@tuent/sentinel 0.1.0

package/dist/Sentinel-B_sv8Kiy.d.ts

@@ -0,0 +1,1785 @@
+import { KeyObject } from 'node:crypto';
+
+interface SkillNode {
+    id: string;
+    category: string;
+    label: string;
+    description: string;
+    weight: number;
+    recency: number;
+    lastActive: string;
+    color: string;
+    openness: number;
+    connections: string[];
+    layer: number;
+    source?: "seed" | "agent" | "manual" | "diary" | "conversation" | "agent-monitor";
+    core?: boolean;
+    sharable?: boolean;
+    files?: string[];
+}
+
+interface DataPoint {
+    label: string;
+    category: string;
+    lastActive: string;
+    description?: string;
+    weight?: number;
+    connections?: string[];
+    source?: "seed" | "agent" | "manual" | "diary" | "conversation" | "agent-monitor";
+    files?: string[];
+    sharable?: boolean;
+    core?: boolean;
+}
+
+interface StoredProfile {
+    version: 1;
+    id: string;
+    name: string;
+    dataPoints: DataPoint[];
+    createdAt: string;
+    updatedAt: string;
+}
+interface StorageBackend {
+    read(): Promise<StoredProfile | null>;
+    write(profile: StoredProfile): Promise<void>;
+    /** Returns true if the backing store was modified externally since the last read/write. */
+    hasExternalChanges?(): Promise<boolean>;
+}
+
+interface DataUpdatedEvent {
+    type: "data:updated";
+    payload: {
+        timestamp: number;
+    };
+}
+interface NodeAddedEvent {
+    type: "petal:added";
+    payload: {
+        petalId: string;
+        category: string;
+    };
+}
+interface NodeDecayedEvent {
+    type: "petal:decayed";
+    payload: {
+        petalId: string;
+    };
+}
+interface ProfileGeneratedEvent {
+    type: "profile:generated";
+    payload: {
+        profileId: string;
+    };
+}
+type ProfileBusEvent = DataUpdatedEvent | NodeAddedEvent | NodeDecayedEvent | ProfileGeneratedEvent;
+type EventMap = {
+    [E in ProfileBusEvent as E["type"]]: E;
+};
+type Listener<T extends ProfileBusEvent["type"]> = (event: EventMap[T]) => void;
+declare class EventBus {
+    private listeners;
+    on<T extends ProfileBusEvent["type"]>(type: T, listener: Listener<T>): () => void;
+    emit<T extends ProfileBusEvent["type"]>(event: EventMap[T]): void;
+    clear(): void;
+}
+
+declare class ProfileStore {
+    private backend;
+    private eventBus?;
+    private petalCount;
+    private engine;
+    private profile;
+    constructor(options: {
+        backend: StorageBackend;
+        eventBus?: EventBus;
+        petalCount?: number;
+    });
+    load(): Promise<StoredProfile | null>;
+    create(name: string): Promise<StoredProfile>;
+    addPoint(point: DataPoint): Promise<void>;
+    addPoints(points: DataPoint[]): void;
+    save(): Promise<void>;
+    build(): SkillNode[];
+    getProfile(): StoredProfile | null;
+}
+
+/** What an AI agent does — a single observed action event. */
+interface AgentActivityEvent {
+    agentId: string;
+    agentName: string;
+    agentRole: string;
+    action: "file_read" | "file_write" | "api_call" | "database_query" | "command_exec" | "tool_invocation" | "network_request";
+    /**
+     * All resources this action touches — the full target set.
+     *
+     * Replaces the pre-refactor singular `target: string` field.
+     * Each element is a path, URL, command, query, or other resource identifier.
+     * The array is non-empty: at minimum one target is always present.
+     *
+     * Examples:
+     * - file_read: ["/path/to/file"]
+     * - command_exec: ["git status", "/repo/.env"] (command + extracted paths)
+     * - tool_invocation: ["summarize project files"] (Task description)
+     * - network_request: ["https://example.com/api"] (URL)
+     * - file_write (NotebookEdit): ["/path/to/notebook.ipynb", "cell source content"]
+     *
+     * Policy evaluation checks every element against forbidden patterns.
+     * The matched element becomes SecurityFinding.evidence.target (singular).
+     */
+    targets: string[];
+    /**
+     * Derived display field — the principal target for human readability.
+     *
+     * Invariant: `primaryTarget === targets[0]`.
+     * Computed at event construction time (extractTarget), not stored
+     * independently in the audit log. Present for ergonomic access in
+     * code paths that need a single representative target (UI display,
+     * dedup keys, scope-narrowing checks, report summaries).
+     *
+     * For migration entries, primaryTarget is "schema:audit-log-v2".
+     */
+    primaryTarget: string;
+    /**
+     * Schema version marker. Value is 2 for all post-refactor entries.
+     *
+     * Pre-refactor entries lack this field; the migration script adds it
+     * during the one-time v1→v2 migration. Read-path code uses absence
+     * of this field (or value < 2) to identify legacy entries that need
+     * the v1→v2 normalization (target: string → targets: [string]).
+     */
+    schemaVersion: 2;
+    timestamp: string;
+    duration?: number;
+    metadata?: Record<string, string>;
+    authorized?: boolean;
+    /**
+     * Session identifier — system-managed by Sentinel.
+     *
+     * Generated automatically via `crypto.randomUUID()` on the first `wrap()` call
+     * for an agent. Reused across subsequent `wrap()` calls within the same session.
+     * Reset when `completeSession()` is called; the next `wrap()` generates a new ID.
+     *
+     * Optional at the type level (for external code constructing events manually),
+     * but Sentinel guarantees it is always populated at runtime on events reaching
+     * `execute()` and on audit trail entries.
+     *
+     * If a caller provides sessionId on the incoming event, Sentinel preserves it
+     * (does not overwrite).
+     */
+    sessionId?: string;
+    /**
+     * Human principal identifier — operator-supplied via `wrap()` options.
+     *
+     * Represents the human user who initiated the agent's operation. Not every
+     * operation has a human principal (system jobs, automated processes), so
+     * absence is valid — no auto-generation, no default.
+     */
+    userId?: string;
+}
+/** What an AI agent SHOULD do — its defined role and boundaries. */
+interface AgentRole {
+    agentId: string;
+    name: string;
+    description: string;
+    allowedActions: string[];
+    allowedTargetPatterns: string[];
+    forbiddenTargetPatterns: string[];
+    expectedSchedule?: {
+        activeDays?: string[];
+        activeHours?: [number, number];
+    };
+    maxEventsPerHour?: number;
+    maxSessionDuration?: number;
+    /** Scoped exceptions to forbidden target patterns. */
+    exceptions?: RoleException[];
+    /**
+     * Host allowlist for network_request targets (Sprint 6b W3c).
+     * Lowercase, trimmed, trailing-dot-stripped on load.
+     * When present, URL-parsed hosts matching an entry suppress MEDIUM scope_violation.
+     * CRITICAL findings (scheme/CIDR/credential-tier) are NOT overridden.
+     */
+    networkHosts?: string[];
+}
+/**
+ * A scoped exception to a forbidden target pattern.
+ *
+ * When a forbidden pattern matches, the exception check runs AFTER an
+ * independent sensitivity score gate: if `effectiveScore >= 0.9` (CRITICAL
+ * credentials/system/pii), the exception path is skipped entirely and the
+ * finding is returned unchanged. Exceptions can never downgrade CRITICAL
+ * findings.
+ */
+interface RoleException {
+    /** Glob pattern matching the target this exception covers. */
+    target: string;
+    /** Which actions this exception permits for the matched target. */
+    allowedActions: AgentActivityEvent["action"][];
+    /** If set, active task description must contain this keyword (case-insensitive). */
+    requiresTask?: string;
+    /** If true, the exception must be explicitly approved via approval callback. */
+    requiresApproval?: boolean;
+    /** If set, exception is valid for this many ms after the active task started. */
+    expiresAfter?: number;
+    /** Kind to assign when the exception fires. Default: "informational". */
+    downgradeKindTo?: "informational" | "actionable";
+}
+/** Context passed to the exception approval callback. */
+interface ExceptionApprovalContext {
+    finding: SecurityFinding;
+    exception: RoleException;
+    activeTask: TaskIntent | null;
+    expiresAt: Date | null;
+}
+/** Approval function for exceptions that require explicit approval. */
+type ExceptionApprovalFn = (ctx: ExceptionApprovalContext) => Promise<boolean> | boolean;
+/**
+ * A detected anomaly from behavioral analysis.
+ *
+ * The `kind` field distinguishes between two semantic categories:
+ *
+ * - `"informational"` — behavioral observations that qualify context but do not
+ *   indicate a boundary violation on their own. Typical types: volume_spike,
+ *   access_pattern, temporal_anomaly (from deviation/schedule checks),
+ *   behavioral_absence, intent_drift, and target_sensitivity findings with
+ *   effectiveScore < 0.8.
+ *
+ * - `"actionable"` — boundary violations that represent a concrete policy breach
+ *   requiring operator attention. Typical types: role_violation, unauthorized_target,
+ *   scope_violation, agent_quarantined, agent_restricted, hook_block, and
+ *   target_sensitivity findings with effectiveScore >= 0.8.
+ */
+interface SecurityFinding {
+    severity: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+    kind: "informational" | "actionable";
+    /**
+     * Finding type. `workspace_mismatch` (a gateway routing refusal — a request
+     * from a different workspace than the daemon was launched to serve) is
+     * intentionally NOT in `ESCALATION_ELIGIBLE_TYPES`: it denies the action but
+     * must not count toward the served agent's escalation ladder, because it is a
+     * routing error, not that agent's misbehavior. Same non-eligible posture as
+     * `bash_analysis`. Escalation-ineligibility is a consequence of what the type
+     * means, not a knob — see Sentinel.ESCALATION_ELIGIBLE_TYPES.
+     */
+    type: "scope_violation" | "temporal_anomaly" | "access_pattern" | "volume_spike" | "unauthorized_target" | "role_violation" | "behavioral_absence" | "agent_quarantined" | "agent_restricted" | "intent_drift" | "hook_block" | "bash_analysis" | "workspace_mismatch";
+    agentId: string;
+    agentName: string;
+    description: string;
+    evidence: {
+        action: string;
+        target: string;
+        timestamp: string;
+        baselineComparison?: string;
+    };
+    recommendation: string;
+    timestamp: string;
+    decision?: "allow" | "deny" | "modify";
+    modification?: {
+        type: "append_args";
+        args: string[];
+    };
+    softSignal?: boolean;
+}
+/** Computed behavioral baseline for an agent over a time window. */
+/**
+ * Statistical profile of an agent's historical behavior, computed from observed
+ * sessions. Used by DeviationDetector to identify anomalies.
+ *
+ * Baseline maturity tiers:
+ * - **empty** (sessionCount === 0): No data observed. All deviation checks are
+ *   suppressed except target sensitivity (which doesn't use baseline data).
+ * - **immature** (sessionCount > 0 but below configured thresholds): Not enough
+ *   data for reliable statistical deviation. Volume spike, access pattern,
+ *   category shift, temporal anomaly, and weight anomaly are suppressed.
+ *   Behavioral absence and target sensitivity still fire.
+ * - **mature** (meets all thresholds): All checks fire normally.
+ */
+interface AgentBaseline {
+    agentId: string;
+    computedAt: string;
+    periodDays: number;
+    totalSessions: number;
+    totalEvents: number;
+    actionDistribution: Record<string, number>;
+    topTargets: string[];
+    averageEventsPerSession: number;
+    averageSessionDurationMinutes: number;
+    typicalActiveHours: [number, number];
+    typicalActiveDays: string[];
+    normalWeightRange: [number, number];
+    /** Total sessions observed (used for maturity gating). */
+    sessionCount: number;
+    /** Calendar span in days between earliest and latest observed node. */
+    daysObserved: number;
+    /** Count of distinct activity categories observed. */
+    categoryDiversity: number;
+}
+/** Thresholds for baseline maturity tiers. All three must be met for "mature". */
+interface BaselineMaturityConfig {
+    minSessions: number;
+    minDaysObserved: number;
+    minCategoryDiversity: number;
+}
+/** Adapter configuration for connecting a SentinelRunner to a data source. */
+interface AdapterConfig {
+    type: "log" | "webhook" | "mcp" | "manual";
+    logPath?: string;
+    logFormat?: "json-lines" | "csv";
+    fieldMapping?: Record<string, string>;
+    mcpLogDir?: string;
+    webhookPort?: number;
+    webhookApiKey?: string;
+    pollIntervalMs?: number;
+    /** When true, process existing log content on start instead of tailing from end. */
+    readExisting?: boolean;
+}
+/** Sentinel monitoring configuration. */
+interface SentinelConfig {
+    agents: {
+        agentId: string;
+        name: string;
+        adapterType: "log" | "webhook" | "mcp" | "manual";
+        logPath?: string;
+        logFormat?: "json-lines" | "csv";
+        fieldMapping?: Record<string, string>;
+        mcpLogDir?: string;
+        webhookPort?: number;
+        webhookApiKey?: string;
+        roleDefinitionPath?: string;
+        readExisting?: boolean;
+    }[];
+    alerts?: {
+        minSeverity?: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+        minKind?: "informational" | "actionable";
+        dedupeWindowMs?: number;
+        quietHoursEnabled?: boolean;
+        quietHours?: [number, number];
+        channels?: {
+            type: "console" | "webhook" | "file";
+            name: string;
+            config: {
+                url?: string;
+                headers?: Record<string, string>;
+                filePath?: string;
+            };
+            minKind?: "informational" | "actionable";
+        }[];
+    };
+    alertWebhook?: string;
+    baselineWindowDays?: number;
+    checkIntervalMs?: number;
+}
+/** A declared task/intent for an agent. */
+interface TaskIntent {
+    taskId: string;
+    agentId: string;
+    description: string;
+    keywords: string[];
+    acceptableActions: AcceptableAction[];
+    startedAt: string;
+    ttlMs: number;
+    status: "active" | "completed" | "expired";
+    completedAt?: string;
+    relaxedActions?: AgentActivityEvent["action"][];
+    phases?: string[];
+    /**
+     * Sprint 23 P2 — per-session SCOPE narrowing globs (from a leading `SCOPE:`
+     * prompt line). When present, the effective allowed-target set is narrowed to
+     * `base ∩ scope`: a target allowed by the base role but matching NONE of these
+     * globs is a hard, ladder-eligible violation (RoleValidator Check 3.5). This is
+     * a pure NARROWING — it only ever subtracts from the base allowed set and can
+     * never widen it (the base allow check runs first and denies out-of-base
+     * targets before scope is consulted). The narrowing is session-scoped: it lives
+     * on the active task and expires/clears exactly when the task does (TTL,
+     * completion, or supersede by a later declaration). Distinct tier from the
+     * fuzzy P1 `INTENT:` semantic drift, which stays soft/advisory.
+     */
+    scopePatterns?: string[];
+}
+/** An action+target pattern considered on-task. */
+interface AcceptableAction {
+    action: AgentActivityEvent["action"];
+    targetPattern: string;
+}
+/** Result of checking an event against the active task intent. */
+interface IntentAlignmentResult {
+    aligned: boolean;
+    score: number;
+    taskId: string | null;
+    reason: string;
+    keywordMatches: string[];
+    acceptableActionMatch: boolean;
+    bypassed?: boolean;
+    bypassReason?: string | null;
+}
+/** Configuration for intent alignment scoring. */
+interface IntentAlignmentConfig {
+    defaultTtlMs: number;
+    keywordBoost: number;
+    acceptableActionBoost: number;
+    baseScore: number;
+    missingTaskScore: number;
+    disableDefaultAcceptable?: boolean;
+    denyAcceptable?: string[];
+    similarityThreshold?: number;
+}
+/** A single file entry in a repo sensitivity scan. */
+interface RepoSensitivityEntry {
+    path: string;
+    sensitivity: number;
+    category: string;
+    confidence: "low" | "medium" | "high";
+    matchedRules: string[];
+}
+/** Aggregate statistics for a repo sensitivity scan. */
+interface RepoSensitivitySummary {
+    totalFiles: number;
+    sensitiveFiles: number;
+    byCategory: Record<string, number>;
+    byConfidence: Record<"low" | "medium" | "high", number>;
+}
+/** Complete result of scanning a repository for sensitive files. */
+interface RepoSensitivityMap {
+    scannedAt: string;
+    repoRoot: string;
+    entries: RepoSensitivityEntry[];
+    summary: RepoSensitivitySummary;
+}
+/** The three operator decision types for overlay entries. */
+type OverlayDecisionType = "reject" | "accept" | "override";
+/**
+ * A single operator-controlled overlay decision for a file path.
+ *
+ * - `reject`: false positive — fall through to pattern matching (skip map entry)
+ * - `accept`: informational confirmation — map entry used as-is
+ * - `override`: operator supplies custom sensitivity/category
+ */
+interface OverlayDecision {
+    path: string;
+    decision: OverlayDecisionType;
+    /** Operator-provided note (e.g., "this is a tutorial file, not a real key"). */
+    reason?: string;
+    /** Custom sensitivity (only meaningful for "override" decisions). */
+    sensitivity?: number;
+    /** Custom category (only meaningful for "override" decisions). */
+    category?: string;
+    /** ISO timestamp when the decision was made. */
+    decidedAt: string;
+}
+/** Persisted overlay file: operator decisions layered on top of the auto map. */
+interface SensitivityOverlay {
+    version: "1.0";
+    repoRoot: string;
+    decisions: OverlayDecision[];
+    updatedAt: string;
+}
+
+interface AuditQueryOptions {
+    type?: "event" | "finding" | "session" | "baseline" | "mode_change" | "intent_start" | "intent_end" | "intent_check" | "exception_applied" | "exception_approved" | "elevated_scrutiny";
+    startTime?: string;
+    endTime?: string;
+    severity?: string;
+    limit?: number;
+}
+interface AuditEntry {
+    type: string;
+    timestamp: string;
+    agentId: string;
+    /** Session identifier — injected automatically by AuditTrail when session context is set. */
+    sessionId?: string;
+    /** Human principal identifier — injected automatically when set via session context. */
+    userId?: string;
+    /** Ed25519 signature (base64) of the entry payload. Present when audit trail signing is enabled. */
+    signature?: string;
+    /** Ed25519 public key (base64, raw 32 bytes) of the signer. For offline verification. */
+    signerPublicKey?: string;
+    [key: string]: unknown;
+}
+interface AuditStats {
+    totalEntries: number;
+    eventCount: number;
+    findingCount: number;
+    sessionCount: number;
+    baselineCount: number;
+    intentStartCount: number;
+    intentEndCount: number;
+    intentCheckCount: number;
+    intentDriftCount: number;
+    averageAlignmentScore: number | null;
+    oldestEntry: string | null;
+    newestEntry: string | null;
+    fileSizeBytes: number;
+    findingsBySeverity: Record<string, number>;
+}
+/**
+ * S21-P1 — signed, hash-chained file-level manifest.
+ *
+ * The per-entry hash chain resets to genesis at each rotated file, so deleting a
+ * WHOLE rotated file is undetectable by the entry chain alone. The manifest adds
+ * a layer ABOVE the signed entry chain (it never mutates an entry): one record
+ * per audit file, recording the file's last-entry hash + entry count. The
+ * records are themselves Ed25519-signed (same key as the trail) and hash-chained
+ * (genesis-rooted, identical discipline to entries), so removing or editing a
+ * record breaks the manifest's own chain/signature.
+ */
+interface ManifestIssue {
+    /** MANIFEST_FILE_MISSING (dangling record → file deleted), MANIFEST_HASH_MISMATCH
+     * (present file truncated/replaced), MANIFEST_TAMPERED (manifest's own chain or
+     * signature broken — record removed/edited/re-signed with a foreign key). */
+    type: "MANIFEST_FILE_MISSING" | "MANIFEST_HASH_MISMATCH" | "MANIFEST_TAMPERED";
+    file?: string;
+    detail: string;
+}
+/**
+ * S21-P5 — disclosure of a VALID signed checkpoint. When present, verify()
+ * certifies the chain from the anchor FORWARD (the clean tail) and surfaces this
+ * record so the certified verdict is VALID-WITH-DISCLOSURE, never a silent VALID.
+ * The pre-checkpoint history is retained on disk and disclosed here (count +
+ * enumeration reference), never rewritten.
+ */
+interface ManifestCheckpoint {
+    /** Audit file (basename) the anchor lives in, e.g. "audit.log". */
+    file: string;
+    /** 1-based line of the anchor entry within that file. */
+    line: number;
+    /** Timestamp of the anchor entry (the first certified entry). */
+    anchorTimestamp: string;
+    /** Why this trail is checkpointed (documented dev-era contamination, characterized). */
+    reason: string;
+    /** Reference to the forensic enumeration that characterized the breaks. */
+    enumerationRef: string;
+    /** Documented benign linkage breaks BEFORE the anchor (disclosed, not failed). */
+    preCheckpointBreaks: number;
+    /** Tampering found by the enumeration (the honest claim — expected 0). */
+    tamperingCount: number;
+    /** Human-readable VALID-with-disclosure line surfaced in verify output. */
+    disclosure: string;
+}
+interface ManifestCheck {
+    ok: boolean;
+    recordCount: number;
+    issues: ManifestIssue[];
+    /** S21-P2: files excluded from the pass/fail verdict by a VALID signed
+     * quarantine record (disclosure — VALID-with-disclosure, not VALID-by-hiding). */
+    quarantined: {
+        file: string;
+        reason: string;
+    }[];
+    /** S21-P5: present when a VALID signed checkpoint scopes the certified verdict
+     * to the post-anchor tail. Disclosure (not suppression) — the pre-checkpoint
+     * scope is visibly reported, the history retained on disk. */
+    checkpoint?: ManifestCheckpoint;
+}
+/**
+ * S21-P4 — the derived cumulative-stats.json counter (display-only; no security
+ * decision depends on it — enforcement uses getEffectiveBlockCount, baseline uses
+ * audit-log queries).
+ */
+interface CumulativeStatsFile {
+    totalEntries: number;
+    eventCount: number;
+    findingCount: number;
+    sessionCount: number;
+    baselineCount: number;
+    findingsBySeverity: Record<string, number>;
+    /** S21-P4: what totalEntries honestly counts — RETAINED entries (current +
+     * rotated archives .1–.3 + cold-archive); EXCLUDES manual pre-* backup
+     * snapshots (which duplicate historical content) and any cold files pruned
+     * before a recompute. Maintained monotonically per write (rotation-durable). */
+    countScope?: string;
+}
+declare class AuditTrail {
+    private static readonly GENESIS_HASH;
+    /** S21-P4: honest label for cumulative-stats.json's totalEntries. */
+    private static readonly STATS_SCOPE;
+    private agentId;
+    private logPath;
+    private statsPath;
+    private manifestPath;
+    private manifestHeadPath;
+    private coldDir;
+    /** Fix D: in-process write serialization. Every writeLine chains onto this so
+     * concurrent calls on one instance can't interleave their read-tail + append. */
+    private _writeChain;
+    /** Fix D: byte size of logPath right after THIS instance's last append. The
+     * reanchor guard compares against it: equal ⇒ we are still the sole writer
+     * (no-op, byte-identical hot path); changed ⇒ another instance appended ⇒
+     * re-read the on-disk tail before chaining. Null until first known. */
+    private _lastKnownSize;
+    private _coldCounter;
+    /** S21-P3b: set on rotation to the rotated file's last hash; stamped as the
+     * next entry's signed `chainPrev` (cross-file link), then cleared. */
+    private _chainLinkPending;
+    private opened;
+    private maxFileSizeBytes;
+    private currentChainHead;
+    private _sessionId?;
+    private _userId?;
+    private _signingPrivateKey?;
+    private _signingPublicKeyB64?;
+    constructor(agentId: string, options?: {
+        logDir?: string;
+        maxFileSizeMB?: number;
+    });
+    open(): Promise<void>;
+    /**
+     * Set the current session context for this audit trail.
+     * All subsequent log entries will include these values automatically.
+     * Call with undefined to clear (e.g., after completeSession).
+     *
+     * Note: sessionId is persisted on entries; query/filter by sessionId is future work.
+     */
+    setSessionContext(sessionId?: string, userId?: string): void;
+    /**
+     * Enable Ed25519 signing on all subsequent audit entries (AARM R5).
+     * Once set, every entry written via writeLine() will include `signature`
+     * and `signerPublicKey` fields. Call before writing entries.
+     */
+    setSigningKey(privateKey: KeyObject, publicKey: KeyObject): void;
+    logEvent(event: AgentActivityEvent): Promise<void>;
+    logFinding(finding: SecurityFinding): Promise<void>;
+    /**
+     * Log an agent-level ELEVATED-SCRUTINY advisory flag (the soft-signal
+     * consequence of converging behavioral deviation).
+     *
+     * This is advisory metadata, NOT an enforcement state. It is written as its
+     * own audit entry type ("elevated_scrutiny"), never as a "finding" and never
+     * as a "mode_change", so it can never be picked up by getEffectiveBlockCount
+     * (which counts only eligible findings) or perturb the restrict/quarantine
+     * ladder. It is read back by the report/fleet surfaces and self-clears: the
+     * flag is "active" only while now < expiresAt (a rolling decay window). A
+     * fresh convergence re-raises and extends the window; absence of convergence
+     * lets it lapse on its own.
+     */
+    logElevatedScrutiny(reason: string, windowMs: number): Promise<void>;
+    logSessionSummary(dataPoint: DataPoint): Promise<void>;
+    logModeChange(mode: string, reason: string, previousMode: string): Promise<void>;
+    logBaselineComputed(baseline: AgentBaseline): Promise<void>;
+    logIntentStart(taskIntent: TaskIntent): Promise<void>;
+    logIntentEnd(agentId: string, taskId: string): Promise<void>;
+    logIntentCheck(result: IntentAlignmentResult, event: AgentActivityEvent): Promise<void>;
+    query(options?: AuditQueryOptions): Promise<AuditEntry[]>;
+    getStats(): Promise<AuditStats>;
+    /**
+     * Verify audit trail integrity: hash chain AND Ed25519 signatures.
+     *
+     * Single-pass loop per file. For each entry:
+     *   1. Signature check (if signed) — content integrity + non-repudiation
+     *   2. Hash chain check — ordering + completeness
+     *
+     * Signature-first ordering surfaces content tampering before sequencing
+     * tampering for cleaner error reporting.
+     *
+     * Unsigned entries (pre-signing or signing disabled) emit warnings but
+     * do not fail verification (backward compatibility via lazy defaulting).
+     *
+     * S21-P5: when a VALID signed checkpoint exists, verify certifies the chain
+     * from the checkpoint anchor FORWARD (the clean tail) and DISCLOSES the
+     * retained pre-checkpoint history (manifest.checkpoint). Pass
+     * `{ fullHistory: true }` to ignore the checkpoint scoping and verify the
+     * entire history (which reports the documented pre-checkpoint breaks). A trail
+     * with no checkpoint verifies byte-identically regardless of the flag.
+     */
+    verify(options?: {
+        fullHistory?: boolean;
+    }): Promise<{
+        valid: boolean;
+        totalEntries: number;
+        brokenAt?: number;
+        signedEntries: number;
+        unsignedEntries: number;
+        invalidSignatures: number;
+        /** S21-P1: present ONLY when an audit.manifest exists for this trail. Absent
+         * (and behavior byte-identical to pre-S21-P1) for manifest-less trails. */
+        manifest?: ManifestCheck;
+    }>;
+    /** Read-only fingerprint of one audit file. Returns null if absent/empty. */
+    private fingerprintFile;
+    /** Hash of the entry at a 1-based line position (counting non-empty lines),
+     * or null if absent/unparseable. Used by checkManifest's live-file append
+     * tolerance to confirm the manifested boundary entry is still in place.
+     * Read-only. */
+    private hashAtLine;
+    /** Present audit files, OLDEST→NEWEST: highest archive (.N) … .1, then current.
+     * Oldest-first ordering puts archives in non-last manifest positions (so
+     * scrubbing an archive's record breaks the manifest chain) and the live
+     * current file last. Read-only. */
+    private listAuditFiles;
+    /** The public key the trail's entries are signed with (binds the manifest to
+     * the same key — a manifest re-signed with a foreign key is rejected). Reads
+     * the newest signed entry of the current file. Read-only. */
+    private trailSignerKey;
+    /**
+     * Enroll (or re-enroll) the signed manifest for this trail. READ-ONLY over the
+     * audit files — it hashes each file in place and writes ONLY audit.manifest;
+     * no audit entry is read-modified or re-signed. Requires a signing key (same
+     * key discipline as entries). Records are genesis-rooted hash-chained + signed,
+     * mirroring the entry chain exactly (sign content → hash covers content+sig).
+     *
+     * Honest scope: protects from enrollment FORWARD. Pre-enrollment deletions
+     * cannot be proven retroactively (there was no manifest to dangle).
+     */
+    enrollManifest(options?: {
+        /** S21-P2: files to mark quarantined (excluded from the verify verdict but
+         * RETAINED on disk and disclosed). Each must name a real, documented reason.
+         * Operational — the caller decides what/why; never auto-populated. */
+        quarantine?: {
+            file: string;
+            reason: string;
+        }[];
+        /** S21-P5: a checkpoint anchoring verify() to a documented entry FORWARD. The
+         * anchor binds to a SPECIFIC entry (file + 1-based line + that entry's hash);
+         * verify() then certifies the post-anchor tail while DISCLOSING the retained
+         * pre-checkpoint history. anchorHash/anchorTimestamp are derived from the file
+         * at enroll time unless provided (the auto-re-enroll path passes them through
+         * verbatim so a rotation re-enroll never re-derives a moved anchor). */
+        checkpoint?: {
+            file: string;
+            line: number;
+            reason: string;
+            enumerationRef: string;
+            preCheckpointBreaks: number;
+            tamperingCount: number;
+            anchorHash?: string;
+            anchorTimestamp?: string;
+        };
+    }): Promise<{
+        records: number;
+        quarantined: number;
+        checkpointed: number;
+    }>;
+    /**
+     * S21-P3 (II) — verify the head anchor for an anchored manifest. Returns a
+     * tamper issue if the anchor is missing, foreign-signed, signature-invalid, or
+     * its (manifestHead, recordCount) doesn't match the manifest's actual head.
+     * Read-only.
+     */
+    private verifyHeadAnchor;
+    /**
+     * Cross-check the manifest against the on-disk audit files. Returns null when
+     * NO manifest exists (caller then preserves pre-S21-P1 behavior). Detects:
+     *  - MANIFEST_TAMPERED   — manifest's own chain/signature broken, a record
+     *                          removed/reordered/edited, or re-signed with a key
+     *                          other than the trail's entry-signing key.
+     *  - MANIFEST_FILE_MISSING — a record whose file is absent (whole file deleted).
+     *  - MANIFEST_HASH_MISMATCH — a present file whose last-hash/count differs from
+     *                          its record (file truncated/replaced).
+     * Read-only.
+     */
+    /**
+     * Phase 1 — verify the manifest's OWN integrity: per-record Ed25519 signature
+     * bound to the trail's entry-signing key + genesis-rooted hash-chain. Returns
+     * the parsed records and an integrity verdict; null when no manifest exists.
+     * Shared by checkManifest() and trustedQuarantineSet() so the quarantine-skip
+     * decision and the reported verdict use IDENTICAL integrity gating. Read-only.
+     */
+    private verifyManifestIntegrity;
+    /**
+     * S21-P2 — the set of files quarantined by a VALID manifest. Empty unless the
+     * manifest is present AND fully integrity-valid: a tampered/forged/removed
+     * manifest record grants NO quarantine (fail-closed), so a quarantine can
+     * never be a silent escape hatch. Read-only.
+     */
+    private trustedQuarantineSet;
+    /**
+     * S21-P5 — the trusted checkpoint, IF the manifest is present AND fully
+     * integrity-valid (identical fail-closed gating to trustedQuarantineSet). A
+     * forged (foreign-key), moved (anchorHash/line are signed fields), or removed
+     * (chain/head-anchor break) checkpoint fails integrity → returns null → verify
+     * falls back to the full strict walk and the pre-checkpoint breaks resurface.
+     * So a checkpoint can never be a silent masking hatch. Read-only.
+     */
+    private trustedCheckpoint;
+    /**
+     * Cross-check the manifest against the on-disk audit files. Returns null when
+     * NO manifest exists (caller preserves pre-S21-P1 behavior). Detects:
+     *  - MANIFEST_TAMPERED   — manifest's own chain/signature broken, a record
+     *                          removed/reordered/edited, or re-signed with a key
+     *                          other than the trail's entry-signing key.
+     *  - MANIFEST_FILE_MISSING — a record whose file is absent (whole file deleted).
+     *  - MANIFEST_HASH_MISMATCH — a present file whose last-hash/count differs from
+     *                          its record (truncated/replaced).
+     * Also surfaces quarantined files (disclosure). Read-only.
+     */
+    private checkManifest;
+    /** Write an arbitrary audit entry. Used by HookEngine and other subsystems. */
+    logEntry(entry: AuditEntry): Promise<void>;
+    close(): Promise<void>;
+    private rotateIfNeeded;
+    /**
+     * S21-P3 (2) — keep the manifest current across a rotation. After a rotation
+     * shifts filenames, re-enroll the manifest (re-fingerprint the new layout +
+     * update the head anchor), PRESERVING existing quarantine records. No-op if no
+     * manifest is enrolled (forward-only — trails without a manifest are untouched)
+     * or if no signing key is set.
+     */
+    private autoUpdateManifestAfterRotation;
+    private computeHash;
+    private writeLine;
+    private _writeLineCritical;
+    /**
+     * Fix D — re-anchor the in-memory chain head to the ACTUAL on-disk tail.
+     *
+     * `currentChainHead` is in-memory and advanced per write; a concurrent or
+     * out-of-process AuditTrail instance (e.g. the CLI mode-change commands)
+     * appending to the same file does NOT update it. This re-reads the on-disk
+     * tail (identical "last entry hash" logic as open()) so the next entry chains
+     * THROUGH whatever was actually appended last, rather than to a stale
+     * predecessor. Caller gates this on a detected size change, so it only reads
+     * the file when an external append actually happened.
+     */
+    private reanchorFromDiskTail;
+    private readAllEntries;
+    private loadCumulativeStats;
+    /**
+     * S21-P4: derive cumulative stats from the entries actually retained on disk —
+     * the hot window (current + rotated .1–.3, via readAllEntries) PLUS the
+     * cold-archive (cold/), which is out of the hot window but still retained.
+     * EXCLUDES manual pre-* backup snapshots (they duplicate historical content and
+     * would double-count). Read-only over the trail; touches no signed entry.
+     */
+    private deriveStatsFromDisk;
+    /**
+     * S21-P4: one-time correction — regenerate cumulative-stats.json from the
+     * entries actually retained on disk (hot window + cold-archive). Use when the
+     * counter is known out of sync (e.g. the Sprint-18 migration reset). Returns
+     * the recomputed stats. Read-only over the signed trail.
+     */
+    recomputeCumulativeStats(): Promise<CumulativeStatsFile>;
+    /** Bootstrap cumulative stats when no stats file exists. S21-P4: seeds from ALL
+     * retained entries (hot window + cold-archive) so a re-seed after stats-file
+     * loss doesn't undercount the way the pre-P4 hot-window-only seed did. */
+    private bootstrapCumulativeStats;
+    private incrementCumulativeStats;
+    private parseEventCount;
+}
+
+declare class AgentProfileManager {
+    private agentsDir;
+    constructor(agentsDir?: string);
+    getAgentProfilePath(agentId: string): string;
+    getRolePath(agentId: string): string;
+    createAgent(agentId: string, name: string, role?: AgentRole): Promise<ProfileStore>;
+    loadAgentProfile(agentId: string): Promise<ProfileStore>;
+    saveRole(agentId: string, role: AgentRole): Promise<void>;
+    loadRole(agentId: string): Promise<AgentRole | null>;
+    listAgents(): Promise<string[]>;
+    agentExists(agentId: string): Promise<boolean>;
+    hasBaseline(agentId: string): Promise<boolean>;
+}
+
+interface ReportOptions {
+    periodDays: number;
+    format: "markdown" | "json";
+    includeAllEvents: boolean;
+    includeRecommendations: boolean;
+}
+
+interface AgentClassifierConfig {
+    sessionTimeoutMs: number;
+    minEvents: number;
+    minDurationMs: number;
+}
+
+/** Lazy-init wrapper passed via RoleValidatorOptions so Sentinel can own the cache. */
+interface ForbiddenInodeCacheRef {
+    getOrBuild: () => Set<bigint>;
+}
+/** Options for RoleValidator exception handling. */
+interface RoleValidatorOptions {
+    /** Synchronous approval callback for exceptions with requiresApproval. */
+    approvalFn?: (ctx: ExceptionApprovalContext) => boolean;
+    /** Synchronous callback invoked when an exception audit entry is produced. */
+    onAuditEntry?: (entry: AuditEntry) => void;
+    /** Session-scoped forbidden-inode cache for hardlink detection (Sprint 9). */
+    forbiddenInodeCache?: ForbiddenInodeCacheRef;
+    /**
+     * Absolute workspace root used to anchor bare allowed patterns in Check 3
+     * (Approach 1). Derived upstream as repo.root ?? dirname(policyPath) and
+     * threaded fromPolicy → monitor → here. Empty string disables anchoring
+     * (patterns matched as-authored — the documented fallback).
+     */
+    workspaceRoot?: string;
+}
+
+interface AlertChannel {
+    type: "console" | "webhook" | "file";
+    name: string;
+    config: {
+        url?: string;
+        headers?: Record<string, string>;
+        filePath?: string;
+    };
+    /** Per-channel minimum kind threshold. Overrides top-level minKind when set. */
+    minKind?: "informational" | "actionable";
+}
+interface AlertConfig {
+    channels: AlertChannel[];
+    minSeverity: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+    dedupeWindowMs: number;
+    quietHoursEnabled: boolean;
+    quietHours?: [number, number];
+    /**
+     * Minimum finding kind to route to alert channels.
+     * Defaults to "actionable" — behavioral observations (informational findings
+     * like volume_spike, temporal_anomaly, access_pattern) are suppressed by
+     * default to prevent alert fatigue. Set to "informational" to receive all
+     * findings including behavioral observations.
+     */
+    minKind?: "informational" | "actionable";
+}
+declare class AlertManager {
+    private config;
+    private recentAlerts;
+    constructor(config?: Partial<AlertConfig>);
+    alert(finding: SecurityFinding): Promise<void>;
+    clearDedupeCache(): void;
+    private sendConsole;
+    private severityColor;
+    private sendWebhook;
+    private sendFile;
+    /** Parse the similarity score from an intent_drift finding's baselineComparison. */
+    private parseIntentScore;
+    /** Parse the task description from an intent_drift finding's description. */
+    private parseTaskDescription;
+}
+
+interface KeywordSimilarityResult {
+    rawScore: number;
+    matchedPrimary: string[];
+    matchedPhase: string[];
+    missedKeywords: string[];
+    pathMatches: string[];
+}
+declare class SimilarityEngine {
+    private config;
+    private threshold;
+    private acceptableActions;
+    constructor(config?: Partial<IntentAlignmentConfig>);
+    computeAlignment(intent: TaskIntent, event: AgentActivityEvent): IntentAlignmentResult;
+    keywordSimilarity(primaryKeywords: string[], phaseKeywords: string[], event: AgentActivityEvent): KeywordSimilarityResult;
+    /** Check if an event matches acceptable action rules. */
+    private checkAcceptable;
+}
+
+/**
+ * PURITY CONTRACT — evaluateEvent
+ *
+ * This function is the core security evaluation logic extracted from
+ * SentinelRunner.processEvent(). It is the single source of truth for
+ * block/allow decisions across both the wrap() middleware path and the
+ * (future) HookEngine invocation path.
+ *
+ * INVARIANTS:
+ * - Returns a verdict. Does NOT log to audit trail.
+ * - Does NOT trigger violation callbacks or alerts.
+ * - Does NOT escalate modes or update block counts.
+ * - Does NOT modify ProfileStore or classify events into sessions.
+ * - Does NOT mutate its input state objects.
+ * - Same input produces same output with zero side effects.
+ *
+ * CALLER RESPONSIBILITIES:
+ * - Persisting findings to audit trail
+ * - Dispatching violation callbacks and alerts
+ * - Mode escalation (maybeEscalate)
+ * - Storing the returned newRecentAlignmentScores
+ * - Logging intent checks to audit trail
+ * - Session classification and DataPoint persistence
+ *
+ * NOTE ON DOUBLE EVALUATION (existing quirk, preserved intentionally):
+ * In the current architecture, wrap() calls check() pre-execution
+ * (role validation once) then record() post-execution which triggers
+ * processEvent() (role validation AGAIN). Same event, evaluated twice,
+ * duplicate findings dispatched. This is existing behavior — callbacks
+ * are idempotent-ish. Future cleanup candidate.
+ */
+
+/** Output from evaluateEvent — pure verdict with no side effects applied. */
+interface EvaluationResult {
+    findings: SecurityFinding[];
+    intentAlignment?: IntentAlignmentResult;
+    newRecentAlignmentScores: number[];
+}
+
+/**
+ * Hook type system for Sentinel's parallel enforcement pipeline.
+ *
+ * ARCHITECTURAL INVARIANT:
+ * Core defines the safety floor. Hooks can only go stricter or more contextual,
+ * never more permissive. evaluateEvent() is the unquestioned source of truth
+ * for block/allow decisions. Hooks extend behavior; they do not override
+ * safety-critical decisions.
+ *
+ * Guide responses are for recoverable misalignment only. Never use Guide for
+ * boundary violations, credential access, system files, or PII. These always
+ * Block. An attacker who can get the agent to retry after guidance has a new
+ * attack vector.
+ */
+
+/** Severity levels for hook responses, matching SecurityFinding severity. */
+type SecuritySeverity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+/**
+ * Only two checkpoints in v1. Other checkpoints (pre_prompt, pre_mcp,
+ * post_mcp, pre_tool, post_tool) are deliberately deferred until concrete
+ * integration needs justify them. Adding surface area ahead of demand
+ * creates maintenance tax for capabilities nobody uses.
+ */
+type HookCheckpoint = "pre_execution" | "post_execution";
+/** Context passed to every hook handler invocation. */
+interface HookContext {
+    agentId: string;
+    checkpoint: HookCheckpoint;
+    event: AgentActivityEvent;
+    metadata: Record<string, unknown>;
+    timestamp: string;
+}
+/** Proceed with execution. */
+type AllowResponse = {
+    kind: "allow";
+};
+/** Prevent execution. First Block wins and short-circuits. */
+type BlockResponse = {
+    kind: "block";
+    reason: string;
+    severity: SecuritySeverity;
+    finding?: SecurityFinding;
+};
+/**
+ * Fields that hooks may modify via suggestedAction. Restricted to `target`
+ * and `metadata` only — hooks CANNOT modify agentId, agentRole, agentName,
+ * action, timestamp, duration, or authorized. Without this restriction a
+ * hook could suggest `{ agentRole: "admin" }` to bypass role validation,
+ * `{ agentId: "other" }` to shift to another agent's policy, or
+ * `{ authorized: true }` to mark actions as pre-authorized.
+ */
+type ModifiableEventFields = {
+    target?: string;
+    metadata?: Record<string, string>;
+};
+/**
+ * Advisory correction — delivers guidance to the agent so it can
+ * course-correct, but does not block execution. First Guide wins
+ * (no concatenation). See ARCHITECTURAL INVARIANT above for scope
+ * restrictions on when Guide may be used.
+ *
+ * `suggestedAction` is an optional runtime modification that Sentinel
+ * applies to the action BEFORE execute() runs in `wrap()`. When present:
+ *
+ * - REQUIRES `enablePreExecutionHooks: true` on the Sentinel instance.
+ *   When the flag is off (default), hooks fire post-execution and
+ *   suggestedAction is never processed.
+ * - Safety floor: if the ORIGINAL action produces a HIGH/CRITICAL
+ *   actionable finding, the modification is rejected entirely.
+ * - Modified-event safety: after applying the modification, Sentinel
+ *   re-checks the modified target's sensitivity score. If it would score
+ *   HIGH or CRITICAL (effectiveScore >= 0.7), the modification is rejected.
+ * - Scope narrowing: simple path-prefix narrowing is enforced at runtime
+ *   (e.g., "src/" → "src/auth/login.ts" allowed; "src/auth/" → "src/"
+ *   rejected as broadening). Complex glob narrowing is hook-author
+ *   responsibility — Sentinel will not catch all cases of glob broadening,
+ *   but will reject modifications introducing HIGH/CRITICAL sensitivity.
+ * - Multiple hooks: first Guide with suggestedAction wins (hook priority
+ *   order). Register hooks in priority order knowing earlier ones win.
+ * - An `action_modified` audit entry records every applied modification.
+ *
+ * Distinct from `guidance` (agent-facing suggestion text) — suggestedAction
+ * is a runtime parameter change Sentinel applies before execution.
+ */
+type GuideResponse = {
+    kind: "guide";
+    guidance: string;
+    suggestedAction?: ModifiableEventFields;
+};
+/** Discriminated union of all hook response types. */
+type HookResponse = AllowResponse | BlockResponse | GuideResponse;
+/** A hook handler — may be sync or async. */
+type HookHandler = (context: HookContext) => Promise<HookResponse> | HookResponse;
+/** A registered hook with metadata. */
+interface HookRegistration {
+    id: string;
+    agentId: string | null;
+    checkpoint: HookCheckpoint;
+    handler: HookHandler;
+    registeredAt: string;
+    priority?: number;
+    failClosed?: boolean;
+    scope: "global" | "agent";
+    status: "active" | "orphaned";
+}
+
+/**
+ * HookEngine — parallel invocation path for Sentinel enforcement.
+ *
+ * INVARIANT: Core defines the safety floor. Hooks can only go stricter or more
+ * contextual, never more permissive. evaluateEvent() is the unquestioned source
+ * of truth for block/allow decisions. Hooks extend behavior; they do not
+ * override safety-critical decisions.
+ *
+ * CRITICAL GUARDRAIL: If evaluateEvent returns any finding with severity
+ * HIGH or CRITICAL, HookEngine rejects any Guide response from hooks and falls
+ * back to Block. This prevents hooks from softening safety-critical findings.
+ *
+ * Guide responses are for recoverable misalignment only. Never use Guide for
+ * boundary violations, credential access, system files, or PII.
+ */
+
+interface HookEngineOptions {
+    debug?: boolean;
+    logAllFirings?: boolean;
+}
+declare class HookEngine {
+    private hooks;
+    private auditTrail;
+    private options;
+    constructor(auditTrail: AuditTrail, options?: HookEngineOptions);
+    registerHook(agentId: string, checkpoint: HookCheckpoint, handler: HookHandler, options?: {
+        priority?: number;
+        failClosed?: boolean;
+    }): string;
+    registerGlobalHook(checkpoint: HookCheckpoint, handler: HookHandler, options?: {
+        priority?: number;
+        failClosed?: boolean;
+    }): string;
+    unregisterHook(id: string): boolean;
+    listHooks(agentId?: string): HookRegistration[];
+    fireHook(checkpoint: HookCheckpoint, context: HookContext, evaluationResult?: EvaluationResult): Promise<HookResponse>;
+    private logAudit;
+    private emitDebug;
+}
+
+interface ProcessEventResult {
+    dataPoint?: DataPoint;
+    finding?: SecurityFinding;
+    findings?: SecurityFinding[];
+    intentAlignment?: IntentAlignmentResult;
+    guidance?: string;
+    blocked?: boolean;
+}
+/**
+ * Result from firePreExecutionGate — a side-effect-free pre-execution verdict.
+ *
+ * Unlike processEvent, this does NOT log to audit trail, dispatch violation
+ * callbacks, classify events, or increment counters. It only runs evaluateEvent
+ * and fires pre_execution hooks (whose handlers may have their own side effects).
+ */
+interface PreExecutionGateResult {
+    blocked: boolean;
+    finding: SecurityFinding | null;
+    evaluation: EvaluationResult;
+    /** The raw hook response (Allow, Block, or Guide). Null when no HookEngine. */
+    hookResponse: HookResponse | null;
+}
+declare class SentinelRunner {
+    private agentId;
+    private config;
+    private adapterConfig;
+    private classifier;
+    private profileManager;
+    private validator;
+    private store;
+    private findings;
+    private adapter;
+    private webhookReceiver;
+    private auditTrail;
+    private alertManager;
+    private _started;
+    private _eventCount;
+    private _sessionCount;
+    private _onFinding;
+    private _auditLogDir;
+    private _baseline;
+    private _deviationDetector;
+    private _gapCheckInterval;
+    private _processQueue;
+    private _hookEngine?;
+    private _maturityConfig?;
+    private _validatorOptions?;
+    private intentTracker;
+    private similarityEngine;
+    private recentAlignmentScores;
+    constructor(agentId: string, config?: Partial<AgentClassifierConfig>, adapterConfig?: AdapterConfig, intentConfig?: Partial<IntentAlignmentConfig>);
+    /** Allow injection of a custom profile manager (for testing with temp dirs). */
+    setProfileManager(manager: AgentProfileManager): void;
+    /** Allow injection of a custom audit log directory (for testing with temp dirs). */
+    setAuditLogDir(dir: string): void;
+    /** Register a callback invoked on every new SecurityFinding. */
+    setFindingCallback(cb: (finding: SecurityFinding) => void): void;
+    /** Attach an AlertManager so findings trigger real-time alerts. */
+    setAlertManager(manager: AlertManager): void;
+    /** Attach a HookEngine for pre/post execution hook firing. */
+    setHookEngine(engine: HookEngine): void;
+    /** Read-only access to the attached HookEngine (if any). */
+    get hooks(): HookEngine | undefined;
+    /** Set baseline maturity thresholds (from YAML policy or programmatic config). */
+    setMaturityConfig(config: Partial<BaselineMaturityConfig>): void;
+    /** Set RoleValidator options (exception approval fn, audit callback). */
+    setRoleValidatorOptions(options: RoleValidatorOptions): void;
+    /** Set the behavioral baseline and start periodic gap checking. */
+    setBaseline(baseline: AgentBaseline): void;
+    /** Declare a new task intent for this agent. */
+    startTask(taskId: string, description: string, config?: {
+        acceptableActions?: AcceptableAction[];
+        ttlMs?: number;
+        relaxedActions?: AgentActivityEvent["action"][];
+        phases?: string[];
+        scopePatterns?: string[];
+    }): TaskIntent;
+    /** End the current task for this agent. */
+    endTask(): TaskIntent | null;
+    /** Get the active task for this agent (null if none or expired). */
+    getActiveTask(): TaskIntent | null;
+    /** Expose the similarity engine for pre-execution intent checks. */
+    getSimilarityEngine(): SimilarityEngine;
+    /**
+     * Side-effect-free pre-execution gate: evaluate an event and fire pre_execution
+     * hooks WITHOUT running processEvent's full pipeline.
+     *
+     * This method is designed for wrap() to consult hooks before calling execute().
+     * It does NOT:
+     * - Write to the audit trail (logEvent, logFinding)
+     * - Dispatch violation callbacks (onFinding)
+     * - Classify events into sessions
+     * - Increment event counters
+     * - Mutate alignment score state
+     *
+     * It DOES:
+     * - Run evaluateEvent() (pure evaluation)
+     * - Fire pre_execution hooks via HookEngine (handlers may have their own side effects)
+     * - Apply the guardrail: HIGH/CRITICAL evaluation findings synthesize Block
+     *   even if all hooks returned Allow
+     */
+    firePreExecutionGate(event: AgentActivityEvent): Promise<PreExecutionGateResult>;
+    private runGapCheck;
+    get eventCount(): number;
+    get sessionCount(): number;
+    start(): Promise<void>;
+    processEvent(event: AgentActivityEvent, options?: {
+        _skipPreHooks?: boolean;
+    }): Promise<ProcessEventResult>;
+    processEvents(events: AgentActivityEvent[]): Promise<{
+        dataPoints: DataPoint[];
+        findings: SecurityFinding[];
+    }>;
+    /**
+     * Flush the classifier to close the current session, then run
+     * session-level deviation analysis if a baseline is configured.
+     * Returns any SecurityFindings produced by the deviation detector.
+     */
+    completeSession(): Promise<SecurityFinding[]>;
+    getFindings(): SecurityFinding[];
+    clearFindings(): void;
+    getAuditTrail(): AuditTrail | null;
+    stop(): Promise<void>;
+    private startAdapter;
+}
+
+interface CorrelationFinding {
+    rule: string;
+    severity: "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
+    description: string;
+    agentA: {
+        agentId: string;
+        action: string;
+        target: string;
+        timestamp: string;
+    };
+    agentB: {
+        agentId: string;
+        action: string;
+        target: string;
+        timestamp: string;
+    };
+    timeDeltaMs: number;
+    recommendation: string;
+}
+
+type AgentMode = "normal" | "restricted" | "quarantined";
+interface MonitorOptions {
+    name: string;
+    description?: string;
+    allowedActions?: string[];
+    allowedTargetPatterns?: string[];
+    forbiddenTargetPatterns?: string[];
+    exceptions?: RoleException[];
+    /** Host allowlist for network_request targets (Sprint 6b W3c). */
+    networkHosts?: string[];
+    expectedSchedule?: {
+        activeHours?: [number, number];
+        activeDays?: string[];
+    };
+    maxEventsPerHour?: number;
+    maxSessionDuration?: number;
+    adapter?: AdapterConfig;
+    intentConfig?: Partial<IntentAlignmentConfig>;
+    /**
+     * Absolute workspace root for anchoring bare allowed patterns (Approach 1).
+     * Supplied by fromPolicy() as repo.root ?? dirname(policyPath). When omitted,
+     * allowed patterns are matched as-authored: direct callers must then supply
+     * absolute or globstar-prefixed allowed patterns themselves.
+     */
+    workspaceRoot?: string;
+}
+/**
+ * Public SDK facade for Tuent Sentinel.
+ *
+ * This is the primary entry point for external developers.
+ * It wraps the internal manager, validators, and reporters into a
+ * single cohesive API.
+ */
+declare class Sentinel {
+    private manager;
+    private profileManager;
+    private alertManager;
+    private violationCallbacks;
+    private alertCallbacks;
+    private exitSignalCallbacks;
+    private approvalCallback?;
+    private agentsDir;
+    private sensitivityScorer;
+    private agentModes;
+    private globalHookRegistrations;
+    private environment;
+    private restrictThreshold;
+    private quarantineThreshold;
+    private enablePreExecutionHooks;
+    private promoteSet;
+    private maturityConfig?;
+    private _exceptionApprovalFn;
+    /** Audit entries captured during the last check() call — used by wrap() for exception routing. */
+    private _lastCheckExceptionEntries;
+    private _repoRoot;
+    /** Absolute workspace root for Check 3 allowed-pattern anchoring (Approach 1). */
+    private _workspaceRoot;
+    /**
+     * Per-agentId init locks for the Approach-B per-workspace lazy-create path
+     * (B5a), mirroring B3's manager-level lock but at the Sentinel facade level
+     * (where role-save + baseline + finding-callback wiring live). Stored
+     * synchronously so concurrent first-requests for the same workspace run the
+     * full setup exactly once. Dormant until the gateway's isolation gate is on.
+     */
+    private readonly _workspaceInitLocks;
+    private _scanOnStartup;
+    private _mapPath;
+    private _overlayPath;
+    private _repoMap;
+    private _overlay;
+    private _repoInitPromise;
+    /**
+     * Per-agent session ID tracking (R6 identity binding).
+     * First wrap() call for an agent generates a UUID; subsequent calls reuse it.
+     * completeSession() clears the entry so the next wrap() starts a new session.
+     */
+    private currentSessionIds;
+    /**
+     * Per-agent session-scoped forbidden-inode caches (Sprint 9 hardlink closure).
+     * Built lazily on first nlink > 1 observation per session.
+     * Cleared on completeSession() / removeAgent().
+     */
+    private forbiddenInodeCaches;
+    constructor(config?: Partial<SentinelConfig> & {
+        agentsDir?: string;
+        environment?: "development" | "production";
+        enforcement?: {
+            restrictAfter?: number;
+            quarantineAfter?: number;
+            promote?: string[];
+            baselineMaturity?: Partial<BaselineMaturityConfig>;
+        };
+        enablePreExecutionHooks?: boolean;
+        repo?: {
+            root?: string;
+            scanOnStartup?: boolean;
+            mapPath?: string;
+            overlayPath?: string;
+        };
+    });
+    getMode(agentId: string): AgentMode;
+    isQuarantined(agentId: string): boolean;
+    isRestricted(agentId: string): boolean;
+    getQuarantinedAgents(): string[];
+    getRestrictedAgents(): string[];
+    /**
+     * Current escalation-eligible block count for an agent.
+     *
+     * Intentionally async: the count is DERIVED from the audit log (not an
+     * in-memory counter), so it survives gateway restarts and is the single source
+     * of truth for the restrict/quarantine ladder. Callers must await it.
+     */
+    getBlockCount(agentId: string): Promise<number>;
+    getEnvironment(): "development" | "production";
+    /**
+     * Initializes the repo sensitivity map. If scanOnStartup is true and
+     * repoRoot is set, performs a fresh scan and persists the map. Otherwise
+     * attempts to load an existing map from disk.
+     */
+    private _initRepoMap;
+    /**
+     * Returns a promise that resolves when the repo map initialization is
+     * complete. Safe to call multiple times (idempotent). Returns immediately
+     * if no repo init was started.
+     */
+    waitForRepoInit(): Promise<void>;
+    /**
+     * Triggers a fresh scan of the repo, persists the updated map, and
+     * grounds the scorer with the new data. Requires repoRoot to be set.
+     */
+    rescan(repoRoot?: string): Promise<RepoSensitivityMap>;
+    /** Returns the current repo sensitivity map, or null if none is loaded. */
+    getRepoMap(): RepoSensitivityMap | null;
+    /** Returns the current sensitivity overlay, or null if none is loaded. */
+    getOverlay(): SensitivityOverlay | null;
+    /**
+     * Sets an overlay decision for a file path. Persists the overlay to disk.
+     * Creates a new overlay if none exists.
+     */
+    setOverlayDecision(filePath: string, decision: OverlayDecisionType, options?: {
+        reason?: string;
+        sensitivity?: number;
+        category?: string;
+    }): Promise<void>;
+    /**
+     * Removes an overlay decision for a file path. Persists the overlay to disk.
+     */
+    removeOverlayDecision(filePath: string): Promise<void>;
+    /**
+     * Reloads the overlay from disk. Use after external edits to the overlay file.
+     */
+    reloadOverlay(): Promise<void>;
+    quarantine(agentId: string, reason: string): Promise<void>;
+    restrict(agentId: string, reason: string): Promise<void>;
+    release(agentId: string, reason?: string): Promise<void>;
+    private persistMode;
+    private logModeChange;
+    private stopAgent;
+    private loadModeFromDisk;
+    /**
+     * Pre-execution check: validate an event against an agent's role definition.
+     * Returns a finding if the event violates the role, or null if allowed.
+     * If the agent is not registered, returns a LOW finding warning about missing registration.
+     */
+    check(agentId: string, event: AgentActivityEvent): Promise<SecurityFinding | null>;
+    /**
+     * Post-execution record: record an event, classify into sessions,
+     * check baseline deviations. Returns findings and dataPoint if session closed.
+     * If the agent is not registered, returns a warning string.
+     *
+     */
+    record(event: AgentActivityEvent): Promise<{
+        dataPoint?: DataPoint;
+        findings: SecurityFinding[];
+        warning?: string;
+        intentAlignment?: IntentAlignmentResult;
+    }>;
+    /**
+     * Internal record path. `options._skipPreHooks` suppresses pre_execution hook
+     * firing in processEvent — used by wrap() when enablePreExecutionHooks is on, so
+     * the gate (already fired via firePreExecutionGate) doesn't double-fire. Kept
+     * OFF the public record() signature so the internal flag isn't a consumer API.
+     */
+    private _recordInternal;
+    /**
+     * Query the audit trail for an agent.
+     * If the agent is not registered, logs a warning and returns an empty array.
+     */
+    query(agentId: string, options?: AuditQueryOptions): Promise<AuditEntry[]>;
+    /**
+     * Public method allowing external code (notably the gateway) to write
+     * findings directly to an agent's audit trail. Used by the gateway's
+     * pre-tool-use handler to persist deny decisions and allow-with-finding
+     * emissions that don't flow through wrap().
+     *
+     * Without this method, gateway-level Sentinel decisions are returned in
+     * HTTP responses to cc but never recorded as type:"finding" entries in
+     * the audit log. That breaks SOC-tooling integration and forensic
+     * queries — restored in Sprint 6a hotfix between Prompts 6 and 7.
+     */
+    logFinding(agentId: string, finding: SecurityFinding): Promise<void>;
+    /**
+     * Persist a gateway-level deny finding and evaluate enforcement escalation.
+     *
+     * Called from SentinelGateway deny paths that short-circuit before wrap().
+     * Combines logFinding (audit persistence) with maybeEscalate (enforcement
+     * ladder evaluation) into a single atomic call.  Without this, gateway
+     * denies are persisted to the audit log but never trigger mode transitions.
+     *
+     * Sprint 16 — closes the enforcement ladder gap where 7 gateway DENY paths
+     * bypassed wrap() and therefore never reached maybeEscalate().
+     */
+    handleGatewayDeny(agentId: string, finding: SecurityFinding): Promise<void>;
+    addAgent(agentId: string, name: string, role?: AgentRole): Promise<void>;
+    /**
+     * Validate a derived workspace root and emit the Approach-1 safety-valve
+     * warnings (point 6). Returns the resolved root regardless (the warning is
+     * advisory) so anchoring still functions; the operator is told when the
+     * root looks wrong.
+     *
+     * - At or above $HOME → the policy was likely not found at a repo root, so
+     *   anchoring to home would be far too broad. Warn loudly.
+     * - Anchor prefix directories that don't exist on disk → warn once so a
+     *   typo'd root surfaces instead of silently denying every allowed read.
+     */
+    private validateWorkspaceRoot;
+    monitor(agentId: string, options: MonitorOptions): Promise<void>;
+    /**
+     * Approach B / B5a — lazily get-or-create a fully-configured per-workspace
+     * runner, idempotent and concurrency-safe, WITHOUT mutating the daemon-global
+     * `_workspaceRoot` (so Approach A's single-workspace semantics are untouched).
+     *
+     * Reuses B3's concurrency-safe runner construction (manager.getOrCreateAgent)
+     * but adds the Sentinel-level setup monitor() does — persist the merged role,
+     * wire the finding callback / alert manager, enable audit signing, set the
+     * baseline, load the mode — minus wireRunner()'s workspaceRoot clobber (which
+     * would force every workspace's validator onto the global root). Each runner
+     * anchors to ITS OWN `workspaceRoot` via validatorOptions.
+     *
+     * Touches activity (B4) on create. The gateway also touches on each request.
+     * DORMANT: only the gateway's isolation gate (off by default) calls this.
+     */
+    getOrCreateWorkspaceAgent(agentId: string, options: {
+        workspaceRoot: string;
+        role: AgentRole;
+        name: string;
+    }): Promise<SentinelRunner>;
+    private _initWorkspaceAgent;
+    /** B4 delegators for the gateway (touch on request, start/stop the idle sweep). */
+    touchAgent(agentId: string): void;
+    startWorkspaceSweep(intervalMs?: number): void;
+    stopWorkspaceSweep(): void;
+    evictIdleWorkspaceRunners(now?: number): Promise<string[]>;
+    /**
+     * Ids of all currently-registered runners (global + per-workspace under B).
+     * B5b-Phase-2: the gateway uses this to complete EVERY active session on
+     * shutdown, not just the global identity.
+     */
+    listActiveAgentIds(): string[];
+    static quickStart(agentId: string, name: string, logPath?: string): Promise<Sentinel>;
+    static fromPolicy(yamlPath: string, options?: {
+        agentsDir?: string;
+    }): Promise<Sentinel>;
+    removeAgent(agentId: string): Promise<void>;
+    computeBaseline(agentId: string): Promise<AgentBaseline>;
+    /**
+     * Inject a pre-built baseline into a registered agent's runner.
+     * Creates the DeviationDetector in the appropriate maturity tier
+     * (empty / immature / mature) based on the baseline's metrics.
+     */
+    setBaseline(agentId: string, baseline: AgentBaseline): void;
+    /**
+     * Flush the current session for an agent and run session-level
+     * deviation analysis. Returns any SecurityFindings produced.
+     */
+    completeSession(agentId: string): Promise<SecurityFinding[]>;
+    /** Declare a new task intent for an agent. Returns the TaskIntent object. */
+    startTask(agentId: string, taskId: string, description: string, config?: {
+        acceptableActions?: AcceptableAction[];
+        ttlMs?: number;
+        relaxedActions?: AgentActivityEvent["action"][];
+        phases?: string[];
+        scopePatterns?: string[];
+    }): TaskIntent | null;
+    /** End the current task for an agent. Returns the completed TaskIntent or null. */
+    endTask(agentId: string): TaskIntent | null;
+    /** Get the active task for an agent (null if none or expired). */
+    getActiveTask(agentId: string): TaskIntent | null;
+    /**
+     * Returns the existing sessionId for an agent, or generates a new one.
+     * New sessions are created on the first wrap() call for an agent, or
+     * after completeSession() clears the previous session.
+     */
+    private getOrCreateSessionId;
+    /**
+     * Middleware wrapper: pre-check, execute, post-record in one call.
+     * Blocks execution if agent is quarantined/restricted, check() returns HIGH/CRITICAL,
+     * pre-execution hooks block (when enablePreExecutionHooks is on),
+     * or an approval callback rejects a MEDIUM finding.
+     *
+     * The `execute` function receives the effective event — the original event with
+     * any hook-suggested modifications applied. When no modifications occur (the
+     * common case), effectiveEvent is the original event. Callers that don't need
+     * modification support can ignore the parameter — `() => Promise<T>` is
+     * assignable to `(event: AgentActivityEvent) => Promise<T>` in TypeScript.
+     *
+     * MODIFY decision (AARM R4): When `enablePreExecutionHooks` is true and a
+     * pre-execution hook returns Guide with `suggestedAction`, Sentinel applies
+     * the modification subject to safety checks before calling execute().
+     */
+    wrap<T>(agentId: string, event: Omit<AgentActivityEvent, "timestamp">, execute: (effectiveEvent: AgentActivityEvent) => Promise<T>, options?: {
+        userId?: string;
+    }): Promise<{
+        result?: T;
+        blocked: boolean;
+        finding?: SecurityFinding;
+    }>;
+    /**
+     * Factory for creating a wrapped tool function with a fixed agent identity.
+     * The execute function receives the effective event (with any modifications
+     * applied by hooks). See wrap() for MODIFY decision semantics.
+     */
+    wrapTool(agentId: string, agentName: string, agentRole: string): <T>(action: AgentActivityEvent["action"], target: string, execute: (effectiveEvent: AgentActivityEvent) => Promise<T>, options?: {
+        userId?: string;
+    }) => Promise<{
+        result?: T;
+        blocked: boolean;
+        finding?: SecurityFinding;
+    }>;
+    /**
+     * Apply a hook-suggested modification to an event, subject to safety checks.
+     * Returns the modified event if checks pass, or null if rejected.
+     *
+     * Safety checks:
+     * 1. Safety floor (original): if the original event already has a HIGH/CRITICAL
+     *    actionable finding, modifications cannot rescue it.
+     * 2. Scope narrowing: if the suggested target is not a prefix-extension of the
+     *    original primaryTarget (i.e., broadening), the modification is rejected.
+     * 3. Sensitivity re-check (modified): if the modified target scores HIGH/CRITICAL
+     *    on sensitivity (effectiveScore >= 0.7), the modification is rejected.
+     */
+    private applyModification;
+    private logModificationRejected;
+    detectCorrelations(windowMs?: number): Promise<CorrelationFinding[]>;
+    report(agentId: string, options?: Partial<ReportOptions>): Promise<string>;
+    fleetReport(options?: {
+        periodDays?: number;
+        format?: "markdown" | "json";
+    }): Promise<string>;
+    getHealthScore(agentId: string): Promise<{
+        score: number;
+        status: "healthy" | "caution" | "at_risk" | "critical" | "quarantined" | "restricted" | "new";
+        mode: AgentMode;
+        findings: {
+            critical: number;
+            high: number;
+            medium: number;
+            low: number;
+        };
+        lastEvent: string | null;
+        baselineEstablished: boolean;
+        agentName: string;
+    }>;
+    /**
+     * Register a hook handler for a specific agent's lifecycle checkpoint.
+     *
+     * @param agentId - The ID of the agent to attach the hook to. Agent must be registered.
+     * @param checkpoint - Either 'pre_execution' or 'post_execution'.
+     * @param handler - Sync or async function returning Allow, Block, or Guide response.
+     * @param options - Optional priority (higher fires first, default 0) and failClosed (default false).
+     * @returns Unique hook ID for later unregistration via off().
+     * @throws If agentId is not a registered agent.
+     *
+     * @example
+     * const hookId = sentinel.on('my-agent', 'pre_execution', async (ctx) => {
+     *   if (ctx.event.target.startsWith('/production')) {
+     *     return { kind: 'block', reason: 'production access blocked', severity: 'HIGH' };
+     *   }
+     *   return { kind: 'allow' };
+     * });
+     */
+    on(agentId: string, checkpoint: HookCheckpoint, handler: HookHandler, options?: {
+        priority?: number;
+        failClosed?: boolean;
+    }): string;
+    /**
+     * Register a global hook that fires for ALL agents — current and future.
+     *
+     * Immediately registers the hook on every currently-active runner. When a new
+     * agent is added via addAgent() or monitor(), the hook is automatically
+     * replayed onto the new runner.
+     *
+     * @param checkpoint - Either 'pre_execution' or 'post_execution'.
+     * @param handler - Sync or async function returning Allow, Block, or Guide response.
+     * @param options - Optional priority (higher fires first, default 0) and failClosed (default false).
+     * @returns Sentinel-level hook ID for later unregistration via off().
+     *
+     * @example
+     * const hookId = sentinel.onAll('pre_execution', (ctx) => {
+     *   if (ctx.event.target.includes('.env')) {
+     *     return { kind: 'block', reason: 'env access forbidden', severity: 'CRITICAL' };
+     *   }
+     *   return { kind: 'allow' };
+     * });
+     */
+    onAll(checkpoint: HookCheckpoint, handler: HookHandler, options?: {
+        priority?: number;
+        failClosed?: boolean;
+    }): string;
+    /**
+     * Unregister a hook by its ID. Works for both agent-specific and global hooks.
+     *
+     * @param hookId - The hook ID returned by on() or onAll().
+     * @returns true if the hook was found and removed, false otherwise.
+     */
+    off(hookId: string): boolean;
+    /**
+     * List registered hooks. If agentId is provided, returns that agent's hooks
+     * plus any global hooks. If omitted, returns all hooks across all agents.
+     *
+     * @param agentId - Optional agent ID to filter by.
+     * @returns Array of hook registrations.
+     */
+    listHooks(agentId?: string): HookRegistration[];
+    /** Replay all pending global hooks onto a newly-created runner. */
+    private replayGlobalHooks;
+    /** Lazily create and attach a HookEngine to a runner if it doesn't have one. */
+    private ensureHookEngine;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    onViolation(callback: (finding: SecurityFinding) => void): void;
+    onAlert(callback: (finding: SecurityFinding) => void): void;
+    onExitSignal(callback: (agentId: string, reason: string) => void): void;
+    onApprovalRequired(callback: (event: AgentActivityEvent, finding: SecurityFinding) => Promise<boolean>): void;
+    /**
+     * Register a callback for exception approvals.
+     *
+     * Distinct from onApprovalRequired (which gates MEDIUM-finding triage):
+     * - onApprovalRequired: "Sentinel found a borderline MEDIUM finding. Operator decides."
+     * - onExceptionApprovalRequired: "Sentinel found a forbidden access, but a YAML
+     *   exception says it might be okay if a human signs off. Operator approves the
+     *   pre-configured exception."
+     *
+     * Operators can wire both to the same handler for unified UX, but the type
+     * signatures are distinct so the handler can route on context.
+     */
+    onExceptionApprovalRequired(callback: ExceptionApprovalFn): void;
+    /**
+     * Single per-runner wiring path for BOTH the global add-agent/monitor runners
+     * and the per-workspace B runners (B5b-Phase-2 consolidation — _initWorkspaceAgent
+     * previously kept a hand-maintained "non-clobbering subset" of this, which is
+     * exactly how finding-callback / validator config drifts across sites). The
+     * only thing that varies is the anchoring root: global callers omit it and get
+     * the daemon-global this._workspaceRoot; the B-path passes the per-workspace
+     * root so the anchoring set at construction is RE-ASSERTED with the same value,
+     * not clobbered by the global root.
+     */
+    private wireRunner;
+    /**
+     * Enable Ed25519 audit trail signing for a runner's audit trail.
+     * Loads or generates a per-agent keypair, then wires it into the audit trail
+     * so all subsequent entries include signature + signerPublicKey fields.
+     */
+    private enableAuditSigning;
+    /** Mutate finding.kind from informational → actionable if the type is in the promote set. */
+    private applyPromote;
+    private notifyViolation;
+    private static readonly RESTRICTED_ALLOWED_ACTIONS;
+    private requestApproval;
+    private enforceMode;
+    private static readonly ESCALATION_ELIGIBLE_TYPES;
+    /**
+     * Derive the effective block count from the audit log.
+     *
+     * Counts escalation-eligible findings (HIGH/CRITICAL, actionable,
+     * matching ESCALATION_ELIGIBLE_TYPES) since the most recent release
+     * (mode_change to "normal"). If no release exists (genesis case),
+     * counts all eligible findings in the agent's entire audit history.
+     *
+     * Only release-type mode_changes reset the count — restrict and
+     * quarantine transitions do NOT reset it, matching the original
+     * in-memory behavior where only release() called blockCounts.set(0).
+     *
+     * Sprint 16 Prompt 3 — replaces in-memory blockCounts Map to survive
+     * gateway restarts. Same pattern as Sprint 11 sessionCount Shape D fix.
+     */
+    private getEffectiveBlockCount;
+    private maybeEscalate;
+}
+
+export { type AgentActivityEvent as A, type BlockResponse as B, type CorrelationFinding as C, type ExceptionApprovalContext as E, type GuideResponse as G, type HookCheckpoint as H, type IntentAlignmentConfig as I, type ModifiableEventFields as M, type OverlayDecisionType as O, type RepoSensitivityMap as R, type SecurityFinding as S, type TaskIntent as T, type AcceptableAction as a, type AdapterConfig as b, type AgentBaseline as c, type AgentMode as d, type AgentRole as e, type AlertChannel as f, type AlertConfig as g, type AllowResponse as h, type AuditEntry as i, type AuditQueryOptions as j, type ExceptionApprovalFn as k, type HookContext as l, type HookHandler as m, type HookRegistration as n, type HookResponse as o, type IntentAlignmentResult as p, type MonitorOptions as q, type ReportOptions as r, type RoleException as s, type SecuritySeverity as t, type SensitivityOverlay as u, Sentinel as v, type SentinelConfig as w };