@telora/daemon 0.17.48 → 0.17.56

package/dist/spawn-sandbox.d.ts

@@ -0,0 +1,117 @@
+/**
+ * OS sandbox for spawned agents -- "make the worktree boundary true" (D3).
+ *
+ * The daemon spawns agents with --dangerously-skip-permissions /
+ * --dangerously-bypass-approvals-and-sandbox. The ONLY isolation around such a
+ * spawn used to be a git worktree, which bounds the git branch but NOT the OS:
+ * the agent could read sibling repos, the operator's home, SSH/cloud creds, and
+ * reach the network freely. This module wraps the spawn command in an OS
+ * sandbox (bubblewrap on Linux) so the agent's filesystem is confined to its
+ * worktree plus an explicit read-only allowlist (toolchain + model-auth config),
+ * with privileged capabilities and namespaces dropped.
+ *
+ * Posture (see docs/security-posture-daemon-execution.md):
+ * - FILESYSTEM confinement + capability/namespace isolation are ENFORCED by bwrap.
+ * - OUTBOUND EGRESS allowlisting is NOT enforced here (bubblewrap has no L3/L7
+ *   egress filter); it is a documented residual gap. Network is shared so the
+ *   agent can still reach the Telora API / git / registries / model API.
+ *
+ * FAIL-CLOSED: an EXPLICIT 'bwrap' mode whose sandbox cannot initialize REFUSES
+ * the spawn (throws SandboxUnavailableError) rather than running unconfined.
+ *
+ * DEFAULT is 'off' (see resolveSandboxMode): auto-enabling a sandbox whose
+ * per-host read-bind set has not been validated could break real spawns, so
+ * operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. On Linux with bwrap present we log a
+ * recommendation to enable it.
+ *
+ * Pure command construction (buildSandboxCommand) takes injected deps so it is
+ * unit-testable without a real bubblewrap.
+ */
+import type { DaemonConfig, SandboxConfig, SandboxMode } from './types.js';
+/** Thrown when an explicitly-required sandbox cannot initialize (fail-closed). */
+export declare class SandboxUnavailableError extends Error {
+    constructor(detail: string);
+}
+/** Default bubblewrap executable name (overridable via deps for tests). */
+export declare const BWRAP_COMMAND = "bwrap";
+/** Return true if an executable name/path exists on the host PATH. */
+export declare function commandOnPath(command: string, env?: NodeJS.ProcessEnv): boolean;
+/** Is bubblewrap available on this host? */
+export declare function isBwrapAvailable(deps?: {
+    commandExists?: (cmd: string) => boolean;
+    bwrapCommand?: string;
+}): boolean;
+/**
+ * Resolve the effective sandbox mode.
+ *
+ * - explicit config.sandbox.mode wins (and is honored even if unavailable --
+ *   buildSandboxCommand then fail-closes).
+ * - unset + darwin => 'off' (dev; bwrap is Linux-only).
+ * - unset + linux  => 'off' (safe default), with a warning health event emitted
+ *   when bwrap is available. Operators opt in explicitly after per-host validation
+ *   -- see docs/runbook-daemon-service-user.md.
+ */
+export declare function resolveSandboxMode(sandbox: SandboxConfig | undefined, deps?: {
+    platform?: NodeJS.Platform;
+    bwrapAvailable?: boolean;
+    logRecommendation?: (msg: string) => void;
+}): SandboxMode;
+export interface SandboxPolicy {
+    /** The worktree -- bound read-write; the agent's only writable host tree. */
+    worktreePath: string;
+    /** Extra host paths exposed read-only (toolchain, model-auth config, certs). */
+    readOnlyPaths?: readonly string[];
+}
+export interface BuildSandboxArgs {
+    /** The inner command that would be spawned without a sandbox (e.g. 'claude'). */
+    command: string;
+    /** The inner command's args. */
+    args: readonly string[];
+    /** Filesystem policy. */
+    policy: SandboxPolicy;
+    /** Effective mode (from resolveSandboxMode). */
+    mode: SandboxMode;
+    /** Whether bubblewrap is available (injected for tests). */
+    bwrapAvailable: boolean;
+    /** bwrap executable (default 'bwrap'). */
+    bwrapCommand?: string;
+    /** Called once when mode resolves to running UNCONFINED, for loud logging. */
+    onUnconfined?: (reason: string) => void;
+}
+export interface SandboxedCommand {
+    command: string;
+    args: string[];
+}
+/**
+ * Build the (possibly sandbox-wrapped) command + args for a spawn.
+ *
+ * mode 'off'   -> returns the inner command unchanged and emits a loud
+ *                 "running unconfined" signal (the spawn has the daemon user's
+ *                 full authority).
+ * mode 'bwrap' -> if bwrap is unavailable, THROWS SandboxUnavailableError
+ *                 (fail-closed); otherwise returns a bwrap invocation that binds
+ *                 the worktree read-write, the readOnlyPaths read-only, system
+ *                 dirs read-only, and drops privileged namespaces.
+ */
+export declare function buildSandboxCommand(opts: BuildSandboxArgs): SandboxedCommand;
+/**
+ * High-level helper used by the spawn path: resolve mode from config, derive the
+ * read-only allowlist (toolchain + model-auth config), and build the wrapped
+ * command. Emits a health event on unconfined runs and refuses (throws) when an
+ * explicitly-required sandbox is unavailable.
+ */
+export declare function wrapSpawnCommand(config: DaemonConfig, spawn: {
+    command: string;
+    args: readonly string[];
+    worktreePath: string;
+}): SandboxedCommand;
+/**
+ * Derive the read-only host paths a spawn legitimately needs: the toolchain
+ * (the backend command's dir + the daemon's own node), the agent's model-auth
+ * config under HOME (~/.claude.json, ~/.claude, ~/.codex), and any extra paths
+ * configured. Kept narrow -- this is the allowlist that decides what the agent
+ * can read OUTSIDE its worktree. Exported for tests.
+ */
+export declare function deriveReadOnlyPaths(config: DaemonConfig, backendCommand: string): string[];
+//# sourceMappingURL=spawn-sandbox.d.ts.map

package/dist/spawn-sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"spawn-sandbox.d.ts","sourceRoot":"","sources":["../src/spawn-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAKH,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE3E,kFAAkF;AAClF,qBAAa,uBAAwB,SAAQ,KAAK;gBACpC,MAAM,EAAE,MAAM;CAI3B;AAED,2EAA2E;AAC3E,eAAO,MAAM,aAAa,UAAU,CAAC;AAErC,sEAAsE;AACtE,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,OAAO,CAI5F;AAED,4CAA4C;AAC5C,wBAAgB,gBAAgB,CAC9B,IAAI,GAAE;IAAE,aAAa,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAO,GAC7E,OAAO,CAIT;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,aAAa,GAAG,SAAS,EAClC,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAAC,cAAc,CAAC,EAAE,OAAO,CAAC;IAAC,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAO,GAC7G,WAAW,CAwBb;AAED,MAAM,WAAW,aAAa;IAC5B,6EAA6E;IAC7E,YAAY,EAAE,MAAM,CAAC;IACrB,gFAAgF;IAChF,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,gBAAgB;IAC/B,iFAAiF;IACjF,OAAO,EAAE,MAAM,CAAC;IAChB,gCAAgC;IAChC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACxB,yBAAyB;IACzB,MAAM,EAAE,aAAa,CAAC;IACtB,gDAAgD;IAChD,IAAI,EAAE,WAAW,CAAC;IAClB,4DAA4D;IAC5D,cAAc,EAAE,OAAO,CAAC;IACxB,0CAA0C;IAC1C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8EAA8E;IAC9E,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACzC;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,gBAAgB,GAAG,gBAAgB,CA0D5E;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,YAAY,EACpB,KAAK,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,GACxE,gBAAgB,CAqBlB;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,EAAE,CA0B1F"}

package/dist/spawn-sandbox.js

@@ -0,0 +1,210 @@
+/**
+ * OS sandbox for spawned agents -- "make the worktree boundary true" (D3).
+ *
+ * The daemon spawns agents with --dangerously-skip-permissions /
+ * --dangerously-bypass-approvals-and-sandbox. The ONLY isolation around such a
+ * spawn used to be a git worktree, which bounds the git branch but NOT the OS:
+ * the agent could read sibling repos, the operator's home, SSH/cloud creds, and
+ * reach the network freely. This module wraps the spawn command in an OS
+ * sandbox (bubblewrap on Linux) so the agent's filesystem is confined to its
+ * worktree plus an explicit read-only allowlist (toolchain + model-auth config),
+ * with privileged capabilities and namespaces dropped.
+ *
+ * Posture (see docs/security-posture-daemon-execution.md):
+ * - FILESYSTEM confinement + capability/namespace isolation are ENFORCED by bwrap.
+ * - OUTBOUND EGRESS allowlisting is NOT enforced here (bubblewrap has no L3/L7
+ *   egress filter); it is a documented residual gap. Network is shared so the
+ *   agent can still reach the Telora API / git / registries / model API.
+ *
+ * FAIL-CLOSED: an EXPLICIT 'bwrap' mode whose sandbox cannot initialize REFUSES
+ * the spawn (throws SandboxUnavailableError) rather than running unconfined.
+ *
+ * DEFAULT is 'off' (see resolveSandboxMode): auto-enabling a sandbox whose
+ * per-host read-bind set has not been validated could break real spawns, so
+ * operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. On Linux with bwrap present we log a
+ * recommendation to enable it.
+ *
+ * Pure command construction (buildSandboxCommand) takes injected deps so it is
+ * unit-testable without a real bubblewrap.
+ */
+import { existsSync } from 'node:fs';
+import { join, isAbsolute } from 'node:path';
+import { healthEvents } from '@telora/daemon-core';
+/** Thrown when an explicitly-required sandbox cannot initialize (fail-closed). */
+export class SandboxUnavailableError extends Error {
+    constructor(detail) {
+        super(`Sandbox required but unavailable -- refusing spawn (fail-closed). ${detail}`);
+        this.name = 'SandboxUnavailableError';
+    }
+}
+/** Default bubblewrap executable name (overridable via deps for tests). */
+export const BWRAP_COMMAND = 'bwrap';
+/** Return true if an executable name/path exists on the host PATH. */
+export function commandOnPath(command, env = process.env) {
+    if (isAbsolute(command) || command.includes('/'))
+        return existsSync(command);
+    const pathEnv = env.PATH ?? '';
+    return pathEnv.split(':').filter(Boolean).some((dir) => existsSync(join(dir, command)));
+}
+/** Is bubblewrap available on this host? */
+export function isBwrapAvailable(deps = {}) {
+    const cmd = deps.bwrapCommand ?? BWRAP_COMMAND;
+    const exists = deps.commandExists ?? ((c) => commandOnPath(c));
+    return exists(cmd);
+}
+/**
+ * Resolve the effective sandbox mode.
+ *
+ * - explicit config.sandbox.mode wins (and is honored even if unavailable --
+ *   buildSandboxCommand then fail-closes).
+ * - unset + darwin => 'off' (dev; bwrap is Linux-only).
+ * - unset + linux  => 'off' (safe default), with a warning health event emitted
+ *   when bwrap is available. Operators opt in explicitly after per-host validation
+ *   -- see docs/runbook-daemon-service-user.md.
+ */
+export function resolveSandboxMode(sandbox, deps = {}) {
+    if (sandbox?.mode)
+        return sandbox.mode;
+    const platform = deps.platform ?? process.platform;
+    if (platform !== 'linux')
+        return 'off';
+    const available = deps.bwrapAvailable ?? isBwrapAvailable();
+    if (available) {
+        const message = 'bubblewrap is available but the spawn sandbox is OFF (default). ' +
+            'Enable filesystem confinement by setting sandbox.mode="bwrap" in daemon.json ' +
+            'after validating per-host read-binds -- see docs/runbook-daemon-service-user.md.';
+        if (deps.logRecommendation) {
+            deps.logRecommendation(message);
+        }
+        else {
+            healthEvents.emit({
+                severity: 'warn',
+                source: 'spawn-sandbox',
+                code: 'sandbox.off_bwrap_available',
+                message,
+            });
+        }
+    }
+    return 'off';
+}
+/**
+ * Build the (possibly sandbox-wrapped) command + args for a spawn.
+ *
+ * mode 'off'   -> returns the inner command unchanged and emits a loud
+ *                 "running unconfined" signal (the spawn has the daemon user's
+ *                 full authority).
+ * mode 'bwrap' -> if bwrap is unavailable, THROWS SandboxUnavailableError
+ *                 (fail-closed); otherwise returns a bwrap invocation that binds
+ *                 the worktree read-write, the readOnlyPaths read-only, system
+ *                 dirs read-only, and drops privileged namespaces.
+ */
+export function buildSandboxCommand(opts) {
+    const { command, args, policy, mode, bwrapAvailable } = opts;
+    const bwrap = opts.bwrapCommand ?? BWRAP_COMMAND;
+    if (mode === 'off') {
+        opts.onUnconfined?.('spawn sandbox is OFF -- the agent runs with the daemon user\'s full filesystem authority');
+        return { command, args: [...args] };
+    }
+    // mode === 'bwrap'
+    if (!bwrapAvailable) {
+        throw new SandboxUnavailableError(`sandbox.mode is "bwrap" but the "${bwrap}" executable was not found on the daemon host. ` +
+            'Install bubblewrap or set sandbox.mode="off" (unconfined) deliberately.');
+    }
+    const bwrapArgs = [
+        // Lifecycle / isolation: drop privileged namespaces, keep NET (the agent
+        // needs Telora/git/registry/model access). Die with the daemon; new session.
+        '--die-with-parent',
+        '--new-session',
+        '--unshare-user',
+        '--unshare-ipc',
+        '--unshare-pid',
+        '--unshare-uts',
+        '--unshare-cgroup',
+        // Minimal virtual filesystems.
+        '--proc', '/proc',
+        '--dev', '/dev',
+        '--tmpfs', '/tmp',
+        // System runtime + config, read-only. -try so a missing dir is skipped, not fatal.
+        '--ro-bind', '/usr', '/usr',
+        '--ro-bind-try', '/bin', '/bin',
+        '--ro-bind-try', '/sbin', '/sbin',
+        '--ro-bind-try', '/lib', '/lib',
+        '--ro-bind-try', '/lib64', '/lib64',
+        // /etc read-only: CA certs, resolv.conf, passwd. Does NOT expose any home dir.
+        '--ro-bind-try', '/etc', '/etc',
+    ];
+    // The worktree is the ONLY writable host tree.
+    bwrapArgs.push('--bind', policy.worktreePath, policy.worktreePath);
+    // Explicit read-only allowlist (toolchain + model-auth config). Anything not
+    // listed -- sibling repos, ~/.ssh, ~/.aws, other homes -- is simply not bound,
+    // so it is invisible inside the sandbox.
+    for (const p of policy.readOnlyPaths ?? []) {
+        if (p && p.trim())
+            bwrapArgs.push('--ro-bind-try', p, p);
+    }
+    bwrapArgs.push('--chdir', policy.worktreePath);
+    // Terminator, then the real command.
+    bwrapArgs.push('--', command, ...args);
+    return { command: bwrap, args: bwrapArgs };
+}
+/**
+ * High-level helper used by the spawn path: resolve mode from config, derive the
+ * read-only allowlist (toolchain + model-auth config), and build the wrapped
+ * command. Emits a health event on unconfined runs and refuses (throws) when an
+ * explicitly-required sandbox is unavailable.
+ */
+export function wrapSpawnCommand(config, spawn) {
+    const mode = resolveSandboxMode(config.sandbox);
+    const bwrapAvailable = isBwrapAvailable();
+    const readOnlyPaths = deriveReadOnlyPaths(config, spawn.command);
+    return buildSandboxCommand({
+        command: spawn.command,
+        args: spawn.args,
+        policy: { worktreePath: spawn.worktreePath, readOnlyPaths },
+        mode,
+        bwrapAvailable,
+        onUnconfined: (reason) => {
+            healthEvents.emit({
+                severity: 'warn',
+                source: 'spawn-sandbox',
+                code: 'sandbox.unconfined',
+                message: reason,
+            });
+        },
+    });
+}
+/**
+ * Derive the read-only host paths a spawn legitimately needs: the toolchain
+ * (the backend command's dir + the daemon's own node), the agent's model-auth
+ * config under HOME (~/.claude.json, ~/.claude, ~/.codex), and any extra paths
+ * configured. Kept narrow -- this is the allowlist that decides what the agent
+ * can read OUTSIDE its worktree. Exported for tests.
+ */
+export function deriveReadOnlyPaths(config, backendCommand) {
+    const paths = new Set();
+    const home = process.env.HOME;
+    // Model-auth config the agent needs (NOT ~/.ssh, NOT ~/.aws).
+    // ~/.gitconfig: read-only, safe to expose -- agents commit work under the
+    // daemon user's identity; without this git refuses to commit inside the sandbox.
+    if (home) {
+        paths.add(join(home, '.claude.json'));
+        paths.add(join(home, '.claude'));
+        paths.add(join(home, '.codex'));
+        paths.add(join(home, '.gitconfig'));
+    }
+    // Per-product isolated CODEX_HOME, when set.
+    if (config.codexHome)
+        paths.add(config.codexHome);
+    // The daemon's node executable (so the agent's tooling can re-exec node).
+    if (process.execPath)
+        paths.add(process.execPath);
+    // The backend command itself, when it is an absolute path outside /usr.
+    if (isAbsolute(backendCommand))
+        paths.add(backendCommand);
+    // Operator-configured extras.
+    for (const p of config.sandbox?.readOnlyPaths ?? [])
+        paths.add(p);
+    return [...paths];
+}
+//# sourceMappingURL=spawn-sandbox.js.map

package/dist/spawn-sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spawn-sandbox.js","sourceRoot":"","sources":["../src/spawn-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD,kFAAkF;AAClF,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,MAAc;QACxB,KAAK,CAAC,qEAAqE,MAAM,EAAE,CAAC,CAAC;QACrF,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,2EAA2E;AAC3E,MAAM,CAAC,MAAM,aAAa,GAAG,OAAO,CAAC;AAErC,sEAAsE;AACtE,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,MAAyB,OAAO,CAAC,GAAG;IACjF,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;AAC1F,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,gBAAgB,CAC9B,OAA4E,EAAE;IAE9E,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC,EAClC,OAA4G,EAAE;IAE9G,IAAI,OAAO,EAAE,IAAI;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IAEvC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,gBAAgB,EAAE,CAAC;IAC5D,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GACX,kEAAkE;YAClE,+EAA+E;YAC/E,kFAAkF,CAAC;QACrF,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,IAAI,CAAC;gBAChB,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,6BAA6B;gBACnC,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AA+BD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAsB;IACxD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC;IAEjD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,YAAY,EAAE,CACjB,0FAA0F,CAC3F,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;IACtC,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,uBAAuB,CAC/B,oCAAoC,KAAK,iDAAiD;YACxF,yEAAyE,CAC5E,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAa;QAC1B,yEAAyE;QACzE,6EAA6E;QAC7E,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,eAAe;QACf,eAAe;QACf,eAAe;QACf,kBAAkB;QAClB,+BAA+B;QAC/B,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,MAAM;QACjB,mFAAmF;QACnF,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,eAAe,EAAE,MAAM,EAAE,MAAM;QAC/B,eAAe,EAAE,OAAO,EAAE,OAAO;QACjC,eAAe,EAAE,MAAM,EAAE,MAAM;QAC/B,eAAe,EAAE,QAAQ,EAAE,QAAQ;QACnC,+EAA+E;QAC/E,eAAe,EAAE,MAAM,EAAE,MAAM;KAChC,CAAC;IAEF,+CAA+C;IAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAEnE,6EAA6E;IAC7E,+EAA+E;IAC/E,yCAAyC;IACzC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,IAAI,EAAE,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;YAAE,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAC/C,qCAAqC;IACrC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAEvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAoB,EACpB,KAAyE;IAEzE,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,cAAc,GAAG,gBAAgB,EAAE,CAAC;IAE1C,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAEjE,OAAO,mBAAmB,CAAC;QACzB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,MAAM,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE,aAAa,EAAE;QAC3D,IAAI;QACJ,cAAc;QACd,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;YACvB,YAAY,CAAC,IAAI,CAAC;gBAChB,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAoB,EAAE,cAAsB;IAC9E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAE9B,8DAA8D;IAC9D,0EAA0E;IAC1E,iFAAiF;IACjF,IAAI,IAAI,EAAE,CAAC;QACT,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC;QACtC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;QACjC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAChC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,6CAA6C;IAC7C,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAElD,0EAA0E;IAC1E,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAElD,wEAAwE;IACxE,IAAI,UAAU,CAAC,cAAc,CAAC;QAAE,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAE1D,8BAA8B;IAC9B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,aAAa,IAAI,EAAE;QAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAElE,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/staleness.d.ts

@@ -61,6 +61,16 @@ export interface StalenessDeps {
     now: () => number;
 }
 export declare function resolveVersionCheckCachePath(): string;
+/**
+ * Read the version-check cache only when it is FRESH (within the TTL).
+ *
+ * The running daemon keeps this cache warm via {@link startVersionCacheRefreshLoop};
+ * the auto-update controller reads the candidate version from here instead of
+ * issuing a registry call on every idle edge, so rapid idle flapping cannot
+ * produce a registry-call storm. An expired cache returns null -- a stale
+ * answer must never drive an update decision.
+ */
+export declare function readFreshVersionCache(now?: () => number): VersionCheckCache | null;
 /** Options for {@link getStalenessInfoCore} / {@link getStalenessInfo}. */
 export interface StalenessOptions {
     /**

package/dist/staleness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"staleness.d.ts","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAIH,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC9F,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAMpD,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,eAAe,EAAE,OAAO,CAAC;IACzB,wDAAwD;IACxD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,wEAAwE;IACxE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,qDAAqD;AACrD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,oEAAoE;AACpE,eAAO,MAAM,0BAA0B,QAAqB,CAAC;AAE7D,gEAAgE;AAChE,eAAO,MAAM,wBAAwB,6BAA6B,CAAC;AAEnE,wEAAwE;AACxE,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,UAAU,GAAG,IAAI,CAAC;IAClC,eAAe,EAAE,MAAM,OAAO,CAAC;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAMD,wBAAgB,4BAA4B,IAAI,MAAM,CAErD;AAiCD,2EAA2E;AAC3E,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,aAAa,EACnB,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,GAAE,gBAAqB,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAajG;AAMD,qFAAqF;AACrF,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAsB,iCAAiC,CACrD,IAAI,EAAE,gBAAgB,EACtB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CAelB;AAED,sFAAsF;AACtF,wBAAsB,6BAA6B,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW5F;AAED,sFAAsF;AACtF,eAAO,MAAM,iCAAiC,QAAiB,CAAC;AAEhE;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,cAAc,EAAE,MAAM,EACtB,UAAU,GAAE,MAA0C,GACrD,MAAM,IAAI,CAaZ;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAShF"}
+{"version":3,"file":"staleness.d.ts","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAIH,OAAO,EAKL,KAAK,UAAU,EAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAmC,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC9F,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAMpD,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;IACvB,0DAA0D;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,eAAe,EAAE,OAAO,CAAC;IACzB,wDAAwD;IACxD,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,wEAAwE;IACxE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,qDAAqD;AACrD,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,oEAAoE;AACpE,eAAO,MAAM,0BAA0B,QAAqB,CAAC;AAE7D,gEAAgE;AAChE,eAAO,MAAM,wBAAwB,6BAA6B,CAAC;AAEnE,wEAAwE;AACxE,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,UAAU,GAAG,IAAI,CAAC;IAClC,eAAe,EAAE,MAAM,OAAO,CAAC;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAMD,wBAAgB,4BAA4B,IAAI,MAAM,CAErD;AAED;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,GAAE,MAAM,MAAiB,GAAG,iBAAiB,GAAG,IAAI,CAO5F;AAiCD,2EAA2E;AAC3E,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,aAAa,EACnB,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,GAAE,gBAAqB,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAajG;AAMD,qFAAqF;AACrF,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAC1C,UAAU,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC/C,eAAe,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAChF,GAAG,EAAE,MAAM,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAsB,iCAAiC,CACrD,IAAI,EAAE,gBAAgB,EACtB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,OAAO,CAAC,CAelB;AAED,sFAAsF;AACtF,wBAAsB,6BAA6B,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW5F;AAED,sFAAsF;AACtF,eAAO,MAAM,iCAAiC,QAAiB,CAAC;AAEhE;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,cAAc,EAAE,MAAM,EACtB,UAAU,GAAE,MAA0C,GACrD,MAAM,IAAI,CAaZ;AAMD;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAShF"}

package/dist/staleness.js

@@ -41,6 +41,26 @@ export const VERSION_CHECK_CACHE_FILE = 'version-check-cache.json';
 export function resolveVersionCheckCachePath() {
     return join(resolveGlobalStateDir(), VERSION_CHECK_CACHE_FILE);
 }
+/**
+ * Read the version-check cache only when it is FRESH (within the TTL).
+ *
+ * The running daemon keeps this cache warm via {@link startVersionCacheRefreshLoop};
+ * the auto-update controller reads the candidate version from here instead of
+ * issuing a registry call on every idle edge, so rapid idle flapping cannot
+ * produce a registry-call storm. An expired cache returns null -- a stale
+ * answer must never drive an update decision.
+ */
+export function readFreshVersionCache(now = Date.now) {
+    const cache = readCacheFile();
+    if (!cache)
+        return null;
+    const checkedAtMs = Date.parse(cache.checkedAt);
+    if (!Number.isFinite(checkedAtMs))
+        return null;
+    if (now() - checkedAtMs >= VERSION_CHECK_CACHE_TTL_MS)
+        return null;
+    return cache;
+}
 function readCacheFile() {
     const path = resolveVersionCheckCachePath();
     if (!existsSync(path))

package/dist/staleness.js.map

@@ -1 +1 @@
-{"version":3,"file":"staleness.js","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,cAAc,EACd,qBAAqB,GAEtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,cAAc,EAA2B,MAAM,oBAAoB,CAAC;AA0B9F,oEAAoE;AACpE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7D,gEAAgE;AAChE,MAAM,CAAC,MAAM,wBAAwB,GAAG,0BAA0B,CAAC;AAYnE,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,UAAU,4BAA4B;IAC1C,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,wBAAwB,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,IAAI,GAAG,4BAA4B,EAAE,CAAC;IAC5C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAA+B,CAAC;QACrF,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAwB;IAC9C,IAAI,CAAC;QACH,oBAAoB,EAAE,CAAC;QACvB,aAAa,CACX,4BAA4B,EAAE,EAC9B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EACrC,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;AACH,CAAC;AAiBD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAmB,EACnB,OAAyB,EAAE;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxF,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC;IAEpC,4EAA4E;IAC5E,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,CAAC,mDAAmD;QACpF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,2DAA2D;QACrF,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC;YACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;YAC7C,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,cAAc;QACd,aAAa;QACb,eAAe,EAAE,cAAc,CAAC,aAAa,EAAE,cAAc,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,GAAG,CAAC,IAAI,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/F,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAyB,EAAE;IAChE,IAAI,CAAC;QACH,OAAO,MAAM,oBAAoB,CAAC;YAChC,QAAQ,EAAE,cAAc;YACxB,eAAe,EAAE,GAAG,EAAE,CAAC,eAAe,EAAE,CAAC,OAAO;YAChD,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,IAAI,CAAC,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,IAAsB,EACtB,cAAsB;IAEtB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,OAAO,KAAK,CAAC,CAAC,0BAA0B;QAC1C,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAC1D,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC;QACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;QAC7C,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,cAAsB;IACxE,IAAI,CAAC;QACH,OAAO,MAAM,iCAAiC,CAAC;YAC7C,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,cAAc,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,MAAM,iCAAiC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEhE;;;;;;;;GAQG;AACH,MAAM,UAAU,4BAA4B,CAC1C,cAAsB,EACtB,aAAqB,iCAAiC;IAEtD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,IAAI,GAAG,GAAS,EAAE;QACtB,IAAI,OAAO;YAAE,OAAO;QACpB,KAAK,6BAA6B,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC,CAAC;IACF,IAAI,EAAE,CAAC,CAAC,mEAAmE;IAC3E,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC5C,KAAK,CAAC,KAAK,EAAE,CAAC;IACd,OAAO,GAAG,EAAE;QACV,OAAO,GAAG,IAAI,CAAC;QACf,aAAa,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,6DAA6D;AAC7D,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAA0B;IAC/D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,IAAI,GAAG,sBAAsB,IAAI,CAAC,cAAc,cAAc,IAAI,CAAC,aAAa,aAAa,CAAC;IAClG,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK,EAAE,CAAC;QACnE,IAAI;YACF,4GAA4G;gBAC5G,oFAAoF,CAAC;IACzF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"staleness.js","sourceRoot":"","sources":["../src/staleness.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,cAAc,EACd,qBAAqB,GAEtB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,cAAc,EAA2B,MAAM,oBAAoB,CAAC;AA0B9F,oEAAoE;AACpE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7D,gEAAgE;AAChE,MAAM,CAAC,MAAM,wBAAwB,GAAG,0BAA0B,CAAC;AAYnE,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,UAAU,4BAA4B;IAC1C,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,wBAAwB,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAoB,IAAI,CAAC,GAAG;IAChE,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,IAAI,GAAG,EAAE,GAAG,WAAW,IAAI,0BAA0B;QAAE,OAAO,IAAI,CAAC;IACnE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,IAAI,GAAG,4BAA4B,EAAE,CAAC;IAC5C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAA+B,CAAC;QACrF,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAwB;IAC9C,IAAI,CAAC;QACH,oBAAoB,EAAE,CAAC;QACvB,aAAa,CACX,4BAA4B,EAAE,EAC9B,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EACrC,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,wEAAwE;IAC1E,CAAC;AACH,CAAC;AAiBD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAmB,EACnB,OAAyB,EAAE;IAE3B,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxF,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;QAAE,OAAO,IAAI,CAAC;IAEzC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC;IAEpC,4EAA4E;IAC5E,IAAI,aAAa,GAAkB,IAAI,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;QACtC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,CAAC,mDAAmD;QACpF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,2DAA2D;QACrF,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC;YACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;YAC7C,aAAa;SACd,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,cAAc;QACd,aAAa;QACb,eAAe,EAAE,cAAc,CAAC,aAAa,EAAE,cAAc,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,GAAG,CAAC,IAAI,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/F,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAyB,EAAE;IAChE,IAAI,CAAC;QACH,OAAO,MAAM,oBAAoB,CAAC;YAChC,QAAQ,EAAE,cAAc;YACxB,eAAe,EAAE,GAAG,EAAE,CAAC,eAAe,EAAE,CAAC,OAAO;YAChD,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,IAAI,CAAC,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,IAAsB,EACtB,cAAsB;IAEtB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;IAC/B,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,0BAA0B,EAAE,CAAC;YAC1F,OAAO,KAAK,CAAC,CAAC,0BAA0B;QAC1C,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAC1D,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC,UAAU,CAAC;QACd,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE;QAC7C,aAAa,EAAE,MAAM,CAAC,aAAa;KACpC,CAAC,CAAC;IACH,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,cAAsB;IACxE,IAAI,CAAC;QACH,OAAO,MAAM,iCAAiC,CAAC;YAC7C,SAAS,EAAE,aAAa;YACxB,UAAU,EAAE,cAAc;YAC1B,eAAe;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,EAAE,cAAc,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,sFAAsF;AACtF,MAAM,CAAC,MAAM,iCAAiC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEhE;;;;;;;;GAQG;AACH,MAAM,UAAU,4BAA4B,CAC1C,cAAsB,EACtB,aAAqB,iCAAiC;IAEtD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,MAAM,IAAI,GAAG,GAAS,EAAE;QACtB,IAAI,OAAO;YAAE,OAAO;QACpB,KAAK,6BAA6B,CAAC,cAAc,CAAC,CAAC;IACrD,CAAC,CAAC;IACF,IAAI,EAAE,CAAC,CAAC,mEAAmE;IAC3E,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC5C,KAAK,CAAC,KAAK,EAAE,CAAC;IACd,OAAO,GAAG,EAAE;QACV,OAAO,GAAG,IAAI,CAAC;QACf,aAAa,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,6DAA6D;AAC7D,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAA0B;IAC/D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,IAAI,GAAG,sBAAsB,IAAI,CAAC,cAAc,cAAc,IAAI,CAAC,aAAa,aAAa,CAAC;IAClG,IAAI,IAAI,CAAC,WAAW,KAAK,KAAK,IAAI,IAAI,CAAC,iBAAiB,KAAK,KAAK,EAAE,CAAC;QACnE,IAAI;YACF,4GAA4G;gBAC5G,oFAAoF,CAAC;IACzF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/types/config.d.ts

@@ -21,12 +21,52 @@ export interface TelemetryConfig {
     /** Number of days to retain telemetry events. Default: 30. */
     retentionDays: number;
 }
+/**
+ * OS sandbox mode for spawned agents.
+ * - 'bwrap': confine each spawn with bubblewrap (Linux). If bwrap cannot
+ *   initialize, the spawn is REFUSED (fail-closed) -- never run unconfined.
+ * - 'off':   no OS sandbox; the spawn runs with the daemon user's authority
+ *            (the worktree bounds only the git branch, not the filesystem).
+ */
+export type SandboxMode = 'bwrap' | 'off';
+/**
+ * Configuration for the spawn OS sandbox (D3 -- "make the worktree boundary true").
+ *
+ * Default resolution when `mode` is unset: macOS (dev) => 'off'; Linux => 'off'
+ * by default too, but the daemon logs a recommendation to enable 'bwrap' when
+ * bubblewrap is available. Defaulting to 'off' is deliberate -- auto-enabling a
+ * sandbox whose per-host read-bind set has not been validated could break real
+ * spawns; operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. An EXPLICIT 'bwrap' is fail-closed: if
+ * bubblewrap is unavailable the spawn is refused, never silently unconfined.
+ */
+export interface SandboxConfig {
+    /** Sandbox mode. Unset => platform default (see above). */
+    mode?: SandboxMode;
+    /**
+     * Extra host paths to expose read-only inside the sandbox -- the toolchain
+     * (node/claude/codex bin dirs) and the agent's model-auth config the spawn
+     * legitimately needs (e.g. ~/.claude.json, ~/.codex). The worktree itself is
+     * always bound read-write; everything not listed is invisible.
+     */
+    readOnlyPaths?: string[];
+    /**
+     * Outbound egress allowlist (hostnames). NOTE: bubblewrap does NOT enforce
+     * L3/L7 egress, so this is currently advisory and documented as a residual
+     * gap in docs/security-posture-daemon-execution.md (candidate enforcement:
+     * per-uid nftables rules at the service-user layer). Filesystem confinement
+     * + capability/namespace isolation are the enforced boundary today.
+     */
+    egressAllowlist?: string[];
+}
 /**
  * Configuration for the daemon.
  *
  * Extends BaseConfig from @telora/daemon-core with daemon-specific fields.
  */
 export interface DaemonConfig extends BaseConfig {
+    /** OS sandbox for spawned agents (D3). Undefined => platform default. */
+    sandbox?: SandboxConfig;
     /** Path/command for the Codex CLI executable. Default: 'codex' (on PATH). */
     codexPath?: string;
     worktreeDir: string;

package/dist/types/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,4BAA4B,EAAE,MAAM,CAAC;IACrC,gFAAgF;IAChF,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,eAAe,CAAC;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,KAAK,CAAC;AAE1C;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC5B,2DAA2D;IAC3D,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,yEAAyE;IACzE,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,4BAA4B,EAAE,MAAM,CAAC;IACrC,gFAAgF;IAChF,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,eAAe,CAAC;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}

package/dist/unified-shell-config.d.ts

@@ -60,9 +60,17 @@ export declare function loopSectionFromRawConfig(rawFileConfig: Record<string, u
  */
 export declare function resolveAutoUpdateEnabled(config: UnifiedConfig): boolean;
 /**
- * Resolve auto-update check interval from env vars and config file.
- * Env var TELORA_AUTO_UPDATE_INTERVAL_MS takes precedence.
- * Default: 3600000 (1 hour).
+ * Resolve the idle-edge SAMPLING cadence (ms) from env vars and config file.
+ * The controller is event-driven (fires on the batch-safe idle edge); this only
+ * bounds how quickly a reached seam is noticed -- it is no longer an update clock.
+ * Env var TELORA_AUTO_UPDATE_INTERVAL_MS takes precedence. Default: 30000 (30s).
  */
 export declare function resolveAutoUpdateIntervalMs(config: UnifiedConfig): number;
+/**
+ * Resolve the batch-safe idle debounce window (ms). The idle signal must hold
+ * continuously this long before the updater acts on it.
+ * Env var TELORA_AUTO_UPDATE_IDLE_DEBOUNCE_MS takes precedence, then config file
+ * autoUpdate.idleDebounceMs. Default: 60000 (60s).
+ */
+export declare function resolveAutoUpdateIdleDebounceMs(config: UnifiedConfig): number;
 //# sourceMappingURL=unified-shell-config.d.ts.map

package/dist/unified-shell-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"unified-shell-config.d.ts","sourceRoot":"","sources":["../src/unified-shell-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,aAAa,EAEnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAMlD,sCAAsC;AACtC,MAAM,WAAW,oBAAoB;IACnC,mDAAmD;IACnD,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,mEAAmE;IACnE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qDAAqD;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,yDAAyD;IACzD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,mDAAmD;IACnD,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAsCD;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAIzB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAqD,GAC1F,eAAe,CAejB;AAMD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,EACzB,OAAO,EAAE,aAAa,EACtB,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAqD,GAC1F,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA4FtC;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa,CAgB9F;AAQD;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAWvE;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAYzE"}
+{"version":3,"file":"unified-shell-config.d.ts","sourceRoot":"","sources":["../src/unified-shell-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,KAAK,aAAa,EAClB,KAAK,aAAa,EAEnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAMlD,sCAAsC;AACtC,MAAM,WAAW,oBAAoB;IACnC,mDAAmD;IACnD,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,mEAAmE;IACnE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qDAAqD;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,sCAAsC;IACtC,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,yDAAyD;IACzD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,mDAAmD;IACnD,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAsCD;;;;;GAKG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAIzB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CACpC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAqD,GAC1F,eAAe,CAejB;AAMD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC,EACzB,OAAO,EAAE,aAAa,EACtB,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAqD,GAC1F,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CA4FtC;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa,CAgB9F;AAmBD;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAWvE;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAYzE;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAY7E"}

package/dist/unified-shell-config.js

@@ -160,7 +160,17 @@ export function loopSectionFromRawConfig(rawFileConfig) {
 // ---------------------------------------------------------------------------
 // Auto-update config resolution
 // ---------------------------------------------------------------------------
-const DEFAULT_AUTO_UPDATE_INTERVAL_MS = 3_600_000; // 1 hour
+// Cadence for SAMPLING the batch-safe idle edge. The old 1h update clock is
+// gone -- the controller is event-driven (fires on the idle edge), so this only
+// bounds how quickly a reached seam is noticed. Registry traffic is unaffected
+// (the candidate version is read from the warm cache).
+const DEFAULT_AUTO_UPDATE_INTERVAL_MS = 30_000; // 30s
+/**
+ * Debounce window the batch-safe idle signal must hold continuously before the
+ * updater treats the daemon as idle. Guards against a transient zero-team gap
+ * between deliveries momentarily reading as a safe seam. Default: 60s.
+ */
+const DEFAULT_AUTO_UPDATE_IDLE_DEBOUNCE_MS = 60_000;
 /**
  * Resolve whether auto-update is enabled from env vars and config file.
  * Env var TELORA_AUTO_UPDATE takes precedence over config file autoUpdate.enabled.
@@ -180,9 +190,10 @@ export function resolveAutoUpdateEnabled(config) {
     return true;
 }
 /**
- * Resolve auto-update check interval from env vars and config file.
- * Env var TELORA_AUTO_UPDATE_INTERVAL_MS takes precedence.
- * Default: 3600000 (1 hour).
+ * Resolve the idle-edge SAMPLING cadence (ms) from env vars and config file.
+ * The controller is event-driven (fires on the batch-safe idle edge); this only
+ * bounds how quickly a reached seam is noticed -- it is no longer an update clock.
+ * Env var TELORA_AUTO_UPDATE_INTERVAL_MS takes precedence. Default: 30000 (30s).
  */
 export function resolveAutoUpdateIntervalMs(config) {
     const envVal = process.env.TELORA_AUTO_UPDATE_INTERVAL_MS;
@@ -199,4 +210,25 @@ export function resolveAutoUpdateIntervalMs(config) {
     }
     return DEFAULT_AUTO_UPDATE_INTERVAL_MS;
 }
+/**
+ * Resolve the batch-safe idle debounce window (ms). The idle signal must hold
+ * continuously this long before the updater acts on it.
+ * Env var TELORA_AUTO_UPDATE_IDLE_DEBOUNCE_MS takes precedence, then config file
+ * autoUpdate.idleDebounceMs. Default: 60000 (60s).
+ */
+export function resolveAutoUpdateIdleDebounceMs(config) {
+    const envVal = process.env.TELORA_AUTO_UPDATE_IDLE_DEBOUNCE_MS;
+    if (envVal !== undefined && envVal !== '') {
+        const parsed = parseInt(envVal, 10);
+        if (!isNaN(parsed) && parsed >= 0)
+            return parsed;
+    }
+    const fileConfig = config.rawFileConfig;
+    if (typeof fileConfig.autoUpdate === 'object' && fileConfig.autoUpdate !== null) {
+        const au = fileConfig.autoUpdate;
+        if (typeof au.idleDebounceMs === 'number' && au.idleDebounceMs >= 0)
+            return au.idleDebounceMs;
+    }
+    return DEFAULT_AUTO_UPDATE_IDLE_DEBOUNCE_MS;
+}
 //# sourceMappingURL=unified-shell-config.js.map

package/dist/unified-shell-config.js.map

@@ -1 +1 @@
-{"version":3,"file":"unified-shell-config.js","sourceRoot":"","sources":["../src/unified-shell-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAGL,iBAAiB,GAClB,MAAM,qBAAqB,CAAC;AAwB7B,8EAA8E;AAC9E,2DAA2D;AAC3D,8EAA8E;AAE9E,SAAS,UAAU,CACjB,MAA0B,EAC1B,OAAgB,EAChB,UAAkB;IAElB,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,YAAY,CACnB,MAA0B,EAC1B,OAAgB,EAChB,UAAkB;IAElB,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,yEAAyE;AACzE,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CACtC,WAAoC;IAEpC,OAAO,CAAC,OAAO,WAAW,CAAC,SAAS,KAAK,QAAQ,IAAI,WAAW,CAAC,SAAS,KAAK,IAAI,CAAC;QAClF,CAAC,CAAC,WAAW,CAAC,SAAoC;QAClD,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CACpC,eAAwC,EACxC,MAA0C,OAAO,CAAC,GAAyC;IAE3F,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,wBAAwB,KAAK,SAAS;YACjD,CAAC,CAAC,GAAG,CAAC,wBAAwB,KAAK,GAAG,IAAI,GAAG,CAAC,wBAAwB,KAAK,OAAO;YAClF,CAAC,CAAC,CAAC,OAAO,eAAe,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;QACnF,IAAI,EAAE,UAAU,CACd,GAAG,CAAC,qBAAqB,EAAE,eAAe,CAAC,IAAI,EAAE,IAAI,CACtD;QACD,eAAe,EAAE,UAAU,CACzB,GAAG,CAAC,kCAAkC,EAAE,eAAe,CAAC,eAAe,EAAE,IAAI,CAC9E;QACD,aAAa,EAAE,UAAU,CACvB,GAAG,CAAC,+BAA+B,EAAE,eAAe,CAAC,aAAa,EAAE,EAAE,CACvE;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAAyB,EACzB,OAAsB,EACtB,MAA0C,OAAO,CAAC,GAAyC;IAE3F,6CAA6C;IAC7C,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAE9B,MAAM,QAAQ,GAAI,IAAI,CAAC,QAAmB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC5D,MAAM,cAAc,GAAI,IAAI,CAAC,cAAyB,IAAI,QAAQ,CAAC;IACnE,MAAM,MAAM,GAAI,IAAI,CAAC,MAAiB,IAAI,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC/E,MAAM,gBAAgB,GAAI,IAAI,CAAC,gBAA2B,IAAI,OAAO,CAAC;IAEtE,2CAA2C;IAC3C,MAAM,WAAW,GAAG,GAAG,CAAC,mBAAmB;WACtC,CAAC,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;WAClE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAE/C,MAAM,iBAAiB,GAAG,GAAG,CAAC,yBAAyB;WAClD,CAAC,OAAO,MAAM,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;WAC9E,aAAa,CAAC;IAEnB,MAAM,gBAAgB,GAAG,UAAU,CACjC,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,gBAAgB,EAAE,CAAC,CACnD,CAAC;IAEF,MAAM,UAAU,GAAG,UAAU,CAC3B,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAC3C,CAAC;IAEF,MAAM,SAAS,GAAG,YAAY,CAC5B,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,SAAS,EAAE,IAAI,CACvC,CAAC;IAEF,MAAM,kBAAkB,GAAG,UAAU,CACnC,GAAG,CAAC,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,MAAM,CAC7D,CAAC;IAEF,MAAM,4BAA4B,GAAG,UAAU,CAC7C,GAAG,CAAC,gCAAgC,EAAE,MAAM,CAAC,4BAA4B,EAAE,KAAK,CACjF,CAAC;IAEF,qBAAqB;IACrB,MAAM,oBAAoB,GAAG,GAAG,CAAC,0BAA0B;WACtD,CAAC,OAAO,MAAM,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;WAC9E,WAAW,CAAC;IACjB,IAAI,oBAAoB,KAAK,WAAW,IAAI,oBAAoB,KAAK,aAAa,EAAE,CAAC;QACnF,MAAM,IAAI,KAAK,CACb,wCAAwC,oBAAoB,0CAA0C,CACvG,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,MAAM,aAAa,GAAG,UAAU,CAC9B,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAC9C,CAAC;IACF,MAAM,gBAAgB,GAAG,UAAU,CACjC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,gBAAgB,EAAE,UAAU,CAC7D,CAAC;IACF,MAAM,WAAW,GAAG,UAAU,CAC5B,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,WAAW,EAAE,GAAG,CAC3C,CAAC;IAEF,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,SAAS,GAAG,sBAAsB,CAAC,wBAAwB,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;IAEhF,0EAA0E;IAC1E,MAAM,QAAQ,GAAI,IAAI,CAAC,QAAoD,IAAI,EAAE,CAAC;IAElF,OAAO;QACL,cAAc;QACd,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ;QACR,QAAQ;QACR,cAAc;QACd,MAAM;QACN,gBAAgB;QAChB,wBAAwB;QACxB,WAAW;QACX,iBAAiB;QACjB,gBAAgB;QAChB,UAAU;QACV,SAAS;QACT,kBAAkB;QAClB,4BAA4B;QAC5B,iBAAiB,EAAE,oBAAoB;QACvC,aAAa;QACb,gBAAgB;QAChB,WAAW;QACX,SAAS;KAC8B,CAAC;AAC5C,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAAsC;IAC7E,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;IACtC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/E,MAAM,IAAI,GAAI,OAAmC,CAAC,IAAI,CAAC;QACvD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACtE,MAAM,OAAO,GAAG,IAA+B,CAAC;YAChD,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnD,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;oBACtB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,KAAK,KAAK,EAAE,MAAM,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E,MAAM,+BAA+B,GAAG,SAAS,CAAC,CAAC,SAAS;AAE5D;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAAqB;IAC5D,MAAM,MAAM,GAAI,OAAO,CAAC,GAA0C,CAAC,kBAAkB,CAAC;IACtF,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,OAAO,CAAC;IAC9C,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,aAAwC,CAAC;IACnE,IAAI,OAAO,UAAU,CAAC,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAChF,MAAM,EAAE,GAAG,UAAU,CAAC,UAAqC,CAAC;QAC5D,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,SAAS;YAAE,OAAO,EAAE,CAAC,OAAO,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAAqB;IAC/D,MAAM,MAAM,GAAI,OAAO,CAAC,GAA0C,CAAC,8BAA8B,CAAC;IAClG,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;IAClD,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,aAAwC,CAAC;IACnE,IAAI,OAAO,UAAU,CAAC,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAChF,MAAM,EAAE,GAAG,UAAU,CAAC,UAAqC,CAAC;QAC5D,IAAI,OAAO,EAAE,CAAC,UAAU,KAAK,QAAQ,IAAI,EAAE,CAAC,UAAU,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC,UAAU,CAAC;IACnF,CAAC;IACD,OAAO,+BAA+B,CAAC;AACzC,CAAC"}
+{"version":3,"file":"unified-shell-config.js","sourceRoot":"","sources":["../src/unified-shell-config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAGL,iBAAiB,GAClB,MAAM,qBAAqB,CAAC;AAwB7B,8EAA8E;AAC9E,2DAA2D;AAC3D,8EAA8E;AAE9E,SAAS,UAAU,CACjB,MAA0B,EAC1B,OAAgB,EAChB,UAAkB;IAElB,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,YAAY,CACnB,MAA0B,EAC1B,OAAgB,EAChB,UAAkB;IAElB,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,yEAAyE;AACzE,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CACtC,WAAoC;IAEpC,OAAO,CAAC,OAAO,WAAW,CAAC,SAAS,KAAK,QAAQ,IAAI,WAAW,CAAC,SAAS,KAAK,IAAI,CAAC;QAClF,CAAC,CAAC,WAAW,CAAC,SAAoC;QAClD,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CACpC,eAAwC,EACxC,MAA0C,OAAO,CAAC,GAAyC;IAE3F,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,wBAAwB,KAAK,SAAS;YACjD,CAAC,CAAC,GAAG,CAAC,wBAAwB,KAAK,GAAG,IAAI,GAAG,CAAC,wBAAwB,KAAK,OAAO;YAClF,CAAC,CAAC,CAAC,OAAO,eAAe,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;QACnF,IAAI,EAAE,UAAU,CACd,GAAG,CAAC,qBAAqB,EAAE,eAAe,CAAC,IAAI,EAAE,IAAI,CACtD;QACD,eAAe,EAAE,UAAU,CACzB,GAAG,CAAC,kCAAkC,EAAE,eAAe,CAAC,eAAe,EAAE,IAAI,CAC9E;QACD,aAAa,EAAE,UAAU,CACvB,GAAG,CAAC,+BAA+B,EAAE,eAAe,CAAC,aAAa,EAAE,EAAE,CACvE;KACF,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,IAAyB,EACzB,OAAsB,EACtB,MAA0C,OAAO,CAAC,GAAyC;IAE3F,6CAA6C;IAC7C,MAAM,IAAI,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAE9B,MAAM,QAAQ,GAAI,IAAI,CAAC,QAAmB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC5D,MAAM,cAAc,GAAI,IAAI,CAAC,cAAyB,IAAI,QAAQ,CAAC;IACnE,MAAM,MAAM,GAAI,IAAI,CAAC,MAAiB,IAAI,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAC/E,MAAM,gBAAgB,GAAI,IAAI,CAAC,gBAA2B,IAAI,OAAO,CAAC;IAEtE,2CAA2C;IAC3C,MAAM,WAAW,GAAG,GAAG,CAAC,mBAAmB;WACtC,CAAC,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;WAClE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;IAE/C,MAAM,iBAAiB,GAAG,GAAG,CAAC,yBAAyB;WAClD,CAAC,OAAO,MAAM,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;WAC9E,aAAa,CAAC;IAEnB,MAAM,gBAAgB,GAAG,UAAU,CACjC,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,gBAAgB,EAAE,CAAC,CACnD,CAAC;IAEF,MAAM,UAAU,GAAG,UAAU,CAC3B,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAC3C,CAAC;IAEF,MAAM,SAAS,GAAG,YAAY,CAC5B,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,SAAS,EAAE,IAAI,CACvC,CAAC;IAEF,MAAM,kBAAkB,GAAG,UAAU,CACnC,GAAG,CAAC,qBAAqB,EAAE,MAAM,CAAC,kBAAkB,EAAE,MAAM,CAC7D,CAAC;IAEF,MAAM,4BAA4B,GAAG,UAAU,CAC7C,GAAG,CAAC,gCAAgC,EAAE,MAAM,CAAC,4BAA4B,EAAE,KAAK,CACjF,CAAC;IAEF,qBAAqB;IACrB,MAAM,oBAAoB,GAAG,GAAG,CAAC,0BAA0B;WACtD,CAAC,OAAO,MAAM,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,CAAC;WAC9E,WAAW,CAAC;IACjB,IAAI,oBAAoB,KAAK,WAAW,IAAI,oBAAoB,KAAK,aAAa,EAAE,CAAC;QACnF,MAAM,IAAI,KAAK,CACb,wCAAwC,oBAAoB,0CAA0C,CACvG,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,MAAM,aAAa,GAAG,UAAU,CAC9B,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAC9C,CAAC;IACF,MAAM,gBAAgB,GAAG,UAAU,CACjC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,gBAAgB,EAAE,UAAU,CAC7D,CAAC;IACF,MAAM,WAAW,GAAG,UAAU,CAC5B,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,WAAW,EAAE,GAAG,CAC3C,CAAC;IAEF,uEAAuE;IACvE,0EAA0E;IAC1E,MAAM,SAAS,GAAG,sBAAsB,CAAC,wBAAwB,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC;IAEhF,0EAA0E;IAC1E,MAAM,QAAQ,GAAI,IAAI,CAAC,QAAoD,IAAI,EAAE,CAAC;IAElF,OAAO;QACL,cAAc;QACd,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,QAAQ;QACR,QAAQ;QACR,cAAc;QACd,MAAM;QACN,gBAAgB;QAChB,wBAAwB;QACxB,WAAW;QACX,iBAAiB;QACjB,gBAAgB;QAChB,UAAU;QACV,SAAS;QACT,kBAAkB;QAClB,4BAA4B;QAC5B,iBAAiB,EAAE,oBAAoB;QACvC,aAAa;QACb,gBAAgB;QAChB,WAAW;QACX,SAAS;KAC8B,CAAC;AAC5C,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAAsC;IAC7E,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;IACtC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/E,MAAM,IAAI,GAAI,OAAmC,CAAC,IAAI,CAAC;QACvD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACtE,MAAM,OAAO,GAAG,IAA+B,CAAC;YAChD,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnD,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;oBACtB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBACtB,CAAC;YACH,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,KAAK,KAAK,EAAE,MAAM,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E,4EAA4E;AAC5E,gFAAgF;AAChF,+EAA+E;AAC/E,uDAAuD;AACvD,MAAM,+BAA+B,GAAG,MAAM,CAAC,CAAC,MAAM;AAEtD;;;;GAIG;AACH,MAAM,oCAAoC,GAAG,MAAM,CAAC;AAEpD;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAAqB;IAC5D,MAAM,MAAM,GAAI,OAAO,CAAC,GAA0C,CAAC,kBAAkB,CAAC;IACtF,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,OAAO,CAAC;IAC9C,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,aAAwC,CAAC;IACnE,IAAI,OAAO,UAAU,CAAC,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAChF,MAAM,EAAE,GAAG,UAAU,CAAC,UAAqC,CAAC;QAC5D,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,SAAS;YAAE,OAAO,EAAE,CAAC,OAAO,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,MAAqB;IAC/D,MAAM,MAAM,GAAI,OAAO,CAAC,GAA0C,CAAC,8BAA8B,CAAC;IAClG,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC;YAAE,OAAO,MAAM,CAAC;IAClD,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,aAAwC,CAAC;IACnE,IAAI,OAAO,UAAU,CAAC,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAChF,MAAM,EAAE,GAAG,UAAU,CAAC,UAAqC,CAAC;QAC5D,IAAI,OAAO,EAAE,CAAC,UAAU,KAAK,QAAQ,IAAI,EAAE,CAAC,UAAU,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC,UAAU,CAAC;IACnF,CAAC;IACD,OAAO,+BAA+B,CAAC;AACzC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAAC,MAAqB;IACnE,MAAM,MAAM,GAAI,OAAO,CAAC,GAA0C,CAAC,mCAAmC,CAAC;IACvG,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC;YAAE,OAAO,MAAM,CAAC;IACnD,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,aAAwC,CAAC;IACnE,IAAI,OAAO,UAAU,CAAC,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QAChF,MAAM,EAAE,GAAG,UAAU,CAAC,UAAqC,CAAC;QAC5D,IAAI,OAAO,EAAE,CAAC,cAAc,KAAK,QAAQ,IAAI,EAAE,CAAC,cAAc,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC,cAAc,CAAC;IAChG,CAAC;IACD,OAAO,oCAAoC,CAAC;AAC9C,CAAC"}

package/dist/unified-shell.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"unified-shell.d.ts","sourceRoot":"","sources":["../src/unified-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAMH,OAAO,EACL,KAAK,aAAa,EAMnB,MAAM,qBAAqB,CAAC;AA2B7B,YAAY,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AA+EtE;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAoBtE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CA8BtE;AAMD;;;;;;;;;;;GAWG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,aAAa,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAMD;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsShF"}
+{"version":3,"file":"unified-shell.d.ts","sourceRoot":"","sources":["../src/unified-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAMH,OAAO,EACL,KAAK,aAAa,EAOnB,MAAM,qBAAqB,CAAC;AAgC7B,YAAY,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AA+EtE;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAoBtE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CA8BtE;AAMD;;;;;;;;;;;GAWG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,aAAa,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC,CA2BlB;AAMD;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+ThF"}