+        return "help";
+    }
+    if (first === "--version" || first === "-v")
+        return "version";
+    if (exports.KNOWN_COMMANDS.has(first))
+        return first;
+    return "unknown";
+}
+// Reduce a raw token to its flag name, or null if it is not a flag (positional)
+// or not approved. `--window=7d` -> "window"; `--window 7d` -> "window" (the
+// "7d" is a separate token that returns null here); `query text` -> null.
+function flagName(token) {
+    if (!token.startsWith("-"))
+        return null;
+    const stripped = token.replace(/^-+/, "");
+    if (!stripped)
+        return null;
+    const name = stripped.split("=", 1)[0].toLowerCase();
+    return exports.APPROVED_FLAGS.has(name) ? name : null;
+}
+// Build the privacy-safe command shape from argv. Pure, no I/O.
+function normalizeCommand(argv) {
+    const command = normalizeCommandToken(argv[0]);
+    let subcommand = null;
+    const knownSubs = exports.KNOWN_SUBCOMMANDS[command];
+    if (knownSubs && typeof argv[1] === "string" && knownSubs.has(argv[1])) {
+        subcommand = argv[1];
+    }
+    // Scan ALL tokens for approved flags (flags can follow positionals). Dedupe and
+    // sort for a stable shape so PostHog funnels group identical invocations.
+    const flags = new Set();
+    for (const token of argv) {
+        const name = flagName(token);
+        if (name)
+            flags.add(name);
+    }
+    const flags_shape = [...flags].sort();
+    return { command, subcommand, flags_shape };
+}
+// Scope of the command's effect (best-effort, command-granularity). `--global`
+// in flags_shape wins.
+function classifyScope(command, flags_shape) {
+    if (flags_shape.includes("global"))
+        return "global";
+    if (command === "unknown")
+        return "unknown";
+    if (WORKSPACE_SCOPE_COMMANDS.has(command))
+        return "workspace";
+    return "local";
+}
+// Map a finished run (exit code + optional thrown error) to a closed-enum
+// outcome, a PII-safe error_class (a class/category token, NEVER a message), and
+// a retryable hint. The error's `status` (set by lib/http.buildError on HTTP
+// failures) drives the HTTP mapping; otherwise the error code/name is inspected
+// for the common network failure modes.
+function classifyOutcome(exitCode, threw, thrown) {
+    if (exitCode === 0) {
+        return { outcome: "success", error_class: null, retryable: false };
+    }
+    if (!threw) {
+        // A command returned non-zero without throwing: a handled, user-facing
+        // failure (bad input, not found, usage error -> exit 2). No exception object
+        // to classify, so no error_class.
+        return { outcome: "user_error", error_class: null, retryable: false };
+    }
+    const err = thrown;
+    const status = err?.status;
+    if (typeof status === "number") {
+        if (status === 401)
+            return { outcome: "auth_error", error_class: "http_401", retryable: false };
+        if (status === 403)
+            return { outcome: "permission_denied", error_class: "http_403", retryable: false };
+        if (status === 408)
+            return { outcome: "timeout", error_class: "http_408", retryable: true };
+        if (status === 429)
+            return { outcome: "system_error", error_class: "http_429", retryable: true };
+        if (status === 400 || status === 422) {
+            return { outcome: "validation_error", error_class: `http_${status}`, retryable: false };
+        }
+        if (status >= 500)
+            return { outcome: "system_error", error_class: `http_${status}`, retryable: true };
+        // Other 4xx: a client-side problem the user must fix.
+        return { outcome: "user_error", error_class: `http_${status}`, retryable: false };
+    }
+    // No HTTP status: a network-layer or programmatic error. fetch() rejects with a
+    // TypeError ("fetch failed") wrapping a cause; AbortController aborts surface as
+    // an AbortError; node socket errors carry an errno code.
+    const code = (err?.code || "").toUpperCase();
+    const name = err?.name || "";
+    if (code === "ETIMEDOUT" || name === "AbortError" || name === "TimeoutError") {
+        return { outcome: "timeout", error_class: "timeout", retryable: true };
+    }
+    if (code === "ECONNREFUSED" ||
+        code === "ENOTFOUND" ||
+        code === "ECONNRESET" ||
+        code === "EAI_AGAIN" ||
+        name === "FetchError" ||
+        name === "TypeError" // node's fetch wraps network failures as TypeError
+    ) {
+        return { outcome: "network_error", error_class: "network_error", retryable: true };
+    }
+    // Unknown thrown error: a class name is PII-safe (it is a type, not a message).
+    return { outcome: "system_error", error_class: name || "Error", retryable: false };
+}

package/dist/lib/analytics/consent.js

@@ -0,0 +1,58 @@
+"use strict";
+// Analytics consent: the three privacy postures (spec section 9, INV-CONSENT-1).
+//
+// Local recording, remote ids-only analytics, and content-bearing trace upload
+// are genuinely different privacy decisions; a user may want ids-only analytics
+// on but content traces off. We reconcile with the EXISTING CLI kill switch
+// (TELEMETRY.md) rather than inventing a parallel flag set:
+//
+//   MEETLESS_LOCAL_STATS   default ON   -> write ~/.meetless/events.jsonl
+//   MEETLESS_TELEMETRY     default OFF  -> ship ids-only events to control->PostHog
+//                                          AND keep its existing kill-switch role
+//   MEETLESS_TRACE_UPLOAD  default ON*  -> content-bearing traces (Langfuse) + Sentry
+//
+// (*) MEETLESS_TRACE_UPLOAD's ABSENCE preserves today's trace-plane behavior so
+// dogfood keeps working; the effective posture is still "off unless your server
+// opts in" because control refuses with TRACING_NOT_ENABLED_FOR_WORKSPACE. The
+// flag is an explicit content-trace sub-kill, independent of the analytics opt-in.
+//
+// The master kill switch (telemetryDisabled: MEETLESS_TELEMETRY in {off,0,false,no}
+// OR truthy MEETLESS_NO_TELEMETRY) wins over BOTH remote planes.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.localStatsEnabled = localStatsEnabled;
+exports.remoteAnalyticsEnabled = remoteAnalyticsEnabled;
+exports.traceUploadEnabled = traceUploadEnabled;
+const observability_1 = require("../observability");
+function isOff(v) {
+    const t = (v || "").trim().toLowerCase();
+    return t === "off" || t === "0" || t === "false" || t === "no";
+}
+function isOn(v) {
+    const t = (v || "").trim().toLowerCase();
+    return t === "on" || t === "1" || t === "true" || t === "yes";
+}
+// Local jsonl recording for `mla stats`. Default ON. Only an explicit off-value
+// disables it. Independent of the remote planes: `mla stats` (local) works even
+// with all remote telemetry off (INV-LOCAL-STATS-1, INV-CONSENT-1).
+function localStatsEnabled(env = process.env) {
+    return !isOff(env.MEETLESS_LOCAL_STATS);
+}
+// Remote ids-only analytics upload (CLI -> control -> PostHog/rollups). Default
+// OFF: it is an explicit opt-in via a truthy MEETLESS_TELEMETRY. The master kill
+// (telemetryDisabled) always wins. Note the asymmetry with the trace plane:
+// analytics is opt-IN (silent unless turned on), trace upload is opt-OUT.
+function remoteAnalyticsEnabled(env = process.env) {
+    if ((0, observability_1.telemetryDisabled)(env))
+        return false;
+    return isOn(env.MEETLESS_TELEMETRY);
+}
+// Content-bearing trace upload (Langfuse spans) + Sentry error reporting. The
+// master kill wins; an explicit MEETLESS_TRACE_UPLOAD off-value is the content
+// sub-kill; absence preserves the pre-existing trace-plane behavior (still
+// server-gated downstream). This is what gates initSentry() and the trace
+// flushFn at their cli.ts call sites.
+function traceUploadEnabled(env = process.env) {
+    if ((0, observability_1.telemetryDisabled)(env))
+        return false;
+    return !isOff(env.MEETLESS_TRACE_UPLOAD);
+}