@meetless/mla 0.1.4

package/dist/lib/rules/stop-response-snapshot.js

@@ -0,0 +1,174 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.selectParentAssistantText = selectParentAssistantText;
+exports.readStopResponseSnapshot = readStopResponseSnapshot;
+const fs_1 = require("fs");
+const canonical_json_1 = require("./canonical-json");
+// CE0 §2.3 Stage B, the best-effort response snapshot
+// (notes/20260617-evidence-consultation-forcing-function-proposal.md §2.3, lines 1119-1160).
+//
+// Stage B is layered ON TOP of the Stage A deadline claim, never inside it: a transcript read must
+// never delay Stop, fail Stop, or roll back the deadline. This module holds the PURE selector
+// (PARENT_ASSISTANT_TEXT_V1, with no filesystem surface) and the bounded backward reader that feeds
+// it real transcript records. The reader is best-effort: every failure mode resolves to a stable
+// labelability reason, never a throw.
+const MAX_WINDOW_BYTES = 2 * 1024 * 1024; // 2 MiB (§2.3)
+const MAX_RECORDS = 256; // at most 256 records from the tail (§2.3)
+const NEWLINE = 0x0a; // JSONL is newline-delimited; 0x0a never appears inside a UTF-8 continuation byte
+/**
+ * The §2.3 PARENT_ASSISTANT_TEXT_V1 selector, as a pure function over already-parsed transcript
+ * records given in file order (oldest first). It returns the canonical answer of the latest top-level
+ * parent assistant record, or null when the scanned window holds no such record
+ * (NO_PARENT_ASSISTANT_RECORD).
+ *
+ * A "top-level parent assistant record" is one whose `type` is "assistant" and which is NOT a
+ * sidechain / subagent record (`isSidechain === true`). User, system, progress, and tool-result
+ * records are excluded by that same `type` filter. The canonical answer is the selected record's text
+ * blocks (`block.type === "text"`) joined with a single literal newline, preserving each block's text
+ * exactly; a record with no text blocks yields the empty answer "" rather than skipping to an earlier
+ * record. The latest such record wins, so the scan runs from the newest record backward and stops at
+ * the first match.
+ */
+function selectParentAssistantText(records) {
+    const idx = findLatestParentAssistantIndex(records);
+    return idx < 0 ? null : joinTextBlocks(records[idx]);
+}
+/** The latest (highest-index) top-level parent assistant record, or -1 when there is none. The byte
+ * reader and the pure text selector share this one selection predicate. */
+function findLatestParentAssistantIndex(records) {
+    for (let i = records.length - 1; i >= 0; i--) {
+        if (isTopLevelParentAssistant(records[i]))
+            return i;
+    }
+    return -1;
+}
+function isTopLevelParentAssistant(rec) {
+    if (typeof rec !== "object" || rec === null)
+        return false;
+    const r = rec;
+    return r.type === "assistant" && r.isSidechain !== true;
+}
+/** Extract `message.content[]` text blocks in order and join them with a single literal newline.
+ * A missing / malformed message, a non-array content, or an absence of text blocks all yield "". */
+function joinTextBlocks(rec) {
+    const message = rec.message;
+    if (typeof message !== "object" || message === null)
+        return "";
+    const content = message.content;
+    if (!Array.isArray(content))
+        return "";
+    const texts = [];
+    for (const block of content) {
+        if (typeof block === "object" && block !== null) {
+            const b = block;
+            if (b.type === "text" && typeof b.text === "string") {
+                texts.push(b.text);
+            }
+        }
+    }
+    return texts.join("\n");
+}
+/**
+ * Read the §2.3 Stage B response snapshot from the tail of a Claude transcript. Reads at most 2 MiB
+ * and at most 256 records backward from the end, selects the latest top-level parent assistant record,
+ * and returns its `responseHash = sha256Hex(canonicalAnswer)` plus a byte-exact `ResponseSourceRefV1`
+ * pointer the offline exporter can rehydrate deterministically. Any unreadable / absent transcript or
+ * empty selection window resolves to a stable reason; this function NEVER throws.
+ */
+function readStopResponseSnapshot(transcriptPath) {
+    if (!transcriptPath)
+        return { ok: false, reason: "TRANSCRIPT_MISSING" };
+    let isFile;
+    try {
+        isFile = (0, fs_1.statSync)(transcriptPath).isFile();
+    }
+    catch (err) {
+        return { ok: false, reason: isMissingError(err) ? "TRANSCRIPT_MISSING" : "TRANSCRIPT_UNREADABLE" };
+    }
+    // A path that exists but is not a regular file (e.g. a directory) is not MISSING; it simply cannot
+    // be read as a transcript.
+    if (!isFile)
+        return { ok: false, reason: "TRANSCRIPT_UNREADABLE" };
+    let coords;
+    try {
+        coords = readTailRecords(transcriptPath);
+    }
+    catch {
+        return { ok: false, reason: "TRANSCRIPT_UNREADABLE" };
+    }
+    const idx = findLatestParentAssistantIndex(coords.map((c) => c.record));
+    if (idx < 0)
+        return { ok: false, reason: "NO_PARENT_ASSISTANT_RECORD" };
+    const chosen = coords[idx];
+    const canonicalAnswer = joinTextBlocks(chosen.record);
+    const responseHash = (0, canonical_json_1.sha256Hex)(canonicalAnswer);
+    const responseSourceRef = {
+        kind: "CLAUDE_TRANSCRIPT_JSONL",
+        version: 1,
+        transcriptPath,
+        recordByteOffset: chosen.byteOffset,
+        recordByteLength: chosen.byteLength,
+        // The line's exact bytes; the line is valid UTF-8 (it parsed), so hashing the decoded string
+        // re-encodes to the identical bytes the exporter will read at recordByteOffset.
+        recordSha256: (0, canonical_json_1.sha256Hex)(chosen.bytes),
+        selector: "PARENT_ASSISTANT_TEXT_V1",
+    };
+    return { ok: true, responseHash, responseSourceRef };
+}
+function isMissingError(err) {
+    return (typeof err === "object" &&
+        err !== null &&
+        err.code === "ENOENT");
+}
+/**
+ * Read the tail window (at most 2 MiB) and parse it into records with exact byte coordinates, keeping
+ * at most the last 256. When the window starts mid-file it almost certainly starts mid-record, so the
+ * partial first line is dropped to keep every recorded byte span complete. Unparseable lines in the
+ * live window are skipped (the selected record, a top-level assistant, parses by construction).
+ */
+function readTailRecords(transcriptPath) {
+    const fd = (0, fs_1.openSync)(transcriptPath, "r");
+    let windowStart;
+    let buf;
+    let read;
+    try {
+        const size = (0, fs_1.fstatSync)(fd).size;
+        const windowSize = Math.min(size, MAX_WINDOW_BYTES);
+        windowStart = size - windowSize;
+        buf = Buffer.allocUnsafe(windowSize);
+        read = 0;
+        while (read < windowSize) {
+            const n = (0, fs_1.readSync)(fd, buf, read, windowSize - read, windowStart + read);
+            if (n === 0)
+                break;
+            read += n;
+        }
+    }
+    finally {
+        (0, fs_1.closeSync)(fd);
+    }
+    let cursor = 0;
+    if (windowStart > 0) {
+        const firstNl = buf.indexOf(NEWLINE, 0);
+        cursor = firstNl === -1 ? read : firstNl + 1;
+    }
+    const coords = [];
+    while (cursor < read) {
+        const nl = buf.indexOf(NEWLINE, cursor);
+        const lineEnd = nl === -1 ? read : nl; // exclusive; excludes the trailing newline
+        if (lineEnd > cursor) {
+            const bytes = buf.subarray(cursor, lineEnd).toString("utf8");
+            try {
+                const record = JSON.parse(bytes);
+                coords.push({ record, byteOffset: windowStart + cursor, byteLength: lineEnd - cursor, bytes });
+            }
+            catch {
+                // not valid JSONL at this offset: skip it, it cannot be the selected assistant record
+            }
+        }
+        if (nl === -1)
+            break;
+        cursor = nl + 1;
+    }
+    return coords.length > MAX_RECORDS ? coords.slice(coords.length - MAX_RECORDS) : coords;
+}

package/dist/lib/rules/types.js

@@ -0,0 +1,10 @@
+"use strict";
+// Schema-independent R0 core for "rules as node and action interception"
+// (notes/20260615-rules-as-node-and-action-interception-consolidated-proposal.md).
+//
+// This module declares ONLY the in-memory shapes the pure logic operates on. It
+// deliberately contains no persistence, no SQLite rows, no deny behavior, and no
+// rollout state: those are the documented seam left for a later slice. Everything
+// here is the value-level contract the parser, selector, evaluator, and the
+// observe-only adapter agree on.
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/lib/rules/ulid.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encodeTime = encodeTime;
+exports.encodeRandom = encodeRandom;
+exports.ulid = ulid;
+const crypto_1 = require("crypto");
+/**
+ * A locally-minted ULID, the primary key for R0 interception records.
+ *
+ * PreToolUse hooks receive no tool_use_id, so the interception path mints its own
+ * attempt_id and evaluation_id. A ULID gives a 26-char Crockford base32 identifier: a
+ * 48-bit millisecond timestamp encoded as the leading 10 chars (so keys sort
+ * lexicographically by mint time, matching created_at order) followed by 80 bits of
+ * randomness (16 chars) so the attempt row and its observed-arm evaluation row, minted in
+ * the same transaction within one millisecond, never collide.
+ *
+ * `now` and the random source are parameters so the durable-observation slice and its
+ * tests stay deterministic; production callers pass nothing and get Date.now() + a CSPRNG.
+ */
+// Crockford base32: digits 0-9 then A-Z excluding I, L, O, U (32 symbols).
+const CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+// 256 is an exact multiple of 32, so a single random byte modulo 32 is unbiased.
+const defaultRand = () => (0, crypto_1.randomBytes)(1)[0] % 32;
+/** Encode a non-negative millisecond timestamp as `len` Crockford base32 chars (big-endian). */
+function encodeTime(ms, len = 10) {
+    let value = ms;
+    let out = "";
+    for (let i = 0; i < len; i++) {
+        const mod = value % 32;
+        out = CROCKFORD[mod] + out;
+        value = (value - mod) / 32;
+    }
+    return out;
+}
+/** Encode `len` Crockford base32 chars drawn from a 0..31 integer source. */
+function encodeRandom(len = 16, rand = defaultRand) {
+    let out = "";
+    for (let i = 0; i < len; i++) {
+        out += CROCKFORD[rand() % 32];
+    }
+    return out;
+}
+/** Mint a 26-char ULID: a 10-char time prefix followed by 16 chars of randomness. */
+function ulid(now = Date.now(), rand = defaultRand) {
+    return encodeTime(now, 10) + encodeRandom(16, rand);
+}

package/dist/lib/rules/version-evaluation.js

@@ -0,0 +1,156 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.versionBackedVerdict = versionBackedVerdict;
+exports.recordVersionEvaluation = recordVersionEvaluation;
+exports.evaluateAndRecordNotesVersion = evaluateAndRecordNotesVersion;
+const evaluation_input_hash_1 = require("./evaluation-input-hash");
+const interception_store_1 = require("./interception-store");
+const local_rule_version_repo_1 = require("./local-rule-version-repo");
+const durable_observation_1 = require("./durable-observation");
+const notes_path_1 = require("./notes-path");
+const observe_adapter_1 = require("./observe-adapter");
+const evaluator_1 = require("./evaluator");
+const attest_notes_location_1 = require("./attest-notes-location");
+const ulid_1 = require("./ulid");
+/**
+ * The verdict computed FROM the attested payload. First it checks that the version's declared
+ * compliance triple is the one this MLA build can reproduce; on any mismatch it refuses with UNKNOWN
+ * / EVALUATOR_UNSUPPORTED WITHOUT reading the path (it cannot honor semantics it does not implement).
+ * On a match it delegates to the same snapshot-pure rule R0 uses, over the payload's forbidden root,
+ * so a supported-triple version evaluates byte-for-byte like the observed rule it was attested from.
+ */
+function versionBackedVerdict(payload, target) {
+    const c = payload.compliance;
+    const supported = c.evaluatorContractVersion === durable_observation_1.EVALUATOR_CONTRACT_VERSION &&
+        c.matcherSchemaVersion === durable_observation_1.MATCHER_SCHEMA_VERSION &&
+        c.pathCanonicalizerVersion === durable_observation_1.PATH_CANONICALIZER_VERSION;
+    if (!supported) {
+        return { result: "UNKNOWN", verdictReasonCode: "EVALUATOR_UNSUPPORTED" };
+    }
+    return (0, durable_observation_1.verdictFromEvaluationInput)(target, c.config.forbiddenRootRelativePath);
+}
+/**
+ * Persist one version-backed evaluation as the two-record pair, atomically. Mints two distinct ULIDs
+ * (one attempt, one evaluation), parses the version's immutable payload for its forbidden root,
+ * computes the version-backed verdict, builds the canonical evaluation-input-v1 snapshot + hash, and
+ * writes a tool_attempt (NO_DECISION / NOT_APPLICABLE deny status) plus one VERSION-arm
+ * rule_evaluation_record inside a single BEGIN IMMEDIATE transaction so an interception is never
+ * half-recorded.
+ *
+ * The evaluation-input-v1 snapshot carries the RUNNING evaluator's supported triple, exactly like
+ * R0: those fields denote the evaluator that ran, and the version's own declared triple is recoverable
+ * from the version payload behind the recorded canonicalPayloadHash. Consequently R0's snapshot-only
+ * replay reproduces the stored verdict for any supported-triple version (the entire pilot); for a
+ * foreign-triple version the verdict is UNKNOWN / EVALUATOR_UNSUPPORTED and its authoritative replay
+ * basis is the referenced version row, not the snapshot alone.
+ */
+function recordVersionEvaluation(store, subject, ctx) {
+    const payload = JSON.parse(subject.version.rulePayload);
+    const attemptId = (0, ulid_1.ulid)(ctx.now, ctx.rand);
+    const evaluationId = (0, ulid_1.ulid)(ctx.now, ctx.rand);
+    const evaluationInput = {
+        toolName: subject.toolName,
+        target: subject.target,
+        forbiddenRootRelativePath: payload.compliance.config.forbiddenRootRelativePath,
+        evaluatorContractVersion: durable_observation_1.EVALUATOR_CONTRACT_VERSION,
+        matcherSchemaVersion: durable_observation_1.MATCHER_SCHEMA_VERSION,
+        pathCanonicalizerVersion: durable_observation_1.PATH_CANONICALIZER_VERSION,
+    };
+    const verdict = versionBackedVerdict(payload, subject.target);
+    const attempt = {
+        attemptId,
+        runtimeScopeId: ctx.runtimeScopeId,
+        sessionId: ctx.sessionId,
+        toolName: subject.toolName,
+        evaluationInputSnapshot: (0, evaluation_input_hash_1.serializeEvaluationInput)(evaluationInput),
+        evaluationInputHash: (0, evaluation_input_hash_1.evaluationInputHash)(evaluationInput),
+        aggregateDecision: "NO_DECISION",
+        denyEmissionStatus: "NOT_APPLICABLE",
+        inputAuthorityConfigHash: null,
+        createdAt: ctx.createdAt,
+    };
+    const evaluation = {
+        evaluationId,
+        attemptId,
+        runtimeScopeId: ctx.runtimeScopeId,
+        result: verdict.result,
+        eligibleEnforcement: "OBSERVE",
+        effectiveEnforcement: "OBSERVE",
+        verdictReasonCode: verdict.verdictReasonCode,
+        gateReasonCode: null,
+        evaluatorContractVersion: durable_observation_1.EVALUATOR_CONTRACT_VERSION,
+        ruleVersionId: subject.version.versionId,
+        canonicalPayloadHash: subject.version.canonicalPayloadHash,
+        createdAt: ctx.createdAt,
+    };
+    store.db
+        .transaction(() => {
+        (0, interception_store_1.insertToolAttempt)(store, attempt);
+        (0, local_rule_version_repo_1.insertVersionEvaluationRecord)(store, evaluation);
+    })
+        .immediate();
+    return {
+        attemptId,
+        evaluationId,
+        result: verdict.result,
+        verdictReasonCode: verdict.verdictReasonCode,
+        ruleVersionId: subject.version.versionId,
+        canonicalPayloadHash: subject.version.canonicalPayloadHash,
+    };
+}
+const NO_DECISION = {};
+/**
+ * The version-backed PreToolUse seam for the notes-location pilot. Parses the hook payload, resolves
+ * the LIVE attested version for the scope, runs the pure selector against the version's applicability,
+ * classifies the target, and on an applicable call persists the version-arm evaluation. Always returns
+ * the empty, decision-free hook response; the durable outcome travels on the side channel.
+ *
+ * Skip semantics (persist nothing): a malformed payload or a missing session id is INFRA (we refuse
+ * to fabricate the NOT NULL session_id); no LIVE version for the scope is NO_LIVE_VERSION (nothing has
+ * been attested, so there is no version to evaluate against); a non-Write/Edit tool or a glob non-match
+ * is NOT_APPLICABLE. Resolution order puts the infrastructure faults first, then the absent version,
+ * then applicability, so an unattested-but-applicable call reports NO_LIVE_VERSION (not NOT_APPLICABLE).
+ */
+async function evaluateAndRecordNotesVersion(store, input) {
+    const parsed = (0, observe_adapter_1.parsePreToolUseInput)(input.rawStdin);
+    if (!parsed) {
+        return { response: NO_DECISION, outcome: { kind: "INFRA", diagnostic: "malformed hook input" } };
+    }
+    if (parsed.session_id === undefined) {
+        return { response: NO_DECISION, outcome: { kind: "INFRA", diagnostic: "missing session_id" } };
+    }
+    const version = (0, local_rule_version_repo_1.getLiveLocalRuleVersion)(store, input.runtimeScopeId, attest_notes_location_1.NOTES_LOCATION_RULE_ID);
+    if (!version) {
+        return { response: NO_DECISION, outcome: { kind: "NO_LIVE_VERSION" } };
+    }
+    const payload = JSON.parse(version.rulePayload);
+    const call = { toolName: parsed.tool_name, toolInput: parsed.tool_input };
+    if ((0, evaluator_1.selectRule)(call, payload.applicability) === "NOT_APPLICABLE" || payload.applicability.mode !== "action") {
+        return { response: NO_DECISION, outcome: { kind: "NOT_APPLICABLE" } };
+    }
+    // The selector proved the tool is in the version's {Write, Edit} list and the matcher field holds a
+    // *.md string, so this narrowing is sound.
+    const toolName = parsed.tool_name;
+    const rawFilePath = parsed.tool_input[payload.applicability.matcher.field];
+    const classify = input.classifyRuntime ?? notes_path_1.classifyRuntimeTarget;
+    const target = await classify(rawFilePath, input.runtimeProjectRoot);
+    const persisted = recordVersionEvaluation(store, { toolName, target, version }, {
+        runtimeScopeId: input.runtimeScopeId,
+        sessionId: parsed.session_id,
+        createdAt: input.createdAt,
+        now: input.now,
+        rand: input.rand,
+    });
+    return {
+        response: NO_DECISION,
+        outcome: {
+            kind: "RECORDED",
+            attemptId: persisted.attemptId,
+            evaluationId: persisted.evaluationId,
+            result: persisted.result,
+            verdictReasonCode: persisted.verdictReasonCode,
+            ruleVersionId: persisted.ruleVersionId,
+            canonicalPayloadHash: persisted.canonicalPayloadHash,
+        },
+    };
+}

package/dist/lib/scanner/agent-memory.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.agentMemoryDir = agentMemoryDir;
+exports.readAgentMemoryFiles = readAgentMemoryFiles;
+exports.parseAgentMemoryDirectives = parseAgentMemoryDirectives;
+exports.discoverAgentMemoryDirectives = discoverAgentMemoryDirectives;
+// src/lib/scanner/agent-memory.ts
+//
+// Claude Code stores per-project agent memory at
+// `~/.claude/projects/<cwd-with-slashes-and-dots-as-dashes>/memory/`. Past sessions
+// distill the rules the user taught them into `feedback_*.md` topic files there. That
+// directory is NOT git-tracked, so `scanWorkspace`'s `git ls-files` enumeration
+// structurally misses it. This module discovers those files so the cold-start scan can
+// surface "the other things we need to support" beyond the committed instruction files.
+//
+// Hard trust gate: everything minted here is `machine_inferred` (untracked, per-machine,
+// agent-distilled). Per the cold-start proposal (§54, §225, §305) untracked content is
+// "not attested" and can NEVER earn must-follow; it rides advisory until a human attests.
+// `render.ts` already enforces this (must-follow requires `human_attested`), and
+// `scanWorkspace` keeps these out of the auto-injected `confirmedRulesXml` pack entirely.
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const types_1 = require("./types");
+const frontmatter_1 = require("./frontmatter");
+// A description that SHOUTS a normative modal is a MUST; everything else is a SHOULD.
+// Mirrors parse-directives.ts MUST_TOKENS so strength is consistent across sources.
+const MUST_TOKENS = /\b(MUST|NEVER|ALWAYS|REQUIRED|DO NOT|DON'?T|FORBIDDEN|NON-NEGOTIABLE)\b/;
+// Resolve the agent-memory dir for a workspace cwd. Replicates Claude Code's projects-dir
+// encoding (slashes AND dots become dashes). `home` is injectable for tests.
+function agentMemoryDir(cwd, home = (0, node_os_1.homedir)()) {
+    const encoded = cwd.replace(/[/.]/g, "-");
+    return (0, node_path_1.join)(home, ".claude", "projects", encoded, "memory");
+}
+// Read the `feedback_*.md` topic files (the "rules the user gave" bucket) from an
+// agent-memory dir, sorted for a stable/diffable worklist. Fails open to []: a missing
+// dir (fresh machine, no prior agent memory) is the common case and must never abort the
+// scan. The MEMORY.md index and project_/reference_ topic files are intentionally skipped
+// here: the index is one-line pointers, and only feedback memories are coordination rules.
+function readAgentMemoryFiles(dir) {
+    let names;
+    try {
+        names = (0, node_fs_1.readdirSync)(dir);
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const name of names) {
+        if (!name.startsWith("feedback_") || !name.endsWith(".md"))
+            continue;
+        try {
+            out.push({ name, text: (0, node_fs_1.readFileSync)((0, node_path_1.join)(dir, name), "utf8") });
+        }
+        catch {
+            // An unreadable single file must not abort discovery of the rest.
+        }
+    }
+    return out.sort((a, b) => a.name.localeCompare(b.name));
+}
+// One advisory directive per feedback memory: its frontmatter `description` is the
+// distilled one-line rule, which is exactly the grain a review worklist wants (§316,
+// "one-line reason per file"). Files without a description are skipped; identical
+// descriptions collapse to one.
+function parseAgentMemoryDirectives(files) {
+    const out = [];
+    const seen = new Set();
+    for (const f of files) {
+        const { data } = (0, frontmatter_1.parseFrontmatter)(f.text);
+        const desc = (data.description ?? "").trim();
+        if (!desc)
+            continue;
+        const text = desc.replace(/\s+/g, " ");
+        if (seen.has(text))
+            continue;
+        seen.add(text);
+        const source = `agent-memory:${f.name}`;
+        out.push({
+            id: (0, types_1.directiveId)(source, text),
+            text,
+            source,
+            kind: "RULE",
+            strength: MUST_TOKENS.test(text) ? "MUST_FOLLOW" : "SHOULD_FOLLOW",
+            attestation: "machine_inferred",
+        });
+    }
+    return out;
+}
+// The default cap is a pathological-directory guard (e.g. a symlink loop or an unrelated
+// tool dumping thousands of files under ~/.claude/projects), NOT a curation limit. A real
+// feedback corpus is tens to low-hundreds of files (the dogfood repo has ~55) and must
+// surface in full; bounding scan-time I/O only matters at the absurd end. Scan runs on
+// `mla activate`, not the per-Write hot path, so reading a few hundred small files is cheap.
+const DEFAULT_AGENT_MEMORY_CAP = 500;
+// Discover + parse the agent-memory rules for a workspace cwd. The advisory worklist is
+// surfaced for review, never bulk-injected. Fully fail-open via readAgentMemoryFiles.
+function discoverAgentMemoryDirectives(cwd, home = (0, node_os_1.homedir)(), cap = DEFAULT_AGENT_MEMORY_CAP) {
+    return parseAgentMemoryDirectives(readAgentMemoryFiles(agentMemoryDir(cwd, home))).slice(0, cap);
+}

package/dist/lib/scanner/bootstrap-summary.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderActivationCard = renderActivationCard;
+exports.renderBootstrapSummary = renderBootstrapSummary;
+// GAP1 Slice 1: the activation "what we found" surface.
+//
+// `mla activate` already runs the deterministic Tier-1 scan, extracts directives,
+// builds provisional context, and injects the high-confidence rules into the hot
+// path (the M-slices + scanner + injector cover steps 2-5 of the design's
+// `mla activate --bootstrap fast`, notes/20260611-onboarding-mla.md:1917). What was
+// missing is step 6: the "Active agent instructions" review bundle that lets the
+// human SEE what was found and what Meetless will do with it. That is the first-
+// session magic moment; until now the card showed only raw file counts.
+//
+// Everything here is pure rendering over the existing ScanResult. It introduces NO
+// new store: it reads the same three lists the scan already produces, split on the
+// two-axis model:
+//   - directives         : human-authored / high-confidence, injected NOW.
+//   - advisoryDirectives : machine_inferred, awaiting review, NEVER auto-injected.
+//   - staleSignals       : need a keep/drop verdict.
+const MAX_DIRECTIVES_SHOWN = 5;
+function pluralize(count, noun) {
+    return `${count} ${noun}${count === 1 ? "" : "s"}`;
+}
+// The inventory headline. Kept identical to the long-standing card so its callers
+// and golden assertions are unchanged; renderBootstrapSummary leads with it.
+function renderActivationCard(inv) {
+    return [
+        `Found: ${pluralize(inv.instructionFiles, "agent-instruction file")} · ` +
+            `${pluralize(inv.decisionDocs, "decision/spec doc")} · ` +
+            `${pluralize(inv.legacyNotes, "legacy note")} · ` +
+            `${pluralize(inv.staleSignals, "likely-stale signal")}.`,
+        "For your first run, Meetless will use high-confidence project instructions and mark everything else provisional.",
+    ].join("\n");
+}
+// MUST_FOLLOW before SHOULD_FOLLOW; otherwise stable (the scan's own order). A
+// stable sort keeps equal-strength directives in discovery order.
+function byStrength(a, b) {
+    const rank = (d) => (d.strength === "MUST_FOLLOW" ? 0 : 1);
+    return rank(a) - rank(b);
+}
+function directiveBullet(d) {
+    return `  • ${d.text}  (${d.source})`;
+}
+/**
+ * Render the full "Active agent instructions" bundle for `mla activate`. Leads with
+ * the inventory headline, then (only when non-empty):
+ *   - the high-confidence directives guiding the session now (capped, with an "and N
+ *     more" tail), MUST_FOLLOW first;
+ *   - the count of machine_inferred advisory candidates awaiting review, with the
+ *     `mla context advisory` pointer and an explicit "not injected" note;
+ *   - the count of likely-stale signals needing a verdict, with `mla context list`.
+ * An empty graph degrades to a calm "nothing high-confidence yet" line; it never
+ * prints an empty section header or a stray bullet.
+ */
+function renderBootstrapSummary(scan) {
+    const lines = [renderActivationCard(scan.inventory)];
+    const directives = [...scan.directives].sort(byStrength);
+    if (directives.length > 0) {
+        lines.push("");
+        lines.push("Guiding this session now (high-confidence, injected):");
+        const shown = directives.slice(0, MAX_DIRECTIVES_SHOWN);
+        for (const d of shown) {
+            lines.push(directiveBullet(d));
+        }
+        const remaining = directives.length - shown.length;
+        if (remaining > 0) {
+            lines.push(`  …and ${pluralize(remaining, "more rule")}.`);
+        }
+    }
+    else {
+        lines.push("");
+        lines.push("No high-confidence agent instructions found yet; this first run stays provisional.");
+    }
+    if (scan.advisoryDirectives.length > 0) {
+        lines.push("");
+        lines.push(`Awaiting your review: ${pluralize(scan.advisoryDirectives.length, "advisory rule")} ` +
+            "from agent memory (machine_inferred, NOT injected).");
+        lines.push("  See them with `mla context advisory`.");
+    }
+    if (scan.staleSignals.length > 0) {
+        lines.push("");
+        lines.push(`Possibly stale: ${pluralize(scan.staleSignals.length, "signal")} that may no longer apply.`);
+        lines.push("  Review and keep/drop with `mla context list`.");
+    }
+    return lines.join("\n");
+}

package/dist/lib/scanner/cache.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanCachePath = scanCachePath;
+exports.verdictsPath = verdictsPath;
+exports.writeScanCache = writeScanCache;
+exports.readScanCache = readScanCache;
+exports.readVerdicts = readVerdicts;
+exports.writeVerdicts = writeVerdicts;
+exports.applyVerdicts = applyVerdicts;
+const node_fs_1 = require("node:fs");
+const node_os_1 = require("node:os");
+const node_path_1 = require("node:path");
+const render_1 = require("./render");
+function wsDir(home, workspaceId) {
+    return (0, node_path_1.join)(home, ".meetless", "workspaces", workspaceId);
+}
+function scanCachePath(workspaceId, home = (0, node_os_1.homedir)()) {
+    return (0, node_path_1.join)(wsDir(home, workspaceId), "scan-cache.json");
+}
+function verdictsPath(workspaceId, home = (0, node_os_1.homedir)()) {
+    return (0, node_path_1.join)(wsDir(home, workspaceId), "scanner-verdicts.json");
+}
+function writeJson(path, value) {
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(path), { recursive: true });
+    (0, node_fs_1.writeFileSync)(path, JSON.stringify(value, null, 2), "utf8");
+}
+function readJson(path) {
+    try {
+        return JSON.parse((0, node_fs_1.readFileSync)(path, "utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+function writeScanCache(home, workspaceId, result) {
+    writeJson(scanCachePath(workspaceId, home), result);
+}
+function readScanCache(home, workspaceId) {
+    return readJson(scanCachePath(workspaceId, home));
+}
+const EMPTY_VERDICTS = { schemaVersion: 1, accepted: [], dismissed: [] };
+function readVerdicts(home, workspaceId) {
+    return readJson(verdictsPath(workspaceId, home)) ?? { ...EMPTY_VERDICTS };
+}
+function writeVerdicts(home, workspaceId, v) {
+    writeJson(verdictsPath(workspaceId, home), v);
+}
+// Dismissed signals are removed; the stale block + inventory are re-derived so the
+// cache the hot path reads always reflects the latest verdicts.
+function applyVerdicts(result, verdicts) {
+    const dismissed = new Set(verdicts.dismissed);
+    const staleSignals = result.staleSignals.filter((s) => !dismissed.has(s.id));
+    return {
+        ...result,
+        staleSignals,
+        staleContextXml: (0, render_1.renderStaleContextXml)(staleSignals),
+        inventory: { ...result.inventory, staleSignals: staleSignals.length },
+    };
+}