@quantiya/codevibe-core 1.0.17 → 2.0.0

package/dist/appsync/appsync-client.d.ts

@@ -1,4 +1,4 @@
-import { CreateEventInput, CreateSessionInput, UpdateSessionInput, UpdateEventStatusInput, Event, Session, EventSource, DeviceKey, GrantSessionKeyInput } from '../types';
+import { CreateEventInput, CreateSessionInput, UpdateSessionInput, UpdateEventStatusInput, Event, Session, EventSource, DeviceKey, GrantSessionKeyInput, UpdateReviewerPolicyInput, UserReviewerPolicySnapshot } from '../types';
 /**
  * Download URL response
  */
@@ -15,9 +15,6 @@ export declare class AppSyncClient {
     private currentEmail;
     private tokens;
     private activeSubscriptions;
-    private pendingRefresh;
-    private lastRefreshFailureAt;
-    private static readonly REFRESH_BACKOFF_MS;
     private deviceKeyWatcher;
     private environment;
     constructor();
@@ -37,47 +34,6 @@ export declare class AppSyncClient {
      * Refresh expired tokens
      */
     private refreshTokens;
-    /**
-     * Do the work of refreshing tokens. Tries the caller-supplied tokens
-     * first; on failure, re-reads from storage and retries once with a
-     * potentially-fresher refresh token. This is the self-healing path
-     * that lets `codevibe login` (which writes new tokens to the
-     * keychain) recover running daemons without requiring a restart:
-     * the in-memory copy the daemon cached at boot may be invalid, but
-     * whatever the user just wrote from the login flow is still valid.
-     *
-     * Splitting the two attempts into a pure-network helper keeps the
-     * orchestration readable without duplicating the fetch + body-shape
-     * plumbing.
-     */
-    private performRefresh;
-    /**
-     * POST to Cognito's /oauth2/token with a refresh_token grant.
-     * Returns the parsed body on 200, or null on any failure (network
-     * error, non-2xx response, JSON parse failure). Caller decides how
-     * to proceed — this helper is side-effect-free beyond logging.
-     */
-    private callCognitoRefresh;
-    /**
-     * Apply a successful refresh response: update in-memory cache first,
-     * clear the backoff sentinel, then persist to storage. Success here
-     * is defined as "the process has usable fresh tokens in memory" —
-     * storage persistence is degraded-success, not a failure mode.
-     *
-     * Ordering matters. The API call to Cognito already succeeded, which
-     * means we hold valid access/id tokens right now. If we delayed the
-     * in-memory update until after persistence and the keychain write
-     * threw (keychain locked, disk full, file-backend permission error),
-     * we'd be stuck with stale-and-known-dead tokens in memory while
-     * holding valid fresh tokens in local scope that vanish at the end
-     * of this function. That would re-break both guarantees this hotfix
-     * makes: no-restart recovery becomes "restart required to escape
-     * the keychain-lock window," and backoff stays unarmed so the
-     * caller hot-loops against a working Cognito endpoint — R1's MEDIUM
-     * on round 1 of this review. Persistence-failure is loud-logged
-     * so operators can see degraded durability without losing availability.
-     */
-    private applyRefreshedTokens;
     /**
      * Check if authenticated
      */
@@ -114,45 +70,6 @@ export declare class AppSyncClient {
      * List events for a session
      */
     listEvents(sessionId: string, source?: EventSource, limit?: number): Promise<Event[]>;
-    /**
-     * List the authenticated user's sessions. Paginates automatically
-     * via nextToken so callers always get the complete set.
-     */
-    listSessions(limit?: number): Promise<Array<{
-        sessionId: string;
-        agentType: string;
-        status: string;
-        lastHeartbeatAt: string | null;
-    }>>;
-    /**
-     * Mark stale ACTIVE sessions of a given agentType INACTIVE so they
-     * stop appearing in the mobile app's session list. Called at daemon
-     * startup to clean up after daemons that died without running their
-     * graceful shutdown (crash, auth-loop death, force-kill, power loss).
-     *
-     * Staleness rule: lastHeartbeatAt is older than `staleThresholdMs`
-     * (default 15 min — a conservative ~7.5× the 2-min heartbeat
-     * interval, giving legitimately-active daemons on other machines
-     * ample margin before we consider their session abandoned).
-     *
-     * Safety:
-     *   - Only sessions with status === 'ACTIVE' are candidates.
-     *   - Sessions explicitly listed in `excludeSessionIds` are skipped
-     *     (caller can pass the session the daemon is about to attach to
-     *     if the ID is known before the sweep).
-     *   - Absent `lastHeartbeatAt` (never-heartbeated sessions — should
-     *     only happen for rows created within the last few seconds)
-     *     treats the session as fresh and skips.
-     *   - updateSession failures are logged as warnings and don't abort
-     *     the sweep — best-effort cleanup.
-     *
-     * Returns the number of sessions actually marked INACTIVE.
-     */
-    sweepOrphanSessions(opts: {
-        agentType: string;
-        staleThresholdMs?: number;
-        excludeSessionIds?: string[];
-    }): Promise<number>;
     /**
      * List user device keys
      */
@@ -177,6 +94,21 @@ export declare class AppSyncClient {
      * Get attachment download URL
      */
     getAttachmentDownloadUrl(s3Key: string): Promise<DownloadUrlResponse>;
+    /**
+     * Plugin startup pushes the user's locally-detected agents
+     * (`CLAUDE` / `GEMINI` / `CODEX`). Idempotent — safe to call every
+     * launch. Backend stores in `User.availableAgents`; used later to
+     * derive tier-default reviewer seat assignments.
+     */
+    updateAvailableAgents(agents: Array<'CLAUDE' | 'GEMINI' | 'CODEX'>): Promise<UserReviewerPolicySnapshot>;
+    /**
+     * Persist the user's orchestration opt-in default and/or custom
+     * reviewer panel. Backend validates seat-count against tier, seat_id
+     * uniqueness + range, and role uniqueness. Throws on validation
+     * failure — error message is user-facing (surfaced to the
+     * configure-reviewers wizard).
+     */
+    updateReviewerPolicy(input: UpdateReviewerPolicyInput): Promise<UserReviewerPolicySnapshot>;
     /**
      * Subscribe to events for a session
      */

package/dist/appsync/queries.d.ts

@@ -2,14 +2,6 @@ export declare const queries: {
     getSession: string;
     listEvents: string;
     listUserDeviceKeys: string;
-    /**
-     * Minimal session listing used by the orphan-sweep path. Only the
-     * fields needed to decide whether a session row is stale — sessionId
-     * for the INACTIVE mutation, agentType for the per-plugin filter,
-     * status to skip non-ACTIVE rows, and lastHeartbeatAt for the age
-     * check.
-     */
-    listSessions: string;
 };
 export declare const mutations: {
     createSession: string;
@@ -19,6 +11,8 @@ export declare const mutations: {
     registerDeviceKey: string;
     grantSessionKey: string;
     getAttachmentDownloadUrl: string;
+    updateAvailableAgents: string;
+    updateReviewerPolicy: string;
 };
 export declare const subscriptions: {
     onEventCreated: string;

package/dist/audit-keys/__tests__/audit-keys-parity.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit-keys/index.d.ts

@@ -0,0 +1,41 @@
+export type Uuid = string;
+/**
+ * `TaskCreated` — one per task lifecycle. Identity: `(task_id, kind)`.
+ */
+export declare function dedupKeyForTaskCreated(taskId: Uuid): string;
+/**
+ * `TaskTerminated` — one per task lifecycle. Identity: `(task_id, kind)`.
+ */
+export declare function dedupKeyForTaskTerminated(taskId: Uuid): string;
+/**
+ * `ProgressEvent` — keyed on `(task_id, kind, caller_event_id)`.
+ *
+ * `callerEventId` is REQUIRED (no `Option<&str>` fallback per the
+ * 2f.2 §5.2 lock). Callers without a stable id must invent one
+ * (e.g., a UUID at emit time); silently deriving from payload
+ * bytes would re-introduce the dedup-drift bug the lock prevents.
+ */
+export declare function dedupKeyForProgressEvent(taskId: Uuid, callerEventId: string): string;
+/**
+ * `ToolUse` — keyed on `(task_id, kind, caller_event_id)`. Same
+ * REQUIRED-not-optional rule as `dedupKeyForProgressEvent`.
+ */
+export declare function dedupKeyForToolUse(taskId: Uuid, callerEventId: string): string;
+/**
+ * `DestructiveActionEscalated` — keyed on `(gate_id, kind, action_id)`.
+ *
+ * Multiple destructive actions can be escalated within one gate
+ * (e.g., a turn that proposes both `rm -rf` and `git push --force`).
+ * `actionId` is the engine's internal id for the specific
+ * destructive call (NOT the gate, NOT the round).
+ */
+export declare function dedupKeyForDestructiveActionEscalated(gateId: Uuid, actionId: string): string;
+/**
+ * `FlagBadApproval` — keyed on `(flagged_entry_id, kind)`.
+ *
+ * A user flagging the same prior approval twice should dedupe to
+ * one flag. The Rust formula identifies the flag by the audit
+ * entry being flagged (not by a synthesized "bad-approval id"
+ * passed alongside).
+ */
+export declare function dedupKeyForFlagBadApproval(flaggedEntryId: Uuid): string;

package/dist/auth/auth-service.d.ts

@@ -8,8 +8,10 @@ export declare class AuthService {
     static getInstance(): AuthService;
     /**
      * Open URL in the user's default browser. Cross-platform: macOS, Linux,
-     * WSL, Windows. Always prints the URL to stdout first as a fallback —
+     * WSL, Windows. Always prints the URL to stderr first as a fallback —
      * if no browser-opening command is available, the user can copy-paste.
+     * (stderr, not stdout, because install.sh's auth stage discards stdout
+     * via `2>&1 >/dev/null`. See body comment.)
      *
      * On WSL, prefers opening the Windows host browser via WSL interop
      * (wslview → cmd.exe → powershell.exe) before falling back to xdg-open.
@@ -41,7 +43,7 @@ export declare class AuthService {
      *     is doing real work like launching a slow app, not hung)
      *
      * If all attempts exhaust, logs at debug level — the user still has the
-     * sign-in URL printed to stdout as a copy-paste fallback.
+     * sign-in URL printed to stderr above as a copy-paste fallback.
      */
     private tryBrowserCommand;
     /**

package/dist/auth/auth-telemetry.d.ts

@@ -40,19 +40,10 @@ export declare function fireAuthCompletedBeacon(userId: string): Promise<void>;
  * `reason` is constrained to the `AuthFailureReason` union — this
  * is the ONLY input path; passing a raw error message is a compile
  * error.
- *
- * Optional `errorFragment` is a diagnostic dimension reserved for
- * `reason: 'unknown'`. The outer `auth-cli` catch passes the first
- * portion of `error.message` here so the next analytics pass can
- * see what's hiding in `unknown` and we can ship a typed reason in
- * a follow-up. Sanitized inside (newlines/tabs/quotes/backslashes
- * stripped, non-ASCII dropped, capped at 100 chars to match GA4's
- * default per-param limit).
  */
 export declare function fireAuthFailedBeacon(reason: AuthFailureReason, extra?: {
     httpStatus?: number;
     stage?: AuthStage;
-    errorFragment?: string;
 }): Promise<void>;
 /**
  * Attach the reason + beaconed marker to an Error. Non-enumerable so

package/dist/index.d.ts

@@ -13,4 +13,8 @@ export { parseInteractivePrompt, normalizeSnapshot, } from './prompt-parser';
 export type { ParsedInteractivePrompt, PromptKind, InteractivePromptOption, } from './prompt-parser';
 export { resumeOrCreateSession, prepareSessionEncryption, rekeySessionForNewDevices, startDeviceKeyWatcher, registerDeviceEncryptionKey, } from './session';
 export type { ResumeOrCreateSessionInput, ResumeOrCreateSessionResult } from './session';
+export { detectInstalledAgents, pushDetectedAgents, applyPerSessionOrchestrationOverride, runOrchestrationCli, } from './orchestration';
+export type { DetectableAgent } from './orchestration';
+export * as Reviewer from './reviewer';
+export * as AuditKeys from './audit-keys';
 export * from './types';