@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.1

package/dist/core/subagents/dispatcher-real.js

@@ -1,600 +0,0 @@
-/**
- * Real subagent execution (β2 S1 —).
- *
- * Replaces the M1 stub in `dispatcher.ts` with a genuine Anvil-backed
- * child engine loop. Given a SubagentTask + an EngineLoopClient, this
- * module:
- *
- *  1. Resolves the role's persona + isolation tier (delegated to
- *     `dispatcher.ts` so the policy lives in one file).
- *  2. Optionally provisions a scratch worktree when the role's
- *     isolation tier requires write isolation (β2 S5 wiring point).
- *  3. Builds a per-child tools schema gated by the isolation matrix
- *     (`isolation-matrix.ts::allowedToolsForRole`) so the child loop
- *     cannot see tools its role is forbidden to use.
- *  4. Runs `runEngineLoop` with the role-specific persona, budget,
- *     and tools against the supplied EngineLoopClient (each child
- *     gets its OWN logical Anvil session — same wire transport, but
- *     a fresh transcript so the child cannot read parent context the
- *     operator did not authorise).
- *  5. Streams `subagent.tool_call` events back through the parent's
- *     session journal as each child tool call fires (β2 S7 cross-
- *     agent state surface).
- *  6. Aggregates `filesChanged` + `toolCallCount` + token totals from
- *     the child loop and returns them in the SubagentResult.
- *
- * What this module deliberately does NOT do:
- *
- *  - Promote the child's worktree back to the parent's main tree.
- *    `pugi worktree promote` is operator-driven so the operator can
- *    review the diff before it lands; the dispatcher only creates
- *    the scratch worktree, runs the child in it, and leaves the
- *    handle attached to the SubagentResult.filesChanged for the
- *    caller to act on.
- *
- *  - Drop the worktree on failure. Same reasoning: the operator
- *    should be able to inspect what the child did before the scratch
- *    dir disappears. Cleanup happens via `pugi worktree drop` or via
- *    the explicit `cleanup` callback returned on the worktree handle.
- *
- *  - Run grand-children. The capability matrix (S4) blocks the
- *    `agent` tool for every role except orchestrator, so a coder/
- *    reviewer/verifier cannot spawn a child of its own. Bounded
- *    spawn depth = 1, which keeps the budget rollup tractable.
- *
- * Cross-reference: docs/research/2026-05-26-pugi-cli-consolidated-sprint-plan.md
- * §β2 S1 + S7.
- */
-import { randomUUID } from 'node:crypto';
-import { relative as relativePath } from 'node:path';
-import { runEngineLoop, } from '@pugi/sdk';
-import { resolveBudget } from '../engine/budgets.js';
-import { buildExecutor, buildToolsSchema, } from '../engine/tool-bridge.js';
-import { systemPromptFor } from '../engine/prompts.js';
-import { getPersonaForRole } from '../agents/registry.js';
-import { FileReadCache } from '../file-cache.js';
-import { loadSettings } from '../settings.js';
-import { openSession } from '../session.js';
-import { createWorktree, } from '../edits/worktree.js';
-import { classifyBash } from '../bash-classifier.js';
-import { allowedToolsForRole, bashIsReadOnlyForRole, capabilitiesForRole, } from './isolation-matrix.js';
-import { budgetForRole, isolationForRole, } from './dispatcher.js';
-/**
- * Drive a real subagent dispatch. Returns the typed SubagentResult plus
- * the optional WorktreeHandle (when isolation === 'worktree') so the
- * caller can wire `pugi worktree promote/drop` follow-ups.
- *
- * Throws when the engine loop crashes uncaught — the caller should
- * translate that into `recordSubagentFailed` on the parent session.
- */
-export async function runRealDispatch(task, ctx) {
-    const persona = getPersonaForRole(task.role);
-    const isolation = isolationForRole(task.role);
-    const budget = budgetForRole(task.role, task.budget);
-    const capabilities = capabilitiesForRole(task.role);
-    const now = ctx.now ?? defaultNow;
-    const startedAt = Date.now();
-    // ---------------------------------------------------------------- //
-    // 1. Provision child workspace + session                          //
-    // ---------------------------------------------------------------- //
-    // The child's filesystem root depends on the isolation tier:
-    //
-    //  - prompt_only / shared_fs_readonly / shared_fs_serialized →
-    //    reuse the parent's workspaceRoot. Read isolation is enforced
-    //    by the capability matrix (no `write` cap → no write tool in
-    //    the schema). Serialized writes are gated by the file-tools
-    //    layer's existing in-process lock (per-process serialization
-    //    is enough at M1 because only one child runs per parent).
-    //
-    //  - worktree → spawn `.pugi/worktrees/<uuid>` via createWorktree
-    //    and pin the child's workspaceRoot there. The parent's tree is
-    //    untouched; promote/drop is operator-driven afterwards.
-    let childRoot = ctx.workspaceRoot;
-    let worktreeHandle;
-    // β2a r1 (Codex P1): the original gate required
-    // `isolationForRole()` to return `'worktree'` before honoring
-    // `ctx.useWorktreeIsolation`. But the role→isolation matrix never
-    // returns `'worktree'` for any writer (coders land at
-    // `shared_fs_serialized`), so the agentTool's explicit
-    // `useWorktreeIsolation: true` request was silently dropped and the
-    // coder mutated the parent checkout directly. Fix: treat an explicit
-    // `true` as an INDEPENDENT trigger so callers (agentTool with
-    // `isolation: 'worktree'`) actually get a scratch worktree.
-    //
-    // The three states map to:
-    //  - true  → force worktree regardless of role tier (explicit opt-in)
-    //  - false → skip worktree even if role tier would require it (spec
-    //             escape hatch + caller opt-out)
-    //  - undefined → honor role tier default (`'worktree'` → create)
-    const useWorktree = ctx.useWorktreeIsolation === true
-        ? true
-        : ctx.useWorktreeIsolation === false
-            ? false
-            : isolation === 'worktree';
-    // β2a r2 (Codex P2): compute the EFFECTIVE isolation tier
-    // for audit metadata. The role-default `isolation` value is the
-    // declarative tier from `isolationForRole()`, but when
-    // `ctx.useWorktreeIsolation === true` forces a scratch worktree for a
-    // role whose default is `shared_fs_serialized` (coder/release/devops/
-    // design_qa), the actual workspace boundary is `worktree`. Emitting
-    // the stale role-default in the `subagent.spawned` event was
-    // misleading audit consumers (SSE / cabinet UI) into thinking the
-    // child mutated the parent tree when it actually mutated a scratch
-    // worktree — and vice versa when `false` overrode a `worktree`-tier
-    // role into shared_fs. The `isolation` field on the lifecycle event
-    // now reflects the ACTUAL workspace decision.
-    const isolationEffective = useWorktree
-        ? 'worktree'
-        : isolation;
-    if (useWorktree) {
-        const wt = createWorktree({ cwd: ctx.workspaceRoot });
-        if (!wt.ok) {
-            // Translate worktree failure to a clean blocked result instead
-            // of throwing — the caller can surface it as
-            // subagent.blocked / tool_unavailable. The dispatcher.ts wrapper
-            // does the emission so the audit log lines up with other
-            // blocked dispatches.
-            //
-            // β2a r2 (Codex P2): isolation here falls back to the role
-            // default because the worktree failed to provision — the child
-            // never landed on a `worktree` boundary, so reporting the
-            // effective tier would lie. Use the declarative role default.
-            ctx.appendEvent({
-                id: randomUUID(),
-                sessionId: ctx.sessionId,
-                timestamp: now(),
-                type: 'subagent.spawned',
-                taskId: task.id,
-                role: task.role,
-                personaSlug: persona.slug,
-                parentSessionId: ctx.sessionId,
-                isolation,
-            });
-            const blockedResult = {
-                taskId: task.id,
-                role: task.role,
-                personaSlug: persona.slug,
-                status: 'blocked',
-                summary: `worktree provisioning failed: ${wt.reason}: ${wt.detail}`,
-                filesChanged: [],
-                toolCallCount: 0,
-                tokensIn: 0,
-                tokensOut: 0,
-                durationMs: Date.now() - startedAt,
-            };
-            ctx.appendEvent({
-                id: randomUUID(),
-                sessionId: ctx.sessionId,
-                timestamp: now(),
-                type: 'subagent.blocked',
-                taskId: task.id,
-                role: task.role,
-                personaSlug: persona.slug,
-                reason: 'tool_unavailable',
-                detail: `worktree provisioning failed (${wt.reason}): ${wt.detail}`,
-            });
-            return { result: blockedResult };
-        }
-        childRoot = wt.value.path;
-        worktreeHandle = wt.value;
-    }
-    const childSession = ctx.childSession ?? openSession(childRoot);
-    const settings = loadSettings(childRoot);
-    // ---------------------------------------------------------------- //
-    // 2. Emit subagent.spawned                                        //
-    // ---------------------------------------------------------------- //
-    // β2a r2 (Codex P2): use the EFFECTIVE isolation tier so
-    // audit consumers see the actual workspace boundary (`worktree` when
-    // `ctx.useWorktreeIsolation === true` forced a scratch worktree for
-    // a role whose default was `shared_fs_serialized`). The stale
-    // role-default emission was a P2 misdirection — operators watching
-    // `pugi sessions stream` saw `shared_fs_serialized` while the child
-    // was actually mutating `.pugi/worktrees/<uuid>/`.
-    ctx.appendEvent({
-        id: randomUUID(),
-        sessionId: ctx.sessionId,
-        timestamp: now(),
-        type: 'subagent.spawned',
-        taskId: task.id,
-        role: task.role,
-        personaSlug: persona.slug,
-        parentSessionId: ctx.sessionId,
-        isolation: isolationEffective,
-    });
-    // ---------------------------------------------------------------- //
-    // 3. Build per-child tools schema + executor                      //
-    // ---------------------------------------------------------------- //
-    // The schema is filtered by the capability matrix (S4). We start
-    // from buildToolsSchema's default set and intersect with
-    // `allowedToolsForRole`. The executor enforces the same set as a
-    // defense-in-depth gate — even if a model hallucinates an unknown
-    // tool name (or a future schema bug accidentally advertises one),
-    // the executor rejects it before any file-tools layer sees it.
-    const commandKind = ctx.commandKind ?? commandKindForRole(task.role);
-    const allowedTools = allowedToolsForRole(task.role);
-    // β2a r1 (Backend Architect P1): the executor's
-    // `allowFetch` flag previously only checked the workspace settings
-    // (`web.fetch.enabled`). For roles whose capability set DOES NOT
-    // include `web_fetch` (every non-orchestrator role today) the
-    // schema filter would strip the tool advertisement, but a model
-    // that fabricated a `web_fetch` call would still hit the executor
-    // with `allowFetch: true` and the call would succeed. Fix: AND the
-    // role-capability gate into the flag so a fabricated call also
-    // gets refused by the capability gate above; the AND below is the
-    // executor-level belt-and-braces.
-    const allowFetchForChild = allowedTools.has('web_fetch') && settings.web?.fetch?.enabled === true;
-    const schemaOpts = {
-        allowFetch: allowFetchForChild,
-    };
-    const fullSchema = buildToolsSchema(commandKind, schemaOpts);
-    const filteredSchema = fullSchema.filter((tool) => allowedTools.has(tool.name));
-    const toolCtx = {
-        root: childRoot,
-        settings,
-        session: childSession,
-        readCache: new FileReadCache(),
-    };
-    const rawExecutor = buildExecutor({
-        kind: commandKind,
-        ctx: toolCtx,
-        sessionId: childSession.id,
-        workspaceRoot: childRoot,
-        interactive: false,
-        allowFetch: allowFetchForChild,
-    });
-    // β2a r1 (Codex P1): roles in the bash_read_only tier
-    // (verifier today) need an EXTRA pre-flight on every `bash` call so
-    // a write-class command (echo into a file, sed -i, rm) is refused
-    // before bashToolSync's permission layer sees it. The bash tool
-    // defaults to permission mode `auto`, which permits write_workspace
-    // class commands; without this gate the no-edit contract is purely
-    // honor-system. Read + build_test are still allowed so test
-    // commands work; everything else surfaces a CAPABILITY_REFUSED
-    // sentinel back to the model so it can adapt.
-    const bashReadOnly = bashIsReadOnlyForRole(task.role);
-    const BASH_READ_ONLY_ALLOWED = new Set(['read', 'build_test']);
-    // ---------------------------------------------------------------- //
-    // 4. Wrap executor with the isolation-matrix refusal gate +       //
-    //   cross-agent event stream (S4 + S7)                           //
-    // ---------------------------------------------------------------- //
-    // Every tool call the child makes is:
-    //  (a) rejected if the role lacks the capability (defense in depth);
-    //  (b) emitted as a subagent.tool_call event into the parent
-    //      journal so `pugi sessions stream <id>` surfaces it inline;
-    //  (c) classified for the filesChanged summary.
-    const filesChanged = new Set();
-    let childToolCallCount = 0;
-    const gatedExecutor = async (input) => {
-        if (!allowedTools.has(input.name)) {
-            // Note: this is in addition to the schema filter — a model that
-            // fabricates a tool call for a name we deliberately did NOT
-            // advertise still gets rejected here. The error string is read
-            // by runEngineLoop and fed back into the next turn's tool frame.
-            throw new Error(`CAPABILITY_REFUSED: role '${task.role}' is not allowed to call '${input.name}' (${capabilities.rationale})`);
-        }
-        // β2a r1 (Codex P1): bash read-only gate for roles
-        // whose capability set is `bash_read_only` (verifier). Pre-classify
-        // the command and refuse anything outside read/build_test BEFORE
-        // the tool runs — the underlying bashToolSync's permission layer
-        // would otherwise wave write_workspace through under the default
-        // `auto` mode.
-        if (input.name === 'bash' && bashReadOnly) {
-            const cmd = extractBashCommand(input.arguments);
-            if (cmd !== null) {
-                const classification = classifyBash(cmd, {
-                    workspaceRoot: childRoot,
-                    additionalDirectories: [],
-                });
-                if (!BASH_READ_ONLY_ALLOWED.has(classification.class)) {
-                    throw new Error(`CAPABILITY_REFUSED: role '${task.role}' may only run read/build_test bash commands; '${classification.class}' refused (${classification.reason})`);
-                }
-            }
-        }
-        childToolCallCount += 1;
-        // β2 S7 cross-agent state: emit subagent.tool_call BEFORE dispatch
-        // so the parent journal sees the attempt even if the tool throws.
-        ctx.appendEvent({
-            id: randomUUID(),
-            sessionId: ctx.sessionId,
-            timestamp: now(),
-            type: 'subagent.tool_call',
-            taskId: task.id,
-            role: task.role,
-            personaSlug: persona.slug,
-            toolName: input.name,
-            toolCallId: input.callId,
-        });
-        const result = await rawExecutor(input);
-        if (input.name === 'write' || input.name === 'edit') {
-            const path = extractPathArg(input.arguments);
-            if (path)
-                filesChanged.add(path);
-        }
-        return result;
-    };
-    // ---------------------------------------------------------------- //
-    // 5. Build the engine loop budget envelope from the per-role      //
-    //   SubagentBudget (tokens/dollars/wallClockMs).                 //
-    // ---------------------------------------------------------------- //
-    // The engine loop driver uses {maxTokens, maxToolCalls}; we
-    // translate the subagent budget into the loop budget shape and
-    // fall back to the per-command defaults from `resolveBudget` for
-    // the call-count ceiling (subagent budget does not carry that knob).
-    const commandBudget = resolveBudget(commandKind, settings, { maxTokens: budget.tokens });
-    // ---------------------------------------------------------------- //
-    // 6. Drive the child loop                                         //
-    // ---------------------------------------------------------------- //
-    const hooks = {
-    // We deliberately do NOT proxy onTurnStart/onTurnComplete to the
-    // parent journal — the child's own session already records those
-    // via the per-loop session mirror, and re-emitting them at parent
-    // scope would double-count tokens in the cabinet UI.
-    //
-    // onToolCall + onToolResult are also folded into the gatedExecutor
-    // above (the cross-agent event stream) so the loop's hook surface
-    // stays empty here.
-    };
-    let outcome;
-    try {
-        outcome = await runEngineLoop({
-            client: ctx.engineClient,
-            executor: gatedExecutor,
-            systemPrompt: systemPromptFor(commandKind),
-            userPrompt: task.prompt,
-            tools: filteredSchema,
-            budget: commandBudget,
-            personaSlug: persona.slug,
-            hooks,
-            ...(ctx.signal ? { signal: ctx.signal } : {}),
-        });
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        const failedResult = {
-            taskId: task.id,
-            role: task.role,
-            personaSlug: persona.slug,
-            status: 'failed',
-            summary: `engine loop crashed: ${message}`,
-            filesChanged: Array.from(filesChanged).sort(),
-            toolCallCount: childToolCallCount,
-            tokensIn: 0,
-            tokensOut: 0,
-            durationMs: Date.now() - startedAt,
-        };
-        ctx.appendEvent({
-            id: randomUUID(),
-            sessionId: ctx.sessionId,
-            timestamp: now(),
-            type: 'subagent.failed',
-            taskId: task.id,
-            role: task.role,
-            personaSlug: persona.slug,
-            error: message,
-        });
-        return { result: failedResult, ...(worktreeHandle ? { worktreeHandle } : {}) };
-    }
-    // ---------------------------------------------------------------- //
-    // 7. Translate loop outcome → SubagentResult                      //
-    // ---------------------------------------------------------------- //
-    const { status, terminalEvent } = translateOutcome(outcome);
-    const summary = composeSummary(outcome, status, capabilities.rationale, worktreeHandle, ctx.workspaceRoot);
-    const result = {
-        taskId: task.id,
-        role: task.role,
-        personaSlug: persona.slug,
-        status,
-        summary,
-        filesChanged: Array.from(filesChanged).sort(),
-        // childToolCallCount is the gate-level count (every tool the child
-        // attempted, including refusals). outcome.toolCallCount is what
-        // the engine loop actually ran. We use outcome's number because
-        // it matches the audit log's tool_call records — refusals were
-        // already surfaced as subagent.tool_call events before the throw.
-        toolCallCount: outcome.toolCallCount,
-        tokensIn: estimateTokensIn(outcome),
-        tokensOut: estimateTokensOut(outcome),
-        durationMs: Date.now() - startedAt,
-    };
-    // Emit the terminal event last so an audit-log reader sees the
-    // chronological order: spawned → tool_call(s) → completed/blocked/failed.
-    if (terminalEvent === 'completed') {
-        ctx.appendEvent({
-            id: randomUUID(),
-            sessionId: ctx.sessionId,
-            timestamp: now(),
-            type: 'subagent.completed',
-            taskId: task.id,
-            role: task.role,
-            personaSlug: persona.slug,
-            toolCallCount: result.toolCallCount,
-            tokensIn: result.tokensIn,
-            tokensOut: result.tokensOut,
-            durationMs: result.durationMs,
-        });
-    }
-    else if (terminalEvent === 'blocked') {
-        ctx.appendEvent({
-            id: randomUUID(),
-            sessionId: ctx.sessionId,
-            timestamp: now(),
-            type: 'subagent.blocked',
-            taskId: task.id,
-            role: task.role,
-            personaSlug: persona.slug,
-            reason: blockedReasonFor(outcome),
-            detail: outcome.reason ?? 'engine loop blocked without a specific reason',
-        });
-    }
-    else {
-        ctx.appendEvent({
-            id: randomUUID(),
-            sessionId: ctx.sessionId,
-            timestamp: now(),
-            type: 'subagent.failed',
-            taskId: task.id,
-            role: task.role,
-            personaSlug: persona.slug,
-            error: outcome.reason ?? 'unknown engine loop failure',
-        });
-    }
-    return { result, ...(worktreeHandle ? { worktreeHandle } : {}) };
-}
-/* ---------------------------------------------------------------- */
-/* Helpers                                                         */
-/* ---------------------------------------------------------------- */
-/**
- * Default command kind for a role. Writers default to `code` (20 calls
- * / 30k tokens envelope per β1 Pl9); readers default to `explain` (5 /
- * 20k). The caller can always override via ctx.commandKind.
- */
-function commandKindForRole(role) {
-    switch (role) {
-        case 'coder':
-        case 'release':
-        case 'devops':
-        case 'design_qa':
-            return 'code';
-        case 'verifier':
-            // verifier needs bash for tests but should not be writing —
-            // `fix` envelope is the right compromise (read + bash + edit-ish
-            // tokens, no full build budget).
-            return 'fix';
-        case 'orchestrator':
-            // orchestrator runs in parent context — `code` matches the
-            // parent's default and gives it room to delegate.
-            return 'code';
-        case 'architect':
-        case 'reviewer':
-        case 'researcher':
-        default:
-            return 'explain';
-    }
-}
-function translateOutcome(outcome) {
-    switch (outcome.status) {
-        case 'completed':
-            return { status: 'shipped', terminalEvent: 'completed' };
-        case 'budget_exhausted':
-        case 'tool_refused':
-        case 'aborted':
-            // `aborted` maps to `blocked` per the same logic as native-pugi.ts:
-            // the operator chose the outcome.
-            return { status: 'blocked', terminalEvent: 'blocked' };
-        case 'failed':
-            return { status: 'failed', terminalEvent: 'failed' };
-    }
-}
-function blockedReasonFor(outcome) {
-    switch (outcome.status) {
-        case 'budget_exhausted':
-            return 'budget_exhausted';
-        case 'tool_refused':
-            return 'plan_mode_refused';
-        case 'aborted':
-            // Operator abort surfaces as permission_denied — the operator
-            // pulled consent, which is the same shape as a permission rule
-            // refusing the call.
-            return 'permission_denied';
-        default:
-            return 'tool_unavailable';
-    }
-}
-function composeSummary(outcome, status, rationale, worktreeHandle, workspaceRoot) {
-    const finalText = outcome.finalText.trim();
-    const lines = [];
-    if (finalText) {
-        lines.push(finalText);
-    }
-    else if (outcome.reason) {
-        lines.push(`[${outcome.status}] ${outcome.reason}`);
-    }
-    else {
-        lines.push(`[${outcome.status}] no answer returned`);
-    }
-    if (worktreeHandle) {
-        // β2a r1 (Backend Architect P1): emit the worktree
-        // path RELATIVE to the workspace root. The summary text flows to
-        // the parent transcript and from there to the provider when the
-        // operator runs in `studio` / `provider-direct` privacy mode;
-        // shipping `/Users/<operator>/Web/...` (absolute) leaked the
-        // operator's home directory to the provider on every spawn. The
-        // relative form (`.pugi/worktrees/<uuid>`) is enough for the
-        // operator's local `pugi worktree promote/drop` commands.
-        const relPath = relativePath(workspaceRoot, worktreeHandle.path) || worktreeHandle.path;
-        lines.push('');
-        lines.push(`worktree: ${relPath}`);
-        lines.push(`base: ${worktreeHandle.baseSha}`);
-        lines.push(`promote via: pugi worktree promote ${relPath}`);
-        lines.push(`drop via: pugi worktree drop ${relPath}`);
-    }
-    // β2a r1 (Backend Architect P2): the rationale string
-    // duplicates the role's capability matrix entry, which on `shipped`
-    // outcomes is noise that bloats the parent transcript and provides
-    // an extra signal a prompt-injecting child could echo back. Limit
-    // it to `blocked` (where it explains the refusal) — failed
-    // outcomes already carry the engine loop's own reason field.
-    if (status === 'blocked') {
-        lines.push('');
-        lines.push(`role-capability rationale: ${rationale}`);
-    }
-    return lines.join('\n');
-}
-/**
- * The engine-loop outcome carries a single `tokensUsed` counter (total
- * prompt + completion tokens). We don't have a precise prompt/completion
- * split surfaced from the loop driver — approximate the split as 70/30
- * (typical chat-completion shape for tool-use loops where the model's
- * replies are short tool_call frames). The numbers are surfaced in the
- * cabinet UI as a guideline, not for billing reconciliation (billing
- * lives at the runtime adapter side).
- */
-function estimateTokensIn(outcome) {
-    return Math.round(outcome.tokensUsed * 0.7);
-}
-function estimateTokensOut(outcome) {
-    return Math.round(outcome.tokensUsed * 0.3);
-}
-function extractPathArg(raw) {
-    if (!raw)
-        return null;
-    try {
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-            const path = parsed.path;
-            if (typeof path === 'string' && path.length > 0)
-                return path;
-        }
-    }
-    catch {
-        // bad JSON — ignored.
-    }
-    return null;
-}
-/**
- * β2a r1 : pull the `command` field out of a bash tool
- * call's JSON arguments. Used by the bash read-only gate to feed the
- * classifier. Returns null on bad JSON / missing field so the caller
- * can fail-safe to allow (the underlying tool will surface its own
- * parse error).
- */
-function extractBashCommand(raw) {
-    if (!raw)
-        return null;
-    try {
-        const parsed = JSON.parse(raw);
-        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-            const cmd = parsed.command;
-            if (typeof cmd === 'string' && cmd.length > 0)
-                return cmd;
-        }
-    }
-    catch {
-        // bad JSON — let the tool surface the parse error.
-    }
-    return null;
-}
-function defaultNow() {
-    return new Date().toISOString();
-}
-//# sourceMappingURL=dispatcher-real.js.map