npm - @skill-map/cli - Versions diffs - 0.66.0 → 0.68.0 - Mend

@skill-map/cli 0.66.0 → 0.68.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/dist/conformance/index.js CHANGED Viewed

@@ -1,10 +1,11 @@
 // conformance/index.ts
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="bc1fc06c-0be1-5b35-9ac6-cedcc9367962")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="47b9c38a-6cac-52c4-9dce-13fbbd5b35ec")}catch(e){}}();
 import { spawnSync } from "child_process";
 import { cpSync, existsSync, mkdtempSync, readdirSync, readFileSync, rmSync, statSync } from "fs";
 import { tmpdir } from "os";
 import { isAbsolute, join as join2, relative, resolve as resolve2 } from "path";
+import { DatabaseSync } from "node:sqlite";
 // kernel/util/format-error.ts
 function formatErrorMessage(err) {
@@ -125,6 +126,11 @@ function runConformanceCase(options) {
     if (c.fixture) {
       replaceFixture(scope, fixturesRoot, c.fixture);
     }
+    grantFixturePluginTrust(scope, options.binary, {
+      ...pickSafeEnv(process.env),
+      ...options.env,
+      ...setupEnv
+    });
     const argv = [c.invoke.verb];
     if (c.invoke.sub) argv.push(c.invoke.sub);
     if (c.invoke.args) argv.push(...c.invoke.args);
@@ -194,6 +200,40 @@ function replaceFixture(scope, fixturesRoot, fixture) {
   const src = join2(fixturesRoot, fixture);
   cpSync(src, scope, { recursive: true });
 }
+function grantFixturePluginTrust(scope, binary, env) {
+  const pluginsDir = join2(scope, KERNEL_SKILL_MAP_DIR, "plugins");
+  if (!existsSync(pluginsDir)) return;
+  const ids = readdirSync(pluginsDir, { withFileTypes: true }).filter((e) => e.isDirectory() && existsSync(join2(pluginsDir, e.name, "plugin.json"))).map((e) => e.name);
+  if (ids.length === 0) return;
+  const dbPath = join2(scope, KERNEL_SKILL_MAP_DIR, "skill-map.db");
+  if (!existsSync(dbPath)) {
+    spawnSync(process.execPath, [binary, "init", "--no-scan"], { cwd: scope, env, encoding: "utf8" });
+  }
+  if (!hasConfigPluginsTable(dbPath)) {
+    spawnSync(process.execPath, [binary, "scan"], { cwd: scope, env, encoding: "utf8" });
+  }
+  const db = new DatabaseSync(dbPath);
+  try {
+    const stmt = db.prepare(
+      "INSERT INTO config_plugins (plugin_id, enabled, updated_at) VALUES (?, 1, 0) ON CONFLICT(plugin_id) DO UPDATE SET enabled = 1"
+    );
+    for (const id of ids) stmt.run(id);
+  } finally {
+    db.close();
+  }
+}
+function hasConfigPluginsTable(dbPath) {
+  if (!existsSync(dbPath)) return false;
+  const db = new DatabaseSync(dbPath, { readOnly: true });
+  try {
+    const row = db.prepare("SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'config_plugins'").get();
+    return row !== void 0;
+  } catch {
+    return false;
+  } finally {
+    db.close();
+  }
+}
 function assertContained(root, rel, label) {
   if (isAbsolute(rel)) {
     throw new Error(
@@ -413,4 +453,4 @@ export {
   runConformanceCase
 };
 //# sourceMappingURL=index.js.map
-//# debugId=bc1fc06c-0be1-5b35-9ac6-cedcc9367962
+//# debugId=47b9c38a-6cac-52c4-9dce-13fbbd5b35ec

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 // kernel/i18n/registry.texts.ts
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="27ef1dc5-0da7-5a76-9fa8-d447025bd0d4")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="9e2b3a4e-2df6-5424-b6ce-30468020a39d")}catch(e){}}();
 var REGISTRY_TEXTS = {
   duplicateExtension: "Extension already registered: {{kind}}:{{qualifiedId}}",
   unknownKind: "Unknown extension kind: {{kind}}",
@@ -102,7 +102,7 @@ import { Tiktoken as Tiktoken2 } from "js-tiktoken/lite";
 // package.json
 var package_default = {
   name: "@skill-map/cli",
-  version: "0.66.0",
+  version: "0.68.0",
   description: "skill-map reference implementation \u2014 kernel + CLI + adapters.",
   license: "MIT",
   type: "module",
@@ -175,39 +175,38 @@ var package_default = {
     clean: "rm -rf dist coverage"
   },
   dependencies: {
-    "@hono/node-server": "2.0.1",
-    "@sentry/node": "10.55.0",
+    "@hono/node-server": "2.0.6",
+    "@sentry/node": "10.61.0",
     "@skill-map/spec": "workspace:*",
-    ajv: "8.18.0",
+    ajv: "8.20.0",
     "ajv-formats": "3.0.1",
     chokidar: "5.0.0",
     clipanion: "4.0.0-rc.4",
-    hono: "4.12.18",
+    hono: "4.12.27",
     ignore: "7.0.5",
     "js-tiktoken": "1.0.21",
-    "js-yaml": "4.1.1",
-    kysely: "0.28.17",
-    "posthog-node": "5.35.6",
-    semver: "7.7.4",
-    "smol-toml": "1.6.1",
+    "js-yaml": "5.1.0",
+    kysely: "0.29.2",
+    "posthog-node": "5.38.5",
+    semver: "7.8.5",
+    "smol-toml": "1.7.0",
     typanion: "3.14.0",
     ws: "8.21.0"
   },
   devDependencies: {
     "@eslint/js": "10.0.1",
     "@stylistic/eslint-plugin": "5.10.0",
-    "@types/js-yaml": "4.0.9",
-    "@types/node": "24.12.2",
+    "@types/node": "26.0.1",
     "@types/semver": "7.7.1",
     "@types/ws": "8.18.1",
     c8: "11.0.0",
-    eslint: "10.2.1",
-    "eslint-plugin-import-x": "4.16.2",
+    eslint: "10.5.0",
+    "eslint-plugin-import-x": "4.17.0",
     "json-schema-to-typescript": "15.0.4",
     tsup: "8.5.1",
-    tsx: "4.22.3",
-    typescript: "5.9.3",
-    "typescript-eslint": "8.59.1"
+    tsx: "4.22.4",
+    typescript: "6.0.3",
+    "typescript-eslint": "8.62.0"
   },
   engines: {
     node: ">=24.0"
@@ -258,6 +257,20 @@ var PLUGIN_LOADER_TEXTS = {
   invalidManifestExtensionShape: "{{relEntry}}: {{errors}}. See {{docUrl}}.",
   importExceededTimeout: "import exceeded {{timeoutMs}}ms; likely a top-level side effect (network call, infinite loop, large blocking work). Move side effects into the runtime methods (`detect` / `evaluate` / `render` / etc.).",
   disabledByConfig: "disabled by config_plugins or settings.json",
+  /**
+   * Reason stamped on a project-local disk plugin discovered but not
+   * imported because the operator never granted local trust. Distinct
+   * from `disabledByConfig` (an explicit toggle-off): this id has no
+   * `config_plugins` override at all, so its code stays unexecuted until
+   * `sm plugins enable` records local intent.
+   */
+  untrustedNotLoaded: "not loaded: project-local plugin is untrusted until enabled. Run `sm plugins enable {{pluginId}}` to load it.",
+  /**
+   * One-time aggregate notice the runtime emits when project-local
+   * plugins were found on disk but left unloaded for lack of trust. The
+   * `{{count}}` plugins ride the scan without executing any code.
+   */
+  untrustedPluginsFoundNotice: "{{count}} project-local plugin(s) found in .skill-map/plugins/ but not loaded (untrusted). Their code did NOT run. Review with `sm plugins list`, then enable any you trust with `sm plugins enable <id>`.",
   invalidManifestDirMismatch: "directory name '{{dirName}}' does not match manifest id '{{manifestId}}'. Rename the directory to match the id, or update the manifest id to match the directory.",
   idCollision: "Plugin '{{id}}' at {{pathA}} collides with the plugin at {{pathB}}. Rename one and rerun.",
   loadErrorPluginIdMismatch: "{{relEntry}}: extension declares pluginId '{{declared}}' but its plugin.json declares id '{{manifestId}}'. Remove the explicit pluginId from the extension; the loader injects it from plugin.json#/id.",
@@ -2226,7 +2239,7 @@ function readDefaultsFromDisk() {
 }
 // plugins/core/parsers/frontmatter-yaml/index.ts
-import yaml from "js-yaml";
+import { load as yamlLoad, JSON_SCHEMA } from "js-yaml";
 // kernel/util/strip-prototype-pollution.ts
 var FORBIDDEN_KEYS = /* @__PURE__ */ new Set([
@@ -2261,7 +2274,7 @@ var frontmatterYamlParser = {
     let parsed = {};
     const issues = [];
     try {
-      const doc = yaml.load(frontmatterRaw, { schema: yaml.JSON_SCHEMA });
+      const doc = yamlLoad(frontmatterRaw, { schema: JSON_SCHEMA });
       if (doc && typeof doc === "object" && !Array.isArray(doc)) {
         parsed = stripPrototypePollution(doc);
       }
@@ -2559,7 +2572,7 @@ import { existsSync as existsSync5, readFileSync as readFileSync6 } from "fs";
 import { dirname as dirname4, resolve as resolve8 } from "path";
 import { createRequire as createRequire3 } from "module";
 import { Ajv2020 as Ajv20204 } from "ajv/dist/2020.js";
-import yaml2 from "js-yaml";
+import { load as yamlLoad2, JSON_SCHEMA as JSON_SCHEMA2 } from "js-yaml";
 function readSidecarFor(mdAbsolutePath) {
   const sidecarPath = sidecarPathFor(mdAbsolutePath);
   if (!existsSync5(sidecarPath)) {
@@ -2577,7 +2590,7 @@ function readSidecarFor(mdAbsolutePath) {
   }
   let parsedYaml;
   try {
-    parsedYaml = yaml2.load(raw, { schema: yaml2.JSON_SCHEMA });
+    parsedYaml = yamlLoad2(raw, { schema: JSON_SCHEMA2 });
   } catch (err) {
     return {
       parsed: null,
@@ -2712,7 +2725,7 @@ import { existsSync as existsSync8, readFileSync as readFileSync8 } from "fs";
 import { dirname as dirname6, resolve as resolve9 } from "path";
 import { createRequire as createRequire4 } from "module";
 import { Ajv2020 as Ajv20205 } from "ajv/dist/2020.js";
-import yaml3 from "js-yaml";
+import { dump as yamlDump, load as yamlLoad3, CORE_SCHEMA, JSON_SCHEMA as JSON_SCHEMA3 } from "js-yaml";
 // kernel/util/atomic-write.ts
 import {
@@ -2734,7 +2747,7 @@ import { createHash } from "crypto";
 import { existsSync as existsSync9 } from "fs";
 import { isAbsolute as isAbsolute3, resolve as resolvePath } from "path";
 import "js-tiktoken/lite";
-import yaml4 from "js-yaml";
+import { dump as yamlDump2, CORE_SCHEMA as CORE_SCHEMA2 } from "js-yaml";
 // kernel/orchestrator/frontmatter.ts
 function validateFrontmatter(providerFrontmatter, provider, kind, frontmatter, path, strict) {
@@ -2827,22 +2840,22 @@ function canonicalFrontmatter(parsed, raw) {
   if (!hasParsedKeys && hasRawText) {
     return raw;
   }
-  return yaml4.dump(parsed, {
+  return yamlDump2(parsed, {
     sortKeys: true,
     lineWidth: -1,
     noRefs: true,
-    noCompatMode: true
+    schema: CORE_SCHEMA2
   });
 }
 function canonicalSidecarAnnotations(annotations) {
   if (!annotations || typeof annotations !== "object" || Array.isArray(annotations)) {
-    return yaml4.dump({}, { sortKeys: true, lineWidth: -1, noRefs: true, noCompatMode: true });
+    return yamlDump2({}, { sortKeys: true, lineWidth: -1, noRefs: true, schema: CORE_SCHEMA2 });
   }
-  return yaml4.dump(annotations, {
+  return yamlDump2(annotations, {
     sortKeys: true,
     lineWidth: -1,
     noRefs: true,
-    noCompatMode: true
+    schema: CORE_SCHEMA2
   });
 }
 function resolveSidecarOverlay(relativePath, nodePathForIssue, roots, liveBodyHash, liveFrontmatterHash) {
@@ -4150,4 +4163,4 @@ export {
   runScanWithRenames
 };
 //# sourceMappingURL=index.js.map
-//# debugId=27ef1dc5-0da7-5a76-9fa8-d447025bd0d4
+//# debugId=9e2b3a4e-2df6-5424-b6ce-30468020a39d

package/dist/kernel/index.d.ts CHANGED Viewed

@@ -1574,6 +1574,19 @@ interface IDiscoveredPlugin {
     storageSchemas?: Record<string, IPluginStorageSchema>;
     /** Human-readable diagnostic shown by `sm plugins list/show`. */
     reason?: string;
+    /**
+     * Runtime-only, never persisted, never spec-modeled.
+     *
+     * Set by the loader when a project-local disk plugin was discovered
+     * (manifest parsed + surfaced) but its extension code was NOT imported
+     * because the operator never granted local trust (no `config_plugins`
+     * override enables the plugin or any of its extensions). The plugin
+     * still rides as `status: 'disabled'` (extensions absent), this flag
+     * lets the runtime distinguish "not yet trusted" from an explicit
+     * `sm plugins disable`, so it can emit a one-time "found but not
+     * loaded, run `sm plugins enable`" notice. See spec § Plugin trust.
+     */
+    untrusted?: boolean;
 }
 /**
  * Runtime-only, a single AJV-compiled storage schema attached to a
@@ -1720,7 +1733,7 @@ declare function makePluginStore(opts: {
  *      a single `set` simply replaces the base.
  *   3. `delta`: additive (may be negative), summed.
  *   4. `floor`: raise to at least the value (`max`).
- *   5. `ceil`: lower to at most the value (`min`) — today's broken cap.
+ *   5. `ceil`: lower to at most the value (`min`), today's broken cap.
  *      Applied AFTER floor so a cap dominates a floor/ceil collision.
  *   6. clamp to [0,1] ONCE at the end, so opposing deltas round-trip
  *      (e.g. `-0.4` then `+0.4` returns to base, never clipped midway).
@@ -2598,12 +2611,22 @@ interface IProviderScaffold {
      * traversal; the consuming verb joins it onto the cwd.
      */
     skillDir: string;
+    /**
+     * Optional directory the materialising verb creates so the active-lens
+     * resolver picks THIS Provider when its `skillDir` is shared with another
+     * lens. The open `.agents/skills` territory is read by several lenses
+     * (`agent-skills`, `antigravity`, `codex`); a Provider whose skillDir is
+     * that shared territory but whose lens needs a distinct marker (Codex's
+     * `.codex`) declares it here, and `sm tutorial --for <id>` drops the marker
+     * alongside the skill. Omitted when the skillDir's parent IS the marker.
+     */
+    marker?: string;
     /**
      * Display-only hints naming the agents that consume this scaffold
-     * territory, rendered in parentheses next to the Provider label in the
-     * `sm tutorial` destination prompt (e.g. `.agents/skills` is read by
-     * Google's Antigravity and OpenAI's Codex). Purely presentational: NOT matched by
-     * `--for` (only registered Provider ids are) and has no runtime effect.
+     * territory AND share its tutorial track, rendered in parentheses next to
+     * the Provider label in the `sm tutorial` destination prompt. Purely
+     * presentational: NOT matched by `--for` (only registered Provider ids
+     * are) and has no runtime effect.
      */
     aka?: readonly string[];
 }

package/dist/kernel/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 // kernel/i18n/registry.texts.ts
-!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="ffec428d-8810-5e29-bc67-ad4ec917ce6f")}catch(e){}}();
+!function(){try{var e="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof globalThis?globalThis:"undefined"!=typeof self?self:{},n=(new e.Error).stack;n&&(e._sentryDebugIds=e._sentryDebugIds||{},e._sentryDebugIds[n]="f36575e1-2be1-582e-9ebc-c041fd1a716b")}catch(e){}}();
 var REGISTRY_TEXTS = {
   duplicateExtension: "Extension already registered: {{kind}}:{{qualifiedId}}",
   unknownKind: "Unknown extension kind: {{kind}}",
@@ -102,7 +102,7 @@ import { Tiktoken as Tiktoken2 } from "js-tiktoken/lite";
 // package.json
 var package_default = {
   name: "@skill-map/cli",
-  version: "0.66.0",
+  version: "0.68.0",
   description: "skill-map reference implementation \u2014 kernel + CLI + adapters.",
   license: "MIT",
   type: "module",
@@ -175,39 +175,38 @@ var package_default = {
     clean: "rm -rf dist coverage"
   },
   dependencies: {
-    "@hono/node-server": "2.0.1",
-    "@sentry/node": "10.55.0",
+    "@hono/node-server": "2.0.6",
+    "@sentry/node": "10.61.0",
     "@skill-map/spec": "workspace:*",
-    ajv: "8.18.0",
+    ajv: "8.20.0",
     "ajv-formats": "3.0.1",
     chokidar: "5.0.0",
     clipanion: "4.0.0-rc.4",
-    hono: "4.12.18",
+    hono: "4.12.27",
     ignore: "7.0.5",
     "js-tiktoken": "1.0.21",
-    "js-yaml": "4.1.1",
-    kysely: "0.28.17",
-    "posthog-node": "5.35.6",
-    semver: "7.7.4",
-    "smol-toml": "1.6.1",
+    "js-yaml": "5.1.0",
+    kysely: "0.29.2",
+    "posthog-node": "5.38.5",
+    semver: "7.8.5",
+    "smol-toml": "1.7.0",
     typanion: "3.14.0",
     ws: "8.21.0"
   },
   devDependencies: {
     "@eslint/js": "10.0.1",
     "@stylistic/eslint-plugin": "5.10.0",
-    "@types/js-yaml": "4.0.9",
-    "@types/node": "24.12.2",
+    "@types/node": "26.0.1",
     "@types/semver": "7.7.1",
     "@types/ws": "8.18.1",
     c8: "11.0.0",
-    eslint: "10.2.1",
-    "eslint-plugin-import-x": "4.16.2",
+    eslint: "10.5.0",
+    "eslint-plugin-import-x": "4.17.0",
     "json-schema-to-typescript": "15.0.4",
     tsup: "8.5.1",
-    tsx: "4.22.3",
-    typescript: "5.9.3",
-    "typescript-eslint": "8.59.1"
+    tsx: "4.22.4",
+    typescript: "6.0.3",
+    "typescript-eslint": "8.62.0"
   },
   engines: {
     node: ">=24.0"
@@ -258,6 +257,20 @@ var PLUGIN_LOADER_TEXTS = {
   invalidManifestExtensionShape: "{{relEntry}}: {{errors}}. See {{docUrl}}.",
   importExceededTimeout: "import exceeded {{timeoutMs}}ms; likely a top-level side effect (network call, infinite loop, large blocking work). Move side effects into the runtime methods (`detect` / `evaluate` / `render` / etc.).",
   disabledByConfig: "disabled by config_plugins or settings.json",
+  /**
+   * Reason stamped on a project-local disk plugin discovered but not
+   * imported because the operator never granted local trust. Distinct
+   * from `disabledByConfig` (an explicit toggle-off): this id has no
+   * `config_plugins` override at all, so its code stays unexecuted until
+   * `sm plugins enable` records local intent.
+   */
+  untrustedNotLoaded: "not loaded: project-local plugin is untrusted until enabled. Run `sm plugins enable {{pluginId}}` to load it.",
+  /**
+   * One-time aggregate notice the runtime emits when project-local
+   * plugins were found on disk but left unloaded for lack of trust. The
+   * `{{count}}` plugins ride the scan without executing any code.
+   */
+  untrustedPluginsFoundNotice: "{{count}} project-local plugin(s) found in .skill-map/plugins/ but not loaded (untrusted). Their code did NOT run. Review with `sm plugins list`, then enable any you trust with `sm plugins enable <id>`.",
   invalidManifestDirMismatch: "directory name '{{dirName}}' does not match manifest id '{{manifestId}}'. Rename the directory to match the id, or update the manifest id to match the directory.",
   idCollision: "Plugin '{{id}}' at {{pathA}} collides with the plugin at {{pathB}}. Rename one and rerun.",
   loadErrorPluginIdMismatch: "{{relEntry}}: extension declares pluginId '{{declared}}' but its plugin.json declares id '{{manifestId}}'. Remove the explicit pluginId from the extension; the loader injects it from plugin.json#/id.",
@@ -2226,7 +2239,7 @@ function readDefaultsFromDisk() {
 }
 // plugins/core/parsers/frontmatter-yaml/index.ts
-import yaml from "js-yaml";
+import { load as yamlLoad, JSON_SCHEMA } from "js-yaml";
 // kernel/util/strip-prototype-pollution.ts
 var FORBIDDEN_KEYS = /* @__PURE__ */ new Set([
@@ -2261,7 +2274,7 @@ var frontmatterYamlParser = {
     let parsed = {};
     const issues = [];
     try {
-      const doc = yaml.load(frontmatterRaw, { schema: yaml.JSON_SCHEMA });
+      const doc = yamlLoad(frontmatterRaw, { schema: JSON_SCHEMA });
       if (doc && typeof doc === "object" && !Array.isArray(doc)) {
         parsed = stripPrototypePollution(doc);
       }
@@ -2559,7 +2572,7 @@ import { existsSync as existsSync5, readFileSync as readFileSync6 } from "fs";
 import { dirname as dirname4, resolve as resolve8 } from "path";
 import { createRequire as createRequire3 } from "module";
 import { Ajv2020 as Ajv20204 } from "ajv/dist/2020.js";
-import yaml2 from "js-yaml";
+import { load as yamlLoad2, JSON_SCHEMA as JSON_SCHEMA2 } from "js-yaml";
 function readSidecarFor(mdAbsolutePath) {
   const sidecarPath = sidecarPathFor(mdAbsolutePath);
   if (!existsSync5(sidecarPath)) {
@@ -2577,7 +2590,7 @@ function readSidecarFor(mdAbsolutePath) {
   }
   let parsedYaml;
   try {
-    parsedYaml = yaml2.load(raw, { schema: yaml2.JSON_SCHEMA });
+    parsedYaml = yamlLoad2(raw, { schema: JSON_SCHEMA2 });
   } catch (err) {
     return {
       parsed: null,
@@ -2712,7 +2725,7 @@ import { existsSync as existsSync8, readFileSync as readFileSync8 } from "fs";
 import { dirname as dirname6, resolve as resolve9 } from "path";
 import { createRequire as createRequire4 } from "module";
 import { Ajv2020 as Ajv20205 } from "ajv/dist/2020.js";
-import yaml3 from "js-yaml";
+import { dump as yamlDump, load as yamlLoad3, CORE_SCHEMA, JSON_SCHEMA as JSON_SCHEMA3 } from "js-yaml";
 // kernel/util/atomic-write.ts
 import {
@@ -2734,7 +2747,7 @@ import { createHash } from "crypto";
 import { existsSync as existsSync9 } from "fs";
 import { isAbsolute as isAbsolute3, resolve as resolvePath } from "path";
 import "js-tiktoken/lite";
-import yaml4 from "js-yaml";
+import { dump as yamlDump2, CORE_SCHEMA as CORE_SCHEMA2 } from "js-yaml";
 // kernel/orchestrator/frontmatter.ts
 function validateFrontmatter(providerFrontmatter, provider, kind, frontmatter, path, strict) {
@@ -2827,22 +2840,22 @@ function canonicalFrontmatter(parsed, raw) {
   if (!hasParsedKeys && hasRawText) {
     return raw;
   }
-  return yaml4.dump(parsed, {
+  return yamlDump2(parsed, {
     sortKeys: true,
     lineWidth: -1,
     noRefs: true,
-    noCompatMode: true
+    schema: CORE_SCHEMA2
   });
 }
 function canonicalSidecarAnnotations(annotations) {
   if (!annotations || typeof annotations !== "object" || Array.isArray(annotations)) {
-    return yaml4.dump({}, { sortKeys: true, lineWidth: -1, noRefs: true, noCompatMode: true });
+    return yamlDump2({}, { sortKeys: true, lineWidth: -1, noRefs: true, schema: CORE_SCHEMA2 });
   }
-  return yaml4.dump(annotations, {
+  return yamlDump2(annotations, {
     sortKeys: true,
     lineWidth: -1,
     noRefs: true,
-    noCompatMode: true
+    schema: CORE_SCHEMA2
   });
 }
 function resolveSidecarOverlay(relativePath, nodePathForIssue, roots, liveBodyHash, liveFrontmatterHash) {
@@ -4150,4 +4163,4 @@ export {
   runScanWithRenames
 };
 //# sourceMappingURL=index.js.map
-//# debugId=ffec428d-8810-5e29-bc67-ad4ec917ce6f
+//# debugId=f36575e1-2be1-582e-9ebc-c041fd1a716b