@pugi/cli 0.1.0-beta.9 → 0.1.0-beta.91

package/dist/core/subagents/dispatcher-real.js

@@ -0,0 +1,600 @@
+/**
+ * Real subagent execution (β2 S1 —).
+ *
+ * Replaces the M1 stub in `dispatcher.ts` with a genuine Anvil-backed
+ * child engine loop. Given a SubagentTask + an EngineLoopClient, this
+ * module:
+ *
+ *  1. Resolves the role's persona + isolation tier (delegated to
+ *     `dispatcher.ts` so the policy lives in one file).
+ *  2. Optionally provisions a scratch worktree when the role's
+ *     isolation tier requires write isolation (β2 S5 wiring point).
+ *  3. Builds a per-child tools schema gated by the isolation matrix
+ *     (`isolation-matrix.ts::allowedToolsForRole`) so the child loop
+ *     cannot see tools its role is forbidden to use.
+ *  4. Runs `runEngineLoop` with the role-specific persona, budget,
+ *     and tools against the supplied EngineLoopClient (each child
+ *     gets its OWN logical Anvil session — same wire transport, but
+ *     a fresh transcript so the child cannot read parent context the
+ *     operator did not authorise).
+ *  5. Streams `subagent.tool_call` events back through the parent's
+ *     session journal as each child tool call fires (β2 S7 cross-
+ *     agent state surface).
+ *  6. Aggregates `filesChanged` + `toolCallCount` + token totals from
+ *     the child loop and returns them in the SubagentResult.
+ *
+ * What this module deliberately does NOT do:
+ *
+ *  - Promote the child's worktree back to the parent's main tree.
+ *    `pugi worktree promote` is operator-driven so the operator can
+ *    review the diff before it lands; the dispatcher only creates
+ *    the scratch worktree, runs the child in it, and leaves the
+ *    handle attached to the SubagentResult.filesChanged for the
+ *    caller to act on.
+ *
+ *  - Drop the worktree on failure. Same reasoning: the operator
+ *    should be able to inspect what the child did before the scratch
+ *    dir disappears. Cleanup happens via `pugi worktree drop` or via
+ *    the explicit `cleanup` callback returned on the worktree handle.
+ *
+ *  - Run grand-children. The capability matrix (S4) blocks the
+ *    `agent` tool for every role except orchestrator, so a coder/
+ *    reviewer/verifier cannot spawn a child of its own. Bounded
+ *    spawn depth = 1, which keeps the budget rollup tractable.
+ *
+ * Cross-reference: docs/research/2026-05-26-pugi-cli-consolidated-sprint-plan.md
+ * §β2 S1 + S7.
+ */
+import { randomUUID } from 'node:crypto';
+import { relative as relativePath } from 'node:path';
+import { runEngineLoop, } from '@pugi/sdk';
+import { resolveBudget } from '../engine/budgets.js';
+import { buildExecutor, buildToolsSchema, } from '../engine/tool-bridge.js';
+import { systemPromptFor } from '../engine/prompts.js';
+import { getPersonaForRole } from '../agents/registry.js';
+import { FileReadCache } from '../file-cache.js';
+import { loadSettings } from '../settings.js';
+import { openSession } from '../session.js';
+import { createWorktree, } from '../edits/worktree.js';
+import { classifyBash } from '../bash-classifier.js';
+import { allowedToolsForRole, bashIsReadOnlyForRole, capabilitiesForRole, } from './isolation-matrix.js';
+import { budgetForRole, isolationForRole, } from './dispatcher.js';
+/**
+ * Drive a real subagent dispatch. Returns the typed SubagentResult plus
+ * the optional WorktreeHandle (when isolation === 'worktree') so the
+ * caller can wire `pugi worktree promote/drop` follow-ups.
+ *
+ * Throws when the engine loop crashes uncaught — the caller should
+ * translate that into `recordSubagentFailed` on the parent session.
+ */
+export async function runRealDispatch(task, ctx) {
+    const persona = getPersonaForRole(task.role);
+    const isolation = isolationForRole(task.role);
+    const budget = budgetForRole(task.role, task.budget);
+    const capabilities = capabilitiesForRole(task.role);
+    const now = ctx.now ?? defaultNow;
+    const startedAt = Date.now();
+    // ---------------------------------------------------------------- //
+    // 1. Provision child workspace + session                          //
+    // ---------------------------------------------------------------- //
+    // The child's filesystem root depends on the isolation tier:
+    //
+    //  - prompt_only / shared_fs_readonly / shared_fs_serialized →
+    //    reuse the parent's workspaceRoot. Read isolation is enforced
+    //    by the capability matrix (no `write` cap → no write tool in
+    //    the schema). Serialized writes are gated by the file-tools
+    //    layer's existing in-process lock (per-process serialization
+    //    is enough at M1 because only one child runs per parent).
+    //
+    //  - worktree → spawn `.pugi/worktrees/<uuid>` via createWorktree
+    //    and pin the child's workspaceRoot there. The parent's tree is
+    //    untouched; promote/drop is operator-driven afterwards.
+    let childRoot = ctx.workspaceRoot;
+    let worktreeHandle;
+    // β2a r1 (Codex P1): the original gate required
+    // `isolationForRole()` to return `'worktree'` before honoring
+    // `ctx.useWorktreeIsolation`. But the role→isolation matrix never
+    // returns `'worktree'` for any writer (coders land at
+    // `shared_fs_serialized`), so the agentTool's explicit
+    // `useWorktreeIsolation: true` request was silently dropped and the
+    // coder mutated the parent checkout directly. Fix: treat an explicit
+    // `true` as an INDEPENDENT trigger so callers (agentTool with
+    // `isolation: 'worktree'`) actually get a scratch worktree.
+    //
+    // The three states map to:
+    //  - true  → force worktree regardless of role tier (explicit opt-in)
+    //  - false → skip worktree even if role tier would require it (spec
+    //             escape hatch + caller opt-out)
+    //  - undefined → honor role tier default (`'worktree'` → create)
+    const useWorktree = ctx.useWorktreeIsolation === true
+        ? true
+        : ctx.useWorktreeIsolation === false
+            ? false
+            : isolation === 'worktree';
+    // β2a r2 (Codex P2): compute the EFFECTIVE isolation tier
+    // for audit metadata. The role-default `isolation` value is the
+    // declarative tier from `isolationForRole()`, but when
+    // `ctx.useWorktreeIsolation === true` forces a scratch worktree for a
+    // role whose default is `shared_fs_serialized` (coder/release/devops/
+    // design_qa), the actual workspace boundary is `worktree`. Emitting
+    // the stale role-default in the `subagent.spawned` event was
+    // misleading audit consumers (SSE / cabinet UI) into thinking the
+    // child mutated the parent tree when it actually mutated a scratch
+    // worktree — and vice versa when `false` overrode a `worktree`-tier
+    // role into shared_fs. The `isolation` field on the lifecycle event
+    // now reflects the ACTUAL workspace decision.
+    const isolationEffective = useWorktree
+        ? 'worktree'
+        : isolation;
+    if (useWorktree) {
+        const wt = createWorktree({ cwd: ctx.workspaceRoot });
+        if (!wt.ok) {
+            // Translate worktree failure to a clean blocked result instead
+            // of throwing — the caller can surface it as
+            // subagent.blocked / tool_unavailable. The dispatcher.ts wrapper
+            // does the emission so the audit log lines up with other
+            // blocked dispatches.
+            //
+            // β2a r2 (Codex P2): isolation here falls back to the role
+            // default because the worktree failed to provision — the child
+            // never landed on a `worktree` boundary, so reporting the
+            // effective tier would lie. Use the declarative role default.
+            ctx.appendEvent({
+                id: randomUUID(),
+                sessionId: ctx.sessionId,
+                timestamp: now(),
+                type: 'subagent.spawned',
+                taskId: task.id,
+                role: task.role,
+                personaSlug: persona.slug,
+                parentSessionId: ctx.sessionId,
+                isolation,
+            });
+            const blockedResult = {
+                taskId: task.id,
+                role: task.role,
+                personaSlug: persona.slug,
+                status: 'blocked',
+                summary: `worktree provisioning failed: ${wt.reason}: ${wt.detail}`,
+                filesChanged: [],
+                toolCallCount: 0,
+                tokensIn: 0,
+                tokensOut: 0,
+                durationMs: Date.now() - startedAt,
+            };
+            ctx.appendEvent({
+                id: randomUUID(),
+                sessionId: ctx.sessionId,
+                timestamp: now(),
+                type: 'subagent.blocked',
+                taskId: task.id,
+                role: task.role,
+                personaSlug: persona.slug,
+                reason: 'tool_unavailable',
+                detail: `worktree provisioning failed (${wt.reason}): ${wt.detail}`,
+            });
+            return { result: blockedResult };
+        }
+        childRoot = wt.value.path;
+        worktreeHandle = wt.value;
+    }
+    const childSession = ctx.childSession ?? openSession(childRoot);
+    const settings = loadSettings(childRoot);
+    // ---------------------------------------------------------------- //
+    // 2. Emit subagent.spawned                                        //
+    // ---------------------------------------------------------------- //
+    // β2a r2 (Codex P2): use the EFFECTIVE isolation tier so
+    // audit consumers see the actual workspace boundary (`worktree` when
+    // `ctx.useWorktreeIsolation === true` forced a scratch worktree for
+    // a role whose default was `shared_fs_serialized`). The stale
+    // role-default emission was a P2 misdirection — operators watching
+    // `pugi sessions stream` saw `shared_fs_serialized` while the child
+    // was actually mutating `.pugi/worktrees/<uuid>/`.
+    ctx.appendEvent({
+        id: randomUUID(),
+        sessionId: ctx.sessionId,
+        timestamp: now(),
+        type: 'subagent.spawned',
+        taskId: task.id,
+        role: task.role,
+        personaSlug: persona.slug,
+        parentSessionId: ctx.sessionId,
+        isolation: isolationEffective,
+    });
+    // ---------------------------------------------------------------- //
+    // 3. Build per-child tools schema + executor                      //
+    // ---------------------------------------------------------------- //
+    // The schema is filtered by the capability matrix (S4). We start
+    // from buildToolsSchema's default set and intersect with
+    // `allowedToolsForRole`. The executor enforces the same set as a
+    // defense-in-depth gate — even if a model hallucinates an unknown
+    // tool name (or a future schema bug accidentally advertises one),
+    // the executor rejects it before any file-tools layer sees it.
+    const commandKind = ctx.commandKind ?? commandKindForRole(task.role);
+    const allowedTools = allowedToolsForRole(task.role);
+    // β2a r1 (Backend Architect P1): the executor's
+    // `allowFetch` flag previously only checked the workspace settings
+    // (`web.fetch.enabled`). For roles whose capability set DOES NOT
+    // include `web_fetch` (every non-orchestrator role today) the
+    // schema filter would strip the tool advertisement, but a model
+    // that fabricated a `web_fetch` call would still hit the executor
+    // with `allowFetch: true` and the call would succeed. Fix: AND the
+    // role-capability gate into the flag so a fabricated call also
+    // gets refused by the capability gate above; the AND below is the
+    // executor-level belt-and-braces.
+    const allowFetchForChild = allowedTools.has('web_fetch') && settings.web?.fetch?.enabled === true;
+    const schemaOpts = {
+        allowFetch: allowFetchForChild,
+    };
+    const fullSchema = buildToolsSchema(commandKind, schemaOpts);
+    const filteredSchema = fullSchema.filter((tool) => allowedTools.has(tool.name));
+    const toolCtx = {
+        root: childRoot,
+        settings,
+        session: childSession,
+        readCache: new FileReadCache(),
+    };
+    const rawExecutor = buildExecutor({
+        kind: commandKind,
+        ctx: toolCtx,
+        sessionId: childSession.id,
+        workspaceRoot: childRoot,
+        interactive: false,
+        allowFetch: allowFetchForChild,
+    });
+    // β2a r1 (Codex P1): roles in the bash_read_only tier
+    // (verifier today) need an EXTRA pre-flight on every `bash` call so
+    // a write-class command (echo into a file, sed -i, rm) is refused
+    // before bashToolSync's permission layer sees it. The bash tool
+    // defaults to permission mode `auto`, which permits write_workspace
+    // class commands; without this gate the no-edit contract is purely
+    // honor-system. Read + build_test are still allowed so test
+    // commands work; everything else surfaces a CAPABILITY_REFUSED
+    // sentinel back to the model so it can adapt.
+    const bashReadOnly = bashIsReadOnlyForRole(task.role);
+    const BASH_READ_ONLY_ALLOWED = new Set(['read', 'build_test']);
+    // ---------------------------------------------------------------- //
+    // 4. Wrap executor with the isolation-matrix refusal gate +       //
+    //   cross-agent event stream (S4 + S7)                           //
+    // ---------------------------------------------------------------- //
+    // Every tool call the child makes is:
+    //  (a) rejected if the role lacks the capability (defense in depth);
+    //  (b) emitted as a subagent.tool_call event into the parent
+    //      journal so `pugi sessions stream <id>` surfaces it inline;
+    //  (c) classified for the filesChanged summary.
+    const filesChanged = new Set();
+    let childToolCallCount = 0;
+    const gatedExecutor = async (input) => {
+        if (!allowedTools.has(input.name)) {
+            // Note: this is in addition to the schema filter — a model that
+            // fabricates a tool call for a name we deliberately did NOT
+            // advertise still gets rejected here. The error string is read
+            // by runEngineLoop and fed back into the next turn's tool frame.
+            throw new Error(`CAPABILITY_REFUSED: role '${task.role}' is not allowed to call '${input.name}' (${capabilities.rationale})`);
+        }
+        // β2a r1 (Codex P1): bash read-only gate for roles
+        // whose capability set is `bash_read_only` (verifier). Pre-classify
+        // the command and refuse anything outside read/build_test BEFORE
+        // the tool runs — the underlying bashToolSync's permission layer
+        // would otherwise wave write_workspace through under the default
+        // `auto` mode.
+        if (input.name === 'bash' && bashReadOnly) {
+            const cmd = extractBashCommand(input.arguments);
+            if (cmd !== null) {
+                const classification = classifyBash(cmd, {
+                    workspaceRoot: childRoot,
+                    additionalDirectories: [],
+                });
+                if (!BASH_READ_ONLY_ALLOWED.has(classification.class)) {
+                    throw new Error(`CAPABILITY_REFUSED: role '${task.role}' may only run read/build_test bash commands; '${classification.class}' refused (${classification.reason})`);
+                }
+            }
+        }
+        childToolCallCount += 1;
+        // β2 S7 cross-agent state: emit subagent.tool_call BEFORE dispatch
+        // so the parent journal sees the attempt even if the tool throws.
+        ctx.appendEvent({
+            id: randomUUID(),
+            sessionId: ctx.sessionId,
+            timestamp: now(),
+            type: 'subagent.tool_call',
+            taskId: task.id,
+            role: task.role,
+            personaSlug: persona.slug,
+            toolName: input.name,
+            toolCallId: input.callId,
+        });
+        const result = await rawExecutor(input);
+        if (input.name === 'write' || input.name === 'edit') {
+            const path = extractPathArg(input.arguments);
+            if (path)
+                filesChanged.add(path);
+        }
+        return result;
+    };
+    // ---------------------------------------------------------------- //
+    // 5. Build the engine loop budget envelope from the per-role      //
+    //   SubagentBudget (tokens/dollars/wallClockMs).                 //
+    // ---------------------------------------------------------------- //
+    // The engine loop driver uses {maxTokens, maxToolCalls}; we
+    // translate the subagent budget into the loop budget shape and
+    // fall back to the per-command defaults from `resolveBudget` for
+    // the call-count ceiling (subagent budget does not carry that knob).
+    const commandBudget = resolveBudget(commandKind, settings, { maxTokens: budget.tokens });
+    // ---------------------------------------------------------------- //
+    // 6. Drive the child loop                                         //
+    // ---------------------------------------------------------------- //
+    const hooks = {
+    // We deliberately do NOT proxy onTurnStart/onTurnComplete to the
+    // parent journal — the child's own session already records those
+    // via the per-loop session mirror, and re-emitting them at parent
+    // scope would double-count tokens in the cabinet UI.
+    //
+    // onToolCall + onToolResult are also folded into the gatedExecutor
+    // above (the cross-agent event stream) so the loop's hook surface
+    // stays empty here.
+    };
+    let outcome;
+    try {
+        outcome = await runEngineLoop({
+            client: ctx.engineClient,
+            executor: gatedExecutor,
+            systemPrompt: systemPromptFor(commandKind),
+            userPrompt: task.prompt,
+            tools: filteredSchema,
+            budget: commandBudget,
+            personaSlug: persona.slug,
+            hooks,
+            ...(ctx.signal ? { signal: ctx.signal } : {}),
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const failedResult = {
+            taskId: task.id,
+            role: task.role,
+            personaSlug: persona.slug,
+            status: 'failed',
+            summary: `engine loop crashed: ${message}`,
+            filesChanged: Array.from(filesChanged).sort(),
+            toolCallCount: childToolCallCount,
+            tokensIn: 0,
+            tokensOut: 0,
+            durationMs: Date.now() - startedAt,
+        };
+        ctx.appendEvent({
+            id: randomUUID(),
+            sessionId: ctx.sessionId,
+            timestamp: now(),
+            type: 'subagent.failed',
+            taskId: task.id,
+            role: task.role,
+            personaSlug: persona.slug,
+            error: message,
+        });
+        return { result: failedResult, ...(worktreeHandle ? { worktreeHandle } : {}) };
+    }
+    // ---------------------------------------------------------------- //
+    // 7. Translate loop outcome → SubagentResult                      //
+    // ---------------------------------------------------------------- //
+    const { status, terminalEvent } = translateOutcome(outcome);
+    const summary = composeSummary(outcome, status, capabilities.rationale, worktreeHandle, ctx.workspaceRoot);
+    const result = {
+        taskId: task.id,
+        role: task.role,
+        personaSlug: persona.slug,
+        status,
+        summary,
+        filesChanged: Array.from(filesChanged).sort(),
+        // childToolCallCount is the gate-level count (every tool the child
+        // attempted, including refusals). outcome.toolCallCount is what
+        // the engine loop actually ran. We use outcome's number because
+        // it matches the audit log's tool_call records — refusals were
+        // already surfaced as subagent.tool_call events before the throw.
+        toolCallCount: outcome.toolCallCount,
+        tokensIn: estimateTokensIn(outcome),
+        tokensOut: estimateTokensOut(outcome),
+        durationMs: Date.now() - startedAt,
+    };
+    // Emit the terminal event last so an audit-log reader sees the
+    // chronological order: spawned → tool_call(s) → completed/blocked/failed.
+    if (terminalEvent === 'completed') {
+        ctx.appendEvent({
+            id: randomUUID(),
+            sessionId: ctx.sessionId,
+            timestamp: now(),
+            type: 'subagent.completed',
+            taskId: task.id,
+            role: task.role,
+            personaSlug: persona.slug,
+            toolCallCount: result.toolCallCount,
+            tokensIn: result.tokensIn,
+            tokensOut: result.tokensOut,
+            durationMs: result.durationMs,
+        });
+    }
+    else if (terminalEvent === 'blocked') {
+        ctx.appendEvent({
+            id: randomUUID(),
+            sessionId: ctx.sessionId,
+            timestamp: now(),
+            type: 'subagent.blocked',
+            taskId: task.id,
+            role: task.role,
+            personaSlug: persona.slug,
+            reason: blockedReasonFor(outcome),
+            detail: outcome.reason ?? 'engine loop blocked without a specific reason',
+        });
+    }
+    else {
+        ctx.appendEvent({
+            id: randomUUID(),
+            sessionId: ctx.sessionId,
+            timestamp: now(),
+            type: 'subagent.failed',
+            taskId: task.id,
+            role: task.role,
+            personaSlug: persona.slug,
+            error: outcome.reason ?? 'unknown engine loop failure',
+        });
+    }
+    return { result, ...(worktreeHandle ? { worktreeHandle } : {}) };
+}
+/* ---------------------------------------------------------------- */
+/* Helpers                                                         */
+/* ---------------------------------------------------------------- */
+/**
+ * Default command kind for a role. Writers default to `code` (20 calls
+ * / 30k tokens envelope per β1 Pl9); readers default to `explain` (5 /
+ * 20k). The caller can always override via ctx.commandKind.
+ */
+function commandKindForRole(role) {
+    switch (role) {
+        case 'coder':
+        case 'release':
+        case 'devops':
+        case 'design_qa':
+            return 'code';
+        case 'verifier':
+            // verifier needs bash for tests but should not be writing —
+            // `fix` envelope is the right compromise (read + bash + edit-ish
+            // tokens, no full build budget).
+            return 'fix';
+        case 'orchestrator':
+            // orchestrator runs in parent context — `code` matches the
+            // parent's default and gives it room to delegate.
+            return 'code';
+        case 'architect':
+        case 'reviewer':
+        case 'researcher':
+        default:
+            return 'explain';
+    }
+}
+function translateOutcome(outcome) {
+    switch (outcome.status) {
+        case 'completed':
+            return { status: 'shipped', terminalEvent: 'completed' };
+        case 'budget_exhausted':
+        case 'tool_refused':
+        case 'aborted':
+            // `aborted` maps to `blocked` per the same logic as native-pugi.ts:
+            // the operator chose the outcome.
+            return { status: 'blocked', terminalEvent: 'blocked' };
+        case 'failed':
+            return { status: 'failed', terminalEvent: 'failed' };
+    }
+}
+function blockedReasonFor(outcome) {
+    switch (outcome.status) {
+        case 'budget_exhausted':
+            return 'budget_exhausted';
+        case 'tool_refused':
+            return 'plan_mode_refused';
+        case 'aborted':
+            // Operator abort surfaces as permission_denied — the operator
+            // pulled consent, which is the same shape as a permission rule
+            // refusing the call.
+            return 'permission_denied';
+        default:
+            return 'tool_unavailable';
+    }
+}
+function composeSummary(outcome, status, rationale, worktreeHandle, workspaceRoot) {
+    const finalText = outcome.finalText.trim();
+    const lines = [];
+    if (finalText) {
+        lines.push(finalText);
+    }
+    else if (outcome.reason) {
+        lines.push(`[${outcome.status}] ${outcome.reason}`);
+    }
+    else {
+        lines.push(`[${outcome.status}] no answer returned`);
+    }
+    if (worktreeHandle) {
+        // β2a r1 (Backend Architect P1): emit the worktree
+        // path RELATIVE to the workspace root. The summary text flows to
+        // the parent transcript and from there to the provider when the
+        // operator runs in `studio` / `provider-direct` privacy mode;
+        // shipping `/Users/<operator>/Web/...` (absolute) leaked the
+        // operator's home directory to the provider on every spawn. The
+        // relative form (`.pugi/worktrees/<uuid>`) is enough for the
+        // operator's local `pugi worktree promote/drop` commands.
+        const relPath = relativePath(workspaceRoot, worktreeHandle.path) || worktreeHandle.path;
+        lines.push('');
+        lines.push(`worktree: ${relPath}`);
+        lines.push(`base: ${worktreeHandle.baseSha}`);
+        lines.push(`promote via: pugi worktree promote ${relPath}`);
+        lines.push(`drop via: pugi worktree drop ${relPath}`);
+    }
+    // β2a r1 (Backend Architect P2): the rationale string
+    // duplicates the role's capability matrix entry, which on `shipped`
+    // outcomes is noise that bloats the parent transcript and provides
+    // an extra signal a prompt-injecting child could echo back. Limit
+    // it to `blocked` (where it explains the refusal) — failed
+    // outcomes already carry the engine loop's own reason field.
+    if (status === 'blocked') {
+        lines.push('');
+        lines.push(`role-capability rationale: ${rationale}`);
+    }
+    return lines.join('\n');
+}
+/**
+ * The engine-loop outcome carries a single `tokensUsed` counter (total
+ * prompt + completion tokens). We don't have a precise prompt/completion
+ * split surfaced from the loop driver — approximate the split as 70/30
+ * (typical chat-completion shape for tool-use loops where the model's
+ * replies are short tool_call frames). The numbers are surfaced in the
+ * cabinet UI as a guideline, not for billing reconciliation (billing
+ * lives at the runtime adapter side).
+ */
+function estimateTokensIn(outcome) {
+    return Math.round(outcome.tokensUsed * 0.7);
+}
+function estimateTokensOut(outcome) {
+    return Math.round(outcome.tokensUsed * 0.3);
+}
+function extractPathArg(raw) {
+    if (!raw)
+        return null;
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            const path = parsed.path;
+            if (typeof path === 'string' && path.length > 0)
+                return path;
+        }
+    }
+    catch {
+        // bad JSON — ignored.
+    }
+    return null;
+}
+/**
+ * β2a r1 : pull the `command` field out of a bash tool
+ * call's JSON arguments. Used by the bash read-only gate to feed the
+ * classifier. Returns null on bad JSON / missing field so the caller
+ * can fail-safe to allow (the underlying tool will surface its own
+ * parse error).
+ */
+function extractBashCommand(raw) {
+    if (!raw)
+        return null;
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            const cmd = parsed.command;
+            if (typeof cmd === 'string' && cmd.length > 0)
+                return cmd;
+        }
+    }
+    catch {
+        // bad JSON — let the tool surface the parse error.
+    }
+    return null;
+}
+function defaultNow() {
+    return new Date().toISOString();
+}
+//# sourceMappingURL=dispatcher-real.js.map