@pugi/cli 0.1.0-beta.24 → 0.1.0-beta.26

package/dist/core/repo-map/formatter.js

@@ -0,0 +1,145 @@
+/**
+ * Default byte cap for the engine system-prompt injection. The L28
+ * spec calls for 2000 tokens; conservatively that is ~8 KB of UTF-8
+ * (rough Claude tokeniser ratio: ~4 chars per token). We cap at 8 KB
+ * so the formatted block stays under the token budget across every
+ * supported model family without per-model accounting.
+ */
+export const DEFAULT_FORMAT_BYTES_CAP = 8 * 1024;
+/**
+ * Maximum symbols per row. The engine row format is:
+ *
+ *   `- path/to/file.ts — summary line — exports: Foo(class), bar(fn)`
+ *
+ * Beyond 6 symbols the row grows past the readable column budget and
+ * the additional names rarely move the needle for the model — the
+ * exports tail is signal-bearing only for the first few entries
+ * anyway (`index.ts` re-exports tend к pile up).
+ */
+export const MAX_SYMBOLS_PER_ROW = 6;
+/**
+ * Render the repo-map text. The implementation is intentionally split
+ * into:
+ *
+ *   - `prioritise(...)` — pure sort + filter, fully testable in
+ *     isolation, no I/O of any kind.
+ *   - `renderRow(...)`  — one file's row, byte-counted.
+ *   - main loop — assembles header + rows + footer, respecting cap.
+ *
+ * The split lets the spec assert each stage in isolation (priority
+ * order, single-row shape, truncation arithmetic).
+ */
+export function formatRepoMap(extracts, options = {}) {
+    const maxBytes = options.maxBytes ?? DEFAULT_FORMAT_BYTES_CAP;
+    const omitHeader = options.omitHeader === true;
+    const prioritised = prioritise(extracts);
+    const header = omitHeader
+        ? ''
+        : `## Repo map\n\n${prioritised.length} source files indexed.\n\n`;
+    const headerBytes = byteLength(header);
+    if (headerBytes >= maxBytes) {
+        // Cap is smaller than even the header — emit nothing rather than
+        // a truncated header that the engine cannot parse.
+        return {
+            text: '',
+            filesIncluded: 0,
+            filesTotal: extracts.length,
+            bytes: 0,
+            truncated: extracts.length > 0,
+        };
+    }
+    const rows = [];
+    let bytesUsed = headerBytes;
+    let filesIncluded = 0;
+    let truncated = false;
+    for (let i = 0; i < prioritised.length; i += 1) {
+        const row = renderRow(prioritised[i]);
+        const rowBytes = byteLength(row);
+        // Reserve space for the footer (`\n... N more files\n`). We
+        // overestimate at 64 bytes — the exact number depends on the
+        // file count digits but 64 covers any realistic case.
+        const footerReserve = i + 1 < prioritised.length ? 64 : 0;
+        if (bytesUsed + rowBytes + footerReserve > maxBytes) {
+            truncated = true;
+            break;
+        }
+        rows.push(row);
+        bytesUsed += rowBytes;
+        filesIncluded += 1;
+    }
+    let text = header + rows.join('');
+    if (truncated) {
+        const omitted = prioritised.length - filesIncluded;
+        text += `\n... ${omitted} more file${omitted === 1 ? '' : 's'}\n`;
+    }
+    return {
+        text,
+        filesIncluded,
+        filesTotal: extracts.length,
+        bytes: byteLength(text),
+        truncated,
+    };
+}
+/* ----------------------------- helpers ----------------------------- */
+/**
+ * Sort the extracts by (exported-symbol count desc, path asc). The
+ * engine cares about the public surface; a file with 12 exported
+ * symbols carries more signal than 50 private helpers.
+ */
+export function prioritise(extracts) {
+    return [...extracts].sort((a, b) => {
+        const expA = countExports(a);
+        const expB = countExports(b);
+        if (expA !== expB)
+            return expB - expA;
+        return a.relPath < b.relPath ? -1 : a.relPath > b.relPath ? 1 : 0;
+    });
+}
+function countExports(extract) {
+    let n = 0;
+    for (const sym of extract.symbols)
+        if (sym.exported)
+            n += 1;
+    return n;
+}
+/**
+ * Render a single file row. Format:
+ *
+ *   `- path/to/file.ts — summary — exports: Foo(class), bar(fn), Baz(type)`
+ *
+ * When there are no exported symbols, the `exports:` tail is dropped.
+ * When there is no summary, the dash separator is dropped.
+ */
+export function renderRow(extract) {
+    const exported = extract.symbols.filter((s) => s.exported);
+    const symbolsTail = exported.length > 0
+        ? ` — exports: ${formatSymbolList(exported.slice(0, MAX_SYMBOLS_PER_ROW))}`
+        : '';
+    const summaryTail = extract.summary ? ` — ${extract.summary}` : '';
+    return `- ${extract.relPath}${summaryTail}${symbolsTail}\n`;
+}
+function formatSymbolList(symbols) {
+    return symbols.map((s) => `${s.name}(${shortKind(s.kind)})`).join(', ');
+}
+function shortKind(kind) {
+    switch (kind) {
+        case 'function':
+            return 'fn';
+        case 'class':
+            return 'class';
+        case 'interface':
+            return 'iface';
+        case 'type':
+            return 'type';
+        case 'enum':
+            return 'enum';
+        case 'const':
+            return 'const';
+        case 'heading':
+            return 'h';
+    }
+}
+function byteLength(s) {
+    return Buffer.byteLength(s, 'utf8');
+}
+//# sourceMappingURL=formatter.js.map

package/dist/core/repo-map/scanner.js

@@ -0,0 +1,211 @@
+/**
+ * Repo-map scanner — Leak L28 (2026-05-27).
+ *
+ * Walks the workspace via `fs.readdirSync` (sync, depth-first), filters
+ * to a recognised set of source-language extensions, and applies the
+ * shared `PugiIgnore` matcher so the same exclusion rules used by the
+ * three-tier context skeleton also gate the repo-map.
+ *
+ * Why a stand-alone scanner (vs. reusing the α6.5 skeleton walker):
+ *
+ *   1. The skeleton walker emits a flat `IndexArtifact[]` of every
+ *      ignore-respecting file (markdown, configs, schemas, etc.) for
+ *      the working-set heuristic. The repo-map ONLY needs source
+ *      files — markdown headings and JSON keys are not "definitions"
+ *      in the L28 sense. Filtering downstream is cheap, but the
+ *      scanner gets to short-circuit on extension before stat'ing
+ *      the file, which matters for monorepos with thousands of
+ *      non-source artefacts (lockfiles, schemas, fixtures).
+ *
+ *   2. We need mtime + size per file so `cache.ts` can invalidate
+ *      stale entries without re-parsing. The skeleton walker
+ *      surfaces only paths.
+ *
+ *   3. The L28 contract caps the walk at `MAX_SRC_FILES` (5000) and
+ *      individual files at `MAX_FILE_BYTES` (200 KiB). When the cap
+ *      trips the scanner returns a `{ skipped: 'too-large' }`
+ *      verdict rather than partial data — the consumer must decide
+ *      whether to fall back to a no-op map or surface a hint к the
+ *      operator. Surfacing partial data would silently bias the
+ *      injected summary toward whichever subtree the walker happened
+ *      to traverse first.
+ *
+ * The output is sorted (POSIX path string compare) so two runs over
+ * the same workspace produce byte-identical `repo-map.json` caches —
+ * `cache.ts` relies on stable ordering for its hash-free freshness
+ * check. POSIX-style separators are used in `relPath` regardless of
+ * platform so the cache file stays portable.
+ *
+ * Pure module surface: no logging, no network. Errors during readdir
+ * on a single subtree (permission denied, symlink loop) are swallowed
+ * and the walker continues — repo-map is a best-effort context
+ * enrichment, never a gate.
+ */
+import { readdirSync, statSync } from 'node:fs';
+import { join, posix, relative, resolve, sep } from 'node:path';
+/**
+ * Hard ceiling on total source files surfaced by a single scan. The
+ * engine context budget is the binding constraint — a 5K-file repo
+ * already overflows the 2K-token injection cap so going higher buys
+ * nothing but walker latency. Repos above the cap fall back к the
+ * `{ skipped: 'too-large' }` verdict.
+ */
+export const MAX_SRC_FILES = 5000;
+/**
+ * Per-file size cap. Files larger than this are skipped — they are
+ * almost always generated (compiled JS, vendored libs, encoded blobs)
+ * and add noise without signal. The 200 KiB threshold mirrors the
+ * α6.5 skeleton walker's own `MAX_FILE_BYTES` so the two scans agree
+ * on "what counts as a source file".
+ */
+export const MAX_FILE_BYTES = 200 * 1024;
+/**
+ * Source-language extensions the extractor knows how to parse. Adding
+ * a language here without a matching extractor branch is a silent
+ * no-op (the file shows up в the scan but extracts zero symbols);
+ * the spec asserts the symmetry so a future PR cannot drift the two
+ * lists out of sync.
+ */
+export const SUPPORTED_EXTENSIONS = Object.freeze([
+    '.ts',
+    '.tsx',
+    '.js',
+    '.jsx',
+    '.mjs',
+    '.cjs',
+    '.md',
+    '.mdx',
+]);
+const defaultReaddir = (path) => readdirSync(path, { withFileTypes: true });
+const defaultStat = (path) => {
+    const s = statSync(path);
+    return { size: s.size, mtimeMs: s.mtimeMs };
+};
+/**
+ * Walk the workspace once and return every source file the extractor
+ * is willing to parse. The function is deliberately synchronous —
+ * the underlying walks are CPU-bound, не I/O-bound, and the sync
+ * call avoids the promise overhead that dominates for thousands of
+ * small files. The L28 engine boot path runs this on a Node `setImmediate`
+ * so the main thread is not blocked.
+ */
+export function scanRepoForMap(options) {
+    const root = resolve(options.root);
+    const readdir = options.readdir ?? defaultReaddir;
+    const stat = options.stat ?? defaultStat;
+    const maxFiles = options.maxFiles ?? MAX_SRC_FILES;
+    const maxFileBytes = options.maxFileBytes ?? MAX_FILE_BYTES;
+    const ignore = options.ignore;
+    const files = [];
+    let walked = 0;
+    let skippedLarge = 0;
+    let skippedIgnored = 0;
+    let tooLarge = false;
+    /**
+     * Depth-first recursion. We push dirs into a manual stack instead of
+     * recursing in JS because deep monorepos (Nx with 100+ packages)
+     * have approached the v8 default stack limit on Windows runners
+     * before; an explicit stack is one less thing to debug.
+     */
+    const stack = [root];
+    while (stack.length > 0) {
+        const dir = stack.pop();
+        let entries;
+        try {
+            entries = readdir(dir);
+        }
+        catch {
+            // Permission denied / symlink loop / mid-flight delete — keep
+            // walking. Repo-map is best-effort context, never a gate.
+            continue;
+        }
+        for (const entry of entries) {
+            const abs = join(dir, entry.name);
+            const isDir = entry.isDirectory();
+            if (ignore.isIgnored(abs, isDir)) {
+                skippedIgnored += 1;
+                continue;
+            }
+            if (isDir) {
+                stack.push(abs);
+                continue;
+            }
+            if (!entry.isFile()) {
+                // Symlinks, sockets, FIFOs etc. Skip silently — they are not
+                // source code and stat'ing them can throw on broken links.
+                continue;
+            }
+            walked += 1;
+            const ext = extOf(entry.name);
+            if (!SUPPORTED_EXTENSIONS.includes(ext)) {
+                continue;
+            }
+            let statResult;
+            try {
+                statResult = stat(abs);
+            }
+            catch {
+                // File vanished between readdir and stat — skip.
+                continue;
+            }
+            if (statResult.size > maxFileBytes) {
+                skippedLarge += 1;
+                continue;
+            }
+            // Workspace-relative POSIX path. `relative` returns the host
+            // separator on Windows; normalise to forward slashes so the
+            // cache file is portable.
+            const rel = relative(root, abs).split(sep).join(posix.sep);
+            files.push({
+                relPath: rel,
+                absPath: abs,
+                ext,
+                sizeBytes: statResult.size,
+                mtimeMs: statResult.mtimeMs,
+            });
+            if (files.length > maxFiles) {
+                tooLarge = true;
+                break;
+            }
+        }
+        if (tooLarge)
+            break;
+    }
+    if (tooLarge) {
+        return {
+            ok: false,
+            root,
+            skipped: {
+                reason: 'too-large',
+                walked,
+            },
+        };
+    }
+    // Sort by POSIX path for stable cache output. Two runs over the
+    // same workspace yield byte-identical JSON so the cache hash check
+    // is a simple `mtime + size` per entry without a content digest.
+    files.sort((a, b) => (a.relPath < b.relPath ? -1 : a.relPath > b.relPath ? 1 : 0));
+    return {
+        ok: true,
+        root,
+        files,
+        stats: {
+            walked,
+            kept: files.length,
+            skippedLarge,
+            skippedIgnored,
+        },
+    };
+}
+/**
+ * Lowercase extension including the leading dot, or '' when the
+ * filename has no extension. Mirrors `node:path.extname` semantics —
+ * inlined so the scanner has zero per-iteration call overhead.
+ */
+function extOf(name) {
+    const dot = name.lastIndexOf('.');
+    if (dot < 0 || dot === 0)
+        return '';
+    return name.slice(dot).toLowerCase();
+}
+//# sourceMappingURL=scanner.js.map

package/dist/core/session.js

@@ -18,6 +18,50 @@ export function openSession(root) {
         enabled,
     };
 }
+/**
+ * Leak L12 MVP — fire the `SessionStart` lifecycle event for all hooks
+ * declared in `~/.pugi/hooks-mvp.json`. Single-call surface; the REPL
+ * boot path invokes this once after `openSession`. Best-effort: any
+ * failure (missing config, hook spawn error) is swallowed so a
+ * misconfigured hook can never crash the REPL.
+ *
+ * Returns the number of hooks that fired (0 when no config / no
+ * matching hooks). Tests assert on the return value as the
+ * single-call invariant.
+ */
+export async function fireSessionStartMvp(session) {
+    try {
+        const { loadHooksConfig, fireHooks } = await import('./hooks/index.js');
+        // Defense-in-depth: `loadHooksConfig` is contractually non-null
+        // (returns `HooksConfig.empty(path)` when the file is absent), but
+        // the dynamic import boundary above can in principle return an
+        // unexpected shape if the module is mis-resolved at runtime. Guard
+        // the optional-chained `isEmpty()` call so a malformed loader can
+        // never raise `TypeError: Cannot read properties of undefined` and
+        // crash the REPL boot path. Belt-and-suspenders with the
+        // surrounding try/catch — the catch still swallows everything else.
+        const config = loadHooksConfig();
+        if (!config || config.isEmpty())
+            return 0;
+        const outcome = await fireHooks({
+            config,
+            event: 'SessionStart',
+            payload: {
+                event: 'SessionStart',
+                sessionId: session.id,
+                workspaceRoot: session.root,
+                startedAt: new Date().toISOString(),
+            },
+            workspaceRoot: session.root,
+        });
+        return outcome.results.length;
+    }
+    catch {
+        // SessionStart is never blocking — log nothing, return 0. A
+        // broken `hooks-mvp.json` is surfaced via `pugi hooks doctor`.
+        return 0;
+    }
+}
 export function recordCommandStarted(session, command) {
     if (!session.enabled)
         return;

package/dist/core/settings.js

@@ -88,6 +88,15 @@ const pugiSettingsSchema = z.object({
         python: z.boolean().optional(),
         go: z.boolean().optional(),
         rust: z.boolean().optional(),
+        // Leak L15 (2026-05-27): post-edit auto-diagnostics. When `true`,
+        // a successful `edit`/`write`/`multi_edit` triggers a diagnostic
+        // pull on the touched file(s) and the result is appended to the
+        // tool envelope so the model can self-correct in the same turn.
+        // Off by default — the cold-start of `typescript-language-server`
+        // is heavy enough that we opt in explicitly until dogfood proves
+        // the throughput trade is worth it. Also enabled via env var
+        // `PUGI_LSP_POST_EDIT=1` for CI / one-off operator probes.
+        postEditDiagnostics: z.boolean().optional(),
     })
         .optional(),
     // β1 Pl9 (#74) — per-command budget overrides. Optional. Partial

package/dist/core/telemetry/emitter.js

@@ -0,0 +1,229 @@
+/**
+ * Telemetry emitter — Wave 6 BIG TRACK 11 (PR-PUGI-OBSERVABILITY-STACK).
+ *
+ * Single entry point used by the REPL + slash dispatcher + tool runner
+ * to record CLI lifecycle events. Honours the L25 telemetry-state
+ * consent verdict — events are dropped silently when the operator chose
+ * `off` (default) and accepted into the queue when they chose
+ * `anonymous` or `community`.
+ *
+ * Opt-out hatches (any one of them stops the emitter cold):
+ *
+ *   1. `~/.pugi/.telemetry-disabled` marker file (per-user kill switch
+ *      the operator can drop with `touch` even when their config got
+ *      corrupted). Hot-path: we stat() this once at boot AND on every
+ *      emit so an emergency operator gesture takes effect immediately
+ *      without a REPL restart.
+ *   2. `PUGI_TELEMETRY=0` (env). Honoured at every emit — CI scripts
+ *      can wrap a one-shot invocation without touching the user's
+ *      config.
+ *   3. L25 `~/.pugi/config.json::telemetry === 'off'`. Default for
+ *      fresh installs — the onboarding wizard flips it to `anonymous`
+ *      or `community` when the operator says yes.
+ *
+ * The emitter is fire-and-forget. Calls never throw, never block the
+ * caller, and never await the network. The queue persists events to a
+ * JSONL spill so a synchronous CLI process can exit before a network
+ * round-trip completes without losing data.
+ *
+ * Allowlisted meta keys — call sites MUST pass only the canonical keys
+ * (see `META_ALLOWLIST` below). Unknown keys are dropped at this layer
+ * AND again at the admin-api ingest layer (defence in depth).
+ */
+import { statSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { resolve } from 'node:path';
+import { readTelemetryChoice, } from '../onboarding/telemetry-state.js';
+import { PUGI_CLI_VERSION } from '../../runtime/version.js';
+import { newSessionId, spillEvent, } from './queue.js';
+/**
+ * Allowed meta keys. Matches the admin-api allowlist verbatim — the two
+ * lists MUST stay in sync. The server is the structural wall; this is
+ * the defence-in-depth at the source. Anything off-list is dropped
+ * before the event lands on disk so a CI grep of the spill file never
+ * surfaces a key that was never supposed to leave the process.
+ */
+export const META_ALLOWLIST = new Set([
+    'platform',
+    'arch',
+    'nodeVersion',
+    'tier',
+    'consent',
+    'pty',
+    'durationCategory',
+    'exitCode',
+    'parentCommand',
+    'subagent',
+    'modelTier',
+    'cacheHit',
+    'retryCount',
+    'quotaTier',
+    'tunedModel',
+    'flagsHash',
+]);
+/**
+ * Single source-of-truth marker the operator can `touch` to kill all
+ * telemetry from a single user account in one gesture. Bypasses the
+ * config file — survives a corrupt `config.json` and is documented in
+ * `pugi help telemetry`.
+ */
+export const KILL_SWITCH_MARKER = '.telemetry-disabled';
+/**
+ * Resolve the kill-switch marker path. Pure — exposed for tests.
+ */
+export function killSwitchPath(env = process.env) {
+    const home = env.PUGI_HOME ?? resolve(homedir(), '.pugi');
+    return resolve(home, KILL_SWITCH_MARKER);
+}
+/**
+ * Is the kill switch armed? Stat the marker on every emit so an
+ * operator gesture (e.g. `touch ~/.pugi/.telemetry-disabled`) takes
+ * effect immediately without a REPL restart.
+ */
+export function isKillSwitchArmed(env = process.env) {
+    const path = killSwitchPath(env);
+    try {
+        statSync(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Is the env-var opt-out set? Honours common falsy literals so a CI
+ * matrix that exports `PUGI_TELEMETRY=false` or `=no` does the right
+ * thing.
+ */
+export function isEnvDisabled(env = process.env) {
+    const raw = (env.PUGI_TELEMETRY ?? '').trim().toLowerCase();
+    if (raw === '')
+        return false;
+    return raw === '0' || raw === 'false' || raw === 'off' || raw === 'no';
+}
+/**
+ * Resolve the current consent verdict. Cached per-call (no module-level
+ * caching) so the onboarding wizard's flip from `off` → `anonymous`
+ * takes effect immediately without a REPL restart.
+ */
+export function currentConsent(ctx = {}) {
+    return readTelemetryChoice({ env: ctx.env });
+}
+/**
+ * Strip unknown keys + truncate long string values. Mirrors the server
+ * sanitiser. Cap is intentionally smaller here (256) than on the wire
+ * (512) — keeps the spill file lean on a long-offline laptop.
+ */
+const META_VALUE_CAP = 256;
+export function sanitiseMeta(value) {
+    const out = {};
+    if (!value || typeof value !== 'object')
+        return out;
+    let kept = 0;
+    for (const [k, v] of Object.entries(value)) {
+        if (kept >= 16)
+            break;
+        if (!META_ALLOWLIST.has(k))
+            continue;
+        if (v === null || v === undefined)
+            continue;
+        if (typeof v === 'string') {
+            out[k] = v.length > META_VALUE_CAP ? v.slice(0, META_VALUE_CAP) : v;
+        }
+        else if (typeof v === 'number' && Number.isFinite(v)) {
+            out[k] = v;
+        }
+        else if (typeof v === 'boolean') {
+            out[k] = v;
+        }
+        else {
+            continue;
+        }
+        kept += 1;
+    }
+    return out;
+}
+/**
+ * Per-process session id. Allocated lazily on first `emit(...)` so a
+ * CLI invocation that never fires telemetry never burns a UUID.
+ */
+let cachedSessionId = null;
+/**
+ * Reset the cached session id. Called by tests AND the REPL `/reset`
+ * path so a long-running REPL can rotate sessions on demand.
+ */
+export function resetSessionId() {
+    cachedSessionId = null;
+}
+/**
+ * Build the outbound event from `EmitInput` + the resolved consent
+ * tier. Pure — exposed for spec parity.
+ */
+export function buildEvent(input, consent, sessionId) {
+    const kind = input.kind ?? 'command-exec';
+    const success = typeof input.success === 'boolean' ? input.success : true;
+    // Anonymous tier strips everything but the bare counts. Community
+    // tier carries the (sanitised) meta payload. Off tier never reaches
+    // this function — the emit() gate rejects before we build.
+    const meta = consent === 'community' ? sanitiseMeta(input.meta) : {};
+    const out = {
+        sessionId,
+        cliVersion: PUGI_CLI_VERSION,
+        command: input.command,
+        kind,
+        ts: new Date().toISOString(),
+        success,
+    };
+    if (typeof input.durationMs === 'number' && Number.isFinite(input.durationMs)) {
+        out.durationMs = Math.max(0, Math.round(input.durationMs));
+    }
+    if (input.errorCode)
+        out.errorCode = input.errorCode;
+    if (input.tool)
+        out.tool = input.tool;
+    if (input.model)
+        out.model = input.model;
+    if (typeof input.tokensIn === 'number' && Number.isFinite(input.tokensIn)) {
+        out.tokensIn = Math.max(0, Math.round(input.tokensIn));
+    }
+    if (typeof input.tokensOut === 'number' && Number.isFinite(input.tokensOut)) {
+        out.tokensOut = Math.max(0, Math.round(input.tokensOut));
+    }
+    if (Object.keys(meta).length > 0)
+        out.meta = meta;
+    return out;
+}
+/**
+ * Fire one telemetry event. Never throws. Returns a discriminated
+ * verdict so callers (the spec, the diagnostic surface) can assert on
+ * the path the emit took.
+ *
+ * Hot-path: opt-out checks → consent check → buildEvent → spillEvent.
+ * The spillEvent step is sync filesystem IO; for CLI surfaces that
+ * cannot tolerate a 1ms stat() (e.g. inner REPL tick) the caller
+ * should queue via `setImmediate(() => emit(...))`.
+ */
+export function emit(input, ctx = {}) {
+    const env = ctx.env ?? process.env;
+    // The three opt-out hatches, cheapest first.
+    if (isEnvDisabled(env))
+        return { kind: 'disabled', reason: 'env' };
+    if (isKillSwitchArmed(env))
+        return { kind: 'disabled', reason: 'marker' };
+    const consent = currentConsent({ env });
+    if (consent === 'off')
+        return { kind: 'disabled', reason: 'consent' };
+    if (!cachedSessionId)
+        cachedSessionId = ctx.sessionId ?? newSessionId();
+    const sessionId = ctx.sessionId ?? cachedSessionId;
+    const event = buildEvent(input, consent, sessionId);
+    try {
+        spillEvent(event, { repoRoot: ctx.repoRoot });
+    }
+    catch {
+        // Spill failure is silent — the emitter is best-effort by contract.
+        // A broken spill is a degraded-but-functional CLI, not a failed one.
+    }
+    return { kind: 'enqueued' };
+}
+//# sourceMappingURL=emitter.js.map