@telora/daemon 0.15.36 → 0.15.40

package/dist/security-rescan-resolution.js

@@ -0,0 +1,114 @@
+/**
+ * Re-scan resolution: when a scan run completes that covered a finding's
+ * IOC class but did not re-produce a previously-open finding, flip the
+ * finding to 'resolved' and (if the linked injection's delivery is done)
+ * auto-verify the injection.
+ *
+ * Called by the scanner engine immediately after a run finishes writing
+ * its findings, before suppression-expiry sweeps and before the next
+ * tick begins.
+ *
+ * @module security-rescan-resolution
+ */
+import { callApi } from './queries/shared.js';
+/**
+ * Resolve previously-open findings that didn't re-appear in this run.
+ *
+ * @returns the list of finding ids that were flipped to 'resolved'.
+ */
+export async function resolveStaleFindings(productId, observedSets, deps) {
+    const iocClasses = observedSets.map((s) => s.iocClass);
+    if (iocClasses.length === 0)
+        return [];
+    const openFindings = await deps.listOpenFindings(productId, iocClasses);
+    const observedByClass = new Map();
+    for (const set of observedSets) {
+        observedByClass.set(set.iocClass, set.identifiers);
+    }
+    const resolvedIds = [];
+    for (const finding of openFindings) {
+        const observedInClass = observedByClass.get(finding.iocClass);
+        if (!observedInClass)
+            continue;
+        if (observedInClass.has(finding.identifier))
+            continue;
+        // Finding was open, its class was covered, but it didn't re-appear.
+        await deps.markFindingResolved(finding.id);
+        await deps.writeAudit({
+            findingId: finding.id,
+            organizationId: finding.organizationId,
+            action: 'resolved',
+            payload: { reason: 'absent_in_rescan', ioc_class: finding.iocClass },
+        });
+        resolvedIds.push(finding.id);
+        // Auto-verify the linked injection if its delivery has reached 'done'.
+        if (finding.linkedInjectionId) {
+            const status = await deps.getInjectionDeliveryStatus(finding.linkedInjectionId);
+            if (status === 'done') {
+                await deps.verifyInjection(finding.linkedInjectionId);
+            }
+        }
+    }
+    return resolvedIds;
+}
+// ---------------------------------------------------------------------------
+// Default Deps -- daemon-side wiring via callApi.
+// ---------------------------------------------------------------------------
+export function buildDefaultResolutionDeps() {
+    return {
+        listOpenFindings: async (productId, iocClasses) => {
+            const res = await callApi('daemon_list_open_security_findings', { productId, iocClasses });
+            return res.items ?? [];
+        },
+        markFindingResolved: async (findingId) => {
+            await callApi('daemon_resolve_security_finding', { findingId });
+        },
+        writeAudit: async (input) => {
+            await callApi('daemon_write_security_finding_audit', input);
+        },
+        getInjectionDeliveryStatus: async (injectionNodeId) => {
+            const res = await callApi('daemon_get_injection_delivery_status', { injectionNodeId });
+            return res.status;
+        },
+        verifyInjection: async (injectionNodeId) => {
+            await callApi('reality_tree_verify_injection', { injectionNodeId });
+        },
+    };
+}
+/**
+ * Sweep suppressions whose expires_at has passed and flip them back to
+ * 'open'. Idempotent: a suppression already expired is a no-op on the
+ * second call because the predicate now matches status='open'.
+ *
+ * @returns the finding ids whose suppression was lifted.
+ */
+export async function runSuppressionExpirySweep(deps) {
+    const expired = await deps.listExpiredSuppressions();
+    const lifted = [];
+    for (const finding of expired) {
+        await deps.unsuppressFinding(finding.id);
+        await deps.writeAudit({
+            findingId: finding.id,
+            organizationId: finding.organizationId,
+            action: 'unsuppressed',
+            payload: { reason: 'suppression_expired' },
+        });
+        lifted.push(finding.id);
+    }
+    return lifted;
+}
+export function buildDefaultSuppressionExpirySweepDeps() {
+    return {
+        listExpiredSuppressions: async () => {
+            const res = await callApi('daemon_list_expired_security_suppressions', {});
+            return res.items ?? [];
+        },
+        unsuppressFinding: async (findingId) => {
+            await callApi('daemon_unsuppress_security_finding', { findingId });
+        },
+        writeAudit: async (input) => {
+            await callApi('daemon_write_security_finding_audit', input);
+        },
+    };
+}
+//# sourceMappingURL=security-rescan-resolution.js.map

package/dist/security-rescan-resolution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-rescan-resolution.js","sourceRoot":"","sources":["../src/security-rescan-resolution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AA4C9C;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,YAAiC,EACjC,IAAoB;IAEpB,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACxE,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;IACvD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,MAAM,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC9D,IAAI,CAAC,eAAe;YAAE,SAAS;QAC/B,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC;YAAE,SAAS;QAEtD,oEAAoE;QACpE,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,UAAU,CAAC;YACpB,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE;SACrE,CAAC,CAAC;QACH,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAE7B,uEAAuE;QACvE,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAChF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAE9E,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,gBAAgB,EAAE,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE;YAChD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,oCAAoC,EACpC,EAAE,SAAS,EAAE,UAAU,EAAE,CAC1B,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,mBAAmB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACvC,MAAM,OAAO,CAAC,iCAAiC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;QACD,0BAA0B,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE;YACpD,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,sCAAsC,EACtC,EAAE,eAAe,EAAE,CACpB,CAAC;YACF,OAAO,GAAG,CAAC,MAAM,CAAC;QACpB,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE;YACzC,MAAM,OAAO,CAAC,+BAA+B,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC;QACtE,CAAC;KACF,CAAC;AACJ,CAAC;AAoBD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,IAAgC;IAEhC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC;IACrD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,IAAI,CAAC,UAAU,CAAC;YACpB,SAAS,EAAE,OAAO,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,EAAE,MAAM,EAAE,qBAAqB,EAAE;SAC3C,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,sCAAsC;IACpD,OAAO;QACL,uBAAuB,EAAE,KAAK,IAAI,EAAE;YAClC,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,2CAA2C,EAC3C,EAAE,CACH,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,iBAAiB,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE;YACrC,MAAM,OAAO,CAAC,oCAAoC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;YAC1B,MAAM,OAAO,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC9D,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/security-scan-engine.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Security scan engine.
+ *
+ * Polls security_scan_configs for due scans (cron-due or manual_run_requested_at
+ * set), dispatches pluggable Scanner implementations per IOC class, writes
+ * one security_scan_runs row plus N security_findings rows per execution,
+ * and (downstream) hands findings to security-auto-inject for severity-gated
+ * injection materialization.
+ *
+ * Activation: gated by shouldRunLoop('TELORA_SECURITY_SCAN_LOOP') in
+ * unified-shell.ts. Opt-out semantics match the other daemon loop ticks
+ * (unset/anything-but-'0' = enabled, '0' = disabled). See
+ * docs/runbook-loop-activation.md.
+ *
+ * Pattern reference: verification-engine.ts (pluggable strategies + Deps).
+ *
+ * @module security-scan-engine
+ */
+import type { DaemonConfig } from './types.js';
+import { type AutoInjectDeps } from './security-auto-inject.js';
+import { type ResolutionDeps } from './security-rescan-resolution.js';
+export type Severity = 'low' | 'medium' | 'high' | 'critical';
+/** Configuration row driving an individual product's scan cadence. */
+export interface ScanConfig {
+    id: string;
+    organizationId: string;
+    productId: string;
+    scheduleCron: string;
+    enabledIocClasses: string[];
+    autoInjectSeverityThreshold: Severity;
+    enabled: boolean;
+    manualRunRequestedAt: string | null;
+    lastRunAt: string | null;
+}
+/** Per-scan context passed to each Scanner. */
+export interface ScanContext {
+    config: ScanConfig;
+    repoPath: string;
+}
+/** Single finding draft emitted by a Scanner. Stored in security_findings. */
+export interface FindingDraft {
+    iocClass: string;
+    severity: Severity;
+    identifier: string;
+    payload: Record<string, unknown>;
+}
+/** Per-scanner output for a single scan run. */
+export interface ScanResult {
+    findings: FindingDraft[];
+    /** Coverage breadcrumb (e.g. packages_audited, files_scanned) + any warnings. */
+    coverage: Record<string, unknown>;
+}
+/** Pluggable Scanner contract -- one per IOC class. */
+export interface Scanner {
+    /** IOC class slug, matched against ScanConfig.enabledIocClasses. */
+    iocClass: string;
+    scan(ctx: ScanContext): Promise<ScanResult>;
+}
+export declare function registerScanner(scanner: Scanner): void;
+export declare function getRegisteredScanners(): Scanner[];
+export interface SecurityScanDeps {
+    getDueScanConfigs: () => Promise<ScanConfig[]>;
+    startRun: (configId: string, trigger: 'schedule' | 'manual') => Promise<string>;
+    finishRun: (runId: string, update: {
+        status: 'succeeded' | 'failed' | 'partial';
+        coverageSummary: Record<string, unknown>;
+        findingsCountBySeverity: Record<Severity, number>;
+        durationMs: number;
+    }) => Promise<void>;
+    /**
+     * Persist a finding and return its DB-assigned id so downstream
+     * hooks (auto-injection, resolution) can reference it.
+     */
+    writeFinding: (runId: string, productId: string, organizationId: string, finding: FindingDraft) => Promise<{
+        findingId: string;
+    }>;
+    clearManualRunRequest: (configId: string) => Promise<void>;
+    resolveCwd: (productId: string) => string;
+    scanners: Scanner[];
+    /**
+     * Optional severity-gated auto-injection hook. When set, each newly
+     * written finding is passed to processNewFinding so the daemon can
+     * materialize a remediation injection + delivery for it.
+     */
+    autoInjectDeps?: AutoInjectDeps;
+    /**
+     * Optional re-scan resolution hook. When set, after every scan run
+     * finishes, the engine asks the resolution module to flip previously
+     * open findings whose identifiers did not re-appear to 'resolved'.
+     */
+    resolutionDeps?: ResolutionDeps;
+}
+export declare function runScanForConfig(config: ScanConfig, trigger: 'schedule' | 'manual', deps: SecurityScanDeps): Promise<void>;
+export declare function runSecurityScanTick(deps: SecurityScanDeps): Promise<void>;
+export declare function buildDefaultSecurityScanDeps(config: DaemonConfig): SecurityScanDeps;
+//# sourceMappingURL=security-scan-engine.d.ts.map

package/dist/security-scan-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-scan-engine.d.ts","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,EAGL,KAAK,cAAc,EAGpB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAGL,KAAK,cAAc,EAEpB,MAAM,iCAAiC,CAAC;AAMzC,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE9D,sEAAsE;AACtE,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,2BAA2B,EAAE,QAAQ,CAAC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED,+CAA+C;AAC/C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,UAAU,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,8EAA8E;AAC9E,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,gDAAgD;AAChD,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,iFAAiF;IACjF,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,uDAAuD;AACvD,MAAM,WAAW,OAAO;IACtB,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;CAC7C;AAQD,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAEtD;AAED,wBAAgB,qBAAqB,IAAI,OAAO,EAAE,CAEjD;AAMD,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;IAC/C,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,QAAQ,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAChF,SAAS,EAAE,CACT,KAAK,EAAE,MAAM,EACb,MAAM,EAAE;QACN,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACzC,uBAAuB,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAClD,UAAU,EAAE,MAAM,CAAC;KACpB,KACE,OAAO,CAAC,IAAI,CAAC,CAAC;IACnB;;;OAGG;IACH,YAAY,EAAE,CACZ,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,YAAY,KAClB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACpC,qBAAqB,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,MAAM,CAAC;IAC1C,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,UAAU,EAClB,OAAO,EAAE,UAAU,GAAG,QAAQ,EAC9B,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAAC,IAAI,CAAC,CA8Gf;AAMD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAa/E;AAMD,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,YAAY,GAAG,gBAAgB,CA0CnF"}

package/dist/security-scan-engine.js

@@ -0,0 +1,189 @@
+/**
+ * Security scan engine.
+ *
+ * Polls security_scan_configs for due scans (cron-due or manual_run_requested_at
+ * set), dispatches pluggable Scanner implementations per IOC class, writes
+ * one security_scan_runs row plus N security_findings rows per execution,
+ * and (downstream) hands findings to security-auto-inject for severity-gated
+ * injection materialization.
+ *
+ * Activation: gated by shouldRunLoop('TELORA_SECURITY_SCAN_LOOP') in
+ * unified-shell.ts. Opt-out semantics match the other daemon loop ticks
+ * (unset/anything-but-'0' = enabled, '0' = disabled). See
+ * docs/runbook-loop-activation.md.
+ *
+ * Pattern reference: verification-engine.ts (pluggable strategies + Deps).
+ *
+ * @module security-scan-engine
+ */
+import { callApi } from './queries/shared.js';
+import { configForProduct } from './config.js';
+import { buildDefaultAutoInjectDeps, processNewFinding, } from './security-auto-inject.js';
+import { resolveStaleFindings, buildDefaultResolutionDeps, } from './security-rescan-resolution.js';
+// ---------------------------------------------------------------------------
+// Default registry -- scanners self-register here in their own modules
+// ---------------------------------------------------------------------------
+const DEFAULT_REGISTRY = new Map();
+export function registerScanner(scanner) {
+    DEFAULT_REGISTRY.set(scanner.iocClass, scanner);
+}
+export function getRegisteredScanners() {
+    return [...DEFAULT_REGISTRY.values()];
+}
+export async function runScanForConfig(config, trigger, deps) {
+    const runId = await deps.startRun(config.id, trigger);
+    const startedAt = Date.now();
+    const coverage = {};
+    const warnings = [];
+    const counts = { low: 0, medium: 0, high: 0, critical: 0 };
+    let anyFailure = false;
+    let anySuccess = false;
+    const enabledScanners = deps.scanners.filter((s) => config.enabledIocClasses.includes(s.iocClass));
+    // Per-class observed identifier sets for re-scan resolution. Only
+    // classes whose scanner ran without error contribute -- a failed
+    // scanner can't claim coverage for its class.
+    const observedByClass = new Map();
+    for (const scanner of enabledScanners) {
+        try {
+            const result = await scanner.scan({
+                config,
+                repoPath: deps.resolveCwd(config.productId),
+            });
+            coverage[scanner.iocClass] = result.coverage;
+            anySuccess = true;
+            const observed = new Set();
+            for (const finding of result.findings) {
+                const { findingId } = await deps.writeFinding(runId, config.productId, config.organizationId, finding);
+                counts[finding.severity] = (counts[finding.severity] ?? 0) + 1;
+                observed.add(finding.identifier);
+                // Severity-gated auto-injection. Run per-finding so a failing
+                // injection for one finding does not block the others.
+                if (deps.autoInjectDeps) {
+                    try {
+                        const forInjection = {
+                            id: findingId,
+                            organizationId: config.organizationId,
+                            productId: config.productId,
+                            iocClass: finding.iocClass,
+                            severity: finding.severity,
+                            identifier: finding.identifier,
+                            payload: finding.payload,
+                            status: 'open',
+                            suppression: null,
+                            linkedInjectionId: null,
+                        };
+                        const options = {
+                            autoInjectThreshold: config.autoInjectSeverityThreshold,
+                        };
+                        await processNewFinding(forInjection, options, deps.autoInjectDeps);
+                    }
+                    catch (err) {
+                        warnings.push(`auto-inject ${finding.identifier}: ${err.message}`);
+                    }
+                }
+            }
+            observedByClass.set(scanner.iocClass, observed);
+        }
+        catch (err) {
+            anyFailure = true;
+            warnings.push(`${scanner.iocClass}: ${err.message}`);
+            coverage[scanner.iocClass] = { error: err.message };
+        }
+    }
+    // Re-scan resolution: previously-open findings whose class was
+    // covered by this run but whose identifier did not re-appear are
+    // flipped to 'resolved'. Failures here are non-fatal -- the run
+    // already succeeded for its primary purpose (finding fresh issues).
+    if (deps.resolutionDeps && observedByClass.size > 0) {
+        try {
+            const observedSets = Array.from(observedByClass.entries()).map(([iocClass, identifiers]) => ({ iocClass, identifiers }));
+            const resolved = await resolveStaleFindings(config.productId, observedSets, deps.resolutionDeps);
+            if (resolved.length > 0) {
+                coverage.resolved_findings = resolved.length;
+            }
+        }
+        catch (err) {
+            warnings.push(`resolution: ${err.message}`);
+        }
+    }
+    if (warnings.length > 0) {
+        coverage.warnings = warnings;
+    }
+    const status = anyFailure
+        ? anySuccess
+            ? 'partial'
+            : 'failed'
+        : 'succeeded';
+    await deps.finishRun(runId, {
+        status,
+        coverageSummary: coverage,
+        findingsCountBySeverity: counts,
+        durationMs: Date.now() - startedAt,
+    });
+    if (trigger === 'manual') {
+        await deps.clearManualRunRequest(config.id);
+    }
+}
+// ---------------------------------------------------------------------------
+// Loop tick -- invoked by unified-shell on a fixed cadence
+// ---------------------------------------------------------------------------
+export async function runSecurityScanTick(deps) {
+    const configs = await deps.getDueScanConfigs();
+    for (const config of configs) {
+        if (!config.enabled)
+            continue;
+        const trigger = config.manualRunRequestedAt ? 'manual' : 'schedule';
+        try {
+            await runScanForConfig(config, trigger, deps);
+        }
+        catch {
+            // Per-config failures are swallowed so a single broken product
+            // does not stop the engine from servicing others. The run row
+            // already records the failure status.
+        }
+    }
+}
+// ---------------------------------------------------------------------------
+// Default Deps -- daemon-side wiring via callApi
+// ---------------------------------------------------------------------------
+export function buildDefaultSecurityScanDeps(config) {
+    const resolveCwd = (productId) => {
+        const product = config.products.find((p) => p.id === productId);
+        if (!product)
+            return config.repoPath;
+        return configForProduct(config, product).repoPath;
+    };
+    return {
+        getDueScanConfigs: async () => {
+            const res = await callApi('daemon_get_due_security_scan_configs', {});
+            return res.items ?? [];
+        },
+        startRun: async (configId, trigger) => {
+            const res = await callApi('daemon_start_security_scan_run', {
+                configId,
+                trigger,
+            });
+            return res.runId;
+        },
+        finishRun: async (runId, update) => {
+            await callApi('daemon_finish_security_scan_run', { runId, ...update });
+        },
+        writeFinding: async (runId, productId, organizationId, finding) => {
+            const res = await callApi('daemon_write_security_finding', {
+                runId,
+                productId,
+                organizationId,
+                ...finding,
+            });
+            return { findingId: res.findingId };
+        },
+        clearManualRunRequest: async (configId) => {
+            await callApi('daemon_clear_manual_scan_request', { configId });
+        },
+        resolveCwd,
+        scanners: getRegisteredScanners(),
+        autoInjectDeps: buildDefaultAutoInjectDeps(),
+        resolutionDeps: buildDefaultResolutionDeps(),
+    };
+}
+//# sourceMappingURL=security-scan-engine.js.map

package/dist/security-scan-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-scan-engine.js","sourceRoot":"","sources":["../src/security-scan-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,GAIlB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,oBAAoB,EACpB,0BAA0B,GAG3B,MAAM,iCAAiC,CAAC;AAiDzC,8EAA8E;AAC9E,uEAAuE;AACvE,8EAA8E;AAE9E,MAAM,gBAAgB,GAAyB,IAAI,GAAG,EAAE,CAAC;AAEzD,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,qBAAqB;IACnC,OAAO,CAAC,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;AACxC,CAAC;AA6CD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAkB,EAClB,OAA8B,EAC9B,IAAsB;IAEtB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAC7C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,MAAM,GAA6B,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACrF,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,UAAU,GAAG,KAAK,CAAC;IAEvB,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEnG,kEAAkE;IAClE,iEAAiE;IACjE,8CAA8C;IAC9C,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuB,CAAC;IACvD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAChC,MAAM;gBACN,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC;aAC5C,CAAC,CAAC;YACH,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC7C,UAAU,GAAG,IAAI,CAAC;YAElB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;YACnC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAI,CAAC,YAAY,CAC3C,KAAK,EACL,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,cAAc,EACrB,OAAO,CACR,CAAC;gBACF,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC/D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAEjC,8DAA8D;gBAC9D,uDAAuD;gBACvD,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;oBACxB,IAAI,CAAC;wBACH,MAAM,YAAY,GAAwB;4BACxC,EAAE,EAAE,SAAS;4BACb,cAAc,EAAE,MAAM,CAAC,cAAc;4BACrC,SAAS,EAAE,MAAM,CAAC,SAAS;4BAC3B,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;4BAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;4BACxB,MAAM,EAAE,MAAM;4BACd,WAAW,EAAE,IAAI;4BACjB,iBAAiB,EAAE,IAAI;yBACxB,CAAC;wBACF,MAAM,OAAO,GAAsB;4BACjC,mBAAmB,EAAE,MAAM,CAAC,2BAA2B;yBACxD,CAAC;wBACF,MAAM,iBAAiB,CAAC,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;oBACtE,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,QAAQ,CAAC,IAAI,CAAC,eAAe,OAAO,CAAC,UAAU,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;oBAChF,CAAC;gBACH,CAAC;YACH,CAAC;YACD,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,UAAU,GAAG,IAAI,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAChE,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,EAAE,KAAK,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;QACjE,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,iEAAiE;IACjE,gEAAgE;IAChE,oEAAoE;IACpE,IAAI,IAAI,CAAC,cAAc,IAAI,eAAe,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,YAAY,GAAwB,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CACjF,CAAC,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CACzD,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CACzC,MAAM,CAAC,SAAS,EAChB,YAAY,EACZ,IAAI,CAAC,cAAc,CACpB,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,QAAQ,CAAC,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC;YAC/C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,IAAI,CAAC,eAAgB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC/B,CAAC;IAED,MAAM,MAAM,GAAG,UAAU;QACvB,CAAC,CAAC,UAAU;YACV,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,QAAQ;QACZ,CAAC,CAAC,WAAW,CAAC;IAEhB,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;QAC1B,MAAM;QACN,eAAe,EAAE,QAAQ;QACzB,uBAAuB,EAAE,MAAM;QAC/B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;KACnC,CAAC,CAAC;IAEH,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9C,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,2DAA2D;AAC3D,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAsB;IAC9D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;IAC/C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,SAAS;QAC9B,MAAM,OAAO,GAA0B,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3F,IAAI,CAAC;YACH,MAAM,gBAAgB,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;YAC/D,8DAA8D;YAC9D,sCAAsC;QACxC,CAAC;IACH,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,iDAAiD;AACjD,8EAA8E;AAE9E,MAAM,UAAU,4BAA4B,CAAC,MAAoB;IAC/D,MAAM,UAAU,GAAG,CAAC,SAAiB,EAAU,EAAE;QAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAChE,IAAI,CAAC,OAAO;YAAE,OAAO,MAAM,CAAC,QAAQ,CAAC;QACrC,OAAO,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC;IACpD,CAAC,CAAC;IAEF,OAAO;QACL,iBAAiB,EAAE,KAAK,IAAI,EAAE;YAC5B,MAAM,GAAG,GAAG,MAAM,OAAO,CACvB,sCAAsC,EACtC,EAAE,CACH,CAAC;YACF,OAAO,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE;YACpC,MAAM,GAAG,GAAG,MAAM,OAAO,CAAoB,gCAAgC,EAAE;gBAC7E,QAAQ;gBACR,OAAO;aACR,CAAC,CAAC;YACH,OAAO,GAAG,CAAC,KAAK,CAAC;QACnB,CAAC;QACD,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;YACjC,MAAM,OAAO,CAAC,iCAAiC,EAAE,EAAE,KAAK,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;QACD,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,EAAE;YAChE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAwB,+BAA+B,EAAE;gBAChF,KAAK;gBACL,SAAS;gBACT,cAAc;gBACd,GAAG,OAAO;aACX,CAAC,CAAC;YACH,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC;QACtC,CAAC;QACD,qBAAqB,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;YACxC,MAAM,OAAO,CAAC,kCAAkC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,UAAU;QACV,QAAQ,EAAE,qBAAqB,EAAE;QACjC,cAAc,EAAE,0BAA0B,EAAE;QAC5C,cAAc,EAAE,0BAA0B,EAAE;KAC7C,CAAC;AACJ,CAAC"}

package/dist/stage-classifier.d.ts

@@ -7,7 +7,7 @@
  * without metadata populated.
  */
 import type { WorkflowStage, Workflow } from './types.js';
-/** Stage where agent team has work to do (e.g., queued, coding, iterating). */
+/** Stage where agent team has work to do (e.g., queued, coding, awaiting_verify). */
 export declare function isAgentActionable(stage: WorkflowStage): boolean;
 /** Truly terminal — no more work ever (e.g., done, cancelled). */
 export declare function isTerminal(stage: WorkflowStage): boolean;
@@ -19,7 +19,7 @@ export declare function isCascadable(stage: WorkflowStage): boolean;
 /**
  * Blocks subsequent ranked deliveries from being picked up.
  * Backlog stages, agent-work stages, and paused block.
- * Review/iterating/terminal stages don't block.
+ * Review/awaiting_verify/terminal stages don't block.
  */
 export declare function isBlocking(stage: WorkflowStage): boolean;
 /** Excluded from cascade checks entirely (cancelled but not done). */

package/dist/stage-classifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stage-classifier.d.ts","sourceRoot":"","sources":["../src/stage-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAI1D,+EAA+E;AAC/E,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAG/D;AAED,kEAAkE;AAClE,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAGxD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAS1D;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAUxD;AAED,sEAAsE;AACtE,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAEnE;AAUD,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAMpF;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAM7E;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAM/E;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAM7E;AAED,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAMxF"}
+{"version":3,"file":"stage-classifier.d.ts","sourceRoot":"","sources":["../src/stage-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAI1D,qFAAqF;AACrF,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAG/D;AAED,kEAAkE;AAClE,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAGxD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAS1D;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAUxD;AAED,sEAAsE;AACtE,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAEnE;AAUD,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAMpF;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAM7E;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAM/E;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAM7E;AAED,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAMxF"}

package/dist/stage-classifier.js

@@ -7,11 +7,11 @@
  * without metadata populated.
  */
 // ── Stage-level classifiers ──────────────────────────────────────
-/** Stage where agent team has work to do (e.g., queued, coding, iterating). */
+/** Stage where agent team has work to do (e.g., queued, coding, awaiting_verify). */
 export function isAgentActionable(stage) {
     if (stage.is_agent_actionable !== undefined)
         return stage.is_agent_actionable;
-    return stage.name === 'queued' || stage.name === 'coding' || stage.name === 'iterating';
+    return stage.name === 'queued' || stage.name === 'coding' || stage.name === 'awaiting_verify';
 }
 /** Truly terminal — no more work ever (e.g., done, cancelled). */
 export function isTerminal(stage) {
@@ -29,7 +29,7 @@ export function isCascadable(stage) {
         if (stage.is_terminal)
             return true;
         // Non-terminal, non-actionable, non-blocking active stages are cascadable
-        // (verify, in_review, iterating)
+        // (verify, in_review, awaiting_verify)
         return !isAgentActionable(stage) && !isBlocking(stage);
     }
     return ['verify', 'in_review', 'done', 'cancelled'].includes(stage.name);
@@ -37,7 +37,7 @@ export function isCascadable(stage) {
 /**
  * Blocks subsequent ranked deliveries from being picked up.
  * Backlog stages, agent-work stages, and paused block.
- * Review/iterating/terminal stages don't block.
+ * Review/awaiting_verify/terminal stages don't block.
  */
 export function isBlocking(stage) {
     if (stage.meta_bucket !== undefined) {
@@ -52,7 +52,7 @@ export function isBlocking(stage) {
             return true;
         return false;
     }
-    return !['done', 'cancelled', 'verify', 'in_review', 'iterating'].includes(stage.name);
+    return !['done', 'cancelled', 'verify', 'in_review', 'awaiting_verify'].includes(stage.name);
 }
 /** Excluded from cascade checks entirely (cancelled but not done). */
 export function isExcludedFromCascade(stage) {
@@ -70,7 +70,7 @@ export function isStatusAgentActionable(status, workflow) {
         if (stage)
             return isAgentActionable(stage);
     }
-    return status === 'queued' || status === 'coding' || status === 'iterating';
+    return status === 'queued' || status === 'coding' || status === 'awaiting_verify';
 }
 export function isStatusTerminal(status, workflow) {
     if (workflow) {
@@ -94,7 +94,7 @@ export function isStatusBlocking(status, workflow) {
         if (stage)
             return isBlocking(stage);
     }
-    return !['done', 'cancelled', 'verify', 'in_review', 'iterating'].includes(status);
+    return !['done', 'cancelled', 'verify', 'in_review', 'awaiting_verify'].includes(status);
 }
 export function isStatusExcludedFromCascade(status, workflow) {
     if (workflow) {

package/dist/stage-classifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"stage-classifier.js","sourceRoot":"","sources":["../src/stage-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,oEAAoE;AAEpE,+EAA+E;AAC/E,MAAM,UAAU,iBAAiB,CAAC,KAAoB;IACpD,IAAI,KAAK,CAAC,mBAAmB,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,mBAAmB,CAAC;IAC9E,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC;AAC1F,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,UAAU,CAAC,KAAoB;IAC7C,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,WAAW,CAAC;IAC9D,OAAO,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,KAAoB;IAC/C,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACpC,wCAAwC;QACxC,IAAI,KAAK,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACnC,0EAA0E;QAC1E,iCAAiC;QACjC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC3E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,KAAoB;IAC7C,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACjD,IAAI,KAAK,CAAC,WAAW,KAAK,MAAM;YAAE,OAAO,KAAK,CAAC;QAC/C,iEAAiE;QACjE,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AACzF,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,qBAAqB,CAAC,KAAoB;IACxD,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC;AACpD,CAAC;AAED,oEAAoE;AACpE,8DAA8D;AAE9D,6DAA6D;AAC7D,SAAS,SAAS,CAAC,MAAc,EAAE,QAAkB;IACnD,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,QAAmB;IACzE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,WAAW,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,QAAmB;IAClE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,WAAW,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,QAAmB;IACpE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,QAAmB;IAClE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAc,EAAE,QAAmB;IAC7E,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,MAAM,KAAK,WAAW,CAAC;AAChC,CAAC"}
+{"version":3,"file":"stage-classifier.js","sourceRoot":"","sources":["../src/stage-classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,oEAAoE;AAEpE,qFAAqF;AACrF,MAAM,UAAU,iBAAiB,CAAC,KAAoB;IACpD,IAAI,KAAK,CAAC,mBAAmB,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,mBAAmB,CAAC;IAC9E,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,CAAC;AAChG,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,UAAU,CAAC,KAAoB;IAC7C,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,WAAW,CAAC;IAC9D,OAAO,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,KAAoB;IAC/C,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACpC,wCAAwC;QACxC,IAAI,KAAK,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QACnC,0EAA0E;QAC1E,uCAAuC;QACvC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC3E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,KAAoB;IAC7C,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,KAAK,CAAC,WAAW,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACjD,IAAI,KAAK,CAAC,WAAW,KAAK,MAAM;YAAE,OAAO,KAAK,CAAC;QAC/C,iEAAiE;QACjE,IAAI,iBAAiB,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC/F,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,qBAAqB,CAAC,KAAoB;IACxD,OAAO,UAAU,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC;AACpD,CAAC;AAED,oEAAoE;AACpE,8DAA8D;AAE9D,6DAA6D;AAC7D,SAAS,SAAS,CAAC,MAAc,EAAE,QAAkB;IACnD,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,QAAmB;IACzE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,iBAAiB,CAAC;AACpF,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,QAAmB;IAClE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,WAAW,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,QAAmB;IACpE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,CAAC,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc,EAAE,QAAmB;IAClE,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,WAAW,EAAE,iBAAiB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC3F,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAc,EAAE,QAAmB;IAC7E,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,KAAK;YAAE,OAAO,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,MAAM,KAAK,WAAW,CAAC;AAChC,CAAC"}

package/dist/state-cascade.d.ts

@@ -14,7 +14,7 @@
  *      user can request a fresh review when verify is reached again.
  *
  * Review completion is NOT auto-routed here. Closing out a review and
- * routing in_review deliveries to done/iterating is the exclusive
+ * routing in_review deliveries to done/awaiting_verify is the exclusive
  * responsibility of focus-completion.ts's review exit handler, which
  * gates on the exiting team's sessionType === 'review' (a positive
  * signal that an actual review ran). If the review team never spawns

package/dist/state-cascade.js

@@ -14,7 +14,7 @@
  *      user can request a fresh review when verify is reached again.
  *
  * Review completion is NOT auto-routed here. Closing out a review and
- * routing in_review deliveries to done/iterating is the exclusive
+ * routing in_review deliveries to done/awaiting_verify is the exclusive
  * responsibility of focus-completion.ts's review exit handler, which
  * gates on the exiting team's sessionType === 'review' (a positive
  * signal that an actual review ran). If the review team never spawns

package/dist/team-prompt-base.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"team-prompt-base.d.ts","sourceRoot":"","sources":["../src/team-prompt-base.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACf,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAG9D,MAAM,WAAW,gCAAgC;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,eAAe,EAAE,oBAAoB,CAAC;IACtC,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IACtC,kBAAkB,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACzC,yBAAyB,CAAC,EAAE,gCAAgC,GAAG,IAAI,CAAC;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAMD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,EAAE,CAO1D;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,EAAE,CAWtE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,EAAE,CAgBnD;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAkBtE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,sBAAsB,GAAG,MAAM,EAAE,CAQlF;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,CAAC,EAAE,iBAAiB,EAAE,GAAG,MAAM,EAAE,CAqB/E;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAC3C,QAAQ,CAAC,EAAE,gCAAgC,GAAG,IAAI,GACjD,MAAM,EAAE,CAmBV;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAGtE;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,EAAE,CAOlF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,sBAAsB,GAC9B,MAAM,EAAE,CA0GV;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CACzC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,MAAM,EAAE,cAAc,EAAE,GACvB,MAAM,EAAE,CAuGV;AAED;;GAEG;AACH,wBAAgB,6BAA6B,IAAI,MAAM,EAAE,CAoDxD;AAED;;GAEG;AACH,wBAAgB,iCAAiC,CAC/C,SAAS,EAAE,MAAM,GAChB,MAAM,EAAE,CA4BV;AAED;;GAEG;AACH;;;;;;;;;GASG;AACH,wBAAgB,8BAA8B,IAAI,MAAM,EAAE,CA0BzD;AAED,wBAAgB,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAqCzE;AAED;;GAEG;AACH,wBAAgB,oCAAoC,IAAI,MAAM,EAAE,CAuB/D;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gCAAgC,CAC9C,oBAAoB,EAAE,MAAM,GAC3B,MAAM,EAAE,CAqBV;AAED;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,0BAA0B,CAAC;AAElE;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,8BAA8B,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,EAAE,CAQjF;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,IAAI,MAAM,EAAE,CAiBrD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,CAiDlF;AAED;;GAEG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,EAAE,CAiBtD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,EAAE,CAepD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,EAAE,CAoBpD;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,EAAE,CA8BtD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,+BAA+B,IAAI,MAAM,CAuDxD;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,+BAA+B,CAC7C,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,MAAM,EAAE,CAqCV;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAajD;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,SAAS,EACf,OAAO,EAAE,sBAAsB,GAC9B,MAAM,CAgCR;AAMD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,SAAS,EACf,OAAO,EAAE,sBAAsB,GAC9B,MAAM,CAqCR"}
+{"version":3,"file":"team-prompt-base.d.ts","sourceRoot":"","sources":["../src/team-prompt-base.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACf,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAG9D,MAAM,WAAW,gCAAgC;IAC/C,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,MAAM,EAAE,cAAc,EAAE,CAAC;IACzB,eAAe,EAAE,oBAAoB,CAAC;IACtC,cAAc,EAAE,cAAc,GAAG,IAAI,CAAC;IACtC,kBAAkB,CAAC,EAAE,iBAAiB,EAAE,CAAC;IACzC,yBAAyB,CAAC,EAAE,gCAAgC,GAAG,IAAI,CAAC;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAMD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,EAAE,CAO1D;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,SAAS,GAAG,MAAM,EAAE,CAWtE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,EAAE,CAgBnD;AAED;;;GAGG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAkBtE;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,sBAAsB,GAAG,MAAM,EAAE,CAQlF;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,CAAC,EAAE,iBAAiB,EAAE,GAAG,MAAM,EAAE,CAqB/E;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAC3C,QAAQ,CAAC,EAAE,gCAAgC,GAAG,IAAI,GACjD,MAAM,EAAE,CAmBV;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAGtE;AAED;;GAEG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,EAAE,CAOlF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,sBAAsB,GAC9B,MAAM,EAAE,CA0GV;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CACzC,UAAU,EAAE,iBAAiB,EAAE,EAC/B,MAAM,EAAE,cAAc,EAAE,GACvB,MAAM,EAAE,CAuGV;AAED;;GAEG;AACH,wBAAgB,6BAA6B,IAAI,MAAM,EAAE,CAmExD;AAED;;GAEG;AACH,wBAAgB,iCAAiC,CAC/C,SAAS,EAAE,MAAM,GAChB,MAAM,EAAE,CA4BV;AAED;;GAEG;AACH;;;;;;;;;GASG;AACH,wBAAgB,8BAA8B,IAAI,MAAM,EAAE,CA0BzD;AAED,wBAAgB,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE,CAqCzE;AAED;;GAEG;AACH,wBAAgB,oCAAoC,IAAI,MAAM,EAAE,CAuB/D;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gCAAgC,CAC9C,oBAAoB,EAAE,MAAM,GAC3B,MAAM,EAAE,CAqBV;AAED;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,0BAA0B,CAAC;AAElE;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,8BAA8B,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,EAAE,CAQjF;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,IAAI,MAAM,EAAE,CAiBrD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE,CAiDlF;AAED;;GAEG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,EAAE,CAiBtD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,EAAE,CAepD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,EAAE,CAoBpD;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,EAAE,CA8BtD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,+BAA+B,IAAI,MAAM,CAuDxD;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,+BAA+B,CAC7C,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,MAAM,EAAE,CAqCV;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAajD;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,SAAS,EACf,OAAO,EAAE,sBAAsB,GAC9B,MAAM,CAgCR;AAMD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,SAAS,EACf,OAAO,EAAE,sBAAsB,GAC9B,MAAM,CAqCR"}

package/dist/team-prompt-base.js

@@ -424,6 +424,21 @@ export function buildStatusUpdateRulesSection() {
         '2. When the worker completes, verify its output',
         '3. Set issue to "Done" after verification',
         '',
+        '**Completion artifacts (MANDATORY on close):**',
+        '- When you set an issue to "Done" or "In Review", you MUST also supply',
+        '  `completionArtifacts` listing the primary files the work produced or',
+        '  modified. Shape: `{ "files": ["src/foo.ts", "src/foo.test.ts"], "tests": [...] }`.',
+        '- Drift detection compares these references against the worktree on a',
+        '  schedule. Without them, drift cannot surface for this issue and the',
+        '  Done-work signal is unreliable.',
+        '- Use repo-relative paths (no leading slash, no `./`). Include test files',
+        '  under `files` or `tests` -- both are checked.',
+        '- Workers spawned via Task: when reporting completion, return the list of',
+        '  files you modified so the team lead can pass them through in the',
+        '  `issue_update` call.',
+        '- Example close call:',
+        '  `{ "issueId": "<id>", "status": "Done", "completionArtifacts": { "files": ["src/foo.ts"] } }`',
+        '',
     ];
 }
 /**