@meetless/mla 0.1.5 → 0.1.6

package/dist/lib/agent-memory-capture/lock.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.acquireBindingLock = acquireBindingLock;
+// src/lib/agent-memory-capture/lock.ts
+//
+// Per-bindingId mutual exclusion (CONCURRENCY-1): overlapping Stops must not
+// double-process or corrupt the ledger, and a holder that dies must release
+// automatically.
+//
+// The proposal asks for an OS advisory flock "so it self-releases on death (not
+// a PID file)." Node ships no portable flock(2) (and macOS, the dogfood
+// platform, has no `flock` binary either), so this implements the SAME
+// invariant a different way: an exclusive-create lockfile whose holder is
+// liveness-checked. A stale lockfile from a dead PID is immediately stealable
+// (`process.kill(pid, 0)` throws ESRCH), which gives the "self-releases on
+// death" property the design requires. Acquisition is non-blocking: a live
+// holder means another collector is running, so we skip this pass and let the
+// next Stop rescan.
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const config_1 = require("../config");
+const paths_1 = require("./paths");
+function pidIsAlive(pid) {
+    if (!Number.isInteger(pid) || pid <= 0)
+        return false;
+    try {
+        // Signal 0 performs error checking without sending a signal: throws ESRCH
+        // when no such process exists, EPERM when it exists but we can't signal it
+        // (still alive). Either non-throw or EPERM means alive.
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (e) {
+        return e.code === "EPERM";
+    }
+}
+function readHolderPid(path) {
+    try {
+        const first = (0, node_fs_1.readFileSync)(path, "utf8").split("\n")[0]?.trim();
+        const pid = Number(first);
+        return Number.isInteger(pid) && pid > 0 ? pid : null;
+    }
+    catch {
+        return null;
+    }
+}
+function tryCreate(path, nowIso) {
+    let fd;
+    try {
+        fd = (0, node_fs_1.openSync)(path, "wx"); // exclusive create; EEXIST if held
+    }
+    catch (e) {
+        if (e.code === "EEXIST")
+            return null;
+        throw e;
+    }
+    try {
+        (0, node_fs_1.writeSync)(fd, `${process.pid}\n${nowIso}\n`);
+    }
+    finally {
+        (0, node_fs_1.closeSync)(fd);
+    }
+    let released = false;
+    return {
+        release() {
+            if (released)
+                return;
+            released = true;
+            try {
+                (0, node_fs_1.rmSync)(path);
+            }
+            catch {
+                // Already gone (stolen as stale, or never existed): nothing to do.
+            }
+        },
+    };
+}
+// Acquire the per-binding lock without blocking. Returns null when a LIVE holder
+// already owns it. A stale lockfile (dead holder) is stolen exactly once and the
+// acquisition retried.
+function acquireBindingLock(bindingId, nowIso, home = config_1.HOME) {
+    const path = (0, paths_1.lockPath)(bindingId, home);
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(path), { recursive: true });
+    const first = tryCreate(path, nowIso);
+    if (first)
+        return first;
+    // Held: only steal if the recorded holder is dead.
+    const holder = readHolderPid(path);
+    if (holder !== null && pidIsAlive(holder))
+        return null;
+    try {
+        (0, node_fs_1.rmSync)(path);
+    }
+    catch {
+        // Someone else just cleared/replaced it; fall through to one retry.
+    }
+    return tryCreate(path, nowIso);
+}

package/dist/lib/agent-memory-capture/paths.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bindingsPath = bindingsPath;
+exports.ledgerPath = ledgerPath;
+exports.lockPath = lockPath;
+exports.decisionLogPath = decisionLogPath;
+exports.liveLedgerPath = liveLedgerPath;
+exports.liveDecisionLogPath = liveDecisionLogPath;
+// src/lib/agent-memory-capture/paths.ts
+//
+// All capture-local state lives under the mla HOME (~/.meetless by default),
+// in its OWN files, deliberately NOT folded into cli-config.json. cli-config is
+// a carefully-guarded credential surface; capture bindings are non-credential
+// local state and get their own file, matching how SESSION_GATE_DIR / QUEUE_DIR
+// are kept separate from the config.
+const node_path_1 = require("node:path");
+const config_1 = require("../config");
+// The binding registry: { version, bindings: MemoryBinding[] }.
+function bindingsPath(home = config_1.HOME) {
+    return (0, node_path_1.join)(home, "agent-memory-bindings.json");
+}
+// Per-binding thin dry-run ledger: <home>/agent-memory/ledger/<bindingId>.json.
+function ledgerPath(bindingId, home = config_1.HOME) {
+    return (0, node_path_1.join)(home, "agent-memory", "ledger", `${bindingId}.json`);
+}
+// Per-binding advisory lockfile (PID-liveness; self-releases on process death).
+function lockPath(bindingId, home = config_1.HOME) {
+    return (0, node_path_1.join)(home, "agent-memory", "locks", `${bindingId}.lock`);
+}
+// Append-only, metadata-only decision log for the dry-run collector. One JSONL
+// per binding so volume analysis is per-source. NEVER contains raw content.
+function decisionLogPath(bindingId, home = config_1.HOME) {
+    return (0, node_path_1.join)(home, "agent-memory", "decisions", `${bindingId}.jsonl`);
+}
+// Per-binding LIVE ledger (Phase 2A+): <home>/agent-memory/live-ledger/<bindingId>.json.
+// Kept separate from the dry-run ledger so the two state shapes can never collide
+// on the same binding (§4) and a binding's live progress is never clobbered by an
+// earlier dry-run pass (or vice versa).
+function liveLedgerPath(bindingId, home = config_1.HOME) {
+    return (0, node_path_1.join)(home, "agent-memory", "live-ledger", `${bindingId}.json`);
+}
+// Append-only, metadata-only outcome log for the LIVE collector. NEVER contains
+// raw content; carries hashes, byte counts, matched credential rule ids, and the
+// server revision ids of acked uploads.
+function liveDecisionLogPath(bindingId, home = config_1.HOME) {
+    return (0, node_path_1.join)(home, "agent-memory", "live-decisions", `${bindingId}.jsonl`);
+}

package/dist/lib/agent-memory-capture/pipeline.js

@@ -0,0 +1,222 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sha256Hex = sha256Hex;
+exports.syntheticSourceId = syntheticSourceId;
+exports.isActionable = isActionable;
+exports.collectOnce = collectOnce;
+// src/lib/agent-memory-capture/pipeline.ts
+//
+// The exact-byte collection flow + the §4 lifecycle transition router. One
+// immutable byte buffer per file: the bytes hashed, parsed, and scanned are
+// provably the bytes that WOULD be uploaded, closing the TOCTOU where an editor
+// rewrites the file between a path scan and a re-read. A scan failure must never
+// mutate lifecycle (no upload, no retire) — that invariant lives in the routing
+// table below.
+//
+// Phase 1 is DRY-RUN: this computes a decision per file and updates the thin
+// ledger, but uploads nothing. The synthetic source id and content hash are
+// computed so the dry-run records what a live upload WOULD address.
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const config_1 = require("../config");
+const redactor_1 = require("../redactor");
+const classify_1 = require("./classify");
+const containment_1 = require("./containment");
+const ledger_1 = require("./ledger");
+function sha256Hex(buf) {
+    return (0, node_crypto_1.createHash)("sha256").update(buf).digest("hex");
+}
+function syntheticSourceId(bindingId, relativePath) {
+    return `_external/agent-auto-memory/${bindingId}/${relativePath}`;
+}
+// Only these decisions represent an event worth persisting to the JSONL.
+// `unchanged` and `skipped` are no-ops emitted every scan; persisting them would
+// grow the log without bound (a Phase 1 exit criterion).
+function isActionable(decision) {
+    return decision !== "unchanged" && decision !== "skipped";
+}
+// Run one dry-run collection pass for a single binding. Pure with respect to the
+// network (uploads nothing); reads the real directory and mutates the local
+// ledger. Returns every file's decision (the writer persists only the
+// actionable ones).
+function collectOnce(binding, deps) {
+    const home = deps.home ?? config_1.HOME;
+    const scan = deps.scan ?? redactor_1.scanForSecrets;
+    const scannerVersion = deps.scannerVersion ?? redactor_1.SECRET_SCANNER_VERSION;
+    // Local phases (0A/1) observe; only the future pre-upload path blocks.
+    const scannerMode = deps.scannerMode ?? "observe";
+    const now = deps.nowIso;
+    const ledger = (0, ledger_1.readLedger)(binding.bindingId, home);
+    const { files, complete } = (0, containment_1.enumerateEligibleFiles)(binding.memoryDir);
+    const records = [];
+    const present = new Set();
+    let mutated = false;
+    const base = (relativePath, bytes) => ({
+        sourceId: syntheticSourceId(binding.bindingId, relativePath),
+        relativePath,
+        bytes,
+        secretRuleIds: [],
+        observedAt: now,
+    });
+    for (const f of files) {
+        present.add(f.relativePath);
+        // Oversized: known from stat; never read, never upload, never retire.
+        if (f.bytes > containment_1.MAX_FILE_BYTES) {
+            records.push({ ...base(f.relativePath, f.bytes), hash: null, decision: "failed", reason: "oversized" });
+            continue;
+        }
+        let buf;
+        try {
+            buf = (0, node_fs_1.readFileSync)(f.realPath);
+        }
+        catch {
+            records.push({ ...base(f.relativePath, f.bytes), hash: null, decision: "failed", reason: "unreadable" });
+            continue;
+        }
+        // Guard the race where the file grew between stat and read.
+        if (buf.length > containment_1.MAX_FILE_BYTES) {
+            records.push({ ...base(f.relativePath, buf.length), hash: null, decision: "failed", reason: "oversized" });
+            continue;
+        }
+        const hash = sha256Hex(buf);
+        const text = buf.toString("utf8");
+        const cls = (0, classify_1.classifyMemory)(text);
+        const prior = ledger.entries[f.relativePath];
+        if (cls.malformed) {
+            records.push({ ...base(f.relativePath, buf.length), hash, decision: "failed", reason: "malformed_frontmatter" });
+            continue;
+        }
+        if (cls.type !== "project") {
+            // Was it previously a tracked project file? Ledger presence is the signal
+            // (we only ever create entries for project files).
+            if (prior) {
+                delete ledger.entries[f.relativePath];
+                mutated = true;
+                records.push({
+                    ...base(f.relativePath, buf.length),
+                    hash,
+                    decision: "reclassified",
+                    reason: `reclassified project -> ${cls.type ?? "none"}`,
+                });
+            }
+            else {
+                records.push({
+                    ...base(f.relativePath, buf.length),
+                    hash,
+                    decision: "skipped",
+                    reason: cls.type ? `type ${cls.type}` : "no project type",
+                });
+            }
+            continue;
+        }
+        // type === project: secret-scan the EXACT bytes. Posture decides what a hit
+        // means (§6). "off" skips scanning. "observe" (the local default) records
+        // matched rule ids as telemetry but never blocks: nothing is uploaded, so a
+        // scanner outage is not a safety event either. "block" (future pre-upload)
+        // is fail-closed: an outage fails the file, a hit becomes a `blocked`
+        // decision and pins the scanner version.
+        let secretRuleIds = [];
+        if (scannerMode !== "off") {
+            try {
+                secretRuleIds = scan(text);
+            }
+            catch {
+                if (scannerMode === "block") {
+                    records.push({
+                        ...base(f.relativePath, buf.length),
+                        hash,
+                        decision: "failed",
+                        reason: "scanner_unavailable",
+                    });
+                    continue;
+                }
+                secretRuleIds = [];
+            }
+        }
+        if (scannerMode === "block" && secretRuleIds.length > 0) {
+            const alreadyBlocked = prior?.lastDecision === "blocked" &&
+                prior.lastObservedHash === hash &&
+                prior.blockedScannerVersion === scannerVersion;
+            if (alreadyBlocked) {
+                records.push({
+                    ...base(f.relativePath, buf.length),
+                    hash,
+                    decision: "unchanged",
+                    reason: "blocked (unchanged, same scanner)",
+                    secretRuleIds,
+                });
+            }
+            else {
+                ledger.entries[f.relativePath] = {
+                    lastObservedHash: hash,
+                    lastDecision: "blocked",
+                    blockedScannerVersion: scannerVersion,
+                    lastObservedAt: now,
+                };
+                mutated = true;
+                records.push({
+                    ...base(f.relativePath, buf.length),
+                    hash,
+                    decision: "blocked",
+                    reason: "secret pattern matched",
+                    secretRuleIds,
+                });
+            }
+            continue;
+        }
+        // project + clean (or observe/off, where secretRuleIds rides along as a
+        // telemetry-only signal on the content-state decision).
+        if (prior && prior.lastObservedHash === hash && prior.lastDecision !== "blocked") {
+            records.push({
+                ...base(f.relativePath, buf.length),
+                hash,
+                decision: "unchanged",
+                reason: "content identical",
+                secretRuleIds,
+            });
+            continue;
+        }
+        ledger.entries[f.relativePath] = {
+            lastObservedHash: hash,
+            lastDecision: "eligible",
+            lastObservedAt: now,
+        };
+        mutated = true;
+        records.push({
+            ...base(f.relativePath, buf.length),
+            hash,
+            decision: "eligible",
+            reason: prior ? "changed" : "new",
+            secretRuleIds,
+        });
+    }
+    // Deletions: only reconcile when the scan completed; a partial scan must never
+    // mistake an un-enumerated file for a deletion.
+    if (complete) {
+        for (const rel of Object.keys(ledger.entries)) {
+            if (present.has(rel))
+                continue;
+            delete ledger.entries[rel];
+            mutated = true;
+            records.push({
+                sourceId: syntheticSourceId(binding.bindingId, rel),
+                relativePath: rel,
+                bytes: 0,
+                hash: null,
+                decision: "deleted",
+                reason: "absent after complete scan",
+                secretRuleIds: [],
+                observedAt: now,
+            });
+        }
+    }
+    if (mutated)
+        (0, ledger_1.writeLedger)(binding.bindingId, ledger, home);
+    return {
+        bindingId: binding.bindingId,
+        memoryDir: binding.memoryDir,
+        workspaceId: binding.workspaceId,
+        scanComplete: complete,
+        records,
+    };
+}

package/dist/lib/agent-memory-capture/report.js

@@ -0,0 +1,131 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeCorpus = analyzeCorpus;
+// src/lib/agent-memory-capture/report.ts
+//
+// Phase 0A static corpus value gate (§6): read-only statistics over a memory
+// directory, sends nothing. It measures the STATIC properties the doc allows to
+// be computed automatically (counts by type, size distribution) and explicitly
+// leaves the judgement gates (net-new reviewable %, overlap with session
+// capture, mixed-content rate) to a manual stratified review, which it reminds
+// the operator to run. Dynamic volume is NOT measured here (the memory dir has
+// no reliable revision history); that lives in the Phase 1 dry-run collector.
+//
+// Secret scanning here is OBSERVE-ONLY (An's verdict 2026-06-27): a hit is a
+// reported signal, never a value gate and never a block. The local phases upload
+// nothing, so there is nothing to protect; pre-upload credential blocking is a
+// Phase 2B concern. The named-fixture check is kept only as a Phase 2B
+// readiness probe (does the scanner still catch the known live credential?).
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const redactor_1 = require("../redactor");
+const classify_1 = require("./classify");
+// Tokens that the future Phase 2B pre-upload credential denylist MUST catch
+// (the credential-denylist readiness probe). The space-delimited Redis
+// `requirepass` directive is the canonical hard fixture: it is the live secret
+// known to sit in the real corpus and it slips past the uppercase
+// env_assignment + 32-char entropy patterns, so the scanner needs its directive
+// pattern to catch it. If a file carries one of these tokens but the scanner
+// does NOT match it, the probe fails loudly so the gap is visible before any
+// remote capture is ever enabled.
+const FIXTURE_TOKENS = ["requirepass", "masterauth", "masteruser"];
+function percentile(sortedAsc, p) {
+    if (sortedAsc.length === 0)
+        return 0;
+    const idx = Math.min(sortedAsc.length - 1, Math.floor((p / 100) * sortedAsc.length));
+    return sortedAsc[idx];
+}
+function analyzeCorpus(memoryDir) {
+    let names;
+    try {
+        names = (0, node_fs_1.readdirSync)(memoryDir);
+    }
+    catch {
+        return {
+            memoryDir,
+            exists: false,
+            totalMdFiles: 0,
+            byType: {},
+            projectFiles: 0,
+            malformedFiles: 0,
+            sizeBytes: { min: 0, median: 0, p90: 0, max: 0 },
+            secretSignalFiles: [],
+            credentialProbeMisses: [],
+            credentialProbePass: true,
+            manualGates: [],
+            files: [],
+        };
+    }
+    const files = [];
+    const byType = {};
+    const sizes = [];
+    for (const name of names) {
+        if (!name.toLowerCase().endsWith(".md"))
+            continue;
+        const abs = (0, node_path_1.join)(memoryDir, name);
+        let bytes;
+        let text;
+        try {
+            const st = (0, node_fs_1.statSync)(abs);
+            if (!st.isFile())
+                continue;
+            bytes = st.size;
+            text = (0, node_fs_1.readFileSync)(abs, "utf8");
+        }
+        catch {
+            continue;
+        }
+        const cls = (0, classify_1.classifyMemory)(text);
+        const typeKey = cls.malformed ? "malformed" : (cls.type ?? "none");
+        byType[typeKey] = (byType[typeKey] ?? 0) + 1;
+        sizes.push(bytes);
+        // Scan only what MVP would actually capture (project files); still record
+        // fixture tokens everywhere so a misclassified secret file is visible.
+        const blockRuleIds = cls.type === "project" ? (0, redactor_1.scanForSecrets)(text) : [];
+        const lower = text.toLowerCase();
+        const hasFixtureToken = FIXTURE_TOKENS.some((t) => lower.includes(t));
+        files.push({ file: name, type: cls.type, malformed: cls.malformed, bytes, blockRuleIds, hasFixtureToken });
+    }
+    files.sort((a, b) => a.file.localeCompare(b.file));
+    sizes.sort((a, b) => a - b);
+    const secretSignalFiles = files
+        .filter((f) => f.type === "project" && f.blockRuleIds.length > 0)
+        .map((f) => ({ file: f.file, ruleIds: f.blockRuleIds }));
+    // Credential-denylist readiness probe: any file carrying a known fixture token
+    // must be matched by the scanner. (Scan even non-project files for the
+    // cross-check so a mistyped secret file is still caught here.)
+    const credentialProbeMisses = files
+        .filter((f) => f.hasFixtureToken && (0, redactor_1.scanForSecrets)(safeRead(memoryDir, f.file)).length === 0)
+        .map((f) => f.file);
+    return {
+        memoryDir,
+        exists: true,
+        totalMdFiles: files.length,
+        byType,
+        projectFiles: byType["project"] ?? 0,
+        malformedFiles: byType["malformed"] ?? 0,
+        sizeBytes: {
+            min: sizes[0] ?? 0,
+            median: percentile(sizes, 50),
+            p90: percentile(sizes, 90),
+            max: sizes[sizes.length - 1] ?? 0,
+        },
+        secretSignalFiles,
+        credentialProbeMisses,
+        credentialProbePass: credentialProbeMisses.length === 0,
+        manualGates: [
+            "Gate 1 (>= 15% of sampled project files carry a net-new reviewable durable item): MANUAL stratified review of 50-75 files.",
+            "Gate 2 (existing session capture does not already cover the large majority of valuable findings): MANUAL cross-reference against session-derived KB.",
+            "Mixed-content rate (durable claim + transient log in one file): MANUAL design finding, not a numeric gate.",
+        ],
+        files,
+    };
+}
+function safeRead(dir, name) {
+    try {
+        return (0, node_fs_1.readFileSync)((0, node_path_1.join)(dir, name), "utf8");
+    }
+    catch {
+        return "";
+    }
+}

package/dist/lib/agent-memory-capture/types.js

@@ -0,0 +1,14 @@
+"use strict";
+// src/lib/agent-memory-capture/types.ts
+//
+// Shared types for the agent-memory capture pipeline
+// (notes/20260626-agent-memory-auto-capture-proposal.md). This subsystem routes
+// the coding agent's own private auto-memory writes
+// (`~/.claude/projects/<encoded-cwd>/memory/*.md`) into the governed KB, walled
+// off from grounding any session until a human accepts a derived claim.
+//
+// Phase 1 here is DRY-RUN ONLY: it observes, classifies, secret-scans, and
+// records a metadata-only decision per file. It never uploads. Live ingestion
+// (Phase 2A+) is blocked upstream by the missing cross-revision claim-grain
+// idempotency (DERIVED-IDEMPOTENCY-1, §5.2) and is intentionally not built here.
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/lib/agent-memory-capture/upsert-client.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CAPTURE_METHOD = void 0;
+exports.createIntelUpsertClient = createIntelUpsertClient;
+const http_1 = require("../http");
+// The capture method the route uses to branch provenance + non-publication.
+exports.CAPTURE_METHOD = "agent_auto_memory";
+// Default LDM profile; agent-memory bodies are markdown like notes. Kept here so
+// the route input is explicit rather than relying on a server default.
+const DEFAULT_PROFILE = "markdown_atomic_v1";
+function mapOutcome(outcome) {
+    if (outcome === "ingested")
+        return "created";
+    if (outcome === "noop_unchanged")
+        return "unchanged";
+    return "failed";
+}
+// The real client. Closes over a CliConfig-compatible config (controlToken +
+// intelUrl + auth) and reuses intelPost, so it inherits the intel auth fail-fast,
+// trace/session headers, and timeout handling already proven on `mla kb add`.
+function createIntelUpsertClient(cfg, post = http_1.intelPost) {
+    return {
+        async upsert(input) {
+            const body = {
+                workspaceId: input.workspaceId,
+                actor: input.actor,
+                captureMethod: exports.CAPTURE_METHOD,
+                bindingId: input.bindingId,
+                consentedAt: input.consentedAt,
+                provenance: exports.CAPTURE_METHOD, // advisory; the server derives the recorded value
+                profile: DEFAULT_PROFILE,
+                mode: "file",
+                documents: [
+                    {
+                        relPath: input.relPath,
+                        content: input.content,
+                        // Sent so the server can verify it received the exact bytes and echo
+                        // its own sha256 back for the COMMIT-1 hash check.
+                        contentSha256: input.contentHash,
+                    },
+                ],
+            };
+            let res;
+            try {
+                res = await post(cfg, "/internal/v1/kb/add", body);
+            }
+            catch (e) {
+                return {
+                    ok: false,
+                    outcome: "failed",
+                    serverContentHash: null,
+                    revisionId: null,
+                    logicalSourceId: null,
+                    reason: `upload_failed: ${e.message}`,
+                };
+            }
+            const receipt = res.receipts?.[0];
+            if (!receipt) {
+                return {
+                    ok: false,
+                    outcome: "failed",
+                    serverContentHash: null,
+                    revisionId: null,
+                    logicalSourceId: null,
+                    reason: "no_receipt",
+                };
+            }
+            return {
+                ok: true,
+                outcome: mapOutcome(receipt.outcome),
+                serverContentHash: receipt.contentSha256 ?? null,
+                revisionId: receipt.revisionId ?? null,
+                logicalSourceId: receipt.documentId ?? null,
+                reason: receipt.reason ?? receipt.outcome ?? "",
+            };
+        },
+        async withdraw(input) {
+            const body = {
+                workspaceId: input.workspaceId,
+                actor: input.actor,
+                captureMethod: exports.CAPTURE_METHOD,
+                relPath: input.relPath,
+                reason: input.reason,
+            };
+            try {
+                const res = await post(cfg, "/internal/v1/kb/withdraw", body);
+                return {
+                    ok: true,
+                    withdrawn: res.withdrawn === true,
+                    retiredPendingDerived: res.retiredPendingDerived ?? null,
+                    reason: res.reason ?? "",
+                };
+            }
+            catch (e) {
+                return {
+                    ok: false,
+                    withdrawn: false,
+                    retiredPendingDerived: null,
+                    reason: `withdraw_failed: ${e.message}`,
+                };
+            }
+        },
+    };
+}