@ouro.bot/cli 0.1.0-alpha.62 → 0.1.0-alpha.637

package/dist/repertoire/commerce-self-test.js

@@ -0,0 +1,156 @@
+"use strict";
+/**
+ * Commerce self-test — per-service health checks for the agent's
+ * commerce infrastructure (Stripe, Duffel, LiteAPI).
+ *
+ * Used by the setup wizard to verify configuration and provide
+ * actionable error messages when services are misconfigured.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.commerceSelfTest = commerceSelfTest;
+const stripe_client_1 = require("./stripe-client");
+const duffel_client_1 = require("./duffel-client");
+const credential_access_1 = require("./credential-access");
+const runtime_1 = require("../nerves/runtime");
+// ---------------------------------------------------------------------------
+// Per-service tests
+// ---------------------------------------------------------------------------
+async function testStripe() {
+    try {
+        const client = await (0, stripe_client_1.createStripeClient)();
+        // Create a test card and immediately deactivate it
+        const card = await client.createVirtualCard({
+            type: "single_use",
+            spendLimit: 1,
+            currency: "usd",
+        });
+        await client.deactivateCard(card.cardId);
+        return { status: "ok", message: "Stripe Issuing working. Test card created and deactivated." };
+    }
+    catch (err) {
+        /* v8 ignore next -- reason @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        if (reason.includes("no credential found") || reason.includes("restrictedKey")) {
+            return {
+                status: "error",
+                message: `Stripe key missing. Add your restricted key at https://dashboard.stripe.com/apikeys and store it in the vault as stripe.com/restrictedKey.`,
+            };
+        }
+        if (reason.includes("401") || reason.includes("Invalid API Key")) {
+            return {
+                status: "error",
+                message: `Stripe key returned 401. Verify it at https://dashboard.stripe.com/apikeys.`,
+            };
+        }
+        return {
+            status: "error",
+            message: `Stripe error: ${reason}`,
+        };
+    }
+}
+async function testDuffel() {
+    try {
+        const client = await (0, duffel_client_1.createDuffelClient)();
+        await client.searchFlights({
+            origin: "SFO",
+            destination: "JFK",
+            departureDate: new Date(Date.now() + 30 * 86400000).toISOString().split("T")[0],
+            passengers: [{ type: "adult" }],
+        });
+        return { status: "ok", message: "Duffel Flights working. Test search completed." };
+    }
+    catch (err) {
+        /* v8 ignore next -- reason @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        if (reason.includes("no credential found") || reason.includes("apiKey")) {
+            return {
+                status: "error",
+                message: `Duffel key missing. Add your API key from https://app.duffel.com/tokens and store it in the vault as duffel.com/apiKey.`,
+            };
+        }
+        if (reason.includes("401") || reason.includes("Unauthorized")) {
+            return {
+                status: "error",
+                message: `Your Duffel key returned 401. Verify it at https://app.duffel.com/tokens.`,
+            };
+        }
+        return {
+            status: "error",
+            message: `Duffel error: ${reason}`,
+        };
+    }
+}
+async function testLiteApi() {
+    try {
+        const store = (0, credential_access_1.getCredentialStore)();
+        await store.getRawSecret("liteapi.travel", "apiKey");
+        // If we can retrieve the key, the config is present.
+        // LiteAPI is accessed via MCP, so we can't do a direct API call here.
+        // The actual health check happens when the MCP server starts.
+        return { status: "ok", message: "LiteAPI key found in vault. MCP server will use vault:liteapi.travel/apiKey." };
+    }
+    catch (err) {
+        /* v8 ignore next -- reason @preserve */
+        const reason = err instanceof Error ? err.message : String(err);
+        if (reason.includes("no credential found")) {
+            return {
+                status: "error",
+                message: `LiteAPI key missing. Get your API key from https://dashboard.liteapi.travel and store it in the vault as liteapi.travel/apiKey.`,
+            };
+        }
+        return {
+            status: "error",
+            message: `LiteAPI error: ${reason}`,
+        };
+    }
+}
+// ---------------------------------------------------------------------------
+// Main self-test
+// ---------------------------------------------------------------------------
+async function commerceSelfTest() {
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.commerce_self_test_start",
+        message: "starting commerce self-test",
+        meta: {},
+    });
+    const [stripe, duffel, liteapi] = await Promise.all([
+        testStripe(),
+        testDuffel(),
+        testLiteApi(),
+    ]);
+    const services = { stripe, duffel, liteapi };
+    const okCount = Object.values(services).filter((s) => s.status === "ok").length;
+    const total = Object.keys(services).length;
+    let overall;
+    if (okCount === total) {
+        overall = "healthy";
+    }
+    else if (okCount > 0) {
+        overall = "partial";
+    }
+    else {
+        overall = "unhealthy";
+    }
+    const lines = [];
+    if (stripe.status === "ok")
+        lines.push("Stripe: working");
+    else
+        lines.push(`Stripe: ${stripe.message}`);
+    if (duffel.status === "ok")
+        lines.push("Duffel: working");
+    else
+        lines.push(`Duffel: ${duffel.message}`);
+    if (liteapi.status === "ok")
+        lines.push("LiteAPI: working");
+    else
+        lines.push(`LiteAPI: ${liteapi.message}`);
+    const summary = `Commerce health: ${okCount}/${total} services ok.\n${lines.join("\n")}`;
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.commerce_self_test_end",
+        message: "commerce self-test complete",
+        meta: { overall, okCount, total },
+    });
+    return { overall, services, summary };
+}

package/dist/repertoire/credential-access.js

@@ -0,0 +1,178 @@
+"use strict";
+/**
+ * Credential access layer.
+ *
+ * Bitwarden/Vaultwarden is the sole runtime credential store. The only local
+ * secret is the vault unlock material held by an explicit local unlock store.
+ *
+ * Each agent owns one credential vault. getCredentialStore() returns that
+ * agent's vault directly; item names are not shared or namespaced across
+ * agents.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCredentialStore = getCredentialStore;
+exports.probeCredentialVaultAccess = probeCredentialVaultAccess;
+exports.resetCredentialStore = resetCredentialStore;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../nerves/runtime");
+const identity = __importStar(require("../heart/identity"));
+const bitwarden_store_1 = require("./bitwarden-store");
+const vault_unlock_1 = require("./vault-unlock");
+let stores = new Map();
+function loadVaultSectionForAgent(agentName) {
+    const configPath = path.join(identity.getAgentRoot(agentName), "agent.json");
+    try {
+        const parsed = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+        return { configPath, vault: parsed.vault };
+    }
+    catch {
+        return { configPath };
+    }
+}
+function bitwardenAppDataDir(agentName, vaultConfig, homeDir = os.homedir()) {
+    const digest = crypto
+        .createHash("sha256")
+        .update(`${agentName}:${vaultConfig.serverUrl}:${vaultConfig.email}`)
+        .digest("hex")
+        .slice(0, 24);
+    return path.join(homeDir, ".ouro-cli", "bitwarden", digest);
+}
+function getCredentialStore(agentNameInput) {
+    const agentName = agentNameInput ?? identity.getAgentName();
+    if (agentName === "SerpentGuide") {
+        throw new Error("SerpentGuide does not have a persistent credential vault; hatch bootstrap uses provider credentials in memory only.");
+    }
+    const { configPath, vault } = loadVaultSectionForAgent(agentName);
+    if (!vault || typeof vault.email !== "string" || vault.email.trim().length === 0) {
+        throw new Error((0, vault_unlock_1.credentialVaultNotConfiguredError)(agentName, configPath));
+    }
+    const vaultConfig = identity.resolveVaultConfig(agentName, vault);
+    const cacheKey = `${agentName}:${vaultConfig.serverUrl}:${vaultConfig.email}`;
+    const cached = stores.get(cacheKey);
+    if (cached)
+        return cached;
+    const unlock = (0, vault_unlock_1.readVaultUnlockSecret)({
+        agentName,
+        email: vaultConfig.email,
+        serverUrl: vaultConfig.serverUrl,
+    });
+    const unlockConfig = { agentName, email: vaultConfig.email, serverUrl: vaultConfig.serverUrl };
+    const unlockSource = unlock.source ?? unlockConfig;
+    let invalidUnlockCleared = false;
+    let canonicalUnlockStored = false;
+    const store = new bitwarden_store_1.BitwardenCredentialStore(vaultConfig.serverUrl, vaultConfig.email, unlock.secret, {
+        appDataDir: bitwardenAppDataDir(agentName, vaultConfig),
+        onInvalidUnlockSecret: (error) => {
+            if (invalidUnlockCleared)
+                return;
+            invalidUnlockCleared = true;
+            (0, vault_unlock_1.clearVaultUnlockSecret)({
+                agentName,
+                email: unlockSource.email,
+                serverUrl: unlockSource.serverUrl,
+            });
+            stores.delete(cacheKey);
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                event: "repertoire.credential_store_invalid_unlock_cleared",
+                component: "repertoire",
+                message: "cleared rejected local vault unlock material",
+                meta: {
+                    agentName,
+                    serverUrl: vaultConfig.serverUrl,
+                    email: vaultConfig.email,
+                    sourceServerUrl: unlockSource.serverUrl,
+                    error: error.message,
+                },
+            });
+        },
+        onLoginSuccess: () => {
+            if (canonicalUnlockStored)
+                return;
+            if (unlockSource.serverUrl === vaultConfig.serverUrl && unlockSource.email === vaultConfig.email)
+                return;
+            canonicalUnlockStored = true;
+            try {
+                (0, vault_unlock_1.storeVaultUnlockSecret)(unlockConfig, unlock.secret);
+                (0, vault_unlock_1.noteVaultUnlockSelfHeal)(unlockConfig, unlock.store.kind, unlockSource.serverUrl);
+            }
+            catch (error) {
+                (0, runtime_1.emitNervesEvent)({
+                    level: "warn",
+                    event: "repertoire.vault_unlock_self_heal_failed",
+                    component: "repertoire",
+                    message: "failed to rewrite local unlock material using canonical vault coordinates",
+                    meta: {
+                        store: unlock.store.kind,
+                        email: vaultConfig.email,
+                        sourceServerUrl: unlockSource.serverUrl,
+                        targetServerUrl: vaultConfig.serverUrl,
+                        error: error instanceof Error ? error.message : String(error),
+                    },
+                });
+            }
+        },
+    });
+    stores.set(cacheKey, store);
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.credential_store_init",
+        component: "repertoire",
+        message: "credential store initialized",
+        meta: {
+            backend: "bitwarden",
+            agentName,
+            serverUrl: vaultConfig.serverUrl,
+            email: vaultConfig.email,
+        },
+    });
+    return store;
+}
+async function probeCredentialVaultAccess(agentNameInput, unlockSecret, options = {}) {
+    const agentName = agentNameInput;
+    const { configPath, vault } = loadVaultSectionForAgent(agentName);
+    if (!vault || typeof vault.email !== "string" || vault.email.trim().length === 0) {
+        throw new Error((0, vault_unlock_1.credentialVaultNotConfiguredError)(agentName, configPath));
+    }
+    const vaultConfig = identity.resolveVaultConfig(agentName, vault);
+    const store = new bitwarden_store_1.BitwardenCredentialStore(vaultConfig.serverUrl, vaultConfig.email, unlockSecret, { appDataDir: bitwardenAppDataDir(agentName, vaultConfig, options.homeDir) });
+    await store.get("__ouro_vault_probe__");
+}
+function resetCredentialStore() {
+    stores = new Map();
+}

package/dist/repertoire/desk/classifier.js

@@ -0,0 +1,362 @@
+"use strict";
+/**
+ * Shared classifier for legacy `tasks/` → `desk/` migration.
+ *
+ * Pure data + parsing. Takes a file path relative to `<bundle>/tasks/` plus
+ * its content, returns a classification bucket. Used by `migrate-to-desk.ts`
+ * to decide where each file lands in the new `desk/` shape.
+ *
+ * Bucket definitions:
+ * - **terminal** — explicit done/complete/approved/cancelled/fixed status (or
+ *   synonyms). Always archived. Files under `tasks/archive/` are unconditionally
+ *   terminal regardless of frontmatter.
+ * - **stale_live** — live-looking status (`in-progress`, `ready_for_execution`,
+ *   `drafting`, `collaborating`, etc.) but the resolved `updated` date is
+ *   older than the 30-day cutoff. → archive (when-in-doubt rule).
+ * - **ambiguous** — no status, junk format, unknown status, `.md.bak` backup,
+ *   or empty file. → archive.
+ * - **live_clear** — live status AND updated within the last 30 days AND
+ *   coherent. → migrate to `legacy` track on the new desk.
+ * - **special_europe_trip** — historical one-off `ongoing/2026-03-09-1410-summer-2026-europe-trip.md` from the initial bundle that authored this migrator; kept as a labelled special case until the bundle is deprecated.
+ *
+ * Effective `updated` resolution priority: YAML `updated` → `approved` →
+ * `created` → body `**Updated**:` → date prefix in filename → file mtime.
+ *
+ * This is a pure-data helper: no side effects, no nerves observability of
+ * its own. The migrator emits nerves events around classify() calls.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveUpdatedMs = resolveUpdatedMs;
+exports.classifyFile = classifyFile;
+exports.deriveTaskSlug = deriveTaskSlug;
+exports.extractParentTaskDir = extractParentTaskDir;
+const frontmatter_1 = require("../../util/frontmatter");
+// ── Status vocabulary ──
+const TERMINAL_STATUSES = new Set([
+    "done",
+    "complete",
+    "completed",
+    "approved",
+    "cancelled",
+    "canceled",
+    "fixed",
+    "merged",
+    "merged_and_published",
+    "abandoned",
+    "rejected",
+    "closed",
+    "shipped",
+    "resolved",
+    "archived",
+    "obsolete",
+    "deprecated",
+    "superseded",
+    "converted",
+    "discarded",
+    "won't-do",
+    "wontfix",
+    "won't-fix",
+]);
+const LIVE_STATUSES = new Set([
+    "drafting",
+    "in-progress",
+    "in_progress",
+    "inprogress",
+    "ready_for_execution",
+    "ready-for-execution",
+    "collaborating",
+    "processing",
+    "validating",
+    "blocked",
+    "paused",
+    "open",
+    "needs_review",
+    "needs-review",
+    "handoff_needs_work_planner",
+    "running",
+    "active",
+    "reopened",
+    "handed-off",
+    "local_verified",
+    "ongoing",
+]);
+// ── Helpers ──
+function isMarkdownFile(relPath) {
+    return relPath.endsWith(".md");
+}
+function isBackupFile(relPath) {
+    return relPath.endsWith(".md.bak") || relPath.endsWith("~") || relPath.endsWith(".swp");
+}
+function isInArchiveSubdir(relPath) {
+    return relPath.startsWith("archive/") || relPath.includes("/archive/");
+}
+/**
+ * Detect the historical europe-trip task. Per the lift plan:
+ * `ongoing/2026-03-09-1410-summer-2026-europe-trip.md` is the only
+ * special-cased file.
+ */
+function isEuropeTripTask(relPath) {
+    return relPath === "ongoing/2026-03-09-1410-summer-2026-europe-trip.md";
+}
+/**
+ * Extract the frontmatter block (between `---` fences) from a markdown file.
+ * Returns the raw frontmatter text or undefined if no fenced block exists.
+ */
+function extractFrontmatterBlock(content) {
+    const trimmed = content.trimStart();
+    if (!trimmed.startsWith("---"))
+        return undefined;
+    const afterFirstFence = trimmed.slice(3);
+    const closeIdx = afterFirstFence.indexOf("\n---");
+    if (closeIdx === -1)
+        return undefined;
+    return afterFirstFence.slice(0, closeIdx).replace(/^\r?\n/, "");
+}
+function readStatusFromFrontmatter(fm) {
+    const candidates = ["status", "Status", "STATUS", "state", "State"];
+    for (const key of candidates) {
+        const value = fm[key];
+        if (typeof value === "string" && value.trim()) {
+            return value.trim().toLowerCase();
+        }
+    }
+    return undefined;
+}
+function readDateFromFrontmatter(fm, key) {
+    const value = fm[key];
+    if (typeof value !== "string")
+        return undefined;
+    const parsed = parseDateString(value);
+    return parsed;
+}
+/**
+ * Parse a date string into epoch ms. Accepts YYYY-MM-DD and full ISO 8601
+ * timestamps. Returns undefined for unparseable input.
+ */
+function parseDateString(raw) {
+    const trimmed = raw.trim();
+    /* v8 ignore start -- defensive: callers (readDateFromFrontmatter, extractUpdatedFromBody) only pass values that have already been confirmed non-empty (frontmatter scalar or regex-captured digits). The empty-string fallback is unreachable in practice. @preserve */
+    if (!trimmed)
+        return undefined;
+    /* v8 ignore stop */
+    // YYYY-MM-DD or YYYY-MM-DD HH:MM or full ISO
+    const dateOnlyMatch = /^(\d{4})-(\d{2})-(\d{2})$/.exec(trimmed);
+    if (dateOnlyMatch) {
+        const ms = Date.UTC(Number(dateOnlyMatch[1]), Number(dateOnlyMatch[2]) - 1, Number(dateOnlyMatch[3]));
+        /* v8 ignore start -- Date.UTC normalizes out-of-range numeric inputs to finite ms; the regex already guarantees four+two+two-digit ints. The undefined branch is genuinely unreachable. @preserve */
+        return Number.isFinite(ms) ? ms : undefined;
+        /* v8 ignore stop */
+    }
+    const ms = Date.parse(trimmed);
+    /* v8 ignore start -- v8 coverage tooling intermittently fails to register the NaN→undefined branch even when tests demonstrably exercise it (see "garbage123" / "not-a-date-at-all-12345xyz67890" tests in migrate-to-desk.test.ts). The behavior is correct; the coverage signal is the noise. @preserve */
+    if (!Number.isFinite(ms))
+        return undefined;
+    /* v8 ignore stop */
+    return ms;
+}
+/**
+ * Extract date prefix from a filename like `2026-05-12-1122-doing-foo.md`.
+ * Returns epoch ms or undefined.
+ */
+function extractDatePrefixFromFilename(relPath) {
+    /* v8 ignore start -- defensive `?? relPath` fallback: String.split() always returns at least one element, so pop() never returns undefined on a non-empty input. The fallback exists only as a type guard for the strict no-implicit-any setting. @preserve */
+    const base = relPath.split("/").pop() ?? relPath;
+    /* v8 ignore stop */
+    const match = /^(\d{4})-(\d{2})-(\d{2})(?:-(\d{2})(\d{2}))?/.exec(base);
+    if (!match)
+        return undefined;
+    const ms = Date.UTC(Number(match[1]), Number(match[2]) - 1, Number(match[3]), match[4] ? Number(match[4]) : 0, match[5] ? Number(match[5]) : 0);
+    /* v8 ignore start -- Date.UTC normalizes out-of-range numeric inputs to finite ms; the regex already guarantees four+two+two-digit ints. The undefined branch is genuinely unreachable. @preserve */
+    return Number.isFinite(ms) ? ms : undefined;
+    /* v8 ignore stop */
+}
+/**
+ * Extract `**Updated**: YYYY-MM-DD` from body prose (some legacy task formats
+ * use this convention instead of YAML frontmatter).
+ */
+function extractUpdatedFromBody(content) {
+    const match = /\*\*Updated\*\*:\s*([0-9]{4}-[0-9]{2}-[0-9]{2}[A-Za-z0-9:_\- .]*)/.exec(content);
+    if (!match)
+        return undefined;
+    return parseDateString(match[1]);
+}
+/**
+ * Resolve the effective `updated` timestamp using the priority chain.
+ * Priority: YAML `updated` → `approved` → `created` → body `**Updated**:` →
+ * date prefix in filename → file mtime.
+ */
+function resolveUpdatedMs(input) {
+    const fmBlock = extractFrontmatterBlock(input.content);
+    if (fmBlock) {
+        const fm = (0, frontmatter_1.parseFrontmatter)(fmBlock);
+        const updated = readDateFromFrontmatter(fm, "updated") ?? readDateFromFrontmatter(fm, "Updated");
+        if (updated !== undefined)
+            return updated;
+        const approved = readDateFromFrontmatter(fm, "approved") ?? readDateFromFrontmatter(fm, "Approved");
+        if (approved !== undefined)
+            return approved;
+        const created = readDateFromFrontmatter(fm, "created") ?? readDateFromFrontmatter(fm, "Created");
+        if (created !== undefined)
+            return created;
+    }
+    const bodyUpdated = extractUpdatedFromBody(input.content);
+    if (bodyUpdated !== undefined)
+        return bodyUpdated;
+    const filenameDate = extractDatePrefixFromFilename(input.relPath);
+    if (filenameDate !== undefined)
+        return filenameDate;
+    return input.mtimeMs;
+}
+/**
+ * Classify a status string into a coarse category. `terminal` overrides
+ * everything. `live` is the explicit live set. `unknown` is anything else.
+ */
+function classifyStatus(status) {
+    if (!status)
+        return "missing";
+    const normalized = status.trim().toLowerCase();
+    // Some statuses are free-text sentences (e.g. "core line approved, companion proof line in discussion").
+    // Match terminal keywords if they appear as the leading word.
+    const head = normalized.split(/[\s,;:]+/)[0];
+    if (TERMINAL_STATUSES.has(head) || TERMINAL_STATUSES.has(normalized))
+        return "terminal";
+    if (LIVE_STATUSES.has(head) || LIVE_STATUSES.has(normalized))
+        return "live";
+    return "unknown";
+}
+// ── Public classifier ──
+/**
+ * Classify a single file. Pairing/grouping is handled by the migrator at a
+ * higher level — this function is purely per-file.
+ */
+function classifyFile(input) {
+    // Europe-trip override comes first.
+    if (isEuropeTripTask(input.relPath)) {
+        return {
+            bucket: "special_europe_trip",
+            updatedMs: resolveUpdatedMs(input),
+            status: undefined,
+            reason: "operator-flagged europe-trip task",
+        };
+    }
+    // Backup files and `archive/` subdir are unconditionally archived.
+    if (isBackupFile(input.relPath)) {
+        return {
+            bucket: "ambiguous",
+            updatedMs: resolveUpdatedMs(input),
+            status: undefined,
+            reason: "backup or swap file",
+        };
+    }
+    if (isInArchiveSubdir(input.relPath)) {
+        return {
+            bucket: "terminal",
+            updatedMs: resolveUpdatedMs(input),
+            status: undefined,
+            reason: "under archive/ subdir",
+        };
+    }
+    // Empty file → ambiguous.
+    if (input.content.trim().length === 0) {
+        return {
+            bucket: "ambiguous",
+            updatedMs: input.mtimeMs,
+            status: undefined,
+            reason: "empty file",
+        };
+    }
+    // Non-markdown files inherit from their parent task dir (handled at the
+    // migrator level via the pairing rule). Classifier defaults to ambiguous
+    // for non-md singletons.
+    if (!isMarkdownFile(input.relPath)) {
+        return {
+            bucket: "ambiguous",
+            updatedMs: resolveUpdatedMs(input),
+            status: undefined,
+            reason: "non-markdown file (will inherit from parent if grouped)",
+        };
+    }
+    const fmBlock = extractFrontmatterBlock(input.content);
+    const fm = fmBlock ? (0, frontmatter_1.parseFrontmatter)(fmBlock) : {};
+    const status = readStatusFromFrontmatter(fm);
+    const category = classifyStatus(status);
+    const updatedMs = resolveUpdatedMs(input);
+    if (category === "terminal") {
+        return {
+            bucket: "terminal",
+            updatedMs,
+            status,
+            reason: `terminal status: ${status}`,
+        };
+    }
+    if (category === "missing" || category === "unknown") {
+        return {
+            bucket: "ambiguous",
+            updatedMs,
+            status,
+            reason: status ? `unknown status: ${status}` : "no status",
+        };
+    }
+    // category === "live"
+    if (updatedMs < input.cutoffMs) {
+        return {
+            bucket: "stale_live",
+            updatedMs,
+            status,
+            reason: `live status (${status}) but updated >30d ago`,
+        };
+    }
+    return {
+        bucket: "live_clear",
+        updatedMs,
+        status,
+        reason: `live status (${status}) within 30d`,
+    };
+}
+// ── Pairing rules ──
+/**
+ * Derive a task slug from a filename. Strips the `YYYY-MM-DD-HHMM-` (or
+ * `YYYY-MM-DD-`) prefix and the `planning-` / `doing-` / `ideation-` /
+ * `audit-` / `audit-report-` / `audit-backlog-` infix. Returns the remaining
+ * stem (without `.md`).
+ *
+ * Examples:
+ *   `2026-05-10-doing-foo.md` → `foo`
+ *   `2026-05-12-1122-doing-rest-loop-incident.md` → `rest-loop-incident`
+ *   `2026-05-12-1122-planning-rest-loop-incident.md` → `rest-loop-incident`
+ *   `one-shots/2026-04-29-0942-planning-substrate-trip-control-deploy.md`
+ *     → `substrate-trip-control-deploy`
+ */
+function deriveTaskSlug(relPath) {
+    /* v8 ignore start -- defensive `?? relPath` fallback: String.split() always returns at least one element, so pop() never returns undefined. The fallback exists as a type guard. @preserve */
+    const base = relPath.split("/").pop() ?? relPath;
+    /* v8 ignore stop */
+    const stem = base.replace(/\.md$/, "");
+    // Strip YYYY-MM-DD[-HHMM]- prefix
+    let remainder = stem.replace(/^\d{4}-\d{2}-\d{2}(?:-\d{4})?-/, "");
+    // Strip role infix: planning, doing, ideation, audit, audit-report, audit-backlog
+    remainder = remainder.replace(/^(planning|doing|ideation|audit-report|audit-backlog|audit)-/, "");
+    return remainder;
+}
+/**
+ * Extract the parent task directory for a sub-artifact path. Returns
+ * undefined for top-level files.
+ *
+ * Examples:
+ *   `one-shots/2026-05-10-doing-foo/baseline.md` → `one-shots/2026-05-10-doing-foo`
+ *   `one-shots/2026-05-10-doing-foo.md` → undefined
+ */
+function extractParentTaskDir(relPath) {
+    const segments = relPath.split("/");
+    if (segments.length < 2)
+        return undefined;
+    // Walk segments — if any intermediate segment looks like a task-dir name
+    // (matches the `YYYY-MM-DD[-HHMM]-(planning|doing|ideation|audit*)-` pattern),
+    // return everything up to and including it. Otherwise no parent.
+    for (let i = segments.length - 2; i >= 0; i -= 1) {
+        if (/^\d{4}-\d{2}-\d{2}(?:-\d{4})?-(planning|doing|ideation|audit-report|audit-backlog|audit)-/.test(segments[i])) {
+            return segments.slice(0, i + 1).join("/");
+        }
+    }
+    return undefined;
+}