@meetless/mla 0.1.4

package/dist/lib/rules/local-rule-version-repo.js

@@ -0,0 +1,214 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NoLiveVersionToRevokeError = exports.NoLiveVersionToSupersedeError = exports.CrossScopeLineageError = void 0;
+exports.insertLocalRuleVersion = insertLocalRuleVersion;
+exports.getLocalRuleVersion = getLocalRuleVersion;
+exports.getLiveLocalRuleVersion = getLiveLocalRuleVersion;
+exports.listLiveLocalRuleVersions = listLiveLocalRuleVersions;
+exports.listLocalRuleVersionHistory = listLocalRuleVersionHistory;
+exports.supersedeLiveLocalRuleVersion = supersedeLiveLocalRuleVersion;
+exports.revokeLiveLocalRuleVersion = revokeLiveLocalRuleVersion;
+exports.insertVersionEvaluationRecord = insertVersionEvaluationRecord;
+const interception_store_1 = require("./interception-store");
+/** Raised when a version's lineage pointer would cross a runtime scope (FK lineage must stay in-scope). */
+class CrossScopeLineageError extends Error {
+    versionId;
+    runtimeScopeId;
+    supersedesVersionId;
+    constructor(versionId, runtimeScopeId, supersedesVersionId) {
+        super(`version ${versionId} in scope ${runtimeScopeId} cannot supersede ${supersedesVersionId}: ` +
+            `the predecessor is in a different runtime scope`);
+        this.versionId = versionId;
+        this.runtimeScopeId = runtimeScopeId;
+        this.supersedesVersionId = supersedesVersionId;
+        this.name = "CrossScopeLineageError";
+    }
+}
+exports.CrossScopeLineageError = CrossScopeLineageError;
+/** Raised when a supersession is requested but no LIVE version exists for the (scope, rule) to replace. */
+class NoLiveVersionToSupersedeError extends Error {
+    runtimeScopeId;
+    ruleId;
+    constructor(runtimeScopeId, ruleId) {
+        super(`no LIVE version for rule ${ruleId} in scope ${runtimeScopeId} to supersede`);
+        this.runtimeScopeId = runtimeScopeId;
+        this.ruleId = ruleId;
+        this.name = "NoLiveVersionToSupersedeError";
+    }
+}
+exports.NoLiveVersionToSupersedeError = NoLiveVersionToSupersedeError;
+/** Raised when a revoke (kill switch) is requested but no LIVE version exists for the (scope, rule). */
+class NoLiveVersionToRevokeError extends Error {
+    runtimeScopeId;
+    ruleId;
+    constructor(runtimeScopeId, ruleId) {
+        super(`no LIVE version for rule ${ruleId} in scope ${runtimeScopeId} to revoke`);
+        this.runtimeScopeId = runtimeScopeId;
+        this.ruleId = ruleId;
+        this.name = "NoLiveVersionToRevokeError";
+    }
+}
+exports.NoLiveVersionToRevokeError = NoLiveVersionToRevokeError;
+// ---------------------------------------------------------------------------
+// local_rule_version
+// ---------------------------------------------------------------------------
+function mapVersionRow(row) {
+    return {
+        versionId: row.version_id,
+        ruleId: row.rule_id,
+        runtimeScopeId: row.runtime_scope_id,
+        rulePayload: row.rule_payload,
+        canonicalPayloadHash: row.canonical_payload_hash,
+        lifecycleStatus: row.lifecycle_status,
+        attestationMethod: row.attestation_method,
+        attestedBy: row.attested_by,
+        supersedesVersionId: row.supersedes_version_id ?? null,
+        derivedFromObservedHash: row.derived_from_observed_hash ?? null,
+        attestedAt: row.attested_at,
+    };
+}
+/** Insert a version exactly as given. Same-scope FK lineage is verified BEFORE the write; everything
+ * else (one-LIVE, payload uniqueness, immutability) is left to the schema. */
+function insertLocalRuleVersion(store, rec) {
+    if (rec.supersedesVersionId !== null) {
+        const predecessor = getLocalRuleVersionAnyScope(store, rec.supersedesVersionId);
+        if (predecessor && predecessor.runtimeScopeId !== rec.runtimeScopeId) {
+            throw new CrossScopeLineageError(rec.versionId, rec.runtimeScopeId, rec.supersedesVersionId);
+        }
+    }
+    store.db
+        .prepare(`INSERT INTO local_rule_version
+        (version_id, rule_id, runtime_scope_id, rule_payload, canonical_payload_hash,
+         lifecycle_status, attestation_method, attested_by, supersedes_version_id,
+         derived_from_observed_hash, attested_at)
+       VALUES
+        (@version_id, @rule_id, @runtime_scope_id, @rule_payload, @canonical_payload_hash,
+         @lifecycle_status, @attestation_method, @attested_by, @supersedes_version_id,
+         @derived_from_observed_hash, @attested_at)`)
+        .run({
+        version_id: rec.versionId,
+        rule_id: rec.ruleId,
+        runtime_scope_id: rec.runtimeScopeId,
+        rule_payload: rec.rulePayload,
+        canonical_payload_hash: rec.canonicalPayloadHash,
+        lifecycle_status: rec.lifecycleStatus,
+        attestation_method: rec.attestationMethod,
+        attested_by: rec.attestedBy,
+        supersedes_version_id: rec.supersedesVersionId,
+        derived_from_observed_hash: rec.derivedFromObservedHash,
+        attested_at: rec.attestedAt,
+    });
+}
+/** Read one version by the runtime-scope-safe composite key; null if it is absent OR in another scope. */
+function getLocalRuleVersion(store, versionId, runtimeScopeId) {
+    const row = store.db
+        .prepare(`SELECT * FROM local_rule_version WHERE version_id = ? AND runtime_scope_id = ?`)
+        .get(versionId, runtimeScopeId);
+    return row ? mapVersionRow(row) : null;
+}
+/** Scope-agnostic lookup used ONLY to validate lineage (a predecessor's scope). Not exported. */
+function getLocalRuleVersionAnyScope(store, versionId) {
+    const row = store.db
+        .prepare(`SELECT * FROM local_rule_version WHERE version_id = ?`)
+        .get(versionId);
+    return row ? mapVersionRow(row) : null;
+}
+/** Read the current LIVE version for a (scope, rule); null when none is LIVE. */
+function getLiveLocalRuleVersion(store, runtimeScopeId, ruleId) {
+    const row = store.db
+        .prepare(`SELECT * FROM local_rule_version
+        WHERE runtime_scope_id = ? AND rule_id = ? AND lifecycle_status = 'LIVE'`)
+        .get(runtimeScopeId, ruleId);
+    return row ? mapVersionRow(row) : null;
+}
+/**
+ * List EVERY LIVE rule version in one scope, ordered by ruleId ascending. This is the rule-driven
+ * enforce dispatch's input (R4): the seam evaluates all of these against one tool attempt. The ruleId
+ * ordering is the deterministic tie-break the dispatch relies on when more than one rule would deny the
+ * same action (it emits the deny of the lowest ruleId and records the rest as arms). One LIVE row per
+ * (scope, rule) is guaranteed by ux_one_live_version, so this never returns two versions of one rule.
+ */
+function listLiveLocalRuleVersions(store, runtimeScopeId) {
+    const rows = store.db
+        .prepare(`SELECT * FROM local_rule_version
+        WHERE runtime_scope_id = ? AND lifecycle_status = 'LIVE'
+        ORDER BY rule_id`)
+        .all(runtimeScopeId);
+    return rows.map(mapVersionRow);
+}
+/** List a rule's version history in one scope, oldest first (attested_at then version_id). */
+function listLocalRuleVersionHistory(store, runtimeScopeId, ruleId) {
+    const rows = store.db
+        .prepare(`SELECT * FROM local_rule_version
+        WHERE runtime_scope_id = ? AND rule_id = ?
+        ORDER BY attested_at, version_id`)
+        .all(runtimeScopeId, ruleId);
+    return rows.map(mapVersionRow);
+}
+/**
+ * Atomically supersede the current LIVE version of a (scope, rule) with `successor`. In one
+ * BEGIN IMMEDIATE transaction: find the current LIVE; demote it to SUPERSEDED (the only lifecycle
+ * transition trg_version_immutable allows); insert `successor` as LIVE with supersedes_version_id
+ * pointing at the demoted version. Demote-then-insert is deliberate: it never leaves two LIVE rows
+ * for the (scope, rule), so ux_one_live_version is satisfied at every statement boundary. Throws
+ * NoLiveVersionToSupersedeError when there is nothing LIVE to replace, and refuses a `successor`
+ * whose supersedesVersionId is provided but does not name the actual prior LIVE. Returns the minted
+ * successor with its lineage filled in.
+ */
+function supersedeLiveLocalRuleVersion(store, successor) {
+    const run = store.db.transaction(() => {
+        const current = getLiveLocalRuleVersion(store, successor.runtimeScopeId, successor.ruleId);
+        if (!current) {
+            throw new NoLiveVersionToSupersedeError(successor.runtimeScopeId, successor.ruleId);
+        }
+        if (successor.supersedesVersionId !== null && successor.supersedesVersionId !== current.versionId) {
+            throw new Error(`successor ${successor.versionId} claims to supersede ${successor.supersedesVersionId} ` +
+                `but the current LIVE version is ${current.versionId}`);
+        }
+        store.db
+            .prepare(`UPDATE local_rule_version SET lifecycle_status = 'SUPERSEDED' WHERE version_id = ?`)
+            .run(current.versionId);
+        const minted = {
+            ...successor,
+            lifecycleStatus: "LIVE",
+            supersedesVersionId: current.versionId,
+        };
+        insertLocalRuleVersion(store, minted);
+        return minted;
+    });
+    return run.immediate();
+}
+/**
+ * The kill switch. Atomically disarm a (scope, rule) by flipping its current LIVE version to REVOKED
+ * (the LIVE->REVOKED transition trg_version_immutable explicitly permits). After this the (scope, rule)
+ * has NO LIVE version, so getLiveLocalRuleVersion returns null and the enforce seam finds NO_LIVE_VERSION
+ * and fails open: enforcement stops cleanly without deleting any history. Scoped strictly to the given
+ * runtime scope, so a same-rule LIVE version in another scope is never touched. Throws
+ * NoLiveVersionToRevokeError when there is nothing LIVE to disarm. Returns the now-REVOKED version.
+ */
+function revokeLiveLocalRuleVersion(store, runtimeScopeId, ruleId) {
+    const run = store.db.transaction(() => {
+        const current = getLiveLocalRuleVersion(store, runtimeScopeId, ruleId);
+        if (!current) {
+            throw new NoLiveVersionToRevokeError(runtimeScopeId, ruleId);
+        }
+        store.db
+            .prepare(`UPDATE local_rule_version SET lifecycle_status = 'REVOKED' WHERE version_id = ?`)
+            .run(current.versionId);
+        return { ...current, lifecycleStatus: "REVOKED" };
+    });
+    return run.immediate();
+}
+// ---------------------------------------------------------------------------
+// rule_evaluation_record (version arm)
+// ---------------------------------------------------------------------------
+/** Write a version-arm verdict: a rule_evaluation_record bound to a LocalRuleVersion. The observed
+ * arm is forced null here, so the schema's arm CHECK can only ever see the version arm; the composite
+ * (rule_version_id, runtime_scope_id) FK rejects a verdict that references a version in another scope. */
+function insertVersionEvaluationRecord(store, input) {
+    (0, interception_store_1.insertRuleEvaluationRecord)(store, {
+        ...input,
+        observedRuleSnapshot: null,
+        observedRuleHash: null,
+    });
+}

package/dist/lib/rules/memory-requirement.js

@@ -0,0 +1,109 @@
+"use strict";
+/**
+ * MEMORY-REQUIREMENT CLASSIFIER (vendored into the CLI for the UserPromptSubmit hook).
+ *
+ * Given the operator's current prompt, derive whether asserting an answer WITHOUT
+ * consulting governed memory plausibly violates an operator expectation. The CE0
+ * obligation forms ONLY on a REQUIRED turn, so this classifier is the relevance
+ * trigger for CONSULT_GOVERNED_EVIDENCE_ON_MEMORY_REQUIRED_TURN_V1
+ * (notes/20260617-evidence-consultation-forcing-function-proposal.md §1.3).
+ *
+ * Why vendored, not imported: the CLI intentionally does not depend on
+ * @meetless/utils (see kb-candidate.ts). This is a byte-faithful copy of the utils
+ * classifier (packages/utils/src/memory-requirement.ts); the seed-set versions
+ * (raw-prompt-substring-v1 / seed-v1) are pinned so the two implementations cannot
+ * silently diverge on which turns are governed. The classification is pure: no hash,
+ * no persistence, no runtime. The TurnMemoryAssessment record and the obligation it
+ * may create live in the store and the adapter.
+ *
+ * Three-valued band (R3 P1.2 removed HELPFUL): REQUIRED | NOT_REQUIRED | UNKNOWN.
+ * Only REQUIRED creates an obligation (P0.3); NOT_REQUIRED and UNKNOWN are telemetry.
+ * A REQUIRED seed marker wins (the seed catches "why did we choose X" even though
+ * "why" is itself an excluded generic lead-in); failing that, an EXCLUSION match is
+ * what makes a turn CONFIDENTLY NOT_REQUIRED; matching NEITHER is undecidable from
+ * shape, so it is UNKNOWN (the population recall improvements later promote).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EXCLUSION_MARKERS = exports.REQUIRED_MARKERS = exports.MEMORY_REQUIREMENT_EXCLUSION_SET_VERSION = exports.MEMORY_REQUIREMENT_MARKER_SET_VERSION = exports.MEMORY_REQUIREMENT_CLASSIFIER_VERSION = void 0;
+exports.normalizeForMarkerMatch = normalizeForMarkerMatch;
+exports.classifyMemoryRequirement = classifyMemoryRequirement;
+/** Frozen seed-set versions, stamped on every classification (P1.3 attestation). */
+exports.MEMORY_REQUIREMENT_CLASSIFIER_VERSION = "raw-prompt-substring-v1";
+exports.MEMORY_REQUIREMENT_MARKER_SET_VERSION = "seed-v1";
+exports.MEMORY_REQUIREMENT_EXCLUSION_SET_VERSION = "seed-v1";
+// Sorted for byte-stable identity; de-duplicated by construction.
+const sortedFrozen = (markers) => Object.freeze(Array.from(new Set(markers)).sort());
+/**
+ * Seed REQUIRED markers (proposal lines 290-301): high precision, deliberately low
+ * recall. A match means the prompt points at workspace-internal decisions, ownership,
+ * policy, architecture, or cross-session history.
+ */
+exports.REQUIRED_MARKERS = sortedFrozen([
+    "what did we decide",
+    "why did we choose",
+    "are we still doing",
+    "our canonical",
+    "previous session",
+    "earlier agent",
+    "who owns",
+    "who approves",
+    "our policy",
+    "our architecture decision",
+]);
+/**
+ * Explicitly EXCLUDED generic-conceptual lead-ins (proposal lines 305-310), stored as
+ * their placeholder-free, matchable prefixes. A match (absent any REQUIRED marker)
+ * makes the turn CONFIDENTLY NOT_REQUIRED.
+ */
+exports.EXCLUSION_MARKERS = sortedFrozen([
+    "why",
+    "how does",
+    "what is",
+    "difference between",
+]);
+/**
+ * Normalize text to a space-padded, lowercased, single-spaced token stream so a marker
+ * can be matched on token boundaries via plain substring containment (" who owns " is
+ * in " who owns this " but not in " whoever owns "). Any run of non-alphanumeric
+ * characters becomes a single space; an empty / all-punctuation input reduces to a
+ * single pad space.
+ */
+function normalizeForMarkerMatch(text) {
+    const core = text
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, " ")
+        .trim();
+    return core === "" ? " " : ` ${core} `;
+}
+/** Which of `markers` appear as whole-token substrings of the padded prompt. */
+function matched(paddedPrompt, markers) {
+    return markers.filter((m) => paddedPrompt.includes(` ${m} `));
+}
+/**
+ * Classify the current prompt's MemoryRequirement. Pure and deterministic: REQUIRED if
+ * any seed marker matches; else NOT_REQUIRED if any exclusion marker matches; else
+ * UNKNOWN.
+ */
+function classifyMemoryRequirement(prompt) {
+    const padded = normalizeForMarkerMatch(prompt);
+    const markersMatched = matched(padded, exports.REQUIRED_MARKERS);
+    const exclusionsMatched = matched(padded, exports.EXCLUSION_MARKERS);
+    let requirement;
+    if (markersMatched.length > 0) {
+        requirement = "REQUIRED";
+    }
+    else if (exclusionsMatched.length > 0) {
+        requirement = "NOT_REQUIRED";
+    }
+    else {
+        requirement = "UNKNOWN";
+    }
+    return {
+        requirement,
+        markersMatched,
+        exclusionsMatched,
+        classifierVersion: exports.MEMORY_REQUIREMENT_CLASSIFIER_VERSION,
+        markerSetVersion: exports.MEMORY_REQUIREMENT_MARKER_SET_VERSION,
+        exclusionSetVersion: exports.MEMORY_REQUIREMENT_EXCLUSION_SET_VERSION,
+    };
+}

package/dist/lib/rules/notes-observe.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.observeNotesRule = observeNotesRule;
+const notes_rule_1 = require("./notes-rule");
+const observe_adapter_1 = require("./observe-adapter");
+const notes_path_1 = require("./notes-path");
+const NO_DECISION = {};
+/**
+ * Observe a single PreToolUse call against the notes-location pilot. Selects the
+ * pilot directive from the scan cache, normalizes it into an ObservedRuleSpec,
+ * derives the runtime forbidden-root scope, and hands the call to the observe-only
+ * adapter. Always returns an empty (decision-free) response; the verdict travels on
+ * the observation side channel.
+ */
+async function observeNotesRule(input) {
+    // No notes-location rule declared in this workspace: nothing to observe. This is
+    // genuinely NOT_APPLICABLE (absence of a rule), not an infrastructure fault.
+    const directive = (0, notes_rule_1.selectNotesLocationDirective)(input.directives);
+    if (!directive) {
+        return { response: NO_DECISION, observation: { kind: "NOT_APPLICABLE" } };
+    }
+    const built = (0, notes_rule_1.buildObservedNotesRuleSpec)(directive);
+    if (!built.ok) {
+        return { response: NO_DECISION, observation: { kind: "INFRA", diagnostic: built.diagnostic } };
+    }
+    const notesScope = {
+        canonicalProjectRoot: input.runtimeProjectRoot,
+        configuredRelativeForbiddenPath: built.spec.forbiddenRootRelativePath,
+    };
+    const config = {
+        applicability: built.spec.applicability,
+        notesScope,
+        classify: input.classify ?? notes_path_1.classifyTargetPath,
+        timeoutMs: input.timeoutMs,
+    };
+    // The adapter runs selection + compliance evaluation and always returns
+    // `response: {}`. We pass its result straight through.
+    return (0, observe_adapter_1.observePreToolUse)(input.rawStdin, config);
+}

package/dist/lib/rules/notes-path.js

@@ -0,0 +1,261 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isUnderRoot = isUnderRoot;
+exports.classifyTargetPath = classifyTargetPath;
+exports.classifyRuntimeTarget = classifyRuntimeTarget;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const evaluation_input_hash_1 = require("./evaluation-input-hash");
+const moduleCaseCache = new Map();
+/** A tail component must be a single, safe, lexical name (no FS lookup). */
+function isValidTailComponent(component) {
+    return (component.length > 0 &&
+        component !== "." &&
+        component !== ".." &&
+        !component.includes("/") &&
+        !component.includes(path.sep) &&
+        !component.includes("\0"));
+}
+/**
+ * Canonicalize an absolute path. Walks up to the nearest existing ancestor,
+ * realpaths it (following symlinks), validates each not-yet-existing tail
+ * component lexically, and re-appends the tail. Returns null when the path
+ * cannot be canonicalized (permission errors, ambiguous `..` past a missing
+ * directory, etc.).
+ */
+async function canonicalize(absPath) {
+    const tail = [];
+    let cur = absPath;
+    for (;;) {
+        let resolved;
+        try {
+            resolved = await fs.promises.realpath(cur);
+        }
+        catch (err) {
+            const code = err.code;
+            if (code !== "ENOENT") {
+                // EACCES, ELOOP, ENOTDIR, invalid argument (NUL), etc.: cannot prove.
+                return null;
+            }
+            const base = path.basename(cur);
+            const parent = path.dirname(cur);
+            if (parent === cur) {
+                // Reached the filesystem root without finding an existing ancestor.
+                return null;
+            }
+            if (!isValidTailComponent(base)) {
+                return null;
+            }
+            tail.push(base);
+            cur = parent;
+            continue;
+        }
+        const canonical = tail.length > 0 ? path.join(resolved, ...tail.reverse()) : resolved;
+        let existingDir;
+        try {
+            const st = await fs.promises.stat(resolved);
+            existingDir = st.isDirectory() ? resolved : path.dirname(resolved);
+        }
+        catch {
+            return null;
+        }
+        return { canonical, existingDir };
+    }
+}
+/**
+ * Read-only per-device case-sensitivity probe: flip the case of the deepest
+ * existing directory's name and stat the sibling. Same inode -> case-insensitive;
+ * ENOENT -> case-sensitive; anything else (or no alphabetic character to flip)
+ * -> undeterminable.
+ */
+function defaultCaseProbe(existingDir) {
+    let real;
+    try {
+        real = fs.realpathSync(existingDir);
+    }
+    catch {
+        return null;
+    }
+    const base = path.basename(real);
+    const parent = path.dirname(real);
+    const flipped = flipCase(base);
+    if (flipped === base) {
+        // No alphabetic character to flip; cannot probe non-destructively.
+        return null;
+    }
+    let origStat;
+    try {
+        origStat = fs.statSync(real);
+    }
+    catch {
+        return null;
+    }
+    try {
+        const flipStat = fs.statSync(path.join(parent, flipped));
+        return flipStat.ino === origStat.ino && flipStat.dev === origStat.dev;
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return false;
+        }
+        return null;
+    }
+}
+function flipCase(name) {
+    let out = "";
+    for (const ch of name) {
+        const lower = ch.toLowerCase();
+        const upper = ch.toUpperCase();
+        if (lower !== upper) {
+            out += ch === lower ? upper : lower;
+        }
+        else {
+            out += ch;
+        }
+    }
+    return out;
+}
+/**
+ * Pure prefix comparison under a case policy. A path is "under" the root when it
+ * equals the root or is a descendant (boundary-correct: "/a/notes-archive" is
+ * NOT under "/a/notes").
+ */
+function isUnderRoot(target, root, caseInsensitive) {
+    const t = caseInsensitive ? target.toLowerCase() : target;
+    const r = caseInsensitive ? root.toLowerCase() : root;
+    if (t === r) {
+        return true;
+    }
+    return t.startsWith(r.endsWith(path.sep) ? r : r + path.sep);
+}
+async function classifyTargetPath(rawFilePath, scope, opts = {}) {
+    if (typeof rawFilePath !== "string" || rawFilePath.length === 0) {
+        return "INDETERMINATE";
+    }
+    if (rawFilePath.includes("\0")) {
+        return "INDETERMINATE";
+    }
+    const absTarget = path.isAbsolute(rawFilePath)
+        ? rawFilePath
+        : scope.canonicalProjectRoot + path.sep + rawFilePath;
+    const forbiddenRaw = path.isAbsolute(scope.configuredRelativeForbiddenPath)
+        ? scope.configuredRelativeForbiddenPath
+        : path.join(scope.canonicalProjectRoot, scope.configuredRelativeForbiddenPath);
+    const target = await canonicalize(absTarget);
+    if (!target) {
+        return "INDETERMINATE";
+    }
+    const forbidden = await canonicalize(forbiddenRaw);
+    if (!forbidden) {
+        return "INDETERMINATE";
+    }
+    const caseInsensitive = resolveCasePolicy(forbidden.existingDir, opts);
+    if (caseInsensitive === null) {
+        return "INDETERMINATE";
+    }
+    return isUnderRoot(target.canonical, forbidden.canonical, caseInsensitive)
+        ? "UNDER_FORBIDDEN_ROOT"
+        : "OUTSIDE_FORBIDDEN_ROOT";
+}
+/**
+ * Classify a target path into the evaluation-input-v1 `target` union (the
+ * pathCanonicalizerVersion="notes-path-v1" canonicalizer feeding the persisted
+ * snapshot). This is the runtime-SCOPE axis, distinct from the forbidden-root denylist
+ * of classifyTargetPath: it answers "where does this action write, relative to the
+ * runtime project root?", never leaking an absolute home path.
+ *
+ *   RUNTIME_RELATIVE { path }  the target canonicalizes under the runtime root; `path`
+ *                              is the posix, machine-independent relative path.
+ *   OUTSIDE_RUNTIME_SCOPE      the target canonicalizes outside the runtime root; no
+ *                              path is carried (privacy).
+ *   UNKNOWN / CANONICALIZATION_FAILED  canonicalization or the case policy cannot prove
+ *                              the answer (mirrors classifyTargetPath's INDETERMINATE).
+ *
+ * The stored target plus forbiddenRootRelativePath are sufficient for a later replay to
+ * recompute the verdict from the snapshot alone, with no second filesystem probe.
+ */
+async function classifyRuntimeTarget(rawFilePath, runtimeProjectRoot, opts = {}) {
+    const unknown = { kind: "UNKNOWN", reasonCode: evaluation_input_hash_1.CANONICALIZATION_FAILED };
+    if (typeof rawFilePath !== "string" || rawFilePath.length === 0) {
+        return unknown;
+    }
+    if (rawFilePath.includes("\0")) {
+        return unknown;
+    }
+    const absTarget = path.isAbsolute(rawFilePath)
+        ? rawFilePath
+        : runtimeProjectRoot + path.sep + rawFilePath;
+    const target = await canonicalize(absTarget);
+    if (!target) {
+        return unknown;
+    }
+    const root = await canonicalize(runtimeProjectRoot);
+    if (!root) {
+        return unknown;
+    }
+    const caseInsensitive = resolveCasePolicy(root.existingDir, opts);
+    if (caseInsensitive === null) {
+        return unknown;
+    }
+    if (!isUnderRoot(target.canonical, root.canonical, caseInsensitive)) {
+        return { kind: "OUTSIDE_RUNTIME_SCOPE" };
+    }
+    const relative = path.relative(root.canonical, target.canonical);
+    return { kind: "RUNTIME_RELATIVE", path: relative.split(path.sep).join("/") };
+}
+function resolveCasePolicy(existingDir, opts) {
+    const probe = opts.caseProbe ?? defaultCaseProbe;
+    // The process-wide cache is only consulted/written for the default probe. An
+    // injected probe is an explicit per-call override: it must neither be shadowed
+    // by a cached value nor poison the cache for other callers. A caller that wants
+    // a custom probe to be cached can pass its own caseCache.
+    const cache = opts.caseCache ?? (opts.caseProbe ? undefined : moduleCaseCache);
+    let dev;
+    try {
+        dev = fs.statSync(existingDir).dev;
+    }
+    catch {
+        dev = undefined;
+    }
+    if (cache && dev !== undefined && cache.has(dev)) {
+        return cache.get(dev);
+    }
+    const result = probe(existingDir);
+    if (cache && result !== null && dev !== undefined) {
+        cache.set(dev, result);
+    }
+    return result;
+}