@zenalexa/unicli 0.220.0 → 0.220.1

package/dist/engine/browser/diagnostics.d.ts

@@ -0,0 +1,38 @@
+/**
+ * @owner Uni-CLI Browser
+ * @does Projects browser-backed command metadata into kernel diagnostics.
+ * @needs Invocation identity, adapter source path, target surface, and site-memory paths.
+ * @feeds InvocationResult diagnostics for CLI/MCP/ACP wrappers and browser evidence tests.
+ * @breaks Browser repair when commands do not expose target identity, evidence commands, or site memory locations.
+ */
+import type { TargetSurface } from "../../types.js";
+export interface BrowserCommandDiagnosticInput {
+    site: string;
+    command: string;
+    adapterPath: string;
+    targetSurface: TargetSurface;
+    browser: boolean;
+    domain?: string;
+}
+export interface BrowserCommandDiagnostic {
+    kind: "browser_command";
+    site: string;
+    command: string;
+    adapter_path: string;
+    target_surface: TargetSurface;
+    evidence: {
+        session: string;
+        network: string;
+        verify: string;
+    };
+    site_memory: {
+        endpoints: string;
+        field_map: string;
+        notes: string;
+        fixtures_dir: string;
+        verify_dir: string;
+    };
+    authoring_loop: string[];
+}
+export declare function buildBrowserCommandDiagnostic(input: BrowserCommandDiagnosticInput): BrowserCommandDiagnostic | undefined;
+//# sourceMappingURL=diagnostics.d.ts.map

package/dist/engine/browser/diagnostics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnostics.d.ts","sourceRoot":"","sources":["../../../src/engine/browser/diagnostics.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpD,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,aAAa,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,iBAAiB,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,aAAa,CAAC;IAC9B,QAAQ,EAAE;QACR,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,WAAW,EAAE;QACX,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,CAAC;QACrB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,6BAA6B,GACnC,wBAAwB,GAAG,SAAS,CA6BtC"}

package/dist/engine/browser/diagnostics.js

@@ -0,0 +1,40 @@
+/**
+ * @owner Uni-CLI Browser
+ * @does Projects browser-backed command metadata into kernel diagnostics.
+ * @needs Invocation identity, adapter source path, target surface, and site-memory paths.
+ * @feeds InvocationResult diagnostics for CLI/MCP/ACP wrappers and browser evidence tests.
+ * @breaks Browser repair when commands do not expose target identity, evidence commands, or site memory locations.
+ */
+import { siteMemoryPaths } from "../../browser/site-memory.js";
+export function buildBrowserCommandDiagnostic(input) {
+    if (!input.browser)
+        return undefined;
+    const paths = siteMemoryPaths(input.site);
+    const analyzeTarget = input.domain ?? `${input.site}.com`;
+    return {
+        kind: "browser_command",
+        site: input.site,
+        command: input.command,
+        adapter_path: input.adapterPath,
+        target_surface: input.targetSurface,
+        evidence: {
+            session: "unicli browser evidence --render-aware",
+            network: "unicli browser network --raw",
+            verify: `unicli browser verify ${input.site}/${input.command} --strict-memory`,
+        },
+        site_memory: {
+            endpoints: paths.endpoints,
+            field_map: paths.fieldMap,
+            notes: paths.notes,
+            fixtures_dir: paths.fixturesDir,
+            verify_dir: paths.verifyDir,
+        },
+        authoring_loop: [
+            `unicli browser analyze https://${analyzeTarget}`,
+            "unicli browser network --filter id,title",
+            `unicli browser verify ${input.site}/${input.command} --write-fixture`,
+            `unicli repair ${input.site} ${input.command}`,
+        ],
+    };
+}
+//# sourceMappingURL=diagnostics.js.map

package/dist/engine/browser/diagnostics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnostics.js","sourceRoot":"","sources":["../../../src/engine/browser/diagnostics.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAiC/D,MAAM,UAAU,6BAA6B,CAC3C,KAAoC;IAEpC,IAAI,CAAC,KAAK,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IACrC,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,MAAM,CAAC;IAC1D,OAAO;QACL,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,YAAY,EAAE,KAAK,CAAC,WAAW;QAC/B,cAAc,EAAE,KAAK,CAAC,aAAa;QACnC,QAAQ,EAAE;YACR,OAAO,EAAE,wCAAwC;YACjD,OAAO,EAAE,8BAA8B;YACvC,MAAM,EAAE,yBAAyB,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,kBAAkB;SAC/E;QACD,WAAW,EAAE;YACX,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,QAAQ;YACzB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,YAAY,EAAE,KAAK,CAAC,WAAW;YAC/B,UAAU,EAAE,KAAK,CAAC,SAAS;SAC5B;QACD,cAAc,EAAE;YACd,kCAAkC,aAAa,EAAE;YACjD,0CAA0C;YAC1C,yBAAyB,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,kBAAkB;YACtE,iBAAiB,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE;SAC/C;KACF,CAAC;AACJ,CAAC"}

package/dist/engine/invoke.d.ts

@@ -13,4 +13,5 @@ export type { Invocation, CompiledCommand, InvocationResult, AjvValidateFn, } fr
 export { newULID, _resetULIDForTests } from "./kernel/ulid.js";
 export { compileAll, getCompiled, compileCommand, _resetCompiledCacheForTests, } from "./kernel/compile.js";
 export { buildInvocation, execute, KernelLookupError, } from "./kernel/execute.js";
+export { KERNEL_STAGE_ORDER, authorizeKernelInvocation, hardenKernelInput, resolveKernelCommandContext, validateKernelInput, } from "./kernel/stages.js";
 //# sourceMappingURL=invoke.d.ts.map

package/dist/engine/invoke.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"invoke.d.ts","sourceRoot":"","sources":["../../src/engine/invoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,YAAY,EACV,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EACL,UAAU,EACV,WAAW,EACX,cAAc,EACd,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,eAAe,EACf,OAAO,EACP,iBAAiB,GAClB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"invoke.d.ts","sourceRoot":"","sources":["../../src/engine/invoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,YAAY,EACV,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EACL,UAAU,EACV,WAAW,EACX,cAAc,EACd,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,eAAe,EACf,OAAO,EACP,iBAAiB,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,yBAAyB,EACzB,iBAAiB,EACjB,2BAA2B,EAC3B,mBAAmB,GACpB,MAAM,oBAAoB,CAAC"}

package/dist/engine/invoke.js

@@ -12,4 +12,5 @@
 export { newULID, _resetULIDForTests } from "./kernel/ulid.js";
 export { compileAll, getCompiled, compileCommand, _resetCompiledCacheForTests, } from "./kernel/compile.js";
 export { buildInvocation, execute, KernelLookupError, } from "./kernel/execute.js";
+export { KERNEL_STAGE_ORDER, authorizeKernelInvocation, hardenKernelInput, resolveKernelCommandContext, validateKernelInput, } from "./kernel/stages.js";
 //# sourceMappingURL=invoke.js.map

package/dist/engine/invoke.js.map

@@ -1 +1 @@
-{"version":3,"file":"invoke.js","sourceRoot":"","sources":["../../src/engine/invoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EACL,UAAU,EACV,WAAW,EACX,cAAc,EACd,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,eAAe,EACf,OAAO,EACP,iBAAiB,GAClB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"invoke.js","sourceRoot":"","sources":["../../src/engine/invoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AASH,OAAO,EAAE,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EACL,UAAU,EACV,WAAW,EACX,cAAc,EACd,2BAA2B,GAC5B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,eAAe,EACf,OAAO,EACP,iBAAiB,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,kBAAkB,EAClB,yBAAyB,EACzB,iBAAiB,EACjB,2BAA2B,EAC3B,mBAAmB,GACpB,MAAM,oBAAoB,CAAC"}

package/dist/engine/kernel/errors.d.ts

@@ -0,0 +1,11 @@
+/**
+ * @owner Uni-CLI Kernel
+ * @does Defines kernel-specific error classes shared by stage modules.
+ * @needs Command lookup keys.
+ * @feeds Kernel stage resolution and legacy invoke exports.
+ * @breaks Missing compiled command cache entries.
+ */
+export declare class KernelLookupError extends Error {
+    constructor(key: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/engine/kernel/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/engine/kernel/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,qBAAa,iBAAkB,SAAQ,KAAK;gBAC9B,GAAG,EAAE,MAAM;CAOxB"}

package/dist/engine/kernel/errors.js

@@ -0,0 +1,15 @@
+/**
+ * @owner Uni-CLI Kernel
+ * @does Defines kernel-specific error classes shared by stage modules.
+ * @needs Command lookup keys.
+ * @feeds Kernel stage resolution and legacy invoke exports.
+ * @breaks Missing compiled command cache entries.
+ */
+export class KernelLookupError extends Error {
+    constructor(key) {
+        super(`KernelLookupError: compiled command not found: ${key}. ` +
+            "Loader must call compileAll() before execute() — call primeKernelCache() from discovery/loader.ts.");
+        this.name = "KernelLookupError";
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/engine/kernel/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/engine/kernel/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,YAAY,GAAW;QACrB,KAAK,CACH,kDAAkD,GAAG,IAAI;YACvD,oGAAoG,CACvG,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF"}

package/dist/engine/kernel/execute.d.ts

@@ -1,25 +1,14 @@
 /**
- * execute() — the bag-to-envelope pipeline every surface shares.
- *
- * Flow per invocation:
- *   1. ajv validate(bag.args)              → fail-closed USAGE_ERROR on reject
- *   2. hardenArgs(bag.args, argByName)     → schema-driven hardening
- *   3. runPipeline() / command.func()      → actual work
- *   4. build success envelope with live next_actions (runtime, not templated)
- *
- * Callers (CLI/MCP/ACP) format the returned `InvocationResult` for their
- * transport; they do not rebuild envelopes.
+ * @owner Uni-CLI Kernel
+ * @does Builds invocations and runs the shared kernel stage chain.
+ * @needs Registry resolution, compiled command cache, and explicit kernel stages.
+ * @feeds CLI/MCP/ACP transport renderers through InvocationResult.
+ * @breaks Surface parity when wrappers rebuild validation, authorization, execution, diagnostics, or envelopes.
  */
 import type { ResolvedArgs } from "../args.js";
+import { KernelLookupError } from "./errors.js";
 import type { Invocation, InvocationResult } from "./types.js";
-/**
- * Raised when execute() is called for a (site, cmd) pair that was not seen
- * by `compileAll()` at loader boot. Signals a wiring bug (the loader forgot
- * to prime the cache), not a user error.
- */
-export declare class KernelLookupError extends Error {
-    constructor(key: string);
-}
+export { KernelLookupError };
 /**
  * Look up an adapter + command pair and return an Invocation ready for
  * execute(). Returns `null` if either the site or command is unknown —

package/dist/engine/kernel/execute.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"execute.d.ts","sourceRoot":"","sources":["../../../src/engine/kernel/execute.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAiBH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAW/C,OAAO,KAAK,EACV,UAAU,EAEV,gBAAgB,EACjB,MAAM,YAAY,CAAC;AAGpB;;;;GAIG;AACH,qBAAa,iBAAkB,SAAQ,KAAK;gBAC9B,GAAG,EAAE,MAAM;CAOxB;AAyDD;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,EAC9B,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,YAAY,EACjB,OAAO,GAAE;IACP,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CACvB,GACL,UAAU,GAAG,IAAI,CAcnB;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAsYxE"}
+{"version":3,"file":"execute.d.ts","sourceRoot":"","sources":["../../../src/engine/kernel/execute.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAY/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAG/D,OAAO,EAAE,iBAAiB,EAAE,CAAC;AAE7B;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,EAC9B,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,YAAY,EACjB,OAAO,GAAE;IACP,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CACvB,GACL,UAAU,GAAG,IAAI,CAcnB;AAED;;;;GAIG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA8BxE"}

package/dist/engine/kernel/execute.js

@@ -1,82 +1,15 @@
 /**
- * execute() — the bag-to-envelope pipeline every surface shares.
- *
- * Flow per invocation:
- *   1. ajv validate(bag.args)              → fail-closed USAGE_ERROR on reject
- *   2. hardenArgs(bag.args, argByName)     → schema-driven hardening
- *   3. runPipeline() / command.func()      → actual work
- *   4. build success envelope with live next_actions (runtime, not templated)
- *
- * Callers (CLI/MCP/ACP) format the returned `InvocationResult` for their
- * transport; they do not rebuild envelopes.
+ * @owner Uni-CLI Kernel
+ * @does Builds invocations and runs the shared kernel stage chain.
+ * @needs Registry resolution, compiled command cache, and explicit kernel stages.
+ * @feeds CLI/MCP/ACP transport renderers through InvocationResult.
+ * @breaks Surface parity when wrappers rebuild validation, authorization, execution, diagnostics, or envelopes.
  */
-import { PipelineError, runPipeline } from "../executor.js";
-import { hardenArgs, InputHardeningError } from "../harden.js";
-import { defaultSuccessNextActions, defaultErrorNextActions, } from "../../output/next-actions.js";
-import { createApprovalStore, rememberApproval } from "../approval-store.js";
-import { errorTypeToCode, errorToAgentFields, mapErrorToExitCode, } from "../../output/error-map.js";
-import { commandStrategy, resolveCommand } from "../../registry.js";
-import { ExitCode } from "../../types.js";
-import { InvalidPermissionProfileError, resolveOperationAdapterPath, resolveOperationTargetSurface, } from "../operation-policy.js";
-import { evaluateOperationPolicyWithApprovals } from "../permission-runtime.js";
-import { PermissionRulesConfigError } from "../permission-rules.js";
-import { getCompiled } from "./compile.js";
+import { resolveCommand } from "../../registry.js";
+import { authorizeKernelInvocation, executeKernelCommand, executionErrorResult, hardenKernelInput, malformedCommandResult, rememberKernelApproval, resolveKernelCommandContext, successKernelResult, validateKernelInput, } from "./stages.js";
+import { KernelLookupError } from "./errors.js";
 import { newULID } from "./ulid.js";
-/**
- * Raised when execute() is called for a (site, cmd) pair that was not seen
- * by `compileAll()` at loader boot. Signals a wiring bug (the loader forgot
- * to prime the cache), not a user error.
- */
-export class KernelLookupError extends Error {
-    constructor(key) {
-        super(`KernelLookupError: compiled command not found: ${key}. ` +
-            "Loader must call compileAll() before execute() — call primeKernelCache() from discovery/loader.ts.");
-        this.name = "KernelLookupError";
-    }
-}
-function isRecord(value) {
-    return value !== null && typeof value === "object" && !Array.isArray(value);
-}
-function resourcesFromPermissionConfig(config) {
-    if (!isRecord(config) || !isRecord(config.resources))
-        return undefined;
-    const resources = {};
-    for (const [bucket, raw] of Object.entries(config.resources)) {
-        if (!Array.isArray(raw))
-            continue;
-        const values = raw.filter((value) => {
-            return typeof value === "string";
-        });
-        if (values.length > 0)
-            resources[bucket] = values;
-    }
-    return Object.keys(resources).length > 0 ? resources : undefined;
-}
-function runtimePermissionDeniedDiagnostic(err) {
-    if (!(err instanceof PipelineError) ||
-        err.detail.errorType !== "permission_denied") {
-        return undefined;
-    }
-    const config = err.detail.config;
-    const resources = resourcesFromPermissionConfig(config);
-    const ruleId = isRecord(config) && typeof config.rule_id === "string"
-        ? config.rule_id
-        : undefined;
-    return {
-        kind: "runtime_permission_denied",
-        code: "permission_denied",
-        action: err.detail.action,
-        step: err.detail.step,
-        retryable: err.detail.retryable ?? false,
-        ...(ruleId ? { rule_id: ruleId } : {}),
-        resource_buckets: resources ? Object.keys(resources).sort() : [],
-        ...(resources ? { resources } : {}),
-    };
-}
-function diagnosticsForError(err) {
-    const diagnostic = runtimePermissionDeniedDiagnostic(err);
-    return diagnostic ? [diagnostic] : undefined;
-}
+export { KernelLookupError };
 /**
  * Look up an adapter + command pair and return an Invocation ready for
  * execute(). Returns `null` if either the site or command is unknown —
@@ -105,345 +38,27 @@ export function buildInvocation(surface, site, cmd, bag, options = {}) {
  */
 export async function execute(inv) {
     const startedAt = Date.now();
-    const key = `${inv.adapter.name}.${inv.cmdName}`;
-    const compiled = getCompiled(inv.adapter.name, inv.cmdName);
     const warnings = [];
-    const strategy = commandStrategy(inv.adapter, inv.command);
-    const targetSurface = resolveOperationTargetSurface({
-        adapterType: inv.adapter.type,
-        targetSurface: inv.command.target_surface,
-    });
-    const adapterPath = resolveOperationAdapterPath(inv.adapter.name, inv.cmdName, inv.command.adapter_path);
-    // Loader primes the kernel cache via primeKernelCache() after every
-    // registry mutation. A miss here means either a wiring bug or a test
-    // that registers an adapter without calling primeKernelCache() — throw
-    // a clear error instead of silently recompiling.
-    if (!compiled)
-        throw new KernelLookupError(key);
-    let operationPolicy;
+    const ctx = resolveKernelCommandContext(inv);
+    const invalid = validateKernelInput(inv, ctx, startedAt, warnings);
+    if (invalid)
+        return invalid.result;
+    const hardened = hardenKernelInput(inv, ctx, startedAt, warnings);
+    if (hardened)
+        return hardened.result;
+    const authorization = await authorizeKernelInvocation(inv, ctx, startedAt, warnings);
+    if (authorization.blocked)
+        return authorization.blocked.result;
+    await rememberKernelApproval(inv, authorization.policy, warnings);
     try {
-        operationPolicy = await evaluateOperationPolicyWithApprovals({
-            site: inv.adapter.name,
-            command: inv.cmdName,
-            description: inv.command.description,
-            adapterType: inv.adapter.type,
-            targetSurface,
-            strategy,
-            domain: inv.command.domain ?? inv.adapter.domain,
-            base: inv.command.base ?? inv.adapter.base,
-            browser: inv.adapter.browser === true || inv.command.browser === true,
-            args: inv.command.adapterArgs,
-            profile: inv.permissionProfile,
-            approved: inv.approved,
-        });
-        if (operationPolicy.enforcement === "deny") {
-            const ruleId = operationPolicy.deny_rule?.id ?? "unknown";
-            const ruleReason = operationPolicy.deny_rule?.reason ?? "permission rule matched";
-            const err = {
-                code: "permission_denied",
-                message: `permission rule "${ruleId}" denies ${operationPolicy.effect}: ${ruleReason}`,
-                adapter_path: adapterPath,
-                step: 0,
-                suggestion: operationPolicy.approval_hint ??
-                    "edit or remove the matching permission rule",
-                retryable: false,
-                alternatives: [
-                    `unicli --dry-run ${inv.adapter.name} ${inv.cmdName}`,
-                    "edit ~/.unicli/permission-rules.json",
-                ],
-            };
-            const durationMs = Date.now() - startedAt;
-            return {
-                results: [],
-                envelope: {
-                    command: key,
-                    duration_ms: durationMs,
-                    adapter_version: inv.adapter.version,
-                    surface: targetSurface,
-                    error: err,
-                    next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, "permission_denied"),
-                },
-                durationMs,
-                exitCode: ExitCode.AUTH_REQUIRED,
-                warnings,
-                error: err,
-            };
-        }
-        if (operationPolicy.enforcement === "needs_approval") {
-            const err = {
-                code: "permission_denied",
-                message: `permission profile "${operationPolicy.profile}" requires approval for ${operationPolicy.effect}`,
-                adapter_path: adapterPath,
-                step: 0,
-                suggestion: operationPolicy.approval_hint ??
-                    "rerun with --yes or use --permission-profile open",
-                retryable: false,
-                alternatives: [
-                    `unicli --dry-run ${inv.adapter.name} ${inv.cmdName}`,
-                    `unicli --yes --permission-profile ${operationPolicy.profile} ${inv.adapter.name} ${inv.cmdName}`,
-                    `unicli --permission-profile open ${inv.adapter.name} ${inv.cmdName}`,
-                ],
-            };
-            const durationMs = Date.now() - startedAt;
-            return {
-                results: [],
-                envelope: {
-                    command: key,
-                    duration_ms: durationMs,
-                    adapter_version: inv.adapter.version,
-                    surface: targetSurface,
-                    error: err,
-                    next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, "permission_denied"),
-                },
-                durationMs,
-                exitCode: ExitCode.AUTH_REQUIRED,
-                warnings,
-                error: err,
-            };
+        if (!inv.command.pipeline && !inv.command.func) {
+            return malformedCommandResult(inv, ctx, startedAt, warnings).result;
         }
+        const results = await executeKernelCommand(inv, ctx);
+        return successKernelResult(inv, ctx, startedAt, warnings, results);
     }
     catch (err) {
-        if (err instanceof InvalidPermissionProfileError) {
-            const agentErr = {
-                code: "invalid_input",
-                message: err.message,
-                adapter_path: adapterPath,
-                step: 0,
-                suggestion: "use one of: open, confirm, locked",
-                retryable: false,
-            };
-            const durationMs = Date.now() - startedAt;
-            return {
-                results: [],
-                envelope: {
-                    command: key,
-                    duration_ms: durationMs,
-                    adapter_version: inv.adapter.version,
-                    surface: targetSurface,
-                    error: agentErr,
-                    next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, "invalid_input"),
-                },
-                durationMs,
-                exitCode: ExitCode.USAGE_ERROR,
-                warnings,
-                error: agentErr,
-            };
-        }
-        if (err instanceof PermissionRulesConfigError) {
-            const agentErr = {
-                code: err.code,
-                message: err.message,
-                adapter_path: adapterPath,
-                step: 0,
-                suggestion: err.suggestion,
-                retryable: false,
-            };
-            const durationMs = Date.now() - startedAt;
-            return {
-                results: [],
-                envelope: {
-                    command: key,
-                    duration_ms: durationMs,
-                    adapter_version: inv.adapter.version,
-                    surface: targetSurface,
-                    error: agentErr,
-                    next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, "invalid_input"),
-                },
-                durationMs,
-                exitCode: ExitCode.USAGE_ERROR,
-                warnings,
-                error: agentErr,
-            };
-        }
-        throw err;
+        return executionErrorResult(inv, ctx, startedAt, warnings, err).result;
     }
-    // 1. JSON Schema validation (fail-closed via ajv strict mode).
-    const v = compiled.validate(inv.bag.args);
-    if (!v.ok) {
-        const first = v.errors[0] ?? { message: "invalid arguments" };
-        const path = (first.instancePath ?? "").replace(/^\//, "");
-        const name = path || "args";
-        const err = {
-            code: "invalid_input",
-            message: `arg "${name}" ${first.message ?? "invalid"}`,
-            adapter_path: adapterPath,
-            step: 0,
-            suggestion: `match the JSON Schema at \`unicli describe ${inv.adapter.name} ${inv.cmdName}\``,
-            retryable: false,
-        };
-        const durationMs = Date.now() - startedAt;
-        return {
-            results: [],
-            envelope: {
-                command: key,
-                duration_ms: durationMs,
-                adapter_version: inv.adapter.version,
-                surface: targetSurface,
-                error: err,
-                next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, "invalid_input"),
-            },
-            durationMs,
-            exitCode: ExitCode.USAGE_ERROR,
-            warnings,
-            error: err,
-        };
-    }
-    // 2. Schema-driven hardening (ajv format-assertion + x-unicli-kind).
-    try {
-        const h = hardenArgs(inv.bag.args, compiled.argByName);
-        warnings.push(...h.warnings);
-    }
-    catch (err) {
-        if (err instanceof InputHardeningError) {
-            const agentErr = {
-                code: "invalid_input",
-                message: err.message,
-                adapter_path: adapterPath,
-                step: 0,
-                suggestion: err.suggestion,
-                retryable: false,
-            };
-            const durationMs = Date.now() - startedAt;
-            return {
-                results: [],
-                envelope: {
-                    command: key,
-                    duration_ms: durationMs,
-                    adapter_version: inv.adapter.version,
-                    surface: targetSurface,
-                    error: agentErr,
-                    next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, "invalid_input"),
-                },
-                durationMs,
-                exitCode: ExitCode.USAGE_ERROR,
-                warnings,
-                error: agentErr,
-            };
-        }
-        throw err;
-    }
-    if (inv.rememberApproval === true) {
-        try {
-            await rememberApproval(createApprovalStore(), {
-                policy: operationPolicy,
-            });
-        }
-        catch (error) {
-            warnings.push(`failed to persist approval memory: ${error instanceof Error ? error.message : String(error)}`);
-        }
-    }
-    // 3. Pipeline / func execution. runPipeline requires a ResolvedArgs bag
-    //    as of v0.213.3 P3 (D6); surface + trace_id are plumbed through so
-    //    YAML templates can reference ${{ surface }} / ${{ trace_id }}.
-    let results = [];
-    try {
-        if (inv.command.pipeline) {
-            results = await runPipeline(inv.command.pipeline, inv.bag, inv.adapter.base, {
-                site: inv.adapter.name,
-                command: inv.cmdName,
-                strategy,
-                domain: inv.command.domain ?? inv.adapter.domain,
-                surface: inv.surface,
-                trace_id: inv.trace_id,
-            });
-        }
-        else if (inv.command.func) {
-            let page = null;
-            try {
-                if (inv.command.browser === true) {
-                    const { acquirePage } = await import("../steps/browser-helpers.js");
-                    page = await acquirePage({
-                        data: null,
-                        args: inv.bag.args,
-                        vars: {},
-                        base: inv.adapter.base,
-                        source: inv.bag.source,
-                        surface: inv.surface,
-                        trace_id: inv.trace_id,
-                    });
-                }
-                const raw = await inv.command.func(page, inv.bag.args);
-                results = Array.isArray(raw) ? raw : [raw];
-            }
-            finally {
-                if (page && typeof page === "object" && "close" in page) {
-                    await Promise.resolve(page.close()).catch(() => {
-                        /* best effort */
-                    });
-                }
-            }
-        }
-        else {
-            const agentErr = {
-                code: "internal_error",
-                message: `command ${key} has neither pipeline nor func`,
-                adapter_path: adapterPath,
-                step: 0,
-                suggestion: "the adapter manifest is broken; run `unicli repair` to regenerate",
-                retryable: false,
-            };
-            const durationMs = Date.now() - startedAt;
-            return {
-                results: [],
-                envelope: {
-                    command: key,
-                    duration_ms: durationMs,
-                    adapter_version: inv.adapter.version,
-                    surface: targetSurface,
-                    error: agentErr,
-                },
-                durationMs,
-                exitCode: ExitCode.CONFIG_ERROR,
-                warnings,
-                error: agentErr,
-            };
-        }
-    }
-    catch (err) {
-        const fields = errorToAgentFields(err, adapterPath, inv.adapter.name);
-        const agentErr = {
-            code: errorTypeToCode(err),
-            message: err instanceof Error ? err.message : String(err),
-            ...fields,
-        };
-        const diagnostics = diagnosticsForError(err);
-        const durationMs = Date.now() - startedAt;
-        return {
-            results: [],
-            envelope: {
-                command: key,
-                duration_ms: durationMs,
-                adapter_version: inv.adapter.version,
-                surface: targetSurface,
-                error: agentErr,
-                next_actions: defaultErrorNextActions(inv.adapter.name, inv.cmdName, agentErr.code),
-            },
-            durationMs,
-            exitCode: mapErrorToExitCode(err),
-            warnings,
-            error: agentErr,
-            ...(diagnostics ? { diagnostics } : {}),
-        };
-    }
-    // 4. Success envelope. next_actions built at runtime with the literal
-    //    site/cmd so adapter templates that legitimately carry `${site}` are
-    //    never mangled and `paginated` metadata flows through.
-    const durationMs = Date.now() - startedAt;
-    const nextActions = defaultSuccessNextActions(inv.adapter.name, inv.cmdName, {
-        supportsPagination: inv.command.paginated === true,
-    });
-    return {
-        results,
-        envelope: {
-            command: key,
-            duration_ms: durationMs,
-            adapter_version: inv.adapter.version,
-            surface: targetSurface,
-            next_actions: nextActions,
-        },
-        durationMs,
-        exitCode: results.length === 0 ? ExitCode.EMPTY_RESULT : ExitCode.SUCCESS,
-        warnings,
-    };
 }
 //# sourceMappingURL=execute.js.map