@remnic/core 1.1.22 → 1.1.23

package/dist/{chunk-GGCJ253V.js → chunk-MVAOT247.js}

@@ -22,7 +22,7 @@ import {
 import {
   CompoundingEngine,
   defaultTierMigrationCycleBudget
-} from "./chunk-FSODDMR2.js";
+} from "./chunk-IANK6Y5W.js";
 import {
   SharedContextManager
 } from "./chunk-U4SCL7B7.js";
@@ -168,7 +168,7 @@ import {
   buildEntityRecallSection,
   entityRecentTranscriptLookbackHours,
   readRecentEntityTranscriptEntries
-} from "./chunk-2IRT26RZ.js";
+} from "./chunk-QYHQ2JHL.js";
 import {
   buildEventOrderRecallSection,
   shouldRecallEventOrderEvidence
@@ -203,7 +203,7 @@ import {
   materializeAfterSemanticConsolidation,
   parseConsolidationResponse,
   parseOperatorAwareConsolidationResponse
-} from "./chunk-SZKCBLS5.js";
+} from "./chunk-PUXCIHRL.js";
 import {
   normalizeReplaySessionKey
 } from "./chunk-2PRQG7PV.js";
@@ -212,13 +212,13 @@ import {
 } from "./chunk-LUDTDZLK.js";
 import {
   searchVerifiedEpisodes
-} from "./chunk-5IQC4OG6.js";
+} from "./chunk-4H6DURG6.js";
 import {
   ThreadingManager
 } from "./chunk-W4RVMTHR.js";
 import {
   searchVerifiedSemanticRules
-} from "./chunk-QOHBYVZG.js";
+} from "./chunk-3F24QTRI.js";
 import {
   searchWorkProductLedgerEntries
 } from "./chunk-CULXMQJH.js";
@@ -230,7 +230,7 @@ import {
 } from "./chunk-EABGC2TL.js";
 import {
   NamespaceStorageRouter
-} from "./chunk-TLM762GT.js";
+} from "./chunk-2WIPXV3Y.js";
 import {
   NamespaceSearchRouter
 } from "./chunk-W7DK3CYM.js";
@@ -340,7 +340,7 @@ import {
   normalizeAttributePairs,
   normalizeEntityName,
   parseEntityFile
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 import {
   attachCitation,
   hasCitationForTemplate,
@@ -12433,4 +12433,4 @@ export {
   resolvePersistedMemoryRelativePath,
   Orchestrator
 };
-//# sourceMappingURL=chunk-GGCJ253V.js.map
+//# sourceMappingURL=chunk-MVAOT247.js.map

package/dist/{chunk-SH5S7XYD.js → chunk-MXFBBHJU.js}

@@ -1,11 +1,18 @@
 import {
+  AUTH_TAG_LENGTH,
+  ENVELOPE_HEADER_SIZE,
+  ENVELOPE_LAYOUT,
+  ENVELOPE_SALT_LENGTH,
+  ENVELOPE_VERSION,
+  IV_LENGTH,
   generateSalt,
   open,
   seal
 } from "./chunk-A6XUJE5D.js";
 
 // src/secure-store/secure-fs.ts
-import { lstat, mkdir, readFile, readdir, rename, unlink, writeFile } from "fs/promises";
+import { createCipheriv, randomBytes } from "crypto";
+import { lstat, mkdir, open as openFile, readFile, readdir, rename, unlink, writeFile } from "fs/promises";
 import path from "path";
 var SecureStoreLockedError = class extends Error {
   constructor(message = "secure-store is locked \u2014 run `remnic secure-store unlock` to decrypt") {
@@ -62,6 +69,12 @@ function decryptFileBody(buf, key, aad) {
     );
   }
 }
+function buildHeaderAad(salt) {
+  const out = Buffer.alloc(1 + ENVELOPE_SALT_LENGTH);
+  out.writeUInt8(ENVELOPE_VERSION, 0);
+  Buffer.from(salt).copy(out, 1);
+  return out;
+}
 function filePathAad(filePath, memoryDir) {
   let rel = filePath;
   if (memoryDir && path.isAbsolute(filePath)) {
@@ -111,6 +124,62 @@ async function writeMaybeEncryptedFile(filePath, content, key, options = {}, mem
     await writeFile(filePath, data, { mode });
   }
 }
+async function writeMaybeEncryptedFileFromChunks(filePath, chunks, key, options = {}, memoryDir) {
+  const { mode = 384, atomic = true } = options;
+  await mkdir(path.dirname(filePath), { recursive: true });
+  const writePath = atomic ? `${filePath}.tmp-${process.pid}-${Date.now()}` : filePath;
+  let completed = false;
+  try {
+    const handle = await openFile(writePath, "w", mode);
+    try {
+      if (key !== null) {
+        const salt = generateSalt();
+        const iv = randomBytes(IV_LENGTH);
+        const header = Buffer.alloc(MAGIC_HEADER_SIZE + ENVELOPE_HEADER_SIZE);
+        MAGIC_BYTES.copy(header, 0);
+        header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);
+        header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);
+        const envelopeOffset = MAGIC_HEADER_SIZE;
+        header.writeUInt8(ENVELOPE_VERSION, envelopeOffset + ENVELOPE_LAYOUT.version);
+        salt.copy(header, envelopeOffset + ENVELOPE_LAYOUT.salt);
+        iv.copy(header, envelopeOffset + ENVELOPE_LAYOUT.iv);
+        await handle.write(header);
+        const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: AUTH_TAG_LENGTH });
+        const aad = filePathAad(filePath, memoryDir);
+        cipher.setAAD(Buffer.concat([buildHeaderAad(salt), aad]));
+        for await (const chunk of chunks) {
+          if (chunk.length === 0) continue;
+          const encrypted = cipher.update(chunk);
+          if (encrypted.length > 0) await handle.write(encrypted);
+        }
+        const final = cipher.final();
+        if (final.length > 0) await handle.write(final);
+        const authTag = cipher.getAuthTag();
+        await handle.write(
+          authTag,
+          0,
+          authTag.length,
+          MAGIC_HEADER_SIZE + ENVELOPE_LAYOUT.authTag
+        );
+      } else {
+        for await (const chunk of chunks) {
+          if (chunk.length > 0) await handle.write(chunk);
+        }
+      }
+    } finally {
+      await handle.close();
+    }
+    if (atomic) {
+      await rename(writePath, filePath);
+    }
+    completed = true;
+  } finally {
+    if (!completed && atomic) {
+      await unlink(writePath).catch(() => {
+      });
+    }
+  }
+}
 async function migrateMemoryDirToEncrypted(dir, key, onBeforeEncrypt) {
   const result = { encrypted: 0, skipped: 0, errors: [] };
   const files = await collectEncryptableStorageFiles(dir);
@@ -306,7 +375,8 @@ export {
   readMaybeEncryptedFileBuffer,
   readMaybeEncryptedFile,
   writeMaybeEncryptedFile,
+  writeMaybeEncryptedFileFromChunks,
   migrateMemoryDirToEncrypted,
   decryptMemoryDirToPlaintext
 };
-//# sourceMappingURL=chunk-SH5S7XYD.js.map
+//# sourceMappingURL=chunk-MXFBBHJU.js.map

package/dist/chunk-MXFBBHJU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/secure-store/secure-fs.ts"],"sourcesContent":["/**\n * Transparent file-level encryption for the secure-store module.\n *\n * Issue #690 (PR 3/4) — storage.ts integration layer.\n *\n * This module sits between the raw filesystem and StorageManager.\n * Every memory file is either:\n *   - a plain UTF-8 text file (legacy, back-compat), or\n *   - a REMNIC-ENC sealed file (AES-256-GCM, see format below).\n *\n * On-disk format\n * --------------\n * Encrypted files begin with a 9-byte magic header:\n *\n *   REMNIC-ENC  (7 ASCII bytes)\n *   VER         (1 byte, currently 0x01)\n *   FLAGS       (1 byte, reserved, must be 0x00)\n *\n * Followed immediately by a `seal()` envelope from `cipher.ts`:\n *\n *   [VERSION:1][SALT:16][IV:12][AUTHTAG:16][CIPHERTEXT:...]\n *\n * The magic header makes encrypted files sniffable without attempting\n * a full `open()` call and gives operators a clear signal that the\n * file cannot be read by opening it in an editor.\n *\n * AAD\n * ---\n * The file path relative to the memory root is bound as Associated\n * Authenticated Data (AAD) on both encrypt and decrypt. This means\n * moving or renaming an encrypted file without re-encrypting it will\n * cause auth-tag failure on the next read — the file is tied to its\n * path. Callers that move files must re-encrypt them.\n *\n * Back-compat\n * -----------\n * `readMaybeEncryptedFile` transparently handles both formats: if the\n * file does NOT start with the magic bytes, it is returned as-is (plain\n * text). This lets an operator migrate incrementally: newly-written\n * files are encrypted while existing files continue to be read in plain\n * form until `migrateMemoryDirToEncrypted` is run.\n *\n * Naming: `secure-fs.ts` (not `vault-fs.ts`) — see `kdf.ts` naming note.\n */\n\nimport { createCipheriv, randomBytes } from \"node:crypto\";\nimport { lstat, mkdir, open as openFile, readFile, readdir, rename, unlink, writeFile } from \"node:fs/promises\";\nimport path from \"node:path\";\n\nimport {\n  AUTH_TAG_LENGTH,\n  ENVELOPE_HEADER_SIZE,\n  ENVELOPE_LAYOUT,\n  ENVELOPE_SALT_LENGTH,\n  ENVELOPE_VERSION,\n  IV_LENGTH,\n  generateSalt,\n  open as openEnvelope,\n  seal,\n} from \"./cipher.js\";\n\n// ---------------------------------------------------------------------------\n// Error classes\n// ---------------------------------------------------------------------------\n\n/**\n * Thrown when a read is attempted but the keyring entry for this\n * store is absent (i.e. `secure-store unlock` has not been run\n * since the last daemon start).\n */\nexport class SecureStoreLockedError extends Error {\n  constructor(message = \"secure-store is locked — run `remnic secure-store unlock` to decrypt\") {\n    super(message);\n    this.name = \"SecureStoreLockedError\";\n  }\n}\n\n/**\n * Thrown when `open()` fails because the auth tag does not validate.\n * This covers both wrong-key and tampered-ciphertext scenarios —\n * intentionally indistinguishable from the caller's perspective.\n */\nexport class SecureStoreDecryptError extends Error {\n  constructor(message = \"secure-store decryption failed — wrong key or tampered ciphertext\") {\n    super(message);\n    this.name = \"SecureStoreDecryptError\";\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Magic header\n// ---------------------------------------------------------------------------\n\n/** Magic bytes: the ASCII string \"REMNIC-ENC\" (10 bytes). */\nexport const MAGIC_BYTES = Buffer.from(\"REMNIC-ENC\", \"ascii\");\n\n/** Current on-disk version byte. */\nexport const FILE_FORMAT_VERSION = 0x01;\n\n/** Reserved flags byte — must be 0x00. */\nexport const FILE_FORMAT_FLAGS = 0x00;\n\n/** Total size of the magic header prefix (magic + version + flags). */\nexport const MAGIC_HEADER_SIZE = MAGIC_BYTES.length + 2; // 12 bytes\n\n// ---------------------------------------------------------------------------\n// Detection\n// ---------------------------------------------------------------------------\n\n/**\n * Return true iff `buf` begins with the REMNIC-ENC magic header.\n * Does not validate the envelope; just identifies the format.\n */\nexport function isEncryptedFile(buf: Uint8Array): boolean {\n  if (buf.length < MAGIC_HEADER_SIZE) return false;\n  const b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf);\n  return b.subarray(0, MAGIC_BYTES.length).equals(MAGIC_BYTES);\n}\n\n// ---------------------------------------------------------------------------\n// Encrypt / decrypt file body\n// ---------------------------------------------------------------------------\n\n/**\n * Encrypt `plain` (UTF-8 content of a memory file) and return a\n * Buffer ready to write to disk.\n *\n * @param plain  Plain-text file content (UTF-8 string or Buffer).\n * @param key    32-byte AES-256 key from the keyring.\n * @param aad    Optional associated data — defaults to empty if omitted.\n *               Callers should pass the file path relative to memoryDir\n *               so the ciphertext is bound to its location.\n */\nexport function encryptFileBody(plain: string | Buffer, key: Buffer, aad?: Buffer): Buffer {\n  const plainBuf = typeof plain === \"string\" ? Buffer.from(plain, \"utf8\") : plain;\n  const salt = generateSalt();\n  const envelope = seal(key, salt, plainBuf, aad ? { aad } : {});\n\n  const header = Buffer.alloc(MAGIC_HEADER_SIZE);\n  MAGIC_BYTES.copy(header, 0);\n  header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);\n  header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);\n\n  return Buffer.concat([header, envelope]);\n}\n\n/**\n * Decrypt a buffer produced by `encryptFileBody` and return the\n * original UTF-8 content.\n *\n * Throws `SecureStoreDecryptError` on auth failure (wrong key or\n * tampered ciphertext). Throws a plain `Error` for structural problems\n * (truncated buffer, wrong magic, unsupported version).\n */\nexport function decryptFileBody(buf: Buffer, key: Buffer, aad?: Buffer): Buffer {\n  if (!isEncryptedFile(buf)) {\n    throw new Error(\"decryptFileBody: buffer does not start with REMNIC-ENC magic header\");\n  }\n  const version = buf.readUInt8(MAGIC_BYTES.length);\n  if (version !== FILE_FORMAT_VERSION) {\n    throw new Error(\n      `decryptFileBody: unsupported file format version ${version} (this build supports ${FILE_FORMAT_VERSION})`,\n    );\n  }\n  const flags = buf.readUInt8(MAGIC_BYTES.length + 1);\n  if (flags !== FILE_FORMAT_FLAGS) {\n    throw new Error(`decryptFileBody: unknown flags byte 0x${flags.toString(16).padStart(2, \"0\")}`);\n  }\n  const envelope = buf.subarray(MAGIC_HEADER_SIZE);\n  try {\n    return openEnvelope(key, envelope, aad ? { aad } : {});\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    throw new SecureStoreDecryptError(\n      `secure-store decryption failed: ${msg}`,\n    );\n  }\n}\n\nfunction buildHeaderAad(salt: Uint8Array): Buffer {\n  const out = Buffer.alloc(1 + ENVELOPE_SALT_LENGTH);\n  out.writeUInt8(ENVELOPE_VERSION, 0);\n  Buffer.from(salt).copy(out, 1);\n  return out;\n}\n\n// ---------------------------------------------------------------------------\n// Path → AAD helper\n// ---------------------------------------------------------------------------\n\n/**\n * Build the AAD buffer for a file at `filePath` relative to\n * `memoryDir`. The AAD binds the ciphertext to its path so a\n * file cannot be silently relocated without re-encryption.\n *\n * When `memoryDir` is supplied and `filePath` is absolute, the\n * relative sub-path is used. Otherwise `filePath` is used verbatim.\n */\nexport function filePathAad(filePath: string, memoryDir?: string): Buffer {\n  let rel = filePath;\n  if (memoryDir && path.isAbsolute(filePath)) {\n    rel = path.relative(memoryDir, filePath);\n  }\n  return Buffer.from(rel, \"utf8\");\n}\n\n// ---------------------------------------------------------------------------\n// High-level read / write helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Read a file from `filePath`.\n *\n * - If the file is plaintext (no magic header), return its content\n *   as-is — back-compat with unencrypted stores.\n * - If the file is encrypted AND `key` is provided, decrypt and return\n *   the plaintext content.\n * - If the file is encrypted AND `key` is null, throw\n *   `SecureStoreLockedError`.\n *\n * @param filePath  Absolute path to the file.\n * @param key       32-byte AES-256 key, or null when the store is locked.\n * @param memoryDir Memory root for path-bound AAD.  Should be absolute.\n */\nexport async function readMaybeEncryptedFileBuffer(\n  filePath: string,\n  key: Buffer | null,\n  memoryDir?: string,\n): Promise<Buffer> {\n  const buf = await readFile(filePath);\n  if (!isEncryptedFile(buf)) {\n    // Plain file — legacy or unencrypted store.\n    return buf;\n  }\n  // Encrypted — key required.\n  if (key === null) {\n    throw new SecureStoreLockedError(\n      `secure-store is locked — cannot read encrypted file at ${filePath}. ` +\n        \"Run `remnic secure-store unlock` to decrypt.\",\n    );\n  }\n  const aad = filePathAad(filePath, memoryDir);\n  return decryptFileBody(buf, key, aad);\n}\n\nexport async function readMaybeEncryptedFile(\n  filePath: string,\n  key: Buffer | null,\n  memoryDir?: string,\n): Promise<string> {\n  return (await readMaybeEncryptedFileBuffer(filePath, key, memoryDir)).toString(\"utf8\");\n}\n\nexport interface WriteMaybeEncryptedFileOptions {\n  /**\n   * File mode bits. Default 0o600 (owner read/write only).\n   * Applied only on create; existing files inherit their existing mode.\n   */\n  mode?: number;\n  /**\n   * If true, write atomically via a temp file + rename (CLAUDE.md gotcha #54).\n   * Default true.\n   */\n  atomic?: boolean;\n}\n\n/**\n * Write `content` to `filePath`.\n *\n * - If `key` is provided and non-null, encrypt the content first.\n * - If `key` is null, write the content as plain UTF-8 (unencrypted store).\n *\n * Writes atomically: content is written to a `.tmp-<pid>-<ts>` file\n * first, then renamed into place (CLAUDE.md gotcha #54 — never delete\n * before write).\n */\nexport async function writeMaybeEncryptedFile(\n  filePath: string,\n  content: string | Buffer,\n  key: Buffer | null,\n  options: WriteMaybeEncryptedFileOptions = {},\n  memoryDir?: string,\n): Promise<void> {\n  const { mode = 0o600, atomic = true } = options;\n  await mkdir(path.dirname(filePath), { recursive: true });\n\n  let data: Buffer | string;\n  if (key !== null) {\n    const aad = filePathAad(filePath, memoryDir);\n    data = encryptFileBody(content, key, aad);\n  } else {\n    data = content;\n  }\n\n  if (atomic) {\n    const tempPath = `${filePath}.tmp-${process.pid}-${Date.now()}`;\n    try {\n      await writeFile(tempPath, data, { mode });\n      await rename(tempPath, filePath);\n    } catch (err) {\n      // Best-effort cleanup of the temp file.\n      try {\n        await unlink(tempPath);\n      } catch {\n        // ignore\n      }\n      throw err;\n    }\n  } else {\n    await writeFile(filePath, data, { mode });\n  }\n}\n\nexport async function writeMaybeEncryptedFileFromChunks(\n  filePath: string,\n  chunks: AsyncIterable<Buffer>,\n  key: Buffer | null,\n  options: WriteMaybeEncryptedFileOptions = {},\n  memoryDir?: string,\n): Promise<void> {\n  const { mode = 0o600, atomic = true } = options;\n  await mkdir(path.dirname(filePath), { recursive: true });\n  const writePath = atomic ? `${filePath}.tmp-${process.pid}-${Date.now()}` : filePath;\n  let completed = false;\n  try {\n    const handle = await openFile(writePath, \"w\", mode);\n    try {\n      if (key !== null) {\n        const salt = generateSalt();\n        const iv = randomBytes(IV_LENGTH);\n        const header = Buffer.alloc(MAGIC_HEADER_SIZE + ENVELOPE_HEADER_SIZE);\n        MAGIC_BYTES.copy(header, 0);\n        header.writeUInt8(FILE_FORMAT_VERSION, MAGIC_BYTES.length);\n        header.writeUInt8(FILE_FORMAT_FLAGS, MAGIC_BYTES.length + 1);\n        const envelopeOffset = MAGIC_HEADER_SIZE;\n        header.writeUInt8(ENVELOPE_VERSION, envelopeOffset + ENVELOPE_LAYOUT.version);\n        salt.copy(header, envelopeOffset + ENVELOPE_LAYOUT.salt);\n        iv.copy(header, envelopeOffset + ENVELOPE_LAYOUT.iv);\n        await handle.write(header);\n\n        const cipher = createCipheriv(\"aes-256-gcm\", key, iv, { authTagLength: AUTH_TAG_LENGTH });\n        const aad = filePathAad(filePath, memoryDir);\n        cipher.setAAD(Buffer.concat([buildHeaderAad(salt), aad]));\n        for await (const chunk of chunks) {\n          if (chunk.length === 0) continue;\n          const encrypted = cipher.update(chunk);\n          if (encrypted.length > 0) await handle.write(encrypted);\n        }\n        const final = cipher.final();\n        if (final.length > 0) await handle.write(final);\n        const authTag = cipher.getAuthTag();\n        await handle.write(\n          authTag,\n          0,\n          authTag.length,\n          MAGIC_HEADER_SIZE + ENVELOPE_LAYOUT.authTag,\n        );\n      } else {\n        for await (const chunk of chunks) {\n          if (chunk.length > 0) await handle.write(chunk);\n        }\n      }\n    } finally {\n      await handle.close();\n    }\n    if (atomic) {\n      await rename(writePath, filePath);\n    }\n    completed = true;\n  } finally {\n    if (!completed && atomic) {\n      await unlink(writePath).catch(() => {});\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Migration\n// ---------------------------------------------------------------------------\n\nexport interface MigrateResult {\n  /** Number of files successfully encrypted. */\n  encrypted: number;\n  /** Number of files already encrypted (skipped). */\n  skipped: number;\n  /** Files that failed to encrypt (path → error message). */\n  errors: Array<{ filePath: string; error: string }>;\n}\n\nexport interface DecryptResult {\n  /** Number of files successfully decrypted back to plaintext. */\n  decrypted: number;\n  /** Number of files already plaintext (skipped). */\n  skipped: number;\n  /** Files that failed to decrypt (path → error message). */\n  errors: Array<{ filePath: string; error: string }>;\n}\n\n/**\n * Walk `dir` recursively, find encryptable storage-managed files that are not\n * yet encrypted, and re-write them as encrypted files under `key`.\n *\n * Safety rules per CLAUDE.md gotchas #54 and #25:\n *   1. A page-version snapshot is taken (via `createVersion`) BEFORE\n *      each overwrite so the plaintext version is preserved in history.\n *      Since this module has no direct access to `page-versioning.ts`\n *      internals, callers who have page-versioning configured should\n *      pass `onBeforeEncrypt` to take the snapshot.\n *   2. The new encrypted content is written to a temp file first,\n *      then renamed atomically — never deleted before written.\n *   3. If encryption of any file fails, the error is recorded and the\n *      original file is left intact (partial migration is safe).\n *\n * @param dir              Absolute path to the memory directory.\n * @param key              32-byte AES-256 key.\n * @param onBeforeEncrypt  Optional callback invoked before encrypting\n *                         each file. Can be used to take page-version\n *                         snapshots. Errors here are non-fatal.\n */\nexport async function migrateMemoryDirToEncrypted(\n  dir: string,\n  key: Buffer,\n  onBeforeEncrypt?: (filePath: string) => Promise<void>,\n): Promise<MigrateResult> {\n  const result: MigrateResult = { encrypted: 0, skipped: 0, errors: [] };\n\n  const files = await collectEncryptableStorageFiles(dir);\n  for (const filePath of files) {\n    try {\n      const buf = await readFile(filePath);\n      if (isEncryptedFile(buf)) {\n        result.skipped++;\n        continue;\n      }\n      // Call optional pre-encryption hook (e.g. page-version snapshot).\n      if (onBeforeEncrypt) {\n        try {\n          await onBeforeEncrypt(filePath);\n        } catch {\n          // Non-fatal — continue with encryption even if snapshot fails.\n        }\n      }\n      const content = buf.toString(\"utf8\");\n      const aad = filePathAad(filePath, storageAadRootForFile(filePath, dir));\n      const encrypted = encryptFileBody(content, key, aad);\n\n      // Atomic write: temp → rename (gotcha #54).\n      const tempPath = `${filePath}.enc-tmp-${process.pid}-${Date.now()}`;\n      try {\n        await writeFile(tempPath, encrypted, { mode: 0o600 });\n        await rename(tempPath, filePath);\n        result.encrypted++;\n      } catch (writeErr) {\n        // Clean up temp file, leave original intact.\n        try {\n          const { unlink } = await import(\"node:fs/promises\");\n          await unlink(tempPath);\n        } catch {\n          // ignore\n        }\n        throw writeErr;\n      }\n    } catch (err) {\n      result.errors.push({\n        filePath,\n        error: err instanceof Error ? err.message : String(err),\n      });\n    }\n  }\n\n  return result;\n}\n\n/**\n * Walk `dir` recursively, find storage-managed encrypted files, and\n * re-write them as plaintext under the same paths.\n *\n * This is the reversible counterpart to {@link migrateMemoryDirToEncrypted}.\n * It only touches files under the same storage-managed roots, skips\n * plaintext files, skips symlinks, excludes `.secure-store/`, and writes\n * each plaintext replacement via temp-file + rename so a per-file failure\n * leaves the ciphertext intact.\n */\nexport async function decryptMemoryDirToPlaintext(\n  dir: string,\n  key: Buffer,\n): Promise<DecryptResult> {\n  const result: DecryptResult = { decrypted: 0, skipped: 0, errors: [] };\n\n  const files = await collectStorageManagedFiles(dir, isDecryptableStoragePath);\n  for (const filePath of files) {\n    try {\n      const buf = await readFile(filePath);\n      if (!isEncryptedFile(buf)) {\n        result.skipped++;\n        continue;\n      }\n\n      const aad = filePathAad(filePath, storageAadRootForFile(filePath, dir));\n      const plaintext = decryptFileBody(buf, key, aad);\n      const tempPath = `${filePath}.dec-tmp-${process.pid}-${Date.now()}`;\n      try {\n        await writeFile(tempPath, plaintext, { mode: 0o600 });\n        await rename(tempPath, filePath);\n        result.decrypted++;\n      } catch (writeErr) {\n        try {\n          await unlink(tempPath);\n        } catch {\n          // ignore cleanup errors; original ciphertext is still intact.\n        }\n        throw writeErr;\n      }\n    } catch (err) {\n      result.errors.push({\n        filePath,\n        error: err instanceof Error ? err.message : String(err),\n      });\n    }\n  }\n\n  return result;\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Recursively collect files under `dir` that are read through the\n * storage-layer secure-store helpers, excluding symlinked entries and\n * `.secure-store/` metadata.\n */\nasync function collectEncryptableStorageFiles(dir: string, rootDir = dir): Promise<string[]> {\n  return collectStorageManagedFiles(dir, isEncryptableStoragePath, rootDir);\n}\n\n/**\n * Recursively collect regular files under storage-managed roots, excluding\n * symlinked entries and `.secure-store/` metadata. This broader collector is\n * used by the decrypt/disable path so future encrypted sidecars can be\n * restored without requiring extension-specific logic.\n */\nasync function collectStorageManagedFiles(\n  dir: string,\n  includeFile: (filePath: string, rootDir: string) => boolean,\n  rootDir = dir,\n): Promise<string[]> {\n  const results: string[] = [];\n  let names: string[];\n  try {\n    names = await readdir(dir, { encoding: \"utf8\" });\n  } catch {\n    return results;\n  }\n  for (const name of names) {\n    if (name.startsWith(\".secure-store\")) continue;\n    const full = path.join(dir, name);\n    let isDir = false;\n    let isFile = false;\n    try {\n      const s = await lstat(full);\n      if (s.isSymbolicLink()) continue;\n      isDir = s.isDirectory();\n      isFile = s.isFile();\n    } catch {\n      continue;\n    }\n    if (isDir) {\n      const sub = await collectStorageManagedFiles(full, includeFile, rootDir);\n      results.push(...sub);\n    } else if (isFile && includeFile(full, rootDir)) {\n      results.push(full);\n    }\n  }\n  return results;\n}\n\nfunction isEncryptableStoragePath(filePath: string, rootDir: string): boolean {\n  const rel = path.relative(rootDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return false;\n  const normalized = normalizeStorageRelativePath(rel);\n  if (normalized === \"profile.md\") return true;\n  if (isEncryptableStateSidecar(normalized)) return true;\n  if (isEncryptableSummarySidecar(normalized)) return true;\n  const firstSegment = normalized.split(\"/\", 1)[0];\n  return ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS.has(firstSegment) && normalized.endsWith(\".md\");\n}\n\nfunction isDecryptableStoragePath(filePath: string, rootDir: string): boolean {\n  if (isEncryptableStoragePath(filePath, rootDir)) return true;\n  const rel = path.relative(rootDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return false;\n  const normalized = normalizeStorageRelativePath(rel);\n  const firstSegment = normalized.split(\"/\", 1)[0];\n  return DECRYPTABLE_SIDECAR_ROOTS.has(firstSegment);\n}\n\nfunction normalizeStorageRelativePath(rel: string): string {\n  const normalized = rel.split(path.sep).join(\"/\");\n  const parts = normalized.split(\"/\");\n  if (parts[0] === \"namespaces\" && parts.length >= 3) {\n    return parts.slice(2).join(\"/\");\n  }\n  return normalized;\n}\n\nfunction storageAadRootForFile(filePath: string, rootDir: string): string {\n  const rel = path.relative(rootDir, filePath);\n  if (rel === \"\" || rel.startsWith(\"..\") || path.isAbsolute(rel)) return rootDir;\n  const parts = rel.split(path.sep);\n  if (parts[0] === \"namespaces\" && parts.length >= 3 && parts[1]) {\n    return path.join(rootDir, \"namespaces\", parts[1]);\n  }\n  return rootDir;\n}\n\nconst ENCRYPTABLE_MARKDOWN_STORAGE_ROOTS = new Set([\n  \"facts\",\n  \"corrections\",\n  \"procedures\",\n  \"reasoning-traces\",\n  \"artifacts\",\n  \"archive\",\n  \"entities\",\n  \"identity\",\n]);\n\nconst ENCRYPTABLE_STATE_SIDECARS = new Set([\n  \"state/behavior-signals.jsonl\",\n  \"state/buffer-surprise-ledger.jsonl\",\n  \"state/buffer.json\",\n  \"state/compression-guideline-draft-state.json\",\n  \"state/compression-guideline-state.json\",\n  \"state/compression-guidelines.draft.md\",\n  \"state/compression-guidelines.md\",\n  \"state/entity-synthesis-queue.json\",\n  \"state/fact-hashes.txt\",\n  \"state/memory-actions.jsonl\",\n  \"state/memory-lifecycle-ledger.jsonl\",\n  \"state/meta.json\",\n  \"state/reextract-jobs.jsonl\",\n  \"state/topics.json\",\n]);\n\nfunction isEncryptableStateSidecar(normalized: string): boolean {\n  return ENCRYPTABLE_STATE_SIDECARS.has(normalized);\n}\n\nfunction isEncryptableSummarySidecar(normalized: string): boolean {\n  return normalized.startsWith(\"summaries/\") && normalized.endsWith(\".json\");\n}\n\nconst DECRYPTABLE_SIDECAR_ROOTS = new Set([\n  \"state\",\n  \"indexes\",\n  \"index\",\n  \"provenance\",\n]);\n"],"mappings":";;;;;;;;;;;;;AA6CA,SAAS,gBAAgB,mBAAmB;AAC5C,SAAS,OAAO,OAAO,QAAQ,UAAU,UAAU,SAAS,QAAQ,QAAQ,iBAAiB;AAC7F,OAAO,UAAU;AAuBV,IAAM,yBAAN,cAAqC,MAAM;AAAA,EAChD,YAAY,UAAU,6EAAwE;AAC5F,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,0BAAN,cAAsC,MAAM;AAAA,EACjD,YAAY,UAAU,0EAAqE;AACzF,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAOO,IAAM,cAAc,OAAO,KAAK,cAAc,OAAO;AAGrD,IAAM,sBAAsB;AAG5B,IAAM,oBAAoB;AAG1B,IAAM,oBAAoB,YAAY,SAAS;AAU/C,SAAS,gBAAgB,KAA0B;AACxD,MAAI,IAAI,SAAS,kBAAmB,QAAO;AAC3C,QAAM,IAAI,OAAO,SAAS,GAAG,IAAI,MAAM,OAAO,KAAK,GAAG;AACtD,SAAO,EAAE,SAAS,GAAG,YAAY,MAAM,EAAE,OAAO,WAAW;AAC7D;AAgBO,SAAS,gBAAgB,OAAwB,KAAa,KAAsB;AACzF,QAAM,WAAW,OAAO,UAAU,WAAW,OAAO,KAAK,OAAO,MAAM,IAAI;AAC1E,QAAM,OAAO,aAAa;AAC1B,QAAM,WAAW,KAAK,KAAK,MAAM,UAAU,MAAM,EAAE,IAAI,IAAI,CAAC,CAAC;AAE7D,QAAM,SAAS,OAAO,MAAM,iBAAiB;AAC7C,cAAY,KAAK,QAAQ,CAAC;AAC1B,SAAO,WAAW,qBAAqB,YAAY,MAAM;AACzD,SAAO,WAAW,mBAAmB,YAAY,SAAS,CAAC;AAE3D,SAAO,OAAO,OAAO,CAAC,QAAQ,QAAQ,CAAC;AACzC;AAUO,SAAS,gBAAgB,KAAa,KAAa,KAAsB;AAC9E,MAAI,CAAC,gBAAgB,GAAG,GAAG;AACzB,UAAM,IAAI,MAAM,qEAAqE;AAAA,EACvF;AACA,QAAM,UAAU,IAAI,UAAU,YAAY,MAAM;AAChD,MAAI,YAAY,qBAAqB;AACnC,UAAM,IAAI;AAAA,MACR,oDAAoD,OAAO,yBAAyB,mBAAmB;AAAA,IACzG;AAAA,EACF;AACA,QAAM,QAAQ,IAAI,UAAU,YAAY,SAAS,CAAC;AAClD,MAAI,UAAU,mBAAmB;AAC/B,UAAM,IAAI,MAAM,yCAAyC,MAAM,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE;AAAA,EAChG;AACA,QAAM,WAAW,IAAI,SAAS,iBAAiB;AAC/C,MAAI;AACF,WAAO,KAAa,KAAK,UAAU,MAAM,EAAE,IAAI,IAAI,CAAC,CAAC;AAAA,EACvD,SAAS,KAAK;AACZ,UAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,UAAM,IAAI;AAAA,MACR,mCAAmC,GAAG;AAAA,IACxC;AAAA,EACF;AACF;AAEA,SAAS,eAAe,MAA0B;AAChD,QAAM,MAAM,OAAO,MAAM,IAAI,oBAAoB;AACjD,MAAI,WAAW,kBAAkB,CAAC;AAClC,SAAO,KAAK,IAAI,EAAE,KAAK,KAAK,CAAC;AAC7B,SAAO;AACT;AAcO,SAAS,YAAY,UAAkB,WAA4B;AACxE,MAAI,MAAM;AACV,MAAI,aAAa,KAAK,WAAW,QAAQ,GAAG;AAC1C,UAAM,KAAK,SAAS,WAAW,QAAQ;AAAA,EACzC;AACA,SAAO,OAAO,KAAK,KAAK,MAAM;AAChC;AAoBA,eAAsB,6BACpB,UACA,KACA,WACiB;AACjB,QAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,MAAI,CAAC,gBAAgB,GAAG,GAAG;AAEzB,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ,MAAM;AAChB,UAAM,IAAI;AAAA,MACR,+DAA0D,QAAQ;AAAA,IAEpE;AAAA,EACF;AACA,QAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,SAAO,gBAAgB,KAAK,KAAK,GAAG;AACtC;AAEA,eAAsB,uBACpB,UACA,KACA,WACiB;AACjB,UAAQ,MAAM,6BAA6B,UAAU,KAAK,SAAS,GAAG,SAAS,MAAM;AACvF;AAyBA,eAAsB,wBACpB,UACA,SACA,KACA,UAA0C,CAAC,GAC3C,WACe;AACf,QAAM,EAAE,OAAO,KAAO,SAAS,KAAK,IAAI;AACxC,QAAM,MAAM,KAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAEvD,MAAI;AACJ,MAAI,QAAQ,MAAM;AAChB,UAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,WAAO,gBAAgB,SAAS,KAAK,GAAG;AAAA,EAC1C,OAAO;AACL,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ;AACV,UAAM,WAAW,GAAG,QAAQ,QAAQ,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC;AAC7D,QAAI;AACF,YAAM,UAAU,UAAU,MAAM,EAAE,KAAK,CAAC;AACxC,YAAM,OAAO,UAAU,QAAQ;AAAA,IACjC,SAAS,KAAK;AAEZ,UAAI;AACF,cAAM,OAAO,QAAQ;AAAA,MACvB,QAAQ;AAAA,MAER;AACA,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AACL,UAAM,UAAU,UAAU,MAAM,EAAE,KAAK,CAAC;AAAA,EAC1C;AACF;AAEA,eAAsB,kCACpB,UACA,QACA,KACA,UAA0C,CAAC,GAC3C,WACe;AACf,QAAM,EAAE,OAAO,KAAO,SAAS,KAAK,IAAI;AACxC,QAAM,MAAM,KAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AACvD,QAAM,YAAY,SAAS,GAAG,QAAQ,QAAQ,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC,KAAK;AAC5E,MAAI,YAAY;AAChB,MAAI;AACF,UAAM,SAAS,MAAM,SAAS,WAAW,KAAK,IAAI;AAClD,QAAI;AACF,UAAI,QAAQ,MAAM;AAChB,cAAM,OAAO,aAAa;AAC1B,cAAM,KAAK,YAAY,SAAS;AAChC,cAAM,SAAS,OAAO,MAAM,oBAAoB,oBAAoB;AACpE,oBAAY,KAAK,QAAQ,CAAC;AAC1B,eAAO,WAAW,qBAAqB,YAAY,MAAM;AACzD,eAAO,WAAW,mBAAmB,YAAY,SAAS,CAAC;AAC3D,cAAM,iBAAiB;AACvB,eAAO,WAAW,kBAAkB,iBAAiB,gBAAgB,OAAO;AAC5E,aAAK,KAAK,QAAQ,iBAAiB,gBAAgB,IAAI;AACvD,WAAG,KAAK,QAAQ,iBAAiB,gBAAgB,EAAE;AACnD,cAAM,OAAO,MAAM,MAAM;AAEzB,cAAM,SAAS,eAAe,eAAe,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,cAAM,MAAM,YAAY,UAAU,SAAS;AAC3C,eAAO,OAAO,OAAO,OAAO,CAAC,eAAe,IAAI,GAAG,GAAG,CAAC,CAAC;AACxD,yBAAiB,SAAS,QAAQ;AAChC,cAAI,MAAM,WAAW,EAAG;AACxB,gBAAM,YAAY,OAAO,OAAO,KAAK;AACrC,cAAI,UAAU,SAAS,EAAG,OAAM,OAAO,MAAM,SAAS;AAAA,QACxD;AACA,cAAM,QAAQ,OAAO,MAAM;AAC3B,YAAI,MAAM,SAAS,EAAG,OAAM,OAAO,MAAM,KAAK;AAC9C,cAAM,UAAU,OAAO,WAAW;AAClC,cAAM,OAAO;AAAA,UACX;AAAA,UACA;AAAA,UACA,QAAQ;AAAA,UACR,oBAAoB,gBAAgB;AAAA,QACtC;AAAA,MACF,OAAO;AACL,yBAAiB,SAAS,QAAQ;AAChC,cAAI,MAAM,SAAS,EAAG,OAAM,OAAO,MAAM,KAAK;AAAA,QAChD;AAAA,MACF;AAAA,IACF,UAAE;AACA,YAAM,OAAO,MAAM;AAAA,IACrB;AACA,QAAI,QAAQ;AACV,YAAM,OAAO,WAAW,QAAQ;AAAA,IAClC;AACA,gBAAY;AAAA,EACd,UAAE;AACA,QAAI,CAAC,aAAa,QAAQ;AACxB,YAAM,OAAO,SAAS,EAAE,MAAM,MAAM;AAAA,MAAC,CAAC;AAAA,IACxC;AAAA,EACF;AACF;AA6CA,eAAsB,4BACpB,KACA,KACA,iBACwB;AACxB,QAAM,SAAwB,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE;AAErE,QAAM,QAAQ,MAAM,+BAA+B,GAAG;AACtD,aAAW,YAAY,OAAO;AAC5B,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,UAAI,gBAAgB,GAAG,GAAG;AACxB,eAAO;AACP;AAAA,MACF;AAEA,UAAI,iBAAiB;AACnB,YAAI;AACF,gBAAM,gBAAgB,QAAQ;AAAA,QAChC,QAAQ;AAAA,QAER;AAAA,MACF;AACA,YAAM,UAAU,IAAI,SAAS,MAAM;AACnC,YAAM,MAAM,YAAY,UAAU,sBAAsB,UAAU,GAAG,CAAC;AACtE,YAAM,YAAY,gBAAgB,SAAS,KAAK,GAAG;AAGnD,YAAM,WAAW,GAAG,QAAQ,YAAY,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC;AACjE,UAAI;AACF,cAAM,UAAU,UAAU,WAAW,EAAE,MAAM,IAAM,CAAC;AACpD,cAAM,OAAO,UAAU,QAAQ;AAC/B,eAAO;AAAA,MACT,SAAS,UAAU;AAEjB,YAAI;AACF,gBAAM,EAAE,QAAAA,QAAO,IAAI,MAAM,OAAO,aAAkB;AAClD,gBAAMA,QAAO,QAAQ;AAAA,QACvB,QAAQ;AAAA,QAER;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,OAAO,KAAK;AAAA,QACjB;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAYA,eAAsB,4BACpB,KACA,KACwB;AACxB,QAAM,SAAwB,EAAE,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC,EAAE;AAErE,QAAM,QAAQ,MAAM,2BAA2B,KAAK,wBAAwB;AAC5E,aAAW,YAAY,OAAO;AAC5B,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,QAAQ;AACnC,UAAI,CAAC,gBAAgB,GAAG,GAAG;AACzB,eAAO;AACP;AAAA,MACF;AAEA,YAAM,MAAM,YAAY,UAAU,sBAAsB,UAAU,GAAG,CAAC;AACtE,YAAM,YAAY,gBAAgB,KAAK,KAAK,GAAG;AAC/C,YAAM,WAAW,GAAG,QAAQ,YAAY,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC;AACjE,UAAI;AACF,cAAM,UAAU,UAAU,WAAW,EAAE,MAAM,IAAM,CAAC;AACpD,cAAM,OAAO,UAAU,QAAQ;AAC/B,eAAO;AAAA,MACT,SAAS,UAAU;AACjB,YAAI;AACF,gBAAM,OAAO,QAAQ;AAAA,QACvB,QAAQ;AAAA,QAER;AACA,cAAM;AAAA,MACR;AAAA,IACF,SAAS,KAAK;AACZ,aAAO,OAAO,KAAK;AAAA,QACjB;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAWA,eAAe,+BAA+B,KAAa,UAAU,KAAwB;AAC3F,SAAO,2BAA2B,KAAK,0BAA0B,OAAO;AAC1E;AAQA,eAAe,2BACb,KACA,aACA,UAAU,KACS;AACnB,QAAM,UAAoB,CAAC;AAC3B,MAAI;AACJ,MAAI;AACF,YAAQ,MAAM,QAAQ,KAAK,EAAE,UAAU,OAAO,CAAC;AAAA,EACjD,QAAQ;AACN,WAAO;AAAA,EACT;AACA,aAAW,QAAQ,OAAO;AACxB,QAAI,KAAK,WAAW,eAAe,EAAG;AACtC,UAAM,OAAO,KAAK,KAAK,KAAK,IAAI;AAChC,QAAI,QAAQ;AACZ,QAAI,SAAS;AACb,QAAI;AACF,YAAM,IAAI,MAAM,MAAM,IAAI;AAC1B,UAAI,EAAE,eAAe,EAAG;AACxB,cAAQ,EAAE,YAAY;AACtB,eAAS,EAAE,OAAO;AAAA,IACpB,QAAQ;AACN;AAAA,IACF;AACA,QAAI,OAAO;AACT,YAAM,MAAM,MAAM,2BAA2B,MAAM,aAAa,OAAO;AACvE,cAAQ,KAAK,GAAG,GAAG;AAAA,IACrB,WAAW,UAAU,YAAY,MAAM,OAAO,GAAG;AAC/C,cAAQ,KAAK,IAAI;AAAA,IACnB;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,yBAAyB,UAAkB,SAA0B;AAC5E,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,aAAa,6BAA6B,GAAG;AACnD,MAAI,eAAe,aAAc,QAAO;AACxC,MAAI,0BAA0B,UAAU,EAAG,QAAO;AAClD,MAAI,4BAA4B,UAAU,EAAG,QAAO;AACpD,QAAM,eAAe,WAAW,MAAM,KAAK,CAAC,EAAE,CAAC;AAC/C,SAAO,mCAAmC,IAAI,YAAY,KAAK,WAAW,SAAS,KAAK;AAC1F;AAEA,SAAS,yBAAyB,UAAkB,SAA0B;AAC5E,MAAI,yBAAyB,UAAU,OAAO,EAAG,QAAO;AACxD,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,aAAa,6BAA6B,GAAG;AACnD,QAAM,eAAe,WAAW,MAAM,KAAK,CAAC,EAAE,CAAC;AAC/C,SAAO,0BAA0B,IAAI,YAAY;AACnD;AAEA,SAAS,6BAA6B,KAAqB;AACzD,QAAM,aAAa,IAAI,MAAM,KAAK,GAAG,EAAE,KAAK,GAAG;AAC/C,QAAM,QAAQ,WAAW,MAAM,GAAG;AAClC,MAAI,MAAM,CAAC,MAAM,gBAAgB,MAAM,UAAU,GAAG;AAClD,WAAO,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG;AAAA,EAChC;AACA,SAAO;AACT;AAEA,SAAS,sBAAsB,UAAkB,SAAyB;AACxE,QAAM,MAAM,KAAK,SAAS,SAAS,QAAQ;AAC3C,MAAI,QAAQ,MAAM,IAAI,WAAW,IAAI,KAAK,KAAK,WAAW,GAAG,EAAG,QAAO;AACvE,QAAM,QAAQ,IAAI,MAAM,KAAK,GAAG;AAChC,MAAI,MAAM,CAAC,MAAM,gBAAgB,MAAM,UAAU,KAAK,MAAM,CAAC,GAAG;AAC9D,WAAO,KAAK,KAAK,SAAS,cAAc,MAAM,CAAC,CAAC;AAAA,EAClD;AACA,SAAO;AACT;AAEA,IAAM,qCAAqC,oBAAI,IAAI;AAAA,EACjD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,6BAA6B,oBAAI,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,SAAS,0BAA0B,YAA6B;AAC9D,SAAO,2BAA2B,IAAI,UAAU;AAClD;AAEA,SAAS,4BAA4B,YAA6B;AAChE,SAAO,WAAW,WAAW,YAAY,KAAK,WAAW,SAAS,OAAO;AAC3E;AAEA,IAAM,4BAA4B,oBAAI,IAAI;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;","names":["unlink"]}

package/dist/{chunk-SZKCBLS5.js → chunk-PUXCIHRL.js}

@@ -1,6 +1,6 @@
 import {
   runPostConsolidationMaterialize
-} from "./chunk-KSFBM6TV.js";
+} from "./chunk-YITUHONZ.js";
 import {
   discoverMemoryExtensions,
   renderExtensionsBlock,
@@ -216,4 +216,4 @@ export {
   buildExtensionsBlockForConsolidation,
   materializeAfterSemanticConsolidation
 };
-//# sourceMappingURL=chunk-SZKCBLS5.js.map
+//# sourceMappingURL=chunk-PUXCIHRL.js.map

package/dist/{chunk-2IRT26RZ.js → chunk-QYHQ2JHL.js}

@@ -4,7 +4,7 @@ import {
 import {
   compareEntityTimestamps,
   normalizeEntityName
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 import {
   sanitizeMemoryContent
 } from "./chunk-FVQJYWH7.js";
@@ -593,4 +593,4 @@ export {
   entityIndexVersion,
   entityRecentTranscriptLookbackHours
 };
-//# sourceMappingURL=chunk-2IRT26RZ.js.map
+//# sourceMappingURL=chunk-QYHQ2JHL.js.map

package/dist/{chunk-LDJANWTK.js → chunk-RA73CTVY.js}

@@ -44,12 +44,12 @@ import {
 } from "./chunk-TPMQ3G6Z.js";
 import {
   rebuildMemoryLifecycleLedger
-} from "./chunk-NOQ74SJN.js";
+} from "./chunk-7D6O46PF.js";
 import {
   rebuildMemoryProjection,
   repairMemoryProjection,
   verifyMemoryProjection
-} from "./chunk-YO3AZEE5.js";
+} from "./chunk-25YQM6XW.js";
 import {
   rebuildObservations
 } from "./chunk-PZIAX57I.js";
@@ -64,7 +64,7 @@ import {
 } from "./chunk-TMM4S4IJ.js";
 import {
   promoteSemanticRuleFromMemory
-} from "./chunk-CN4P6SVA.js";
+} from "./chunk-RCZRL5BE.js";
 import {
   resolveAgentAccessAuthToken
 } from "./chunk-MXC3AP5I.js";
@@ -92,12 +92,12 @@ import {
   runOperatorInventory,
   runOperatorRepair,
   runOperatorSetup
-} from "./chunk-5ML4TH3E.js";
+} from "./chunk-TFORLO3O.js";
 import {
   listNamespaces,
   runNamespaceMigration,
   verifyNamespaces
-} from "./chunk-SGIXDVSF.js";
+} from "./chunk-S27EXIHY.js";
 import {
   GraphDashboardServer
 } from "./chunk-ZPKBYX2F.js";
@@ -110,7 +110,7 @@ import {
 } from "./chunk-LUDTDZLK.js";
 import {
   searchVerifiedEpisodes
-} from "./chunk-5IQC4OG6.js";
+} from "./chunk-4H6DURG6.js";
 import {
   getUtilityLearningStatus,
   learnUtilityPromotionWeights
@@ -124,7 +124,7 @@ import {
 } from "./chunk-W4RVMTHR.js";
 import {
   searchVerifiedSemanticRules
-} from "./chunk-QOHBYVZG.js";
+} from "./chunk-3F24QTRI.js";
 import {
   getWorkProductLedgerStatus,
   recordWorkProductLedgerEntry,
@@ -196,13 +196,13 @@ import {
 } from "./chunk-NGAVDO7E.js";
 import {
   EngramAccessHttpServer
-} from "./chunk-UA6OCL6S.js";
+} from "./chunk-HWF42K6J.js";
 import {
   EngramMcpServer
-} from "./chunk-26OQECWH.js";
+} from "./chunk-FHXVW3L4.js";
 import {
   EngramAccessService
-} from "./chunk-NGPO6S3M.js";
+} from "./chunk-MM5EBZVW.js";
 import {
   WorkStorage
 } from "./chunk-WELDCG6C.js";
@@ -224,7 +224,7 @@ import {
   readMemoryGovernanceRunArtifact,
   restoreMemoryGovernanceRun,
   runMemoryGovernance
-} from "./chunk-TOFUTKQN.js";
+} from "./chunk-TR4DK5OH.js";
 import {
   selectRouteRule,
   validateRouteTarget
@@ -6755,4 +6755,4 @@ export {
   resolveMemoryDirForNamespace,
   registerCli
 };
-//# sourceMappingURL=chunk-LDJANWTK.js.map
+//# sourceMappingURL=chunk-RA73CTVY.js.map

package/dist/{chunk-CN4P6SVA.js → chunk-RCZRL5BE.js}

@@ -1,6 +1,6 @@
 import {
   StorageManager
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 
 // src/semantic-rule-promotion.ts
 function normalizeRuleWhitespace(value) {
@@ -132,4 +132,4 @@ async function promoteSemanticRuleFromMemory(options) {
 export {
   promoteSemanticRuleFromMemory
 };
-//# sourceMappingURL=chunk-CN4P6SVA.js.map
+//# sourceMappingURL=chunk-RCZRL5BE.js.map

package/dist/{chunk-SGIXDVSF.js → chunk-S27EXIHY.js}

@@ -1,6 +1,6 @@
 import {
   NamespaceStorageRouter
-} from "./chunk-TLM762GT.js";
+} from "./chunk-2WIPXV3Y.js";
 import {
   namespaceCollectionName
 } from "./chunk-W7DK3CYM.js";
@@ -138,4 +138,4 @@ export {
   verifyNamespaces,
   runNamespaceMigration
 };
-//# sourceMappingURL=chunk-SGIXDVSF.js.map
+//# sourceMappingURL=chunk-S27EXIHY.js.map

package/dist/{chunk-5ML4TH3E.js → chunk-TFORLO3O.js}

@@ -1,6 +1,6 @@
 import {
   listNamespaces
-} from "./chunk-SGIXDVSF.js";
+} from "./chunk-S27EXIHY.js";
 import {
   runConsolidationProvenanceCheck
 } from "./chunk-5HRY2WRF.js";
@@ -36,13 +36,13 @@ import {
 import {
   listMemoryGovernanceRuns,
   readMemoryGovernanceRunArtifact
-} from "./chunk-TOFUTKQN.js";
+} from "./chunk-TR4DK5OH.js";
 import {
   analyzeGraphHealth
 } from "./chunk-RK2Y4XOM.js";
 import {
   StorageManager
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 import {
   lintWorkspaceFiles
 } from "./chunk-DM2T26WE.js";
@@ -1314,4 +1314,4 @@ export {
   runBenchmarkRecall,
   runOperatorRepair
 };
-//# sourceMappingURL=chunk-5ML4TH3E.js.map
+//# sourceMappingURL=chunk-TFORLO3O.js.map

package/dist/{chunk-TOFUTKQN.js → chunk-TR4DK5OH.js}

@@ -1,6 +1,6 @@
 import {
   StorageManager
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 import {
   decideLifecycleTransition
 } from "./chunk-TBBDFYXW.js";
@@ -718,4 +718,4 @@ export {
   listMemoryGovernanceRuns,
   readMemoryGovernanceRunArtifact
 };
-//# sourceMappingURL=chunk-TOFUTKQN.js.map
+//# sourceMappingURL=chunk-TR4DK5OH.js.map

package/dist/{chunk-6ORWKANA.js → chunk-VYU7PXUS.js}

@@ -1,7 +1,7 @@
 import {
   StorageManager,
   normalizeEntityName
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 import {
   readEnvVar,
   resolveHomeDir
@@ -824,4 +824,4 @@ export {
   resolveBriefingSaveDir,
   briefingFilename
 };
-//# sourceMappingURL=chunk-6ORWKANA.js.map
+//# sourceMappingURL=chunk-VYU7PXUS.js.map

package/dist/{chunk-FFU4GMST.js → chunk-WNARATI3.js}

@@ -19,7 +19,7 @@ import {
 import {
   decryptMemoryDirToPlaintext,
   migrateMemoryDirToEncrypted
-} from "./chunk-SH5S7XYD.js";
+} from "./chunk-MXFBBHJU.js";
 import {
   generateSalt
 } from "./chunk-A6XUJE5D.js";
@@ -451,4 +451,4 @@ export {
   renderStatusReport,
   createPassphraseReader
 };
-//# sourceMappingURL=chunk-FFU4GMST.js.map
+//# sourceMappingURL=chunk-WNARATI3.js.map

package/dist/{chunk-KSFBM6TV.js → chunk-YITUHONZ.js}

@@ -10,7 +10,7 @@ import {
 } from "./chunk-U3PN77QT.js";
 import {
   StorageManager
-} from "./chunk-7Q2P774N.js";
+} from "./chunk-F33CJ5CH.js";
 import {
   log
 } from "./chunk-2ODBA7MQ.js";
@@ -116,4 +116,4 @@ export {
   runCodexMaterialize,
   runPostConsolidationMaterialize
 };
-//# sourceMappingURL=chunk-KSFBM6TV.js.map
+//# sourceMappingURL=chunk-YITUHONZ.js.map

package/dist/{cli-BN0CkYzI.d.ts → cli-BguVmIwO.d.ts}

@@ -14,7 +14,7 @@ import { WorkProjectStatus, WorkTaskStatus, WorkTaskPriority } from './work/type
 import { RoutePatternType } from './routing/engine.js';
 import { TailscaleSyncOptions } from './network/tailscale.js';
 import { DashboardStatus } from './dashboard-runtime.js';
-import { E as EngramAccessService } from './access-service-DT9L2DW4.js';
+import { E as EngramAccessService } from './access-service-CEyV8XJ5.js';
 import { ResolveSecretRefFn } from './resolve-auth-token.js';
 import { CompatRunner, CompatReport } from './compat/types.js';
 import { EvalBaselineDeltaReport, EvalBaselineSnapshot, EvalCiGateReport, EvalBenchmarkPackSummary, EvalHarnessStatus, EvalStoredBaselineCiGateReport } from './evals.js';

package/dist/cli.d.ts

@@ -10,12 +10,12 @@ import 'node:stream';
 import './orchestrator-DuWl9Hwx.js';
 import './replay/runner.js';
 import './replay/types.js';
-export { A as AccessHttpServeCliCommandOptions, c as ArchiveObservationsCliCommandOptions, B as BulkImportCliCommandOptions, C as CompatCliCommandOptions, d as ConnectorsRunCliOutputOptions, e as ConversationIndexHealthCliOrchestrator, D as DashboardStartCliCommandOptions, g as DedupeCandidate, E as ExactDedupePlan, G as GraphHealthCliCommandOptions, M as MemoryActionAuditCliCommandOptions, h as MemoryActionAuditCliNamespaceSummary, i as MemoryActionAuditCliReport, j as MemoryGovernanceCliCommandOptions, k as MemoryGovernanceReportCliCommandOptions, l as MemoryGovernanceRestoreCliCommandOptions, m as MemoryReviewDispositionCliCommandOptions, n as MemoryTimelineCliCommandOptions, o as MigrateCliOrchestrator, q as MigrateCliReport, s as MigrateObservationsCliCommandOptions, t as PolicyDiffCliReport, u as PolicyDiffEntry, v as PolicyRollbackCliReport, w as PolicyStatusCliReport, x as PolicyTuningCliOrchestrator, R as RebuildMemoryLifecycleLedgerCliCommandOptions, y as RebuildMemoryProjectionCliCommandOptions, z as RebuildObservationsCliCommandOptions, F as RepairMemoryProjectionCliCommandOptions, H as ReplayCliCommandOptions, I as ReplayCliOrchestrator, J as RouteCliCommandOptions, S as SessionIntegrityCliCommandOptions, K as SessionRepairCliCommandOptions, T as TailscaleStatusCliCommandOptions, L as TailscaleSyncCliCommandOptions, N as TierMigrationCliOrchestrator, O as TrainingExportCliCommandOptions, V as VerifyMemoryProjectionCliCommandOptions, W as WebDavServeCliCommandOptions, Q as WorkProjectCliCommandOptions, U as WorkTaskCliCommandOptions, X as emitConnectorsRunCliResult, Y as filterNormalMemorySearchResults, Z as hasDestructivePurgeFailures, _ as isNormalRetrievalVisibleMemory, $ as parseDurationToMs, a0 as parseStrictCliDate, a1 as planAggressiveDuplicateDeletions, a2 as planExactDuplicateDeletions, a3 as registerCli, a4 as resolveAccessPrincipalOverride, a5 as resolveMemoryDirForNamespace, a6 as runAbstractionNodeStatusCliCommand, a7 as runAccessHttpServeCliCommand, a8 as runAccessHttpStatusCliCommand, a9 as runAccessHttpStopCliCommand, aa as runAccessMcpServeCliCommand, ab as runArchiveObservationsCliCommand, ac as runBenchmarkBaselineReportCliCommand, ad as runBenchmarkBaselineSnapshotCliCommand, ae as runBenchmarkCiGateCliCommand, af as runBenchmarkImportCliCommand, ag as runBenchmarkStatusCliCommand, ah as runBenchmarkStoredBaselineCiGateCliCommand, ai as runBenchmarkValidateCliCommand, r as runBulkImportCliCommand, aj as runCausalTrajectoryStatusCliCommand, ak as runCommitmentLifecycleCliCommand, al as runCommitmentRecordCliCommand, am as runCommitmentSetStateCliCommand, an as runCommitmentStatusCliCommand, ao as runCompatCliCommand, ap as runCompoundingPromoteCliCommand, aq as runConversationIndexHealthCliCommand, ar as runConversationIndexInspectCliCommand, as as runConversationIndexRebuildCliCommand, at as runCueAnchorStatusCliCommand, au as runDashboardStartCliCommand, av as runDashboardStatusCliCommand, aw as runDashboardStopCliCommand, ax as runGraphHealthCliCommand, ay as runHarmonicSearchCliCommand, az as runMemoryActionAuditCliCommand, aA as runMemoryGovernanceCliCommand, aB as runMemoryGovernanceReportCliCommand, aC as runMemoryGovernanceRestoreCliCommand, aD as runMemoryReviewDispositionCliCommand, aE as runMemoryTimelineCliCommand, aF as runMigrateNormalizeFrontmatterCliCommand, aG as runMigrateObservationsCliCommand, aH as runMigrateRechunkCliCommand, aI as runMigrateReextractCliCommand, aJ as runMigrateRescoreImportanceCliCommand, aK as runObjectiveStateStatusCliCommand, aL as runPolicyDiffCliCommand, aM as runPolicyRollbackCliCommand, aN as runPolicyStatusCliCommand, aO as runRebuildMemoryLifecycleLedgerCliCommand, aP as runRebuildMemoryProjectionCliCommand, aQ as runRebuildObservationsCliCommand, aR as runRepairMemoryProjectionCliCommand, aS as runReplayCliCommand, aT as runResumeBundleBuildCliCommand, aU as runResumeBundleRecordCliCommand, aV as runResumeBundleStatusCliCommand, aW as runRouteCliCommand, aX as runSemanticRulePromoteCliCommand, aY as runSemanticRuleVerifyCliCommand, aZ as runSessionCheckCliCommand, a_ as runSessionRepairCliCommand, a$ as runTailscaleStatusCliCommand, b0 as runTailscaleSyncCliCommand, b1 as runTierMigrateCliCommand, b2 as runTierStatusCliCommand, b3 as runTrainingExportCliCommand, b4 as runTrustZoneDemoSeedCliCommand, b5 as runTrustZonePromoteCliCommand, b6 as runTrustZoneStatusCliCommand, b7 as runUtilityLearningCliCommand, b8 as runUtilityLearningStatusCliCommand, b9 as runUtilityTelemetryRecordCliCommand, ba as runUtilityTelemetryStatusCliCommand, bb as runVerifiedRecallSearchCliCommand, bc as runVerifyMemoryProjectionCliCommand, bd as runWebDavServeCliCommand, be as runWebDavStopCliCommand, bf as runWorkProductRecallSearchCliCommand, bg as runWorkProductRecordCliCommand, bh as runWorkProductStatusCliCommand, bi as runWorkProjectCliCommand, bj as runWorkTaskCliCommand } from './cli-BN0CkYzI.js';
+export { A as AccessHttpServeCliCommandOptions, c as ArchiveObservationsCliCommandOptions, B as BulkImportCliCommandOptions, C as CompatCliCommandOptions, d as ConnectorsRunCliOutputOptions, e as ConversationIndexHealthCliOrchestrator, D as DashboardStartCliCommandOptions, g as DedupeCandidate, E as ExactDedupePlan, G as GraphHealthCliCommandOptions, M as MemoryActionAuditCliCommandOptions, h as MemoryActionAuditCliNamespaceSummary, i as MemoryActionAuditCliReport, j as MemoryGovernanceCliCommandOptions, k as MemoryGovernanceReportCliCommandOptions, l as MemoryGovernanceRestoreCliCommandOptions, m as MemoryReviewDispositionCliCommandOptions, n as MemoryTimelineCliCommandOptions, o as MigrateCliOrchestrator, q as MigrateCliReport, s as MigrateObservationsCliCommandOptions, t as PolicyDiffCliReport, u as PolicyDiffEntry, v as PolicyRollbackCliReport, w as PolicyStatusCliReport, x as PolicyTuningCliOrchestrator, R as RebuildMemoryLifecycleLedgerCliCommandOptions, y as RebuildMemoryProjectionCliCommandOptions, z as RebuildObservationsCliCommandOptions, F as RepairMemoryProjectionCliCommandOptions, H as ReplayCliCommandOptions, I as ReplayCliOrchestrator, J as RouteCliCommandOptions, S as SessionIntegrityCliCommandOptions, K as SessionRepairCliCommandOptions, T as TailscaleStatusCliCommandOptions, L as TailscaleSyncCliCommandOptions, N as TierMigrationCliOrchestrator, O as TrainingExportCliCommandOptions, V as VerifyMemoryProjectionCliCommandOptions, W as WebDavServeCliCommandOptions, Q as WorkProjectCliCommandOptions, U as WorkTaskCliCommandOptions, X as emitConnectorsRunCliResult, Y as filterNormalMemorySearchResults, Z as hasDestructivePurgeFailures, _ as isNormalRetrievalVisibleMemory, $ as parseDurationToMs, a0 as parseStrictCliDate, a1 as planAggressiveDuplicateDeletions, a2 as planExactDuplicateDeletions, a3 as registerCli, a4 as resolveAccessPrincipalOverride, a5 as resolveMemoryDirForNamespace, a6 as runAbstractionNodeStatusCliCommand, a7 as runAccessHttpServeCliCommand, a8 as runAccessHttpStatusCliCommand, a9 as runAccessHttpStopCliCommand, aa as runAccessMcpServeCliCommand, ab as runArchiveObservationsCliCommand, ac as runBenchmarkBaselineReportCliCommand, ad as runBenchmarkBaselineSnapshotCliCommand, ae as runBenchmarkCiGateCliCommand, af as runBenchmarkImportCliCommand, ag as runBenchmarkStatusCliCommand, ah as runBenchmarkStoredBaselineCiGateCliCommand, ai as runBenchmarkValidateCliCommand, r as runBulkImportCliCommand, aj as runCausalTrajectoryStatusCliCommand, ak as runCommitmentLifecycleCliCommand, al as runCommitmentRecordCliCommand, am as runCommitmentSetStateCliCommand, an as runCommitmentStatusCliCommand, ao as runCompatCliCommand, ap as runCompoundingPromoteCliCommand, aq as runConversationIndexHealthCliCommand, ar as runConversationIndexInspectCliCommand, as as runConversationIndexRebuildCliCommand, at as runCueAnchorStatusCliCommand, au as runDashboardStartCliCommand, av as runDashboardStatusCliCommand, aw as runDashboardStopCliCommand, ax as runGraphHealthCliCommand, ay as runHarmonicSearchCliCommand, az as runMemoryActionAuditCliCommand, aA as runMemoryGovernanceCliCommand, aB as runMemoryGovernanceReportCliCommand, aC as runMemoryGovernanceRestoreCliCommand, aD as runMemoryReviewDispositionCliCommand, aE as runMemoryTimelineCliCommand, aF as runMigrateNormalizeFrontmatterCliCommand, aG as runMigrateObservationsCliCommand, aH as runMigrateRechunkCliCommand, aI as runMigrateReextractCliCommand, aJ as runMigrateRescoreImportanceCliCommand, aK as runObjectiveStateStatusCliCommand, aL as runPolicyDiffCliCommand, aM as runPolicyRollbackCliCommand, aN as runPolicyStatusCliCommand, aO as runRebuildMemoryLifecycleLedgerCliCommand, aP as runRebuildMemoryProjectionCliCommand, aQ as runRebuildObservationsCliCommand, aR as runRepairMemoryProjectionCliCommand, aS as runReplayCliCommand, aT as runResumeBundleBuildCliCommand, aU as runResumeBundleRecordCliCommand, aV as runResumeBundleStatusCliCommand, aW as runRouteCliCommand, aX as runSemanticRulePromoteCliCommand, aY as runSemanticRuleVerifyCliCommand, aZ as runSessionCheckCliCommand, a_ as runSessionRepairCliCommand, a$ as runTailscaleStatusCliCommand, b0 as runTailscaleSyncCliCommand, b1 as runTierMigrateCliCommand, b2 as runTierStatusCliCommand, b3 as runTrainingExportCliCommand, b4 as runTrustZoneDemoSeedCliCommand, b5 as runTrustZonePromoteCliCommand, b6 as runTrustZoneStatusCliCommand, b7 as runUtilityLearningCliCommand, b8 as runUtilityLearningStatusCliCommand, b9 as runUtilityTelemetryRecordCliCommand, ba as runUtilityTelemetryStatusCliCommand, bb as runVerifiedRecallSearchCliCommand, bc as runVerifyMemoryProjectionCliCommand, bd as runWebDavServeCliCommand, be as runWebDavStopCliCommand, bf as runWorkProductRecallSearchCliCommand, bg as runWorkProductRecordCliCommand, bh as runWorkProductStatusCliCommand, bi as runWorkProjectCliCommand, bj as runWorkTaskCliCommand } from './cli-BguVmIwO.js';
 import './work/types.js';
 import './routing/engine.js';
 import './network/tailscale.js';
 import './dashboard-runtime.js';
-import './access-service-DT9L2DW4.js';
+import './access-service-CEyV8XJ5.js';
 import './resolve-auth-token.js';
 import './compat/types.js';
 import './evals.js';

package/dist/cli.js

@@ -89,7 +89,7 @@ import {
   runWorkProductStatusCliCommand,
   runWorkProjectCliCommand,
   runWorkTaskCliCommand
-} from "./chunk-LDJANWTK.js";
+} from "./chunk-RA73CTVY.js";
 import "./chunk-ICRIXAP2.js";
 import "./chunk-EHRTFRWW.js";
 import "./chunk-S7KDBTWT.js";
@@ -107,21 +107,21 @@ import "./chunk-Z734BLO3.js";
 import "./chunk-TKWGAOLV.js";
 import "./chunk-FIT6DMX6.js";
 import "./chunk-TPMQ3G6Z.js";
-import "./chunk-NOQ74SJN.js";
-import "./chunk-YO3AZEE5.js";
+import "./chunk-7D6O46PF.js";
+import "./chunk-25YQM6XW.js";
 import "./chunk-PZIAX57I.js";
 import "./chunk-65PG43EQ.js";
 import "./chunk-KJTKLXTH.js";
 import "./chunk-PK7H5L6Y.js";
 import "./chunk-LT3NLYSI.js";
 import "./chunk-TMM4S4IJ.js";
-import "./chunk-CN4P6SVA.js";
+import "./chunk-RCZRL5BE.js";
 import "./chunk-MXC3AP5I.js";
 import "./chunk-4CRG46BG.js";
 import "./chunk-MT4HVDUZ.js";
 import "./chunk-AJA46VX5.js";
-import "./chunk-5ML4TH3E.js";
-import "./chunk-SGIXDVSF.js";
+import "./chunk-TFORLO3O.js";
+import "./chunk-S27EXIHY.js";
 import "./chunk-HL4DB7TO.js";
 import "./chunk-ZPKBYX2F.js";
 import "./chunk-3SLRNYNG.js";
@@ -131,16 +131,16 @@ import "./chunk-5HRY2WRF.js";
 import "./chunk-YBPYIAA5.js";
 import "./chunk-2PRQG7PV.js";
 import "./chunk-LUDTDZLK.js";
-import "./chunk-5IQC4OG6.js";
+import "./chunk-4H6DURG6.js";
 import "./chunk-PYXS46O7.js";
 import "./chunk-3QKK7QOS.js";
 import "./chunk-W4RVMTHR.js";
-import "./chunk-QOHBYVZG.js";
+import "./chunk-3F24QTRI.js";
 import "./chunk-CULXMQJH.js";
 import "./chunk-5375UYTQ.js";
 import "./chunk-FF4KLI5W.js";
 import "./chunk-EABGC2TL.js";
-import "./chunk-TLM762GT.js";
+import "./chunk-2WIPXV3Y.js";
 import "./chunk-W7DK3CYM.js";
 import "./chunk-NTUNYIF7.js";
 import "./chunk-NJ3MJQZX.js";
@@ -176,7 +176,7 @@ import "./chunk-6HZ6AO2P.js";
 import "./chunk-NZL6GGQE.js";
 import "./chunk-PVGDJXVK.js";
 import "./chunk-NGAVDO7E.js";
-import "./chunk-UA6OCL6S.js";
+import "./chunk-HWF42K6J.js";
 import "./chunk-SEDEKFYQ.js";
 import "./chunk-6FC5EGNV.js";
 import "./chunk-3Y4P7RXM.js";
@@ -184,10 +184,10 @@ import "./chunk-6LVVDPJ4.js";
 import "./chunk-7MNMYOFP.js";
 import "./chunk-FKFMOY3N.js";
 import "./chunk-FAJ7FZYM.js";
-import "./chunk-26OQECWH.js";
+import "./chunk-FHXVW3L4.js";
 import "./chunk-C5BCH4ZS.js";
 import "./chunk-IQT3XTKW.js";
-import "./chunk-NGPO6S3M.js";
+import "./chunk-MM5EBZVW.js";
 import "./chunk-ZKSK55RC.js";
 import "./chunk-WELDCG6C.js";
 import "./chunk-ZYVPLJ4T.js";
@@ -201,7 +201,7 @@ import "./chunk-MGKYQQYF.js";
 import "./chunk-GL6I6MEQ.js";
 import "./chunk-3APJ5EVB.js";
 import "./chunk-5UM2VJ6D.js";
-import "./chunk-TOFUTKQN.js";
+import "./chunk-TR4DK5OH.js";
 import "./chunk-EIR5VLIH.js";
 import "./chunk-PCUKNJAZ.js";
 import "./chunk-RRF5UOBJ.js";
@@ -214,8 +214,8 @@ import "./chunk-U3PN77QT.js";
 import "./chunk-RK2Y4XOM.js";
 import "./chunk-2LSZVONP.js";
 import "./chunk-WIICJPET.js";
-import "./chunk-6ORWKANA.js";
-import "./chunk-7Q2P774N.js";
+import "./chunk-VYU7PXUS.js";
+import "./chunk-F33CJ5CH.js";
 import "./chunk-5UZXUTVO.js";
 import "./chunk-NN2DKE4T.js";
 import "./chunk-Q7P4WJDP.js";
@@ -244,7 +244,7 @@ import "./chunk-TVVEYCNW.js";
 import "./chunk-RFYAYKTD.js";
 import "./chunk-LBLXEFWK.js";
 import "./chunk-XKECPATV.js";
-import "./chunk-VMQRBXJ5.js";
+import "./chunk-7E7SZRPP.js";
 import "./chunk-QA2ZAPBU.js";
 import "./chunk-WEHSQBFR.js";
 import "./chunk-KNKUID7G.js";
@@ -252,10 +252,10 @@ import "./chunk-J4EB7DNW.js";
 import "./chunk-BJMBJZ2Y.js";
 import "./chunk-UKJAGEXH.js";
 import "./chunk-FP2373TW.js";
-import "./chunk-FF46Q3SN.js";
+import "./chunk-JKXFF3NT.js";
 import "./chunk-I6K5FBRQ.js";
 import "./chunk-AGZQD76C.js";
-import "./chunk-SH5S7XYD.js";
+import "./chunk-MXFBBHJU.js";
 import "./chunk-A6XUJE5D.js";
 import "./chunk-P7FMDTKL.js";
 import "./chunk-AH2JUU6X.js";