@skill-map/cli 0.58.0 → 0.60.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 // cli/entry.ts
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="7e4fdbab-f037-5030-b67a-732bb7ee46fd")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="7e14428f-63d1-5e95-8756-98cea6d3c76e")}catch(e){}}();
 import { existsSync as existsSync33 } from "fs";
 import { Builtins, Cli as Cli2 } from "clipanion";
 
@@ -250,7 +250,7 @@ function bucketByKind(kind, instance, bag) {
 // package.json
 var package_default = {
   name: "@skill-map/cli",
-  version: "0.58.0",
+  version: "0.60.0",
   description: "skill-map reference implementation \u2014 kernel + CLI + adapters.",
   license: "MIT",
   type: "module",
@@ -1812,10 +1812,6 @@ var annotationFieldUnknownAnalyzer = {
     const rootKeys = indexRootContributions(contributions);
     const knownPluginIds = collectPluginIds(contributions);
     const issues = [];
-    const perNode = /* @__PURE__ */ new Map();
-    const bump2 = (nodePath) => {
-      perNode.set(nodePath, (perNode.get(nodePath) ?? 0) + 1);
-    };
     for (const node of ctx.nodes) {
       const root = sidecarRoots.get(node.path);
       if (!root) continue;
@@ -1833,7 +1829,6 @@ var annotationFieldUnknownAnalyzer = {
               }),
               data: { surface: "annotations", key }
             });
-            bump2(node.path);
           }
         }
       }
@@ -1862,7 +1857,6 @@ var annotationFieldUnknownAnalyzer = {
               }),
               data: { surface: "plugin-namespace", pluginId: key, key: contribKey }
             });
-            bump2(node.path);
           }
           continue;
         }
@@ -1876,10 +1870,8 @@ var annotationFieldUnknownAnalyzer = {
           }),
           data: { surface: "root", key }
         });
-        bump2(node.path);
       }
     }
-    void perNode;
     return issues;
   }
 };
@@ -2015,6 +2007,10 @@ var annotationStaleAnalyzer = {
   pluginId: CORE_PLUGIN_ID,
   kind: "analyzer",
   description: "Marks sidecars (`.sm`) that are out of date with their `.md`.",
+  // Ships experimental (disabled by default, Decision #128), gated as a
+  // unit with the `core/node-bump` action that resolves the drift it
+  // reports.
+  stability: "experimental",
   mode: "deterministic",
   // The natural fix is to bump the node: refreshes the sidecar hashes,
   // increments `annotations.version`, and stamps the audit block. The
@@ -2661,14 +2657,14 @@ var experimental = {
   slot: "card.footer.right",
   icon: "fa-solid fa-flask",
   label: "experimental",
-  emitWhenEmpty: false,
+  emitWhenEmpty: true,
   priority: 10
 };
 var deprecated = {
   slot: "card.footer.right",
   icon: "pi-ban",
   label: "deprecated",
-  emitWhenEmpty: false,
+  emitWhenEmpty: true,
   priority: 10
 };
 var nodeStabilityAnalyzer = {
@@ -3663,7 +3659,16 @@ var nodeBumpAction = {
   pluginId: CORE_PLUGIN_ID,
   kind: "action",
   description: "Marks a node as updated: bumps `annotations.version`, refreshes sidecar hashes, and records the timestamp.",
+  // Ships experimental (disabled by default, Decision #128), gated as a
+  // unit with the companion `core/annotation-stale` analyzer: a disabled
+  // action projects no Bump button, so the button never appears without
+  // the drift analyzer that motivates it.
+  stability: "experimental",
   mode: "deterministic",
+  // Declares the sidecar-write capability: `invoke()` returns a
+  // `{ kind: 'sidecar' }` write, so consumers (the `allowSidecarWriters`
+  // policy) can gate this action without invoking it.
+  writes: ["sidecar"],
   ui: { bumpButton },
   project(ctx) {
     for (const node of ctx.nodes) {
@@ -3764,6 +3769,10 @@ var nodeSetStabilityAction = {
   kind: "action",
   description: "Sets the lifecycle stage of the current node (writes `stability` to the sidecar).",
   mode: "deterministic",
+  // Declares the sidecar-write capability: `invoke()` returns a
+  // `{ kind: 'sidecar' }` write, so the `allowSidecarWriters` policy can
+  // gate this action without invoking it.
+  writes: ["sidecar"],
   ui: { setStabilityButton },
   project(ctx) {
     for (const node of ctx.nodes) {
@@ -3826,33 +3835,18 @@ function invokeSetStability(input, ctx) {
   return { report, writes: [write] };
 }
 
-// plugins/core/actions/node-set-tags/text.ts
-var TAGS_TEXTS = {
-  /** Label of the inspector action button that edits the node's tags. */
-  editLabel: "Edit tags",
-  /** Prompt label for the string-list tags input. */
-  promptLabel: "Tags"
-};
-
 // plugins/core/actions/node-set-tags/index.ts
 var ID27 = "node-set-tags";
-var setTagsButton = {
-  slot: "inspector.action.button",
-  priority: 15
-};
 var nodeSetTagsAction = {
   id: ID27,
   pluginId: CORE_PLUGIN_ID,
   kind: "action",
   description: "Sets the taxonomy tags of the current node (writes `tags` to the sidecar; whole-array replace).",
   mode: "deterministic",
-  ui: { setTagsButton },
-  project(ctx) {
-    for (const node of ctx.nodes) {
-      if (node.virtual === true) continue;
-      emitSetTagsButton(ctx, node);
-    }
-  },
+  // Declares the sidecar-write capability: `invoke()` returns a
+  // `{ kind: 'sidecar' }` write, so the `allowSidecarWriters` policy can
+  // gate this action without invoking it.
+  writes: ["sidecar"],
   // The runtime contract uses generic <TInput, TReport>; this narrows
   // both. The cast is the standard pattern for built-ins that want
   // typed local I/O while staying compatible with the open generic.
@@ -3861,29 +3855,21 @@ var nodeSetTagsAction = {
     return invokeSetTags(input, ctx);
   }
 };
-function emitSetTagsButton(ctx, node) {
-  ctx.emitContribution(node.path, setTagsButton, {
-    actionId: "core/node-set-tags",
-    label: TAGS_TEXTS.editLabel,
-    icon: "pi-tags",
-    enabled: true,
-    prompt: {
-      inputType: "string-list",
-      paramKey: "tags",
-      label: TAGS_TEXTS.promptLabel,
-      defaultValue: currentTags(node)
-    }
-  });
-}
-function currentTags(node) {
-  const ann = node.sidecar?.annotations;
-  if (!ann || typeof ann !== "object" || Array.isArray(ann)) return [];
-  const value = ann["tags"];
-  if (!Array.isArray(value)) return [];
-  return value.filter((t) => typeof t === "string");
+function sanitizeTags(raw) {
+  if (!Array.isArray(raw)) return [];
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const entry of raw) {
+    if (typeof entry !== "string") continue;
+    const tag = entry.trim();
+    if (tag.length === 0 || seen.has(tag)) continue;
+    seen.add(tag);
+    out.push(tag);
+  }
+  return out;
 }
 function invokeSetTags(input, ctx) {
-  const tags = Array.isArray(input.tags) ? input.tags : [];
+  const tags = sanitizeTags(input.tags);
   const timestamp = ctx.now().toISOString();
   const write = {
     kind: "sidecar",
@@ -5306,6 +5292,7 @@ var CONFIG_LOADER_TEXTS = {
 var defaults_default = {
   schemaVersion: 1,
   allowEditSmFiles: false,
+  allowSidecarWriters: true,
   tokenizer: "cl100k_base",
   roots: [],
   ignore: [],
@@ -5728,7 +5715,27 @@ var EConsentRequiredError = class extends Error {
     this.hintTarget = init.hintTarget;
   }
 };
+var ESidecarWritersForbiddenError = class extends Error {
+  key;
+  constructor(init) {
+    super(
+      `Sidecar-writing extensions are disabled in this project ('${init.key}' is false in .skill-map/settings.json). This is a team-level project policy and cannot be overridden.`
+    );
+    this.name = "ESidecarWritersForbiddenError";
+    this.key = init.key;
+  }
+};
+function assertSidecarWritersAllowed(cwd) {
+  const allowed = readConfigValue("allowSidecarWriters", {
+    cwd,
+    default: true
+  });
+  if (allowed === false) {
+    throw new ESidecarWritersForbiddenError({ key: "allowSidecarWriters" });
+  }
+}
 function ensureSidecarWritesAllowed(opts) {
+  assertSidecarWritersAllowed(opts.cwd);
   const allowed = readConfigValue("allowEditSmFiles", {
     cwd: opts.cwd,
     default: false
@@ -8635,13 +8642,18 @@ function applyIssueFilters(query, filter) {
     const tokens = filter.analyzerIds;
     q = q.where(
       ({ eb, or }) => or(
-        tokens.flatMap((token) => [
-          eb("analyzerId", "=", token),
-          // `'%/' || ?` keeps the LIKE pattern's `%` literal in the
-          // template and binds `token` separately, no interpolation of
-          // user input into the SQL string.
-          eb("analyzerId", "like", `%/${token}`)
-        ])
+        tokens.flatMap((token) => {
+          const conds = [
+            eb("analyzerId", "=", token),
+            // `'%/' || ?` keeps the LIKE pattern's `%` literal in the
+            // template and binds `token` separately, no interpolation of
+            // user input into the SQL string.
+            eb("analyzerId", "like", `%/${token}`)
+          ];
+          const slash = token.indexOf("/");
+          if (slash >= 0) conds.push(eb("analyzerId", "=", token.slice(slash + 1)));
+          return conds;
+        })
       )
     );
   }
@@ -9119,6 +9131,8 @@ var BumpCommand = class extends SmCommand {
     const flagError = this.#validateFlagCombo(ansi);
     if (flagError !== null) return flagError;
     const ctx = defaultRuntimeContext();
+    const policyError = this.#assertWritersAllowed(ansi, ctx.cwd);
+    if (policyError !== null) return policyError;
     const dbPath = resolveDbPath({ db: this.db, ...ctx });
     const persisted = await tryWithSqlite(
       { databasePath: dbPath, autoBackup: false },
@@ -9139,6 +9153,22 @@ var BumpCommand = class extends SmCommand {
       () => this.pending ? this.#runPending(persisted.nodes, ctx.cwd, ansi) : this.#runSingle(persisted.nodes, ctx.cwd, ansi)
     );
   }
+  /**
+   * Fail-fast guard for the `allowSidecarWriters: false` project policy.
+   * Returns `ExitCode.Error` (after printing the policy message) when
+   * sidecar writers are forbidden, or `null` when writes may proceed.
+   * Re-throws any non-policy error so unexpected failures still surface.
+   */
+  #assertWritersAllowed(ansi, cwd) {
+    try {
+      assertSidecarWritersAllowed(cwd);
+      return null;
+    } catch (err) {
+      if (!(err instanceof ESidecarWritersForbiddenError)) throw err;
+      this.printer.error(`${ansi.red("\u2715")} ${err.message}`);
+      return ExitCode.Error;
+    }
+  }
   /**
    * Three argument-validation guards, hoisted out of `run()` so the
    * lint complexity cap on `run()` is satisfied without an
@@ -9546,11 +9576,12 @@ import { Command as Command3, Option as Option3 } from "clipanion";
 function matchesAnalyzerFilter(analyzerId, filter) {
   if (filter.length === 0) return true;
   if (filter.includes(analyzerId)) return true;
-  const slashIdx = analyzerId.indexOf("/");
-  if (slashIdx >= 0) {
-    const short = analyzerId.slice(slashIdx + 1);
-    if (filter.includes(short)) return true;
+  for (const entry of filter) {
+    const slashIdx = entry.indexOf("/");
+    if (slashIdx >= 0 && entry.slice(slashIdx + 1) === analyzerId) return true;
   }
+  const argSlashIdx = analyzerId.indexOf("/");
+  if (argSlashIdx >= 0 && filter.includes(analyzerId.slice(argSlashIdx + 1))) return true;
   return false;
 }
 
@@ -11125,6 +11156,7 @@ function filterBuiltInManifests(manifests, resolveEnabled) {
 function composeScanExtensions(opts) {
   const resolveEnabled = opts.resolveEnabled ?? opts.pluginRuntime.resolveEnabled;
   const resolveSettings = opts.resolveSettings;
+  const forbidSidecarWriters = opts.forbidSidecarWriters === true;
   const providers = [];
   const extractors = [];
   const analyzers = [];
@@ -11134,7 +11166,8 @@ function composeScanExtensions(opts) {
     accumulateBuiltInScanExtensions(
       { providers, extractors, analyzers, hooks, actions },
       resolveEnabled,
-      resolveSettings
+      resolveSettings,
+      forbidSidecarWriters
     );
   }
   for (const ext of opts.pluginRuntime.extensions.providers) {
@@ -11150,7 +11183,9 @@ function composeScanExtensions(opts) {
     if (isPluginExtensionEnabled(ext, resolveEnabled)) hooks.push(withResolvedSettings(ext, resolveSettings));
   }
   for (const ext of opts.pluginRuntime.extensions.actions) {
-    if (isPluginExtensionEnabled(ext, resolveEnabled)) actions.push(ext);
+    if (!isPluginExtensionEnabled(ext, resolveEnabled)) continue;
+    if (forbidSidecarWriters && isSidecarWriterAction(ext)) continue;
+    actions.push(ext);
   }
   const finalProviders = opts.killSwitches?.providers === true ? [] : providers;
   const finalExtractors = opts.killSwitches?.extractors === true ? [] : extractors;
@@ -11170,7 +11205,10 @@ function withResolvedSettings(ext, resolveSettings) {
   if (!resolveSettings) return ext;
   return { ...ext, resolvedSettings: resolveSettings(ext) };
 }
-function accumulateBuiltInScanExtensions(buckets, resolveEnabled, resolveSettings) {
+function isSidecarWriterAction(ext) {
+  return ext.writes?.includes("sidecar") === true;
+}
+function accumulateBuiltInScanExtensions(buckets, resolveEnabled, resolveSettings, forbidSidecarWriters = false) {
   for (const plugin of builtInPlugins) {
     for (const ext of plugin.extensions) {
       if (!isBuiltInExtensionEnabled(plugin, ext, resolveEnabled)) continue;
@@ -11188,6 +11226,7 @@ function accumulateBuiltInScanExtensions(buckets, resolveEnabled, resolveSetting
           buckets.hooks.push(withResolvedSettings(ext, resolveSettings));
           break;
         case "action":
+          if (forbidSidecarWriters && isSidecarWriterAction(ext)) break;
           buckets.actions.push(ext);
           break;
         case "formatter":
@@ -18430,7 +18469,8 @@ function registerExtensions(kernel, pluginRuntime, opts, cfg) {
   const composeOpts = {
     noBuiltIns: opts.noBuiltIns,
     pluginRuntime,
-    resolveSettings: buildSettingsResolver(cfg)
+    resolveSettings: buildSettingsResolver(cfg),
+    forbidSidecarWriters: cfg.allowSidecarWriters === false
   };
   if (opts.killSwitches) composeOpts.killSwitches = opts.killSwitches;
   if (opts.resolveEnabledOverride) composeOpts.resolveEnabled = opts.resolveEnabledOverride;
@@ -23643,7 +23683,8 @@ function createWatcherRuntime(opts) {
         noBuiltIns: opts.noBuiltIns,
         pluginRuntime,
         resolveEnabled: resolveEnabledOverride,
-        resolveSettings: buildSettingsResolver(cfg)
+        resolveSettings: buildSettingsResolver(cfg),
+        forbidSidecarWriters: cfg.allowSidecarWriters === false
       };
       if (opts.killSwitches) composeOpts.killSwitches = opts.killSwitches;
       const composed = composeScanExtensions(composeOpts);
@@ -24653,6 +24694,7 @@ var ScanCompareCommand = class extends SmCommand {
       noBuiltIns: false,
       pluginRuntime,
       resolveSettings: buildSettingsResolver(cfg),
+      forbidSidecarWriters: cfg.allowSidecarWriters === false,
       killSwitches: readConformanceKillSwitches()
     });
     let current;
@@ -25119,8 +25161,13 @@ var SERVER_TEXTS = {
   // silently widen the scan surface.
   projectPrefsBodyNotJson: "Request body must be valid JSON.",
   projectPrefsBodyNotObject: "Request body must be a JSON object.",
-  projectPrefsBodyEmpty: "Request body must contain a `scan` block with `referencePaths`.",
+  projectPrefsBodyEmpty: "Request body must contain `allowSidecarWriters` and/or a `scan` block with `referencePaths`.",
   projectPrefsConfirmNotBoolean: "`confirm` must be a boolean.",
+  projectPrefsSidecarWritersNotBoolean: "`allowSidecarWriters` must be a boolean.",
+  // Server-stderr advisory after `PATCH /api/project-preferences`
+  // toggles the committed sidecar-writer policy. Lets the operator see
+  // the team-shared change land without opening settings.json.
+  projectPrefsSidecarWritersSet: "project-prefs: allowSidecarWriters = {{value}}",
   projectPrefsScanNotObject: '`scan` must be an object (e.g. `{"scan": {"referencePaths": ["~/Documents"]}}`).',
   projectPrefsListNotArray: "`{{key}}` must be an array of strings.",
   projectPrefsListEntryNotString: "`{{key}}` entries must be strings.",
@@ -26950,6 +26997,10 @@ function registerProjectPreferencesRoute(app, deps) {
 function buildEnvelope3(deps) {
   const cwd = deps.runtimeContext.cwd;
   return {
+    allowSidecarWriters: readConfigValue("allowSidecarWriters", {
+      cwd,
+      default: true
+    }) ?? true,
     scan: {
       referencePaths: readConfigValue("scan.referencePaths", {
         cwd,
@@ -26959,9 +27010,15 @@ function buildEnvelope3(deps) {
   };
 }
 async function applyPatch3(deps, body) {
-  const writes = collectWrites(body);
-  if (writes.length === 0) return;
   const cwd = deps.runtimeContext.cwd;
+  const policyChanged = typeof body.allowSidecarWriters === "boolean" && writeSidecarWritersPolicy(body.allowSidecarWriters, cwd);
+  const scan = applyScanWrites(body, cwd);
+  if (policyChanged || scan.mutated) await maybeRestartWatcher2(deps);
+  if (policyChanged || scan.attempted) deps.configService.reload();
+}
+function applyScanWrites(body, cwd) {
+  const writes = collectWrites(body);
+  if (writes.length === 0) return { attempted: false, mutated: false };
   const missingPaths = collectMissingPaths(writes, cwd);
   if (missingPaths.length > 0) {
     throw new HTTPException12(400, {
@@ -26979,12 +27036,29 @@ async function applyPatch3(deps, body) {
       })
     });
   }
-  let scanSurfaceMutated = false;
+  let mutated = false;
   for (const w of writes) {
-    if (runWrite(w, cwd)) scanSurfaceMutated = true;
+    if (runWrite(w, cwd)) mutated = true;
+  }
+  return { attempted: true, mutated };
+}
+function writeSidecarWritersPolicy(value, cwd) {
+  const before = readConfigValue("allowSidecarWriters", { cwd, default: true }) ?? true;
+  if (before === value) return false;
+  try {
+    writeConfigValue("allowSidecarWriters", value, { target: "project", cwd });
+  } catch (err) {
+    throw new HTTPException12(400, {
+      message: tx(SERVER_TEXTS.projectPrefsPersistFailed, {
+        key: "allowSidecarWriters",
+        message: formatErrorMessage(err)
+      })
+    });
   }
-  if (scanSurfaceMutated) await maybeRestartWatcher2(deps);
-  deps.configService.reload();
+  log.warn(
+    tx(SERVER_TEXTS.projectPrefsSidecarWritersSet, { value: String(value) })
+  );
+  return true;
 }
 function collectWrites(body) {
   if (!body.scan) return [];
@@ -27092,9 +27166,10 @@ function isExistingDirectory(entry, cwd) {
 var PATCH_BODY_SCHEMA3 = {
   type: "object",
   additionalProperties: false,
-  required: ["scan"],
+  anyOf: [{ required: ["allowSidecarWriters"] }, { required: ["scan"] }],
   properties: {
     confirm: { type: "boolean" },
+    allowSidecarWriters: { type: "boolean" },
     scan: {
       type: "object",
       additionalProperties: false,
@@ -27113,10 +27188,11 @@ var parsePatchBody4 = makeBodyValidator(PATCH_BODY_SCHEMA3, {
   notObject: SERVER_TEXTS.projectPrefsBodyNotObject,
   invalid: SERVER_TEXTS.projectPrefsBodyEmpty,
   mapping: {
-    "/scan:required": SERVER_TEXTS.projectPrefsBodyEmpty,
+    ":anyOf": SERVER_TEXTS.projectPrefsBodyEmpty,
     "/scan:minProperties": SERVER_TEXTS.projectPrefsBodyEmpty,
     "/scan:type:object": SERVER_TEXTS.projectPrefsScanNotObject,
     "/confirm:type:boolean": SERVER_TEXTS.projectPrefsConfirmNotBoolean,
+    "/allowSidecarWriters:type:boolean": SERVER_TEXTS.projectPrefsSidecarWritersNotBoolean,
     "/scan/referencePaths:type:array": tx(SERVER_TEXTS.projectPrefsListNotArray, { key: "scan.referencePaths" }),
     "/scan/referencePaths/*:type:string": tx(SERVER_TEXTS.projectPrefsListEntryNotString, { key: "scan.referencePaths" }),
     "/scan/referencePaths/*:pattern": SERVER_TEXTS.projectPrefsEntryHasComma
@@ -27348,6 +27424,7 @@ async function materializeWrites(writes, body, cwd) {
     }
   } catch (err) {
     if (err instanceof EConsentRequiredError) throw err;
+    if (err instanceof ESidecarWritersForbiddenError) throw err;
     throw new HTTPException15(500, { message: formatErrorMessage(err) });
   }
 }
@@ -28092,18 +28169,26 @@ function formatError2(err, c) {
     };
     return c.json(envelope, 400);
   }
+  const sidecar = formatSidecarConsentError(err, c);
+  if (sidecar) return sidecar;
+  return formatInternalErrorFallThrough(err, c);
+}
+function formatSidecarConsentError(err, c) {
   if (err instanceof EConsentRequiredError) {
     const envelope = {
       ok: false,
-      error: {
-        code: "confirm-required",
-        message: err.message,
-        details: { key: err.key }
-      }
+      error: { code: "confirm-required", message: err.message, details: { key: err.key } }
     };
     return c.json(envelope, 412);
   }
-  return formatInternalErrorFallThrough(err, c);
+  if (err instanceof ESidecarWritersForbiddenError) {
+    const envelope = {
+      ok: false,
+      error: { code: "sidecar-writers-forbidden", message: err.message, details: { key: err.key } }
+    };
+    return c.json(envelope, 403);
+  }
+  return null;
 }
 function formatConflict(err, c) {
   if (err instanceof ActionRefusedError) {
@@ -30973,4 +31058,4 @@ function resolveBareDefault() {
   process.exit(ExitCode.Error);
 }
 //# sourceMappingURL=cli.js.map
-//# debugId=7e4fdbab-f037-5030-b67a-732bb7ee46fd
+//# debugId=7e14428f-63d1-5e95-8756-98cea6d3c76e

package/dist/index.js

@@ -1,6 +1,6 @@
 // kernel/i18n/registry.texts.ts
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="4343b658-4e21-5fab-9600-420246ce199b")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="da133af4-c6e3-580c-95d3-203903628998")}catch(e){}}();
 var REGISTRY_TEXTS = {
   duplicateExtension: "Extension already registered: {{kind}}:{{qualifiedId}}",
   unknownKind: "Unknown extension kind: {{kind}}",
@@ -102,7 +102,7 @@ import { Tiktoken as Tiktoken2 } from "js-tiktoken/lite";
 // package.json
 var package_default = {
   name: "@skill-map/cli",
-  version: "0.58.0",
+  version: "0.60.0",
   description: "skill-map reference implementation \u2014 kernel + CLI + adapters.",
   license: "MIT",
   type: "module",
@@ -3845,4 +3845,4 @@ export {
   runScanWithRenames
 };
 //# sourceMappingURL=index.js.map
-//# debugId=4343b658-4e21-5fab-9600-420246ce199b
+//# debugId=da133af4-c6e3-580c-95d3-203903628998

package/dist/kernel/index.d.ts

@@ -3268,6 +3268,13 @@ type TActionWrite = {
     path: string;
     changes: Record<string, unknown>;
 };
+/**
+ * The discriminant kinds an Action may emit through `IActionResult.writes`.
+ * Today the union has a single member (`'sidecar'`); the alias keeps the
+ * manifest `writes` capability (`IAction.writes`) in lock-step with the
+ * runtime write union so a new write kind only has to be added in one place.
+ */
+type TActionWriteKind = TActionWrite['kind'];
 interface IActionResult<TReport = unknown> {
     report: TReport;
     writes?: TActionWrite[];
@@ -3353,6 +3360,19 @@ interface IAction extends IExtensionBase {
      * `expectedDurationSeconds` with the `prob*` prefix convention.
      */
     probExpectedDurationSeconds?: number;
+    /**
+     * Declared persistent-write capability. Mirrors the `kind`s this
+     * Action's `invoke()` may return in `IActionResult.writes`. Today the
+     * only kind is `'sidecar'` (the Action creates / modifies a `.sm`
+     * annotation sidecar). An Action that returns a sidecar write MUST
+     * declare `['sidecar']` here: the manifest declaration is what
+     * consumers gate on WITHOUT invoking the action, so the
+     * `allowSidecarWriters: false` project policy can drop every
+     * sidecar-writer from the scan composer (its `inspector.action.button`
+     * never projects) and the sidecar store can refuse the write. Absent =
+     * the Action performs no persistent writes (read-only / report-only).
+     */
+    writes?: TActionWriteKind[];
     /**
      * Optional declarative filter; absent → applies to every node.
      */

package/dist/kernel/index.js

@@ -1,6 +1,6 @@
 // kernel/i18n/registry.texts.ts
 
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="0597c2d7-10e5-56f2-81a2-8aef61ae4bed")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="694d5ef3-1132-5669-b493-3082eef46469")}catch(e){}}();
 var REGISTRY_TEXTS = {
   duplicateExtension: "Extension already registered: {{kind}}:{{qualifiedId}}",
   unknownKind: "Unknown extension kind: {{kind}}",
@@ -102,7 +102,7 @@ import { Tiktoken as Tiktoken2 } from "js-tiktoken/lite";
 // package.json
 var package_default = {
   name: "@skill-map/cli",
-  version: "0.58.0",
+  version: "0.60.0",
   description: "skill-map reference implementation \u2014 kernel + CLI + adapters.",
   license: "MIT",
   type: "module",
@@ -3845,4 +3845,4 @@ export {
   runScanWithRenames
 };
 //# sourceMappingURL=index.js.map
-//# debugId=0597c2d7-10e5-56f2-81a2-8aef61ae4bed
+//# debugId=694d5ef3-1132-5669-b493-3082eef46469