@replayci/replay 0.1.4 → 0.1.6

package/dist/index.cjs

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,13 +17,29 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  MemoryStore: () => MemoryStore,
+  ReplayConfigError: () => ReplayConfigError,
+  ReplayContractError: () => ReplayContractError,
+  ReplayKillError: () => ReplayKillError,
+  RuntimeClient: () => RuntimeClient,
+  RuntimeClientError: () => RuntimeClientError,
+  createRuntimeClient: () => createRuntimeClient,
   observe: () => observe,
   prepareContracts: () => prepareContracts,
+  replay: () => replay,
   validate: () => validate
 });
 module.exports = __toCommonJS(index_exports);
@@ -61,6 +79,7 @@ var CaptureBuffer = class {
   remoteDisabled = false;
   closed = false;
   droppedOverflowTotal = 0;
+  hasSucceededOnce = false;
   lastFlushAttemptMs = 0;
   lastFlushSuccessMs = 0;
   lastFlushErrorMs = 0;
@@ -127,7 +146,7 @@ var CaptureBuffer = class {
   }
   flush() {
     if (this.closed || this.remoteDisabled) {
-      return Promise.resolve();
+      return Promise.resolve({ captured: 0, sent: 0, active: true, errors: [] });
     }
     if (this.flushPromise) {
       return this.flushPromise;
@@ -137,6 +156,7 @@ var CaptureBuffer = class {
         type: "flush_error",
         error: err instanceof Error ? err.message : String(err)
       });
+      return { captured: 0, sent: 0, active: true, errors: [err instanceof Error ? err.message : String(err)] };
     }).finally(() => {
       if (this.flushPromise === flushPromise) {
         this.flushPromise = void 0;
@@ -165,11 +185,11 @@ var CaptureBuffer = class {
   }
   async flushOnce() {
     if (this.closed || this.remoteDisabled || this.queue.length === 0) {
-      return;
+      return { captured: 0, sent: 0, active: true, errors: [] };
     }
     const now = this.now();
     if (this.circuitOpenUntil > now) {
-      return;
+      return { captured: 0, sent: 0, active: true, errors: [] };
     }
     if (this.circuitOpenUntil !== 0) {
       this.circuitOpenUntil = 0;
@@ -177,8 +197,9 @@ var CaptureBuffer = class {
     }
     const batch = this.queue.splice(0, Math.min(this.queue.length, MAX_BATCH_SIZE));
     if (batch.length === 0) {
-      return;
+      return { captured: 0, sent: 0, active: true, errors: [] };
     }
+    const captured = batch.length;
     this.lastFlushAttemptMs = this.now();
     emitStateChange(this.onStateChange, { type: "flush_attempt" });
     let payload = "";
@@ -186,7 +207,7 @@ var CaptureBuffer = class {
       payload = JSON.stringify({ captures: batch });
     } catch {
       this.handleFailure("JSON serialization failed");
-      return;
+      return { captured, sent: 0, active: true, errors: ["JSON serialization failed"] };
     }
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
@@ -209,19 +230,24 @@ var CaptureBuffer = class {
         this.circuitOpenUntil = Number.MAX_SAFE_INTEGER;
         emitDiagnostics(this.diagnostics, { type: "remote_disabled" });
         emitStateChange(this.onStateChange, { type: "remote_disabled" });
-        return;
+        return { captured, sent: 0, active: true, errors: ["remote_disabled"] };
       }
       if (!response.ok) {
-        this.handleFailure(`HTTP ${response.status}`);
-        return;
+        const msg = `HTTP ${response.status}`;
+        this.handleFailure(msg);
+        return { captured, sent: 0, active: true, errors: [msg] };
       }
       this.failureCount = 0;
       this.circuitOpenUntil = 0;
+      this.hasSucceededOnce = true;
       this.lastFlushSuccessMs = this.now();
       this.lastFlushErrorMsg = null;
       emitStateChange(this.onStateChange, { type: "flush_success", batch_size: batch.length });
+      return { captured, sent: captured, active: true, errors: [] };
     } catch (err) {
-      this.handleFailure(err instanceof Error ? err.message : String(err));
+      const msg = err instanceof Error ? err.message : String(err);
+      this.handleFailure(msg);
+      return { captured, sent: 0, active: true, errors: [msg] };
     } finally {
       clearTimeout(timeout);
     }
@@ -231,10 +257,12 @@ var CaptureBuffer = class {
     const errorStr = errorMsg ?? "unknown error";
     this.lastFlushErrorMs = this.now();
     this.lastFlushErrorMsg = errorStr;
-    emitDiagnostics(this.diagnostics, {
-      type: "flush_error",
-      error: errorStr
-    });
+    if (this.hasSucceededOnce) {
+      emitDiagnostics(this.diagnostics, {
+        type: "flush_error",
+        error: errorStr
+      });
+    }
     emitStateChange(this.onStateChange, { type: "flush_error", error: errorStr });
     if (this.failureCount >= CIRCUIT_BREAKER_FAILURE_LIMIT) {
       this.circuitOpenUntil = this.now() + CIRCUIT_BREAKER_MS;
@@ -546,10 +574,12 @@ var ReplayConfigurationError = class extends Error {
 };
 var ReplayInternalError = class extends Error {
   cause;
+  sessionId;
   constructor(message, options) {
     super(message);
     this.name = "ReplayInternalError";
     this.cause = options?.cause;
+    this.sessionId = options?.sessionId;
   }
 };
 
@@ -1434,8 +1464,35 @@ function ensureDir(dir) {
 
 // src/observe.ts
 var REPLAY_WRAPPED = /* @__PURE__ */ Symbol.for("replayci.wrapped");
+var REPLAY_ATTACHED = /* @__PURE__ */ Symbol.for("replayci.replay_attached");
 var DEFAULT_AGENT = "default";
 var IDLE_HEARTBEAT_MS = 3e4;
+function defaultDiagnosticsHandler(event) {
+  switch (event.type) {
+    case "observe_inactive":
+      if (event.reason_code === "missing_api_key") {
+        console.warn(
+          "[replayci] No API key provided. observe() is inactive \u2014 calls will not be captured. Set REPLAYCI_API_KEY or pass apiKey to observe()."
+        );
+      }
+      break;
+    case "activation_warning":
+      console.warn(`[replayci] ${event.message}`);
+      break;
+    case "flush_error":
+      console.warn(`[replayci] flush failed: ${event.error}`);
+      break;
+    case "flush_empty":
+      console.warn(
+        "[replayci] flush(): No calls were captured. Ensure your LLM calls use the client returned by observe()."
+      );
+      break;
+    case "circuit_open":
+      break;
+    default:
+      break;
+  }
+}
 function observe(client, opts = {}) {
   assertSupportedNodeRuntime();
   const sessionId = generateSessionId();
@@ -1445,38 +1502,45 @@ function observe(client, opts = {}) {
     if (isDisabled(opts)) {
       return createInactiveHandle(client, sessionId, agent, "disabled", void 0, now, opts.diagnostics, opts.stateDir);
     }
+    const diagnosticsHandler = opts.diagnostics ?? defaultDiagnosticsHandler;
     const apiKey = resolveApiKey(opts);
+    if (apiKey && !/^rci_(live|test)_/.test(apiKey)) {
+      emitDiagnostic(diagnosticsHandler, {
+        type: "activation_warning",
+        message: "API key format looks wrong (expected 'rci_live_...' or 'rci_test_...'). Verify your key at app.replayci.com/settings."
+      });
+    }
     if (!apiKey) {
-      return createInactiveHandle(client, sessionId, agent, "missing_api_key", void 0, now, opts.diagnostics, opts.stateDir);
+      return createInactiveHandle(client, sessionId, agent, "missing_api_key", void 0, now, diagnosticsHandler, opts.stateDir);
     }
-    const provider = detectProviderSafely(client, opts.diagnostics);
+    const provider = detectProviderSafely(client, diagnosticsHandler);
     if (!provider) {
-      return createInactiveHandle(client, sessionId, agent, "unsupported_client", "Could not detect provider.", now, opts.diagnostics, opts.stateDir);
+      return createInactiveHandle(client, sessionId, agent, "unsupported_client", "Could not detect provider.", now, diagnosticsHandler, opts.stateDir);
     }
     const patchTarget = resolvePatchTarget(client, provider);
     if (!patchTarget) {
-      emitDiagnostic(opts.diagnostics, {
+      emitDiagnostic(diagnosticsHandler, {
         type: "unsupported_client",
         mode: "observe",
         detail: `Unsupported ${provider} client shape.`
       });
-      return createInactiveHandle(client, sessionId, agent, "unsupported_client", `Unsupported ${provider} client shape.`, now, opts.diagnostics, opts.stateDir);
+      return createInactiveHandle(client, sessionId, agent, "unsupported_client", `Unsupported ${provider} client shape.`, now, diagnosticsHandler, opts.stateDir);
     }
-    if (isWrapped(client, patchTarget.target)) {
-      emitDiagnostic(opts.diagnostics, {
+    if (isWrapped(client, patchTarget.target) || isReplayAttached(client)) {
+      emitDiagnostic(diagnosticsHandler, {
         type: "double_wrap",
         mode: "observe"
       });
-      return createInactiveHandle(client, sessionId, agent, "double_wrap", void 0, now, opts.diagnostics, opts.stateDir);
+      return createInactiveHandle(client, sessionId, agent, "double_wrap", void 0, now, diagnosticsHandler, opts.stateDir);
     }
     const patchabilityError = getPatchabilityError(patchTarget.target, patchTarget.methodName);
     if (patchabilityError) {
-      emitDiagnostic(opts.diagnostics, {
+      emitDiagnostic(diagnosticsHandler, {
         type: "unsupported_client",
         mode: "observe",
         detail: patchabilityError
       });
-      return createInactiveHandle(client, sessionId, agent, "patch_target_unwritable", patchabilityError, now, opts.diagnostics, opts.stateDir);
+      return createInactiveHandle(client, sessionId, agent, "patch_target_unwritable", patchabilityError, now, diagnosticsHandler, opts.stateDir);
     }
     const captureLevel = normalizeCaptureLevel(opts.captureLevel);
     const patchTargetName = `${provider}.${provider === "openai" ? "chat.completions.create" : "messages.create"}`;
@@ -1534,7 +1598,7 @@ function observe(client, opts = {}) {
         const detail = err instanceof Error ? err.message : "Failed to write health snapshot";
         lastHealthStoreErrorAt = (/* @__PURE__ */ new Date()).toISOString();
         lastHealthStoreError = detail;
-        emitDiagnostic(opts.diagnostics, {
+        emitDiagnostic(diagnosticsHandler, {
           type: "health_store_error",
           detail
         });
@@ -1574,7 +1638,7 @@ function observe(client, opts = {}) {
           runtimeState.consecutive_failures = 0;
           runtimeState.circuit_open_until = null;
           runtimeState.queue_size = buffer.size;
-          emitDiagnostic(opts.diagnostics, {
+          emitDiagnostic(diagnosticsHandler, {
             type: "flush_succeeded",
             batch_size: event.batch_size
           });
@@ -1610,7 +1674,7 @@ function observe(client, opts = {}) {
       maxBuffer: opts.maxBuffer,
       flushMs: opts.flushMs,
       timeoutMs: opts.timeoutMs,
-      diagnostics: opts.diagnostics,
+      diagnostics: diagnosticsHandler,
       onStateChange: onBufferStateChange
     });
     registerBeforeExit(buffer);
@@ -1634,7 +1698,7 @@ function observe(client, opts = {}) {
     persistHealthEvent();
     safeRunJanitor(sessionsDir, sessionId);
     startHeartbeat();
-    emitDiagnostic(opts.diagnostics, {
+    emitDiagnostic(diagnosticsHandler, {
       type: "observe_activated",
       session_id: sessionId,
       provider,
@@ -1657,7 +1721,7 @@ function observe(client, opts = {}) {
           sessionId,
           runtimeState,
           persistHealthEvent,
-          diagnostics: opts.diagnostics
+          diagnostics: diagnosticsHandler
         });
         return response;
       });
@@ -1667,8 +1731,12 @@ function observe(client, opts = {}) {
     let restored = false;
     return {
       client,
-      flush() {
-        return buffer.flush();
+      async flush() {
+        const result = await buffer.flush();
+        if (result.captured === 0 && result.errors.length === 0) {
+          emitDiagnostic(diagnosticsHandler, { type: "flush_empty" });
+        }
+        return result;
       },
       restore() {
         if (restored) {
@@ -1707,7 +1775,7 @@ function observe(client, opts = {}) {
     };
   } catch (err) {
     const detail = err instanceof Error ? err.message : "Unknown internal error";
-    return createInactiveHandle(client, sessionId, agent, "internal_error", detail, now, opts.diagnostics, opts.stateDir);
+    return createInactiveHandle(client, sessionId, agent, "internal_error", detail, now, opts.diagnostics ?? defaultDiagnosticsHandler, opts.stateDir);
   }
 }
 function createInactiveHandle(client, sessionId, agent, reasonCode, detail, activatedAt, diagnostics, stateDir) {
@@ -1734,7 +1802,7 @@ function createInactiveHandle(client, sessionId, agent, reasonCode, detail, acti
   return {
     client,
     flush() {
-      return Promise.resolve();
+      return Promise.resolve({ captured: 0, sent: 0, active: false, errors: [] });
     },
     restore() {
     },
@@ -2061,6 +2129,9 @@ function isWrapped(client, target) {
     client[REPLAY_WRAPPED] || target[REPLAY_WRAPPED]
   );
 }
+function isReplayAttached(client) {
+  return Boolean(client[REPLAY_ATTACHED]);
+}
 function setWrapped(client, target) {
   try {
     client[REPLAY_WRAPPED] = true;
@@ -2126,7 +2197,16 @@ var import_contracts_core3 = require("@replayci/contracts-core");
 var import_contracts_core2 = require("@replayci/contracts-core");
 var import_node_fs2 = require("fs");
 var import_node_path2 = require("path");
+
+// src/safeRegex.ts
+var import_re2 = __toESM(require("re2"), 1);
+function safeRegex(pattern) {
+  return new import_re2.default(pattern);
+}
+
+// src/contracts.ts
 var CONTRACT_EXTENSIONS = /* @__PURE__ */ new Set([".yaml", ".yml"]);
+var SESSION_YAML_NAMES = /* @__PURE__ */ new Set(["session.yaml", "session.yml"]);
 var MAX_REGEX_BYTES = 1024;
 var NESTED_QUANTIFIER_RE = /\((?:[^()\\]|\\.)*[+*{](?:[^()\\]|\\.)*\)(?:[+*]|\{\d+(?:,\d*)?\})/;
 function loadContracts(input) {
@@ -2218,7 +2298,7 @@ function collectContractFiles(inputPath) {
     if (entry.isDirectory()) {
       return collectContractFiles(fullPath);
     }
-    if (entry.isFile() && CONTRACT_EXTENSIONS.has((0, import_node_path2.extname)(entry.name).toLowerCase())) {
+    if (entry.isFile() && CONTRACT_EXTENSIONS.has((0, import_node_path2.extname)(entry.name).toLowerCase()) && !SESSION_YAML_NAMES.has(entry.name.toLowerCase())) {
       return [fullPath];
     }
     return [];
@@ -2268,7 +2348,19 @@ function normalizeInlineContract(input) {
     ...expectedToolCalls.length > 0 ? { expected_tool_calls: expectedToolCalls } : {},
     ...isMatchMode(source.tool_call_match_mode) ? {
       tool_call_match_mode: source.tool_call_match_mode
-    } : {}
+    } : {},
+    // replay() fields — pass through when present on the Contract type
+    ...source.response_format_invariants != null ? { response_format_invariants: source.response_format_invariants } : {},
+    ...source.policy != null ? { policy: source.policy } : {},
+    ...source.execution_constraints != null ? { execution_constraints: source.execution_constraints } : {},
+    ...Array.isArray(source.preconditions) ? { preconditions: source.preconditions } : {},
+    ...Array.isArray(source.forbids_after) ? { forbids_after: source.forbids_after } : {},
+    ...source.session_limits != null ? { session_limits: source.session_limits } : {},
+    ...Array.isArray(source.argument_value_invariants) ? { argument_value_invariants: source.argument_value_invariants } : {},
+    ...source.transitions != null ? { transitions: source.transitions } : {},
+    ...source.gate != null ? { gate: source.gate } : {},
+    ...source.evidence_class != null ? { evidence_class: source.evidence_class } : {},
+    ...source.commit_requirement != null ? { commit_requirement: source.commit_requirement } : {}
   };
   validateSafeRegexes(contract);
   return contract;
@@ -2303,6 +2395,12 @@ function validateSafeRegexes(contract) {
       invariants: expectedToolCall.argument_invariants ?? []
     });
   }
+  if (contract.argument_value_invariants) {
+    invariantGroups.push({
+      label: "argument_value_invariants",
+      invariants: contract.argument_value_invariants
+    });
+  }
   for (const group of invariantGroups) {
     for (const invariant of group.invariants) {
       if (typeof invariant.regex !== "string") {
@@ -2319,7 +2417,7 @@ function validateSafeRegexes(contract) {
         );
       }
       try {
-        void new RegExp(invariant.regex);
+        void safeRegex(invariant.regex);
       } catch (error) {
         throw new ReplayConfigurationError(
           `Invalid regex in ${contractLabel} (${group.label}, ${invariant.path}): ${formatErrorMessage(error)}`
@@ -2410,7 +2508,7 @@ function toToolOrder(value, hasExpectedTools) {
   return hasExpectedTools ? "any" : void 0;
 }
 function isSideEffect(value) {
-  return value === "read" || value === "write" || value === "destructive";
+  return value === "read" || value === "write" || value === "destructive" || value === "admin" || value === "financial";
 }
 function formatErrorMessage(error) {
   return error instanceof Error ? error.message : String(error);
@@ -2813,9 +2911,3691 @@ function toRecord6(value) {
 function toString6(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
+
+// src/replay.ts
+var import_node_crypto5 = __toESM(require("crypto"), 1);
+var import_node_fs3 = require("fs");
+var import_node_path3 = require("path");
+var import_contracts_core6 = require("@replayci/contracts-core");
+
+// src/redaction.ts
+var import_node_crypto2 = __toESM(require("crypto"), 1);
+
+// ../../artifacts/schema/redaction-patterns.json
+var redaction_patterns_default = {
+  schema_version: "1.0",
+  fingerprint_algorithm: "sha256",
+  patterns: [
+    {
+      name: "slack_token",
+      detect: "xox[baprs]-[A-Za-z0-9-]+",
+      detect_flags: "g",
+      redact: "xox[baprs]-[A-Za-z0-9-]+",
+      redact_flags: "g",
+      replacement: "[REDACTED]"
+    },
+    {
+      name: "bearer_token",
+      detect: "Bearer\\s+[A-Za-z0-9._-]{10,}",
+      detect_flags: "g",
+      redact: "Bearer\\s+[A-Za-z0-9._-]{10,}",
+      redact_flags: "g",
+      replacement: "Bearer [REDACTED]"
+    },
+    {
+      name: "connection_string",
+      detect: "(?:postgresql|mysql|mongodb(?:\\+srv)?)://[^\\s]+@[^\\s]+",
+      detect_flags: "g",
+      redact: "((?:postgresql|mysql|mongodb(?:\\+srv)?)://)[^\\s]+@([^\\s]+)",
+      redact_flags: "g",
+      replacement: "$1[REDACTED]@$2"
+    },
+    {
+      name: "openai_api_key",
+      detect: "sk-(?:proj-)?[A-Za-z0-9]{10,}",
+      detect_flags: "g",
+      redact: "sk-(?:proj-)?[A-Za-z0-9]{10,}",
+      redact_flags: "g",
+      replacement: "[REDACTED]"
+    },
+    {
+      name: "anthropic_api_key",
+      detect: "sk-ant-[A-Za-z0-9_-]{20,}",
+      detect_flags: "g",
+      redact: "sk-ant-[A-Za-z0-9_-]{20,}",
+      redact_flags: "g",
+      replacement: "[REDACTED]"
+    },
+    {
+      name: "api_key_header",
+      detect: "(?:api[_-]key|x-api-key)\\s*[:=]\\s*[A-Za-z0-9._-]{10,}",
+      detect_flags: "gi",
+      redact: "((?:api[_-]key|x-api-key)\\s*[:=]\\s*)[A-Za-z0-9._-]{10,}",
+      redact_flags: "gi",
+      replacement: "$1[REDACTED]"
+    },
+    {
+      name: "private_key",
+      detect: "-----BEGIN\\s[\\w\\s]*PRIVATE\\sKEY-----",
+      detect_flags: "g",
+      redact: "-----BEGIN\\s[\\w\\s]*PRIVATE\\sKEY-----[\\s\\S]*?-----END\\s[\\w\\s]*PRIVATE\\sKEY-----",
+      redact_flags: "g",
+      replacement: "[REDACTED_PRIVATE_KEY]"
+    }
+  ]
+};
+
+// src/redaction.ts
+function sha256Hex(s) {
+  return import_node_crypto2.default.createHash("sha256").update(s).digest("hex");
+}
+var compiledPatterns = redaction_patterns_default.patterns.map((p) => ({
+  name: p.name,
+  detectRe: new RegExp(p.detect, p.detect_flags),
+  redactRe: new RegExp(p.redact, p.redact_flags),
+  replacement: p.replacement
+}));
+var PATTERN_FINGERPRINT = sha256Hex(
+  JSON.stringify(redaction_patterns_default.patterns)
+);
+function detectFindings(s) {
+  const findings = [];
+  for (const pattern of compiledPatterns) {
+    for (const m of s.matchAll(pattern.detectRe)) {
+      findings.push({ kind: pattern.name, sample_hash: sha256Hex(m[0]) });
+    }
+  }
+  return findings;
+}
+function redactString(s) {
+  let out = s;
+  for (const pattern of compiledPatterns) {
+    out = out.replace(pattern.redactRe, pattern.replacement);
+  }
+  return out;
+}
+function redactCapture(input) {
+  const findings = detectFindings(input);
+  const redacted = redactString(input);
+  return {
+    redacted,
+    findings,
+    redacted_any: redacted !== input,
+    pattern_fingerprint: PATTERN_FINGERPRINT
+  };
+}
+
+// src/errors/replay.ts
+var ReplayContractError = class extends Error {
+  decision;
+  contractFile;
+  failures;
+  constructor(message, decision, contractFile, failures) {
+    super(message);
+    this.name = "ReplayContractError";
+    this.decision = decision;
+    this.contractFile = contractFile;
+    this.failures = failures;
+  }
+};
+var ReplayKillError = class extends Error {
+  sessionId;
+  killedAt;
+  constructor(sessionId, killedAt) {
+    super(`Session ${sessionId} was killed at ${killedAt}`);
+    this.name = "ReplayKillError";
+    this.sessionId = sessionId;
+    this.killedAt = killedAt;
+  }
+};
+var ReplayConfigError = class extends ReplayConfigurationError {
+  condition;
+  details;
+  constructor(condition, details) {
+    super(`ReplayConfigError: ${condition} \u2014 ${details}`);
+    this.name = "ReplayConfigError";
+    this.condition = condition;
+    this.details = details;
+  }
+};
+
+// src/gate.ts
+function applyGateDecision(decision, response, provider, gateMode, onBlock) {
+  if (decision.action === "allow") {
+    return response;
+  }
+  try {
+    onBlock?.(decision);
+  } catch {
+  }
+  if (gateMode === "reject_all") {
+    throw buildContractError(decision);
+  }
+  const allowedCalls = getAllowedCalls(decision.tool_calls, decision.blocked);
+  if (gateMode === "strip_partial") {
+    if (allowedCalls.length === 0) {
+      throw buildContractError(decision);
+    }
+    return stripBlockedCalls(response, allowedCalls, provider);
+  }
+  if (allowedCalls.length === 0) {
+    return normalizeStrippedResponse(response, provider);
+  }
+  return stripBlockedCalls(response, allowedCalls, provider);
+}
+function normalizeStrippedResponse(response, provider) {
+  if (provider === "openai") {
+    return normalizeOpenAIStripped(response);
+  }
+  return normalizeAnthropicStripped(response);
+}
+function getAllowedCalls(allCalls, blocked) {
+  const blockedPool = blocked.map((b) => ({ name: b.tool_name, args: b.arguments }));
+  return allCalls.filter((call) => {
+    const exactIdx = blockedPool.findIndex(
+      (b) => b.name === call.name && b.args === call.arguments
+    );
+    if (exactIdx !== -1) {
+      blockedPool.splice(exactIdx, 1);
+      return false;
+    }
+    const nameIdx = blockedPool.findIndex(
+      (b) => b.name === call.name && b.args === ""
+    );
+    if (nameIdx !== -1) {
+      blockedPool.splice(nameIdx, 1);
+      return false;
+    }
+    return true;
+  });
+}
+function stripBlockedCalls(response, allowedCalls, provider) {
+  const allowedIds = new Set(allowedCalls.map((c) => c.id));
+  if (provider === "openai") {
+    return stripOpenAICalls(response, allowedIds);
+  }
+  return stripAnthropicCalls(response, allowedIds);
+}
+function stripOpenAICalls(response, allowedIds) {
+  const record = toRecord7(response);
+  const choices = Array.isArray(record.choices) ? record.choices : [];
+  if (choices.length === 0) return response;
+  const firstChoice = toRecord7(choices[0]);
+  const message = toRecord7(firstChoice.message);
+  const toolCalls = Array.isArray(message.tool_calls) ? message.tool_calls : [];
+  const filtered = toolCalls.filter((tc) => {
+    const id = toRecord7(tc).id;
+    return typeof id === "string" && allowedIds.has(id);
+  });
+  return {
+    ...record,
+    replay_modified: true,
+    choices: [{
+      ...firstChoice,
+      message: {
+        ...message,
+        tool_calls: filtered
+      }
+    }]
+  };
+}
+function stripAnthropicCalls(response, allowedIds) {
+  const record = toRecord7(response);
+  const content = Array.isArray(record.content) ? record.content : [];
+  const filtered = content.filter((block) => {
+    const b = toRecord7(block);
+    if (b.type !== "tool_use") return true;
+    const id = b.id;
+    return typeof id === "string" && allowedIds.has(id);
+  });
+  return {
+    ...record,
+    replay_modified: true,
+    content: filtered
+  };
+}
+function normalizeOpenAIStripped(response) {
+  const record = toRecord7(response);
+  const choices = Array.isArray(record.choices) ? record.choices : [];
+  if (choices.length === 0) return { ...record, replay_modified: true };
+  const firstChoice = toRecord7(choices[0]);
+  const message = toRecord7(firstChoice.message);
+  const content = typeof message.content === "string" && message.content.length > 0 ? message.content : "[replay: all tool calls blocked]";
+  const finishReason = firstChoice.finish_reason === "tool_calls" ? "stop" : firstChoice.finish_reason;
+  return {
+    ...record,
+    replay_modified: true,
+    choices: [{
+      ...firstChoice,
+      finish_reason: finishReason,
+      message: {
+        ...message,
+        content,
+        tool_calls: void 0
+      }
+    }]
+  };
+}
+function normalizeAnthropicStripped(response) {
+  const record = toRecord7(response);
+  const contentBlocks = Array.isArray(record.content) ? record.content : [];
+  const textBlocks = contentBlocks.filter((b) => toRecord7(b).type === "text");
+  const stopReason = record.stop_reason === "tool_use" ? "end_turn" : record.stop_reason;
+  const content = textBlocks.length > 0 ? textBlocks : [{ type: "text", text: "[replay: all tool calls blocked]" }];
+  return {
+    ...record,
+    replay_modified: true,
+    stop_reason: stopReason,
+    content
+  };
+}
+function buildContractError(decision) {
+  if (decision.action !== "block") {
+    throw new Error("Cannot build contract error from allow decision");
+  }
+  const first = decision.blocked[0];
+  return new ReplayContractError(
+    `Tool call blocked: ${first?.tool_name ?? "unknown"} \u2014 ${first?.reason ?? "unknown"}`,
+    decision,
+    first?.contract_file ?? "",
+    first?.failures ?? []
+  );
+}
+function toRecord7(value) {
+  return value !== null && typeof value === "object" ? value : {};
+}
+
+// src/responseFormat.ts
+function extractResponseMetadata(response, provider) {
+  if (provider === "openai") {
+    return extractOpenAIMetadata(response);
+  }
+  return extractAnthropicMetadata(response);
+}
+function extractOpenAIMetadata(response) {
+  const record = toRecord8(response);
+  const choices = Array.isArray(record.choices) ? record.choices : [];
+  if (choices.length === 0) {
+    return { finish_reason: null, content: null, tool_calls_present: false, has_content: false };
+  }
+  const firstChoice = toRecord8(choices[0]);
+  const message = toRecord8(firstChoice.message);
+  const finishReason = typeof firstChoice.finish_reason === "string" ? firstChoice.finish_reason : null;
+  const content = typeof message.content === "string" ? message.content : null;
+  const toolCalls = Array.isArray(message.tool_calls) ? message.tool_calls : [];
+  return {
+    finish_reason: finishReason,
+    content,
+    tool_calls_present: toolCalls.length > 0,
+    has_content: content !== null && content.length > 0
+  };
+}
+function extractAnthropicMetadata(response) {
+  const record = toRecord8(response);
+  const stopReason = typeof record.stop_reason === "string" ? record.stop_reason : null;
+  const contentBlocks = Array.isArray(record.content) ? record.content : [];
+  const textBlocks = contentBlocks.filter(
+    (block) => toRecord8(block).type === "text"
+  );
+  const toolUseBlocks = contentBlocks.filter(
+    (block) => toRecord8(block).type === "tool_use"
+  );
+  const textContent = textBlocks.map((block) => {
+    const text = toRecord8(block).text;
+    return typeof text === "string" ? text : "";
+  }).join("\n");
+  let finishReason = null;
+  if (stopReason === "end_turn") {
+    finishReason = "stop";
+  } else if (stopReason === "tool_use") {
+    finishReason = "tool_calls";
+  } else if (stopReason !== null) {
+    finishReason = stopReason;
+  }
+  return {
+    finish_reason: finishReason,
+    content: textContent.length > 0 ? textContent : null,
+    tool_calls_present: toolUseBlocks.length > 0,
+    has_content: textContent.length > 0
+  };
+}
+function evaluateResponseFormatInvariants(response, contracts, requestToolNames, provider) {
+  const requestToolSet = new Set(requestToolNames);
+  const metadata = extractResponseMetadata(response, provider);
+  const failures = [];
+  for (const contract of contracts) {
+    if (!contract.response_format_invariants) continue;
+    if (!requestToolSet.has(contract.tool)) continue;
+    const rfi = contract.response_format_invariants;
+    const contractFile = contract.contract_file ?? contract.tool;
+    failures.push(...checkFinishReason(rfi, metadata, contractFile));
+    failures.push(...checkContentWhenToolCalls(rfi, metadata, contractFile));
+    failures.push(...checkToolCallsPresent(rfi, metadata, contractFile));
+  }
+  return { failures };
+}
+function checkFinishReason(rfi, metadata, contractFile) {
+  if (rfi.finish_reason === void 0) return [];
+  if (metadata.finish_reason === rfi.finish_reason) return [];
+  return [{
+    path: "$.finish_reason",
+    operator: "response_format",
+    expected: rfi.finish_reason,
+    found: metadata.finish_reason,
+    message: `Expected finish_reason "${rfi.finish_reason}", got "${metadata.finish_reason}"`,
+    contract_file: contractFile
+  }];
+}
+function checkContentWhenToolCalls(rfi, metadata, contractFile) {
+  if (rfi.content_when_tool_calls === void 0) return [];
+  if (rfi.content_when_tool_calls !== "empty") return [];
+  if (!metadata.tool_calls_present) return [];
+  if (!metadata.has_content) return [];
+  return [{
+    path: "$.content",
+    operator: "response_format",
+    expected: "empty when tool_calls present",
+    found: "content present",
+    message: 'content_when_tool_calls is "empty" but response has both content and tool_calls',
+    contract_file: contractFile
+  }];
+}
+function checkToolCallsPresent(rfi, metadata, contractFile) {
+  if (rfi.tool_calls_present === void 0) return [];
+  if (rfi.tool_calls_present === metadata.tool_calls_present) return [];
+  return [{
+    path: "$.tool_calls",
+    operator: "response_format",
+    expected: rfi.tool_calls_present,
+    found: metadata.tool_calls_present,
+    message: rfi.tool_calls_present ? "tool_calls_present: true but no tool_calls in response" : "tool_calls_present: false but tool_calls found in response",
+    contract_file: contractFile
+  }];
+}
+function toRecord8(value) {
+  return value !== null && typeof value === "object" ? value : {};
+}
+
+// src/sessionState.ts
+var import_node_crypto3 = __toESM(require("crypto"), 1);
+
+// src/phases.ts
+function validatePhaseTransition(toolCalls, sessionState, compiledSession) {
+  if (!compiledSession.phases) {
+    return { legal: true, newPhase: sessionState.currentPhase };
+  }
+  const attemptedTransitions = [];
+  for (const toolCall of toolCalls) {
+    const contract = compiledSession.perToolContracts.get(toolCall.name);
+    if (!contract?.transitions?.advances_to) continue;
+    const allowedTransitions = compiledSession.transitions.get(
+      sessionState.currentPhase ?? ""
+    );
+    if (!allowedTransitions?.includes(contract.transitions.advances_to)) {
+      return {
+        legal: false,
+        newPhase: sessionState.currentPhase,
+        blockedTool: toolCall.name,
+        attemptedTransition: `${sessionState.currentPhase} \u2192 ${contract.transitions.advances_to}`,
+        reason: "illegal_phase_transition"
+      };
+    }
+    attemptedTransitions.push({
+      tool: toolCall.name,
+      target: contract.transitions.advances_to
+    });
+  }
+  if (attemptedTransitions.length > 1) {
+    const distinctTargets = new Set(attemptedTransitions.map((t) => t.target));
+    if (distinctTargets.size > 1) {
+      return {
+        legal: false,
+        newPhase: sessionState.currentPhase,
+        blockedTool: attemptedTransitions.map((t) => t.tool).join(", "),
+        attemptedTransition: attemptedTransitions.map((t) => `${t.tool} \u2192 ${t.target}`).join("; "),
+        reason: "ambiguous_phase_transition"
+      };
+    }
+  }
+  if (attemptedTransitions.length > 0) {
+    return { legal: true, newPhase: attemptedTransitions[0].target };
+  }
+  return { legal: true, newPhase: sessionState.currentPhase };
+}
+function recomputePhaseFromCommitted(committedCalls, sessionState, compiledSession) {
+  if (!compiledSession.phases) return sessionState.currentPhase;
+  const transitions = [];
+  for (const tc of committedCalls) {
+    const contract = compiledSession.perToolContracts.get(tc.toolName);
+    if (!contract?.transitions?.advances_to) continue;
+    transitions.push(contract.transitions.advances_to);
+  }
+  if (transitions.length === 0) return sessionState.currentPhase;
+  const distinct = new Set(transitions);
+  if (distinct.size > 1) {
+    return sessionState.currentPhase;
+  }
+  return transitions[0];
+}
+function getLegalNextPhases(sessionState, compiledSession) {
+  if (!compiledSession.phases) return [];
+  return compiledSession.transitions.get(sessionState.currentPhase ?? "") ?? [];
+}
+
+// src/sessionState.ts
+var MAX_STEPS_HARD_CAP = 1e4;
+function createInitialState(sessionId, options) {
+  return {
+    sessionId,
+    agent: options?.agent ?? null,
+    principal: options?.principal ?? null,
+    startedAt: /* @__PURE__ */ new Date(),
+    tier: options?.tier ?? "compat",
+    stateVersion: 0,
+    controlRevision: 0,
+    currentPhase: null,
+    totalStepCount: 0,
+    totalToolCalls: 0,
+    actualCost: 0,
+    totalCost: 0,
+    toolCallCounts: /* @__PURE__ */ new Map(),
+    forbiddenTools: /* @__PURE__ */ new Set(),
+    satisfiedPreconditions: /* @__PURE__ */ new Map(),
+    steps: [],
+    pendingEntries: [],
+    lastStep: null,
+    consecutiveBlockCount: 0,
+    consecutiveErrorCount: 0,
+    totalBlockCount: 0,
+    totalUnguardedCalls: 0,
+    killed: false,
+    contractHash: null
+  };
+}
+function finalizeExecutedStep(state, step, contracts, compiledSession) {
+  const newSteps = [...state.steps, step];
+  const newToolCallCounts = updateToolCallCounts(state.toolCallCounts, step);
+  const resolvedContracts = compiledSession ? Array.from(compiledSession.perToolContracts.values()) : contracts;
+  const newForbiddenTools = updateForbidden(state.forbiddenTools, step, resolvedContracts);
+  const newSatisfiedPreconditions = updatePreconditionCache(
+    state.satisfiedPreconditions,
+    step
+  );
+  const costDelta = computeStepCost(step);
+  const newPhase = compiledSession ? recomputePhaseFromCommitted(step.toolCalls, state, compiledSession) : state.currentPhase;
+  return {
+    ...state,
+    steps: newSteps,
+    currentPhase: newPhase,
+    totalStepCount: state.totalStepCount + 1,
+    totalToolCalls: state.totalToolCalls + step.toolCalls.length,
+    totalCost: state.totalCost + costDelta,
+    toolCallCounts: newToolCallCounts,
+    forbiddenTools: newForbiddenTools,
+    satisfiedPreconditions: newSatisfiedPreconditions,
+    lastStep: step,
+    stateVersion: state.stateVersion + 1
+  };
+}
+function updateActualCost(state, costDelta) {
+  return {
+    ...state,
+    actualCost: state.actualCost + costDelta
+  };
+}
+function recordDecisionOutcome(state, outcome) {
+  switch (outcome) {
+    case "allowed":
+      return {
+        ...state,
+        consecutiveBlockCount: 0,
+        consecutiveErrorCount: 0
+      };
+    case "blocked":
+      return {
+        ...state,
+        consecutiveBlockCount: state.consecutiveBlockCount + 1,
+        consecutiveErrorCount: 0,
+        totalBlockCount: state.totalBlockCount + 1
+      };
+    case "error":
+      return {
+        ...state,
+        consecutiveErrorCount: state.consecutiveErrorCount + 1,
+        consecutiveBlockCount: 0
+      };
+  }
+}
+function killSession(state) {
+  return {
+    ...state,
+    killed: true
+  };
+}
+function isAtHardStepCap(state) {
+  return state.totalStepCount >= MAX_STEPS_HARD_CAP;
+}
+function computeArgumentsHash(args) {
+  return import_node_crypto3.default.createHash("sha256").update(args).digest("hex").slice(0, 16);
+}
+var RESOURCE_SEPARATOR = "\0";
+function makeForbiddenKey(toolName, resourceValue) {
+  if (resourceValue === void 0) return toolName;
+  return `${toolName}${RESOURCE_SEPARATOR}${JSON.stringify(resourceValue)}`;
+}
+function isForbidden(forbiddenTools, toolName, resourceValue) {
+  if (forbiddenTools.has(toolName)) return true;
+  if (resourceValue !== void 0) {
+    return forbiddenTools.has(makeForbiddenKey(toolName, resourceValue));
+  }
+  return false;
+}
+function updateToolCallCounts(counts, step) {
+  const updated = new Map(counts);
+  for (const tc of step.toolCalls) {
+    updated.set(tc.toolName, (updated.get(tc.toolName) ?? 0) + 1);
+  }
+  return updated;
+}
+function updateForbidden(forbidden, step, contracts) {
+  const updated = new Set(forbidden);
+  const contractByTool = new Map(contracts.map((c) => [c.tool, c]));
+  for (const tc of step.toolCalls) {
+    const contract = contractByTool.get(tc.toolName);
+    if (contract?.forbids_after) {
+      for (const entry of contract.forbids_after) {
+        if (typeof entry === "string") {
+          updated.add(entry);
+        } else {
+          const resourcePath = entry.resource;
+          if (resourcePath && tc.resourceValues) {
+            const resourceValue = tc.resourceValues[resourcePath];
+            if (resourceValue !== void 0) {
+              updated.add(makeForbiddenKey(entry.tool, resourceValue));
+            } else {
+              updated.add(entry.tool);
+            }
+          } else {
+            updated.add(entry.tool);
+          }
+        }
+      }
+    }
+  }
+  return updated;
+}
+function updatePreconditionCache(cache, step) {
+  const updated = new Map(cache);
+  for (const tc of step.toolCalls) {
+    updated.set(tc.toolName, step.outputExtract);
+    if (tc.resourceValues) {
+      for (const [_path, value] of Object.entries(tc.resourceValues)) {
+        const resourceKey = `${tc.toolName}:${JSON.stringify(value)}`;
+        updated.set(resourceKey, step.outputExtract);
+      }
+    }
+  }
+  return updated;
+}
+function computeStepCost(step) {
+  if (!step.usage) return 0;
+  return (step.usage.prompt_tokens + step.usage.completion_tokens) * 1e-5;
+}
+
+// src/sessionLimits.ts
+function checkSessionLimits(state, limits) {
+  if (typeof limits.max_steps === "number" && state.totalStepCount >= limits.max_steps) {
+    return {
+      exceeded: true,
+      reason: `max_steps exceeded: ${state.totalStepCount} >= ${limits.max_steps}`
+    };
+  }
+  if (typeof limits.max_tool_calls === "number" && state.totalToolCalls >= limits.max_tool_calls) {
+    return {
+      exceeded: true,
+      reason: `max_tool_calls exceeded: ${state.totalToolCalls} >= ${limits.max_tool_calls}`
+    };
+  }
+  if (typeof limits.max_cost_per_session === "number" && state.actualCost >= limits.max_cost_per_session) {
+    return {
+      exceeded: true,
+      reason: `max_cost_per_session exceeded: ${state.actualCost} >= ${limits.max_cost_per_session}`
+    };
+  }
+  return { exceeded: false, reason: null };
+}
+function checkPerToolLimits(state, toolName, limits) {
+  if (!limits.max_calls_per_tool) return { exceeded: false, reason: null };
+  const max = limits.max_calls_per_tool[toolName];
+  if (typeof max !== "number") return { exceeded: false, reason: null };
+  const current = state.toolCallCounts.get(toolName) ?? 0;
+  if (current >= max) {
+    return {
+      exceeded: true,
+      reason: `max_calls_per_tool.${toolName} exceeded: ${current} >= ${max}`
+    };
+  }
+  return { exceeded: false, reason: null };
+}
+function checkLoopDetection(toolName, argsString, state, config) {
+  const { window, threshold } = config;
+  const windowSteps = state.steps.slice(-window);
+  const targetHash = computeArgumentsHash(argsString);
+  const targetTuple = `${toolName}:${targetHash}`;
+  let matchCount = 0;
+  for (const step of windowSteps) {
+    for (const tc of step.toolCalls) {
+      if (`${tc.toolName}:${tc.arguments_hash}` === targetTuple) {
+        matchCount++;
+      }
+    }
+  }
+  return {
+    triggered: matchCount >= threshold,
+    matchCount,
+    threshold,
+    window
+  };
+}
+function checkCircuitBreaker(state, config) {
+  if (state.consecutiveBlockCount >= config.consecutive_blocks) {
+    return { triggered: true, reason: "consecutive_blocks" };
+  }
+  if (state.consecutiveErrorCount >= config.consecutive_errors) {
+    return { triggered: true, reason: "consecutive_errors" };
+  }
+  return { triggered: false, reason: null };
+}
+
+// src/preconditions.ts
+function evaluatePreconditions(preconditions, sessionState, currentArguments) {
+  return preconditions.map(
+    (p) => evaluatePrecondition(p, sessionState, currentArguments)
+  );
+}
+function evaluatePrecondition(precondition, sessionState, currentArguments) {
+  if (precondition.requires_step_count) {
+    const required = precondition.requires_step_count.gte;
+    if (sessionState.totalStepCount < required) {
+      return {
+        satisfied: false,
+        detail: `Need ${required} prior steps, have ${sessionState.totalStepCount}`
+      };
+    }
+  }
+  if (precondition.requires_prior_tool) {
+    const toolName = precondition.requires_prior_tool;
+    const resourcePath = precondition.resource ? typeof precondition.resource === "string" ? precondition.resource : precondition.resource.path : void 0;
+    const resourceValue = resourcePath ? extractPath(currentArguments ?? {}, resourcePath) : void 0;
+    const cacheKey = resourceValue !== void 0 ? `${toolName}:${JSON.stringify(resourceValue)}` : toolName;
+    let priorStep;
+    for (let i = sessionState.steps.length - 1; i >= 0; i--) {
+      const s = sessionState.steps[i];
+      if (s.toolCalls.some((tc) => {
+        if (tc.toolName !== toolName) return false;
+        if (tc.proposal_decision !== "allowed") return false;
+        if (resourceValue !== void 0 && tc.resourceValues?.[resourcePath] !== resourceValue) {
+          return false;
+        }
+        return true;
+      })) {
+        priorStep = s;
+        break;
+      }
+    }
+    const cachedExtract = sessionState.satisfiedPreconditions.get(cacheKey);
+    if (!priorStep && cachedExtract === void 0) {
+      const detail = resourceValue !== void 0 ? `Required prior tool ${toolName} not found for resource ${JSON.stringify(resourceValue)}` : `Required prior tool ${toolName} not found in session`;
+      return { satisfied: false, detail };
+    }
+    if (precondition.with_output) {
+      const extract = priorStep?.outputExtract ?? cachedExtract ?? {};
+      for (const assertion of precondition.with_output) {
+        const value = extractPath(extract, assertion.path);
+        if (assertion.equals !== void 0 && value !== assertion.equals) {
+          return {
+            satisfied: false,
+            detail: `Prior tool output assertion failed: ${assertion.path} \u2014 expected ${JSON.stringify(assertion.equals)}, got ${JSON.stringify(value)}`
+          };
+        }
+      }
+    }
+  }
+  return { satisfied: true, detail: "" };
+}
+function extractPath(obj, path) {
+  const cleanPath = path.startsWith("$.") ? path.slice(2) : path;
+  if (cleanPath === "" || cleanPath === "$") return obj;
+  const segments = cleanPath.split(".");
+  let current = obj;
+  for (const segment of segments) {
+    if (current === null || current === void 0) return void 0;
+    if (typeof current !== "object") return void 0;
+    current = current[segment];
+  }
+  return current;
+}
+
+// src/crossStep.ts
+function validateCrossStep(toolCalls, sessionState, contracts) {
+  const failures = [];
+  const contractByTool = new Map(contracts.map((c) => [c.tool, c]));
+  const workingForbidden = new Set(sessionState.forbiddenTools);
+  for (const tc of toolCalls) {
+    const contract = contractByTool.get(tc.name);
+    let parsedArgs;
+    try {
+      parsedArgs = JSON.parse(tc.arguments);
+    } catch {
+      parsedArgs = void 0;
+    }
+    let resourceValue;
+    if (parsedArgs && contract?.preconditions) {
+      for (const pre of contract.preconditions) {
+        if (pre.resource) {
+          const path = typeof pre.resource === "string" ? pre.resource : pre.resource.path;
+          resourceValue = extractPath(parsedArgs, path);
+          break;
+        }
+      }
+    }
+    if (isForbidden(workingForbidden, tc.name, resourceValue)) {
+      failures.push({
+        toolName: tc.name,
+        reason: "forbidden_tool",
+        detail: resourceValue !== void 0 ? `Tool "${tc.name}" is forbidden in this session for resource ${JSON.stringify(resourceValue)}` : `Tool "${tc.name}" is forbidden in this session`
+      });
+      continue;
+    }
+    if (contract?.preconditions && contract.preconditions.length > 0) {
+      const results = evaluatePreconditions(
+        contract.preconditions,
+        sessionState,
+        parsedArgs
+      );
+      for (const result of results) {
+        if (!result.satisfied) {
+          failures.push({
+            toolName: tc.name,
+            reason: "precondition_not_met",
+            detail: result.detail
+          });
+        }
+      }
+    }
+    if (contract?.forbids_after) {
+      for (const entry of contract.forbids_after) {
+        if (typeof entry === "string") {
+          workingForbidden.add(entry);
+        } else {
+          const resourcePath = entry.resource;
+          if (resourcePath && parsedArgs) {
+            const val = extractPath(parsedArgs, resourcePath);
+            if (val !== void 0) {
+              workingForbidden.add(makeForbiddenKey(entry.tool, val));
+            } else {
+              workingForbidden.add(entry.tool);
+            }
+          } else {
+            workingForbidden.add(entry.tool);
+          }
+        }
+      }
+    }
+  }
+  return {
+    passed: failures.length === 0,
+    failures
+  };
+}
+
+// src/argumentValues.ts
+function evaluateArgumentValueInvariants(parsedArguments, invariants) {
+  const failures = [];
+  for (const inv of invariants) {
+    const value = extractPath(parsedArguments, inv.path);
+    if (inv.exact_match !== void 0) {
+      const strValue = typeof value === "string" ? value : JSON.stringify(value);
+      if (strValue !== inv.exact_match) {
+        failures.push({
+          path: inv.path,
+          operator: "exact_match",
+          expected: inv.exact_match,
+          actual: value,
+          detail: `Expected exact match "${inv.exact_match}", got "${strValue}"`
+        });
+      }
+    }
+    if (inv.regex !== void 0) {
+      const strValue = typeof value === "string" ? value : String(value);
+      try {
+        const re = safeRegex(inv.regex);
+        if (!re.test(strValue)) {
+          failures.push({
+            path: inv.path,
+            operator: "regex",
+            expected: inv.regex,
+            actual: value,
+            detail: `Value "${strValue}" does not match regex "${inv.regex}"`
+          });
+        }
+      } catch {
+        failures.push({
+          path: inv.path,
+          operator: "regex",
+          expected: inv.regex,
+          actual: value,
+          detail: `Invalid regex pattern: "${inv.regex}"`
+        });
+      }
+    }
+    if (inv.one_of !== void 0) {
+      const match = inv.one_of.some((candidate) => {
+        if (typeof candidate === typeof value) {
+          return JSON.stringify(candidate) === JSON.stringify(value);
+        }
+        return false;
+      });
+      if (!match) {
+        failures.push({
+          path: inv.path,
+          operator: "one_of",
+          expected: inv.one_of,
+          actual: value,
+          detail: `Value ${JSON.stringify(value)} not in ${JSON.stringify(inv.one_of)}`
+        });
+      }
+    }
+    if (inv.type !== void 0) {
+      const actualType = Array.isArray(value) ? "array" : typeof value;
+      if (actualType !== inv.type) {
+        failures.push({
+          path: inv.path,
+          operator: "type",
+          expected: inv.type,
+          actual: actualType,
+          detail: `Expected type "${inv.type}", got "${actualType}"`
+        });
+      }
+    }
+    if (typeof inv.gte === "number") {
+      if (typeof value !== "number" || value < inv.gte) {
+        failures.push({
+          path: inv.path,
+          operator: "gte",
+          expected: inv.gte,
+          actual: value,
+          detail: `Expected >= ${inv.gte}, got ${JSON.stringify(value)}`
+        });
+      }
+    }
+    if (typeof inv.lte === "number") {
+      if (typeof value !== "number" || value > inv.lte) {
+        failures.push({
+          path: inv.path,
+          operator: "lte",
+          expected: inv.lte,
+          actual: value,
+          detail: `Expected <= ${inv.lte}, got ${JSON.stringify(value)}`
+        });
+      }
+    }
+  }
+  return {
+    passed: failures.length === 0,
+    failures
+  };
+}
+
+// src/messageValidation.ts
+var import_contracts_core4 = require("@replayci/contracts-core");
+function validateToolResultMessages(messages, contracts, provider) {
+  const failures = [];
+  const contractByTool = new Map(contracts.map((c) => [c.tool, c]));
+  const toolResults = extractToolResults(messages, provider);
+  for (const result of toolResults) {
+    const contract = contractByTool.get(result.toolName);
+    if (!contract) continue;
+    const outputInvariants = contract.assertions.output_invariants;
+    if (outputInvariants.length === 0) continue;
+    let parsed;
+    try {
+      parsed = typeof result.content === "string" ? JSON.parse(result.content) : result.content;
+    } catch {
+      continue;
+    }
+    const invariantResult = (0, import_contracts_core4.evaluateInvariants)(parsed, outputInvariants, process.env);
+    for (const failure of invariantResult) {
+      failures.push({
+        toolName: result.toolName,
+        detail: `Tool result validation failed for "${result.toolName}": ${failure.detail}`
+      });
+    }
+  }
+  return {
+    passed: failures.length === 0,
+    failures
+  };
+}
+function extractToolResults(messages, provider) {
+  const results = [];
+  if (provider === "openai") {
+    results.push(...extractOpenAIToolResults(messages));
+  } else {
+    results.push(...extractAnthropicToolResults(messages));
+  }
+  return results;
+}
+function extractOpenAIToolResults(messages) {
+  const results = [];
+  const toolCallIdToName = /* @__PURE__ */ new Map();
+  for (const msg of messages) {
+    const rec = toRecord9(msg);
+    if (rec.role !== "assistant") continue;
+    const toolCalls = rec.tool_calls;
+    if (!Array.isArray(toolCalls)) continue;
+    for (const tc of toolCalls) {
+      const tcRec = toRecord9(tc);
+      const id = typeof tcRec.id === "string" ? tcRec.id : null;
+      const fn = toRecord9(tcRec.function);
+      const name = typeof fn.name === "string" ? fn.name : typeof tcRec.name === "string" ? tcRec.name : null;
+      if (id && name) {
+        toolCallIdToName.set(id, name);
+      }
+    }
+  }
+  for (const msg of messages) {
+    const rec = toRecord9(msg);
+    if (rec.role !== "tool") continue;
+    const toolCallId = typeof rec.tool_call_id === "string" ? rec.tool_call_id : null;
+    const toolName = toolCallId ? toolCallIdToName.get(toolCallId) ?? "unknown" : "unknown";
+    results.push({
+      toolName,
+      toolCallId,
+      content: rec.content
+    });
+  }
+  return results;
+}
+function extractAnthropicToolResults(messages) {
+  const results = [];
+  const toolUseIdToName = /* @__PURE__ */ new Map();
+  for (const msg of messages) {
+    const rec = toRecord9(msg);
+    if (rec.role !== "assistant") continue;
+    const content = rec.content;
+    if (!Array.isArray(content)) continue;
+    for (const block of content) {
+      const blockRec = toRecord9(block);
+      if (blockRec.type === "tool_use") {
+        const id = typeof blockRec.id === "string" ? blockRec.id : null;
+        const name = typeof blockRec.name === "string" ? blockRec.name : null;
+        if (id && name) {
+          toolUseIdToName.set(id, name);
+        }
+      }
+    }
+  }
+  for (const msg of messages) {
+    const rec = toRecord9(msg);
+    if (rec.role !== "user") continue;
+    const content = rec.content;
+    if (!Array.isArray(content)) continue;
+    for (const block of content) {
+      const blockRec = toRecord9(block);
+      if (blockRec.type === "tool_result") {
+        const toolUseId = typeof blockRec.tool_use_id === "string" ? blockRec.tool_use_id : null;
+        const toolName = toolUseId ? toolUseIdToName.get(toolUseId) ?? "unknown" : "unknown";
+        results.push({
+          toolName,
+          toolCallId: toolUseId,
+          content: blockRec.content
+        });
+      }
+    }
+  }
+  return results;
+}
+function toRecord9(value) {
+  return value !== null && typeof value === "object" ? value : {};
+}
+
+// src/policy.ts
+function evaluatePolicy(toolName, principal, _arguments, _sessionState, policyProgram) {
+  for (const rule of policyProgram.sessionRules) {
+    if (!rule.deny) continue;
+    if (rule.allow) continue;
+    const denyPredicate = rule.deny.principal;
+    if (evaluatePredicate(denyPredicate, principal)) {
+      return {
+        allowed: false,
+        reason: `Session deny rule matched: ${denyPredicate.path}`
+      };
+    }
+  }
+  const toolPolicy = policyProgram.perToolRules.get(toolName);
+  if (toolPolicy?.deny) {
+    for (const rule of toolPolicy.deny) {
+      if (evaluatePredicate(rule.principal, principal)) {
+        return {
+          allowed: false,
+          reason: `Per-tool deny rule matched: ${rule.principal.path}`
+        };
+      }
+    }
+  }
+  if (policyProgram.defaultDeny) {
+    const sessionAllow = policyProgram.sessionRules.some((r) => {
+      if (!r.allow) return false;
+      if (r.allow.tools && !r.allow.tools.includes(toolName)) return false;
+      return evaluatePredicate(r.allow.principal, principal);
+    });
+    const toolAllow = toolPolicy?.allow?.some(
+      (rule) => evaluatePredicate(rule.principal, principal)
+    ) ?? false;
+    if (!sessionAllow && !toolAllow) {
+      return {
+        allowed: false,
+        reason: "default_deny: no matching allow rule"
+      };
+    }
+  }
+  return { allowed: true, reason: null };
+}
+function evaluatePredicate(predicate, principal) {
+  const value = extractPath2(principal, predicate.path);
+  if (predicate.equals !== void 0) {
+    return JSON.stringify(value) === JSON.stringify(predicate.equals);
+  }
+  if (predicate.one_of !== void 0) {
+    return predicate.one_of.some(
+      (candidate) => JSON.stringify(candidate) === JSON.stringify(value)
+    );
+  }
+  if (predicate.regex !== void 0) {
+    const strValue = typeof value === "string" ? value : String(value);
+    try {
+      const re = safeRegex(predicate.regex);
+      return re.test(strValue);
+    } catch {
+      return false;
+    }
+  }
+  if (predicate.contains !== void 0) {
+    const strValue = typeof value === "string" ? value : String(value);
+    return strValue.includes(predicate.contains);
+  }
+  return false;
+}
+function extractPath2(obj, path) {
+  const cleanPath = path.startsWith("$.") ? path.slice(2) : path;
+  if (cleanPath === "" || cleanPath === "$") return obj;
+  const segments = cleanPath.split(".");
+  let current = obj;
+  for (const seg of segments) {
+    if (current === null || current === void 0 || typeof current !== "object") {
+      return void 0;
+    }
+    current = current[seg];
+  }
+  return current;
+}
+
+// src/narrow.ts
+function narrowTools(requestedTools, sessionState, compiledSession, unmatchedPolicy, manualFilter) {
+  const allowed = [];
+  const removed = [];
+  for (const tool of requestedTools) {
+    if (manualFilter && !manualFilter.includes(tool.name)) {
+      removed.push({ tool: tool.name, reason: "manual_filter" });
+      continue;
+    }
+    const contract = compiledSession.perToolContracts.get(tool.name);
+    if (!contract) {
+      if (unmatchedPolicy === "allow") {
+        allowed.push(tool);
+      } else {
+        removed.push({ tool: tool.name, reason: "no_contract" });
+      }
+      continue;
+    }
+    if (sessionState.currentPhase && contract.transitions?.valid_in_phases) {
+      if (!contract.transitions.valid_in_phases.includes(
+        sessionState.currentPhase
+      )) {
+        removed.push({
+          tool: tool.name,
+          reason: "wrong_phase",
+          detail: `Tool valid in [${contract.transitions.valid_in_phases.join(", ")}], current phase: ${sessionState.currentPhase}`
+        });
+        continue;
+      }
+    }
+    if (contract.preconditions && contract.preconditions.length > 0) {
+      const results = evaluatePreconditions(
+        contract.preconditions,
+        sessionState
+      );
+      const unsatisfied = results.find((r) => !r.satisfied);
+      if (unsatisfied) {
+        removed.push({
+          tool: tool.name,
+          reason: "precondition_not_met",
+          detail: unsatisfied.detail
+        });
+        continue;
+      }
+    }
+    if (sessionState.forbiddenTools.has(tool.name)) {
+      removed.push({
+        tool: tool.name,
+        reason: "forbidden_in_state"
+      });
+      continue;
+    }
+    if (compiledSession.policyProgram && compiledSession.principal !== null && compiledSession.principal !== void 0) {
+      const verdict = evaluatePolicy(
+        tool.name,
+        compiledSession.principal,
+        {},
+        sessionState,
+        compiledSession.policyProgram
+      );
+      if (!verdict.allowed) {
+        removed.push({
+          tool: tool.name,
+          reason: "policy_denied",
+          detail: verdict.reason ?? "Policy deny rule matched"
+        });
+        continue;
+      }
+    }
+    allowed.push(tool);
+  }
+  return { allowed, removed };
+}
+function extractToolDefinitions(tools) {
+  const result = [];
+  for (const tool of tools) {
+    if (!tool || typeof tool !== "object") continue;
+    const record = tool;
+    const name = getToolName(record);
+    if (name) {
+      result.push({ ...record, name });
+    }
+  }
+  return result;
+}
+function getToolName(tool) {
+  if (typeof tool.name === "string" && tool.name.length > 0) return tool.name;
+  const fn = tool.function;
+  if (fn && typeof fn === "object" && typeof fn.name === "string") {
+    return fn.name;
+  }
+  return void 0;
+}
+
+// src/executionConstraints.ts
+var import_contracts_core5 = require("@replayci/contracts-core");
+function enforceExecutionConstraints(toolName, args, constraints) {
+  if (constraints.length === 0) {
+    return { passed: true, failures: [] };
+  }
+  const failures = (0, import_contracts_core5.evaluateInvariants)(args, constraints, process.env);
+  const constraintFailures = failures.map((f) => ({
+    path: f.path,
+    operator: f.rule,
+    expected: f.detail,
+    actual: f.detail
+  }));
+  return {
+    passed: constraintFailures.length === 0,
+    failures: constraintFailures
+  };
+}
+function createWrappedToolExecutor(toolName, executor, compiledSession) {
+  const constraints = compiledSession.executionConstraints.get(toolName);
+  return async (args) => {
+    if (constraints && constraints.length > 0) {
+      const verdict = enforceExecutionConstraints(toolName, args, constraints);
+      if (!verdict.passed) {
+        return { result: void 0, constraint_verdict: verdict };
+      }
+      const result2 = await executor(args);
+      return { result: result2, constraint_verdict: verdict };
+    }
+    const result = await executor(args);
+    return {
+      result,
+      constraint_verdict: { passed: true, failures: [] }
+    };
+  };
+}
+function buildWrappedToolsMap(tools, compiledSession) {
+  if (!tools) return {};
+  if (!compiledSession) {
+    return Object.fromEntries(
+      Object.entries(tools).map(([name, executor]) => [
+        name,
+        async (args) => {
+          const result = await executor(args);
+          return { result, constraint_verdict: { passed: true, failures: [] } };
+        }
+      ])
+    );
+  }
+  return Object.fromEntries(
+    Object.entries(tools).map(([name, executor]) => [
+      name,
+      createWrappedToolExecutor(name, executor, compiledSession)
+    ])
+  );
+}
+
+// src/runtimeClient.ts
+var import_node_crypto4 = __toESM(require("crypto"), 1);
+var CIRCUIT_BREAKER_FAILURE_LIMIT2 = 5;
+var CIRCUIT_BREAKER_MS2 = 10 * 6e4;
+var DEFAULT_TIMEOUT_MS2 = 3e4;
+var DEFAULT_RUNTIME_URL = "https://app.replayci.com";
+var RuntimeClientError = class extends Error {
+  code;
+  httpStatus;
+  constructor(code, message, httpStatus) {
+    super(message);
+    this.name = "RuntimeClientError";
+    this.code = code;
+    this.httpStatus = httpStatus;
+  }
+};
+function createRuntimeClient(opts) {
+  return new RuntimeClient(opts);
+}
+var RuntimeClient = class {
+  apiKey;
+  baseUrl;
+  timeoutMs;
+  fetchImpl;
+  now;
+  failureCount = 0;
+  circuitOpenUntil = 0;
+  constructor(opts) {
+    this.apiKey = opts.apiKey;
+    this.baseUrl = normalizeUrl(opts.apiUrl ?? DEFAULT_RUNTIME_URL);
+    this.timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
+    this.fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+    this.now = opts.now ?? (() => Date.now());
+  }
+  // -------------------------------------------------------------------------
+  // Public API
+  // -------------------------------------------------------------------------
+  async createSession(input) {
+    const body = {
+      agent: input.agent,
+      requested_mode: input.requestedMode,
+      requested_tier: input.requestedTier,
+      adapter_capability: input.adapterCapability,
+      contract_hash: input.contractHash
+    };
+    if (input.sessionId) body.session_id = input.sessionId;
+    if (input.allowAdvisoryDowngrade) body.allow_advisory_downgrade = true;
+    if (input.provider) body.provider = input.provider;
+    if (input.modelId !== void 0) body.model_id = input.modelId;
+    if (input.principal !== void 0) body.principal = input.principal;
+    if (input.compiledSession) body.compiled_session = input.compiledSession;
+    if (input.sessionContractHash !== void 0) body.session_contract_hash = input.sessionContractHash;
+    if (input.workflow) {
+      const wf = {
+        workflow_id: input.workflow.workflowId,
+        role: input.workflow.role
+      };
+      if (input.workflow.compiledWorkflow) {
+        wf.compiled_workflow = {
+          hash: input.workflow.compiledWorkflow.hash,
+          body: input.workflow.compiledWorkflow.body
+        };
+      }
+      if (input.workflow.parentSessionId) wf.parent_session_id = input.workflow.parentSessionId;
+      if (input.workflow.handoffId) wf.handoff_id = input.workflow.handoffId;
+      body.workflow = wf;
+    }
+    const data = await this.post("/api/v1/replay/sessions", body);
+    const s = data.session;
+    const result = {
+      sessionId: s.session_id,
+      mode: s.mode,
+      tier: s.tier,
+      status: s.status,
+      stateVersion: s.state_version,
+      controlRevision: s.control_revision,
+      leaseFence: s.lease_fence ?? null
+    };
+    const wfResp = data.workflow;
+    if (wfResp) {
+      result.workflow = {
+        workflowId: wfResp.workflow_id,
+        role: wfResp.role,
+        stateVersion: wfResp.state_version,
+        controlRevision: wfResp.control_revision,
+        linkId: wfResp.link_id,
+        generation: wfResp.generation,
+        depth: wfResp.depth,
+        status: wfResp.status
+      };
+    }
+    return result;
+  }
+  async preflight(input) {
+    const body = {
+      lease_fence: input.leaseFence,
+      provider: input.provider,
+      model_id: input.modelId,
+      request_envelope: input.requestEnvelope
+    };
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/preflight`,
+      body
+    );
+    const pr = data.prepared_request;
+    return {
+      preparedRequestId: pr.prepared_request_id,
+      stateVersion: pr.state_version,
+      controlRevision: pr.control_revision,
+      leaseFence: pr.lease_fence,
+      requestEnvelope: pr.request_envelope,
+      removedTools: pr.removed_tools ?? []
+    };
+  }
+  async submitProposal(input) {
+    const body = {
+      lease_fence: input.leaseFence,
+      prepared_request_id: input.preparedRequestId,
+      response_envelope: input.responseEnvelope
+    };
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/proposals`,
+      body
+    );
+    const d = data.decision;
+    const pending = d.pending_calls ?? [];
+    const blocked = d.blocked_calls ?? [];
+    return {
+      decision: d.result,
+      advisory: d.mode === "advisory",
+      stateVersion: d.state_version,
+      pendingCalls: pending.map((pc) => ({
+        pendingCallId: pc.pending_call_id,
+        toolCallId: pc.tool_call_id,
+        toolName: pc.tool_name,
+        argumentsHash: pc.arguments_hash
+      })),
+      blockedCalls: blocked.map((bc) => ({
+        toolName: bc.tool_name,
+        reason: bc.reason
+      }))
+    };
+  }
+  async submitReceipt(input) {
+    const body = {
+      lease_fence: input.leaseFence,
+      pending_call_id: input.pendingCallId,
+      executor_kind: input.executorKind,
+      tool_name: input.toolName,
+      arguments_hash: input.argumentsHash,
+      status: input.status,
+      started_at: input.startedAt,
+      completed_at: input.completedAt
+    };
+    if (input.executorId) body.executor_id = input.executorId;
+    if (input.outputHash) body.output_hash = input.outputHash;
+    if (input.outputExtract) body.output_extract = input.outputExtract;
+    if (input.resourceValues) body.resource_values = input.resourceValues;
+    if (input.evidenceArtifactHash) body.evidence_artifact_hash = input.evidenceArtifactHash;
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/receipts`,
+      body
+    );
+    const r = data.resolution;
+    return {
+      accepted: r.accepted,
+      commitState: r.commit_state,
+      stateAdvanced: r.state_advanced,
+      stateVersion: r.state_version
+    };
+  }
+  async setToolFilter(input) {
+    const body = {
+      lease_fence: input.leaseFence,
+      allowed_tools: input.allowedTools
+    };
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/tool-filter`,
+      body
+    );
+    const s = data.session;
+    return {
+      controlRevision: s.control_revision
+    };
+  }
+  async reportBypass(input) {
+    const body = {
+      source: input.source
+    };
+    if (input.detail) body.detail = input.detail;
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/report-bypass`,
+      body
+    );
+    const s = data.session;
+    return {
+      status: s.status
+    };
+  }
+  async killSession(input) {
+    const body = {
+      lease_fence: input.leaseFence,
+      reason: input.reason
+    };
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/kill`,
+      body
+    );
+    const s = data.session;
+    return {
+      status: s.status
+    };
+  }
+  /** v4: Get workflow state from the runtime. */
+  async getWorkflowState(workflowId) {
+    const data = await this.get(
+      `/api/v1/replay/workflows/${encodeURIComponent(workflowId)}`
+    );
+    const w = data.workflow;
+    return {
+      workflowId: w.workflow_id,
+      rootSessionId: w.root_session_id,
+      status: w.status,
+      stateVersion: w.state_version,
+      controlRevision: w.control_revision,
+      totalSessionCount: w.total_session_count,
+      activeSessionCount: w.active_session_count,
+      totalStepCount: w.total_step_count,
+      totalCost: w.total_cost,
+      totalHandoffCount: w.total_handoff_count,
+      unresolvedHandoffCount: w.unresolved_handoff_count,
+      lastEventSeq: w.last_event_seq,
+      killScope: w.kill_scope,
+      createdAt: w.created_at,
+      updatedAt: w.updated_at
+    };
+  }
+  /** v4: Offer a handoff from a session. */
+  async offerHandoff(input) {
+    const body = {
+      workflow_id: input.workflowId,
+      from_role: input.fromRole,
+      to_role: input.toRole,
+      handoff_id: input.handoffId
+    };
+    if (input.artifactRefs !== void 0) body.artifact_refs = input.artifactRefs;
+    if (input.summary !== void 0) body.summary = input.summary;
+    const data = await this.post(
+      `/api/v1/replay/sessions/${encodeURIComponent(input.sessionId)}/handoffs`,
+      body
+    );
+    const h = data.handoff;
+    return {
+      handoffId: h.handoff_id,
+      eventSeq: h.event_seq,
+      stateVersion: h.state_version
+    };
+  }
+  getHealth() {
+    return {
+      circuitOpen: this.now() < this.circuitOpenUntil,
+      failureCount: this.failureCount,
+      circuitOpenUntil: this.circuitOpenUntil
+    };
+  }
+  isCircuitOpen() {
+    return this.now() < this.circuitOpenUntil;
+  }
+  // -------------------------------------------------------------------------
+  // Internal
+  // -------------------------------------------------------------------------
+  async get(path) {
+    if (this.isCircuitOpen()) {
+      throw new RuntimeClientError(
+        "CIRCUIT_OPEN",
+        "Runtime client circuit breaker is open",
+        503
+      );
+    }
+    const url = `${this.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const response = await this.fetchImpl(url, {
+        method: "GET",
+        headers: {
+          "Authorization": `Bearer ${this.apiKey}`
+        },
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        const errorCode = errorBody.error ?? "UNKNOWN";
+        const errorMessage = errorBody.message ?? `HTTP ${response.status}`;
+        if (response.status >= 500 || response.status === 429) {
+          this.recordFailure();
+        }
+        throw new RuntimeClientError(errorCode, errorMessage, response.status);
+      }
+      this.failureCount = 0;
+      const data = await response.json();
+      if (!data.ok) {
+        throw new RuntimeClientError(
+          data.error ?? "UNKNOWN",
+          data.message ?? "Request failed",
+          400
+        );
+      }
+      return data;
+    } catch (err) {
+      clearTimeout(timeoutId);
+      if (err instanceof RuntimeClientError) throw err;
+      this.recordFailure();
+      if (err instanceof Error && err.name === "AbortError") {
+        throw new RuntimeClientError("TIMEOUT", "Runtime request timed out", 408);
+      }
+      throw new RuntimeClientError(
+        "NETWORK_ERROR",
+        err instanceof Error ? err.message : "Network error",
+        0
+      );
+    }
+  }
+  async post(path, body) {
+    if (this.isCircuitOpen()) {
+      throw new RuntimeClientError(
+        "CIRCUIT_OPEN",
+        "Runtime client circuit breaker is open",
+        503
+      );
+    }
+    const url = `${this.baseUrl}${path}`;
+    const idempotencyKey = generateIdempotencyKey();
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);
+    try {
+      const response = await this.fetchImpl(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${this.apiKey}`,
+          "Idempotency-Key": idempotencyKey
+        },
+        body: JSON.stringify(body),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        const errorCode = errorBody.error ?? "UNKNOWN";
+        const errorMessage = errorBody.message ?? `HTTP ${response.status}`;
+        if (response.status >= 500 || response.status === 429) {
+          this.recordFailure();
+        }
+        throw new RuntimeClientError(errorCode, errorMessage, response.status);
+      }
+      this.failureCount = 0;
+      const data = await response.json();
+      if (!data.ok) {
+        throw new RuntimeClientError(
+          data.error ?? "UNKNOWN",
+          data.message ?? "Request failed",
+          400
+        );
+      }
+      return data;
+    } catch (err) {
+      clearTimeout(timeoutId);
+      if (err instanceof RuntimeClientError) throw err;
+      this.recordFailure();
+      if (err instanceof Error && err.name === "AbortError") {
+        throw new RuntimeClientError("TIMEOUT", "Runtime request timed out", 408);
+      }
+      throw new RuntimeClientError(
+        "NETWORK_ERROR",
+        err instanceof Error ? err.message : "Network error",
+        0
+      );
+    }
+  }
+  recordFailure() {
+    this.failureCount++;
+    if (this.failureCount >= CIRCUIT_BREAKER_FAILURE_LIMIT2) {
+      this.circuitOpenUntil = this.now() + CIRCUIT_BREAKER_MS2;
+    }
+  }
+};
+function normalizeUrl(url) {
+  return url.endsWith("/") ? url.slice(0, -1) : url;
+}
+function generateIdempotencyKey() {
+  return `sdk_${import_node_crypto4.default.randomUUID().replace(/-/g, "")}`;
+}
+
+// src/replay.ts
+var REPLAY_ATTACHED2 = /* @__PURE__ */ Symbol.for("replayci.replay_attached");
+var OBSERVE_WRAPPED = /* @__PURE__ */ Symbol.for("replayci.wrapped");
+var MAX_RETRIES = 5;
+var DEFAULT_AGENT2 = "default";
+var DEFAULT_MAX_UNGUARDED_CALLS = 3;
+function replay(client, opts = {}) {
+  assertSupportedNodeRuntime();
+  const sessionId = opts.sessionId ?? generateSessionId2();
+  const agent = typeof opts.agent === "string" && opts.agent.length > 0 ? opts.agent : DEFAULT_AGENT2;
+  const mode = opts.mode ?? "enforce";
+  const gateMode = opts.gate ?? "reject_all";
+  const onError = opts.onError ?? "block";
+  const unmatchedPolicy = opts.unmatchedPolicy ?? "block";
+  const maxRetries = Math.min(Math.max(0, opts.maxRetries ?? 0), MAX_RETRIES);
+  const compatEnforcement = opts.compatEnforcement ?? "protective";
+  const diagnostics = opts.diagnostics;
+  let provider;
+  try {
+    provider = detectProvider(client);
+  } catch {
+    emitDiagnostic2(diagnostics, { type: "replay_inactive", reason: "unsupported_client" });
+    return createInactiveSession(client, sessionId, "Unsupported client");
+  }
+  if (isObserveWrapped(client) || isReplayAttached2(client)) {
+    emitDiagnostic2(diagnostics, { type: "replay_inactive", reason: "already_attached" });
+    return createInactiveSession(client, sessionId, "Client already has an active observe() or replay() attachment");
+  }
+  let contracts;
+  try {
+    contracts = resolveContracts(opts);
+  } catch (err) {
+    const detail = err instanceof Error ? err.message : "Failed to load contracts";
+    emitDiagnostic2(diagnostics, { type: "replay_contract_error", details: detail });
+    return createBlockingInactiveSession(client, sessionId, detail);
+  }
+  const configError = validateConfig(contracts, opts);
+  if (configError) {
+    emitDiagnostic2(diagnostics, { type: "replay_contract_error", details: configError.message });
+    return createBlockingInactiveSession(client, sessionId, configError.message, configError);
+  }
+  let discoveredSessionYaml = null;
+  try {
+    discoveredSessionYaml = discoverSessionYaml(opts);
+  } catch (err) {
+    const detail = `session.yaml: ${err instanceof Error ? err.message : String(err)}`;
+    emitDiagnostic2(diagnostics, { type: "replay_contract_error", details: detail });
+    return createBlockingInactiveSession(client, sessionId, detail);
+  }
+  let sessionYaml = discoveredSessionYaml;
+  if (!sessionYaml && opts.providerConstraints) {
+    sessionYaml = { schema_version: "1.0", agent, provider_constraints: opts.providerConstraints };
+  } else if (sessionYaml && opts.providerConstraints && !sessionYaml.provider_constraints) {
+    sessionYaml = { ...sessionYaml, provider_constraints: opts.providerConstraints };
+  }
+  let compiledSession = null;
+  try {
+    compiledSession = (0, import_contracts_core6.compileSession)(contracts, sessionYaml, {
+      principal: opts.principal,
+      tools: opts.tools ? new Map(Object.entries(opts.tools)) : void 0
+    });
+  } catch (err) {
+    emitDiagnostic2(diagnostics, {
+      type: "replay_contract_error",
+      details: `Session compilation: ${err instanceof Error ? err.message : String(err)}`
+    });
+  }
+  if (compiledSession?.warnings && compiledSession.warnings.length > 0) {
+    for (const warning of compiledSession.warnings) {
+      emitDiagnostic2(diagnostics, {
+        type: "replay_contract_error",
+        details: `Compile warning: ${warning}`
+      });
+    }
+  }
+  const providerConstraints = compiledSession?.providerConstraints ?? opts.providerConstraints ?? null;
+  if (providerConstraints) {
+    const spec = providerConstraints[provider];
+    if (spec) {
+      if (spec.block_incompatible && spec.block_incompatible.length > 0) {
+        const detail = `Provider '${provider}' is blocked by provider_constraints: ${spec.block_incompatible.join("; ")}`;
+        const err = new ReplayConfigError("provider_incompatible", detail);
+        emitDiagnostic2(diagnostics, { type: "replay_contract_error", details: detail });
+        return createBlockingInactiveSession(client, sessionId, detail, err);
+      }
+      if (spec.warn_incompatible && spec.warn_incompatible.length > 0) {
+        emitDiagnostic2(diagnostics, {
+          type: "replay_provider_warning",
+          provider,
+          warnings: spec.warn_incompatible
+        });
+      }
+    }
+  }
+  let compiledWorkflow = null;
+  const workflowOpts = opts.workflow;
+  let workflowId = null;
+  if (workflowOpts) {
+    if (workflowOpts.type === "root") {
+      workflowId = workflowOpts.workflowId ?? generateWorkflowId();
+      try {
+        compiledWorkflow = discoverWorkflowYaml(opts, workflowOpts);
+      } catch (err) {
+        const detail = `workflow.yaml: ${err instanceof Error ? err.message : String(err)}`;
+        emitDiagnostic2(diagnostics, { type: "replay_workflow_error", session_id: sessionId, details: detail });
+        return createBlockingInactiveSession(client, sessionId, detail);
+      }
+    } else {
+      workflowId = workflowOpts.workflowId;
+    }
+  }
+  const terminalInfo = resolveTerminal(client, provider);
+  if (!terminalInfo) {
+    emitDiagnostic2(diagnostics, { type: "replay_inactive", reason: "unsupported_client" });
+    return createInactiveSession(client, sessionId, "Could not resolve terminal resource");
+  }
+  const protectionLevel = determineProtectionLevel(mode, opts.tools, contracts);
+  const maxUnguardedCalls = opts.maxUnguardedCalls ?? DEFAULT_MAX_UNGUARDED_CALLS;
+  const narrowingFeedback = opts.narrowingFeedback ?? "silent";
+  const apiKey = resolveApiKey2(opts);
+  let runtimeClient = null;
+  let runtimeSession = null;
+  let runtimeInitPromise = null;
+  let leaseFence = null;
+  let runtimeDegraded = false;
+  let runtimeInitDone = false;
+  if (protectionLevel === "govern" && apiKey) {
+    const runtimeUrl = opts.runtimeUrl;
+    runtimeClient = new RuntimeClient({
+      apiKey,
+      apiUrl: runtimeUrl
+    });
+    const runtimeRequest = deriveRuntimeRequest(protectionLevel, mode);
+    const sessionInitPayload = {
+      agent,
+      sessionId,
+      requestedMode: runtimeRequest.requestedMode,
+      requestedTier: runtimeRequest.requestedTier,
+      adapterCapability: "full",
+      contractHash: compiledSession?.compiledHash ?? "",
+      compiledSession: compiledSession ? {
+        schemaVersion: "1",
+        hash: compiledSession.compiledHash,
+        body: (0, import_contracts_core6.serializeCompiledSession)(compiledSession)
+      } : void 0,
+      principal: opts.principal ?? null
+    };
+    if (workflowOpts && workflowId) {
+      if (workflowOpts.type === "root" && compiledWorkflow) {
+        const serialized = (0, import_contracts_core6.serializeCompiledWorkflow)(compiledWorkflow);
+        sessionInitPayload.workflow = {
+          workflowId,
+          role: workflowOpts.role,
+          compiledWorkflow: {
+            hash: compiledWorkflow.compiledHash,
+            body: serialized
+          }
+        };
+      } else if (workflowOpts.type === "child") {
+        sessionInitPayload.workflow = {
+          workflowId,
+          role: workflowOpts.role,
+          parentSessionId: workflowOpts.parentSessionId,
+          handoffId: workflowOpts.handoffId
+        };
+      }
+    }
+    runtimeInitPromise = runtimeClient.createSession(sessionInitPayload).then((result) => {
+      runtimeSession = result;
+      leaseFence = result.leaseFence;
+      runtimeInitDone = true;
+      if (result.workflow && workflowOpts) {
+        emitDiagnostic2(diagnostics, {
+          type: "replay_workflow_attached",
+          session_id: sessionId,
+          workflow_id: result.workflow.workflowId,
+          role: result.workflow.role,
+          attach_type: workflowOpts.type
+        });
+      }
+    }).catch(() => {
+      runtimeInitDone = true;
+      runtimeDegraded = true;
+      emitDiagnostic2(diagnostics, { type: "replay_inactive", reason: "runtime_degraded_to_protect" });
+    });
+  } else {
+    runtimeInitDone = true;
+  }
+  const initialTier = protectionLevel === "govern" && apiKey ? "strong" : "compat";
+  const principalValue = opts.principal != null && typeof opts.principal === "object" && !Array.isArray(opts.principal) ? opts.principal : null;
+  let sessionState = createInitialState(sessionId, { tier: initialTier, agent, principal: principalValue });
+  if (compiledSession?.phases) {
+    const initial = compiledSession.phases.find((p) => p.initial);
+    if (initial) {
+      sessionState = { ...sessionState, currentPhase: initial.name };
+    }
+  }
+  sessionState = { ...sessionState, contractHash: compiledSession?.compiledHash ?? null };
+  let killed = false;
+  let killedAt = null;
+  let restored = false;
+  let bypassDetected = false;
+  let lastShadowDeltaValue = null;
+  let lastNarrowResult = null;
+  let shadowEvaluationCount = 0;
+  let manualFilter = null;
+  const deferredReceipts = /* @__PURE__ */ new Map();
+  const contractLimits = resolveSessionLimits(contracts);
+  const compiledLimits = compiledSession?.sessionLimits;
+  const mergedLimits = { ...contractLimits ?? {}, ...compiledLimits ?? {} };
+  const resolvedSessionLimits = Object.keys(mergedLimits).length > 0 ? mergedLimits : null;
+  const store = opts.store ?? null;
+  let storeLoadPromise = null;
+  let storeLoadDone = false;
+  if (store) {
+    storeLoadPromise = Promise.resolve().then(() => store.load()).then((loaded) => {
+      if (loaded && loaded.sessionId === sessionId) {
+        const contractDrift = loaded.contractHash !== null && loaded.contractHash !== (compiledSession?.compiledHash ?? null);
+        sessionState = loaded;
+        if (loaded.killed) {
+          killed = true;
+          killedAt = (/* @__PURE__ */ new Date()).toISOString();
+        }
+        emitDiagnostic2(diagnostics, {
+          type: "replay_resumed",
+          session_id: sessionId,
+          state_version: loaded.stateVersion,
+          contract_drift: contractDrift
+        });
+      } else {
+        void Promise.resolve(store.compareAndSet(loaded?.stateVersion ?? 0, sessionState));
+      }
+      storeLoadDone = true;
+    }).catch(() => {
+      try {
+        void Promise.resolve(store.compareAndSet(0, sessionState));
+      } catch {
+      }
+      storeLoadDone = true;
+    });
+  } else {
+    storeLoadDone = true;
+  }
+  const buffer = apiKey ? new CaptureBuffer({
+    apiKey,
+    endpoint: void 0,
+    diagnostics
+  }) : null;
+  if (buffer) {
+    registerBeforeExit(buffer);
+  }
+  function syncStateToStore(prevVersion, newState) {
+    if (!store) return;
+    try {
+      const result = store.compareAndSet(prevVersion, newState);
+      if (result && typeof result.then === "function") {
+        void result.catch(() => {
+        });
+      }
+    } catch {
+    }
+  }
+  function appendCaptureToStore(capture) {
+    if (!store) return;
+    try {
+      const result = store.appendCapture(capture);
+      if (result && typeof result.then === "function") {
+        void result.catch(() => {
+        });
+      }
+    } catch {
+    }
+  }
+  const enforcementCreate = async function replayEnforcementCreate(...args) {
+    if (killed) {
+      throw new ReplayKillError(sessionId, killedAt);
+    }
+    if (restored) {
+      throw new ReplayContractError(
+        "Session has been restored \u2014 wrapper is inert",
+        { action: "block", tool_calls: [], blocked: [], response_modification: "reject_all" },
+        "",
+        []
+      );
+    }
+    if (runtimeInitPromise && !runtimeInitDone) {
+      await runtimeInitPromise;
+    }
+    if (storeLoadPromise && !storeLoadDone) {
+      await storeLoadPromise;
+    }
+    if (protectionLevel === "govern" && runtimeDegraded && sessionState.tier === "strong") {
+      sessionState = { ...sessionState, tier: "compat" };
+    }
+    const effectiveTier = sessionState.tier;
+    const isCompatAdvisory = effectiveTier === "compat" && compatEnforcement === "advisory";
+    if (protectionLevel === "govern" && runtimeDegraded && onError === "block" && !isCompatAdvisory) {
+      throw new ReplayInternalError("Govern mode requires runtime \u2014 runtime unavailable", { sessionId });
+    }
+    const guardStart = Date.now();
+    const timing = {
+      narrow_ms: 0,
+      pre_check_ms: 0,
+      llm_call_ms: 0,
+      validate_ms: 0,
+      cross_step_ms: 0,
+      phase_ms: 0,
+      argument_values_ms: 0,
+      policy_ms: 0,
+      gate_ms: 0,
+      finalize_ms: 0,
+      runtime_ms: 0,
+      total_ms: 0,
+      enforcement_ms: 0
+    };
+    const request = toRecord10(args[0]);
+    const requestToolNames = extractRequestToolNames(request);
+    let narrowResult = null;
+    let activeArgs = args;
+    if (compiledSession && Array.isArray(request.tools) && request.tools.length > 0) {
+      const toolDefs = extractToolDefinitions(request.tools);
+      if (toolDefs.length > 0) {
+        narrowResult = narrowTools(
+          toolDefs,
+          sessionState,
+          compiledSession,
+          unmatchedPolicy,
+          manualFilter
+        );
+        lastNarrowResult = narrowResult;
+        if (narrowResult.removed.length > 0) {
+          if (mode === "enforce") {
+            const modifiedRequest = { ...request };
+            if (narrowResult.allowed.length === 0) {
+              modifiedRequest.tools = [];
+              delete modifiedRequest.tool_choice;
+            } else {
+              modifiedRequest.tools = narrowResult.allowed;
+            }
+            if (narrowingFeedback === "inject") {
+              const injectionMsg = buildNarrowingInjectionMessage(narrowResult);
+              injectNarrowingSystemMessage(modifiedRequest, injectionMsg, provider);
+              emitDiagnostic2(diagnostics, {
+                type: "replay_narrow_injected",
+                session_id: sessionId,
+                message: injectionMsg
+              });
+            }
+            activeArgs = [modifiedRequest, ...Array.prototype.slice.call(args, 1)];
+          }
+          emitDiagnostic2(diagnostics, {
+            type: "replay_narrow",
+            session_id: sessionId,
+            removed: narrowResult.removed
+          });
+          try {
+            opts.onNarrow?.(narrowResult);
+          } catch {
+          }
+        }
+      }
+    }
+    timing.narrow_ms = Date.now() - guardStart;
+    const preCheckStart = Date.now();
+    try {
+      if (mode === "enforce" && resolvedSessionLimits) {
+        const limitResult = checkSessionLimits(sessionState, resolvedSessionLimits);
+        if (limitResult.exceeded) {
+          const decision = {
+            action: "block",
+            tool_calls: [],
+            blocked: [{
+              tool_name: "_session",
+              arguments: "",
+              reason: "session_limit_exceeded",
+              contract_file: "",
+              failures: [{ path: "$", operator: "session_limit", expected: "", found: "", message: limitResult.reason ?? "session limit exceeded" }]
+            }],
+            response_modification: gateMode
+          };
+          sessionState = recordDecisionOutcome(sessionState, "blocked");
+          if (resolvedSessionLimits.circuit_breaker) {
+            const cbResult = checkCircuitBreaker(sessionState, resolvedSessionLimits.circuit_breaker);
+            if (cbResult.triggered) {
+              killed = true;
+              killedAt = (/* @__PURE__ */ new Date()).toISOString();
+              sessionState = killSession(sessionState);
+              emitDiagnostic2(diagnostics, { type: "replay_kill", session_id: sessionId });
+            }
+          }
+          timing.pre_check_ms = Date.now() - preCheckStart;
+          captureDecision(
+            decision,
+            null,
+            request,
+            guardStart,
+            requestToolNames,
+            null,
+            narrowResult,
+            null,
+            null,
+            null,
+            void 0,
+            timing
+          );
+          if (isCompatAdvisory) {
+            emitDiagnostic2(diagnostics, {
+              type: "replay_compat_advisory",
+              session_id: sessionId,
+              would_block: decision.blocked,
+              details: limitResult.reason ?? "session limit exceeded"
+            });
+          } else {
+            throw buildContractError2(decision);
+          }
+        }
+        if (isAtHardStepCap(sessionState)) {
+          const decision = {
+            action: "block",
+            tool_calls: [],
+            blocked: [{
+              tool_name: "_session",
+              arguments: "",
+              reason: "session_limit_exceeded",
+              contract_file: "",
+              failures: [{ path: "$", operator: "session_limit", expected: "", found: "", message: "hard step cap (10,000) reached" }]
+            }],
+            response_modification: gateMode
+          };
+          timing.pre_check_ms = Date.now() - preCheckStart;
+          captureDecision(
+            decision,
+            null,
+            request,
+            guardStart,
+            requestToolNames,
+            null,
+            narrowResult,
+            null,
+            null,
+            null,
+            void 0,
+            timing
+          );
+          throw buildContractError2(decision);
+        }
+      }
+      const messages = Array.isArray(request.messages) ? request.messages : [];
+      if (messages.length > 0) {
+        const msgResult = validateToolResultMessages(messages, contracts, provider);
+        if (!msgResult.passed) {
+          emitDiagnostic2(diagnostics, {
+            type: "replay_contract_error",
+            details: `Message validation: ${msgResult.failures.map((f) => f.detail).join("; ")}`
+          });
+        }
+      }
+      if (messages.length > 0) {
+        const toolResults = extractToolResults(messages, provider);
+        if (toolResults.length > 0) {
+          const outputUpdates = extractOutputFromToolResults(toolResults, sessionState, contracts);
+          sessionState = applyOutputExtracts(sessionState, outputUpdates);
+        }
+      }
+      const inputFailures = evaluateInputInvariants(request, contracts);
+      if (mode === "enforce" && inputFailures.length > 0) {
+        if (onError === "block") {
+          const decision = {
+            action: "block",
+            tool_calls: [],
+            blocked: [{
+              tool_name: "_request",
+              arguments: "",
+              reason: "input_invariant_failed",
+              contract_file: inputFailures[0]?.contract_file ?? "",
+              failures: inputFailures
+            }],
+            response_modification: gateMode
+          };
+          timing.pre_check_ms = Date.now() - preCheckStart;
+          captureDecision(
+            decision,
+            null,
+            request,
+            guardStart,
+            requestToolNames,
+            null,
+            narrowResult,
+            null,
+            null,
+            null,
+            void 0,
+            timing
+          );
+          throw buildContractError2(decision);
+        }
+      }
+      timing.pre_check_ms = Date.now() - preCheckStart;
+      let lastError = null;
+      for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        if (killed) throw new ReplayKillError(sessionId, killedAt);
+        let attemptPreparedRequestId = null;
+        let attemptDegraded = false;
+        let attemptPendingCalls = null;
+        const isActiveGovern = protectionLevel === "govern" && !runtimeDegraded && runtimeClient != null && runtimeSession != null && leaseFence != null;
+        if (isActiveGovern) {
+          const rtPreflightStart = Date.now();
+          try {
+            const pf = await runtimeClient.preflight({
+              sessionId,
+              leaseFence,
+              requestEnvelope: activeArgs[0],
+              provider,
+              modelId: typeof request.model === "string" ? request.model : null
+            });
+            attemptPreparedRequestId = pf.preparedRequestId;
+            leaseFence = pf.leaseFence;
+          } catch (err) {
+            attemptDegraded = true;
+            if (runtimeClient.isCircuitOpen()) runtimeDegraded = true;
+            emitDiagnostic2(diagnostics, {
+              type: "replay_inactive",
+              reason: "runtime_preflight_failed",
+              error_message: err instanceof Error ? err.message : String(err)
+            });
+          }
+          timing.runtime_ms += Date.now() - rtPreflightStart;
+        }
+        const llmCallStart = Date.now();
+        const response = await terminalInfo.originalCreate.apply(this, activeArgs);
+        timing.llm_call_ms += Date.now() - llmCallStart;
+        if (killed) throw new ReplayKillError(sessionId, killedAt);
+        const responseUsage = extractUsage(response, provider);
+        if (responseUsage) {
+          const costDelta = (responseUsage.prompt_tokens + responseUsage.completion_tokens) * 1e-5;
+          sessionState = updateActualCost(sessionState, costDelta);
+        }
+        if (mode === "log-only") {
+          captureDecision(
+            { action: "allow", tool_calls: extractToolCalls(response, provider) },
+            response,
+            request,
+            guardStart,
+            requestToolNames,
+            null,
+            narrowResult,
+            null,
+            null,
+            null,
+            void 0,
+            timing
+          );
+          return response;
+        }
+        const toolCalls = extractToolCalls(response, provider);
+        const validateStart = Date.now();
+        const validation = validateResponse2(response, toolCalls, contracts, requestToolNames, unmatchedPolicy, provider);
+        timing.validate_ms += Date.now() - validateStart;
+        if (isActiveGovern && !attemptDegraded && attemptPreparedRequestId) {
+          const rtProposalStart = Date.now();
+          try {
+            const pr = await runtimeClient.submitProposal({
+              sessionId,
+              leaseFence,
+              preparedRequestId: attemptPreparedRequestId,
+              responseEnvelope: response
+            });
+            attemptPendingCalls = new Map(
+              pr.pendingCalls.map((pc) => [pc.toolCallId, pc])
+            );
+            for (const bc of pr.blockedCalls) {
+              validation.failures.push({
+                path: `$.tool_calls.${bc.toolName}`,
+                operator: "server_blocked",
+                expected: "allowed",
+                found: bc.reason,
+                message: `Server blocked: ${bc.toolName} \u2014 ${bc.reason}`,
+                contract_file: ""
+              });
+            }
+          } catch (err) {
+            attemptDegraded = true;
+            if (runtimeClient.isCircuitOpen()) runtimeDegraded = true;
+            emitDiagnostic2(diagnostics, {
+              type: "replay_inactive",
+              reason: "runtime_proposal_failed",
+              error_message: err instanceof Error ? err.message : String(err)
+            });
+          }
+          timing.runtime_ms += Date.now() - rtProposalStart;
+        }
+        const crossStepStart = Date.now();
+        const crossStepContracts = compiledSession ? Array.from(compiledSession.perToolContracts.values()) : contracts;
+        const crossStepResult = validateCrossStep(toolCalls, sessionState, crossStepContracts);
+        if (!crossStepResult.passed) {
+          for (const f of crossStepResult.failures) {
+            validation.failures.push({
+              path: `$.tool_calls.${f.toolName}`,
+              operator: f.reason,
+              expected: "",
+              found: "",
+              message: f.detail,
+              contract_file: ""
+            });
+          }
+        }
+        timing.cross_step_ms += Date.now() - crossStepStart;
+        let phaseResult = null;
+        const phaseStart = Date.now();
+        if (compiledSession) {
+          phaseResult = validatePhaseTransition(toolCalls, sessionState, compiledSession);
+          if (!phaseResult.legal) {
+            validation.failures.push({
+              path: `$.tool_calls.${phaseResult.blockedTool}`,
+              operator: phaseResult.reason,
+              expected: "",
+              found: phaseResult.attemptedTransition,
+              message: `Phase transition blocked: ${phaseResult.attemptedTransition} (${phaseResult.reason})`,
+              contract_file: ""
+            });
+          }
+        }
+        timing.phase_ms += Date.now() - phaseStart;
+        const argValuesStart = Date.now();
+        for (const tc of toolCalls) {
+          const contract = contracts.find((c) => c.tool === tc.name);
+          if (contract?.argument_value_invariants && contract.argument_value_invariants.length > 0) {
+            let parsedArgs;
+            try {
+              parsedArgs = JSON.parse(tc.arguments);
+            } catch {
+              parsedArgs = {};
+            }
+            const avResult = evaluateArgumentValueInvariants(parsedArgs, contract.argument_value_invariants);
+            if (!avResult.passed) {
+              for (const f of avResult.failures) {
+                validation.failures.push({
+                  path: f.path,
+                  operator: f.operator,
+                  expected: String(f.expected),
+                  found: String(f.actual),
+                  message: f.detail,
+                  contract_file: contract.contract_file ?? contract.tool,
+                  _tool_call_id: tc.id,
+                  _tool_call_arguments: tc.arguments
+                });
+              }
+            }
+          }
+          if (resolvedSessionLimits) {
+            const perToolResult = checkPerToolLimits(sessionState, tc.name, resolvedSessionLimits);
+            if (perToolResult.exceeded) {
+              validation.failures.push({
+                path: `$.tool_calls.${tc.name}`,
+                operator: "session_limit",
+                expected: "",
+                found: "",
+                message: perToolResult.reason ?? "per-tool limit exceeded",
+                contract_file: ""
+              });
+            }
+          }
+          if (resolvedSessionLimits?.loop_detection) {
+            const loopResult = checkLoopDetection(
+              tc.name,
+              tc.arguments,
+              sessionState,
+              resolvedSessionLimits.loop_detection
+            );
+            if (loopResult.triggered) {
+              validation.failures.push({
+                path: `$.tool_calls.${tc.name}`,
+                operator: "loop_detected",
+                expected: `< ${loopResult.threshold} occurrences in window ${loopResult.window}`,
+                found: String(loopResult.matchCount),
+                message: `Loop detected: ${tc.name} repeated ${loopResult.matchCount} times in last ${loopResult.window} steps`,
+                contract_file: ""
+              });
+            }
+          }
+        }
+        timing.argument_values_ms += Date.now() - argValuesStart;
+        let policyVerdicts = null;
+        const policyStart = Date.now();
+        if (compiledSession?.policyProgram && compiledSession.principal !== null && compiledSession.principal !== void 0) {
+          policyVerdicts = /* @__PURE__ */ new Map();
+          for (const tc of toolCalls) {
+            const verdict = evaluatePolicy(
+              tc.name,
+              compiledSession.principal,
+              (() => {
+                try {
+                  return JSON.parse(tc.arguments);
+                } catch {
+                  return {};
+                }
+              })(),
+              sessionState,
+              compiledSession.policyProgram
+            );
+            policyVerdicts.set(tc.name, verdict);
+            if (!verdict.allowed) {
+              validation.failures.push({
+                path: `$.tool_calls.${tc.name}`,
+                operator: "policy_denied",
+                expected: "allowed",
+                found: verdict.reason ?? "denied",
+                message: `Policy denied: ${tc.name} \u2014 ${verdict.reason}`,
+                contract_file: ""
+              });
+            }
+          }
+        }
+        timing.policy_ms += Date.now() - policyStart;
+        if (mode === "shadow") {
+          const shadowGateStart = Date.now();
+          const shadowDecision = validation.failures.length > 0 ? {
+            action: "block",
+            tool_calls: toolCalls,
+            blocked: buildBlockedCalls(toolCalls, validation.failures, validation.unmatchedBlocked),
+            response_modification: gateMode
+          } : { action: "allow", tool_calls: toolCalls };
+          const shadowDelta = {
+            would_have_blocked: shadowDecision.action === "block" ? shadowDecision.blocked : [],
+            would_have_narrowed: narrowResult?.removed ?? [],
+            current_phase: sessionState.currentPhase,
+            legal_next_phases: compiledSession ? getLegalNextPhases(sessionState, compiledSession) : []
+          };
+          lastShadowDeltaValue = shadowDelta;
+          shadowEvaluationCount++;
+          timing.gate_ms += Date.now() - shadowGateStart;
+          captureDecision(shadowDecision, response, request, guardStart, requestToolNames, crossStepResult, narrowResult, phaseResult, policyVerdicts, null, shadowDelta, timing);
+          return response;
+        }
+        if (isCompatAdvisory) {
+          const advisoryGateStart = Date.now();
+          const advisoryDecision = buildDecision(toolCalls, validation, gateMode, compiledSession);
+          timing.gate_ms += Date.now() - advisoryGateStart;
+          const advisoryFinalizeStart = Date.now();
+          if (advisoryDecision.action === "allow" || advisoryDecision.action === "block") {
+            const completedStep = buildCompletedStep(
+              sessionState.totalStepCount,
+              sessionId,
+              toolCalls,
+              contracts,
+              response,
+              provider,
+              effectiveTier,
+              compiledSession
+            );
+            if (phaseResult && phaseResult.legal && phaseResult.newPhase !== sessionState.currentPhase) {
+              completedStep.phaseTransition = `${sessionState.currentPhase} \u2192 ${phaseResult.newPhase}`;
+              completedStep.phase = phaseResult.newPhase;
+            } else {
+              completedStep.phase = sessionState.currentPhase;
+            }
+            const prevVersion = sessionState.stateVersion;
+            sessionState = finalizeExecutedStep(sessionState, completedStep, contracts, compiledSession);
+            syncStateToStore(prevVersion, sessionState);
+          }
+          if (advisoryDecision.action === "block") {
+            sessionState = recordDecisionOutcome(sessionState, "blocked");
+            emitDiagnostic2(diagnostics, {
+              type: "replay_compat_advisory",
+              session_id: sessionId,
+              would_block: advisoryDecision.blocked,
+              details: advisoryDecision.blocked.map((b) => `${b.tool_name}: ${b.reason}`).join("; ")
+            });
+          } else {
+            sessionState = recordDecisionOutcome(sessionState, "allowed");
+          }
+          timing.finalize_ms += Date.now() - advisoryFinalizeStart;
+          captureDecision(advisoryDecision, response, request, guardStart, requestToolNames, crossStepResult, narrowResult, phaseResult, policyVerdicts, null, void 0, timing);
+          return response;
+        }
+        const enforceGateStart = Date.now();
+        const decision = buildDecision(toolCalls, validation, gateMode, compiledSession);
+        timing.gate_ms += Date.now() - enforceGateStart;
+        if (decision.action === "allow") {
+          const enforceFinalizeStart = Date.now();
+          const completedStep = buildCompletedStep(
+            sessionState.totalStepCount,
+            sessionId,
+            toolCalls,
+            contracts,
+            response,
+            provider,
+            effectiveTier,
+            compiledSession
+          );
+          if (phaseResult && phaseResult.legal && phaseResult.newPhase !== sessionState.currentPhase) {
+            completedStep.phaseTransition = `${sessionState.currentPhase} \u2192 ${phaseResult.newPhase}`;
+            completedStep.phase = phaseResult.newPhase;
+          } else {
+            completedStep.phase = sessionState.currentPhase;
+          }
+          const prevVersionAllow = sessionState.stateVersion;
+          sessionState = finalizeExecutedStep(sessionState, completedStep, contracts, compiledSession);
+          sessionState = recordDecisionOutcome(sessionState, "allowed");
+          syncStateToStore(prevVersionAllow, sessionState);
+          timing.finalize_ms += Date.now() - enforceFinalizeStart;
+          if (isActiveGovern && !attemptDegraded && attemptPendingCalls && attemptPendingCalls.size > 0) {
+            for (const [toolCallId, pending] of attemptPendingCalls) {
+              deferredReceipts.set(toolCallId, {
+                pendingCallId: pending.pendingCallId,
+                toolName: pending.toolName,
+                argumentsHash: stripHashPrefix(pending.argumentsHash)
+              });
+            }
+          }
+          captureDecision(decision, response, request, guardStart, requestToolNames, crossStepResult, narrowResult, phaseResult, policyVerdicts, null, void 0, timing);
+          return response;
+        }
+        sessionState = recordDecisionOutcome(sessionState, "blocked");
+        if (isActiveGovern && !attemptDegraded && attemptPendingCalls && attemptPendingCalls.size > 0) {
+          const rtBlockReceiptStart = Date.now();
+          const blockedToolCallIds = new Set(
+            decision.action === "block" ? decision.blocked.map((b) => {
+              const tc = toolCalls.find((c) => c.name === b.tool_name && c.arguments === b.arguments);
+              return tc?.id;
+            }).filter((id) => id != null) : []
+          );
+          const receiptNow = (/* @__PURE__ */ new Date()).toISOString();
+          for (const [toolCallId, pending] of attemptPendingCalls) {
+            if (blockedToolCallIds.has(toolCallId) || gateMode === "reject_all") {
+              try {
+                await runtimeClient.submitReceipt({
+                  sessionId,
+                  leaseFence,
+                  pendingCallId: pending.pendingCallId,
+                  executorKind: "WRAPPED_EXECUTOR",
+                  toolName: pending.toolName,
+                  argumentsHash: stripHashPrefix(pending.argumentsHash),
+                  status: "DISCARDED",
+                  startedAt: receiptNow,
+                  completedAt: receiptNow
+                });
+              } catch (err) {
+                attemptDegraded = true;
+                if (runtimeClient.isCircuitOpen()) runtimeDegraded = true;
+                emitDiagnostic2(diagnostics, {
+                  type: "replay_inactive",
+                  reason: "runtime_receipt_failed",
+                  error_message: err instanceof Error ? err.message : String(err)
+                });
+                break;
+              }
+            } else {
+              deferredReceipts.set(toolCallId, {
+                pendingCallId: pending.pendingCallId,
+                toolName: pending.toolName,
+                argumentsHash: stripHashPrefix(pending.argumentsHash)
+              });
+            }
+          }
+          timing.runtime_ms += Date.now() - rtBlockReceiptStart;
+        }
+        if (resolvedSessionLimits?.circuit_breaker) {
+          const cbResult = checkCircuitBreaker(sessionState, resolvedSessionLimits.circuit_breaker);
+          if (cbResult.triggered) {
+            killed = true;
+            killedAt = (/* @__PURE__ */ new Date()).toISOString();
+            sessionState = killSession(sessionState);
+            emitDiagnostic2(diagnostics, { type: "replay_kill", session_id: sessionId });
+          }
+        }
+        if (attempt < maxRetries) {
+          lastError = new ReplayContractError(
+            `Blocked on attempt ${attempt + 1}`,
+            decision,
+            decision.blocked[0]?.contract_file ?? "",
+            decision.blocked[0]?.failures ?? []
+          );
+          continue;
+        }
+        captureDecision(decision, response, request, guardStart, requestToolNames, crossStepResult, narrowResult, phaseResult, policyVerdicts, null, void 0, timing);
+        return applyGateDecision(decision, response, provider, gateMode, opts.onBlock);
+      }
+      if (lastError) throw lastError;
+      throw new ReplayInternalError("Retry loop exhausted without result", { sessionId });
+    } catch (err) {
+      if (err instanceof ReplayContractError || err instanceof ReplayKillError) {
+        throw err;
+      }
+      sessionState = recordDecisionOutcome(sessionState, "error");
+      if (resolvedSessionLimits?.circuit_breaker) {
+        const cbResult = checkCircuitBreaker(sessionState, resolvedSessionLimits.circuit_breaker);
+        if (cbResult.triggered) {
+          killed = true;
+          killedAt = (/* @__PURE__ */ new Date()).toISOString();
+          sessionState = killSession(sessionState);
+          emitDiagnostic2(diagnostics, { type: "replay_kill", session_id: sessionId });
+        }
+      }
+      if (onError === "block") {
+        throw new ReplayInternalError("Enforcement pipeline internal error", { cause: err, sessionId });
+      }
+      sessionState = { ...sessionState, totalUnguardedCalls: sessionState.totalUnguardedCalls + 1 };
+      if (sessionState.totalUnguardedCalls >= maxUnguardedCalls) {
+        killed = true;
+        killedAt = (/* @__PURE__ */ new Date()).toISOString();
+        sessionState = killSession(sessionState);
+        emitDiagnostic2(diagnostics, { type: "replay_kill", session_id: sessionId });
+      }
+      return terminalInfo.originalCreate.apply(this, args);
+    }
+  };
+  const wrapperClient = createWrapperClient(client, provider, enforcementCreate);
+  const bypassCreate = function replayBypassProxy(...args) {
+    bypassDetected = true;
+    emitDiagnostic2(diagnostics, { type: "replay_bypass_detected", session_id: sessionId });
+    if (runtimeClient && runtimeSession) {
+      runtimeClient.reportBypass({
+        sessionId,
+        source: "bypass_proxy",
+        detail: "Direct call on original client detected"
+      }).catch(() => {
+      });
+    }
+    return terminalInfo.originalCreate.apply(this, args);
+  };
+  terminalInfo.terminal[terminalInfo.methodName] = bypassCreate;
+  setReplayAttached(client);
+  emitDiagnostic2(diagnostics, {
+    type: "replay_activated",
+    session_id: sessionId,
+    provider,
+    agent,
+    mode
+  });
+  const session = {
+    client: wrapperClient,
+    async flush() {
+      if (!buffer) {
+        return { captured: 0, sent: 0, active: false, errors: [] };
+      }
+      return buffer.flush();
+    },
+    restore() {
+      if (restored) return;
+      restored = true;
+      if (terminalInfo.terminal[terminalInfo.methodName] === bypassCreate) {
+        terminalInfo.terminal[terminalInfo.methodName] = terminalInfo.originalCreate;
+      }
+      clearReplayAttached(client);
+      buffer?.close();
+    },
+    kill() {
+      if (killed) return;
+      killed = true;
+      killedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const prevVersionKill = sessionState.stateVersion;
+      sessionState = killSession(sessionState);
+      syncStateToStore(prevVersionKill, sessionState);
+      emitDiagnostic2(diagnostics, { type: "replay_kill", session_id: sessionId });
+      if (runtimeClient && runtimeSession && leaseFence) {
+        runtimeClient.killSession({
+          sessionId,
+          leaseFence,
+          reason: "sdk_kill"
+        }).catch(() => {
+        });
+      }
+      buffer?.flush().catch(() => {
+      });
+    },
+    getHealth() {
+      const isAuthoritative = runtimeSession != null && !runtimeDegraded;
+      const effectiveProtection = runtimeDegraded ? "protect" : protectionLevel;
+      let durability;
+      if (isAuthoritative) {
+        durability = runtimeClient?.isCircuitOpen() ? "degraded-local" : "server";
+      } else {
+        durability = runtimeDegraded ? "degraded-local" : "inactive";
+      }
+      let authorityState;
+      if (killed) authorityState = "killed";
+      else if (bypassDetected) authorityState = "compromised";
+      else if (isAuthoritative) authorityState = "active";
+      else authorityState = "advisory";
+      return {
+        status: killed ? "inactive" : sessionState.consecutiveErrorCount > 0 ? "degraded" : "healthy",
+        authorityState,
+        protectionLevel: effectiveProtection,
+        durability,
+        tier: sessionState.tier,
+        compatEnforcement,
+        cluster_detected: false,
+        bypass_detected: bypassDetected,
+        totalSteps: sessionState.totalStepCount,
+        totalBlocks: sessionState.totalBlockCount,
+        totalErrors: sessionState.consecutiveErrorCount,
+        killed,
+        shadowEvaluations: shadowEvaluationCount
+      };
+    },
+    /**
+     * v2: Return redacted session state snapshot.
+     * @see specs/replay-v2.md § getState() contract
+     */
+    getState() {
+      return buildStateSnapshot(sessionState, toNarrowingSnapshot(lastNarrowResult));
+    },
+    getLastNarrowing() {
+      return toNarrowingSnapshot(lastNarrowResult);
+    },
+    getLastShadowDelta() {
+      return lastShadowDeltaValue;
+    },
+    /**
+     * v3: Manually restrict available tools within compiled legal space.
+     * @see specs/replay-v3.md § narrow() / widen()
+     */
+    narrow(toolFilter) {
+      if (killed || restored) return;
+      manualFilter = toolFilter.length > 0 ? toolFilter : null;
+      sessionState = { ...sessionState, controlRevision: sessionState.controlRevision + 1 };
+      if (runtimeClient && runtimeSession && leaseFence) {
+        runtimeClient.setToolFilter({
+          sessionId,
+          leaseFence,
+          allowedTools: manualFilter
+        }).catch(() => {
+        });
+      }
+    },
+    /**
+     * v3: Remove manual restriction, return to contract-driven narrowing.
+     * @see specs/replay-v3.md § narrow() / widen()
+     */
+    widen() {
+      if (killed || restored) return;
+      if (manualFilter === null) return;
+      manualFilter = null;
+      sessionState = { ...sessionState, controlRevision: sessionState.controlRevision + 1 };
+      if (runtimeClient && runtimeSession && leaseFence) {
+        runtimeClient.setToolFilter({
+          sessionId,
+          leaseFence,
+          allowedTools: null
+        }).catch(() => {
+        });
+      }
+    },
+    tools: wrapToolsWithDeferredReceipts(
+      buildWrappedToolsMap(opts.tools, compiledSession)
+    ),
+    async getWorkflowState() {
+      if (!workflowId || !runtimeClient || runtimeDegraded) return null;
+      if (runtimeInitPromise && !runtimeInitDone) await runtimeInitPromise;
+      if (!runtimeSession?.workflow) return null;
+      try {
+        const state = await runtimeClient.getWorkflowState(workflowId);
+        return {
+          workflowId: state.workflowId,
+          rootSessionId: state.rootSessionId,
+          status: state.status,
+          stateVersion: state.stateVersion,
+          controlRevision: state.controlRevision,
+          totalSessionCount: state.totalSessionCount,
+          activeSessionCount: state.activeSessionCount,
+          totalStepCount: state.totalStepCount,
+          totalCost: state.totalCost,
+          totalHandoffCount: state.totalHandoffCount,
+          unresolvedHandoffCount: state.unresolvedHandoffCount,
+          lastEventSeq: state.lastEventSeq,
+          killScope: state.killScope,
+          createdAt: state.createdAt,
+          updatedAt: state.updatedAt
+        };
+      } catch {
+        return null;
+      }
+    },
+    async handoff(offer) {
+      if (!workflowId || !runtimeClient || runtimeDegraded) return null;
+      if (runtimeInitPromise && !runtimeInitDone) await runtimeInitPromise;
+      if (!runtimeSession?.workflow) return null;
+      try {
+        const result = await runtimeClient.offerHandoff({
+          sessionId,
+          workflowId,
+          fromRole: runtimeSession.workflow.role,
+          toRole: offer.toRole,
+          handoffId: offer.handoffId,
+          artifactRefs: offer.artifactRefs,
+          summary: offer.summary
+        });
+        return {
+          handoffId: result.handoffId,
+          eventSeq: result.eventSeq,
+          stateVersion: result.stateVersion
+        };
+      } catch {
+        return null;
+      }
+    }
+  };
+  return session;
+  function wrapToolsWithDeferredReceipts(baseTools) {
+    const wrapped = {};
+    for (const [toolName, executor] of Object.entries(baseTools)) {
+      wrapped[toolName] = async (args) => {
+        const result = await executor(args);
+        if (runtimeClient && leaseFence && !runtimeDegraded) {
+          for (const [callId, deferred] of deferredReceipts) {
+            if (deferred.toolName === toolName) {
+              deferredReceipts.delete(callId);
+              const now = (/* @__PURE__ */ new Date()).toISOString();
+              try {
+                const receiptResult = await runtimeClient.submitReceipt({
+                  sessionId,
+                  leaseFence,
+                  pendingCallId: deferred.pendingCallId,
+                  executorKind: "WRAPPED_EXECUTOR",
+                  toolName: deferred.toolName,
+                  argumentsHash: deferred.argumentsHash,
+                  status: "SUCCEEDED",
+                  startedAt: now,
+                  completedAt: now
+                });
+                if (receiptResult.stateAdvanced) {
+                  sessionState = { ...sessionState, stateVersion: receiptResult.stateVersion };
+                }
+              } catch {
+              }
+              break;
+            }
+          }
+        }
+        return result;
+      };
+    }
+    return wrapped;
+  }
+  function captureDecision(decision, response, request, guardStart, requestToolNames, crossStep, narrowing = null, phaseResult = null, policyVerdictMap = null, constraintVerdictVal = null, shadowDelta = void 0, timingParam) {
+    if (!buffer && !store) return;
+    if (timingParam) {
+      timingParam.total_ms = Date.now() - guardStart;
+      timingParam.enforcement_ms = timingParam.total_ms - timingParam.llm_call_ms;
+    }
+    const guardOverheadMs = timingParam ? timingParam.enforcement_ms : Date.now() - guardStart;
+    const phaseTransitionStr = phaseResult && !phaseResult.legal ? phaseResult.attemptedTransition : phaseResult && phaseResult.legal && phaseResult.newPhase !== sessionState.currentPhase ? `${sessionState.currentPhase} \u2192 ${phaseResult.newPhase}` : null;
+    const primaryTool = decision.tool_calls[0]?.name;
+    const capturedPolicyVerdict = primaryTool && policyVerdictMap ? policyVerdictMap.get(primaryTool) ?? null : null;
+    const replayMeta = {
+      session_id: sessionId,
+      step_index: sessionState.totalStepCount,
+      mode,
+      decision,
+      contract_hashes: contracts.map((c) => c.tool_schema_hash ?? c.tool),
+      guard_overhead_ms: guardOverheadMs,
+      timing: timingParam,
+      commit_tier: sessionState.tier,
+      principal: opts.principal ?? null,
+      policy_verdict: capturedPolicyVerdict,
+      execution_constraint_verdict: constraintVerdictVal,
+      counterfactual: {
+        tools_removed: narrowing?.removed ?? [],
+        calls_blocked: decision.action === "block" ? decision.blocked : []
+      },
+      // v2 additions
+      cross_step: crossStep ? { passed: crossStep.passed, failures: crossStep.failures.map((f) => ({ toolName: f.toolName, reason: f.reason, detail: f.detail })) } : null,
+      session_state_hash: null,
+      state_version: sessionState.stateVersion,
+      // v3 additions
+      narrowing,
+      phase: sessionState.currentPhase,
+      phase_transition: phaseTransitionStr,
+      shadow_delta: shadowDelta,
+      receipt: null
+    };
+    const capturedCall = {
+      schema_version: CAPTURE_SCHEMA_VERSION_CURRENT,
+      agent,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      provider,
+      model_id: typeof request.model === "string" ? request.model : "",
+      primary_tool_name: decision.tool_calls[0]?.name ?? null,
+      tool_names: decision.tool_calls.map((tc) => tc.name),
+      request: {
+        tools: requestToolNames.map((name) => ({ name }))
+      },
+      response: {
+        tool_calls: decision.tool_calls.map((tc) => ({
+          name: tc.name,
+          arguments: tc.arguments
+        })),
+        content: null
+      },
+      latency_ms: Date.now() - guardStart,
+      sdk_session_id: sessionId
+    };
+    try {
+      const serialized = JSON.stringify({ ...capturedCall, replay: replayMeta });
+      const { redacted } = redactCapture(serialized);
+      const redactedCall = JSON.parse(redacted);
+      if (buffer) buffer.push(redactedCall);
+      appendCaptureToStore(redactedCall);
+    } catch {
+    }
+  }
+}
+function resolveContracts(opts) {
+  if (opts.contracts) {
+    return loadContracts(opts.contracts);
+  }
+  if (opts.contractsDir) {
+    return loadContracts(opts.contractsDir);
+  }
+  throw new ReplayConfigError("compilation_failed", "No contracts or contractsDir provided");
+}
+var SESSION_YAML_NAMES2 = ["session.yaml", "session.yml"];
+function discoverSessionYaml(opts) {
+  if (opts.sessionYamlPath) {
+    const resolved = (0, import_node_path3.resolve)(opts.sessionYamlPath);
+    const raw = (0, import_node_fs3.readFileSync)(resolved, "utf8");
+    return (0, import_contracts_core6.parseSessionYaml)(raw);
+  }
+  if (opts.contractsDir) {
+    const dir = (0, import_node_path3.resolve)(opts.contractsDir);
+    for (const name of SESSION_YAML_NAMES2) {
+      const candidate = (0, import_node_path3.join)(dir, name);
+      if ((0, import_node_fs3.existsSync)(candidate)) {
+        const raw = (0, import_node_fs3.readFileSync)(candidate, "utf8");
+        return (0, import_contracts_core6.parseSessionYaml)(raw);
+      }
+    }
+  }
+  return null;
+}
+var WORKFLOW_YAML_NAMES = ["workflow.yaml", "workflow.yml"];
+function discoverWorkflowYaml(opts, workflowOpts) {
+  let raw = null;
+  if (workflowOpts.workflowYamlPath) {
+    const resolved = (0, import_node_path3.resolve)(workflowOpts.workflowYamlPath);
+    raw = (0, import_node_fs3.readFileSync)(resolved, "utf8");
+  }
+  if (!raw && opts.contractsDir) {
+    const dir = (0, import_node_path3.resolve)(opts.contractsDir);
+    for (const name of WORKFLOW_YAML_NAMES) {
+      const candidate = (0, import_node_path3.join)(dir, name);
+      if ((0, import_node_fs3.existsSync)(candidate)) {
+        raw = (0, import_node_fs3.readFileSync)(candidate, "utf8");
+        break;
+      }
+    }
+  }
+  if (!raw) return null;
+  const parsed = (0, import_contracts_core6.parseWorkflowYaml)(raw);
+  return (0, import_contracts_core6.compileWorkflow)(parsed);
+}
+function generateWorkflowId() {
+  return `rw_${import_node_crypto5.default.randomUUID().replace(/-/g, "").slice(0, 24)}`;
+}
+function validateConfig(contracts, opts) {
+  const hasPolicyBlock = contracts.some((c) => c.policy != null);
+  if (hasPolicyBlock && opts.principal === void 0) {
+    const toolsWithPolicy = contracts.filter((c) => c.policy != null).map((c) => c.tool).join(", ");
+    return new ReplayConfigError(
+      "policy_without_principal",
+      `Contracts with policy blocks (${toolsWithPolicy}) require a principal in replay() options`
+    );
+  }
+  const toolsMap = opts.tools ?? {};
+  const toolsWithConstraints = contracts.filter((c) => c.execution_constraints != null).filter((c) => !(c.tool in toolsMap));
+  if (toolsWithConstraints.length > 0) {
+    const names = toolsWithConstraints.map((c) => c.tool).join(", ");
+    return new ReplayConfigError(
+      "constraints_without_wrapper",
+      `Contracts with execution_constraints (${names}) require matching entries in the tools map`
+    );
+  }
+  return null;
+}
+function resolveTerminal(client, provider) {
+  try {
+    if (provider === "openai") {
+      const chat = client.chat;
+      const completions = chat.completions;
+      const create2 = completions.create;
+      if (typeof create2 !== "function") return null;
+      return {
+        terminal: completions,
+        methodName: "create",
+        originalCreate: create2
+      };
+    }
+    const messages = client.messages;
+    const create = messages.create;
+    if (typeof create !== "function") return null;
+    return {
+      terminal: messages,
+      methodName: "create",
+      originalCreate: create
+    };
+  } catch {
+    return null;
+  }
+}
+function createWrapperClient(originalClient, provider, enforcementCreate) {
+  if (provider === "openai") {
+    const origChat = originalClient.chat;
+    const origComp = origChat.completions;
+    const compWrapper = Object.create(origComp);
+    compWrapper.create = enforcementCreate;
+    const chatWrapper = Object.create(origChat);
+    chatWrapper.completions = compWrapper;
+    const wrapper2 = Object.create(originalClient);
+    wrapper2.chat = chatWrapper;
+    return wrapper2;
+  }
+  const origMessages = originalClient.messages;
+  const msgWrapper = Object.create(origMessages);
+  msgWrapper.create = enforcementCreate;
+  const wrapper = Object.create(originalClient);
+  wrapper.messages = msgWrapper;
+  return wrapper;
+}
+function validateResponse2(response, toolCalls, contracts, requestToolNames, unmatchedPolicy, provider) {
+  const failures = [];
+  const unmatchedBlocked = [];
+  const matched = matchContracts(contracts, toolCalls, void 0);
+  const unmatched = findUnmatchedTools(toolCalls, matched);
+  if (unmatchedPolicy === "block" && unmatched.length > 0) {
+    for (const tc of unmatched) {
+      unmatchedBlocked.push({
+        tool_name: tc.name,
+        arguments: tc.arguments,
+        reason: "unmatched_tool_blocked",
+        contract_file: "",
+        failures: [{
+          path: "$.tool_calls",
+          operator: "contract_match",
+          expected: "known tool",
+          found: tc.name,
+          message: `No contract for tool "${tc.name}"`
+        }]
+      });
+    }
+  }
+  for (const contract of matched) {
+    const outputInvariants = contract.assertions.output_invariants;
+    if (outputInvariants.length > 0) {
+      const normalizedResponse = buildNormalizedResponse(response, toolCalls);
+      const result = (0, import_contracts_core6.evaluateInvariants)(normalizedResponse, outputInvariants, process.env);
+      for (const failure of result) {
+        failures.push({
+          path: failure.path,
+          operator: failure.rule,
+          expected: failure.detail,
+          found: failure.detail,
+          message: failure.detail,
+          contract_file: contract.contract_file ?? contract.tool
+        });
+      }
+    }
+    if (contract.expected_tool_calls && contract.expected_tool_calls.length > 0) {
+      const result = (0, import_contracts_core6.evaluateExpectedToolCalls)(
+        toolCalls,
+        contract.expected_tool_calls,
+        contract.pass_threshold ?? 1,
+        contract.tool_call_match_mode ?? "any",
+        process.env
+      );
+      for (const failure of result.failures) {
+        failures.push({
+          path: failure.path,
+          operator: failure.rule,
+          expected: failure.detail,
+          found: failure.detail,
+          message: failure.detail,
+          contract_file: contract.contract_file ?? contract.tool
+        });
+      }
+    }
+  }
+  const formatResult = evaluateResponseFormatInvariants(response, contracts, requestToolNames, provider);
+  failures.push(...formatResult.failures);
+  return { failures, unmatchedBlocked, matchedContracts: matched };
+}
+function buildNormalizedResponse(_response, toolCalls) {
+  return {
+    tool_calls: toolCalls.map((tc) => {
+      let parsedArgs;
+      try {
+        parsedArgs = JSON.parse(tc.arguments);
+      } catch {
+        parsedArgs = null;
+      }
+      return {
+        id: tc.id,
+        name: tc.name,
+        function: { name: tc.name },
+        arguments: parsedArgs
+      };
+    })
+  };
+}
+function buildDecision(toolCalls, validation, gateMode, compiled) {
+  const blocked = [
+    ...validation.unmatchedBlocked,
+    ...buildBlockedCalls(toolCalls, validation.failures, [])
+  ];
+  if (compiled) {
+    const failedTools = new Set(validation.failures.map((f) => f.path.split(".").pop() ?? ""));
+    const alreadyBlocked = new Set(blocked.map((b) => b.tool_name));
+    for (const tc of toolCalls) {
+      if (alreadyBlocked.has(tc.name)) continue;
+      if (!failedTools.has(tc.name)) continue;
+      const contract = compiled.perToolContracts.get(tc.name);
+      if (contract?.effectiveGate === "block") {
+        blocked.push({
+          tool_name: tc.name,
+          arguments: tc.arguments,
+          reason: "risk_gate_blocked",
+          contract_file: "",
+          failures: [{
+            path: `$.tool_calls.${tc.name}`,
+            operator: "effective_gate",
+            expected: "allow",
+            found: "block",
+            message: `Tool '${tc.name}' blocked by risk_defaults (side_effect: ${contract.side_effect ?? "unknown"}, effectiveGate: block)`,
+            contract_file: ""
+          }]
+        });
+      }
+    }
+  }
+  if (blocked.length === 0) {
+    return { action: "allow", tool_calls: toolCalls };
+  }
+  return {
+    action: "block",
+    tool_calls: toolCalls,
+    blocked,
+    response_modification: gateMode
+  };
+}
+function buildBlockedCalls(toolCalls, failures, additionalBlocked) {
+  if (failures.length === 0) return additionalBlocked;
+  const failuresByKey = /* @__PURE__ */ new Map();
+  for (const failure of failures) {
+    const fr = failure;
+    let key;
+    let toolName;
+    let args;
+    if (fr._tool_call_id) {
+      key = fr._tool_call_id;
+      const tc = toolCalls.find((c) => c.id === fr._tool_call_id);
+      toolName = tc?.name ?? extractToolNameFromFailure(failure, toolCalls);
+      args = fr._tool_call_arguments ?? tc?.arguments ?? "";
+    } else {
+      toolName = extractToolNameFromFailure(failure, toolCalls);
+      const tc = toolCalls.find((c) => c.name === toolName);
+      key = `name:${toolName}`;
+      args = tc?.arguments ?? "";
+    }
+    const existing = failuresByKey.get(key);
+    if (existing) {
+      existing.failures.push(failure);
+    } else {
+      failuresByKey.set(key, { toolName, arguments: args, failures: [failure] });
+    }
+  }
+  const blocked = [...additionalBlocked];
+  for (const [, entry] of failuresByKey) {
+    const reason = determineBlockReason(entry.failures);
+    blocked.push({
+      tool_name: entry.toolName,
+      arguments: entry.arguments,
+      reason,
+      contract_file: entry.failures[0]?.contract_file ?? "",
+      failures: entry.failures
+    });
+  }
+  return blocked;
+}
+function extractToolNameFromFailure(failure, toolCalls) {
+  const pathMatch = failure.path?.match(/\$\.tool_calls\.(\w+)/);
+  if (pathMatch) {
+    const candidate = pathMatch[1];
+    if (toolCalls.some((tc) => tc.name === candidate)) return candidate;
+  }
+  if (failure.contract_file) {
+    const candidate = toolCalls.find((tc) => failure.contract_file.includes(tc.name));
+    if (candidate) return candidate.name;
+  }
+  return toolCalls[0]?.name ?? "_response";
+}
+function determineBlockReason(failures) {
+  for (const f of failures) {
+    if (f.operator === "response_format") return "response_format_invalid";
+    if (f.operator === "contract_match") return "unmatched_tool_blocked";
+    if (f.operator === "precondition_not_met") return "precondition_not_met";
+    if (f.operator === "forbidden_tool") return "forbidden_tool";
+    if (f.operator === "session_limit") return "session_limit_exceeded";
+    if (f.operator === "loop_detected") return "loop_detected";
+    if (f.operator === "policy_denied") return "policy_denied";
+    if (f.operator === "execution_constraint_violated") return "execution_constraint_violated";
+    if (f.operator === "exact_match" || f.operator === "argument_value_mismatch") return "argument_value_mismatch";
+  }
+  return "output_invariant_failed";
+}
+function evaluateInputInvariants(request, contracts) {
+  const failures = [];
+  const requestToolNames = extractRequestToolNames(request);
+  const requestToolSet = new Set(requestToolNames);
+  for (const contract of contracts) {
+    if (!requestToolSet.has(contract.tool)) continue;
+    if (contract.assertions.input_invariants.length === 0) continue;
+    const result = (0, import_contracts_core6.evaluateInvariants)(request, contract.assertions.input_invariants, process.env);
+    for (const failure of result) {
+      failures.push({
+        path: failure.path,
+        operator: failure.rule,
+        expected: failure.detail,
+        found: failure.detail,
+        message: failure.detail,
+        contract_file: contract.contract_file ?? contract.tool
+      });
+    }
+  }
+  return failures;
+}
+function extractRequestToolNames(request) {
+  const tools = request.tools;
+  if (!Array.isArray(tools)) return [];
+  return tools.map((tool) => {
+    const record = toRecord10(tool);
+    const name = typeof record.name === "string" ? record.name : typeof toRecord10(record.function).name === "string" ? toRecord10(record.function).name : void 0;
+    return name;
+  }).filter((name) => name !== void 0 && name.length > 0);
+}
+function buildContractError2(decision) {
+  if (decision.action !== "block") {
+    throw new Error("Cannot build contract error from allow decision");
+  }
+  const first = decision.blocked[0];
+  return new ReplayContractError(
+    `Tool call blocked: ${first?.tool_name ?? "unknown"} \u2014 ${first?.reason ?? "unknown"}`,
+    decision,
+    first?.contract_file ?? "",
+    first?.failures ?? []
+  );
+}
+function buildCompletedStep(stepIndex, sessionId, toolCalls, contracts, response, provider, tier = "strong", compiled) {
+  const contractByTool = new Map(contracts.map((c) => [c.tool, c]));
+  const completedToolCalls = toolCalls.map((tc) => {
+    const contract = contractByTool.get(tc.name);
+    const compiledContract = compiled?.perToolContracts.get(tc.name);
+    let parsedArgs;
+    try {
+      parsedArgs = JSON.parse(tc.arguments);
+    } catch {
+      parsedArgs = void 0;
+    }
+    let resourceValues = null;
+    const preconditions = compiledContract?.preconditions ?? contract?.preconditions;
+    if (preconditions && parsedArgs) {
+      for (const p of preconditions) {
+        if (p.resource) {
+          const resourcePath = typeof p.resource === "string" ? p.resource : p.resource.path;
+          const val = extractResourceValue(parsedArgs, resourcePath);
+          if (val !== void 0) {
+            if (!resourceValues) resourceValues = {};
+            resourceValues[resourcePath] = val;
+          }
+        }
+      }
+    }
+    const resolvedCommitRequirement = compiledContract?.commit_requirement ?? contract?.commit_requirement ?? "acknowledged";
+    return {
+      toolName: tc.name,
+      arguments_hash: computeArgumentsHash(tc.arguments),
+      proposal_decision: "allowed",
+      execution_state: "outcome_recorded",
+      evidence_level: "acknowledged",
+      commit_requirement: resolvedCommitRequirement,
+      commit_state: "committed",
+      commit_tier: tier,
+      executor_attested: false,
+      contractFile: contract?.contract_file ?? null,
+      resourceValues,
+      policyVerdict: null,
+      constraintVerdict: null
+    };
+  });
+  const respRec = toRecord10(response);
+  const choices = Array.isArray(respRec.choices) ? respRec.choices : [];
+  const firstChoice = toRecord10(choices[0]);
+  const finish_reason = typeof firstChoice.finish_reason === "string" ? firstChoice.finish_reason : null;
+  const model = typeof respRec.model === "string" ? respRec.model : null;
+  const usageRec = toRecord10(respRec.usage);
+  const usage = typeof usageRec.prompt_tokens === "number" && typeof usageRec.completion_tokens === "number" ? { prompt_tokens: usageRec.prompt_tokens, completion_tokens: usageRec.completion_tokens } : null;
+  return {
+    stepIndex,
+    stepId: `${sessionId}_step_${stepIndex}`,
+    toolCalls: completedToolCalls,
+    proposal_decision: "allowed",
+    commit_state: "committed",
+    commit_tier: tier,
+    max_evidence_level: "acknowledged",
+    invariantFailures: [],
+    phase: null,
+    phaseTransition: null,
+    completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    outputExtract: {},
+    finish_reason,
+    model,
+    usage
+  };
+}
+function extractResourceValue(args, path) {
+  const cleanPath = path.startsWith("$.") ? path.slice(2) : path;
+  if (cleanPath === "" || cleanPath === "$") return args;
+  const segments = cleanPath.split(".");
+  let current = args;
+  for (const seg of segments) {
+    if (current === null || current === void 0 || typeof current !== "object") return void 0;
+    current = current[seg];
+  }
+  return current;
+}
+function setAtPath(obj, path, value) {
+  const cleanPath = path.startsWith("$.") ? path.slice(2) : path;
+  if (cleanPath === "" || cleanPath === "$") return;
+  const segments = cleanPath.split(".");
+  let current = obj;
+  for (let i = 0; i < segments.length - 1; i++) {
+    if (current[segments[i]] === void 0 || current[segments[i]] === null || typeof current[segments[i]] !== "object") {
+      current[segments[i]] = {};
+    }
+    current = current[segments[i]];
+  }
+  current[segments[segments.length - 1]] = value;
+}
+function collectWithOutputPaths(toolName, contracts) {
+  const paths = /* @__PURE__ */ new Set();
+  for (const contract of contracts) {
+    if (!contract.preconditions) continue;
+    for (const p of contract.preconditions) {
+      if (p.requires_prior_tool === toolName && p.with_output) {
+        for (const assertion of p.with_output) {
+          paths.add(assertion.path);
+        }
+      }
+    }
+  }
+  return Array.from(paths);
+}
+function extractOutputFromToolResults(toolResults, state, contracts) {
+  const updates = /* @__PURE__ */ new Map();
+  for (const result of toolResults) {
+    if (result.toolName === "unknown") continue;
+    const paths = collectWithOutputPaths(result.toolName, contracts);
+    if (paths.length === 0) continue;
+    let parsed;
+    try {
+      parsed = typeof result.content === "string" ? JSON.parse(result.content) : result.content;
+    } catch {
+      continue;
+    }
+    if (parsed === null || typeof parsed !== "object") continue;
+    const extract = {};
+    for (const path of paths) {
+      const value = extractResourceValue(parsed, path);
+      if (value !== void 0) {
+        setAtPath(extract, path, value);
+      }
+    }
+    if (Object.keys(extract).length === 0) continue;
+    let matchingStep;
+    for (let i = state.steps.length - 1; i >= 0; i--) {
+      if (state.steps[i].toolCalls.some((tc) => tc.toolName === result.toolName)) {
+        matchingStep = state.steps[i];
+        break;
+      }
+    }
+    if (matchingStep) {
+      const existing = updates.get(matchingStep.stepIndex) ?? {};
+      updates.set(matchingStep.stepIndex, { ...existing, ...extract });
+    }
+  }
+  return updates;
+}
+function applyOutputExtracts(state, updates) {
+  if (updates.size === 0) return state;
+  const newSteps = state.steps.map((step) => {
+    const extract = updates.get(step.stepIndex);
+    if (!extract) return step;
+    return { ...step, outputExtract: { ...step.outputExtract, ...extract } };
+  });
+  const newCache = new Map(state.satisfiedPreconditions);
+  for (const step of newSteps) {
+    if (!updates.has(step.stepIndex)) continue;
+    for (const tc of step.toolCalls) {
+      newCache.set(tc.toolName, step.outputExtract);
+      if (tc.resourceValues) {
+        for (const [_path, value] of Object.entries(tc.resourceValues)) {
+          newCache.set(`${tc.toolName}:${JSON.stringify(value)}`, step.outputExtract);
+        }
+      }
+    }
+  }
+  const newLastStep = state.lastStep && updates.has(state.lastStep.stepIndex) ? newSteps.find((s) => s.stepIndex === state.lastStep.stepIndex) ?? state.lastStep : state.lastStep;
+  return {
+    ...state,
+    steps: newSteps,
+    satisfiedPreconditions: newCache,
+    lastStep: newLastStep
+  };
+}
+function resolveSessionLimits(contracts) {
+  for (const c of contracts) {
+    if (c.session_limits) return c.session_limits;
+  }
+  return null;
+}
+function buildStateSnapshot(state, lastNarrowing = null) {
+  const lastStep = state.lastStep ? {
+    stepIndex: state.lastStep.stepIndex,
+    stepId: state.lastStep.stepId,
+    toolCalls: state.lastStep.toolCalls.map((tc) => ({
+      toolName: tc.toolName,
+      arguments_hash: tc.arguments_hash,
+      contractFile: tc.contractFile
+    })),
+    invariantFailures: state.lastStep.invariantFailures,
+    phase: state.lastStep.phase,
+    phaseTransition: state.lastStep.phaseTransition,
+    completedAt: state.lastStep.completedAt,
+    outputExtract: {},
+    // FIX-14: Redacted per specs/replay-v2.md § getState()
+    finish_reason: state.lastStep.finish_reason,
+    model: state.lastStep.model
+  } : null;
+  return Object.freeze({
+    sessionId: state.sessionId,
+    agent: state.agent,
+    principal: null,
+    // Redacted — may contain user-scoped identities
+    startedAt: state.startedAt,
+    stateVersion: state.stateVersion,
+    controlRevision: state.controlRevision,
+    currentPhase: state.currentPhase,
+    totalStepCount: state.totalStepCount,
+    totalToolCalls: state.totalToolCalls,
+    totalCost: state.totalCost,
+    actualCost: state.actualCost,
+    toolCallCounts: Object.fromEntries(state.toolCallCounts),
+    forbiddenTools: Array.from(state.forbiddenTools),
+    satisfiedPreconditions: Object.fromEntries(
+      Array.from(state.satisfiedPreconditions.keys()).map((k) => [k, {}])
+    ),
+    // FIX-14: Values redacted (contain raw outputExtract)
+    lastStep,
+    lastNarrowing,
+    killed: state.killed,
+    totalUnguardedCalls: state.totalUnguardedCalls,
+    consecutiveBlockCount: state.consecutiveBlockCount,
+    totalBlockCount: state.totalBlockCount
+  });
+}
+var EMPTY_STATE_SNAPSHOT = Object.freeze({
+  sessionId: "",
+  agent: null,
+  principal: null,
+  startedAt: /* @__PURE__ */ new Date(0),
+  stateVersion: 0,
+  controlRevision: 0,
+  currentPhase: null,
+  totalStepCount: 0,
+  totalToolCalls: 0,
+  totalCost: 0,
+  actualCost: 0,
+  toolCallCounts: {},
+  forbiddenTools: [],
+  satisfiedPreconditions: {},
+  lastStep: null,
+  lastNarrowing: null,
+  killed: false,
+  totalUnguardedCalls: 0,
+  consecutiveBlockCount: 0,
+  totalBlockCount: 0
+});
+function createInactiveSession(client, sessionId, reason) {
+  return {
+    client,
+    flush: () => Promise.resolve({ captured: 0, sent: 0, active: false, errors: [] }),
+    restore() {
+    },
+    kill() {
+    },
+    getHealth: () => ({
+      status: "inactive",
+      authorityState: "inactive",
+      protectionLevel: "monitor",
+      durability: "inactive",
+      tier: "compat",
+      compatEnforcement: "protective",
+      cluster_detected: false,
+      bypass_detected: false,
+      totalSteps: 0,
+      totalBlocks: 0,
+      totalErrors: 0,
+      killed: false,
+      shadowEvaluations: 0
+    }),
+    getState: () => EMPTY_STATE_SNAPSHOT,
+    getLastNarrowing: () => null,
+    getLastShadowDelta: () => null,
+    narrow() {
+    },
+    widen() {
+    },
+    tools: {},
+    getWorkflowState: () => Promise.resolve(null),
+    handoff: () => Promise.resolve(null)
+  };
+}
+function createBlockingInactiveSession(client, sessionId, detail, configError) {
+  const error = configError ?? new ReplayConfigError("compilation_failed", detail);
+  const provider = detectProviderSafe(client);
+  const blockingCreate = () => {
+    throw error;
+  };
+  const wrapperClient = provider ? createWrapperClient(client, provider, blockingCreate) : client;
+  return {
+    client: wrapperClient,
+    flush: () => Promise.resolve({ captured: 0, sent: 0, active: false, errors: [] }),
+    restore() {
+    },
+    kill() {
+    },
+    getHealth: () => ({
+      status: "inactive",
+      authorityState: "inactive",
+      protectionLevel: "monitor",
+      durability: "inactive",
+      tier: "compat",
+      compatEnforcement: "protective",
+      cluster_detected: false,
+      bypass_detected: false,
+      totalSteps: 0,
+      totalBlocks: 0,
+      totalErrors: 0,
+      killed: false,
+      shadowEvaluations: 0
+    }),
+    getState: () => EMPTY_STATE_SNAPSHOT,
+    getLastNarrowing: () => null,
+    getLastShadowDelta: () => null,
+    narrow() {
+    },
+    widen() {
+    },
+    tools: {},
+    getWorkflowState: () => Promise.resolve(null),
+    handoff: () => Promise.resolve(null)
+  };
+}
+function toNarrowingSnapshot(result) {
+  if (!result || result.removed.length === 0) return null;
+  return {
+    removed: result.removed.map((r) => ({
+      tool: r.tool,
+      reason: r.reason,
+      ...r.detail != null ? { detail: r.detail } : {}
+    })),
+    removedCount: result.removed.length,
+    allowedCount: result.allowed.length
+  };
+}
+function buildNarrowingInjectionMessage(narrowResult) {
+  const lines = narrowResult.removed.map((r) => {
+    const reason = r.reason === "policy_denied" ? "restricted" : r.reason;
+    const detail = r.reason === "policy_denied" ? "" : r.detail ? `: ${r.detail}` : "";
+    return `- ${r.tool}: ${reason}${detail}`;
+  });
+  return `[System: The following tools are not available for this request:
+${lines.join("\n")}
+Please work with the available tools.]`;
+}
+function injectNarrowingSystemMessage(request, message, provider) {
+  if (provider === "openai") {
+    const messages = Array.isArray(request.messages) ? request.messages : [];
+    request.messages = [{ role: "system", content: message }, ...messages];
+  } else {
+    const existing = request.system;
+    if (typeof existing === "string") {
+      request.system = message + "\n\n" + existing;
+    } else if (Array.isArray(existing)) {
+      request.system = [{ type: "text", text: message }, ...existing];
+    } else {
+      request.system = message;
+    }
+  }
+}
+function isObserveWrapped(client) {
+  return Boolean(client[OBSERVE_WRAPPED]);
+}
+function isReplayAttached2(client) {
+  return Boolean(client[REPLAY_ATTACHED2]);
+}
+function setReplayAttached(client) {
+  try {
+    client[REPLAY_ATTACHED2] = true;
+  } catch {
+  }
+}
+function clearReplayAttached(client) {
+  try {
+    delete client[REPLAY_ATTACHED2];
+  } catch {
+  }
+}
+function detectProviderSafe(client) {
+  try {
+    return detectProvider(client);
+  } catch {
+    return null;
+  }
+}
+function resolveApiKey2(opts) {
+  if (typeof opts.apiKey === "string" && opts.apiKey.length > 0) {
+    return opts.apiKey;
+  }
+  const envKey = typeof process !== "undefined" ? process.env.REPLAYCI_API_KEY : void 0;
+  return typeof envKey === "string" && envKey.length > 0 ? envKey : void 0;
+}
+function generateSessionId2() {
+  return `rs_${import_node_crypto5.default.randomUUID().replace(/-/g, "").slice(0, 24)}`;
+}
+function stripHashPrefix(hash) {
+  return hash.startsWith("sha256:") ? hash.slice(7) : hash;
+}
+function emitDiagnostic2(diagnostics, event) {
+  try {
+    diagnostics?.(event);
+  } catch {
+  }
+}
+function toRecord10(value) {
+  return value !== null && typeof value === "object" ? value : {};
+}
+function determineProtectionLevel(mode, tools, contracts) {
+  if (mode === "shadow" || mode === "log-only") return "monitor";
+  if (!tools || Object.keys(tools).length === 0) return "protect";
+  const stateBearingTools = contracts.filter(isStateBearing);
+  if (stateBearingTools.length === 0) return "protect";
+  const wrappedTools = new Set(Object.keys(tools));
+  const allWrapped = stateBearingTools.every((c) => wrappedTools.has(c.tool));
+  return allWrapped ? "govern" : "protect";
+}
+function isStateBearing(contract) {
+  if (contract.commit_requirement != null && contract.commit_requirement !== "none") return true;
+  if (contract.transitions != null) return true;
+  if (contract.execution_constraints != null) return true;
+  if (contract.forbids_after != null && contract.forbids_after.length > 0) return true;
+  return false;
+}
+function deriveRuntimeRequest(protectionLevel, mode) {
+  if (protectionLevel === "govern") {
+    return { requestedMode: "authoritative", requestedTier: "strong" };
+  }
+  if (protectionLevel === "protect" && mode === "enforce") {
+    return { requestedMode: "advisory", requestedTier: "compat" };
+  }
+  return { requestedMode: "advisory", requestedTier: "compat" };
+}
+
+// src/memoryStore.ts
+var MemoryStore = class {
+  state = null;
+  captures = [];
+  compareAndSet(currentVersion, newState) {
+    if (this.state === null) {
+      this.state = newState;
+      return { success: true };
+    }
+    if (this.state.stateVersion !== currentVersion) {
+      return { success: false };
+    }
+    this.state = newState;
+    return { success: true };
+  }
+  load() {
+    return this.state;
+  }
+  appendCapture(capture) {
+    this.captures.push(capture);
+  }
+  /** @internal Test-only: get all captured calls. */
+  getCapturedCalls() {
+    return this.captures;
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MemoryStore,
+  ReplayConfigError,
+  ReplayContractError,
+  ReplayKillError,
+  RuntimeClient,
+  RuntimeClientError,
+  createRuntimeClient,
   observe,
   prepareContracts,
+  replay,
   validate
 });