@skill-map/cli 0.50.0 → 0.51.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 // cli/entry.ts
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="0b2c1ef1-1905-525e-aa62-42c3a9c3c6a1")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="1a42a4ca-6765-5a66-abc9-6b57464bc9c6")}catch(e){}}();
 import { existsSync as existsSync33 } from "fs";
 import { Builtins, Cli as Cli2 } from "clipanion";
 
@@ -246,7 +246,7 @@ function bucketByKind(kind, instance, bag) {
 // package.json
 var package_default = {
   name: "@skill-map/cli",
-  version: "0.50.0",
+  version: "0.51.0",
   description: "skill-map reference implementation \u2014 kernel + CLI + adapters.",
   license: "MIT",
   type: "module",
@@ -2865,11 +2865,13 @@ function isPathStyleLink(link) {
 // plugins/core/analyzers/reference-redundant/text.ts
 var REFERENCE_REDUNDANT_TEXTS = {
   /**
-   * Multi-form / multi-occurrence reference message. Lists each
-   * occurrence (trigger + line) so the operator sees the full
-   * authorial surface without having to grep the body.
+   * Multi-form / multi-occurrence reference message. Short and direct:
+   * names the duplicated target + count and lists each occurrence
+   * (trigger + line) so the operator sees the offending spots at a
+   * glance. The source node is the finding's own node, so it is not
+   * repeated here.
    */
-  message: "{{source}} references {{resolvedTarget}} via {{count}} occurrences: {{occurrences}}. Consider consolidating to a single form to reduce maintenance surface and avoid duplicate inlining at runtime.",
+  message: "Duplicate reference to {{resolvedTarget}} ({{count}} occurrences): {{occurrences}}.",
   /** Inline separator between occurrences in the message. */
   occurrenceSeparator: ", ",
   /** Per-occurrence formatting (trigger + line). */
@@ -3985,7 +3987,7 @@ var nodeSupersedeAction = {
   }
 };
 
-// core/update-check/index.ts
+// kernel/update-check/index.ts
 var SEMVER_SHAPE_RE = /^[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
 async function fetchLatestVersion(pkg, opts) {
   const controller = new AbortController();
@@ -4120,9 +4122,9 @@ function ansiFor(opts) {
 import { randomUUID } from "crypto";
 import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync5 } from "fs";
 import { homedir } from "os";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 
-// core/config/atomic-write.ts
+// kernel/util/atomic-write.ts
 import {
   closeSync,
   constants as fsConstants,
@@ -4180,17 +4182,31 @@ function writeJsonAtomic(path, content) {
 }
 
 // core/paths/db-path.ts
-import { join, resolve as resolve6 } from "path";
+import { join as join2, resolve as resolve6 } from "path";
+
+// kernel/util/skill-map-paths.ts
+import { join } from "path";
 var SKILL_MAP_DIR = ".skill-map";
+var KERNEL_SKILL_MAP_DIR = SKILL_MAP_DIR;
+var SETTINGS_FILENAME = "settings.json";
+var LOCAL_SETTINGS_FILENAME = "settings.local.json";
+function kernelSettingsPath(scopeRoot) {
+  return join(scopeRoot, KERNEL_SKILL_MAP_DIR, SETTINGS_FILENAME);
+}
+function kernelLocalSettingsPath(scopeRoot) {
+  return join(scopeRoot, KERNEL_SKILL_MAP_DIR, LOCAL_SETTINGS_FILENAME);
+}
+
+// core/paths/db-path.ts
 var DB_FILENAME = "skill-map.db";
 var JOBS_DIRNAME = "jobs";
 var PLUGINS_DIRNAME = "plugins";
-var SETTINGS_FILENAME = "settings.json";
-var LOCAL_SETTINGS_FILENAME = "settings.local.json";
+var SETTINGS_FILENAME2 = "settings.json";
+var LOCAL_SETTINGS_FILENAME2 = "settings.local.json";
 var IGNORE_FILENAME = ".skillmapignore";
 var DEFAULT_DB_REL = `${SKILL_MAP_DIR}/${DB_FILENAME}`;
 var GITIGNORE_ENTRIES = [
-  `${SKILL_MAP_DIR}/${LOCAL_SETTINGS_FILENAME}`,
+  `${SKILL_MAP_DIR}/${LOCAL_SETTINGS_FILENAME2}`,
   `${SKILL_MAP_DIR}/${DB_FILENAME}`
 ];
 function resolveDbPath(options) {
@@ -4207,23 +4223,23 @@ function defaultProjectPluginsDir(ctx) {
   return resolve6(ctx.cwd, SKILL_MAP_DIR, PLUGINS_DIRNAME);
 }
 function defaultDbPath(scopeRoot) {
-  return join(scopeRoot, SKILL_MAP_DIR, DB_FILENAME);
+  return join2(scopeRoot, SKILL_MAP_DIR, DB_FILENAME);
 }
 function defaultSettingsPath(scopeRoot) {
-  return join(scopeRoot, SKILL_MAP_DIR, SETTINGS_FILENAME);
+  return join2(scopeRoot, SKILL_MAP_DIR, SETTINGS_FILENAME2);
 }
 function defaultLocalSettingsPath(scopeRoot) {
-  return join(scopeRoot, SKILL_MAP_DIR, LOCAL_SETTINGS_FILENAME);
+  return join2(scopeRoot, SKILL_MAP_DIR, LOCAL_SETTINGS_FILENAME2);
 }
 function defaultIgnoreFilePath(scopeRoot) {
-  return join(scopeRoot, IGNORE_FILENAME);
+  return join2(scopeRoot, IGNORE_FILENAME);
 }
 
 // cli/util/user-settings-store.ts
 var FILENAME = "settings.json";
 var SCHEMA_VERSION = 1;
 function userSettingsFilePath() {
-  return join2(homedir(), SKILL_MAP_DIR, FILENAME);
+  return join3(homedir(), SKILL_MAP_DIR, FILENAME);
 }
 function defaultSettings() {
   return { schemaVersion: SCHEMA_VERSION, updateCheck: {}, telemetry: {} };
@@ -4262,7 +4278,7 @@ function backfillSubObjects(settings) {
   };
 }
 function writeUserSettings(patch) {
-  const dir = join2(homedir(), SKILL_MAP_DIR);
+  const dir = join3(homedir(), SKILL_MAP_DIR);
   const path = userSettingsFilePath();
   try {
     const current = readUserSettings();
@@ -5359,18 +5375,6 @@ var CONFIG_LOADER_TEXTS = {
   projectLocalOnlyStripped: "[config:{{layer}}] key {{key}} is project-local only; stripped from the committed project layer. Move it to .skill-map/settings.local.json (gitignored, per-checkout)."
 };
 
-// kernel/util/skill-map-paths.ts
-import { join as join3 } from "path";
-var KERNEL_SKILL_MAP_DIR = SKILL_MAP_DIR;
-var SETTINGS_FILENAME2 = "settings.json";
-var LOCAL_SETTINGS_FILENAME2 = "settings.local.json";
-function kernelSettingsPath(scopeRoot) {
-  return join3(scopeRoot, KERNEL_SKILL_MAP_DIR, SETTINGS_FILENAME2);
-}
-function kernelLocalSettingsPath(scopeRoot) {
-  return join3(scopeRoot, KERNEL_SKILL_MAP_DIR, LOCAL_SETTINGS_FILENAME2);
-}
-
 // config/defaults.json
 var defaults_default = {
   schemaVersion: 1,
@@ -5828,11 +5832,20 @@ var FilesystemSidecarStore = class {
    * files in the repo and entries are tiny).
    */
   #locks = /* @__PURE__ */ new Map();
+  /** Injected consent gate, see {@link TSidecarConsentGate}. */
+  #consentGate;
+  /**
+   * @param consentGate the write-consent gate, invoked first inside
+   *   `applyPatch`. Production wires
+   *   `core/config/sidecar-consent.ts:ensureSidecarWritesAllowed`; tests
+   *   wire the same function (to exercise the real config-backed gate)
+   *   or a stub.
+   */
+  constructor(consentGate) {
+    this.#consentGate = consentGate;
+  }
   async applyPatch(sidecarAbsPath, changes, consent) {
-    ensureSidecarWritesAllowed({
-      confirm: consent.confirm,
-      cwd: consent.cwd
-    });
+    this.#consentGate(consent);
     const prev = this.#locks.get(sidecarAbsPath) ?? Promise.resolve();
     let release;
     const settled = new Promise((res) => {
@@ -7856,7 +7869,7 @@ function rowToContribution(row) {
   };
 }
 
-// core/sqlite/schema-fingerprint.ts
+// kernel/adapters/sqlite/schema-fingerprint.ts
 import { createHash } from "crypto";
 import { existsSync as existsSync10, readFileSync as readFileSync10 } from "fs";
 import { DatabaseSync as DatabaseSync3 } from "node:sqlite";
@@ -9332,7 +9345,7 @@ var BumpCommand = class extends SmCommand {
    * the staging missed).
    */
   async #executePending(plan, cwd, ansi) {
-    const store = new FilesystemSidecarStore();
+    const store = new FilesystemSidecarStore(ensureSidecarWritesAllowed);
     const ctx = defaultRuntimeContext();
     const consent = {
       confirm: this.yes,
@@ -9478,7 +9491,7 @@ function buildBumpedOutcome(item, sidecarPath) {
   if (item.report.createdSidecar === true) outcome.createdSidecar = true;
   return outcome;
 }
-async function applyBumpWrites(item, consent, store = new FilesystemSidecarStore()) {
+async function applyBumpWrites(item, consent, store = new FilesystemSidecarStore(ensureSidecarWritesAllowed)) {
   let sidecarPath;
   try {
     for (const w of item.writes) {
@@ -11421,20 +11434,9 @@ function trimRedundantPath(message, primary) {
 import { existsSync as existsSync16 } from "fs";
 import { Command as Command4, Option as Option4 } from "clipanion";
 
-// core/config/active-provider.ts
+// kernel/scan/detect-providers.ts
 import { existsSync as existsSync15 } from "fs";
 import { join as join10 } from "path";
-function resolveActiveProvider(cwd, providers = []) {
-  const detected = detectProvidersFromFilesystem(cwd, providers);
-  const fromConfig = readConfigValue("activeProvider", { cwd });
-  if (typeof fromConfig === "string" && fromConfig.length > 0) {
-    return { resolved: fromConfig, source: "config", detected };
-  }
-  if (detected.length > 0) {
-    return { resolved: detected[0], source: "autodetect", detected };
-  }
-  return { resolved: null, source: "none", detected };
-}
 function detectProvidersFromFilesystem(cwd, providers) {
   const seen = /* @__PURE__ */ new Set();
   const out = [];
@@ -11449,6 +11451,19 @@ function detectProvidersFromFilesystem(cwd, providers) {
   return out;
 }
 
+// core/config/active-provider.ts
+function resolveActiveProvider(cwd, providers = []) {
+  const detected = detectProvidersFromFilesystem(cwd, providers);
+  const fromConfig = readConfigValue("activeProvider", { cwd });
+  if (typeof fromConfig === "string" && fromConfig.length > 0) {
+    return { resolved: fromConfig, source: "config", detected };
+  }
+  if (detected.length > 0) {
+    return { resolved: detected[0], source: "autodetect", detected };
+  }
+  return { resolved: null, source: "none", detected };
+}
+
 // cli/util/path-display.ts
 import { isAbsolute as isAbsolute4, relative as pathRelative } from "path";
 function relativeIfBelow(path, cwd) {
@@ -16980,7 +16995,7 @@ function resolveActiveProviderOption(optionValue, roots, providers) {
   for (const root of roots) {
     const absRoot = isAbsolute7(root) ? root : resolve28(root);
     if (!existsSync23(absRoot)) continue;
-    const detected = resolveActiveProvider(absRoot, providers).resolved;
+    const detected = detectProvidersFromFilesystem(absRoot, providers)[0] ?? null;
     if (detected !== null) return detected;
   }
   return null;
@@ -22270,7 +22285,7 @@ var IntentionalFailCommand = class extends SmCommand {
       throw new Error(INTENTIONAL_FAIL_TEXTS.errorMessage);
     }, 0);
     await new Promise((resolve40) => setTimeout(resolve40, 5e3));
-    return 1;
+    return ExitCode.Issues;
   }
 };
 
@@ -22339,6 +22354,25 @@ var SCAN_TEXTS = {
   persistedTo: "     {{dbPath}}\n",
   /** Body line for dry-run mode, same indent, marker tail. */
   wouldPersist: "     would persist to {{dbPath}}  (dry-run)\n",
+  /**
+   * Count-row nouns for the `{{counts}}` block in `scannedSummary`.
+   * The caller selects the singular / plural form on `count === 1`
+   * (English plural rule), so both forms live in the catalog instead of
+   * being hand-suffixed with `s` at the call site (per the i18n
+   * contract: catalog strings, no `${word}s` interpolation). `info` is
+   * uncountable in English (no `infos`), so it carries a single form;
+   * `countNoIssues` is the all-clean placeholder.
+   */
+  countNodeNounSingular: "node",
+  countNodeNounPlural: "nodes",
+  countLinkNounSingular: "link",
+  countLinkNounPlural: "links",
+  countErrorNounSingular: "error",
+  countErrorNounPlural: "errors",
+  countWarningNounSingular: "warning",
+  countWarningNounPlural: "warnings",
+  countInfoNoun: "info",
+  countNoIssues: "0 issues",
   /**
    * Cap-hit notice, printed when the walker stopped accepting nodes
    * because `--max-nodes` (or the `scan.maxNodes` setting) was reached.
@@ -23420,27 +23454,29 @@ function fillSeverityBucket(bucket, nodeIds) {
 function formatScanCounts(opts) {
   const { nodes, links, severities, ansi } = opts;
   const parts = [
-    `${nodes} ${plural(nodes, "node")}`,
-    `${links} ${plural(links, "link")}`
+    `${nodes} ${countNoun(nodes, SCAN_TEXTS.countNodeNounSingular, SCAN_TEXTS.countNodeNounPlural)}`,
+    `${links} ${countNoun(links, SCAN_TEXTS.countLinkNounSingular, SCAN_TEXTS.countLinkNounPlural)}`
   ];
   const total = severities.errors + severities.warns + severities.info;
   if (total === 0) {
-    parts.push(ansi.dim("0 issues"));
+    parts.push(ansi.dim(SCAN_TEXTS.countNoIssues));
   } else {
     if (severities.errors > 0) {
-      parts.push(ansi.red(`${severities.errors} ${plural(severities.errors, "error")}`));
+      const noun = countNoun(severities.errors, SCAN_TEXTS.countErrorNounSingular, SCAN_TEXTS.countErrorNounPlural);
+      parts.push(ansi.red(`${severities.errors} ${noun}`));
     }
     if (severities.warns > 0) {
-      parts.push(ansi.yellow(`${severities.warns} ${plural(severities.warns, "warning")}`));
+      const noun = countNoun(severities.warns, SCAN_TEXTS.countWarningNounSingular, SCAN_TEXTS.countWarningNounPlural);
+      parts.push(ansi.yellow(`${severities.warns} ${noun}`));
     }
     if (severities.info > 0) {
-      parts.push(ansi.dim(`${severities.info} info`));
+      parts.push(ansi.dim(`${severities.info} ${SCAN_TEXTS.countInfoNoun}`));
     }
   }
   return parts.join(" \xB7 ");
 }
-function plural(count, word) {
-  return count === 1 ? word : `${word}s`;
+function countNoun(count, singular, plural) {
+  return count === 1 ? singular : plural;
 }
 
 // cli/commands/scan-compare.ts
@@ -23886,11 +23922,10 @@ var SERVER_TEXTS = {
   // here (after static + SPA fallback have had their turn).
   unknownPath: "Not found: {{path}}.",
   // ---- sidecar bump route (routes/sidecar.ts) ------------------------------
-  // 409 refusal when a fresh node is bumped without `force`. The
-  // `sidecar-fresh:` prefix is load-bearing, the UI pattern-matches
-  // it (the global `app.onError` already maps HTTP 409 to the
-  // `sidecar-fresh` envelope `code`, so the prefix is for log-grep
-  // affinity with the CLI's bump verb).
+  // 409 refusal when a fresh node is bumped without `force`. Dispatch
+  // is via the typed `ConflictError` (`code: 'sidecar-fresh'`), so the
+  // `sidecar-fresh:` prefix is NOT load-bearing; it stays only for
+  // log-grep affinity with the CLI's bump verb.
   sidecarFreshRefusal: "sidecar-fresh: Node is fresh; pass force:true to bump anyway.",
   // 400 envelopes thrown by `parseBody` when the request payload is
   // malformed. Each branch has its own key so the UI / log can
@@ -23918,9 +23953,9 @@ var SERVER_TEXTS = {
   // dropped half the pipeline. Same gate the `?fresh=1` GET applies.
   scanPostRequiresFullPipeline: "POST /api/scan cannot run while the server was started with --no-built-ins or --no-plugins (would persist a partial DB).",
   // 409, another scan (watcher batch or another POST) is in flight.
-  // The `scan-busy:` prefix is load-bearing: HTTP 409 maps to
-  // `scan-busy` in `app.onError`'s `codeForStatus`, but the prefix
-  // keeps log-grep affinity with the CLI's `sm scan` verb.
+  // Dispatch is via the typed `ConflictError` (`code: 'scan-busy'`), so
+  // the `scan-busy:` prefix is NOT load-bearing; it stays only for
+  // log-grep affinity with the CLI's `sm scan` verb.
   scanPostBusy: "scan-busy: Another scan is already in flight; retry once it finishes.",
   // 500, DB missing on a write path. Read paths degrade to empty
   // shapes; mutations cannot persist without a DB so they fail fast.
@@ -24533,6 +24568,7 @@ function registerHealthRoute(app, deps) {
 var DEFAULT_LIMIT = 100;
 var MAX_LIMIT = 1e3;
 var BFF_MAX_BULK_CONTRIBUTIONS = 200;
+var MAX_WS_CLIENTS = 64;
 
 // server/routes/issues.ts
 function registerIssuesRoute(app, deps) {
@@ -24765,7 +24801,7 @@ function registerNodesRoutes(app, deps) {
     const tags = result?.tags ?? [];
     if (!bundle) {
       throw new HTTPException7(404, {
-        message: tx(SERVER_TEXTS.nodeNotFound, { path: nodePath })
+        message: tx(SERVER_TEXTS.nodeNotFound, { path: sanitizeForTerminal(nodePath) })
       });
     }
     const decoratedNode = { ...bundle.node, isFavorite, contributions, tags };
@@ -26055,7 +26091,7 @@ async function runPersistedScan(c, deps) {
     });
   } catch (err) {
     if (err instanceof ScanBusyError) {
-      throw new HTTPException14(409, { message: SERVER_TEXTS.scanPostBusy });
+      throw new ConflictError({ code: "scan-busy", message: SERVER_TEXTS.scanPostBusy });
     }
     throw err;
   }
@@ -26248,7 +26284,7 @@ function registerSidecarRoutes(app, deps) {
     }
     const result = invokeBump2(node, absPath, body);
     if (result.report.ok === false && result.report.reason === "fresh") {
-      throw new HTTPException15(409, { message: SERVER_TEXTS.sidecarFreshRefusal });
+      throw new ConflictError({ code: "sidecar-fresh", message: SERVER_TEXTS.sidecarFreshRefusal });
     }
     if (result.report.ok === true && result.report.noop === true) {
       const envelope2 = {
@@ -26263,7 +26299,7 @@ function registerSidecarRoutes(app, deps) {
       };
       return c.json(envelope2);
     }
-    const store = new FilesystemSidecarStore();
+    const store = new FilesystemSidecarStore(ensureSidecarWritesAllowed);
     try {
       for (const w of result.writes ?? []) {
         if (w.kind === "sidecar") {
@@ -26531,6 +26567,14 @@ var LoopbackGateError = class extends HTTPException16 {
     this.code = init.code;
   }
 };
+var ConflictError = class extends HTTPException16 {
+  code;
+  constructor(init) {
+    super(409, { message: init.message });
+    this.name = "ConflictError";
+    this.code = init.code;
+  }
+};
 function createApp(deps) {
   const app = new Hono();
   const configService = new ConfigService({
@@ -26607,16 +26651,12 @@ function createApp(deps) {
   });
   return app;
 }
-function codeForStatus(status, message) {
+function codeForStatus(status) {
   if (status === 404) return "not-found";
   if (status === 400) return "bad-query";
   if (status === 403) return "locked";
   if (status === 412) return "confirm-required";
   if (status === 413) return "payload-too-large";
-  if (status === 409) {
-    if (message.startsWith("scan-busy:")) return "scan-busy";
-    return "sidecar-fresh";
-  }
   return "internal";
 }
 function formatError2(err, c) {
@@ -26653,12 +26693,23 @@ function formatError2(err, c) {
     };
     return c.json(envelope, 403);
   }
+  if (err instanceof ConflictError) {
+    const envelope = {
+      ok: false,
+      error: {
+        code: err.code,
+        message: err.message,
+        details: null
+      }
+    };
+    return c.json(envelope, 409);
+  }
   if (err instanceof HTTPException16) {
     const status = err.status;
     const envelope = {
       ok: false,
       error: {
-        code: codeForStatus(status, err.message),
+        code: codeForStatus(status),
         message: err.message,
         details: null
       }
@@ -26709,6 +26760,7 @@ function formatInternalErrorFallThrough(err, c) {
 var MAX_BUFFERED_BYTES = 4 * 1024 * 1024;
 var CLOSE_CODE_GOING_AWAY = 1001;
 var CLOSE_CODE_MESSAGE_TOO_BIG = 1009;
+var CLOSE_CODE_TRY_AGAIN_LATER = 1013;
 var READY_STATE_OPEN = 1;
 var WsBroadcaster = class {
   #clients = /* @__PURE__ */ new Set();
@@ -26731,6 +26783,13 @@ var WsBroadcaster = class {
       }
       return;
     }
+    if (this.#clients.size >= MAX_WS_CLIENTS) {
+      try {
+        ws.close(CLOSE_CODE_TRY_AGAIN_LATER, "too many connections");
+      } catch {
+      }
+      return;
+    }
     this.#clients.add(ws);
   }
   /**
@@ -26977,14 +27036,19 @@ function validatePort(port) {
   return null;
 }
 function validateHost(host, devCors) {
-  if (devCors && !isLoopbackHost(host)) {
+  if (isLoopbackHost(host)) return null;
+  if (devCors) {
     return {
       code: "host-dev-cors-rejected",
       message: `--dev-cors requires a loopback --host (got ${host})`,
       value: host
     };
   }
-  return null;
+  return {
+    code: "host-not-loopback",
+    message: `--host must be a loopback address; multi-host serve is not supported pre-1.0 (got ${host})`,
+    value: host
+  };
 }
 function validateWatcher(noWatcher, noBuiltIns, _noPlugins) {
   if (noWatcher) return null;
@@ -27272,6 +27336,14 @@ var SERVE_TEXTS = {
    */
   hostDevCorsRejected: "{{glyph}}  sm serve: --dev-cors requires a loopback --host (got {{host}}).\n   {{hint}}\n",
   hostDevCorsRejectedHint: "Use --host 127.0.0.1 (or ::1) when --dev-cors is set. Multi-host serve reopens after v0.6.0 (Decision #119).",
+  /**
+   * §3.1b error block when `--host` is any non-loopback address (without
+   * `--dev-cors`). The BFF is loopback-only and unauthenticated pre-1.0
+   * (Decision #119), so binding off-loopback is refused outright rather
+   * than relying on the DNS-rebinding gate as the sole control.
+   */
+  hostNotLoopback: "{{glyph}}  sm serve: --host must be a loopback address (got {{host}}).\n   {{hint}}\n",
+  hostNotLoopbackHint: "Use --host 127.0.0.1 (or ::1). The server has no auth and is loopback-only; multi-host serve reopens after v0.6.0 (Decision #119).",
   /**
    * §3.1b error block when `--port` falls outside the [0, 65535] range.
    * Hint names the accepted range so the operator can re-run.
@@ -27820,6 +27892,12 @@ function formatValidationError(err, ansi) {
         host: sanitizeForTerminal(err.value),
         hint: ansi.dim(SERVE_TEXTS.hostDevCorsRejectedHint)
       });
+    case "host-not-loopback":
+      return tx(SERVE_TEXTS.hostNotLoopback, {
+        glyph: errGlyph,
+        host: sanitizeForTerminal(err.value),
+        hint: ansi.dim(SERVE_TEXTS.hostNotLoopbackHint)
+      });
     case "port-out-of-range":
       return tx(SERVE_TEXTS.portOutOfRange, {
         glyph: errGlyph,
@@ -28412,7 +28490,7 @@ var SidecarRefreshCommand = class extends SmCommand {
       );
       return ExitCode.Ok;
     }
-    const store = new FilesystemSidecarStore();
+    const store = new FilesystemSidecarStore(ensureSidecarWritesAllowed);
     try {
       await store.applyPatch(
         sidecarAbsPath,
@@ -28699,7 +28777,7 @@ var SidecarAnnotateCommand = class extends SmCommand {
         return ExitCode.Error;
       }
     }
-    const store = new FilesystemSidecarStore();
+    const store = new FilesystemSidecarStore(ensureSidecarWritesAllowed);
     try {
       await store.applyPatch(
         sidecarAbsPath,
@@ -29488,4 +29566,4 @@ function resolveBareDefault() {
   process.exit(ExitCode.Error);
 }
 //# sourceMappingURL=cli.js.map
-//# debugId=0b2c1ef1-1905-525e-aa62-42c3a9c3c6a1
+//# debugId=1a42a4ca-6765-5a66-abc9-6b57464bc9c6

package/dist/conformance/index.js

@@ -1,10 +1,10 @@
 // conformance/index.ts
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="e3097683-993f-599d-92ef-d1e724637586")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="cc85d6cc-8968-5fbd-b7b7-eab3d298263d")}catch(e){}}();
 import { spawnSync } from "child_process";
 import { cpSync, existsSync, mkdtempSync, readdirSync, readFileSync, rmSync, statSync } from "fs";
 import { tmpdir } from "os";
-import { isAbsolute, join as join3, relative, resolve as resolve2 } from "path";
+import { isAbsolute, join as join2, relative, resolve } from "path";
 
 // kernel/util/format-error.ts
 function formatErrorMessage(err) {
@@ -12,20 +12,8 @@ function formatErrorMessage(err) {
 }
 
 // kernel/util/skill-map-paths.ts
-import { join as join2 } from "path";
-
-// core/paths/db-path.ts
-import { join, resolve } from "path";
+import { join } from "path";
 var SKILL_MAP_DIR = ".skill-map";
-var DB_FILENAME = "skill-map.db";
-var LOCAL_SETTINGS_FILENAME = "settings.local.json";
-var DEFAULT_DB_REL = `${SKILL_MAP_DIR}/${DB_FILENAME}`;
-var GITIGNORE_ENTRIES = [
-  `${SKILL_MAP_DIR}/${LOCAL_SETTINGS_FILENAME}`,
-  `${SKILL_MAP_DIR}/${DB_FILENAME}`
-];
-
-// kernel/util/skill-map-paths.ts
 var KERNEL_SKILL_MAP_DIR = SKILL_MAP_DIR;
 
 // kernel/util/tx.ts
@@ -127,9 +115,9 @@ function pickSafeEnv(source) {
 function runConformanceCase(options) {
   const raw = readFileSync(options.casePath, "utf8");
   const c = JSON.parse(raw);
-  const fixturesRoot = options.fixturesRoot ?? join3(options.specRoot, "conformance", "fixtures");
+  const fixturesRoot = options.fixturesRoot ?? join2(options.specRoot, "conformance", "fixtures");
   const safeId = c.id.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 32);
-  const scope = mkdtempSync(join3(tmpdir(), `sm-conformance-${safeId}-`));
+  const scope = mkdtempSync(join2(tmpdir(), `sm-conformance-${safeId}-`));
   const setupEnv = disableEnv(c.setup);
   try {
     const priorFailure = runPriorScansSetup(c, options, scope, fixturesRoot, setupEnv);
@@ -201,9 +189,9 @@ function replaceFixture(scope, fixturesRoot, fixture) {
   assertContained(fixturesRoot, fixture, "fixture");
   for (const entry of readdirSync(scope)) {
     if (entry === KERNEL_SKILL_MAP_DIR) continue;
-    rmSync(join3(scope, entry), { recursive: true, force: true });
+    rmSync(join2(scope, entry), { recursive: true, force: true });
   }
-  const src = join3(fixturesRoot, fixture);
+  const src = join2(fixturesRoot, fixture);
   cpSync(src, scope, { recursive: true });
 }
 function assertContained(root, rel, label) {
@@ -212,7 +200,7 @@ function assertContained(root, rel, label) {
       tx(CONFORMANCE_RUNNER_TEXTS.pathMustBeRelative, { label, path: rel, anchor: root })
     );
   }
-  const abs = resolve2(root, rel);
+  const abs = resolve(root, rel);
   const r = relative(root, abs);
   if (r.startsWith("..") || isAbsolute(r)) {
     throw new Error(
@@ -239,7 +227,7 @@ function evaluateAssertion(a, ctx) {
       } catch (err) {
         return { ok: false, type: a.type, reason: formatErrorMessage(err) };
       }
-      const abs = resolve2(ctx.scope, a.path);
+      const abs = resolve(ctx.scope, a.path);
       return existsSync(abs) ? { ok: true, type: a.type } : {
         ok: false,
         type: a.type,
@@ -253,8 +241,8 @@ function evaluateAssertion(a, ctx) {
       } catch (err) {
         return { ok: false, type: a.type, reason: formatErrorMessage(err) };
       }
-      const fixturePath = join3(ctx.fixturesRoot, a.fixture);
-      const targetPath = resolve2(ctx.scope, a.path);
+      const fixturePath = join2(ctx.fixturesRoot, a.fixture);
+      const targetPath = resolve(ctx.scope, a.path);
       if (!existsSync(targetPath)) {
         return {
           ok: false,
@@ -415,7 +403,7 @@ function deepEqual(a, b) {
   return false;
 }
 function assertSpecRoot(specRoot) {
-  const indexPath = join3(specRoot, "index.json");
+  const indexPath = join2(specRoot, "index.json");
   if (!existsSync(indexPath) || !statSync(indexPath).isFile()) {
     throw new Error(tx(CONFORMANCE_RUNNER_TEXTS.specRootMissingIndex, { specRoot }));
   }
@@ -425,4 +413,4 @@ export {
   runConformanceCase
 };
 //# sourceMappingURL=index.js.map
-//# debugId=e3097683-993f-599d-92ef-d1e724637586
+//# debugId=cc85d6cc-8968-5fbd-b7b7-eab3d298263d