@quantiya/codevibe-claude-plugin 1.0.37 → 1.0.39

package/node_modules/ws/lib/permessage-deflate.js

@@ -37,6 +37,9 @@ class PerMessageDeflate {
    *     acknowledge disabling of client context takeover
    * @param {Number} [options.concurrencyLimit=10] The number of concurrent
    *     calls to zlib
+   * @param {Boolean} [options.isServer=false] Create the instance in either
+   *     server or client mode
+   * @param {Number} [options.maxPayload=0] The maximum allowed message length
    * @param {(Boolean|Number)} [options.serverMaxWindowBits] Request/confirm the
    *     use of a custom server window size
    * @param {Boolean} [options.serverNoContextTakeover=false] Request/accept
@@ -47,16 +50,13 @@ class PerMessageDeflate {
    *     deflate
    * @param {Object} [options.zlibInflateOptions] Options to pass to zlib on
    *     inflate
-   * @param {Boolean} [isServer=false] Create the instance in either server or
-   *     client mode
-   * @param {Number} [maxPayload=0] The maximum allowed message length
    */
-  constructor(options, isServer, maxPayload) {
-    this._maxPayload = maxPayload | 0;
+  constructor(options) {
     this._options = options || {};
     this._threshold =
       this._options.threshold !== undefined ? this._options.threshold : 1024;
-    this._isServer = !!isServer;
+    this._maxPayload = this._options.maxPayload | 0;
+    this._isServer = !!this._options.isServer;
     this._deflate = null;
     this._inflate = null;
 

package/node_modules/ws/lib/websocket-server.js

@@ -11,7 +11,7 @@ const extension = require('./extension');
 const PerMessageDeflate = require('./permessage-deflate');
 const subprotocol = require('./subprotocol');
 const WebSocket = require('./websocket');
-const { GUID, kWebSocket } = require('./constants');
+const { CLOSE_TIMEOUT, GUID, kWebSocket } = require('./constants');
 
 const keyRegex = /^[+/0-9A-Za-z]{22}==$/;
 
@@ -38,6 +38,9 @@ class WebSocketServer extends EventEmitter {
    *     pending connections
    * @param {Boolean} [options.clientTracking=true] Specifies whether or not to
    *     track clients
+   * @param {Number} [options.closeTimeout=30000] Duration in milliseconds to
+   *     wait for the closing handshake to finish after `websocket.close()` is
+   *     called
    * @param {Function} [options.handleProtocols] A hook to handle protocols
    * @param {String} [options.host] The hostname where to bind the server
    * @param {Number} [options.maxPayload=104857600] The maximum allowed message
@@ -67,6 +70,7 @@ class WebSocketServer extends EventEmitter {
       perMessageDeflate: false,
       handleProtocols: null,
       clientTracking: true,
+      closeTimeout: CLOSE_TIMEOUT,
       verifyClient: null,
       noServer: false,
       backlog: null, // use default (511 as implemented in net.js)
@@ -289,11 +293,11 @@ class WebSocketServer extends EventEmitter {
       this.options.perMessageDeflate &&
       secWebSocketExtensions !== undefined
     ) {
-      const perMessageDeflate = new PerMessageDeflate(
-        this.options.perMessageDeflate,
-        true,
-        this.options.maxPayload
-      );
+      const perMessageDeflate = new PerMessageDeflate({
+        ...this.options.perMessageDeflate,
+        isServer: true,
+        maxPayload: this.options.maxPayload
+      });
 
       try {
         const offers = extension.parse(secWebSocketExtensions);

package/node_modules/ws/lib/websocket.js

@@ -18,6 +18,7 @@ const { isBlob } = require('./validation');
 
 const {
   BINARY_TYPES,
+  CLOSE_TIMEOUT,
   EMPTY_BUFFER,
   GUID,
   kForOnEventAttribute,
@@ -32,7 +33,6 @@ const {
 const { format, parse } = require('./extension');
 const { toBuffer } = require('./buffer-util');
 
-const closeTimeout = 30 * 1000;
 const kAborted = Symbol('kAborted');
 const protocolVersions = [8, 13];
 const readyStates = ['CONNECTING', 'OPEN', 'CLOSING', 'CLOSED'];
@@ -88,6 +88,7 @@ class WebSocket extends EventEmitter {
       initAsClient(this, address, protocols, options);
     } else {
       this._autoPong = options.autoPong;
+      this._closeTimeout = options.closeTimeout;
       this._isServer = true;
     }
   }
@@ -629,6 +630,8 @@ module.exports = WebSocket;
  *     times in the same tick
  * @param {Boolean} [options.autoPong=true] Specifies whether or not to
  *     automatically send a pong in response to a ping
+ * @param {Number} [options.closeTimeout=30000] Duration in milliseconds to wait
+ *     for the closing handshake to finish after `websocket.close()` is called
  * @param {Function} [options.finishRequest] A function which can be used to
  *     customize the headers of each http request before it is sent
  * @param {Boolean} [options.followRedirects=false] Whether or not to follow
@@ -655,6 +658,7 @@ function initAsClient(websocket, address, protocols, options) {
   const opts = {
     allowSynchronousEvents: true,
     autoPong: true,
+    closeTimeout: CLOSE_TIMEOUT,
     protocolVersion: protocolVersions[1],
     maxPayload: 100 * 1024 * 1024,
     skipUTF8Validation: false,
@@ -673,6 +677,7 @@ function initAsClient(websocket, address, protocols, options) {
   };
 
   websocket._autoPong = opts.autoPong;
+  websocket._closeTimeout = opts.closeTimeout;
 
   if (!protocolVersions.includes(opts.protocolVersion)) {
     throw new RangeError(
@@ -688,7 +693,7 @@ function initAsClient(websocket, address, protocols, options) {
   } else {
     try {
       parsedUrl = new URL(address);
-    } catch (e) {
+    } catch {
       throw new SyntaxError(`Invalid URL: ${address}`);
     }
   }
@@ -750,11 +755,11 @@ function initAsClient(websocket, address, protocols, options) {
   opts.timeout = opts.handshakeTimeout;
 
   if (opts.perMessageDeflate) {
-    perMessageDeflate = new PerMessageDeflate(
-      opts.perMessageDeflate !== true ? opts.perMessageDeflate : {},
-      false,
-      opts.maxPayload
-    );
+    perMessageDeflate = new PerMessageDeflate({
+      ...opts.perMessageDeflate,
+      isServer: false,
+      maxPayload: opts.maxPayload
+    });
     opts.headers['Sec-WebSocket-Extensions'] = format({
       [PerMessageDeflate.extensionName]: perMessageDeflate.offer()
     });
@@ -1290,7 +1295,7 @@ function senderOnError(err) {
 function setCloseTimer(websocket) {
   websocket._closeTimer = setTimeout(
     websocket._socket.destroy.bind(websocket._socket),
-    closeTimeout
+    websocket._closeTimeout
   );
 }
 
@@ -1308,23 +1313,23 @@ function socketOnClose() {
 
   websocket._readyState = WebSocket.CLOSING;
 
-  let chunk;
-
   //
   // The close frame might not have been received or the `'end'` event emitted,
   // for example, if the socket was destroyed due to an error. Ensure that the
   // `receiver` stream is closed after writing any remaining buffered data to
   // it. If the readable side of the socket is in flowing mode then there is no
-  // buffered data as everything has been already written and `readable.read()`
-  // will return `null`. If instead, the socket is paused, any possible buffered
-  // data will be read as a single chunk.
+  // buffered data as everything has been already written. If instead, the
+  // socket is paused, any possible buffered data will be read as a single
+  // chunk.
   //
   if (
     !this._readableState.endEmitted &&
     !websocket._closeFrameReceived &&
     !websocket._receiver._writableState.errorEmitted &&
-    (chunk = websocket._socket.read()) !== null
+    this._readableState.length !== 0
   ) {
+    const chunk = this.read(this._readableState.length);
+
     websocket._receiver.write(chunk);
   }
 

package/node_modules/ws/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ws",
-  "version": "8.18.3",
+  "version": "8.20.0",
   "description": "Simple to use, blazing fast and thoroughly tested websocket client and server for Node.js",
   "keywords": [
     "HyBi",
@@ -55,12 +55,13 @@
     }
   },
   "devDependencies": {
+    "@eslint/js": "^10.0.1",
     "benchmark": "^2.1.4",
     "bufferutil": "^4.0.1",
-    "eslint": "^9.0.0",
+    "eslint": "^10.0.1",
     "eslint-config-prettier": "^10.0.1",
     "eslint-plugin-prettier": "^5.0.0",
-    "globals": "^16.0.0",
+    "globals": "^17.0.0",
     "mocha": "^8.4.0",
     "nyc": "^15.0.0",
     "prettier": "^3.0.0",

package/node_modules/ws/wrapper.mjs

@@ -1,8 +1,21 @@
 import createWebSocketStream from './lib/stream.js';
+import extension from './lib/extension.js';
+import PerMessageDeflate from './lib/permessage-deflate.js';
 import Receiver from './lib/receiver.js';
 import Sender from './lib/sender.js';
+import subprotocol from './lib/subprotocol.js';
 import WebSocket from './lib/websocket.js';
 import WebSocketServer from './lib/websocket-server.js';
 
-export { createWebSocketStream, Receiver, Sender, WebSocket, WebSocketServer };
+export {
+  createWebSocketStream,
+  extension,
+  PerMessageDeflate,
+  Receiver,
+  Sender,
+  subprotocol,
+  WebSocket,
+  WebSocketServer
+};
+
 export default WebSocket;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quantiya/codevibe-claude-plugin",
-  "version": "1.0.37",
+  "version": "1.0.39",
   "description": "Control Claude Code from your iPhone and Android — real-time sync, approve file edits, send prompts by voice. Part of CodeVibe.",
   "main": "dist/server.js",
   "bin": {
@@ -47,7 +47,7 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@quantiya/codevibe-core": "^1.0.21",
+    "@quantiya/codevibe-core": "^1.0.23",
     "dotenv": "^16.6.1",
     "express": "^5.1.0",
     "graphql": "^16.12.0",

package/node_modules/@quantiya/codevibe-core/dist/appsync/__tests__/appsync-client.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/audit-keys/__tests__/audit-keys-parity.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/audit-keys/index.d.ts

@@ -1,41 +0,0 @@
-export type Uuid = string;
-/**
- * `TaskCreated` — one per task lifecycle. Identity: `(task_id, kind)`.
- */
-export declare function dedupKeyForTaskCreated(taskId: Uuid): string;
-/**
- * `TaskTerminated` — one per task lifecycle. Identity: `(task_id, kind)`.
- */
-export declare function dedupKeyForTaskTerminated(taskId: Uuid): string;
-/**
- * `ProgressEvent` — keyed on `(task_id, kind, caller_event_id)`.
- *
- * `callerEventId` is REQUIRED (no `Option<&str>` fallback per the
- * 2f.2 §5.2 lock). Callers without a stable id must invent one
- * (e.g., a UUID at emit time); silently deriving from payload
- * bytes would re-introduce the dedup-drift bug the lock prevents.
- */
-export declare function dedupKeyForProgressEvent(taskId: Uuid, callerEventId: string): string;
-/**
- * `ToolUse` — keyed on `(task_id, kind, caller_event_id)`. Same
- * REQUIRED-not-optional rule as `dedupKeyForProgressEvent`.
- */
-export declare function dedupKeyForToolUse(taskId: Uuid, callerEventId: string): string;
-/**
- * `DestructiveActionEscalated` — keyed on `(gate_id, kind, action_id)`.
- *
- * Multiple destructive actions can be escalated within one gate
- * (e.g., a turn that proposes both `rm -rf` and `git push --force`).
- * `actionId` is the engine's internal id for the specific
- * destructive call (NOT the gate, NOT the round).
- */
-export declare function dedupKeyForDestructiveActionEscalated(gateId: Uuid, actionId: string): string;
-/**
- * `FlagBadApproval` — keyed on `(flagged_entry_id, kind)`.
- *
- * A user flagging the same prior approval twice should dedupe to
- * one flag. The Rust formula identifies the flag by the audit
- * entry being flagged (not by a synthesized "bad-approval id"
- * passed alongside).
- */
-export declare function dedupKeyForFlagBadApproval(flaggedEntryId: Uuid): string;

package/node_modules/@quantiya/codevibe-core/dist/auth/__tests__/auth-telemetry.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-bootstrap.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-failure-recourse.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-save.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-seat-picker.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-telemetry.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-test-agents.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-types.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/setup-wizard.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/__tests__/v1-options.test.d.ts

@@ -1 +0,0 @@
-export {};

package/node_modules/@quantiya/codevibe-core/dist/orchestration/detect-agents.d.ts

@@ -1,56 +0,0 @@
-import { Logger } from '../logger';
-import { AppSyncClient } from '../appsync';
-export type DetectableAgent = 'CLAUDE' | 'GEMINI' | 'CODEX';
-/**
- * Returns the subset of agents present on PATH. Uses `command -v`
- * (POSIX-standard) rather than `which` for portability across macOS
- * and Linux. Runs synchronously — the whole probe is <10ms in practice
- * even when agents are absent.
- *
- * Safe to call repeatedly; no caching here because the set of
- * installed agents CAN change between plugin launches (user installs
- * a new agent) and the caller decides how often to re-probe.
- */
-export declare function detectInstalledAgents(): DetectableAgent[];
-/**
- * Detect-and-push convenience for plugin daemon startup. All three
- * plugins (Claude, Gemini, Codex) call this once at start(). Runs
- * the local PATH probe, then pushes the set to the backend via
- * updateAvailableAgents. Idempotent — the backend dedupes and stores.
- * Non-fatal on the network failure path (caller should `.catch()`
- * and log but not abort startup — Quorum 2.0 auto-enable degrades
- * to "use last-pushed agent set" when the mutation fails).
- *
- * @param client  AppSyncClient that's already been authenticated via
- *                authenticateWithStoredTokens()
- * @param log     Logger — warn-level when no agents detected, info
- *                on success
- */
-export declare function pushDetectedAgents(client: AppSyncClient, log: Pick<Logger, 'info' | 'warn'>): Promise<void>;
-/**
- * Quorum 2.0 (2f.0.a.6) per-session orchestration CLI override applier.
- * All three plugin wrappers (`codevibe-claude`, `codevibe-gemini`,
- * `codevibe-codex`) export `CODEVIBE_ORCHESTRATION_OVERRIDE=true|false`
- * to the tmux env when the user passes `--orchestration` /
- * `--no-orchestration`. The daemon inherits this via the hook env
- * chain and calls THIS function after every session-creation site
- * to pin the per-session decision — wins outright over the server's
- * User.orchestrationEnabledDefault auto-populate.
- *
- * Called from each plugin's daemon at every session-creation call
- * site. Claude has one (handleSessionStart covers new + /resume
- * because Claude Code fires SessionStart on /resume). Gemini has
- * two (handleSessionStart + switchToResumedSession — /resume doesn't
- * fire SessionStart in Gemini). Codex has two (createLaunchSession
- * + handleSessionStarted — launch session gets replaced by runtime
- * session_meta).
- *
- * Non-fatal on error — a failed override doesn't block session setup;
- * the server's auto-populate decision stands and the user can flip
- * the session via mobile toggle after the fact.
- *
- * @param client     AppSyncClient authenticated for the session's owner
- * @param sessionId  Backend session ID (post-resumeOrCreateSession)
- * @param log        Logger
- */
-export declare function applyPerSessionOrchestrationOverride(client: AppSyncClient, sessionId: string, log: Pick<Logger, 'info' | 'warn'>): Promise<void>;

package/node_modules/@quantiya/codevibe-core/dist/orchestration/index.d.ts

@@ -1,3 +0,0 @@
-export { detectInstalledAgents, pushDetectedAgents, applyPerSessionOrchestrationOverride, type DetectableAgent, } from './detect-agents';
-export { runOrchestrationCli } from './orchestration-cli';
-export { V1_ORCHESTRATION_PROMPT_KIND, V1_ORCHESTRATION_OPTIONS, mapOptionNumberToUserDecisionKind, mapOptionToUserDecisionKind, mapV1KindToWire, type V1OrchestrationOption, type V1UserDecisionKind, } from './v1-options';

package/node_modules/@quantiya/codevibe-core/dist/orchestration/orchestration-cli.d.ts

@@ -1,12 +0,0 @@
-/**
- * Dispatch for the `orchestration` subcommand. Called by runAuthCli
- * when it sees `argv[2] === 'orchestration'`. Supports five sub-actions:
- *   enable    — set orchestrationEnabledDefault = true
- *   disable   — set orchestrationEnabledDefault = false
- *   status    — print current policy snapshot + installed agents
- *   configure — interactive wizard (toggle + panel customization)
- *   setup     — Phase 3.a (#190) 3-step locked setup wizard with Test
- *               My Agents (locked role taxonomy: architecture /
- *               correctness / security)
- */
-export declare function runOrchestrationCli(argv: string[]): Promise<void>;

package/node_modules/@quantiya/codevibe-core/dist/orchestration/setup-bootstrap.d.ts

@@ -1,146 +0,0 @@
-import { AppSyncClient } from '../appsync/appsync-client.js';
-import { DetectableAgent } from './detect-agents.js';
-import { CountBucket, WizardEntry, WizardTier } from './setup-types.js';
-import type { AgentKind } from '../reviewer/types.js';
-import type { UserReviewerPolicySnapshot } from '../types/reviewer.js';
-/**
- * Thrown by `defaultClientFactory` when `authenticateWithStoredTokens`
- * returns false AND the most recent failure kind is `'refresh_network'`
- * (transient 5xx / DNS / socket-reset during the Cognito refresh-token
- * POST). The wizard's `runBootstrap` catch routes this to
- * `subscription_status_network` — same recourse as
- * `getSubscriptionStatus` blowing up, but distinct from a genuine
- * `not_signed_in` (which we still surface as `not_signed_in` so the
- * user is told to re-authenticate).
- *
- * Stage 2 round-1 Codex M1. The error message is intentionally
- * network-shaped so the existing `isNetworkLikeError(message)` regex
- * also matches — defense in depth in case a future caller throws this
- * outside the bootstrap path.
- */
-export declare class AuthRefreshNetworkError extends Error {
-    constructor(cause: string);
-}
-/**
- * Successful bootstrap output. The wizard's state machine consumes
- * this to seed Step 1 (seat assignment).
- *
- * R1/R2 round-1 finding M1+L3+M6 (resolved 2026-05-08): the
- * authenticated `client` and the user's `email` are exposed here so
- * the wizard can render `✓ Signed in as <email>` per design §1
- * lines 47-50 and avoid double-authenticating before save.
- */
-export interface BootstrapResult {
-    tier: WizardTier;
-    /** Pro=2, Max=3. Free can't reach success (tier-gated above). */
-    seatBudget: number;
-    /** Lower-cased agent kinds detected on PATH, in canonical order. */
-    installedAgents: AgentKind[];
-    /** Pre-bucketed for telemetry; saved here so Step 1's emit doesn't recompute. */
-    installedAgentsBucket: CountBucket;
-    /**
-     * The authenticated AppSyncClient. Wizard reuses this for the save
-     * step rather than re-running `authenticateWithStoredTokens()` —
-     * eliminates the auth-evicted-between-bootstrap-and-save telemetry
-     * gap (R1 round-1 M1) and the wasteful double-auth (R1 round-1 L3).
-     */
-    client: AppSyncClient;
-    /**
-     * Email of the signed-in user (Cognito `email` claim), or null if
-     * the claim is not present. Used by the wizard's bootstrap-summary
-     * UI per design §1 lines 47-50.
-     */
-    userEmail: string | null;
-    /**
-     * Stage 2 round-1 Codex M2: the user's saved reviewer policy at
-     * bootstrap time, so the wizard can pre-populate seat-picker
-     * defaults on a re-run instead of always falling back to the
-     * tier-default agent / role priority. `null` when the snapshot
-     * fetch failed (the wizard then proceeds without saved-defaults —
-     * the canonical priority order is the fallback).
-     *
-     * Fetched via the existing `updateAvailableAgents` mutation, which
-     * is idempotent + already called by every plugin startup
-     * (`appsync-client.ts:721-724`). The wizard repeating it is safe
-     * and avoids introducing a new wire contract just to read three
-     * fields back.
-     */
-    savedPolicy: UserReviewerPolicySnapshot | null;
-}
-/**
- * Failure shape — discriminated by `kind`. The wizard surfaces a
- * user-facing message and exits with code 1; telemetry is fired by
- * `runBootstrap()` before the result is returned (so callers don't
- * re-fire on their failure path).
- */
-export type BootstrapFailure = {
-    kind: 'tier_gate_free';
-    tier: 'FREE';
-} | {
-    kind: 'not_signed_in';
-} | {
-    kind: 'subscription_status_network';
-    cause: string;
-} | {
-    kind: 'no_clis_installed';
-};
-export type BootstrapOutput = {
-    ok: true;
-    result: BootstrapResult;
-} | {
-    ok: false;
-    failure: BootstrapFailure;
-};
-/**
- * Inputs for `runBootstrap`. Threads the wizard run id through so
- * telemetry events stitch by `wizard_run_id`.
- *
- * `clientFactory` is injected so tests can swap in a mock AppSync
- * client; production passes `defaultClientFactory`.
- *
- * `agentDetector` defaults to `detectInstalledAgents` (the production
- * PATH walk) but is swappable for unit tests.
- *
- * `entry` is threaded in so `runBootstrap` can fire `wizard_started`
- * itself — Stage 2 round-1 Codex M3 moved the emit from the wizard
- * (where it skipped Free / no_clis users) into bootstrap (where it
- * fires post-tier-and-agents-known, before any gate).
- */
-export interface BootstrapDeps {
-    wizardRunId: string;
-    clientFactory: () => Promise<AppSyncClient | null>;
-    agentDetector: () => DetectableAgent[];
-    entry: WizardEntry;
-}
-/**
- * Production client factory. Builds an AppSyncClient and authenticates
- * with stored tokens. Returns null on `'no_tokens'` /
- * `'refresh_auth_rejected'` (the wizard maps both to `not_signed_in`);
- * THROWS `AuthRefreshNetworkError` on `'refresh_network'` so the
- * wizard's `runBootstrap` catch routes the user to
- * `subscription_status_network` instead of mistakenly telling a
- * signed-in user to re-login when their refresh-token POST hit a
- * transient 5xx.
- *
- * Stage 2 round-1 Codex M1: pre-fix, `authenticateWithStoredTokens`
- * returned false on every error path, including network failures
- * inside `callCognitoRefresh`'s catch block; the bootstrap's
- * `isNetworkLikeError` check only ran on caught throws and so never
- * fired in production for refresh-network failures.
- */
-export declare function defaultClientFactory(): Promise<AppSyncClient | null>;
-/**
- * Run Step 0. Emits `wizard_step_started{step:'bootstrap'}` on entry,
- * then either `wizard_step_completed` on success OR
- * `wizard_step_failed` + `wizard_aborted` on failure. Returns the
- * `BootstrapOutput` in either case so the caller can render UX before
- * exiting.
- *
- * Stage 2 round-1 Codex M3: `wizard_started` is emitted from here,
- * post-tier-and-agents-known, BEFORE the tier-gate / no-CLIs check.
- * Free + no_clis users now fire `wizard_started` (so analytics has
- * the funnel-entry numerator); auth/network bootstrap-aborts skip
- * `wizard_started` (no tier known) and surface as
- * `wizard_aborted{auth_expired | bootstrap_failure}` instead.
- */
-export declare function runBootstrap(deps: BootstrapDeps): Promise<BootstrapOutput>;

package/node_modules/@quantiya/codevibe-core/dist/orchestration/setup-failure-recourse.d.ts

@@ -1,23 +0,0 @@
-import type { PickerIO } from './setup-seat-picker.js';
-export type Step2Choice = 'retry' | 'save_anyway' | 'exit';
-export type Step3Choice = 'retry' | 'exit';
-/**
- * Render the Step 2 recourse menu after a Test My Agents failure.
- * Loops on invalid input. Returns the user's choice. The caller is
- * responsible for emitting `wizard_aborted` if `exit` is chosen.
- *
- * `canSaveAnyway` controls whether the `[s]` option is offered. When
- * false (spawn_failure / timeout), only `[r]` and `[x]` are accepted.
- */
-export declare function askStep2Recourse(io: PickerIO, canSaveAnyway: boolean): Promise<Step2Choice>;
-/**
- * Render the Step 3 recourse menu after a save failure. The caller's
- * retry loop preserves the in-memory `seats` state so retry is free.
- *
- * `recoverable` honors the §6 outcome table: when false
- * (auth_token_expired), `[r]` is suppressed because retry can only
- * fail again — the user must re-run `codevibe login` and start a new
- * wizard. The recourse menu collapses to a single `[x] exit` choice
- * with a re-auth instruction line. (R1 round-1 M3 / R2 round-1 M4.)
- */
-export declare function askStep3Recourse(io: PickerIO, recoverable?: boolean): Promise<Step3Choice>;

package/node_modules/@quantiya/codevibe-core/dist/orchestration/setup-save.d.ts

@@ -1,47 +0,0 @@
-import type { AppSyncClient } from '../appsync/appsync-client.js';
-import { WizardSeatPick, WizardStepFailureReason } from './setup-types.js';
-export type SaveResult = {
-    ok: true;
-} | {
-    ok: false;
-    reason: WizardStepFailureReason;
-    /**
-     * Whether `[r] retry` makes sense for this failure. Network /
-     * 5xx / throttle are retryable (transient). auth_token_expired
-     * is NOT retryable in-process — the user must re-run `codevibe
-     * login` and start a new wizard run.
-     */
-    recoverable: boolean;
-};
-export interface SaveDeps {
-    wizardRunId: string;
-    client: AppSyncClient;
-    seats: WizardSeatPick[];
-    /**
-     * Whether the user reached this step via "save anyway" after a
-     * Test My Agents warning. Drives the wizard_completed.outcome
-     * value at the wizard's terminal exit (`'ok' | 'saved_after_test_warning'`).
-     * Not used here — Step 3 just persists; the top-level wizard
-     * threads the outcome value into the final `wizard_completed` event.
-     */
-    savedAfterTestWarning: boolean;
-}
-/**
- * Run Step 3. Emits `wizard_step_started{step:'save'}` on entry,
- * `wizard_step_completed` on success, or `wizard_step_failed` with
- * the classified reason. Returns a SaveResult the wizard's recourse
- * loop consumes.
- */
-export declare function runSave(deps: SaveDeps): Promise<SaveResult>;
-/**
- * Classify a thrown error from `updateReviewerPolicy` into one of the
- * §7 save-step reason codes. Best-effort matching against the AppSync
- * client's error message conventions:
- *   - 401 / "Unauthorized" / "Token expired" → auth_token_expired
- *   - 429 / "Throttling" / "Rate exceeded" → update_policy_throttle
- *   - 5xx / "Internal" / "InternalServerError" → update_policy_5xx
- *   - everything else (fetch threw, ECONNRESET, DNS) → update_policy_network
- *
- * Exposed for tests to assert classification mapping.
- */
-export declare function classifySaveError(err: unknown): WizardStepFailureReason;