@meetless/mla 0.1.4

package/dist/lib/rules/attest-code-rule-version.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mintAttestedCodeRuleVersion = mintAttestedCodeRuleVersion;
+const attest_rule_version_1 = require("./attest-rule-version");
+const local_rule_version_repo_1 = require("./local-rule-version-repo");
+/**
+ * Mint the LIVE version of a code-defined rule. NEW_RULE refuses an id already present in the scope (a
+ * collision is an operator error, never a silent re-version); SUCCESSOR supersedes the prior LIVE in the
+ * repo's single transaction, and a re-attest whose frozen hash already matches the LIVE version is an
+ * idempotent no-op. The stored bytes and hash are the registry's, verbatim; lineage to an observed
+ * snapshot is null because a code rule is authored, not observed.
+ */
+function mintAttestedCodeRuleVersion(store, input) {
+    const ruleId = input.codeRule.ruleId;
+    const scope = input.runtimeScopeId;
+    const canonicalPayloadHash = input.codeRule.canonicalPayloadHash;
+    const buildRecord = (supersedesVersionId) => ({
+        versionId: input.versionId,
+        ruleId,
+        runtimeScopeId: scope,
+        rulePayload: input.codeRule.serializedPayload,
+        canonicalPayloadHash,
+        lifecycleStatus: "LIVE",
+        attestationMethod: input.attestationMethod,
+        attestedBy: input.attestedBy,
+        supersedesVersionId,
+        derivedFromObservedHash: null,
+        attestedAt: input.attestedAt,
+    });
+    if (input.mode === "NEW_RULE") {
+        if ((0, local_rule_version_repo_1.listLocalRuleVersionHistory)(store, scope, ruleId).length > 0) {
+            throw new attest_rule_version_1.RuleIdentityCollisionError(scope, ruleId);
+        }
+        const record = buildRecord(null);
+        (0, local_rule_version_repo_1.insertLocalRuleVersion)(store, record);
+        return { outcome: "MINTED", version: record };
+    }
+    const current = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, scope, ruleId);
+    if (!current) {
+        throw new local_rule_version_repo_1.NoLiveVersionToSupersedeError(scope, ruleId);
+    }
+    if (current.canonicalPayloadHash === canonicalPayloadHash) {
+        return { outcome: "NOOP_IDEMPOTENT", version: current };
+    }
+    const minted = (0, local_rule_version_repo_1.supersedeLiveLocalRuleVersion)(store, buildRecord(current.versionId));
+    return { outcome: "SUPERSEDED", version: minted, supersededVersionId: current.versionId };
+}

package/dist/lib/rules/attest-notes-location.js

@@ -0,0 +1,217 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NOTES_LOCATION_RULE_ID = void 0;
+exports.convertForbiddenRootSnapshot = convertForbiddenRootSnapshot;
+exports.convertNotesLocationSnapshot = convertNotesLocationSnapshot;
+exports.mintAttestedNotesLocationVersion = mintAttestedNotesLocationVersion;
+const local_rule_version_repo_1 = require("./local-rule-version-repo");
+const attest_rule_version_1 = require("./attest-rule-version");
+// Slice 7 (Phase B.7): the ObservedRuleSpec -> RulePayloadV1 conversion, the §2.4 pilot admission
+// gate, and the mint-or-supersede orchestration behind `mla rules attest --from-observed <hash>`
+// (proposal §2.4 conversion table lines 921-945, the admission gate lines 2076-2085, the worked
+// attest flow lines 2037-2069). This module is the PURE core: it never reads the config, never
+// prompts, never resolves the runtime scope, and never reads the observed snapshot from the store
+// (that is the A.3 resolver). It converts the four observed fields plus the active runtime scope into
+// the frozen RulePayloadV1, and it drives the A.4 repo's one-LIVE-per-(scope, rule) supersession. The
+// command shell (commands/rules.ts) supplies the operator identity, the confirmation, and the IO.
+/** R1 has exactly one logical pilot rule; the identity is FIXED, never chosen (proposal §2.4, P0.55). */
+exports.NOTES_LOCATION_RULE_ID = "notes-location-v1";
+// The fields of the pilot payload that are FIXED by the §2.4 contract (everything except text,
+// applicability, and the carried forbidden root). Naming them as constants makes the conversion table
+// auditable against the proposal line by line.
+const PILOT_EFFECT = "PROHIBIT";
+const PILOT_STRENGTH = "MUST_FOLLOW";
+const PILOT_DELIVERY_CHANNELS = ["preToolUse"];
+const PILOT_ENFORCEMENT_CEILING = "DENY";
+const PILOT_INFRASTRUCTURE_FAILURE_POLICY = "PASS_WITH_ALERT";
+const PILOT_EVALUATOR_CONTRACT_VERSION = "four-state-evaluator-v1";
+const PILOT_MATCHER_SCHEMA_VERSION = "action-applicability-v1";
+const PILOT_PATH_CANONICALIZER_VERSION = "notes-path-v1";
+const PILOT_FORBIDDEN_ROOT = "notes";
+const PILOT_PAYLOAD_SCHEMA_VERSION = "rule-payload-v1";
+const PILOT_CANONICAL_SERIALIZATION_VERSION = "v1";
+// The supported tool SET for the pilot: EXACTLY {Write, Edit} (admission gate condition 2).
+const PILOT_TOOLS = ["Edit", "Write"];
+// The closed observed-rule-v1 schema key sets (must match observed-rule-hash.ts). An out-of-schema
+// field already fails the observed hash (P0.53), so it can never be admitted into the pilot either.
+const OBSERVED_RULE_KEYS = new Set(["text", "applicability", "effect", "forbiddenRootRelativePath"]);
+const APPLICABILITY_AMBIENT_KEYS = new Set(["mode"]);
+const APPLICABILITY_ACTION_KEYS = new Set(["mode", "tools", "matcher"]);
+const MATCHER_KEYS = new Set(["field", "glob"]);
+function reject(reason, detail) {
+    return { admitted: false, reason, detail };
+}
+/** Strictly parse a snapshot string into the closed observed-rule-v1 shape, or a typed refusal. */
+function parseObservedSnapshot(snapshotJson) {
+    let raw;
+    try {
+        raw = JSON.parse(snapshotJson);
+    }
+    catch {
+        return reject("SNAPSHOT_UNPARSEABLE", "the observed snapshot is not valid JSON");
+    }
+    if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+        return reject("MALFORMED_SNAPSHOT", "the observed snapshot is not a JSON object");
+    }
+    const obj = raw;
+    const unknownTop = Object.keys(obj).find((k) => !OBSERVED_RULE_KEYS.has(k));
+    if (unknownTop) {
+        return reject("UNKNOWN_FIELD", `unknown field '${unknownTop}' is outside the observed-rule-v1 schema`);
+    }
+    if (typeof obj.text !== "string")
+        return reject("MALFORMED_SNAPSHOT", "text must be a string");
+    if (typeof obj.effect !== "string")
+        return reject("MALFORMED_SNAPSHOT", "effect must be a string");
+    if (typeof obj.forbiddenRootRelativePath !== "string") {
+        return reject("MALFORMED_SNAPSHOT", "forbiddenRootRelativePath must be a string");
+    }
+    const applicability = parseApplicability(obj.applicability);
+    if ("admitted" in applicability)
+        return applicability;
+    return {
+        ok: true,
+        spec: {
+            text: obj.text,
+            applicability: applicability.value,
+            effect: obj.effect,
+            forbiddenRootRelativePath: obj.forbiddenRootRelativePath,
+        },
+    };
+}
+function parseApplicability(raw) {
+    if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+        return reject("MALFORMED_SNAPSHOT", "applicability must be a JSON object");
+    }
+    const a = raw;
+    if (a.mode === "ambient") {
+        const unknown = Object.keys(a).find((k) => !APPLICABILITY_AMBIENT_KEYS.has(k));
+        if (unknown)
+            return reject("UNKNOWN_FIELD", `unknown field '${unknown}' in applicability(ambient)`);
+        return { value: { mode: "ambient" } };
+    }
+    if (a.mode !== "action") {
+        return reject("NOT_ACTION_SCOPED", `applicability.mode '${String(a.mode)}' is not 'action'`);
+    }
+    const unknown = Object.keys(a).find((k) => !APPLICABILITY_ACTION_KEYS.has(k));
+    if (unknown)
+        return reject("UNKNOWN_FIELD", `unknown field '${unknown}' in applicability(action)`);
+    if (!Array.isArray(a.tools) || !a.tools.every((t) => typeof t === "string")) {
+        return reject("MALFORMED_SNAPSHOT", "applicability.tools must be a string array");
+    }
+    const matcher = parseMatcher(a.matcher);
+    if ("admitted" in matcher)
+        return matcher;
+    return { value: { mode: "action", tools: a.tools, matcher: matcher.value } };
+}
+function parseMatcher(raw) {
+    if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+        return reject("MALFORMED_SNAPSHOT", "applicability.matcher must be a JSON object");
+    }
+    const m = raw;
+    const unknown = Object.keys(m).find((k) => !MATCHER_KEYS.has(k));
+    if (unknown)
+        return reject("UNKNOWN_FIELD", `unknown field '${unknown}' in applicability.matcher`);
+    if (typeof m.field !== "string")
+        return reject("MALFORMED_SNAPSHOT", "matcher.field must be a string");
+    if (m.glob !== undefined && typeof m.glob !== "string") {
+        return reject("MALFORMED_SNAPSHOT", "matcher.glob must be a string when present");
+    }
+    const value = { field: m.field };
+    if (m.glob !== undefined)
+        value.glob = m.glob;
+    return { value };
+}
+function isExactlyWriteEdit(tools) {
+    const set = new Set(tools);
+    return set.size === PILOT_TOOLS.length && PILOT_TOOLS.every((t) => set.has(t));
+}
+/**
+ * Convert one frozen observed-rule-v1 snapshot into the immutable RulePayloadV1, for the WHOLE PROHIBIT
+ * forbidden-root family, or REFUSE it. The admission gate runs BEFORE any payload is built: a snapshot
+ * that is not an action-scoped, exactly-{Write, Edit}, field/glob-matcher, effect-PROHIBIT rule with a
+ * non-empty forbidden root (closed schema) is never converted, so it can never mint a version.
+ *
+ * Generalizing the forbidden root beyond the notes pilot is provably conflict-free (proposal §2.0: a
+ * conflict requires a LIVE rule whose effect EFFECTIVELY REQUIRES the action that another PROHIBITs;
+ * a PROHIBIT rule never requires a write, so two members of this family can never conflict). The
+ * evaluator/matcher/canonicalizer contract versions and the path canonicalizer (`notes-path.ts`) are
+ * already generic over the configured root, so the same frozen payload shape serves any root. Anything
+ * OUTSIDE this family (a different evaluator, PERMIT/EXCLUSION effects, ambient rules) stays R4.
+ *
+ * The conversion itself is the §2.4 table: text/applicability verbatim, every other field fixed by the
+ * family contract, the forbidden root carried AS CONTENT (P0.63), the runtime scope bound from the
+ * active evaluation scope. The compliance version triple is supported by construction (the minimal
+ * observed spec carries no compliance spec), satisfying gate condition 6.
+ */
+function convertForbiddenRootSnapshot(snapshotJson, runtimeScopeId) {
+    const parsed = parseObservedSnapshot(snapshotJson);
+    if ("admitted" in parsed)
+        return parsed;
+    const spec = parsed.spec;
+    if (spec.applicability.mode !== "action") {
+        return reject("NOT_ACTION_SCOPED", "an ambient rule is never an action-gating version");
+    }
+    if (!isExactlyWriteEdit(spec.applicability.tools)) {
+        return reject("TOOLS_NOT_WRITE_EDIT", `tools must be exactly {Write, Edit}, got [${spec.applicability.tools.join(", ")}]`);
+    }
+    if (spec.effect !== PILOT_EFFECT) {
+        return reject("EFFECT_NOT_PROHIBIT", `effect '${spec.effect}' is not 'PROHIBIT'`);
+    }
+    if (spec.forbiddenRootRelativePath.trim() === "") {
+        return reject("FORBIDDEN_ROOT_EMPTY", "forbidden root is empty: a rule forbidding the repo root is nonsensical");
+    }
+    const compliance = {
+        evaluatorContractVersion: PILOT_EVALUATOR_CONTRACT_VERSION,
+        matcherSchemaVersion: PILOT_MATCHER_SCHEMA_VERSION,
+        pathCanonicalizerVersion: PILOT_PATH_CANONICALIZER_VERSION,
+        config: { forbiddenRootRelativePath: spec.forbiddenRootRelativePath },
+    };
+    const payload = {
+        text: spec.text,
+        applicability: spec.applicability,
+        compliance,
+        effect: PILOT_EFFECT,
+        strength: PILOT_STRENGTH,
+        deliveryChannels: PILOT_DELIVERY_CHANNELS,
+        enforcementCeiling: PILOT_ENFORCEMENT_CEILING,
+        infrastructureFailurePolicy: PILOT_INFRASTRUCTURE_FAILURE_POLICY,
+        runtimeScopeId,
+        payloadSchemaVersion: PILOT_PAYLOAD_SCHEMA_VERSION,
+        canonicalSerializationVersion: PILOT_CANONICAL_SERIALIZATION_VERSION,
+    };
+    return { admitted: true, payload };
+}
+/**
+ * The notes-location pilot member of the forbidden-root family: the generic converter pinned to the
+ * "notes" root (proposal §2.4 condition 5). This is the converter the no-flag `mla rules attest` default
+ * uses, preserving the exact armed R1 behavior. An explicit `--new-rule`/`--rule` identity uses the
+ * generic `convertForbiddenRootSnapshot` instead.
+ */
+function convertNotesLocationSnapshot(snapshotJson, runtimeScopeId) {
+    const generic = convertForbiddenRootSnapshot(snapshotJson, runtimeScopeId);
+    if (!generic.admitted)
+        return generic;
+    const root = generic.payload.compliance.config.forbiddenRootRelativePath;
+    if (root !== PILOT_FORBIDDEN_ROOT) {
+        return reject("FORBIDDEN_ROOT_UNSUPPORTED", `forbidden root '${root}' is not 'notes'`);
+    }
+    return generic;
+}
+/**
+ * Mint the LIVE notes-location version for the payload's runtime scope (proposal worked attest flow
+ * lines 2058-2068) by deferring to the canonical R1 writer. The pilot's logical identity is FIXED to
+ * notes-location-v1, but it still flows through the P0.55 identity choice rather than re-deriving it:
+ * the FIRST attest in a scope mints that id as a NEW rule (no predecessor), and every later attest is a
+ * SUCCESSOR of the prior LIVE version of the same rule (idempotent no-op when the payload hash is
+ * unchanged, otherwise a supersession with backward lineage). Serialization, the rule-version-v1 hash,
+ * the one-LIVE supersession transaction, and the at-the-attested-ceiling guarantee all live in the
+ * canonical writer; attestation and effective enforcement stay separate (§10.2, lines 2117-2124).
+ */
+function mintAttestedNotesLocationVersion(store, input) {
+    const scope = input.payload.runtimeScopeId;
+    const live = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, scope, exports.NOTES_LOCATION_RULE_ID);
+    const identity = live
+        ? { mode: "SUCCESSOR", ruleId: exports.NOTES_LOCATION_RULE_ID }
+        : { mode: "NEW_RULE", ruleId: exports.NOTES_LOCATION_RULE_ID };
+    return (0, attest_rule_version_1.mintAttestedRuleVersion)(store, { ...input, identity });
+}

package/dist/lib/rules/attest-rule-version.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RuleIdentityCollisionError = void 0;
+exports.mintAttestedRuleVersion = mintAttestedRuleVersion;
+const local_rule_version_repo_1 = require("./local-rule-version-repo");
+const rule_version_hash_1 = require("./rule-version-hash");
+/**
+ * Raised when `--new-rule` names a logical id that already exists in the scope. P0.55 requires an
+ * accidental collision to be rejected rather than silently versioning the wrong rule; the operator must
+ * either choose `--rule <id>` to version the existing rule deliberately, or pick a fresh id.
+ */
+class RuleIdentityCollisionError extends Error {
+    runtimeScopeId;
+    ruleId;
+    constructor(runtimeScopeId, ruleId) {
+        super(`cannot mint a NEW rule '${ruleId}' in scope ${runtimeScopeId}: a version with that logical id ` +
+            `already exists; use --rule ${ruleId} to version it deliberately, or choose a fresh id`);
+        this.runtimeScopeId = runtimeScopeId;
+        this.ruleId = ruleId;
+        this.name = "RuleIdentityCollisionError";
+    }
+}
+exports.RuleIdentityCollisionError = RuleIdentityCollisionError;
+/**
+ * Mint the LIVE version the operator's identity choice selects (proposal §2.4, P0.55). For NEW_RULE the
+ * fresh logical id must not collide with any existing version in the scope (rejected, not silently
+ * versioned). For SUCCESSOR the prior LIVE version of the named rule is superseded in the A.4 repo's
+ * single BEGIN IMMEDIATE transaction (supersede-first so the one-LIVE partial unique index never trips),
+ * and a re-attest whose hash already matches that LIVE version is an idempotent no-op (P1.3).
+ */
+function mintAttestedRuleVersion(store, input) {
+    const scope = input.payload.runtimeScopeId;
+    const ruleId = input.identity.ruleId;
+    const canonicalPayloadHash = (0, rule_version_hash_1.ruleVersionHash)(input.payload);
+    const buildRecord = (supersedesVersionId) => ({
+        versionId: input.versionId,
+        ruleId,
+        runtimeScopeId: scope,
+        rulePayload: (0, rule_version_hash_1.serializeRuleVersion)(input.payload),
+        canonicalPayloadHash,
+        lifecycleStatus: "LIVE",
+        attestationMethod: input.attestationMethod,
+        attestedBy: input.attestedBy,
+        supersedesVersionId,
+        derivedFromObservedHash: input.observedRuleHash,
+        attestedAt: input.attestedAt,
+    });
+    if (input.identity.mode === "NEW_RULE") {
+        // A NEW logical rule must occupy a free id: any version (any lifecycle) under this (scope, ruleId)
+        // means the id is already taken, so minting "new" here would silently version the wrong rule.
+        if ((0, local_rule_version_repo_1.listLocalRuleVersionHistory)(store, scope, ruleId).length > 0) {
+            throw new RuleIdentityCollisionError(scope, ruleId);
+        }
+        const record = buildRecord(null);
+        (0, local_rule_version_repo_1.insertLocalRuleVersion)(store, record);
+        return { outcome: "MINTED", version: record };
+    }
+    // SUCCESSOR: declare this version the successor of an existing logical rule's prior LIVE version.
+    const current = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, scope, ruleId);
+    if (!current) {
+        // A successor needs a prior LIVE version to point back at; there is none for this rule.
+        throw new local_rule_version_repo_1.NoLiveVersionToSupersedeError(scope, ruleId);
+    }
+    if (current.canonicalPayloadHash === canonicalPayloadHash) {
+        return { outcome: "NOOP_IDEMPOTENT", version: current };
+    }
+    const minted = (0, local_rule_version_repo_1.supersedeLiveLocalRuleVersion)(store, buildRecord(current.versionId));
+    return { outcome: "SUPERSEDED", version: minted, supersededVersionId: current.versionId };
+}

package/dist/lib/rules/canonical-json.js

@@ -0,0 +1,97 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CanonicalJsonError = void 0;
+exports.canonicalize = canonicalize;
+exports.sha256Hex = sha256Hex;
+exports.canonicalDigest = canonicalDigest;
+const crypto_1 = require("crypto");
+const MAX_SAFE = Number.MAX_SAFE_INTEGER; // 2^53 - 1
+/** Serialize a single number per the V1 safe-integer profile (see file header). */
+function encodeNumber(n) {
+    if (!Number.isFinite(n)) {
+        throw new CanonicalJsonError(`non-finite number ${String(n)} cannot be canonically encoded`);
+    }
+    if (!Number.isInteger(n)) {
+        throw new CanonicalJsonError(`non-integer number ${n} rejected by the V1 safe-integer profile; ` +
+            `floats are out of scope for fingerprint payloads (see canonical-json.ts header)`);
+    }
+    if (Math.abs(n) > MAX_SAFE) {
+        throw new CanonicalJsonError(`integer ${n} exceeds Number.MAX_SAFE_INTEGER and cannot be encoded losslessly`);
+    }
+    // String(-0) === "0", String(42) === "42": exactly the RFC 8785 integer form.
+    return String(n);
+}
+/** Serialize a string: NFC normalize, then escape exactly as JSON.stringify. */
+function encodeString(s) {
+    return JSON.stringify(s.normalize("NFC"));
+}
+function encodeValue(value) {
+    if (value === undefined) {
+        throw new CanonicalJsonError("undefined is not a canonical value (use null, or omit the object key)");
+    }
+    if (value === null)
+        return "null";
+    switch (typeof value) {
+        case "boolean":
+            return value ? "true" : "false";
+        case "number":
+            return encodeNumber(value);
+        case "string":
+            return encodeString(value);
+        case "object":
+            break;
+        default:
+            throw new CanonicalJsonError(`unsupported value type '${typeof value}' in canonical payload`);
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map((el) => encodeValue(el)).join(",")}]`;
+    }
+    return encodeObject(value);
+}
+function encodeObject(obj) {
+    // NFC-normalize keys first so ordering is over the normalized form, then sort by
+    // UTF-16 code units. JS default string `<` compares by UTF-16 code unit, which is
+    // exactly RFC 8785's key order.
+    const entries = [];
+    const seen = new Map(); // normalizedKey -> originalKey
+    for (const rawKey of Object.keys(obj)) {
+        const v = obj[rawKey];
+        if (v === undefined)
+            continue; // absent optional: omit, matches JSON.stringify
+        const key = rawKey.normalize("NFC");
+        const prior = seen.get(key);
+        if (prior !== undefined) {
+            throw new CanonicalJsonError(`object keys '${prior}' and '${rawKey}' collide after NFC normalization`);
+        }
+        seen.set(key, rawKey);
+        entries.push([key, v]);
+    }
+    entries.sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
+    const body = entries
+        .map(([k, v]) => `${encodeString(k)}:${encodeValue(v)}`)
+        .join(",");
+    return `{${body}}`;
+}
+/** Thrown for any input the canonical encoder refuses (fail-closed). */
+class CanonicalJsonError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "CanonicalJsonError";
+    }
+}
+exports.CanonicalJsonError = CanonicalJsonError;
+/**
+ * Encode a value to its RFC 8785 canonical JSON string. The returned string, UTF-8
+ * encoded, is the exact byte sequence that is hashed.
+ */
+function canonicalize(value) {
+    return encodeValue(value);
+}
+/** SHA-256 (hex, lowercase, 64 chars) over the UTF-8 bytes of `text`. */
+function sha256Hex(text) {
+    return (0, crypto_1.createHash)("sha256").update(text, "utf8").digest("hex");
+}
+/** Canonical digest: `sha256Hex(canonicalize(value))`. */
+function canonicalDigest(value) {
+    return sha256Hex(canonicalize(value));
+}

package/dist/lib/rules/ce0-emit.js

@@ -0,0 +1,64 @@
+"use strict";
+// CE0 live telemetry sink (notes/20260617-evidence-consultation-forcing-function-proposal.md §6.4 P0.2):
+// the fail-soft local-append seam between the CE0 hooks and the existing generic analytics spool. The
+// pure ce0-telemetry builders produce a RecordInput; this attaches the run-context envelope and appends
+// it to the local jsonl via the shared recorder.
+//
+// Two §6.4 P0.2 invariants this seam upholds:
+//   - Local-append-only: the hook NEVER makes a synchronous network call. recordAnalyticsEvent appends
+//     to the local spool and buffers for the existing detached forward; remote delivery is that path's
+//     job, so CE0 adds no worker, queue, or uploader.
+//   - Fail-soft: a missing run context (no joinable trace/run) or a spool append fault is swallowed and
+//     never throws into the turn the hook observed. The durable CE0 store write already happened; live
+//     telemetry is strictly best-effort on top of it.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.emitCe0Event = emitCe0Event;
+const config_1 = require("../config");
+const store_1 = require("../analytics/store");
+const observability_1 = require("../observability");
+const recorder_1 = require("../analytics/recorder");
+/**
+ * Append a built CE0 RecordInput to the local analytics spool under a "hook" run-context envelope.
+ * Fail-soft and local-append-only (§6.4 P0.2): if there is no joinable run/trace context the event is
+ * skipped (the durable store already recorded the fact), and any fault in building or appending is
+ * swallowed so a telemetry failure never disturbs the turn.
+ */
+function emitCe0Event(input, coords, deps = {}) {
+    try {
+        const traceId = deps.traceId ?? (0, observability_1.getRunTraceId)();
+        const runId = deps.runId ?? (0, observability_1.getRunId)();
+        // No joinable envelope -> a local line that can never join the enrichment is worse than none.
+        if (!traceId || !runId)
+            return;
+        const readCfg = deps.readCfg ??
+            (() => {
+                try {
+                    return (0, config_1.readConfig)();
+                }
+                catch {
+                    return null;
+                }
+            });
+        const cfg = readCfg();
+        const mId = (deps.machineId ?? store_1.machineId)();
+        const ctx = {
+            workspaceId: coords.workspaceId,
+            sessionId: coords.sessionId,
+            // The hook cannot cheaply resolve the actor cuid; prefer the configured actor when present, else
+            // the hashed machine id (a workspace-scoped anonymous id, never end-user PII).
+            distinctId: cfg?.actorUserId ?? mId,
+            runId,
+            traceId,
+            source: "hook",
+            now: new Date(coords.nowMs).toISOString(),
+        };
+        const record = deps.record ?? recorder_1.recordAnalyticsEvent;
+        // The onError swallows a local spool append fault; the outer try swallows a buildEvent throw.
+        record(ctx, input, deps.env ?? process.env, () => {
+            /* fail-soft: a CE0 telemetry append must never escalate into a blocking hook. */
+        });
+    }
+    catch {
+        // Fail-soft (§6.4 P0.2): CE0 telemetry must never disturb the turn it observed.
+    }
+}