@oscharko-dev/keiko-server 0.2.8 → 0.2.9

package/dist/gitRoutes.js

@@ -0,0 +1,543 @@
+import { spawn } from "node:child_process";
+import { Buffer } from "node:buffer";
+import { realpath } from "node:fs/promises";
+import { isAbsolute, relative, resolve } from "node:path";
+import { GIT_REPOSITORY_SCHEMA_VERSION, isRootRelativeFileIdentifier, } from "@oscharko-dev/keiko-contracts";
+import { errorBody } from "./routes.js";
+import { FilesError, resolveRoot, runFilesHandler } from "./files.js";
+const DEFAULT_STATUS_MAX_BYTES = 512 * 1024;
+const DEFAULT_DIFF_MAX_BYTES = 128 * 1024;
+const DEFAULT_MAX_CHANGES = 500;
+const DEFAULT_TIMEOUT_MS = 5_000;
+function devNullPath() {
+    return process.platform === "win32" ? "NUL" : "/dev/null";
+}
+// Local-read env: fully config-isolated. HOME/XDG/global+system config are neutralized so a read
+// can never load a user `~/.gitconfig`, a credential helper, or an SSH identity. Correct for the
+// local status/diff/branches/summary/history/remotes reads, which never authenticate to a remote.
+export function gitEnv() {
+    const env = {
+        PATH: process.env.PATH ?? "",
+        GIT_TERMINAL_PROMPT: "0",
+        GIT_PAGER: "cat",
+        PAGER: "cat",
+        GIT_CONFIG_NOSYSTEM: "1",
+        GIT_CONFIG_GLOBAL: devNullPath(),
+        GIT_OPTIONAL_LOCKS: "0",
+    };
+    if (process.platform === "win32") {
+        env.SystemRoot = process.env.SystemRoot ?? "";
+        env.WINDIR = process.env.WINDIR ?? "";
+    }
+    else {
+        env.HOME = "/nonexistent";
+        env.XDG_CONFIG_HOME = "/nonexistent";
+    }
+    return env;
+}
+// Network-sync env: a fetch/pull MUST be able to authenticate to a private/SSH remote, so it
+// inherits the real environment (the user's global `~/.gitconfig` credential.helper, the macOS
+// osxkeychain helper, and the real `~/.ssh` identities). It still never prompts — GIT_TERMINAL_PROMPT
+// is forced off and SSH runs in BatchMode — so it fails closed if no stored credential satisfies the
+// remote rather than hanging on an interactive prompt. Used ONLY for the actual fetch/pull command;
+// local reads keep the hardened, config-isolated `gitEnv` above.
+export function networkGitEnv() {
+    return {
+        ...process.env,
+        GIT_TERMINAL_PROMPT: "0", // never prompt — fail closed
+        GIT_PAGER: "cat",
+        PAGER: "cat",
+        GIT_OPTIONAL_LOCKS: "0",
+        // No SSH credential prompt and no implicit first-use trust. Unknown or changed host keys fail
+        // closed and are surfaced by the sync outcome classifier.
+        GIT_SSH_COMMAND: "ssh -oBatchMode=yes -oStrictHostKeyChecking=yes",
+    };
+}
+// Factory: the runner owns process lifecycle state, byte caps, timeout, and spawn-error mapping
+// together. `buildEnv` is the only seam — the local reads pass the hardened `gitEnv`, network sync
+// passes the credential-capable `networkGitEnv`; everything else is identical.
+// eslint-disable-next-line max-lines-per-function
+export function createGitProcessRunner(buildEnv) {
+    // eslint-disable-next-line max-lines-per-function
+    return (args, options) => 
+    // eslint-disable-next-line max-lines-per-function
+    new Promise((resolveResult) => {
+        const child = spawn("git", args, {
+            cwd: options.cwd,
+            env: buildEnv(),
+            shell: false,
+            windowsHide: true,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        const stdoutChunks = [];
+        const stderrChunks = [];
+        let stdoutBytes = 0;
+        let stderrBytes = 0;
+        let truncated = false;
+        let settled = false;
+        const timer = setTimeout(() => {
+            truncated = true;
+            child.kill("SIGTERM");
+        }, options.timeoutMs);
+        const capture = (chunks, currentBytes, chunk) => {
+            const remaining = options.maxBytes - currentBytes;
+            if (remaining <= 0) {
+                truncated = true;
+                child.kill("SIGTERM");
+                return currentBytes;
+            }
+            if (chunk.byteLength > remaining) {
+                chunks.push(chunk.subarray(0, remaining));
+                truncated = true;
+                child.kill("SIGTERM");
+                return options.maxBytes;
+            }
+            chunks.push(chunk);
+            return currentBytes + chunk.byteLength;
+        };
+        child.stdout.on("data", (chunk) => {
+            stdoutBytes = capture(stdoutChunks, stdoutBytes, chunk);
+        });
+        child.stderr.on("data", (chunk) => {
+            stderrBytes = capture(stderrChunks, stderrBytes, chunk);
+        });
+        child.on("error", () => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            resolveResult({
+                exitCode: 127,
+                signal: null,
+                stdout: "",
+                stderr: "git executable unavailable",
+                truncated,
+            });
+        });
+        child.on("close", (exitCode, signal) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            resolveResult({
+                exitCode,
+                signal,
+                stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+                stderr: Buffer.concat(stderrChunks).toString("utf8"),
+                truncated,
+            });
+        });
+    });
+}
+// Local reads use the hardened, config-isolated env; network sync needs the user's credential
+// configuration but must still never prompt (fail-closed) — see networkGitEnv.
+export const defaultGitProcessRunner = createGitProcessRunner(gitEnv);
+export const defaultGitNetworkProcessRunner = createGitProcessRunner(networkGitEnv);
+export function isContained(root, target) {
+    const rootCmp = process.platform === "win32" ? root.toLowerCase() : root;
+    const targetCmp = process.platform === "win32" ? target.toLowerCase() : target;
+    const rel = relative(rootCmp, targetCmp);
+    return rel === "" || (!rel.startsWith("..") && !isAbsolute(rel));
+}
+function toPosix(value) {
+    return value.replaceAll("\\", "/");
+}
+function genericUnavailable(root, reason, message) {
+    return {
+        schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+        root,
+        state: reason === "unsafe-repository" ? "unsafe" : "unavailable",
+        available: false,
+        reason,
+        message,
+        detached: false,
+        clean: true,
+        stagedCount: 0,
+        unstagedCount: 0,
+        untrackedCount: 0,
+        conflictedCount: 0,
+        changes: [],
+        truncated: false,
+        maxChanges: DEFAULT_MAX_CHANGES,
+    };
+}
+export function classifyFailure(result) {
+    const text = `${result.stdout}\n${result.stderr}`.toLowerCase();
+    if (result.exitCode === 127)
+        return "git-missing";
+    if (text.includes("dubious ownership") || text.includes("safe.directory")) {
+        return "unsafe-repository";
+    }
+    if (text.includes("not a git repository")) {
+        return "not-a-repository";
+    }
+    return "git-error";
+}
+// eslint-disable-next-line complexity
+export function optionsWithDefaults(options) {
+    return {
+        runner: options?.runner ?? defaultGitProcessRunner,
+        maxStatusBytes: options?.maxStatusBytes ?? DEFAULT_STATUS_MAX_BYTES,
+        maxDiffBytes: options?.maxDiffBytes ?? DEFAULT_DIFF_MAX_BYTES,
+        maxChanges: options?.maxChanges ?? DEFAULT_MAX_CHANGES,
+        timeoutMs: options?.timeoutMs ?? DEFAULT_TIMEOUT_MS,
+    };
+}
+export async function resolveRepository(ctx, deps, options) {
+    const selectedRoot = await resolveRoot(deps.store, ctx.url.searchParams.get("root"), deps.redactor);
+    const revParse = await options.runner([
+        "--no-pager",
+        "--no-optional-locks",
+        "-C",
+        selectedRoot.realRoot,
+        "rev-parse",
+        "--show-toplevel",
+    ], { cwd: selectedRoot.realRoot, maxBytes: 16 * 1024, timeoutMs: options.timeoutMs });
+    if (revParse.exitCode !== 0) {
+        const reason = classifyFailure(revParse);
+        return genericUnavailable(selectedRoot.root, reason, reason === "unsafe-repository"
+            ? "Git blocked this repository because its ownership is unsafe."
+            : "Git status is unavailable for this folder.");
+    }
+    const rawRepositoryRoot = resolve(revParse.stdout.split(/\r?\n/u)[0]?.trim() ?? "");
+    const repositoryRoot = await realpath(rawRepositoryRoot).catch(() => rawRepositoryRoot);
+    if (!isContained(repositoryRoot, selectedRoot.realRoot)) {
+        return genericUnavailable(selectedRoot.root, "repository-root-outside-root", "Git status is unavailable because the repository root is outside the selected folder.");
+    }
+    return {
+        root: selectedRoot.root,
+        realRoot: selectedRoot.realRoot,
+        repositoryRoot,
+        selectedRootPrefix: toPosix(relative(repositoryRoot, selectedRoot.realRoot)),
+    };
+}
+function parseBranch(header) {
+    if (header.includes("HEAD (no branch)") || header.includes("HEAD detached")) {
+        return { detached: true };
+    }
+    const trimmed = header.replace(/^##\s*/u, "");
+    const branch = trimmed
+        .split("...")[0]
+        ?.replace(/\s+\[.*$/u, "")
+        .trim();
+    if (branch === undefined || branch.length === 0 || branch.startsWith("No commits yet on ")) {
+        const unborn = branch?.replace(/^No commits yet on\s+/u, "");
+        return unborn === undefined || unborn.length === 0
+            ? { detached: false }
+            : { branch: unborn, detached: false };
+    }
+    return { branch, detached: false };
+}
+function stripSelectedPrefix(path, prefix) {
+    if (prefix.length === 0 || prefix === ".")
+        return path;
+    if (path === prefix)
+        return "";
+    const start = `${prefix}/`;
+    return path.startsWith(start) ? path.slice(start.length) : null;
+}
+function toStatusCode(value) {
+    if (value === undefined || value === "")
+        return " ";
+    return [" ", "M", "A", "D", "R", "C", "U", "?", "!"].includes(value)
+        ? value
+        : " ";
+}
+// Porcelain parsing is intentionally centralized so Git XY semantics stay audited in one place.
+// eslint-disable-next-line max-lines-per-function, complexity
+function parseStatus(stdout, root, repositoryRoot, selectedRootPrefix, maxChanges, processTruncated) {
+    const records = stdout.split("\0").filter((record) => record.length > 0);
+    let branch;
+    let detached = false;
+    const changes = [];
+    for (let index = 0; index < records.length; index += 1) {
+        const record = records[index] ?? "";
+        if (record.startsWith("## ")) {
+            const parsed = parseBranch(record);
+            branch = parsed.branch;
+            detached = parsed.detached;
+            continue;
+        }
+        if (record.length < 4)
+            continue;
+        const indexStatus = toStatusCode(record[0]);
+        const worktreeStatus = toStatusCode(record[1]);
+        const rawPath = record.slice(3);
+        const path = stripSelectedPrefix(rawPath, selectedRootPrefix);
+        if (path === null || path.length === 0)
+            continue;
+        const oldRawPath = indexStatus === "R" || indexStatus === "C" ? records[index + 1] : undefined;
+        if (oldRawPath !== undefined)
+            index += 1;
+        if (changes.length < maxChanges) {
+            const oldPath = oldRawPath === undefined
+                ? undefined
+                : (stripSelectedPrefix(oldRawPath, selectedRootPrefix) ?? undefined);
+            changes.push({
+                path,
+                oldPath,
+                indexStatus,
+                worktreeStatus,
+                staged: indexStatus !== " " && indexStatus !== "?",
+                unstaged: worktreeStatus !== " " && worktreeStatus !== "?",
+                untracked: indexStatus === "?" && worktreeStatus === "?",
+                conflicted: indexStatus === "U" ||
+                    worktreeStatus === "U" ||
+                    (indexStatus === "A" && worktreeStatus === "A") ||
+                    (indexStatus === "D" && worktreeStatus === "D"),
+            });
+        }
+    }
+    const stagedCount = changes.filter((change) => change.staged).length;
+    const unstagedCount = changes.filter((change) => change.unstaged).length;
+    const untrackedCount = changes.filter((change) => change.untracked).length;
+    const conflictedCount = changes.filter((change) => change.conflicted).length;
+    return {
+        schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+        root,
+        repositoryRoot,
+        state: "available",
+        available: true,
+        branch,
+        detached,
+        clean: changes.length === 0,
+        stagedCount,
+        unstagedCount,
+        untrackedCount,
+        conflictedCount,
+        changes,
+        truncated: processTruncated || records.length - 1 > maxChanges,
+        maxChanges,
+    };
+}
+function redacted(deps, value) {
+    return deps.redactor(value);
+}
+function unavailableBranchList(repo) {
+    return {
+        schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+        root: repo.root,
+        available: false,
+        state: repo.state === "error" ? "unavailable" : repo.state,
+        reason: repo.reason,
+        message: repo.message,
+        branches: [],
+        truncated: false,
+    };
+}
+function parseBranches(stdout) {
+    const fields = stdout.split("\0");
+    const branches = [];
+    for (let index = 0; index + 2 < fields.length; index += 3) {
+        const name = fields[index]?.trim() ?? "";
+        const headRefHash = fields[index + 1]?.trim() ?? "";
+        const headMarker = fields[index + 2]?.trim() ?? "";
+        if (name.length === 0 || headRefHash.length === 0)
+            continue;
+        branches.push({ name, headRefHash, current: headMarker === "*" });
+    }
+    return branches;
+}
+function branchListFailure(repo, result) {
+    const reason = classifyFailure(result);
+    return {
+        schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+        root: repo.root,
+        repositoryRoot: repo.repositoryRoot,
+        available: false,
+        state: reason === "unsafe-repository" ? "unsafe" : "unavailable",
+        reason,
+        message: "Git branches are unavailable for this folder.",
+        branches: [],
+        truncated: result.truncated,
+    };
+}
+export async function handleGitBranches(ctx, deps, rawOptions) {
+    return runFilesHandler(async () => {
+        const options = optionsWithDefaults(rawOptions ?? deps.gitRouteOptions);
+        const repo = await resolveRepository(ctx, deps, options);
+        if ("available" in repo) {
+            return { status: 200, body: redacted(deps, unavailableBranchList(repo)) };
+        }
+        const result = await options.runner([
+            "--no-pager",
+            "--no-optional-locks",
+            "-C",
+            repo.repositoryRoot,
+            "for-each-ref",
+            "--format=%(refname:short)%00%(objectname)%00%(HEAD)%00",
+            "refs/heads",
+        ], { cwd: repo.repositoryRoot, maxBytes: options.maxStatusBytes, timeoutMs: options.timeoutMs });
+        if (result.exitCode !== 0) {
+            return { status: 200, body: redacted(deps, branchListFailure(repo, result)) };
+        }
+        return {
+            status: 200,
+            body: redacted(deps, {
+                schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+                root: repo.root,
+                repositoryRoot: repo.repositoryRoot,
+                available: true,
+                state: "available",
+                branches: parseBranches(result.stdout),
+                truncated: result.truncated,
+            }),
+        };
+    });
+}
+function validatePath(path) {
+    const trimmed = path?.trim();
+    if (trimmed === undefined || trimmed.length === 0)
+        return undefined;
+    if (!isRootRelativeFileIdentifier(trimmed)) {
+        throw new FilesError(400, "BAD_PATH", "The path must be relative to the selected root.");
+    }
+    return trimmed;
+}
+function gitPath(prefix, path) {
+    const normalizedPrefix = prefix === "." ? "" : prefix;
+    if (path === undefined)
+        return normalizedPrefix.length > 0 ? normalizedPrefix : undefined;
+    return normalizedPrefix.length > 0 ? `${normalizedPrefix}/${path}` : path;
+}
+function literalGitPathspec(path) {
+    return `:(literal)${path}`;
+}
+function parseScope(input) {
+    if (input === null || input.length === 0)
+        return "all";
+    if (input === "all" || input === "worktree" || input === "staged")
+        return input;
+    throw new FilesError(400, "BAD_REQUEST", "The diff scope must be all, worktree, or staged.");
+}
+async function runDiff(repo, options, staged, path) {
+    const args = [
+        "--no-pager",
+        "--no-optional-locks",
+        "-C",
+        repo.repositoryRoot,
+        "diff",
+        "--no-ext-diff",
+        "--no-textconv",
+        "--no-color",
+    ];
+    if (staged)
+        args.push("--cached");
+    const relativePath = gitPath(repo.selectedRootPrefix, path);
+    if (relativePath !== undefined)
+        args.push("--", literalGitPathspec(relativePath));
+    return options.runner(args, {
+        cwd: repo.repositoryRoot,
+        maxBytes: options.maxDiffBytes,
+        timeoutMs: options.timeoutMs,
+    });
+}
+// eslint-disable-next-line max-lines-per-function
+export async function handleGitStatus(ctx, deps, rawOptions) {
+    return runFilesHandler(async () => {
+        const options = optionsWithDefaults(rawOptions ?? deps.gitRouteOptions);
+        const repo = await resolveRepository(ctx, deps, options);
+        if ("available" in repo) {
+            const body = { ...repo, maxChanges: options.maxChanges };
+            return { status: 200, body: redacted(deps, body) };
+        }
+        const status = await options.runner([
+            "--no-pager",
+            "--no-optional-locks",
+            "-C",
+            repo.repositoryRoot,
+            "status",
+            "--porcelain=v1",
+            "-z",
+            "--branch",
+            "--untracked-files=all",
+            "--",
+            ...(repo.selectedRootPrefix.length > 0 && repo.selectedRootPrefix !== "."
+                ? [literalGitPathspec(repo.selectedRootPrefix)]
+                : []),
+        ], { cwd: repo.repositoryRoot, maxBytes: options.maxStatusBytes, timeoutMs: options.timeoutMs });
+        if (status.exitCode !== 0) {
+            const reason = classifyFailure(status);
+            const body = genericUnavailable(repo.root, reason, reason === "unsafe-repository"
+                ? "Git blocked this repository because its ownership is unsafe."
+                : "Git status is unavailable for this folder.");
+            return { status: 200, body: redacted(deps, { ...body, maxChanges: options.maxChanges }) };
+        }
+        const body = parseStatus(status.stdout, repo.root, repo.repositoryRoot, repo.selectedRootPrefix, options.maxChanges, status.truncated);
+        return { status: 200, body: redacted(deps, body) };
+    });
+}
+// eslint-disable-next-line max-lines-per-function
+export async function handleGitDiff(ctx, deps, rawOptions) {
+    return runFilesHandler(
+    // eslint-disable-next-line max-lines-per-function
+    async () => {
+        const options = optionsWithDefaults(rawOptions ?? deps.gitRouteOptions);
+        const scope = parseScope(ctx.url.searchParams.get("scope"));
+        const path = validatePath(ctx.url.searchParams.get("path"));
+        const repo = await resolveRepository(ctx, deps, options);
+        if ("available" in repo) {
+            const body = {
+                schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+                root: repo.root,
+                state: repo.state,
+                available: false,
+                reason: repo.reason,
+                path,
+                scope,
+                diff: "",
+                truncated: false,
+                maxBytes: options.maxDiffBytes,
+            };
+            return { status: 200, body: redacted(deps, body) };
+        }
+        const runs = scope === "all"
+            ? [await runDiff(repo, options, true, path), await runDiff(repo, options, false, path)]
+            : [await runDiff(repo, options, scope === "staged", path)];
+        const failed = runs.find((result) => result.exitCode !== 0);
+        if (failed !== undefined) {
+            const reason = classifyFailure(failed);
+            if (reason === "unsafe-repository" || reason === "git-missing") {
+                const body = {
+                    schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+                    root: repo.root,
+                    repositoryRoot: repo.repositoryRoot,
+                    state: reason === "unsafe-repository" ? "unsafe" : "unavailable",
+                    available: false,
+                    reason,
+                    path,
+                    scope,
+                    diff: "",
+                    truncated: failed.truncated,
+                    maxBytes: options.maxDiffBytes,
+                };
+                return { status: 200, body: redacted(deps, body) };
+            }
+            return {
+                status: 500,
+                body: errorBody("GIT_DIFF_FAILED", "Git diff is unavailable for this folder."),
+            };
+        }
+        const rawDiff = runs
+            .map((result) => result.stdout)
+            .filter((entry) => entry.length > 0)
+            .join("\n");
+        const rawDiffBytes = Buffer.byteLength(rawDiff, "utf8");
+        const diff = rawDiffBytes > options.maxDiffBytes
+            ? Buffer.from(rawDiff, "utf8").subarray(0, options.maxDiffBytes).toString("utf8")
+            : rawDiff;
+        const body = {
+            schemaVersion: GIT_REPOSITORY_SCHEMA_VERSION,
+            root: repo.root,
+            repositoryRoot: repo.repositoryRoot,
+            state: "available",
+            available: true,
+            path,
+            scope,
+            diff,
+            truncated: runs.some((result) => result.truncated) || rawDiffBytes > options.maxDiffBytes,
+            maxBytes: options.maxDiffBytes,
+        };
+        return { status: 200, body: redacted(deps, body) };
+    });
+}

package/dist/governed-workflow.d.ts

@@ -1,3 +1,4 @@
+import type { SpokenActionAuditRecord } from "@oscharko-dev/keiko-contracts";
 import type { EvidenceGovernedWorkflowHandoff } from "@oscharko-dev/keiko-contracts/evidence";
 import type { ConnectedContextPack } from "@oscharko-dev/keiko-contracts/connected-context";
 import { type ProposedPatchEntry, type UserApprovalTokenInput, type WorkflowHandoffRequest } from "@oscharko-dev/keiko-contracts/workflow-handoff";
@@ -5,6 +6,7 @@ import type { PatchValidation, WorkspaceWriter } from "@oscharko-dev/keiko-tools
 export interface GovernedWorkflowHandoffContext {
     readonly request: WorkflowHandoffRequest;
     readonly sourceGroundedRunId?: string | undefined;
+    readonly voiceAction?: SpokenActionAuditRecord | undefined;
 }
 export declare function contextPackStableIdForPacks(packs: readonly ConnectedContextPack[]): string;
 export declare function readOnlyPathsForPacks(packs: readonly ConnectedContextPack[], editablePaths: readonly string[]): readonly string[];

package/dist/governed-workflow.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"governed-workflow.d.ts","sourceRoot":"","sources":["../src/governed-workflow.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,+BAA+B,EAAE,MAAM,wCAAwC,CAAC;AAC9F,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iDAAiD,CAAC;AAC5F,OAAO,EAGL,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC5B,MAAM,gDAAgD,CAAC;AACxD,OAAO,KAAK,EAAmB,eAAe,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAGnG,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,OAAO,EAAE,sBAAsB,CAAC;IACzC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CACnD;AAkDD,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,SAAS,oBAAoB,EAAE,GAAG,MAAM,CAS1F;AAED,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,SAAS,oBAAoB,EAAE,EACtC,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,SAAS,MAAM,EAAE,CAWnB;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,SAAS,oBAAoB,EAAE,GAAG,SAAS,MAAM,EAAE,CAUjG;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,sBAAsB,GAAG,sBAAsB,CAW7F;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,sBAAsB,GAAG,MAAM,CAEzE;AAED,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,8BAA8B,GACtC,+BAA+B,CAWjC;AAED,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,eAAe,EAC3B,aAAa,EAAE,MAAM,EACrB,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,eAAe,CA4BjB;AAED,wBAAgB,kCAAkC,CAChD,UAAU,EAAE,eAAe,GAC1B,SAAS,kBAAkB,EAAE,CAkB/B"}
+{"version":3,"file":"governed-workflow.d.ts","sourceRoot":"","sources":["../src/governed-workflow.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAC7E,OAAO,KAAK,EAAE,+BAA+B,EAAE,MAAM,wCAAwC,CAAC;AAC9F,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,iDAAiD,CAAC;AAC5F,OAAO,EAGL,KAAK,kBAAkB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC5B,MAAM,gDAAgD,CAAC;AACxD,OAAO,KAAK,EAAmB,eAAe,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAGnG,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,OAAO,EAAE,sBAAsB,CAAC;IACzC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAGlD,QAAQ,CAAC,WAAW,CAAC,EAAE,uBAAuB,GAAG,SAAS,CAAC;CAC5D;AAkDD,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,SAAS,oBAAoB,EAAE,GAAG,MAAM,CAS1F;AAED,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,SAAS,oBAAoB,EAAE,EACtC,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,SAAS,MAAM,EAAE,CAWnB;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,SAAS,oBAAoB,EAAE,GAAG,SAAS,MAAM,EAAE,CAUjG;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,sBAAsB,GAAG,sBAAsB,CAW7F;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,sBAAsB,GAAG,MAAM,CAEzE;AAED,wBAAgB,4BAA4B,CAC1C,OAAO,EAAE,8BAA8B,GACtC,+BAA+B,CAejC;AAED,wBAAgB,kBAAkB,CAChC,UAAU,EAAE,eAAe,EAC3B,aAAa,EAAE,MAAM,EACrB,aAAa,EAAE,SAAS,MAAM,EAAE,GAC/B,eAAe,CA4BjB;AAED,wBAAgB,kCAAkC,CAChD,UAAU,EAAE,eAAe,GAC1B,SAAS,kBAAkB,EAAE,CAkB/B"}

package/dist/governed-workflow.js

@@ -95,6 +95,10 @@ export function buildGovernedHandoffEvidence(handoff) {
         evidenceAtomCount: handoff.request.patchScope.evidenceAtomIds.length,
         expectedChecks: [...handoff.request.patchScope.expectedChecks],
         approvalTokenHash: sha256Hex(handoff.request.userApprovalToken),
+        // Additive-optional: the text path passes no `voiceAction`, so the field stays absent and the emitted
+        // evidence is byte-identical to the pre-#503 shape. A voice-originated handoff threads its content-free
+        // audit record here.
+        ...(handoff.voiceAction === undefined ? {} : { voiceAction: handoff.voiceAction }),
     };
 }
 export function createScopedWriter(baseWriter, workspaceRoot, editablePaths) {

package/dist/grounded-qa.d.ts

@@ -16,6 +16,11 @@ export declare function internalError(message: string): RouteResult;
 export declare function mappedGatewayError(error: unknown, deps: UiHandlerDeps): RouteResult | undefined;
 export declare function mappedWorkspaceError(error: unknown): RouteResult | undefined;
 export declare function isValidGroundedPack(pack: ConnectedContextPack): boolean;
+export interface AskInput {
+    readonly chatId: string;
+    readonly content: string;
+    readonly modelId: string | undefined;
+}
 export declare function deriveScopeIdFrom(chat: Chat, cs: ChatConnectedScope, index: number): string;
 export declare function buildSelectedScopeFrom(chat: Chat, cs: ChatConnectedScope, scopeId: string): SelectedScope;
 export declare function buildQuery(content: string, nowMs: () => number): RetrievalQuery;
@@ -45,5 +50,11 @@ export interface HybridSeam {
     readonly connectorRetrieve?: ConnectorRetrieve;
     readonly answer?: HybridAnswerer;
 }
+export declare function runGroundedAskInput(input: AskInput, deps: UiHandlerDeps, options?: {
+    readonly signal?: AbortSignal | undefined;
+    readonly runner?: GroundedRunner | undefined;
+    readonly multiSource?: MultiSourceSeam | undefined;
+    readonly hybrid?: HybridSeam | undefined;
+}): Promise<RouteResult>;
 export declare function handleGroundedAsk(ctx: RouteContext, deps: UiHandlerDeps, runner?: GroundedRunner, multiSource?: MultiSourceSeam, hybrid?: HybridSeam): Promise<RouteResult>;
 //# sourceMappingURL=grounded-qa.d.ts.map

package/dist/grounded-qa.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"grounded-qa.d.ts","sourceRoot":"","sources":["../src/grounded-qa.ts"],"names":[],"mappings":"AAUA,OAAO,EAOL,KAAK,WAAW,IAAI,kBAAkB,EAEvC,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EAEL,KAAK,6BAA6B,EACnC,MAAM,8BAA8B,CAAC;AAQtC,OAAO,EAGL,KAAK,oBAAoB,EAEzB,KAAK,cAAc,EACnB,KAAK,aAAa,EACnB,MAAM,iDAAiD,CAAC;AACzD,OAAO,EAIL,KAAK,wBAAwB,EAC7B,KAAK,mBAAmB,EACzB,MAAM,wCAAwC,CAAC;AAGhD,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE7D,OAAO,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAEzD,OAAO,KAAK,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAKL,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAAE,6BAA6B,EAAE,MAAM,mCAAmC,CAAC;AAGlF,OAAO,EAKL,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACzB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,cAAc,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAyC9D,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAEvD;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAEjE;AAaD,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAE1D;AAkBD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,GAAG,WAAW,GAAG,SAAS,CAE/F;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,SAAS,CAS5E;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAMvE;AA4ED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAK3F;AAKD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,kBAAkB,EACtB,OAAO,EAAE,MAAM,GACd,aAAa,CAef;AAyED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,MAAM,GAAG,cAAc,CAQ/E;AAwCD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI,CAI5D;AAgBD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE3D;AAID,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,SAAS,kBAAkB,EAAE,GAAG,MAAM,CAEhF;AAED,wBAAgB,yBAAyB,CAAC,mBAAmB,EAAE,MAAM,GAAG,MAAM,CAE7E;AAsBD,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,oBAAoB,EAC1B,eAAe,EAAE,MAAM,GACtB,oBAAoB,CAWtB;AAwCD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,oBAAoB,GAAG,MAAM,CAWpE;AAuBD,wBAAgB,aAAa,CAAC,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,GAAG,SAAS,MAAM,EAAE,CAgC/F;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,MAAM,EAAE,CAKnB;AAOD,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAgClC,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,kBAAkB,EAAE,CAE/B;AA0DD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAGtE;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,wBAAwB,EAAE,CAgBrC;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,mBAAmB,EAAE,CAUhC;AAOD,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,iBAAiB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAgCvF,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,aAAa,EACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,GACvB,SAAS,CAAC,WAAW,EAAE,WAAW,CAAC,CAmBrC;AASD,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,EAC3C,IAAI,EAAE,oBAAoB,GACzB,IAAI,CAAC,6BAA6B,EAAE,iBAAiB,CAAC,CAMxD;AAQD,wBAAgB,2BAA2B,CACzC,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,EAC3C,IAAI,EAAE,oBAAoB,GACzB,UAAU,CAAC,OAAO,6BAA6B,CAAC,GAAG,SAAS,CAM9D;AA+KD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,mBAAmB,CAAC;CACxC;AAmID,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,QAAQ,CAAC,MAAM,CAAC,EAAE,cAAc,CAAC;CAClC;AA8CD,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,aAAa,EACnB,MAAM,CAAC,EAAE,cAAc,EACvB,WAAW,CAAC,EAAE,eAAe,EAC7B,MAAM,CAAC,EAAE,UAAU,GAClB,OAAO,CAAC,WAAW,CAAC,CAsCtB"}
+{"version":3,"file":"grounded-qa.d.ts","sourceRoot":"","sources":["../src/grounded-qa.ts"],"names":[],"mappings":"AAUA,OAAO,EAOL,KAAK,WAAW,IAAI,kBAAkB,EAEvC,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EAEL,KAAK,6BAA6B,EACnC,MAAM,8BAA8B,CAAC;AAQtC,OAAO,EAGL,KAAK,oBAAoB,EAEzB,KAAK,cAAc,EACnB,KAAK,aAAa,EACnB,MAAM,iDAAiD,CAAC;AACzD,OAAO,EAIL,KAAK,wBAAwB,EAC7B,KAAK,mBAAmB,EACzB,MAAM,wCAAwC,CAAC;AAGhD,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE7D,OAAO,KAAK,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAEzD,OAAO,KAAK,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAKL,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACxB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAAE,6BAA6B,EAAE,MAAM,mCAAmC,CAAC;AAGlF,OAAO,EAKL,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACzB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,cAAc,EACpB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAyC9D,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAEvD;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAEjE;AAaD,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAE1D;AAkBD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,GAAG,WAAW,GAAG,SAAS,CAE/F;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,OAAO,GAAG,WAAW,GAAG,SAAS,CAS5E;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAMvE;AAED,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAAC;CACtC;AAsED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAK3F;AAKD,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,IAAI,EACV,EAAE,EAAE,kBAAkB,EACtB,OAAO,EAAE,MAAM,GACd,aAAa,CAef;AAyED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,MAAM,GAAG,cAAc,CAQ/E;AAwCD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI,CAI5D;AAgBD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE3D;AAID,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,SAAS,kBAAkB,EAAE,GAAG,MAAM,CAEhF;AAED,wBAAgB,yBAAyB,CAAC,mBAAmB,EAAE,MAAM,GAAG,MAAM,CAE7E;AAsBD,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,oBAAoB,EAC1B,eAAe,EAAE,MAAM,GACtB,oBAAoB,CAWtB;AAwCD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,oBAAoB,GAAG,MAAM,CAWpE;AAuBD,wBAAgB,aAAa,CAAC,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,GAAG,SAAS,MAAM,EAAE,CAgC/F;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,MAAM,EAAE,CAKnB;AAOD,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAgClC,wBAAgB,4BAA4B,CAC1C,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,kBAAkB,EAAE,CAE/B;AA0DD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAGtE;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,wBAAwB,EAAE,CAgBrC;AAED,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,oBAAoB,EAC1B,QAAQ,EAAE,QAAQ,GACjB,SAAS,mBAAmB,EAAE,CAUhC;AAOD,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,iBAAiB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAC;AAgCvF,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,aAAa,EACnB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,GACvB,SAAS,CAAC,WAAW,EAAE,WAAW,CAAC,CAmBrC;AASD,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,EAC3C,IAAI,EAAE,oBAAoB,GACzB,IAAI,CAAC,6BAA6B,EAAE,iBAAiB,CAAC,CAMxD;AAQD,wBAAgB,2BAA2B,CACzC,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,gBAAgB,CAAC,EAC3C,IAAI,EAAE,oBAAoB,GACzB,UAAU,CAAC,OAAO,6BAA6B,CAAC,GAAG,SAAS,CAM9D;AA+KD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,mBAAmB,CAAC;CACxC;AAmID,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,eAAe,CAAC,EAAE,eAAe,CAAC;IAC3C,QAAQ,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAC/C,QAAQ,CAAC,MAAM,CAAC,EAAE,cAAc,CAAC;CAClC;AA0FD,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,QAAQ,EACf,IAAI,EAAE,aAAa,EACnB,OAAO,GAAE;IACP,QAAQ,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,SAAS,CAAC;IAC1C,QAAQ,CAAC,MAAM,CAAC,EAAE,cAAc,GAAG,SAAS,CAAC;IAC7C,QAAQ,CAAC,WAAW,CAAC,EAAE,eAAe,GAAG,SAAS,CAAC;IACnD,QAAQ,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;CACrC,GACL,OAAO,CAAC,WAAW,CAAC,CAUtB;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,IAAI,EAAE,aAAa,EACnB,MAAM,CAAC,EAAE,cAAc,EACvB,WAAW,CAAC,EAAE,eAAe,EAC7B,MAAM,CAAC,EAAE,UAAU,GAClB,OAAO,CAAC,WAAW,CAAC,CAItB"}

package/dist/grounded-qa.js

@@ -877,10 +877,7 @@ async function dispatchHybridAsk(prepared, deps, skippedFolders, seam) {
     });
 }
 // ─── Public handler ───────────────────────────────────────────────────────────
-export async function handleGroundedAsk(ctx, deps, runner, multiSource, hybrid) {
-    const prepared = await prepareGroundedAsk(ctx, deps);
-    if ("status" in prepared)
-        return prepared;
+async function dispatchPreparedGroundedAsk(prepared, deps, runner, multiSource, hybrid) {
     const { chat } = prepared;
     // Epic #189 — count-based dispatch over BOTH source kinds. 0+0 → no scope. Connector-free chats
     // keep the EXISTING folder path (#532, byte-identical). A lone connector with no folders keeps the
@@ -909,3 +906,15 @@ export async function handleGroundedAsk(ctx, deps, runner, multiSource, hybrid)
     }
     return dispatchHybridAsk(preparedWithCanonicalFolders, deps, skippedFolders, hybrid);
 }
+export async function runGroundedAskInput(input, deps, options = {}) {
+    const chat = findChatById(deps, input.chatId);
+    if (chat === undefined)
+        return notFound("Chat not found.");
+    return dispatchPreparedGroundedAsk({ chat, input, signal: options.signal ?? new AbortController().signal }, deps, options.runner, options.multiSource, options.hybrid);
+}
+export async function handleGroundedAsk(ctx, deps, runner, multiSource, hybrid) {
+    const prepared = await prepareGroundedAsk(ctx, deps);
+    if ("status" in prepared)
+        return prepared;
+    return dispatchPreparedGroundedAsk(prepared, deps, runner, multiSource, hybrid);
+}

package/dist/headers.d.ts

@@ -1,3 +1,6 @@
 import type { ServerResponse } from "node:http";
-export declare function applySecurityHeaders(res: ServerResponse, csp: string, isApiPath: boolean): void;
+export interface SecurityHeaderOptions {
+    readonly allowMicrophone?: boolean | undefined;
+}
+export declare function applySecurityHeaders(res: ServerResponse, csp: string, isApiPath: boolean, options?: SecurityHeaderOptions): void;
 //# sourceMappingURL=headers.d.ts.map

package/dist/headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAchD,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,GAAG,IAAI,CAQ/F"}
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAahD,MAAM,WAAW,qBAAqB;IAKpC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CAChD;AAUD,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,OAAO,EAClB,OAAO,GAAE,qBAA0B,GAClC,IAAI,CASN"}