@pugi/cli 0.1.0-beta.9 → 0.1.0-beta.91

package/dist/runtime/commands/report.js

@@ -0,0 +1,299 @@
+/**
+ * PAVF-7 — `pugi report --from-error` field-bug capture.
+ *
+ * Operator hit a CLI failure ("pugi explain: failed [auth_missing]...")
+ * and wants to file a clean report без manual log-grepping. This command:
+ *
+ *  1. Locates the most-recently-modified session under .pugi/sessions/
+ *     (the engine adapter mirrors EVERY dispatch's events to a fresh
+ *     session dir; the latest one is always the failure that just
+ *     surprised the operator).
+ *  2. Reads events.jsonl + extracts the terminal-state event +
+ *     the last 50 frames before it (enough context to triage; small
+ *     enough for a GH issue body or email paste).
+ *  3. Captures workspace metadata (CLI version, Node version, OS,
+ *     tenant id from credentials, current dir, .pugi/PUGI.md presence).
+ *  4. Strips secrets — auth tokens, env values, JWT signatures —
+ *     before the report ever touches disk OR network.
+ *  5. Writes the bundle к .pugi/reports/<ISO-timestamp>-<session-id>/
+ *     with both a machine-readable report.json and a human-readable
+ *     report.md the operator can paste into a GH issue / email.
+ *  6. Prints the path + the canonical share command the operator can
+ *     run when ready to upload (the upload endpoint is deferred to a
+ *     follow-up; v1 keeps everything LOCAL so an operator working
+ *     offline / behind a corporate firewall can still file a clean
+ *     report).
+ *
+ * Why not auto-upload in v1:
+ *  The CEO HARD rule `feedback_no_fake_dispatch_promises` says we do
+ *  not invent dispatch we cannot deliver. Without a live
+ *  /api/pugi/report endpoint, an auto-upload would either silently
+ *  no-op or claim shipped и lie. v1 emits the artifacts + a clear
+ *  "upload pending" status; v2 (separate PR) wires the endpoint и
+ *  flips the default к upload-on-success.
+ *
+ * Exit codes (match the existing PAVF-1 stage_code table):
+ *  0 = report written successfully
+ *  8 = no sessions found (operator ran in a workspace без .pugi/)
+ *  9 = session events.jsonl unreadable / corrupted
+ * 20 = output path not writable (disk full / perms)
+ *
+ * Secret-redaction posture: PII / tokens / env values are stripped at
+ * the report-generation layer, NOT at upload time. Even if the operator
+ * never uploads, the report dir on disk MUST NOT carry plaintext
+ * secrets — a colleague who later runs `cat .pugi/reports/.../report.md`
+ * over the shoulder sees the bug context but not the bearer token.
+ */
+import { existsSync, readdirSync, readFileSync, mkdirSync, statSync, writeFileSync } from 'node:fs';
+import { join, resolve as resolvePath } from 'node:path';
+import { homedir, platform, release } from 'node:os';
+import { PUGI_CLI_VERSION } from '../version.js';
+const MAX_TAIL_FRAMES = 50;
+const MAX_DETAIL_CHARS = 400;
+const TERMINAL_TYPES = new Set([
+    'agent.completed',
+    'agent.failed',
+    'agent.blocked',
+    'subagent.outcome',
+    'result',
+]);
+/**
+ * Bearer / JWT / env-secret patterns. We do NOT try to be exhaustive
+ * (cat-and-mouse with custom secret formats is unwinnable); we cover
+ * the shapes that actually appear in Pugi sessions:
+ *
+ *  - `Authorization: Bearer eyJ...` (JWT header.payload.signature)
+ *  - `apiKey: eyJ...` inside captured JSON envelopes
+ *  - any long base64-ish token (>= 20 chars, [A-Za-z0-9_-]) following
+ *    `token`, `password`, `secret`, or `key` field names
+ *
+ * Replacement is a length-preserving `[REDACTED:<n>]` marker so the
+ * operator can still verify the report at-a-glance ("yes, a 32-char
+ * token was here") без leaking the value.
+ */
+function redact(text) {
+    if (!text)
+        return text;
+    // Bearer + JWT shape.
+    text = text.replace(/(Bearer\s+)([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)/gi, (_m, prefix, tok) => `${prefix}[REDACTED:${tok.length}]`);
+    // Bare JWTs (no Bearer prefix) inside JSON / log lines.
+    text = text.replace(/\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g, (tok) => `[REDACTED:${tok.length}]`);
+    // `"token": "..."` / `"apiKey": "..."` / `"password": "..."` shapes.
+    text = text.replace(/("(?:apiKey|api_key|token|access_token|refresh_token|password|secret|bearer)"\s*:\s*")([^"]{10,})(")/gi, (_m, before, val, after) => `${before}[REDACTED:${val.length}]${after}`);
+    // Bare env-style KEY=VALUE на длинных значениях.
+    text = text.replace(/\b((?:PUGI_API_KEY|GITHUB_TOKEN|NPM_TOKEN|ANVIL_API_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY|GEMINI_API_KEY)=)([^\s"']{10,})/g, (_m, prefix, val) => `${prefix}[REDACTED:${val.length}]`);
+    return text;
+}
+function clampDetail(value) {
+    if (typeof value !== 'string')
+        return undefined;
+    const redacted = redact(value);
+    return redacted.length > MAX_DETAIL_CHARS
+        ? `${redacted.slice(0, MAX_DETAIL_CHARS)}…`
+        : redacted;
+}
+function findLatestSession(cwd) {
+    const dir = resolvePath(cwd, '.pugi/sessions');
+    if (!existsSync(dir))
+        return null;
+    const entries = readdirSync(dir, { withFileTypes: true })
+        .filter((e) => e.isDirectory())
+        .map((e) => {
+        const path = join(dir, e.name);
+        let mtime = 0;
+        try {
+            mtime = statSync(join(path, 'events.jsonl')).mtimeMs;
+        }
+        catch {
+            // Session dir without events.jsonl yet — never opened. Skip.
+            return null;
+        }
+        return { name: e.name, path, mtime };
+    })
+        .filter((x) => x !== null)
+        .sort((a, b) => b.mtime - a.mtime);
+    return entries[0]?.path ?? null;
+}
+function readTenantIdSafely() {
+    const credPath = resolvePath(homedir(), '.pugi/credentials.json');
+    if (!existsSync(credPath))
+        return undefined;
+    try {
+        const raw = JSON.parse(readFileSync(credPath, 'utf8'));
+        const first = raw.tokens?.[0]?.apiKey;
+        if (!first || typeof first !== 'string')
+            return undefined;
+        // JWT payload is the middle segment; base64-decode + parse for the
+        // `customerId` claim. Failure here returns undefined (the report
+        // still emits useful context without it).
+        const parts = first.split('.');
+        if (parts.length !== 3)
+            return undefined;
+        const payload = JSON.parse(Buffer.from(parts[1] ?? '', 'base64').toString('utf8'));
+        return typeof payload.customerId === 'string' ? payload.customerId : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function captureFrames(eventsPath) {
+    const lines = readFileSync(eventsPath, 'utf8')
+        .split('\n')
+        .filter((l) => l.trim().length > 0);
+    const parsed = lines
+        .map((line) => {
+        try {
+            return JSON.parse(line);
+        }
+        catch {
+            return null;
+        }
+    })
+        .filter((f) => f !== null);
+    // Keep the LAST MAX_TAIL_FRAMES frames — failures cluster at the
+    // end, and the tail is where the operator's context actually lives.
+    const tail = parsed.slice(-MAX_TAIL_FRAMES);
+    return tail.map((f) => {
+        const out = {
+            type: typeof f.type === 'string' ? f.type : 'unknown',
+        };
+        if (typeof f.taskId === 'string')
+            out.taskId = f.taskId;
+        if (typeof f.timestamp === 'string')
+            out.timestamp = f.timestamp;
+        if (typeof f.outcome === 'string')
+            out.outcome = f.outcome;
+        // Keep detail / error ONLY on terminal frames (full reply text on
+        // every agent.message would blow the report past the GH issue cap).
+        if (TERMINAL_TYPES.has(out.type)) {
+            const detail = clampDetail(f.detail) ?? clampDetail(f.error);
+            if (detail)
+                out.detail = detail;
+            if (typeof f.error === 'string')
+                out.error = clampDetail(f.error);
+        }
+        return out;
+    });
+}
+export function runReport(args, ctx) {
+    const fromError = args.includes('--from-error');
+    if (!fromError) {
+        ctx.writeOutput({
+            command: 'report',
+            status: 'no_sessions',
+            message: 'pugi report — capture a bug report from the most-recent session.\n\n' +
+                'Usage:\n' +
+                ' pugi report --from-error          Bundle the most-recent failed session as a report.\n\n' +
+                'Output: writes .pugi/reports/<timestamp>-<session-id>/{report.json, report.md}.\n' +
+                'Secrets (bearer tokens, JWTs, named env values) are stripped before disk write.',
+        }, 'pugi report — see `pugi report --help`');
+        return 0;
+    }
+    const sessionPath = findLatestSession(ctx.cwd);
+    if (!sessionPath) {
+        ctx.writeOutput({
+            command: 'report',
+            status: 'no_sessions',
+            message: 'No sessions found under .pugi/sessions/. Run a `pugi` command first.',
+        }, 'pugi report: no sessions found under .pugi/sessions/ — run a `pugi` command first.');
+        return 8;
+    }
+    const eventsPath = join(sessionPath, 'events.jsonl');
+    let frames;
+    try {
+        frames = captureFrames(eventsPath);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        ctx.writeOutput({
+            command: 'report',
+            status: 'unreadable',
+            message: `Failed to read ${eventsPath}: ${message}`,
+        }, `pugi report: cannot read session events (${message})`);
+        return 9;
+    }
+    const sessionId = sessionPath.split('/').pop() ?? 'unknown';
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const reportDir = resolvePath(ctx.cwd, '.pugi/reports', `${timestamp}-${sessionId}`);
+    let reportJson;
+    let reportMd;
+    try {
+        mkdirSync(reportDir, { recursive: true });
+        reportJson = join(reportDir, 'report.json');
+        reportMd = join(reportDir, 'report.md');
+        const meta = {
+            schema: 1,
+            generatedAt: new Date().toISOString(),
+            cliVersion: PUGI_CLI_VERSION,
+            nodeVersion: process.version,
+            os: `${platform()} ${release()}`,
+            cwd: ctx.cwd,
+            sessionId,
+            tenantId: readTenantIdSafely() ?? '(not resolvable)',
+            pugiMd: existsSync(resolvePath(ctx.cwd, '.pugi/PUGI.md')),
+            frames,
+        };
+        writeFileSync(reportJson, JSON.stringify(meta, null, 2), 'utf8');
+        const mdLines = [
+            `# Pugi bug report — ${sessionId}`,
+            '',
+            `Generated: \`${meta.generatedAt}\``,
+            `CLI version: \`${meta.cliVersion}\``,
+            `Node: \`${meta.nodeVersion}\` · OS: \`${meta.os}\``,
+            `Workspace: \`${meta.cwd}\` (PUGI.md present: ${meta.pugiMd ? 'yes' : 'no'})`,
+            `Tenant: \`${meta.tenantId}\``,
+            '',
+            `## Last ${frames.length} frames`,
+            '',
+            '```jsonl',
+            ...frames.map((f) => JSON.stringify(f)),
+            '```',
+            '',
+            '## How to share',
+            '',
+            '1. Review `report.md` for accidental PII or sensitive paths.',
+            '2. Paste the contents into a GH issue at https://github.com/pugi-io/pugi/issues',
+            '  OR attach the `report.json` as a file.',
+            '',
+            'Auto-upload to api.pugi.io is planned (`pugi report --upload`) but',
+            'NOT shipped in this build — v1 keeps everything local so an operator',
+            'behind a firewall can still file a clean report.',
+        ];
+        writeFileSync(reportMd, mdLines.join('\n'), 'utf8');
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        ctx.writeOutput({
+            command: 'report',
+            status: 'output_not_writable',
+            message: `Failed to write report bundle to ${reportDir}: ${message}`,
+        }, `pugi report: cannot write report dir (${message})`);
+        return 20;
+    }
+    ctx.writeOutput({
+        command: 'report',
+        status: 'written',
+        reportDir,
+        reportJson,
+        reportMd,
+        sessionId,
+        message: `Report written: ${reportDir}`,
+    }, [
+        `pugi report: bundle written`,
+        ` Session: ${sessionId}`,
+        ` Frames captured: ${frames.length}`,
+        ` Files:`,
+        `   ${reportJson}`,
+        `   ${reportMd}`,
+        ``,
+        `Review report.md for accidental PII, then paste into a GH issue OR`,
+        `attach report.json. Auto-upload is planned for a follow-up build.`,
+    ].join('\n'));
+    return 0;
+}
+// Test seam — the redactor is the most-tested piece (false negatives
+// leak secrets; false positives garble bug context). Exported so
+// apps/pugi-cli/test/report.spec.ts can assert the regex behaviour
+// без spinning up a full session.
+export const __INTERNAL_FOR_TESTS = { redact, clampDetail };
+//# sourceMappingURL=report.js.map

package/dist/runtime/commands/resume.js

@@ -0,0 +1,118 @@
+/**
+ * `/resume` runtime — .
+ *
+ * Light runner that augments the existing `pugi resume` surface in
+ * `runtime/cli.ts` with rewind-aware session listings. The full
+ * REPL-mount path stays in cli.ts (it owns the credential resolver +
+ * Ink renderer); this module exposes the data-access helpers the slash
+ * dispatcher + the cli.ts handler share.
+ *
+ * Why a separate runner rather than inlining inside cli.ts: the in-REPL
+ * `/resume` slash already holds the writer lock, so it cannot use the
+ * read-only view path the top-level command relies on. The split lets
+ * the slash code call `listResumableSessionsForRepl` (which routes
+ * through the live store) while the shell code calls
+ * `listResumableSessionsReadOnly` (which uses the no-lock view).
+ */
+import { homedir } from 'node:os';
+import { slugForCwd } from '../../core/repl/history.js';
+import { applyAllMasks, listResumableSessions, } from '../../core/checkpoint/resumer.js';
+import { findLatestActiveRewind } from '../../core/checkpoint/rewinder.js';
+/**
+ * Read-only `pugi resume --list` path. Uses the no-lock view so a live
+ * REPL writing in the same project does not block the listing.
+ */
+export async function runResumeList(ctx) {
+    const slug = slugForCwd(ctx.workspaceRoot);
+    const baseInput = {
+        projectSlug: slug,
+        limit: ctx.limit ?? 10,
+        home: ctx.home ?? homedir(),
+    };
+    const sessions = await listResumableSessions(baseInput);
+    const rows = sessions.map(toResumeListRow);
+    const text = renderResumeList(rows, slug);
+    ctx.writeOutput({
+        command: 'resume',
+        status: rows.length === 0 ? 'empty' : 'listed',
+        projectSlug: slug,
+        sessions: rows,
+    }, text);
+    return {
+        command: 'resume',
+        status: rows.length === 0 ? 'empty' : 'listed',
+        projectSlug: slug,
+        sessions: rows,
+    };
+}
+/**
+ * In-REPL `/resume` slash variant. The live REPL holds the writer
+ * lockfile so we cannot reuse the read-only view path; this routes
+ * through the store the session module already opened. Returns the
+ * sessions list directly so the slash handler can render system lines.
+ */
+export async function runResumeListForRepl(input) {
+    const slug = slugForCwd(input.workspaceRoot);
+    const limit = input.limit ?? 10;
+    const sessionRows = await input.store.listSessions({
+        project: slug,
+        limit,
+        status: 'active+archived',
+    });
+    const out = [];
+    for (const row of sessionRows) {
+        const events = await input.store.loadEvents(row.id);
+        const visible = applyAllMasks(events);
+        const latest = findLatestActiveRewind(events);
+        out.push({
+            id: row.id,
+            title: row.title,
+            branch: row.branch,
+            turnCount: row.turnCount,
+            eventCount: row.eventCount,
+            visibleEventCount: visible.length,
+            hasActiveRewind: latest !== null,
+            updatedAt: row.updatedAt,
+        });
+    }
+    return out;
+}
+function toResumeListRow(input) {
+    return {
+        id: input.row.id,
+        title: input.row.title,
+        branch: input.row.branch,
+        turnCount: input.row.turnCount,
+        eventCount: input.row.eventCount,
+        visibleEventCount: input.visibleEventCount,
+        hasActiveRewind: input.hasActiveRewind,
+        updatedAt: input.row.updatedAt,
+    };
+}
+/**
+ * Pretty-print a resume list. Adds a small "rewound" tag when the
+ * session carries an unfinished rewind so the operator knows the
+ * transcript will load with a masked range.
+ */
+export function renderResumeList(rows, projectSlug) {
+    if (rows.length === 0) {
+        return `No stored sessions for project '${projectSlug}' yet.`;
+    }
+    const lines = [
+        `Recent local sessions for '${projectSlug}' (${rows.length}):`,
+        '',
+    ];
+    for (let i = 0; i < rows.length; i += 1) {
+        const row = rows[i];
+        const title = (row.title ?? '(untitled)').slice(0, 64);
+        const idShort = row.id.slice(0, 13);
+        const branch = (row.branch ?? 'no-branch').padEnd(16);
+        const turns = `${row.turnCount}t`.padStart(4);
+        const events = `${row.visibleEventCount}e`.padStart(5);
+        const tag = row.hasActiveRewind ? ' [rewound]' : '';
+        lines.push(` ${idShort} ${branch} ${turns} ${events}${tag} ${title}`);
+    }
+    lines.push('', 'Resume with: pugi resume <id>');
+    return lines.join('\n');
+}
+//# sourceMappingURL=resume.js.map

package/dist/runtime/commands/review-consensus.js

@@ -1,7 +1,7 @@
 /**
- * `pugi review --consensus` — customer-facing triple-review (α6.7).
+ * `pugi review --consensus` — customer-facing triple-review .
  *
- * The differentiator: Claude Code ships single-Claude review, Codex CLI
+ * The differentiator: the upstream tool ships single-Claude review, peer CLI
  * ships single-GPT review, Gemini CLI ships single-Gemini review. Pugi
  * ships a 3-model consensus gate as a first-class command so customers
  * get the same production-readiness signal we use internally - without the
@@ -9,23 +9,23 @@
  *
  * Flow:
  *
- *   1. Resolve diff source from flags (`--commit` / `--pr` / `--branch`
- *      OR default to merge-base vs `origin/main`).
- *   2. POST diff to Anvil's `POST /api/pugi/review-consensus`. Anvil
- *      fans out to 3 reviewer routes server-side and streams an SSE.
- *   3. Render per-reviewer state inline as the SSE stream emits events.
- *   4. After the stream closes, recompute the rubric locally (never
- *      trust the server's verdict - see anvil-fanout.ts) and print:
- *        - per-reviewer summary
- *        - rubric verdict + reasoning
- *        - recommended next action
- *   5. Exit with 0 PASS / 1 WARN / 2 BLOCK.
+ *  1. Resolve diff source from flags (`--commit` / `--pr` / `--branch`
+ *     OR default to merge-base vs `origin/main`).
+ *  2. POST diff to Anvil's `POST /api/pugi/review-consensus`. Anvil
+ *     fans out to 3 reviewer routes server-side and streams an SSE.
+ *  3. Render per-reviewer state inline as the SSE stream emits events.
+ *  4. After the stream closes, recompute the rubric locally (never
+ *     trust the server's verdict - see anvil-fanout.ts) and print:
+ *       - per-reviewer summary
+ *       - rubric verdict + reasoning
+ *       - recommended next action
+ *  5. Exit with 0 PASS / 1 WARN / 2 BLOCK.
  *
- * Backend status: at α6.7 ship the admin-api endpoint is not yet
+ * Backend status: at ship the admin-api endpoint is not yet
  * deployed. The handler degrades gracefully — on `endpoint_missing`
  * the CLI prints an actionable "backend not deployed yet" notice and
  * exits 0 (the gate didn't run, but failing CI would be wrong because
- * the operator did nothing wrong). The α6.7.1 sprint lands the server.
+ * the operator did nothing wrong). The sprint lands the server.
  */
 import { captureDiff } from '../../core/consensus/diff-capture.js';
 import { dispatchConsensus, } from '../../core/consensus/anvil-fanout.js';
@@ -35,13 +35,28 @@ import { aggregate, exitCodeFor, reviewerVerdictFromRaw, } from '../../core/cons
  * arg list excludes the dispatcher's leading `review` keyword.
  *
  * Accepted forms:
- *   `--commit <sha>` / `--commit=<sha>`
- *   `--pr <number>` / `--pr=<number>`
- *   `--branch <name>` / `--branch=<name>`
- *   `--base <ref>` / `--base=<ref>`   (override default origin/main)
+ *  `--commit <sha>` / `--commit=<sha>`
+ *  `--pr <number>` / `--pr=<number>`
+ *  `--branch <name>` / `--branch=<name>`
+ *  `--base <ref>` / `--base=<ref>`  (override default origin/main)
  */
-export function parseConsensusArgs(args) {
+export function parseConsensusArgs(args, 
+/**
+ * (Codex r0 P1 on PR): cli.ts now parses --commit /
+ * --base in the GLOBAL flag pass for the new triple-provider path.
+ * Those tokens are consumed BEFORE this function sees `args`, so
+ * `pugi review --consensus --commit X` would silently fall back to
+ * the default diff and review the wrong changes. Pass the global
+ * flags through here so consensus picks them up when present.
+ * Inline `--commit`/`--base` tokens in args still win — explicit
+ * caller intent is preserved.
+ */
+fallback) {
     const spec = {};
+    if (fallback?.commit)
+        spec.commit = fallback.commit;
+    if (fallback?.base)
+        spec.baseRef = fallback.base;
     for (let i = 0; i < args.length; i += 1) {
         const arg = args[i] ?? '';
         const equalsIdx = arg.indexOf('=');
@@ -91,12 +106,12 @@ export function parseConsensusArgs(args) {
  *
  * Exit code contract (matches `handleFanoutFailure` + `exitCodeFor`):
  *
- *   0 = endpoint_missing (graceful degrade, consensus disabled on tier)
- *   0 = PASS (rubric clean) OR empty diff (nothing to review)
- *   1 = WARN (rubric: one reviewer P1, informational)
- *   2 = BLOCK (rubric: P0 or consensus P1) / failed / capture_failed
- *   5 = auth_missing (no credentials) / unauthenticated (token rejected)
- *   7 = rate_limited (quota exhausted, retry after backoff)
+ *  0 = endpoint_missing (graceful degrade, consensus disabled on tier)
+ *  0 = PASS (rubric clean) OR empty diff (nothing to review)
+ *  1 = WARN (rubric: one reviewer P1, informational)
+ *  2 = BLOCK (rubric: P0 or consensus P1) / failed / capture_failed
+ *  5 = auth_missing (no credentials) / unauthenticated (token rejected)
+ *  7 = rate_limited (quota exhausted, retry after backoff)
  *
  * Aligned with the legacy `describeSubmitFailure` in cli.ts so shell
  * scripts can branch on identical codes across both review surfaces.
@@ -119,7 +134,7 @@ export async function runReviewConsensus(args, ctx) {
     // exit 2 — same as BLOCK because the gate could not even run.
     let captured;
     try {
-        const spec = parseConsensusArgs(args);
+        const spec = parseConsensusArgs(args, ctx.flagsFallback);
         captured = captureDiff({ ...spec, cwd: ctx.cwd });
     }
     catch (error) {
@@ -183,7 +198,7 @@ export async function runReviewConsensus(args, ctx) {
     }
     ctx.emit('\n────────────────────────────────────────\n');
     ctx.emit(`Rubric: ${result.verdict}\n`);
-    ctx.emit(`  ${result.reasoning}\n`);
+    ctx.emit(` ${result.reasoning}\n`);
     ctx.emit('\n');
     ctx.emit(`Recommended action: ${recommendedAction(result)}\n`);
     ctx.writeOutput({
@@ -239,12 +254,12 @@ function handleFanoutFailure(result, ctx) {
         ctx.emit(`${message}\n`);
         ctx.writeOutput({ command: 'review-consensus', status: 'rate_limited', message }, message);
         // Exit code contract (kept in sync with `runReviewConsensus`):
-        //   0 = endpoint_missing (graceful degrade, consensus disabled on tier)
-        //   0 = PASS / empty diff
-        //   1 = WARN (informational, single asymmetric P1)
-        //   2 = BLOCK / failed / capture_failed (real findings or unrecoverable)
-        //   5 = auth_missing / unauthenticated (token rejected by Anvil)
-        //   7 = rate_limited (quota exhausted, retry with backoff)
+        //  0 = endpoint_missing (graceful degrade, consensus disabled on tier)
+        //  0 = PASS / empty diff
+        //  1 = WARN (informational, single asymmetric P1)
+        //  2 = BLOCK / failed / capture_failed (real findings or unrecoverable)
+        //  5 = auth_missing / unauthenticated (token rejected by Anvil)
+        //  7 = rate_limited (quota exhausted, retry with backoff)
         //
         // Aligned with the legacy `describeSubmitFailure` in cli.ts so a
         // shell script branching on exit code behaves identically across
@@ -264,15 +279,15 @@ function handleFanoutFailure(result, ctx) {
  *
  * Precedence (verdict wins over error):
  *
- *   started -> verdict       => verdict (rubric processes findings)
- *   started -> error         => error   (errored=true, no signal)
- *   started -> verdict -> error => verdict (terminal verdict wins; the
- *     trailing error is a stale retry/transport artifact and must NOT
- *     silently downgrade a real P0 BLOCK to "all errored")
- *   started -> error -> verdict => verdict (verdict still wins)
- *   started (no terminal)    => errored placeholder so the reviewer
- *                               appears in the output instead of being
- *                               silently dropped
+ *  started -> verdict      => verdict (rubric processes findings)
+ *  started -> error        => error  (errored=true, no signal)
+ *  started -> verdict -> error => verdict (terminal verdict wins; the
+ *    trailing error is a stale retry/transport artifact and must NOT
+ *    silently downgrade a real P0 BLOCK to "all errored")
+ *  started -> error -> verdict => verdict (verdict still wins)
+ *  started (no terminal)   => errored placeholder so the reviewer
+ *                              appears in the output instead of being
+ *                              silently dropped
  *
  * The verdict-wins-over-error rule is the fix for a real BLOCK
  * downgrade: Anvil's SSE emitter can send a verdict frame followed by
@@ -335,32 +350,32 @@ function collapseVerdicts(events) {
 function formatReviewerEventLine(event) {
     const name = event.reviewer.padEnd(9);
     if (event.type === 'started') {
-        return `  ${name} reviewing…\n`;
+        return ` ${name} reviewing…\n`;
     }
     if (event.type === 'error') {
         const why = event.error ?? 'unknown';
-        const ms = event.latencyMs ? `  ${event.latencyMs}ms` : '';
-        return `  ${name} ERROR: ${why}${ms}\n`;
+        const ms = event.latencyMs ? ` ${event.latencyMs}ms` : '';
+        return ` ${name} ERROR: ${why}${ms}\n`;
     }
     const severity = event.severity ?? 'CLEAN';
-    const ms = event.latencyMs ? `  ${event.latencyMs}ms` : '';
-    return `  ${name} ${severity}${ms}\n`;
+    const ms = event.latencyMs ? ` ${event.latencyMs}ms` : '';
+    return ` ${name} ${severity}${ms}\n`;
 }
 function formatReviewerSummaryLine(verdict) {
     const name = verdict.reviewer.padEnd(9);
     if (verdict.errored) {
-        return `  ${name} ERROR (no signal)\n`;
+        return ` ${name} ERROR (no signal)\n`;
     }
     if (verdict.findings.length === 0) {
-        return `  ${name} CLEAN\n`;
+        return ` ${name} CLEAN\n`;
     }
     // Group counts: shows operator the severity breakdown in one line.
     const counts = countSeverities(verdict);
     const summary = formatCounts(counts);
     const top = verdict.findings.slice(0, 3);
-    const tail = verdict.findings.length > 3 ? `\n              … ${verdict.findings.length - 3} more` : '';
-    const findings = top.map((f) => `\n              - [${f.severity}] ${f.summary}`).join('');
-    return `  ${name} ${summary}${findings}${tail}\n`;
+    const tail = verdict.findings.length > 3 ? `\n             … ${verdict.findings.length - 3} more` : '';
+    const findings = top.map((f) => `\n             - [${f.severity}] ${f.summary}`).join('');
+    return ` ${name} ${summary}${findings}${tail}\n`;
 }
 function countSeverities(verdict) {
     const counts = { P0: 0, P1: 0, P2: 0, P3: 0 };