aiden-runtime 4.0.2 → 4.1.1

package/dist/core/v4/mcp/server/stdioServer.js

@@ -0,0 +1,119 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/mcp/server/stdioServer.ts — Phase v4.1-mcp
+ *
+ * Stand up a Model Context Protocol server over stdio. Three protocol
+ * surfaces are wired:
+ *
+ *   - tools/list      → toolBridge.buildToolsList()
+ *   - tools/call      → toolBridge.buildToolCallHandler()
+ *   - resources/list  → skillBridge.buildResourcesList()
+ *   - resources/read  → skillBridge.readSkillResource()
+ *
+ * stdio invariants:
+ *   - stdout is the JSON-RPC channel — NEVER write to it from this
+ *     process outside the SDK transport. The logger is built in
+ *     `'mcp-stdio'` mode (file + stderr only) and tools should only
+ *     emit through that logger.
+ *   - the launch banner goes to stderr on purpose; spawning clients
+ *     (Claude Desktop, Cursor) capture stderr in their MCP log so the
+ *     user can grep the build fingerprint to verify what's running.
+ *
+ * The server function is a long-running call: it returns a `stop()`
+ * handle but ordinarily blocks until the parent closes the stdio pair.
+ * The CLI's `serve` action awaits a never-resolving promise so the
+ * Node process stays alive.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AIDEN_MCP_BUILD = void 0;
+exports.startStdioMcpServer = startStdioMcpServer;
+// SDK 1.29 ships its public surface via the package `exports` map.
+// Use the SDK's documented import paths verbatim — the wildcard
+// `paths` mapping in tsconfig.json lets the legacy
+// `moduleResolution: "node"` resolver find the type declarations,
+// while at runtime Node's exports-map resolver picks the same files.
+// (An earlier shape — `.../sdk/server/index` — typechecked but failed
+// at runtime: Node's wildcard fallback yielded a path missing the
+// `.js` extension. Phase v4.1-mcp.1 fix.)
+const server_1 = require("@modelcontextprotocol/sdk/server");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+const factory_1 = require("../../logger/factory");
+const toolBridge_1 = require("./toolBridge");
+const skillBridge_1 = require("./skillBridge");
+const diagnostics_1 = require("./diagnostics");
+var diagnostics_2 = require("./diagnostics");
+Object.defineProperty(exports, "AIDEN_MCP_BUILD", { enumerable: true, get: function () { return diagnostics_2.AIDEN_MCP_BUILD; } });
+/**
+ * Wire the MCP server up over stdio. Returns once the transport is
+ * connected; the caller is responsible for keeping the process alive
+ * (the `aiden mcp serve` CLI does this with a never-resolving promise).
+ */
+async function startStdioMcpServer(opts) {
+    const logger = opts.logger ?? (0, factory_1.noopLogger)();
+    const env = opts.env ?? (0, toolBridge_1.readToolBridgeEnv)();
+    const server = new server_1.Server({ name: 'aiden', version: diagnostics_1.AIDEN_MCP_BUILD }, { capabilities: { tools: {}, resources: {} } });
+    const callTool = (0, toolBridge_1.buildToolCallHandler)(opts.registry, opts.toolContext, env, logger);
+    // ── tools/list ──────────────────────────────────────────────
+    server.setRequestHandler(types_js_1.ListToolsRequestSchema, async () => ({
+        tools: (0, toolBridge_1.buildToolsList)(opts.registry, env),
+    }));
+    // ── tools/call ──────────────────────────────────────────────
+    // SDK 1.29 typed the response as a discriminated union including a
+    // task-style alternative. Aiden returns the non-task `CallToolResult`
+    // shape; the cast widens the return type to the union.
+    server.setRequestHandler(types_js_1.CallToolRequestSchema, async (request) => {
+        const name = request.params.name;
+        const args = (request.params.arguments ?? {});
+        const result = await callTool(name, args);
+        return result;
+    });
+    // ── resources/list ──────────────────────────────────────────
+    server.setRequestHandler(types_js_1.ListResourcesRequestSchema, async () => ({
+        resources: await (0, skillBridge_1.buildResourcesList)(opts.skillLoader),
+    }));
+    // ── resources/read ──────────────────────────────────────────
+    server.setRequestHandler(types_js_1.ReadResourceRequestSchema, async (request) => {
+        const uri = request.params.uri;
+        try {
+            const content = await (0, skillBridge_1.readSkillResource)(opts.skillLoader, uri);
+            return { contents: [content] };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            logger.warn('mcp resources/read failed', { scope: 'mcp', uri, error: message });
+            throw err;
+        }
+    });
+    // ── connect transport ──────────────────────────────────────
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+    // Diagnostics — emitted to stderr (logger in mcp-stdio mode), grep-able
+    // from the spawning client's MCP log. Build fingerprint included so the
+    // user can verify the running version matches the phase they expected.
+    const diag = await (0, diagnostics_1.collectMcpDiagnostics)(opts.registry, opts.skillLoader, env);
+    logger.warn(`mcp launched build=${diag.build}`, {
+        scope: 'mcp',
+        build: diag.build,
+        toolsTotal: diag.toolsTotal,
+        toolsExposed: diag.toolsExposed,
+        skillsTotal: diag.skillsTotal,
+        allowDestructive: diag.env.allowDestructive,
+        allowlist: diag.env.allowlist,
+    });
+    return {
+        server,
+        stop: async () => {
+            try {
+                await server.close();
+            }
+            catch { /* already closed */ }
+        },
+    };
+}

package/dist/core/v4/mcp/server/toolBridge.js

@@ -0,0 +1,168 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/mcp/server/toolBridge.ts — Phase v4.1-mcp
+ *
+ * Bridge between Aiden's `ToolRegistry` and the MCP wire format. The
+ * registry already stores schemas in the exact shape MCP wants
+ * (`{ name, description, inputSchema: { type: 'object', properties, required? } }`),
+ * so this layer is a thin pass-through plus three filters:
+ *
+ *   1. `mutates` filter — read-only tools by default. Set
+ *      `AIDEN_MCP_ALLOW_DESTRUCTIVE=1` to expose write/execute tools too.
+ *      Phase-9 approval engine still gates them at execution time
+ *      (defense in depth).
+ *   2. Allowlist filter — `AIDEN_MCP_TOOL_ALLOWLIST=tool_a,tool_b`
+ *      restricts the surface to a CSV-named subset. Applied AFTER the
+ *      mutates filter, so a user cannot allowlist `shell_exec` past the
+ *      destructive gate without also setting `ALLOW_DESTRUCTIVE=1`.
+ *   3. The handler wrapper coerces every dispatch outcome into MCP's
+ *      `CallToolResult` shape `{ content, isError }`. The agent loop's
+ *      executor returns `ToolCallResult` whose `.error` field is set when
+ *      the underlying handler threw or the moat layers refused the call;
+ *      that becomes `isError: true` here. We NEVER throw out of the
+ *      handler — protocol-level errors bypass the model's recovery path.
+ *
+ * The bridge is dependency-injected with the ToolRegistry + ToolContext
+ * the runtime already built. It does not own a logger; the stdio server
+ * passes one through for the env-config diagnostic line.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readToolBridgeEnv = readToolBridgeEnv;
+exports.exposedToolNames = exposedToolNames;
+exports.aidenToolToMCP = aidenToolToMCP;
+exports.buildToolsList = buildToolsList;
+exports.buildToolCallHandler = buildToolCallHandler;
+const factory_1 = require("../../logger/factory");
+function readToolBridgeEnv(env = process.env) {
+    const allowDestructive = env.AIDEN_MCP_ALLOW_DESTRUCTIVE === '1' ||
+        env.AIDEN_MCP_ALLOW_DESTRUCTIVE === 'true';
+    const raw = (env.AIDEN_MCP_TOOL_ALLOWLIST ?? '').trim();
+    const allowlist = raw
+        ? new Set(raw.split(',').map((s) => s.trim()).filter(Boolean))
+        : null;
+    return { allowDestructive, allowlist };
+}
+/**
+ * Compute the set of tool names exposed under the current env. Pure
+ * function over the registry snapshot; safe to call on every
+ * `tools/list` request (the registry is built once at boot).
+ */
+function exposedToolNames(registry, env) {
+    const out = [];
+    for (const name of registry.list()) {
+        const handler = registry.get(name);
+        if (!handler)
+            continue;
+        if (handler.mutates && !env.allowDestructive)
+            continue;
+        if (env.allowlist && !env.allowlist.has(name))
+            continue;
+        out.push(name);
+    }
+    return out;
+}
+/** Pass-through schema convert. The shapes are already aligned. */
+function aidenToolToMCP(handler) {
+    const s = handler.schema;
+    return {
+        name: s.name,
+        description: s.description,
+        inputSchema: {
+            type: 'object',
+            properties: s.inputSchema.properties,
+            required: s.inputSchema.required,
+        },
+    };
+}
+/** Build the tools array advertised on `tools/list`. */
+function buildToolsList(registry, env) {
+    const out = [];
+    for (const name of exposedToolNames(registry, env)) {
+        const handler = registry.get(name);
+        if (handler)
+            out.push(aidenToolToMCP(handler));
+    }
+    return out;
+}
+/**
+ * Build a `tools/call` handler closed over the registry's executor and
+ * the per-process env. Each call:
+ *
+ *   1. Re-checks exposure (env may have shifted is irrelevant — we read
+ *      it at server start — but this guards against allowlist drift if
+ *      a future caller passes a fresh env snapshot).
+ *   2. Synthesises a `ToolCallRequest` for the executor; uses a stable
+ *      id so logs cross-correlate.
+ *   3. Maps the executor's `ToolCallResult` to MCP's `{content,isError}`.
+ *
+ * Failures the executor reports via `result.error` become `isError: true`
+ * with the error message in the text payload — the model on the client
+ * side reads it and recovers. We never throw protocol-level.
+ */
+function buildToolCallHandler(registry, context, env, logger = (0, factory_1.noopLogger)()) {
+    const exposed = new Set(exposedToolNames(registry, env));
+    const execute = registry.buildExecutor(context);
+    return async (name, args) => {
+        if (!exposed.has(name)) {
+            logger.warn('mcp tools/call refused — tool not exposed', {
+                scope: 'mcp',
+                tool: name,
+                allowDestructive: env.allowDestructive,
+            });
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            error: `Tool "${name}" is not exposed via MCP.`,
+                            hint: env.allowDestructive
+                                ? 'Tool may not be in AIDEN_MCP_TOOL_ALLOWLIST.'
+                                : 'Set AIDEN_MCP_ALLOW_DESTRUCTIVE=1 to include mutating tools.',
+                        }),
+                    }],
+                isError: true,
+            };
+        }
+        const id = `mcp-${name}-${Date.now().toString(36)}`;
+        const call = { id, name, arguments: args ?? {} };
+        let result;
+        try {
+            result = await execute(call);
+        }
+        catch (err) {
+            // The executor itself swallows handler exceptions, but a bug in
+            // the executor (or a moat layer hard-throw) would land here.
+            const message = err instanceof Error ? err.message : String(err);
+            logger.error('mcp tools/call executor crashed', {
+                scope: 'mcp',
+                tool: name,
+                error: message,
+            });
+            return {
+                content: [{ type: 'text', text: `Internal error: ${message}` }],
+                isError: true,
+            };
+        }
+        if (result.error) {
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({ error: result.error }, null, 2),
+                    }],
+                isError: true,
+            };
+        }
+        const text = typeof result.result === 'string'
+            ? result.result
+            : JSON.stringify(result.result ?? null, null, 2);
+        return {
+            content: [{ type: 'text', text }],
+            isError: false,
+        };
+    };
+}

package/dist/core/v4/platformPaths.js

@@ -0,0 +1,105 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod). Licensed under AGPL-3.0.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/platformPaths.ts — Phase v4.1-cross-platform
+ *
+ * Cross-platform helpers for path normalisation, home expansion,
+ * shell selection, and writability checks. Centralising these so
+ * every other module can import a single canonical surface — and
+ * so the path audit has one place to scan for OS-specific bugs.
+ *
+ * Most of the work delegates to Node's built-in `path` module; the
+ * value-add is the small bit of glue (`expandHome`, `platformShell`,
+ * `isWritable`) that's easy to get wrong if redone ad-hoc.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizePath = normalizePath;
+exports.joinPaths = joinPaths;
+exports.expandHome = expandHome;
+exports.platformShell = platformShell;
+exports.isWritable = isWritable;
+exports.isReadable = isReadable;
+exports.classifyPlatform = classifyPlatform;
+const node_path_1 = __importDefault(require("node:path"));
+const node_os_1 = __importDefault(require("node:os"));
+const node_fs_1 = __importDefault(require("node:fs"));
+/** Idiomatic platform-aware path normalisation. */
+function normalizePath(p) {
+    if (typeof p !== 'string' || p.length === 0)
+        return p;
+    return node_path_1.default.normalize(p);
+}
+/** Re-export `path.join` under a stable name so callers don't have to import path directly. */
+function joinPaths(...parts) {
+    return node_path_1.default.join(...parts);
+}
+/**
+ * Expand `~/` and `~` to the current user's home directory. Pass
+ * paths through unchanged if they don't start with the tilde token.
+ *
+ *   expandHome('~/foo')  → `${os.homedir()}/foo`
+ *   expandHome('~')      → `${os.homedir()}`
+ *   expandHome('/abs/p') → '/abs/p'
+ *   expandHome('./rel')  → './rel'
+ */
+function expandHome(p) {
+    if (typeof p !== 'string' || p.length === 0)
+        return p;
+    if (p === '~')
+        return node_os_1.default.homedir();
+    if (p.startsWith('~/') || p.startsWith('~\\')) {
+        return node_path_1.default.join(node_os_1.default.homedir(), p.slice(2));
+    }
+    return p;
+}
+function platformShell() {
+    if (process.platform === 'win32')
+        return 'powershell';
+    // POSIX: prefer bash when present, otherwise sh. We don't probe at
+    // runtime — bash is ubiquitous on macOS/Linux and `sh` is the
+    // POSIX-mandated fallback. Callers that need certainty can call
+    // `which bash` themselves.
+    return 'bash';
+}
+/**
+ * Cross-platform writability check. Returns true if the path exists
+ * AND the current process can write to it, false otherwise. Catches
+ * EACCES/EPERM/ENOENT silently — never throws.
+ */
+function isWritable(p) {
+    try {
+        node_fs_1.default.accessSync(p, node_fs_1.default.constants.W_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Cross-platform readability check — paired with isWritable for
+ * doctor's filesystem audit.
+ */
+function isReadable(p) {
+    try {
+        node_fs_1.default.accessSync(p, node_fs_1.default.constants.R_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function classifyPlatform() {
+    switch (process.platform) {
+        case 'win32': return 'win32';
+        case 'darwin': return 'darwin';
+        case 'linux': return 'linux';
+        default: return 'other';
+    }
+}

package/dist/core/v4/providerFallback.js

@@ -412,6 +412,31 @@ class FallbackAdapter {
         }
         this.activeSlotId = slotId;
     }
+    /**
+     * Phase v4.1-subagent — clone the adapter with FRESH mutable state
+     * but SHARED slot configs. Subagent fanout uses this so each
+     * subagent gets its own rate-limit bookkeeping (slotState,
+     * cooldownUntil, requestCount, activeSlotId all reset) without
+     * paying for slot-config rebuilds. The slot list and the cooldownMs
+     * / clock / observer callbacks are read-only and safely shared
+     * across clones.
+     *
+     * One subagent hitting a 429 marks ITS clone's slot as cooled-down;
+     * the parent and sibling clones still see the slot as available.
+     * That's a deliberate tradeoff: tighter contention on the same
+     * provider key, but isolation prevents one slow subagent from
+     * starving siblings via parent-side cooldown state.
+     */
+    clone() {
+        return new FallbackAdapter({
+            apiMode: this.apiMode,
+            slots: this.slots,
+            cooldownMs: this.cooldownMs,
+            now: this.clock,
+            onRateLimit: this.onRateLimit,
+            onFallback: this.onFallback,
+        });
+    }
     /**
      * Diagnostic snapshot for `/providers`. Per-slot cooldown is reported
      * in seconds remaining (0 when the slot is fresh) so the slash command

package/dist/core/v4/skillLoader.js

@@ -74,15 +74,31 @@ class SkillLoader {
         return { ...this.lastCounts, skippedPaths: [...this.lastCounts.skippedPaths] };
     }
     async load(name) {
-        // Honour the cache when available so we don't re-walk for a
-        // single-skill lookup. Falls through to disk on a miss so newly
-        // dropped skills still resolve in long-running processes (the cache
-        // never sees them otherwise — that's the whole point of `invalidate`).
+        // Phase v4.1-cross-platform: case-insensitive cache lookup so a
+        // skill registered as `WebSearch` resolves the same on Linux
+        // (case-sensitive FS) as on Windows (case-insensitive FS). The
+        // ON-DISK directory name still has to match in case for the
+        // disk-fallback path to work, so we ALSO loadAll first when the
+        // case-insensitive cache hit succeeds — that gives us the actual
+        // file-system path and the loader can serve it from cache.
+        const target = name.toLowerCase();
+        if (!this.cache) {
+            // Trigger a one-time scan so case-insensitive lookup has data.
+            try {
+                await this.loadAll();
+            }
+            catch { /* ignore — fall through to disk */ }
+        }
         if (this.cache) {
-            const hit = this.cache.find((s) => s.frontmatter.name === name);
+            const hit = this.cache.find((s) => (s.frontmatter.name ?? '').toLowerCase() === target);
             if (hit)
                 return hit;
         }
+        // Disk fallback: try the verbatim name, then a lowercase variant
+        // (covers case where the cache failed to populate but the on-disk
+        // dir uses lowercase). On case-sensitive filesystems neither will
+        // hit if the directory case doesn't match the requested name —
+        // that's fine, the cache lookup above is the authoritative path.
         const dirSkill = node_path_1.default.join(this.paths.skillsDir, name, 'SKILL.md');
         const fileSkill = node_path_1.default.join(this.paths.skillsDir, `${name}.md`);
         return (await this.tryParse(dirSkill)) ?? (await this.tryParse(fileSkill));

package/dist/core/v4/skillMining/candidateStore.js

@@ -0,0 +1,164 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/skillMining/candidateStore.ts — Phase v4.1-skill-mining
+ *
+ * Atomic JSON queue for mined skill candidates and rejection
+ * fingerprints. Two files under `<aidenHome>/skills/learned/`:
+ *
+ *   - `.candidates.json` — pending review queue, append-only via
+ *     this module. `/skills review` reads it; `/skills accept`
+ *     and `/skills reject` mutate it.
+ *
+ *   - `.rejected.json` — fingerprint set the dedup gate consults
+ *     so a user-rejected workflow doesn't get re-proposed on the
+ *     next matching turn. Keyed by fingerprint, not id, so the
+ *     dedup survives across the candidate's lifecycle.
+ *
+ * Concurrency: a per-process write queue serialises every mutation
+ * (mirrors the BundledManifest pattern at
+ * `core/v4/skillBundledManifest.ts:50-53`). Cross-process safety
+ * is non-goal — the agent is a single-user CLI.
+ *
+ * Atomicity: writes go to a sibling `.tmp` file then `rename` over
+ * the live path. Windows rename is atomic on the same volume so a
+ * crash mid-write never leaves a partial JSON file.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CandidateStore = void 0;
+const node_fs_1 = require("node:fs");
+const node_path_1 = __importDefault(require("node:path"));
+const paths_1 = require("../paths");
+const ENVELOPE_VERSION = 1;
+class CandidateStore {
+    constructor() {
+        this.writeQueue = Promise.resolve();
+    }
+    /** `<aidenHome>/skills/learned/`. */
+    dir() {
+        return node_path_1.default.join((0, paths_1.resolveAidenPaths)().skillsDir, 'learned');
+    }
+    candidatesPath() {
+        return node_path_1.default.join(this.dir(), '.candidates.json');
+    }
+    rejectedPath() {
+        return node_path_1.default.join(this.dir(), '.rejected.json');
+    }
+    async ensureDir() {
+        await node_fs_1.promises.mkdir(this.dir(), { recursive: true });
+    }
+    async readJson(p, fallback) {
+        try {
+            const raw = await node_fs_1.promises.readFile(p, 'utf8');
+            return JSON.parse(raw);
+        }
+        catch {
+            return fallback;
+        }
+    }
+    /** Atomic `tmp` + rename. */
+    async writeJsonAtomic(p, data) {
+        await this.ensureDir();
+        const tmp = `${p}.tmp`;
+        await node_fs_1.promises.writeFile(tmp, JSON.stringify(data, null, 2), 'utf8');
+        await node_fs_1.promises.rename(tmp, p);
+    }
+    /** Append a candidate to the pending queue. Returns the assigned id. */
+    async append(candidate) {
+        return new Promise((resolve, reject) => {
+            this.writeQueue = this.writeQueue.then(async () => {
+                try {
+                    const env = await this.readJson(this.candidatesPath(), {
+                        version: ENVELOPE_VERSION,
+                        candidates: [],
+                    });
+                    env.version = ENVELOPE_VERSION;
+                    env.candidates.push(candidate);
+                    await this.writeJsonAtomic(this.candidatesPath(), env);
+                    resolve(candidate);
+                }
+                catch (err) {
+                    reject(err);
+                }
+            });
+        });
+    }
+    /** Read the full pending queue, newest last. */
+    async list() {
+        const env = await this.readJson(this.candidatesPath(), {
+            version: ENVELOPE_VERSION,
+            candidates: [],
+        });
+        return env.candidates ?? [];
+    }
+    /** Fetch a single candidate by id, or undefined. */
+    async get(id) {
+        const all = await this.list();
+        return all.find((c) => c.id === id);
+    }
+    /** Remove a candidate by id. No-op if missing. */
+    async remove(id) {
+        return new Promise((resolve, reject) => {
+            this.writeQueue = this.writeQueue.then(async () => {
+                try {
+                    const env = await this.readJson(this.candidatesPath(), {
+                        version: ENVELOPE_VERSION,
+                        candidates: [],
+                    });
+                    env.version = ENVELOPE_VERSION;
+                    env.candidates = env.candidates.filter((c) => c.id !== id);
+                    await this.writeJsonAtomic(this.candidatesPath(), env);
+                    resolve();
+                }
+                catch (err) {
+                    reject(err);
+                }
+            });
+        });
+    }
+    /** Append a rejection fingerprint (with optional reason). */
+    async recordRejection(fingerprint, reason) {
+        return new Promise((resolve, reject) => {
+            this.writeQueue = this.writeQueue.then(async () => {
+                try {
+                    const env = await this.readJson(this.rejectedPath(), {
+                        version: ENVELOPE_VERSION,
+                        rejected: [],
+                    });
+                    env.version = ENVELOPE_VERSION;
+                    env.rejected.push({
+                        fingerprint,
+                        reason,
+                        rejectedAt: new Date().toISOString(),
+                    });
+                    await this.writeJsonAtomic(this.rejectedPath(), env);
+                    resolve();
+                }
+                catch (err) {
+                    reject(err);
+                }
+            });
+        });
+    }
+    /** Return the set of rejected fingerprints (for dedup). */
+    async loadRejected() {
+        const env = await this.readJson(this.rejectedPath(), {
+            version: ENVELOPE_VERSION,
+            rejected: [],
+        });
+        return new Set((env.rejected ?? []).map((r) => r.fingerprint));
+    }
+    /** Test/reset hook: drop the in-process write queue. Disk untouched. */
+    _resetForTests() {
+        this.writeQueue = Promise.resolve();
+    }
+}
+exports.CandidateStore = CandidateStore;