@soulguard/openclaw 0.1.4 → 0.2.1

package/dist/index.js

@@ -1,20 +1,4 @@
-import { createRequire } from "node:module";
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
-};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
@@ -24,88 +8,76 @@ var __export = (target, all) => {
       set: (newValue) => all[name] = () => newValue
     });
 };
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 // src/templates.ts
-var SOULGUARD_CONFIG = ["soulguard.json"];
-var CORE_IDENTITY = ["SOUL.md", "AGENTS.md", "IDENTITY.md", "USER.md"];
-var CORE_SESSION = ["TOOLS.md", "HEARTBEAT.md", "BOOTSTRAP.md"];
-var CORE_MEMORY = ["MEMORY.md"];
-var MEMORY_DIR = ["memory/**"];
-var SKILLS = ["skills/**"];
-var OPENCLAW_CONFIG = ["openclaw.json"];
-var CRON = ["cron/jobs.json"];
-var EXTENSIONS = ["extensions/**"];
-var SESSIONS = ["sessions/**"];
-var ALL_KNOWN_PATHS = [
-  ...SOULGUARD_CONFIG,
-  ...CORE_IDENTITY,
-  ...CORE_SESSION,
-  ...CORE_MEMORY,
-  ...MEMORY_DIR,
-  ...SKILLS,
-  ...OPENCLAW_CONFIG,
-  ...CRON,
-  ...EXTENSIONS,
-  ...SESSIONS
-];
-var defaultTemplate = {
-  name: "default",
-  description: "Core identity and config in vault, memory and skills tracked in ledger",
-  vault: [
-    ...SOULGUARD_CONFIG,
-    ...CORE_IDENTITY,
-    ...CORE_SESSION,
-    ...OPENCLAW_CONFIG,
-    ...CRON,
-    ...EXTENSIONS
-  ],
-  ledger: [...CORE_MEMORY, ...MEMORY_DIR, ...SKILLS],
-  unprotected: [...SESSIONS]
-};
-var paranoidTemplate = {
-  name: "paranoid",
-  description: "Everything possible in vault, only skills in ledger",
-  vault: [
-    ...SOULGUARD_CONFIG,
-    ...CORE_IDENTITY,
-    ...CORE_SESSION,
-    ...CORE_MEMORY,
-    ...MEMORY_DIR,
-    ...SKILLS,
-    ...OPENCLAW_CONFIG,
-    ...CRON,
-    ...EXTENSIONS
-  ],
-  ledger: [...SESSIONS],
-  unprotected: []
-};
-var relaxedTemplate = {
-  name: "relaxed",
-  description: "Only soulguard config locked, everything else tracked — good for initial setup",
-  vault: [...SOULGUARD_CONFIG],
-  ledger: [
-    ...CORE_IDENTITY,
-    ...CORE_SESSION,
-    ...CORE_MEMORY,
-    ...MEMORY_DIR,
-    ...SKILLS,
-    ...OPENCLAW_CONFIG,
-    ...CRON,
-    ...EXTENSIONS
-  ],
-  unprotected: [...SESSIONS]
-};
 var templates = {
-  default: defaultTemplate,
-  paranoid: paranoidTemplate,
-  relaxed: relaxedTemplate
+  default: {
+    name: "default",
+    description: "Core identity and config protected, memory and skills watched",
+    protect: [
+      "workspace/SOUL.md",
+      "workspace/AGENTS.md",
+      "workspace/IDENTITY.md",
+      "workspace/USER.md",
+      "workspace/TOOLS.md",
+      "workspace/HEARTBEAT.md",
+      "workspace/BOOTSTRAP.md",
+      "openclaw.json",
+      "cron/",
+      "extensions/"
+    ],
+    watch: ["workspace/MEMORY.md", "workspace/memory/", "workspace/skills/"],
+    release: ["workspace/sessions/"]
+  },
+  paranoid: {
+    name: "paranoid",
+    description: "Everything protected, only sessions watched",
+    protect: [
+      "workspace/SOUL.md",
+      "workspace/AGENTS.md",
+      "workspace/IDENTITY.md",
+      "workspace/USER.md",
+      "workspace/TOOLS.md",
+      "workspace/HEARTBEAT.md",
+      "workspace/BOOTSTRAP.md",
+      "workspace/MEMORY.md",
+      "workspace/memory/",
+      "workspace/skills/",
+      "openclaw.json",
+      "cron/",
+      "extensions/"
+    ],
+    watch: ["workspace/sessions/"],
+    release: []
+  },
+  relaxed: {
+    name: "relaxed",
+    description: "Everything watched — good for initial setup",
+    protect: [],
+    watch: [
+      "workspace/SOUL.md",
+      "workspace/AGENTS.md",
+      "workspace/IDENTITY.md",
+      "workspace/USER.md",
+      "workspace/TOOLS.md",
+      "workspace/HEARTBEAT.md",
+      "workspace/BOOTSTRAP.md",
+      "workspace/MEMORY.md",
+      "workspace/memory/",
+      "workspace/skills/",
+      "openclaw.json",
+      "cron/",
+      "extensions/"
+    ],
+    release: ["workspace/sessions/"]
+  }
 };
 // src/plugin.ts
 import { readFileSync } from "node:fs";
-import { join } from "node:path";
+import os from "node:os";
+import { join as join2 } from "node:path";
 
-// ../core/src/result.ts
+// ../core/src/util/result.ts
 function ok(value) {
   return { ok: true, value };
 }
@@ -4085,82 +4057,29 @@ var coerce = {
   date: (arg) => ZodDate.create({ ...arg, coerce: true })
 };
 var NEVER = INVALID;
-// ../core/src/schema.ts
+// ../core/src/sdk/schema.ts
+var tierSchema = exports_external.enum(["protect", "watch"]);
+var ownershipSchema = exports_external.object({
+  user: exports_external.string(),
+  group: exports_external.string(),
+  mode: exports_external.string()
+});
+var daemonConfigSchema = exports_external.object({
+  channel: exports_external.string()
+}).passthrough();
 var soulguardConfigSchema = exports_external.object({
-  vault: exports_external.array(exports_external.string()),
-  ledger: exports_external.array(exports_external.string()),
-  git: exports_external.boolean().optional()
+  version: exports_external.literal(1),
+  guardian: exports_external.string(),
+  files: exports_external.record(exports_external.string(), tierSchema),
+  git: exports_external.boolean().optional(),
+  defaultOwnership: ownershipSchema.optional(),
+  daemon: daemonConfigSchema.optional()
 });
 function parseConfig(raw) {
   return soulguardConfigSchema.parse(raw);
 }
-// ../core/src/system-ops.ts
-async function getFileInfo(path, ops) {
-  const statResult = await ops.stat(path);
-  if (!statResult.ok)
-    return statResult;
-  const hashResult = await ops.hashFile(path);
-  if (!hashResult.ok)
-    return hashResult;
-  return ok({
-    path,
-    ownership: statResult.value.ownership,
-    hash: hashResult.value
-  });
-}
-// ../core/src/system-ops-mock.ts
+// ../core/src/util/system-ops-mock.ts
 import { resolve } from "node:path";
-
-// ../core/src/glob.ts
-function isGlob(path) {
-  return path.includes("*");
-}
-function createGlobMatcher(pattern) {
-  const escape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  let normalized = pattern;
-  normalized = normalized.replace(/\/\*\*\//g, "<GLOBSTAR>");
-  normalized = normalized.replace(/^\*\*\//, "<GLOBSTAR_PREFIX>");
-  normalized = normalized.replace(/\/\*\*$/, "<GLOBSTAR_SUFFIX>");
-  normalized = normalized.replace(/^\*\*$/, "<GLOBSTAR_ALL>");
-  const regexStr = normalized.split(/(<GLOBSTAR(?:_PREFIX|_SUFFIX|_ALL)?>)/).map((part) => {
-    if (part === "<GLOBSTAR>")
-      return "/(?:.+/)?";
-    if (part === "<GLOBSTAR_PREFIX>")
-      return "(?:.+/)?";
-    if (part === "<GLOBSTAR_SUFFIX>")
-      return "(?:/.*)?";
-    if (part === "<GLOBSTAR_ALL>")
-      return ".*";
-    return part.split("*").map(escape).join("[^/]*");
-  }).join("");
-  const regex = new RegExp(`^${regexStr}$`);
-  return (path) => regex.test(path);
-}
-function matchGlob(pattern, path) {
-  return createGlobMatcher(pattern)(path);
-}
-async function resolvePatterns(ops, patterns) {
-  const files = new Set;
-  for (const pattern of patterns) {
-    if (isGlob(pattern)) {
-      const result = await ops.glob(pattern);
-      if (!result.ok) {
-        return err(result.error);
-      }
-      for (const match of result.value) {
-        const statResult = await ops.stat(match);
-        if (statResult.ok && !statResult.value.isDirectory) {
-          files.add(match);
-        }
-      }
-    } else {
-      files.add(pattern);
-    }
-  }
-  return ok([...files].sort());
-}
-
-// ../core/src/system-ops-mock.ts
 class MockSystemOps {
   workspace;
   files = new Map;
@@ -4169,10 +4088,21 @@ class MockSystemOps {
   ops = [];
   failingExecs = new Set;
   failingDeletes = new Set;
+  failingStats = new Set;
+  failingHashes = new Set;
+  failingListDirs = new Set;
+  failingReads = new Set;
   execCallCounts = new Map;
   execFailOnCall = new Map;
   constructor(workspace) {
     this.workspace = workspace;
+    this.files.set(workspace, {
+      content: "",
+      owner: "root",
+      group: "root",
+      mode: "755",
+      isDirectory: true
+    });
   }
   resolve(path) {
     return resolve(this.workspace, path);
@@ -4185,6 +4115,15 @@ class MockSystemOps {
       mode: opts.mode ?? "644"
     });
   }
+  addDirectory(path, opts = {}) {
+    this.files.set(this.resolve(path), {
+      content: "",
+      owner: opts.owner ?? "unknown",
+      group: opts.group ?? "unknown",
+      mode: opts.mode ?? "755",
+      isDirectory: true
+    });
+  }
   addUser(name) {
     this.users.add(name);
   }
@@ -4198,6 +4137,9 @@ class MockSystemOps {
     return ok(this.groups.has(name));
   }
   async stat(path) {
+    if (this.failingStats.has(path)) {
+      return err({ kind: "permission_denied", path, operation: "stat" });
+    }
     const full = this.resolve(path);
     const file = this.files.get(full);
     if (!file)
@@ -4205,7 +4147,7 @@ class MockSystemOps {
     return ok({
       path,
       ownership: { user: file.owner, group: file.group, mode: file.mode },
-      isDirectory: false
+      isDirectory: file.isDirectory ?? false
     });
   }
   async chown(path, owner) {
@@ -4218,6 +4160,23 @@ class MockSystemOps {
     file.group = owner.group;
     return ok(undefined);
   }
+  async chownRecursive(path, owner) {
+    const full = this.resolve(path);
+    const file = this.files.get(full);
+    if (!file)
+      return err({ kind: "not_found", path });
+    this.ops.push({ kind: "chown", path, owner });
+    file.owner = owner.user;
+    file.group = owner.group;
+    const prefix = full + "/";
+    for (const [childPath, childFile] of this.files) {
+      if (childPath.startsWith(prefix)) {
+        childFile.owner = owner.user;
+        childFile.group = owner.group;
+      }
+    }
+    return ok(undefined);
+  }
   async chmod(path, mode) {
     const full = this.resolve(path);
     const file = this.files.get(full);
@@ -4227,7 +4186,25 @@ class MockSystemOps {
     file.mode = mode;
     return ok(undefined);
   }
+  async chmodRecursive(path, mode) {
+    const full = this.resolve(path);
+    const file = this.files.get(full);
+    if (!file)
+      return err({ kind: "not_found", path });
+    this.ops.push({ kind: "chmod", path, mode });
+    file.mode = mode;
+    const prefix = full + "/";
+    for (const [childPath, childFile] of this.files) {
+      if (childPath.startsWith(prefix)) {
+        childFile.mode = mode;
+      }
+    }
+    return ok(undefined);
+  }
   async readFile(path) {
+    if (this.failingReads.has(path)) {
+      return err({ kind: "permission_denied", path, operation: "read" });
+    }
     const full = this.resolve(path);
     const file = this.files.get(full);
     if (!file)
@@ -4250,14 +4227,26 @@ class MockSystemOps {
   async mkdir(path) {
     const full = this.resolve(path);
     if (!this.files.has(full)) {
-      this.files.set(full, { content: "", owner: "root", group: "root", mode: "755" });
+      this.files.set(full, {
+        content: "",
+        owner: "root",
+        group: "root",
+        mode: "755",
+        isDirectory: true
+      });
     }
     const parts = path.split("/");
     for (let i = 1;i < parts.length; i++) {
       const parent = parts.slice(0, i).join("/");
       const parentFull = this.resolve(parent);
       if (!this.files.has(parentFull)) {
-        this.files.set(parentFull, { content: "", owner: "root", group: "root", mode: "755" });
+        this.files.set(parentFull, {
+          content: "",
+          owner: "root",
+          group: "root",
+          mode: "755",
+          isDirectory: true
+        });
       }
     }
     return ok(undefined);
@@ -4286,6 +4275,9 @@ class MockSystemOps {
     return ok(undefined);
   }
   async hashFile(path) {
+    if (this.failingHashes.has(path)) {
+      return err({ kind: "io_error", path, message: "simulated hash failure" });
+    }
     const full = this.resolve(path);
     const file = this.files.get(full);
     if (!file)
@@ -4294,18 +4286,37 @@ class MockSystemOps {
     hash.update(file.content);
     return ok(hash.digest("hex"));
   }
-  async glob(pattern) {
-    const prefix = this.workspace + "/";
-    const matches = [];
-    for (const fullPath of this.files.keys()) {
-      if (!fullPath.startsWith(prefix))
-        continue;
-      const relPath = fullPath.slice(prefix.length);
-      if (matchGlob(pattern, relPath)) {
-        matches.push(relPath);
+  async chmodDirectoryTree(path, modes) {
+    const full = this.resolve(path);
+    const dir = this.files.get(full);
+    if (!dir)
+      return err({ kind: "not_found", path });
+    this.ops.push({ kind: "chmod", path, mode: modes.dirMode });
+    dir.mode = modes.dirMode;
+    const prefix = full + "/";
+    for (const [childPath, childFile] of this.files) {
+      if (childPath.startsWith(prefix)) {
+        childFile.mode = childFile.isDirectory ? modes.dirMode : modes.fileMode;
+      }
+    }
+    return ok(undefined);
+  }
+  async listDir(path) {
+    if (this.failingListDirs.has(path)) {
+      return err({ kind: "permission_denied", path, operation: "listDir" });
+    }
+    const full = this.resolve(path);
+    const dir = this.files.get(full);
+    if (!dir)
+      return err({ kind: "not_found", path });
+    const prefix = full + "/";
+    const files = [];
+    for (const [childPath, childFile] of this.files) {
+      if (childPath.startsWith(prefix) && !childFile.isDirectory) {
+        files.push(childPath.slice((this.workspace + "/").length));
       }
     }
-    return ok(matches.sort());
+    return ok(files.sort());
   }
   async exec(command, args) {
     this.ops.push({ kind: "exec", command, args });
@@ -4321,1411 +4332,389 @@ class MockSystemOps {
     }
     return ok(undefined);
   }
+  execCaptureResults = new Map;
+  async execCapture(command, args) {
+    this.ops.push({ kind: "exec", command, args });
+    const key = [command, ...args].join(" ");
+    if (this.failingExecs.has(key)) {
+      return err({ kind: "io_error", path: "", message: `${key} failed` });
+    }
+    return ok(this.execCaptureResults.get(key) ?? "");
+  }
 }
-// ../core/src/system-ops-node.ts
-import { resolve as resolve2, relative, dirname } from "node:path";
-import {
-  stat as fsStat,
-  readFile,
-  chmod as fsChmod,
-  writeFile as fsWriteFile,
-  mkdir as fsMkdir,
-  copyFile as fsCopyFile,
-  unlink as fsUnlink,
-  chown as fsChown,
-  access
-} from "node:fs/promises";
-import { createHash } from "node:crypto";
-import { createReadStream } from "node:fs";
+// ../core/src/util/system-ops-node.ts
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
 var execFileAsync = promisify(execFile);
-function mapError(e, path, operation) {
-  if (e instanceof Error && "code" in e) {
-    const code = e.code;
-    if (code === "ENOENT")
-      return { kind: "not_found", path };
-    if (code === "EACCES" || code === "EPERM") {
-      return { kind: "permission_denied", path, operation };
-    }
-  }
-  const message = e instanceof Error ? e.message : String(e);
-  return { kind: "io_error", path, message };
-}
-async function nameToUid(name) {
-  const { stdout } = await execFileAsync("id", ["-u", name]);
-  return parseInt(stdout.trim(), 10);
-}
-async function nameToGid(name) {
-  if (process.platform === "darwin") {
-    const { stdout: stdout2 } = await execFileAsync("dscl", [
-      ".",
-      "-read",
-      `/Groups/${name}`,
-      "PrimaryGroupID"
-    ]);
-    const gid = stdout2.trim().split(/\s+/).pop();
-    if (!gid || !/^\d+$/.test(gid)) {
-      throw new Error(`Could not resolve GID for group '${name}'`);
-    }
-    return parseInt(gid, 10);
-  }
-  const { stdout } = await execFileAsync("getent", ["group", name]);
-  const field = stdout.split(":")[2];
-  if (!field || !/^\d+$/.test(field.trim())) {
-    throw new Error(`Could not resolve GID for group '${name}'`);
-  }
-  return parseInt(field.trim(), 10);
+// ../core/src/sdk/state.ts
+import { createHash } from "node:crypto";
+
+// ../core/src/sdk/staging.ts
+import { join } from "node:path";
+var STAGING_DIR = ".soulguard-staging";
+function stagingPath(filePath) {
+  return join(STAGING_DIR, filePath);
 }
-async function uidToName(uid) {
-  try {
-    const { stdout } = await execFileAsync("id", ["-un", String(uid)]);
-    return stdout.trim();
-  } catch {
-    return String(uid);
-  }
+function isStagingPath(filePath) {
+  return filePath === STAGING_DIR || filePath.startsWith(STAGING_DIR + "/");
 }
-async function gidToName(gid) {
-  const platform = process.platform;
+function isDeleteSentinel(content) {
   try {
-    if (platform === "darwin") {
-      const { stdout } = await execFileAsync("dscl", [
-        ".",
-        "-search",
-        "/Groups",
-        "PrimaryGroupID",
-        String(gid)
-      ]);
-      const match = stdout.match(/^(\S+)/);
-      return match?.[1] ?? String(gid);
-    } else {
-      const { stdout } = await execFileAsync("getent", ["group", String(gid)]);
-      const name = stdout.split(":")[0];
-      return name || String(gid);
-    }
+    const parsed = JSON.parse(content);
+    return parsed != null && parsed.__soulguard_delete_sentinel__ === true;
   } catch {
-    return String(gid);
+    return false;
   }
 }
-function modeToString(mode) {
-  return (mode & 511).toString(8).padStart(3, "0");
-}
 
-class NodeSystemOps {
-  workspace;
-  constructor(workspace) {
-    this.workspace = resolve2(workspace);
-  }
-  resolvePath(path) {
-    const full = resolve2(this.workspace, path);
-    const rel = relative(this.workspace, full);
-    if (rel.startsWith("..")) {
-      return err({
-        kind: "io_error",
-        path,
-        message: "Path traversal outside workspace"
-      });
-    }
-    return ok(full);
-  }
-  async userExists(name) {
-    try {
-      await execFileAsync("id", ["-u", name]);
-      return ok(true);
-    } catch (e) {
-      if (e instanceof Error && "code" in e && typeof e.code === "number") {
-        return ok(false);
-      }
-      const message = e instanceof Error ? e.message : String(e);
-      return err({ kind: "io_error", path: "", message: `userExists(${name}): ${message}` });
-    }
-  }
-  async groupExists(name) {
-    try {
-      if (process.platform === "darwin") {
-        await execFileAsync("dscl", [".", "-read", `/Groups/${name}`, "PrimaryGroupID"]);
-      } else {
-        await execFileAsync("getent", ["group", name]);
-      }
-      return ok(true);
-    } catch (e) {
-      if (e instanceof Error && "code" in e && typeof e.code === "number") {
-        return ok(false);
-      }
-      const message = e instanceof Error ? e.message : String(e);
-      return err({ kind: "io_error", path: "", message: `groupExists(${name}): ${message}` });
-    }
-  }
-  async stat(path) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      const s = await fsStat(resolved.value);
-      const [user, group] = await Promise.all([uidToName(s.uid), gidToName(s.gid)]);
-      return ok({
-        path,
-        ownership: { user, group, mode: modeToString(s.mode) },
-        isDirectory: s.isDirectory()
-      });
-    } catch (e) {
-      return err(mapError(e, path, "stat"));
-    }
-  }
-  async chown(path, owner) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      const uid = await nameToUid(owner.user);
-      const gid = await nameToGid(owner.group);
-      await fsChown(resolved.value, uid, gid);
-      return ok(undefined);
-    } catch (e) {
-      return err(mapError(e, path, "chown"));
-    }
-  }
-  async chmod(path, mode) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      await fsChmod(resolved.value, parseInt(mode, 8));
-      return ok(undefined);
-    } catch (e) {
-      return err(mapError(e, path, "chmod"));
-    }
-  }
-  async readFile(path) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      const content = await readFile(resolved.value, "utf-8");
-      return ok(content);
-    } catch (e) {
-      return err(mapError(e, path, "readFile"));
-    }
-  }
-  async createUser(name, group) {
-    try {
-      if (process.platform === "darwin") {
-        const { stdout: gidOutput } = await execFileAsync("dscl", [
-          ".",
-          "-read",
-          `/Groups/${group}`,
-          "PrimaryGroupID"
-        ]);
-        const gid = gidOutput.trim().split(/\s+/).pop();
-        if (!gid || !/^\d+$/.test(gid)) {
-          return err({
-            kind: "io_error",
-            path: `/Groups/${group}`,
-            message: `Could not resolve GID for group ${group}`
-          });
-        }
-        await execFileAsync("dscl", [".", "-create", `/Users/${name}`]);
-        const MAX_SYSTEM_ID = 499;
-        let uid = 400;
-        while (uid <= MAX_SYSTEM_ID) {
-          const { stdout: uidSearch } = await execFileAsync("dscl", [
-            ".",
-            "-search",
-            "/Users",
-            "UniqueID",
-            String(uid)
-          ]);
-          if (!uidSearch.trim())
-            break;
-          uid++;
-        }
-        if (uid > MAX_SYSTEM_ID) {
-          return err({
-            kind: "io_error",
-            path: "",
-            message: `No available UID in system range (400-${MAX_SYSTEM_ID})`
-          });
-        }
-        await execFileAsync("dscl", [".", "-create", `/Users/${name}`, "UniqueID", String(uid)]);
-        await execFileAsync("dscl", [".", "-create", `/Users/${name}`, "PrimaryGroupID", gid]);
-        await execFileAsync("dscl", [
-          ".",
-          "-create",
-          `/Users/${name}`,
-          "UserShell",
-          "/usr/bin/false"
-        ]);
-      } else {
-        await execFileAsync("useradd", ["-r", "-g", group, "-s", "/usr/bin/false", name]);
-      }
-      return ok(undefined);
-    } catch (e) {
-      return err({
-        kind: "io_error",
-        path: "",
-        message: `createUser ${name}: ${e instanceof Error ? e.message : String(e)}`
-      });
-    }
-  }
-  async createGroup(name) {
-    try {
-      if (process.platform === "darwin") {
-        await execFileAsync("dscl", [".", "-create", `/Groups/${name}`]);
-        const MAX_SYSTEM_GID = 499;
-        let gid = 400;
-        while (gid <= MAX_SYSTEM_GID) {
-          const { stdout: searchOut } = await execFileAsync("dscl", [
-            ".",
-            "-search",
-            "/Groups",
-            "PrimaryGroupID",
-            String(gid)
-          ]);
-          if (!searchOut.trim())
-            break;
-          gid++;
-        }
-        if (gid > MAX_SYSTEM_GID) {
-          return err({
-            kind: "io_error",
-            path: "",
-            message: `No available GID in system range (400-${MAX_SYSTEM_GID})`
-          });
-        }
-        await execFileAsync("dscl", [
-          ".",
-          "-create",
-          `/Groups/${name}`,
-          "PrimaryGroupID",
-          String(gid)
-        ]);
-      } else {
-        await execFileAsync("groupadd", [name]);
-      }
-      return ok(undefined);
-    } catch (e) {
-      return err({
-        kind: "io_error",
-        path: "",
-        message: `createGroup ${name}: ${e instanceof Error ? e.message : String(e)}`
-      });
-    }
-  }
-  async writeFile(path, content) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      await fsMkdir(dirname(resolved.value), { recursive: true });
-      await fsWriteFile(resolved.value, content, "utf-8");
-      return ok(undefined);
-    } catch (e) {
-      return err(mapError(e, path, "writeFile"));
-    }
-  }
-  async mkdir(path) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      await fsMkdir(resolved.value, { recursive: true });
-      return ok(undefined);
-    } catch (e) {
-      return err(mapError(e, path, "mkdir"));
-    }
-  }
-  async copyFile(src, dest) {
-    const resolvedSrc = this.resolvePath(src);
-    if (!resolvedSrc.ok)
-      return resolvedSrc;
-    const resolvedDest = this.resolvePath(dest);
-    if (!resolvedDest.ok)
-      return resolvedDest;
-    try {
-      await fsMkdir(dirname(resolvedDest.value), { recursive: true });
-      await fsCopyFile(resolvedSrc.value, resolvedDest.value);
-      return ok(undefined);
-    } catch (e) {
-      return err(mapError(e, src, "copyFile"));
-    }
-  }
-  async exists(path) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return ok(false);
-    try {
-      await access(resolved.value);
-      return ok(true);
-    } catch (e) {
-      if (e instanceof Error && "code" in e && e.code === "ENOENT") {
-        return ok(false);
-      }
-      return err({
-        kind: "io_error",
-        path,
-        message: `exists: ${e instanceof Error ? e.message : String(e)}`
-      });
-    }
-  }
-  async deleteFile(path) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    try {
-      await fsUnlink(resolved.value);
-      return ok(undefined);
-    } catch (e) {
-      return err(mapError(e, path, "unlink"));
-    }
-  }
-  async hashFile(path) {
-    const resolved = this.resolvePath(path);
-    if (!resolved.ok)
-      return resolved;
-    return new Promise((resolve3) => {
-      const hash = createHash("sha256");
-      const stream = createReadStream(resolved.value);
-      stream.on("data", (chunk) => hash.update(chunk));
-      stream.on("end", () => resolve3(ok(hash.digest("hex"))));
-      stream.on("error", (e) => resolve3(err(mapError(e, path, "hashFile"))));
-    });
-  }
-  async glob(pattern) {
-    try {
-      const fs = await import("node:fs");
-      const { promisify: promisify2 } = await import("node:util");
-      const globFn = fs.glob;
-      if (typeof globFn !== "function") {
-        return err({
-          kind: "io_error",
-          path: pattern,
-          message: "fs.glob requires Node.js 22+"
-        });
-      }
-      const globAsync = promisify2(globFn);
-      const matches = await globAsync(pattern, { cwd: this.workspace });
-      return ok([...matches].sort());
-    } catch (e) {
-      return err({
-        kind: "io_error",
-        path: pattern,
-        message: `glob: ${e instanceof Error ? e.message : String(e)}`
-      });
-    }
-  }
-  async exec(command, args) {
-    const execFileAsync2 = promisify(execFile);
-    try {
-      await execFileAsync2(command, args, { cwd: this.workspace });
-      return ok(undefined);
-    } catch (e) {
-      return err({
-        kind: "io_error",
-        path: this.workspace,
-        message: `exec ${command}: ${e instanceof Error ? e.message : String(e)}`
-      });
-    }
-  }
+// ../core/src/util/constants.ts
+var SOULGUARD_GROUP = "soulguard";
+function getProtectOwnership(guardian) {
+  return { user: guardian, group: SOULGUARD_GROUP, mode: "444" };
 }
-// ../core/src/status.ts
-async function status(options) {
-  const { config, expectedVaultOwnership, expectedLedgerOwnership, ops } = options;
-  const [vaultResult, ledgerResult] = await Promise.all([
-    resolvePatterns(ops, config.vault),
-    resolvePatterns(ops, config.ledger)
-  ]);
-  if (!vaultResult.ok)
-    return vaultResult;
-  if (!ledgerResult.ok)
-    return ledgerResult;
-  const vaultPaths = vaultResult.value;
-  const ledgerPaths = ledgerResult.value;
-  const [vault, ledger] = await Promise.all([
-    Promise.all(vaultPaths.map((path) => checkPath(path, "vault", expectedVaultOwnership, ops))),
-    Promise.all(ledgerPaths.map((path) => checkPath(path, "ledger", expectedLedgerOwnership, ops)))
-  ]);
-  const issues = [...vault, ...ledger].filter((f) => f.status !== "ok");
-  return ok({ vault, ledger, issues });
-}
-async function checkPath(filePath, tier, expectedOwnership, ops) {
-  const infoResult = await getFileInfo(filePath, ops);
-  if (!infoResult.ok) {
-    if (infoResult.error.kind === "not_found") {
-      return { tier, status: "missing", path: filePath };
-    }
-    return { tier, status: "error", path: filePath, error: infoResult.error };
-  }
-  const file = infoResult.value;
-  const issues = [];
-  if (file.ownership.user !== expectedOwnership.user) {
-    issues.push({
-      kind: "wrong_owner",
-      expected: expectedOwnership.user,
-      actual: file.ownership.user
-    });
-  }
-  if (file.ownership.group !== expectedOwnership.group) {
-    issues.push({
-      kind: "wrong_group",
-      expected: expectedOwnership.group,
-      actual: file.ownership.group
-    });
-  }
-  if (file.ownership.mode !== expectedOwnership.mode) {
-    issues.push({
-      kind: "wrong_mode",
-      expected: expectedOwnership.mode,
-      actual: file.ownership.mode
-    });
-  }
-  if (issues.length === 0) {
-    return { tier, status: "ok", file };
+
+// ../core/src/sdk/state.ts
+var PROTECT_DIR_MODE = "555";
+
+class StateTreeBuildError extends Error {
+  constructor(error) {
+    super(`Failed to build state tree: ${error.message}`);
+    this.name = "StateTreeBuildError";
   }
-  return { tier, status: "drifted", file, issues };
 }
-// ../core/src/diff.ts
-import { createHash as createHash2 } from "node:crypto";
 
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/base.js
-class Diff {
-  diff(oldStr, newStr, options = {}) {
-    let callback;
-    if (typeof options === "function") {
-      callback = options;
-      options = {};
-    } else if ("callback" in options) {
-      callback = options.callback;
-    }
-    const oldString = this.castInput(oldStr, options);
-    const newString = this.castInput(newStr, options);
-    const oldTokens = this.removeEmpty(this.tokenize(oldString, options));
-    const newTokens = this.removeEmpty(this.tokenize(newString, options));
-    return this.diffWithOptionsObj(oldTokens, newTokens, options, callback);
-  }
-  diffWithOptionsObj(oldTokens, newTokens, options, callback) {
-    var _a;
-    const done = (value) => {
-      value = this.postProcess(value, options);
-      if (callback) {
-        setTimeout(function() {
-          callback(value);
-        }, 0);
-        return;
-      } else {
-        return value;
-      }
-    };
-    const newLen = newTokens.length, oldLen = oldTokens.length;
-    let editLength = 1;
-    let maxEditLength = newLen + oldLen;
-    if (options.maxEditLength != null) {
-      maxEditLength = Math.min(maxEditLength, options.maxEditLength);
-    }
-    const maxExecutionTime = (_a = options.timeout) !== null && _a !== undefined ? _a : Infinity;
-    const abortAfterTimestamp = Date.now() + maxExecutionTime;
-    const bestPath = [{ oldPos: -1, lastComponent: undefined }];
-    let newPos = this.extractCommon(bestPath[0], newTokens, oldTokens, 0, options);
-    if (bestPath[0].oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
-      return done(this.buildValues(bestPath[0].lastComponent, newTokens, oldTokens));
-    }
-    let minDiagonalToConsider = -Infinity, maxDiagonalToConsider = Infinity;
-    const execEditLength = () => {
-      for (let diagonalPath = Math.max(minDiagonalToConsider, -editLength);diagonalPath <= Math.min(maxDiagonalToConsider, editLength); diagonalPath += 2) {
-        let basePath;
-        const removePath = bestPath[diagonalPath - 1], addPath = bestPath[diagonalPath + 1];
-        if (removePath) {
-          bestPath[diagonalPath - 1] = undefined;
-        }
-        let canAdd = false;
-        if (addPath) {
-          const addPathNewPos = addPath.oldPos - diagonalPath;
-          canAdd = addPath && 0 <= addPathNewPos && addPathNewPos < newLen;
-        }
-        const canRemove = removePath && removePath.oldPos + 1 < oldLen;
-        if (!canAdd && !canRemove) {
-          bestPath[diagonalPath] = undefined;
-          continue;
-        }
-        if (!canRemove || canAdd && removePath.oldPos < addPath.oldPos) {
-          basePath = this.addToPath(addPath, true, false, 0, options);
-        } else {
-          basePath = this.addToPath(removePath, false, true, 1, options);
-        }
-        newPos = this.extractCommon(basePath, newTokens, oldTokens, diagonalPath, options);
-        if (basePath.oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
-          return done(this.buildValues(basePath.lastComponent, newTokens, oldTokens)) || true;
-        } else {
-          bestPath[diagonalPath] = basePath;
-          if (basePath.oldPos + 1 >= oldLen) {
-            maxDiagonalToConsider = Math.min(maxDiagonalToConsider, diagonalPath - 1);
-          }
-          if (newPos + 1 >= newLen) {
-            minDiagonalToConsider = Math.max(minDiagonalToConsider, diagonalPath + 1);
-          }
-        }
-      }
-      editLength++;
-    };
-    if (callback) {
-      (function exec() {
-        setTimeout(function() {
-          if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
-            return callback(undefined);
-          }
-          if (!execEditLength()) {
-            exec();
-          }
-        }, 0);
-      })();
-    } else {
-      while (editLength <= maxEditLength && Date.now() <= abortAfterTimestamp) {
-        const ret = execEditLength();
-        if (ret) {
-          return ret;
+class StateTree {
+  entities;
+  config;
+  protectOwnership;
+  constructor(entities, config, protectOwnership) {
+    this.entities = entities;
+    this.config = config;
+    this.protectOwnership = protectOwnership;
+  }
+  static async buildOrThrow(options) {
+    const result = await StateTree.build(options);
+    if (!result.ok)
+      throw new StateTreeBuildError(result.error);
+    return result.value;
+  }
+  static async build(options) {
+    const { ops, config } = options;
+    const protectOwnership = getProtectOwnership(config.guardian);
+    const entities = [];
+    for (const [key, tier] of Object.entries(config.files)) {
+      let isDir = key.endsWith("/");
+      const path = isDir ? key.slice(0, -1) : key;
+      if (!isDir) {
+        const statResult = await ops.stat(path);
+        if (statResult.ok && statResult.value.isDirectory) {
+          isDir = true;
         }
       }
-    }
-  }
-  addToPath(path, added, removed, oldPosInc, options) {
-    const last = path.lastComponent;
-    if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
-      return {
-        oldPos: path.oldPos + oldPosInc,
-        lastComponent: { count: last.count + 1, added, removed, previousComponent: last.previousComponent }
-      };
-    } else {
-      return {
-        oldPos: path.oldPos + oldPosInc,
-        lastComponent: { count: 1, added, removed, previousComponent: last }
-      };
-    }
-  }
-  extractCommon(basePath, newTokens, oldTokens, diagonalPath, options) {
-    const newLen = newTokens.length, oldLen = oldTokens.length;
-    let oldPos = basePath.oldPos, newPos = oldPos - diagonalPath, commonCount = 0;
-    while (newPos + 1 < newLen && oldPos + 1 < oldLen && this.equals(oldTokens[oldPos + 1], newTokens[newPos + 1], options)) {
-      newPos++;
-      oldPos++;
-      commonCount++;
-      if (options.oneChangePerToken) {
-        basePath.lastComponent = { count: 1, previousComponent: basePath.lastComponent, added: false, removed: false };
-      }
-    }
-    if (commonCount && !options.oneChangePerToken) {
-      basePath.lastComponent = { count: commonCount, previousComponent: basePath.lastComponent, added: false, removed: false };
-    }
-    basePath.oldPos = oldPos;
-    return newPos;
-  }
-  equals(left, right, options) {
-    if (options.comparator) {
-      return options.comparator(left, right);
-    } else {
-      return left === right || !!options.ignoreCase && left.toLowerCase() === right.toLowerCase();
-    }
-  }
-  removeEmpty(array) {
-    const ret = [];
-    for (let i = 0;i < array.length; i++) {
-      if (array[i]) {
-        ret.push(array[i]);
-      }
-    }
-    return ret;
-  }
-  castInput(value, options) {
-    return value;
-  }
-  tokenize(value, options) {
-    return Array.from(value);
-  }
-  join(chars) {
-    return chars.join("");
-  }
-  postProcess(changeObjects, options) {
-    return changeObjects;
-  }
-  get useLongestToken() {
-    return false;
-  }
-  buildValues(lastComponent, newTokens, oldTokens) {
-    const components = [];
-    let nextComponent;
-    while (lastComponent) {
-      components.push(lastComponent);
-      nextComponent = lastComponent.previousComponent;
-      delete lastComponent.previousComponent;
-      lastComponent = nextComponent;
-    }
-    components.reverse();
-    const componentLen = components.length;
-    let componentPos = 0, newPos = 0, oldPos = 0;
-    for (;componentPos < componentLen; componentPos++) {
-      const component = components[componentPos];
-      if (!component.removed) {
-        if (!component.added && this.useLongestToken) {
-          let value = newTokens.slice(newPos, newPos + component.count);
-          value = value.map(function(value2, i) {
-            const oldValue = oldTokens[oldPos + i];
-            return oldValue.length > value2.length ? oldValue : value2;
-          });
-          component.value = this.join(value);
-        } else {
-          component.value = this.join(newTokens.slice(newPos, newPos + component.count));
-        }
-        newPos += component.count;
-        if (!component.added) {
-          oldPos += component.count;
-        }
+      if (isDir) {
+        const result = await buildDirectory(ops, path, tier);
+        if (!result.ok)
+          return result;
+        if (result.value)
+          entities.push(result.value);
       } else {
-        component.value = this.join(oldTokens.slice(oldPos, oldPos + component.count));
-        oldPos += component.count;
+        const result = await buildFile(ops, key, tier);
+        if (!result.ok)
+          return result;
+        if (result.value)
+          entities.push(result.value);
       }
     }
-    return components;
+    return ok(new StateTree(entities, config, protectOwnership));
   }
-}
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/character.js
-class CharacterDiff extends Diff {
-}
-var characterDiff = new CharacterDiff;
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/util/string.js
-function longestCommonPrefix(str1, str2) {
-  let i;
-  for (i = 0;i < str1.length && i < str2.length; i++) {
-    if (str1[i] != str2[i]) {
-      return str1.slice(0, i);
-    }
-  }
-  return str1.slice(0, i);
-}
-function longestCommonSuffix(str1, str2) {
-  let i;
-  if (!str1 || !str2 || str1[str1.length - 1] != str2[str2.length - 1]) {
-    return "";
+  flatFiles() {
+    return collectFiles(this.entities);
   }
-  for (i = 0;i < str1.length && i < str2.length; i++) {
-    if (str1[str1.length - (i + 1)] != str2[str2.length - (i + 1)]) {
-      return str1.slice(-i);
+  get approvalHash() {
+    const changed = this.changedFiles();
+    if (changed.length === 0)
+      return null;
+    const sorted = [...changed].sort((a, b) => a.path.localeCompare(b.path));
+    const hasher = createHash("sha256");
+    for (const file of sorted) {
+      hasher.update(file.path);
+      hasher.update(file.status);
+      hasher.update(file.canonicalHash ?? "null");
+      hasher.update(file.stagedHash ?? "null");
     }
+    return hasher.digest("hex");
   }
-  return str1.slice(-i);
-}
-function replacePrefix(string, oldPrefix, newPrefix) {
-  if (string.slice(0, oldPrefix.length) != oldPrefix) {
-    throw Error(`string ${JSON.stringify(string)} doesn't start with prefix ${JSON.stringify(oldPrefix)}; this is a bug`);
+  changedFiles() {
+    return this.flatFiles().filter((f) => f.status !== "unchanged");
   }
-  return newPrefix + string.slice(oldPrefix.length);
-}
-function replaceSuffix(string, oldSuffix, newSuffix) {
-  if (!oldSuffix) {
-    return string + newSuffix;
+  stagedFiles() {
+    return this.flatFiles().filter((f) => f.stagedHash !== null || f.status === "deleted");
   }
-  if (string.slice(-oldSuffix.length) != oldSuffix) {
-    throw Error(`string ${JSON.stringify(string)} doesn't end with suffix ${JSON.stringify(oldSuffix)}; this is a bug`);
+  driftedEntities() {
+    return collectDrifts(this.entities, this.protectOwnership);
   }
-  return string.slice(0, -oldSuffix.length) + newSuffix;
-}
-function removePrefix(string, oldPrefix) {
-  return replacePrefix(string, oldPrefix, "");
-}
-function removeSuffix(string, oldSuffix) {
-  return replaceSuffix(string, oldSuffix, "");
 }
-function maximumOverlap(string1, string2) {
-  return string2.slice(0, overlapCount(string1, string2));
-}
-function overlapCount(a, b) {
-  let startA = 0;
-  if (a.length > b.length) {
-    startA = a.length - b.length;
-  }
-  let endB = b.length;
-  if (a.length < b.length) {
-    endB = a.length;
-  }
-  const map = Array(endB);
-  let k = 0;
-  map[0] = 0;
-  for (let j = 1;j < endB; j++) {
-    if (b[j] == b[k]) {
-      map[j] = map[k];
+function collectFiles(entities) {
+  const files = [];
+  for (const entity of entities) {
+    if (entity.kind === "file") {
+      files.push(entity);
     } else {
-      map[j] = k;
-    }
-    while (k > 0 && b[j] != b[k]) {
-      k = map[k];
-    }
-    if (b[j] == b[k]) {
-      k++;
+      files.push(...collectFiles(entity.children));
     }
   }
-  k = 0;
-  for (let i = startA;i < a.length; i++) {
-    while (k > 0 && a[i] != b[k]) {
-      k = map[k];
-    }
-    if (a[i] == b[k]) {
-      k++;
-    }
-  }
-  return k;
-}
-function trailingWs(string) {
-  let i;
-  for (i = string.length - 1;i >= 0; i--) {
-    if (!string[i].match(/\s/)) {
-      break;
-    }
-  }
-  return string.substring(i + 1);
+  return files;
 }
-function leadingWs(string) {
-  const match = string.match(/^\s*/);
-  return match ? match[0] : "";
-}
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/word.js
-var extendedWordChars = "a-zA-Z0-9_\\u{AD}\\u{C0}-\\u{D6}\\u{D8}-\\u{F6}\\u{F8}-\\u{2C6}\\u{2C8}-\\u{2D7}\\u{2DE}-\\u{2FF}\\u{1E00}-\\u{1EFF}";
-var tokenizeIncludingWhitespace = new RegExp(`[${extendedWordChars}]+|\\s+|[^${extendedWordChars}]`, "ug");
-
-class WordDiff extends Diff {
-  equals(left, right, options) {
-    if (options.ignoreCase) {
-      left = left.toLowerCase();
-      right = right.toLowerCase();
-    }
-    return left.trim() === right.trim();
-  }
-  tokenize(value, options = {}) {
-    let parts;
-    if (options.intlSegmenter) {
-      const segmenter = options.intlSegmenter;
-      if (segmenter.resolvedOptions().granularity != "word") {
-        throw new Error('The segmenter passed must have a granularity of "word"');
-      }
-      parts = [];
-      for (const segmentObj of Array.from(segmenter.segment(value))) {
-        const segment = segmentObj.segment;
-        if (parts.length && /\s/.test(parts[parts.length - 1]) && /\s/.test(segment)) {
-          parts[parts.length - 1] += segment;
-        } else {
-          parts.push(segment);
-        }
+function collectDrifts(entities, protectOwnership) {
+  const drifts = [];
+  for (const entity of entities) {
+    if (entity.configTier === "protect" && entity.ownership) {
+      const details = [];
+      const expectedMode = entity.kind === "directory" ? PROTECT_DIR_MODE : protectOwnership.mode;
+      if (entity.ownership.user !== protectOwnership.user) {
+        details.push({
+          kind: "wrong_owner",
+          expected: protectOwnership.user,
+          actual: entity.ownership.user
+        });
       }
-    } else {
-      parts = value.match(tokenizeIncludingWhitespace) || [];
-    }
-    const tokens = [];
-    let prevPart = null;
-    parts.forEach((part) => {
-      if (/\s/.test(part)) {
-        if (prevPart == null) {
-          tokens.push(part);
-        } else {
-          tokens.push(tokens.pop() + part);
-        }
-      } else if (prevPart != null && /\s/.test(prevPart)) {
-        if (tokens[tokens.length - 1] == prevPart) {
-          tokens.push(tokens.pop() + part);
-        } else {
-          tokens.push(prevPart + part);
-        }
-      } else {
-        tokens.push(part);
+      if (entity.ownership.group !== protectOwnership.group) {
+        details.push({
+          kind: "wrong_group",
+          expected: protectOwnership.group,
+          actual: entity.ownership.group
+        });
       }
-      prevPart = part;
-    });
-    return tokens;
-  }
-  join(tokens) {
-    return tokens.map((token, i) => {
-      if (i == 0) {
-        return token;
-      } else {
-        return token.replace(/^\s+/, "");
+      if (entity.ownership.mode !== expectedMode) {
+        details.push({ kind: "wrong_mode", expected: expectedMode, actual: entity.ownership.mode });
       }
-    }).join("");
-  }
-  postProcess(changes, options) {
-    if (!changes || options.oneChangePerToken) {
-      return changes;
-    }
-    let lastKeep = null;
-    let insertion = null;
-    let deletion = null;
-    changes.forEach((change) => {
-      if (change.added) {
-        insertion = change;
-      } else if (change.removed) {
-        deletion = change;
-      } else {
-        if (insertion || deletion) {
-          dedupeWhitespaceInChangeObjects(lastKeep, deletion, insertion, change);
-        }
-        lastKeep = change;
-        insertion = null;
-        deletion = null;
+      if (details.length > 0) {
+        drifts.push({ entity, details });
       }
-    });
-    if (insertion || deletion) {
-      dedupeWhitespaceInChangeObjects(lastKeep, deletion, insertion, null);
     }
-    return changes;
+    if (entity.kind === "directory") {
+      drifts.push(...collectDrifts(entity.children, protectOwnership));
+    }
   }
+  return drifts;
 }
-var wordDiff = new WordDiff;
-function dedupeWhitespaceInChangeObjects(startKeep, deletion, insertion, endKeep) {
-  if (deletion && insertion) {
-    const oldWsPrefix = leadingWs(deletion.value);
-    const oldWsSuffix = trailingWs(deletion.value);
-    const newWsPrefix = leadingWs(insertion.value);
-    const newWsSuffix = trailingWs(insertion.value);
-    if (startKeep) {
-      const commonWsPrefix = longestCommonPrefix(oldWsPrefix, newWsPrefix);
-      startKeep.value = replaceSuffix(startKeep.value, newWsPrefix, commonWsPrefix);
-      deletion.value = removePrefix(deletion.value, commonWsPrefix);
-      insertion.value = removePrefix(insertion.value, commonWsPrefix);
-    }
-    if (endKeep) {
-      const commonWsSuffix = longestCommonSuffix(oldWsSuffix, newWsSuffix);
-      endKeep.value = replacePrefix(endKeep.value, newWsSuffix, commonWsSuffix);
-      deletion.value = removeSuffix(deletion.value, commonWsSuffix);
-      insertion.value = removeSuffix(insertion.value, commonWsSuffix);
-    }
-  } else if (insertion) {
-    if (startKeep) {
-      const ws = leadingWs(insertion.value);
-      insertion.value = insertion.value.substring(ws.length);
-    }
-    if (endKeep) {
-      const ws = leadingWs(endKeep.value);
-      endKeep.value = endKeep.value.substring(ws.length);
-    }
-  } else if (startKeep && endKeep) {
-    const newWsFull = leadingWs(endKeep.value), delWsStart = leadingWs(deletion.value), delWsEnd = trailingWs(deletion.value);
-    const newWsStart = longestCommonPrefix(newWsFull, delWsStart);
-    deletion.value = removePrefix(deletion.value, newWsStart);
-    const newWsEnd = longestCommonSuffix(removePrefix(newWsFull, newWsStart), delWsEnd);
-    deletion.value = removeSuffix(deletion.value, newWsEnd);
-    endKeep.value = replacePrefix(endKeep.value, newWsFull, newWsEnd);
-    startKeep.value = replaceSuffix(startKeep.value, newWsFull, newWsFull.slice(0, newWsFull.length - newWsEnd.length));
-  } else if (endKeep) {
-    const endKeepWsPrefix = leadingWs(endKeep.value);
-    const deletionWsSuffix = trailingWs(deletion.value);
-    const overlap = maximumOverlap(deletionWsSuffix, endKeepWsPrefix);
-    deletion.value = removeSuffix(deletion.value, overlap);
-  } else if (startKeep) {
-    const startKeepWsSuffix = trailingWs(startKeep.value);
-    const deletionWsPrefix = leadingWs(deletion.value);
-    const overlap = maximumOverlap(startKeepWsSuffix, deletionWsPrefix);
-    deletion.value = removePrefix(deletion.value, overlap);
+async function buildFile(ops, path, tier) {
+  const statResult = await ops.stat(path);
+  let diskExists = false;
+  let ownership = null;
+  if (statResult.ok) {
+    diskExists = true;
+    ownership = statResult.value.ownership;
+  } else if (statResult.error.kind !== "not_found") {
+    return err({
+      kind: "build_failed",
+      message: `stat failed for ${path}: ${statResult.error.kind}`
+    });
   }
-}
-
-class WordsWithSpaceDiff extends Diff {
-  tokenize(value) {
-    const regex = new RegExp(`(\\r?\\n)|[${extendedWordChars}]+|[^\\S\\n\\r]+|[^${extendedWordChars}]`, "ug");
-    return value.match(regex) || [];
+  let canonicalHash = null;
+  if (diskExists) {
+    const hashResult = await ops.hashFile(path);
+    if (!hashResult.ok) {
+      return err({
+        kind: "build_failed",
+        message: `hash failed for ${path}: ${hashResult.error.kind}`
+      });
+    }
+    canonicalHash = hashResult.value;
   }
-}
-var wordsWithSpaceDiff = new WordsWithSpaceDiff;
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/line.js
-class LineDiff extends Diff {
-  constructor() {
-    super(...arguments);
-    this.tokenize = tokenize;
+  const staged = stagingPath(path);
+  const stagedExists = await ops.exists(staged);
+  if (!stagedExists.ok) {
+    return err({
+      kind: "build_failed",
+      message: `exists check failed for ${staged}: ${stagedExists.error.kind}`
+    });
   }
-  equals(left, right, options) {
-    if (options.ignoreWhitespace) {
-      if (!options.newlineIsToken || !left.includes(`
-`)) {
-        left = left.trim();
-      }
-      if (!options.newlineIsToken || !right.includes(`
-`)) {
-        right = right.trim();
-      }
-    } else if (options.ignoreNewlineAtEof && !options.newlineIsToken) {
-      if (left.endsWith(`
-`)) {
-        left = left.slice(0, -1);
-      }
-      if (right.endsWith(`
-`)) {
-        right = right.slice(0, -1);
-      }
+  let stagedHash = null;
+  let isDelete = false;
+  if (stagedExists.value) {
+    const content = await ops.readFile(staged);
+    if (!content.ok) {
+      return err({
+        kind: "build_failed",
+        message: `read failed for ${staged}: ${content.error.kind}`
+      });
     }
-    return super.equals(left, right, options);
-  }
-}
-var lineDiff = new LineDiff;
-function diffLines(oldStr, newStr, options) {
-  return lineDiff.diff(oldStr, newStr, options);
-}
-function tokenize(value, options) {
-  if (options.stripTrailingCr) {
-    value = value.replace(/\r\n/g, `
-`);
-  }
-  const retLines = [], linesAndNewlines = value.split(/(\n|\r\n)/);
-  if (!linesAndNewlines[linesAndNewlines.length - 1]) {
-    linesAndNewlines.pop();
-  }
-  for (let i = 0;i < linesAndNewlines.length; i++) {
-    const line = linesAndNewlines[i];
-    if (i % 2 && !options.newlineIsToken) {
-      retLines[retLines.length - 1] += line;
+    if (isDeleteSentinel(content.value)) {
+      isDelete = true;
     } else {
-      retLines.push(line);
-    }
-  }
-  return retLines;
-}
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/sentence.js
-function isSentenceEndPunct(char) {
-  return char == "." || char == "!" || char == "?";
-}
-
-class SentenceDiff extends Diff {
-  tokenize(value) {
-    var _a;
-    const result = [];
-    let tokenStartI = 0;
-    for (let i = 0;i < value.length; i++) {
-      if (i == value.length - 1) {
-        result.push(value.slice(tokenStartI));
-        break;
-      }
-      if (isSentenceEndPunct(value[i]) && value[i + 1].match(/\s/)) {
-        result.push(value.slice(tokenStartI, i + 1));
-        i = tokenStartI = i + 1;
-        while ((_a = value[i + 1]) === null || _a === undefined ? undefined : _a.match(/\s/)) {
-          i++;
-        }
-        result.push(value.slice(tokenStartI, i + 1));
-        tokenStartI = i + 1;
+      const hashResult = await ops.hashFile(staged);
+      if (!hashResult.ok) {
+        return err({
+          kind: "build_failed",
+          message: `hash failed for ${staged}: ${hashResult.error.kind}`
+        });
       }
+      stagedHash = hashResult.value;
     }
-    return result;
-  }
-}
-var sentenceDiff = new SentenceDiff;
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/css.js
-class CssDiff extends Diff {
-  tokenize(value) {
-    return value.split(/([{}:;,]|\s+)/);
   }
-}
-var cssDiff = new CssDiff;
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/json.js
-class JsonDiff extends Diff {
-  constructor() {
-    super(...arguments);
-    this.tokenize = tokenize;
+  if (!diskExists && !stagedExists.value) {
+    return ok(null);
   }
-  get useLongestToken() {
-    return true;
-  }
-  castInput(value, options) {
-    const { undefinedReplacement, stringifyReplacer = (k, v) => typeof v === "undefined" ? undefinedReplacement : v } = options;
-    return typeof value === "string" ? value : JSON.stringify(canonicalize(value, null, null, stringifyReplacer), null, "  ");
-  }
-  equals(left, right, options) {
-    return super.equals(left.replace(/,([\r\n])/g, "$1"), right.replace(/,([\r\n])/g, "$1"), options);
-  }
-}
-var jsonDiff = new JsonDiff;
-function canonicalize(obj, stack, replacementStack, replacer, key) {
-  stack = stack || [];
-  replacementStack = replacementStack || [];
-  if (replacer) {
-    obj = replacer(key === undefined ? "" : key, obj);
-  }
-  let i;
-  for (i = 0;i < stack.length; i += 1) {
-    if (stack[i] === obj) {
-      return replacementStack[i];
-    }
-  }
-  let canonicalizedObj;
-  if (Object.prototype.toString.call(obj) === "[object Array]") {
-    stack.push(obj);
-    canonicalizedObj = new Array(obj.length);
-    replacementStack.push(canonicalizedObj);
-    for (i = 0;i < obj.length; i += 1) {
-      canonicalizedObj[i] = canonicalize(obj[i], stack, replacementStack, replacer, String(i));
-    }
-    stack.pop();
-    replacementStack.pop();
-    return canonicalizedObj;
-  }
-  if (obj && obj.toJSON) {
-    obj = obj.toJSON();
-  }
-  if (typeof obj === "object" && obj !== null) {
-    stack.push(obj);
-    canonicalizedObj = {};
-    replacementStack.push(canonicalizedObj);
-    const sortedKeys = [];
-    let key2;
-    for (key2 in obj) {
-      if (Object.prototype.hasOwnProperty.call(obj, key2)) {
-        sortedKeys.push(key2);
-      }
-    }
-    sortedKeys.sort();
-    for (i = 0;i < sortedKeys.length; i += 1) {
-      key2 = sortedKeys[i];
-      canonicalizedObj[key2] = canonicalize(obj[key2], stack, replacementStack, replacer, key2);
-    }
-    stack.pop();
-    replacementStack.pop();
+  let status;
+  if (isDelete) {
+    status = "deleted";
+  } else if (!diskExists) {
+    status = "created";
+  } else if (stagedHash === null) {
+    status = "unchanged";
+  } else if (stagedHash === canonicalHash) {
+    status = "unchanged";
   } else {
-    canonicalizedObj = obj;
-  }
-  return canonicalizedObj;
-}
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/diff/array.js
-class ArrayDiff extends Diff {
-  tokenize(value) {
-    return value.slice();
-  }
-  join(value) {
-    return value;
-  }
-  removeEmpty(value) {
-    return value;
+    status = "modified";
   }
+  return ok({
+    kind: "file",
+    path,
+    configTier: tier,
+    ownership: ownership ? { user: ownership.user, group: ownership.group, mode: ownership.mode } : null,
+    canonicalHash,
+    stagedHash,
+    status
+  });
 }
-var arrayDiff = new ArrayDiff;
-
-// ../../node_modules/.bun/diff@8.0.3/node_modules/diff/libesm/patch/create.js
-var INCLUDE_HEADERS = {
-  includeIndex: true,
-  includeUnderline: true,
-  includeFileHeaders: true
-};
-function structuredPatch(oldFileName, newFileName, oldStr, newStr, oldHeader, newHeader, options) {
-  let optionsObj;
-  if (!options) {
-    optionsObj = {};
-  } else if (typeof options === "function") {
-    optionsObj = { callback: options };
-  } else {
-    optionsObj = options;
-  }
-  if (typeof optionsObj.context === "undefined") {
-    optionsObj.context = 4;
-  }
-  const context = optionsObj.context;
-  if (optionsObj.newlineIsToken) {
-    throw new Error("newlineIsToken may not be used with patch-generation functions, only with diffing functions");
+async function buildDirectory(ops, dirPath, tier) {
+  const statResult = await ops.stat(dirPath);
+  let diskExists = false;
+  let ownership = null;
+  if (statResult.ok) {
+    if (statResult.value.isDirectory) {
+      diskExists = true;
+      ownership = statResult.value.ownership;
+    }
+  } else if (statResult.error.kind !== "not_found") {
+    return err({
+      kind: "build_failed",
+      message: `stat failed for ${dirPath}: ${statResult.error.kind}`
+    });
   }
-  if (!optionsObj.callback) {
-    return diffLinesResultToPatch(diffLines(oldStr, newStr, optionsObj));
-  } else {
-    const { callback } = optionsObj;
-    diffLines(oldStr, newStr, Object.assign(Object.assign({}, optionsObj), { callback: (diff) => {
-      const patch = diffLinesResultToPatch(diff);
-      callback(patch);
-    } }));
-  }
-  function diffLinesResultToPatch(diff) {
-    if (!diff) {
-      return;
-    }
-    diff.push({ value: "", lines: [] });
-    function contextLines(lines) {
-      return lines.map(function(entry) {
-        return " " + entry;
+  const staged = stagingPath(dirPath);
+  const stagedStat = await ops.stat(staged);
+  let dirDelete = false;
+  if (stagedStat.ok && !stagedStat.value.isDirectory) {
+    const content = await ops.readFile(staged);
+    if (!content.ok) {
+      return err({
+        kind: "build_failed",
+        message: `read failed for ${staged}: ${content.error.kind}`
       });
     }
-    const hunks = [];
-    let oldRangeStart = 0, newRangeStart = 0, curRange = [], oldLine = 1, newLine = 1;
-    for (let i = 0;i < diff.length; i++) {
-      const current = diff[i], lines = current.lines || splitLines(current.value);
-      current.lines = lines;
-      if (current.added || current.removed) {
-        if (!oldRangeStart) {
-          const prev = diff[i - 1];
-          oldRangeStart = oldLine;
-          newRangeStart = newLine;
-          if (prev) {
-            curRange = context > 0 ? contextLines(prev.lines.slice(-context)) : [];
-            oldRangeStart -= curRange.length;
-            newRangeStart -= curRange.length;
-          }
-        }
-        for (const line of lines) {
-          curRange.push((current.added ? "+" : "-") + line);
-        }
-        if (current.added) {
-          newLine += lines.length;
-        } else {
-          oldLine += lines.length;
-        }
-      } else {
-        if (oldRangeStart) {
-          if (lines.length <= context * 2 && i < diff.length - 2) {
-            for (const line of contextLines(lines)) {
-              curRange.push(line);
-            }
-          } else {
-            const contextSize = Math.min(lines.length, context);
-            for (const line of contextLines(lines.slice(0, contextSize))) {
-              curRange.push(line);
-            }
-            const hunk = {
-              oldStart: oldRangeStart,
-              oldLines: oldLine - oldRangeStart + contextSize,
-              newStart: newRangeStart,
-              newLines: newLine - newRangeStart + contextSize,
-              lines: curRange
-            };
-            hunks.push(hunk);
-            oldRangeStart = 0;
-            newRangeStart = 0;
-            curRange = [];
-          }
-        }
-        oldLine += lines.length;
-        newLine += lines.length;
-      }
-    }
-    for (const hunk of hunks) {
-      for (let i = 0;i < hunk.lines.length; i++) {
-        if (hunk.lines[i].endsWith(`
-`)) {
-          hunk.lines[i] = hunk.lines[i].slice(0, -1);
-        } else {
-          hunk.lines.splice(i + 1, 0, "\");
-          i++;
-        }
-      }
-    }
-    return {
-      oldFileName,
-      newFileName,
-      oldHeader,
-      newHeader,
-      hunks
-    };
-  }
-}
-function formatPatch(patch, headerOptions) {
-  if (!headerOptions) {
-    headerOptions = INCLUDE_HEADERS;
-  }
-  if (Array.isArray(patch)) {
-    if (patch.length > 1 && !headerOptions.includeFileHeaders) {
-      throw new Error("Cannot omit file headers on a multi-file patch. " + "(The result would be unparseable; how would a tool trying to apply " + "the patch know which changes are to which file?)");
+    if (isDeleteSentinel(content.value)) {
+      dirDelete = true;
     }
-    return patch.map((p) => formatPatch(p, headerOptions)).join(`
-`);
-  }
-  const ret = [];
-  if (headerOptions.includeIndex && patch.oldFileName == patch.newFileName) {
-    ret.push("Index: " + patch.oldFileName);
-  }
-  if (headerOptions.includeUnderline) {
-    ret.push("===================================================================");
-  }
-  if (headerOptions.includeFileHeaders) {
-    ret.push("--- " + patch.oldFileName + (typeof patch.oldHeader === "undefined" ? "" : "\t" + patch.oldHeader));
-    ret.push("+++ " + patch.newFileName + (typeof patch.newHeader === "undefined" ? "" : "\t" + patch.newHeader));
-  }
-  for (let i = 0;i < patch.hunks.length; i++) {
-    const hunk = patch.hunks[i];
-    if (hunk.oldLines === 0) {
-      hunk.oldStart -= 1;
-    }
-    if (hunk.newLines === 0) {
-      hunk.newStart -= 1;
-    }
-    ret.push("@@ -" + hunk.oldStart + "," + hunk.oldLines + " +" + hunk.newStart + "," + hunk.newLines + " @@");
-    for (const line of hunk.lines) {
-      ret.push(line);
-    }
-  }
-  return ret.join(`
-`) + `
-`;
-}
-function createTwoFilesPatch(oldFileName, newFileName, oldStr, newStr, oldHeader, newHeader, options) {
-  if (typeof options === "function") {
-    options = { callback: options };
-  }
-  if (!(options === null || options === undefined ? undefined : options.callback)) {
-    const patchObj = structuredPatch(oldFileName, newFileName, oldStr, newStr, oldHeader, newHeader, options);
-    if (!patchObj) {
-      return;
-    }
-    return formatPatch(patchObj, options === null || options === undefined ? undefined : options.headerOptions);
-  } else {
-    const { callback } = options;
-    structuredPatch(oldFileName, newFileName, oldStr, newStr, oldHeader, newHeader, Object.assign(Object.assign({}, options), { callback: (patchObj) => {
-      if (!patchObj) {
-        callback(undefined);
-      } else {
-        callback(formatPatch(patchObj, options.headerOptions));
-      }
-    } }));
+  } else if (!stagedStat.ok && stagedStat.error.kind !== "not_found") {
+    return err({
+      kind: "build_failed",
+      message: `stat failed for ${staged}: ${stagedStat.error.kind}`
+    });
   }
-}
-function splitLines(text) {
-  const hasTrailingNl = text.endsWith(`
-`);
-  const result = text.split(`
-`).map((line) => line + `
-`);
-  if (hasTrailingNl) {
-    result.pop();
-  } else {
-    result.push(result.pop().slice(0, -1));
+  if (!diskExists && !dirDelete) {
+    const stagedDirExists = stagedStat.ok && stagedStat.value.isDirectory;
+    if (!stagedDirExists)
+      return ok(null);
   }
-  return result;
-}
-
-// ../core/src/diff.ts
-var STAGING_DIR = ".soulguard/staging";
-async function diff(options) {
-  const { ops, config, files: filterFiles } = options;
-  const stagingExists = await ops.exists(STAGING_DIR);
-  if (!stagingExists.ok) {
-    return err({ kind: "read_failed", path: STAGING_DIR, message: stagingExists.error.message });
-  }
-  if (!stagingExists.value) {
-    return err({ kind: "no_staging" });
-  }
-  const resolved = await resolvePatterns(ops, config.vault);
-  if (!resolved.ok) {
-    return err({ kind: "read_failed", path: "glob", message: resolved.error.message });
-  }
-  let vaultFiles = resolved.value;
-  if (filterFiles && filterFiles.length > 0) {
-    const filterSet = new Set(filterFiles);
-    vaultFiles = vaultFiles.filter((p) => filterSet.has(p));
-  }
-  const fileDiffs = [];
-  for (const path of vaultFiles) {
-    const stagingPath = `${STAGING_DIR}/${path}`;
-    const [vaultExists, stagingFileExists] = await Promise.all([
-      ops.exists(path),
-      ops.exists(stagingPath)
-    ]);
-    if (!vaultExists.ok) {
-      return err({ kind: "read_failed", path, message: vaultExists.error.message });
-    }
-    if (!stagingFileExists.ok) {
+  const children = [];
+  const diskChildren = new Set;
+  if (diskExists) {
+    const listResult = await ops.listDir(dirPath);
+    if (!listResult.ok) {
       return err({
-        kind: "read_failed",
-        path: stagingPath,
-        message: stagingFileExists.error.message
-      });
-    }
-    if (vaultExists.value && !stagingFileExists.value) {
-      const vaultHash2 = await ops.hashFile(path);
-      fileDiffs.push({
-        path,
-        status: "deleted",
-        protectedHash: vaultHash2.ok ? vaultHash2.value : undefined
-      });
-      continue;
-    }
-    if (!vaultExists.value && stagingFileExists.value) {
-      const newHash = await ops.hashFile(stagingPath);
-      fileDiffs.push({
-        path,
-        status: "vault_missing",
-        stagedHash: newHash.ok ? newHash.value : undefined
-      });
-      continue;
-    }
-    if (!vaultExists.value && !stagingFileExists.value) {
-      fileDiffs.push({ path, status: "staging_missing" });
-      continue;
-    }
-    const [vaultHash, stagingHash] = await Promise.all([
-      ops.hashFile(path),
-      ops.hashFile(stagingPath)
-    ]);
-    if (!vaultHash.ok) {
-      return err({ kind: "read_failed", path, message: "hash failed" });
-    }
-    if (!stagingHash.ok) {
-      return err({ kind: "read_failed", path: stagingPath, message: "hash failed" });
-    }
-    if (vaultHash.value === stagingHash.value) {
-      fileDiffs.push({
-        path,
-        status: "unchanged",
-        protectedHash: vaultHash.value,
-        stagedHash: stagingHash.value
+        kind: "build_failed",
+        message: `listDir failed for ${dirPath}: ${listResult.error.kind}`
       });
-      continue;
     }
-    const [vaultContent, stagingContent] = await Promise.all([
-      ops.readFile(path),
-      ops.readFile(stagingPath)
-    ]);
-    if (!vaultContent.ok) {
-      return err({ kind: "read_failed", path, message: "read failed" });
+    for (const childPath of listResult.value) {
+      diskChildren.add(childPath);
     }
-    if (!stagingContent.ok) {
-      return err({ kind: "read_failed", path: stagingPath, message: "read failed" });
-    }
-    const unifiedDiff = createTwoFilesPatch(`a/${path}`, `b/${path}`, vaultContent.value, stagingContent.value);
-    fileDiffs.push({
-      path,
-      status: "modified",
-      diff: unifiedDiff,
-      protectedHash: vaultHash.value,
-      stagedHash: stagingHash.value
-    });
   }
-  const hasChanges = fileDiffs.some((f) => f.status !== "unchanged");
-  let approvalHash;
-  if (hasChanges) {
-    approvalHash = computeApprovalHash(fileDiffs);
+  const stagedChildren = new Set;
+  if (!dirDelete) {
+    if (stagedStat.ok && stagedStat.value.isDirectory) {
+      const stagedList = await ops.listDir(staged);
+      if (!stagedList.ok) {
+        return err({
+          kind: "build_failed",
+          message: `listDir failed for ${staged}: ${stagedList.error.kind}`
+        });
+      }
+      for (const stagedChildPath of stagedList.value) {
+        const canonical = stagedChildPath.slice(STAGING_DIR.length + 1);
+        stagedChildren.add(canonical);
+      }
+    }
   }
-  return ok({ files: fileDiffs, hasChanges, approvalHash });
-}
-function computeApprovalHash(files) {
-  const actionable = files.filter((f) => (f.status === "modified" || f.status === "vault_missing") && f.stagedHash || f.status === "deleted").sort((a, b) => a.path.localeCompare(b.path));
-  const hash = createHash2("sha256");
-  for (const f of actionable) {
-    if (f.status === "deleted") {
-      hash.update(`${f.path}\x00DELETED\x00${f.protectedHash ?? ""}\x00`);
+  const allChildren = new Set([...diskChildren, ...stagedChildren]);
+  for (const childPath of [...allChildren].sort()) {
+    if (dirDelete) {
+      const childStat = await ops.stat(childPath);
+      let childOwnership = null;
+      let childHash = null;
+      if (childStat.ok) {
+        childOwnership = {
+          user: childStat.value.ownership.user,
+          group: childStat.value.ownership.group,
+          mode: childStat.value.ownership.mode
+        };
+        const hashResult = await ops.hashFile(childPath);
+        if (!hashResult.ok) {
+          return err({
+            kind: "build_failed",
+            message: `hash failed for ${childPath}: ${hashResult.error.kind}`
+          });
+        }
+        childHash = hashResult.value;
+      } else if (childStat.error.kind !== "not_found") {
+        return err({
+          kind: "build_failed",
+          message: `stat failed for ${childPath}: ${childStat.error.kind}`
+        });
+      }
+      children.push({
+        kind: "file",
+        path: childPath,
+        configTier: tier,
+        ownership: childOwnership,
+        canonicalHash: childHash,
+        stagedHash: null,
+        status: "deleted"
+      });
     } else {
-      hash.update(`${f.path}\x00${f.stagedHash}\x00`);
+      const childResult = await buildFile(ops, childPath, tier);
+      if (!childResult.ok)
+        return childResult;
+      if (childResult.value)
+        children.push(childResult.value);
     }
   }
-  return hash.digest("hex");
+  if (!diskExists && children.length === 0)
+    return ok(null);
+  return ok({
+    kind: "directory",
+    path: dirPath,
+    configTier: tier,
+    ownership: ownership ? { user: ownership.user, group: ownership.group, mode: ownership.mode } : null,
+    deleted: dirDelete,
+    children
+  });
 }
-// ../core/src/constants.ts
-var IDENTITY = { user: "soulguardian", group: "soulguard" };
-var VAULT_OWNERSHIP = {
-  user: IDENTITY.user,
-  group: IDENTITY.group,
-  mode: "444"
-};
-// ../core/src/vault-check.ts
-function isVaultedFile(vaultFiles, filePath) {
+// ../core/src/sdk/config.ts
+function patternsForTier(config, tier) {
+  return Object.entries(config.files).filter(([, t]) => t === tier).map(([pattern]) => pattern);
+}
+function protectPatterns(config) {
+  return patternsForTier(config, "protect");
+}
+// ../core/src/sdk/protect-check.ts
+function isProtectedFile(protectFiles, filePath) {
   const norm = normalizePath(filePath);
-  return vaultFiles.some((pattern) => {
-    const normPattern = normalizePath(pattern);
-    if (isGlob(normPattern)) {
-      return matchGlob(normPattern, norm);
-    }
-    return norm === normPattern;
+  return protectFiles.some((entry) => {
+    const normEntry = normalizePath(entry);
+    return norm === normEntry || norm.startsWith(normEntry + "/");
   });
 }
 function normalizePath(p) {
@@ -5734,16 +4723,18 @@ function normalizePath(p) {
     s = s.slice(2);
   if (s.startsWith("/"))
     s = s.slice(1);
+  if (s.endsWith("/"))
+    s = s.slice(0, -1);
   return s;
 }
 // src/guard.ts
-import { basename } from "node:path";
-var WRITE_TOOLS = new Set(["Write", "Edit"]);
+import path from "node:path";
+var WRITE_TOOLS = new Set(["write", "edit"]);
 var PATH_KEYS = ["file_path", "path", "file"];
-var STAGING_PREFIX = ".soulguard/staging/";
 function guardToolCall(toolName, params, options) {
-  if (!WRITE_TOOLS.has(toolName))
+  if (!WRITE_TOOLS.has(toolName.toLowerCase())) {
     return { blocked: false };
+  }
   let targetPath;
   for (const key of PATH_KEYS) {
     const v = params[key];
@@ -5752,138 +4743,59 @@ function guardToolCall(toolName, params, options) {
       break;
     }
   }
+  if (targetPath && path.isAbsolute(targetPath)) {
+    targetPath = path.relative(options.stateDir, targetPath);
+  }
   if (!targetPath)
     return { blocked: false };
-  const norm = normalizePath(targetPath);
-  if (norm.startsWith(STAGING_PREFIX))
+  if (isStagingPath(targetPath))
     return { blocked: false };
-  if (!isVaultedFile(options.vaultFiles, targetPath))
+  if (!isProtectedFile(options.protectFiles, targetPath))
     return { blocked: false };
-  const fileName = basename(targetPath);
   return {
     blocked: true,
-    reason: `${fileName} is vault-protected by soulguard. ` + `To modify it, edit .soulguard/staging/${norm} instead. ` + `Your changes will be reviewed and approved by the owner.`
+    reason: [
+      `${targetPath} is protected by soulguard.`,
+      `To propose changes, run \`soulguard stage ${targetPath}\` to create a working copy,`,
+      `then edit the staged file at ${stagingPath(targetPath)}.`,
+      `Run \`soulguard diff\` to review your changes.`,
+      `Your owner will review and apply the changes.`
+    ].join(" ")
   };
 }
 
 // src/plugin.ts
-var OPENCLAW_DEFAULT_CONFIG = {
-  vault: ["openclaw.json", "soulguard.json"],
-  ledger: []
-};
+var PKG_VERSION = "0.2.1";
 var PLUGIN_DESCRIPTION = "Identity protection for AI agents";
 function createSoulguardPlugin(options) {
   return {
     id: "soulguard",
     name: "Soulguard",
     description: PLUGIN_DESCRIPTION,
-    version: "0.1.0",
+    version: PKG_VERSION,
     activate(api) {
-      const workspaceDir = api.resolvePath?.(".") ?? api.runtime.workspaceDir ?? ".";
+      const stateDir = process.env.OPENCLAW_STATE_DIR?.trim() ?? join2(os.homedir(), ".openclaw");
       const configFile = options?.configPath ?? "soulguard.json";
-      const configPath = api.resolvePath?.(configFile) ?? join(workspaceDir, configFile);
-      let config;
-      let vaultFiles;
+      const configPath = join2(stateDir, configFile);
+      let protectFiles;
       try {
         const raw = JSON.parse(readFileSync(configPath, "utf-8"));
-        config = parseConfig(raw);
-        vaultFiles = config.vault;
+        protectFiles = protectPatterns(parseConfig(raw));
       } catch {
-        config = OPENCLAW_DEFAULT_CONFIG;
-        vaultFiles = config.vault;
-        api.logger?.warn("soulguard: no soulguard.json found — using OpenClaw defaults");
+        api.logger?.warn(`soulguard: no config found at ${configPath} — plugin inactive`);
+        return;
       }
-      if (vaultFiles.length === 0)
+      if (protectFiles.length === 0)
         return;
-      const createOps = () => new NodeSystemOps(workspaceDir);
-      api.registerTool({
-        name: "soulguard_status",
-        description: "Check soulguard protection status of vault and ledger files",
-        parameters: { type: "object", properties: {}, required: [] },
-        async execute(_id, _params) {
-          const ops = createOps();
-          const result = await status({
-            config,
-            expectedVaultOwnership: { user: "soulguardian", group: "soulguard", mode: "444" },
-            expectedLedgerOwnership: { user: "agent", group: "staff", mode: "644" },
-            ops
-          });
-          if (!result.ok) {
-            return { content: [{ type: "text", text: "Status check failed" }] };
-          }
-          const lines = ["Soulguard Status:", ""];
-          for (const f of [...result.value.vault, ...result.value.ledger]) {
-            if (f.status === "ok")
-              lines.push(`  ✅ ${f.file.path}`);
-            else if (f.status === "drifted")
-              lines.push(`  ⚠️  ${f.file.path} — ${f.issues.map((i) => i.kind).join(", ")}`);
-            else if (f.status === "missing")
-              lines.push(`  ❌ ${f.path} — missing`);
-            else if (f.status === "error")
-              lines.push(`  ❌ ${f.path} — error: ${f.error.kind}`);
-          }
-          if (result.value.issues.length === 0)
-            lines.push("", "All files ok.");
-          else
-            lines.push("", `${result.value.issues.length} issue(s) found.`);
-          return { content: [{ type: "text", text: lines.join(`
-`) }] };
-        }
-      }, { optional: true });
-      api.registerTool({
-        name: "soulguard_diff",
-        description: "Show differences between vault files and their staging copies",
-        parameters: {
-          type: "object",
-          properties: {
-            files: {
-              type: "array",
-              items: { type: "string" },
-              description: "Specific files to diff (default: all vault files)"
-            }
-          },
-          required: []
-        },
-        async execute(_id, params) {
-          const ops = createOps();
-          const files = Array.isArray(params.files) ? params.files : undefined;
-          const result = await diff({ ops, config, files });
-          if (!result.ok) {
-            return {
-              content: [{ type: "text", text: `Diff failed: ${result.error.kind}` }]
-            };
-          }
-          if (!result.value.hasChanges) {
-            return {
-              content: [
-                { type: "text", text: "No differences — staging matches vault." }
-              ]
-            };
-          }
-          const lines = result.value.files.filter((d) => d.status === "modified" && d.diff).map((d) => `--- ${d.path}
-${d.diff}`);
-          let text = lines.join(`
-
-`) || "No modified files.";
-          if (result.value.approvalHash) {
-            text += `
-
-────────────────────────────────────────
-Approval hash: ${result.value.approvalHash}
-To approve: soulguard approve --hash ${result.value.approvalHash}`;
-          }
-          return { content: [{ type: "text", text }] };
-        }
-      }, { optional: true });
-      const hookFn = api.registerHook ?? api.on;
-      hookFn("before_tool_call", (...args) => {
+      api.on("before_tool_call", (...args) => {
         const event = args[0];
         if (!event || typeof event !== "object" || !("toolName" in event)) {
           return;
         }
         const e = event;
         const result = guardToolCall(e.toolName, e.params, {
-          vaultFiles
+          protectFiles,
+          stateDir
         });
         if (result.blocked) {
           return { block: true, blockReason: result.reason };
@@ -5893,14 +4805,28 @@ To approve: soulguard approve --hash ${result.value.approvalHash}`;
     }
   };
 }
+// src/context.ts
+async function getPendingChanges(options) {
+  const treeResult = await StateTree.build(options);
+  if (!treeResult.ok)
+    return { files: [] };
+  return { files: treeResult.value.changedFiles().map((f) => f.path) };
+}
+async function buildPendingChangesContext(options) {
+  const { files } = await getPendingChanges(options);
+  if (files.length === 0)
+    return;
+  const fileList = files.join(", ");
+  return `[Soulguard] ${files.length} protected file(s) have pending staged changes: ${fileList}. ` + `Use \`soulguard diff\` to review. Ask your owner to apply changes, ` + `or use \`soulguard reset\` to discard them.`;
+}
+
 // src/index.ts
 var src_default = createSoulguardPlugin();
 export {
   templates,
-  relaxedTemplate,
-  paranoidTemplate,
   guardToolCall,
-  defaultTemplate,
+  getPendingChanges,
   src_default as default,
-  createSoulguardPlugin
+  createSoulguardPlugin,
+  buildPendingChangesContext
 };