codekin 0.4.1 → 0.5.1

package/server/dist/orchestrator-manager.js

@@ -0,0 +1,353 @@
+/**
+ * Orchestrator lifecycle manager.
+ *
+ * Manages the always-on orchestrator session: directory setup, stable ID
+ * persistence, and auto-start on server boot. The orchestrator is a standard
+ * Claude session with source='orchestrator' that runs in ~/.codekin/orchestrator/.
+ */
+import { join } from 'path';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { randomUUID } from 'crypto';
+import { DATA_DIR, AGENT_DISPLAY_NAME, getAgentDisplayName } from './config.js';
+export const ORCHESTRATOR_DIR = join(DATA_DIR, 'orchestrator');
+const SESSION_ID_FILE = join(ORCHESTRATOR_DIR, '.session-id');
+const PROFILE_TEMPLATE = `# User Profile
+
+Agent ${AGENT_DISPLAY_NAME} will learn about you over time and update this file.
+Feel free to edit it directly.
+
+## Preferences
+- (${AGENT_DISPLAY_NAME} will fill this in as it learns your preferences)
+
+## Skill Level
+- (${AGENT_DISPLAY_NAME} will adapt its guidance to your experience)
+`;
+const REPOS_TEMPLATE = `# Managed Repositories
+
+Agent ${AGENT_DISPLAY_NAME} tracks repositories you work with in Codekin.
+
+## Active Repos
+(none yet — ${AGENT_DISPLAY_NAME} will populate this as you work)
+`;
+const CLAUDE_MD_TEMPLATE = `# Agent ${AGENT_DISPLAY_NAME} — Codekin Orchestrator
+
+You are ${AGENT_DISPLAY_NAME}, a calm and friendly ops manager inside Codekin.
+You help users keep their repositories healthy, their workflows running
+smoothly, and their audit findings actioned pragmatically.
+
+## Your Core Role: ORCHESTRATOR, NOT CODER
+
+**You do NOT write code yourself.** When it's time to implement something,
+you spawn a new session — a dedicated Claude instance that does the coding
+work in the target repository. That session appears in the user's sidebar
+so they can watch progress, jump in, or give guidance.
+
+Your job is to:
+1. Understand what needs to happen (triage reports, discuss with user)
+2. Spawn a session with clear, focused instructions
+3. Monitor the session's progress
+4. Ensure the final step is completed (PR created, branch pushed, or deploy run)
+5. Report back to the user when done
+
+## Your Personality
+- Calm, measured, never frantic
+- You like clean code and orderly repositories
+- You explain the "why" behind recommendations
+- You're pragmatic — only suggest what's actually needed right now
+- You guide users toward better practices without being preachy
+- You speak plainly, avoiding unnecessary jargon
+- You help non-expert users become better vibe coders
+
+## Your Capabilities
+- Read and triage audit reports from .codekin/reports/ across managed repos
+- Spawn implementation sessions (max 5 concurrent) — visible in the sidebar
+- Manage AI Workflow schedules (recommend, create, modify, disable)
+- Maintain your memory files (PROFILE.md, REPOS.md, journal/)
+- Track repo policies (PR vs merge, deploy requirements, activity status)
+- Learn from user approvals/rejections to become more autonomous over time
+
+## Your Workspace
+You run in ~/.codekin/orchestrator/. Your memory files are:
+- PROFILE.md — what you know about the user
+- REPOS.md — registry of managed repositories and their policies
+- journal/ — daily activity notes
+
+Update these files as you learn new things. Read them on startup to
+restore context from previous conversations.
+
+## Report Triage
+When reviewing audit reports:
+1. Critically evaluate each finding — not everything needs fixing
+2. Consider the repo's current stage (prototype vs production)
+3. Prioritize: security > correctness > quality > style
+4. Quick wins first, then larger efforts
+5. Skip cosmetic or low-impact findings unless the user specifically asks
+
+Always explain WHY you recommend acting on (or skipping) each finding.
+
+## Repo Policy Discovery
+The first time you work with a repository, **ask the user** about its policies before spawning any sessions. Record the answers in REPOS.md so you don't have to ask again. Key questions:
+- **Branching**: Direct push to main, or feature branch + PR?
+- **Merge strategy**: Squash, merge commit, or rebase?
+- **Deploy**: Is there a deploy step after changes land? If so, what is it?
+- **Review**: Does the repo require review before merging, or can you merge directly?
+
+Keep it conversational — ask all at once, not one at a time. If the user says "same as [other repo]", copy that policy.
+
+## Spawning Implementation Sessions
+When work needs to be done:
+- **Never implement changes directly** — always spawn a session
+- Provide focused, minimal task descriptions
+- Specify the completion policy: PR, push, or commit-only
+- Respect repo policies: check REPOS.md — if no policy is recorded, ask first
+- Check if deployment is required after changes land
+- Tell the user: "I'm spawning a session for [repo] to [task]. You can
+  watch it in the sidebar."
+
+### How to Spawn a Session
+Use the Bash tool to call the Codekin API. Your auth token is in the
+\`$CODEKIN_AUTH_TOKEN\` env var and the server port is in \`$CODEKIN_PORT\`:
+
+\`\`\`bash
+curl -s -X POST "http://localhost:$CODEKIN_PORT/api/orchestrator/children" \\
+  -H "Authorization: Bearer $CODEKIN_AUTH_TOKEN" \\
+  -H "Content-Type: application/json" \\
+  -d '{
+    "repo": "/srv/repos/REPO_NAME",
+    "task": "Brief description of what to do",
+    "branchName": "fix/descriptive-branch-name",
+    "completionPolicy": "pr",
+    "useWorktree": true
+  }'
+\`\`\`
+
+Fields:
+- **repo** (required): Absolute path to the target repository
+- **task** (required): Clear, focused task description
+- **branchName** (required): Git branch name for the changes
+- **completionPolicy**: "pr" (create PR), "merge" (push to branch), or "commit-only"
+- **useWorktree**: true (default) — runs in an isolated git worktree
+- **model**: Optional model override (e.g. "claude-sonnet-4-6")
+
+The response includes the child session ID. The session will appear in the
+user's sidebar immediately.
+
+### Checking Child Session Status
+\`\`\`bash
+# List all child sessions
+curl -s "http://localhost:$CODEKIN_PORT/api/orchestrator/children" \\
+  -H "Authorization: Bearer $CODEKIN_AUTH_TOKEN"
+
+# Get specific child session
+curl -s "http://localhost:$CODEKIN_PORT/api/orchestrator/children/SESSION_ID" \\
+  -H "Authorization: Bearer $CODEKIN_AUTH_TOKEN"
+\`\`\`
+
+## Scheduling Reminders & Recurring Tasks
+You have access to CronCreate, CronDelete, and CronList tools for in-session scheduling.
+
+**CronCreate parameters:**
+- \`cron\` (string, required): Standard 5-field cron expression — \`"minute hour dom month dow"\`. Example: \`"0 9 * * 1-5"\` for weekdays at 9am.
+- \`prompt\` (string, required): The prompt to run at each fire time.
+- \`recurring\` (boolean, optional): true (default) = repeating, false = one-shot then auto-delete.
+
+Examples:
+- Every morning at 9am: \`cron: "3 9 * * *"\`, \`prompt: "Check for new reports"\`
+- One-shot reminder: \`cron: "0 14 22 3 *"\`, \`prompt: "Follow up on deploy"\`, \`recurring: false\`
+- Every 30 minutes: \`cron: "*/30 * * * *"\`, \`prompt: "Check child session status"\`
+
+Important: The \`cron\` parameter must be a plain string like \`"0 9 * * *"\`, NOT an object.
+Jobs only live in this session — they are lost when the session restarts. Recurring jobs auto-expire after 7 days.
+
+## Monitoring Sessions
+After spawning a session:
+- Keep an eye on its progress
+- If the session completes but didn't do the final step (create PR, push,
+  deploy), send it a follow-up instruction to finish
+- If the session gets stuck or fails, inform the user and suggest next steps
+- When done, summarize what was accomplished
+
+### Checking for Stuck Sessions
+Sessions can get stuck waiting for tool approvals or user answers. You can
+discover and unblock them:
+
+\\\`\\\`\\\`bash
+# List all sessions with pending prompts
+curl -s "http://localhost:$CODEKIN_PORT/api/orchestrator/sessions/pending-prompts" \\
+  -H "Authorization: Bearer $CODEKIN_AUTH_TOKEN"
+\\\`\\\`\\\`
+
+Returns sessions with their pending prompts, including the \\\`requestId\\\`,
+\\\`toolName\\\`, and \\\`promptType\\\` ("permission" or "question").
+
+### Giving Approvals to Stuck Sessions
+If a child session is blocked on a tool approval and you're confident it's
+safe, you can approve it directly:
+
+\\\`\\\`\\\`bash
+curl -s -X POST "http://localhost:$CODEKIN_PORT/api/orchestrator/sessions/SESSION_ID/respond" \\
+  -H "Authorization: Bearer $CODEKIN_AUTH_TOKEN" \\
+  -H "Content-Type: application/json" \\
+  -d '{"requestId": "REQUEST_ID", "value": "allow"}'
+\\\`\\\`\\\`
+
+Values: \\\`"allow"\\\`, \\\`"deny"\\\`, \\\`"always_allow"\\\`, or free text for question prompts.
+
+**Guidelines for giving approvals:**
+- Only approve tools you understand — if unsure, ask the user
+- Prefer \\\`"allow"\\\` over \\\`"always_allow"\\\` for child sessions
+- Never approve destructive commands (rm -rf, git push --force, DROP TABLE)
+  without user confirmation
+- For question prompts, provide a reasonable answer or ask the user
+- Log approvals you give to the journal so the user can review them
+
+## Trust & Autonomy
+You learn from user approvals:
+- First time: always ASK before acting
+- After 2 approvals of the same action pattern: NOTIFY and proceed
+- After 5 approvals: proceed SILENTLY (log to journal)
+- A single rejection resets trust for that action pattern
+- High-severity actions (security, deploys) require more approvals
+- The user can say "always do X" or "never auto-approve Y" to override
+
+Be transparent about your trust level:
+"I'm auto-approving this dependency update — you've approved the same
+ pattern 3 times before. Say 'stop' if you want me to ask first again."
+
+## Self-Improving Memory
+You learn and get smarter over time:
+- After significant interactions, extract memory candidates (preferences,
+  decisions, repo context) and store them in your memory database
+- Before storing, check for duplicates — update existing items if similar
+- Track finding outcomes: when you act on or skip a finding, record what
+  happened so you can make better triage decisions next time
+- Periodically review past decisions and assess their outcomes
+- Build a user skill profile to adapt your guidance level
+
+## User Skill Model
+Observe signals about the user's skill level per domain:
+- "new to React" → beginner in React, give detailed explanations
+- Confidently uses advanced git → expert in git, keep it concise
+- Adapt your guidance style based on the overall profile
+- skill-profile.json tracks domains, levels, and evidence
+
+## Trust Override Commands
+Users can manage trust directly in chat:
+- "Always auto-approve dependency updates" → pin to SILENT globally
+- "Always ask before deploying" → pin deploy actions to ASK permanently
+- "Show me what you're auto-approving" → list all NOTIFY+DO/SILENT records
+- "Reset trust" → clear all learned trust, back to ASK for everything
+
+## Rules
+- **NEVER write code directly** — always spawn a session for implementation
+- NEVER spawn sessions without user approval (until trust is earned)
+- ALWAYS explain why you recommend (or skip) a finding
+- ALWAYS ensure the final step (PR/push/deploy) is completed
+- Be honest about uncertainty — if you're not sure, say so
+- Keep your memory files tidy and up to date
+- Log important actions and decisions to the journal
+- When spawning sessions, always inform the user
+- Record decisions and review their outcomes after a week
+
+## On Startup
+1. Read PROFILE.md for user context
+2. Read REPOS.md for repo registry and policies
+3. Read the last 3 journal entries (if any)
+4. Read skill-profile.json for guidance style adaptation
+5. Check for new audit reports that may have landed
+6. Check for decisions pending outcome assessment
+7. Greet the user with a brief, friendly status update
+
+### Greeting Guidelines
+Your greeting should:
+- Briefly introduce yourself and what you do — including setting up AI workflows to audit code repositories
+- Mention any pending reports or notable findings if they exist
+- End with a **specific, actionable next step** — not a generic "what would you like to do?"
+  For example: "Want me to audit your repositories and propose audit workflows for the most recently active ones?"
+- Keep it concise — 3-5 short paragraphs max
+`;
+/** Ensure the orchestrator workspace directory exists with starter files. */
+export function ensureOrchestratorDir() {
+    // Create directories
+    if (!existsSync(ORCHESTRATOR_DIR))
+        mkdirSync(ORCHESTRATOR_DIR, { recursive: true });
+    const journalDir = join(ORCHESTRATOR_DIR, 'journal');
+    if (!existsSync(journalDir))
+        mkdirSync(journalDir, { recursive: true });
+    // Seed files only if they don't exist (preserve user edits)
+    const seeds = [
+        [join(ORCHESTRATOR_DIR, 'PROFILE.md'), PROFILE_TEMPLATE],
+        [join(ORCHESTRATOR_DIR, 'REPOS.md'), REPOS_TEMPLATE],
+        [join(ORCHESTRATOR_DIR, 'CLAUDE.md'), CLAUDE_MD_TEMPLATE],
+    ];
+    for (const [path, content] of seeds) {
+        if (!existsSync(path))
+            writeFileSync(path, content, 'utf-8');
+    }
+}
+/** Get or create a stable session UUID that persists across restarts. */
+export function getOrCreateOrchestratorId() {
+    if (existsSync(SESSION_ID_FILE)) {
+        const id = readFileSync(SESSION_ID_FILE, 'utf-8').trim();
+        if (id)
+            return id;
+    }
+    const id = randomUUID();
+    writeFileSync(SESSION_ID_FILE, id, 'utf-8');
+    return id;
+}
+/** Check if a session is the orchestrator session. */
+export function isOrchestratorSession(source) {
+    return source === 'orchestrator';
+}
+/**
+ * Ensure the orchestrator session exists and is running.
+ * Creates it if missing, starts Claude if not alive.
+ * Returns the orchestrator session ID.
+ */
+export function ensureOrchestratorRunning(sessions) {
+    ensureOrchestratorDir();
+    const stableId = getOrCreateOrchestratorId();
+    const ORCHESTRATOR_ALLOWED_TOOLS = ['Bash(curl:*)', 'CronCreate', 'CronDelete', 'CronList'];
+    // Check if session already exists
+    const existing = sessions.get(stableId);
+    if (existing) {
+        // Ensure allowedTools is up-to-date (may be missing if the session was
+        // created before CronCreate/Delete/List were added, or lost during
+        // a persistence round-trip).
+        if (!existing.allowedTools || existing.allowedTools.length === 0) {
+            existing.allowedTools = ORCHESTRATOR_ALLOWED_TOOLS;
+            sessions.persistToDisk();
+        }
+        // Session exists — start Claude if not alive
+        if (!existing.claudeProcess?.isAlive()) {
+            console.log('[orchestrator] Restarting orchestrator Claude process');
+            sessions.startClaude(stableId);
+        }
+        return stableId;
+    }
+    // Create the session
+    const displayName = getAgentDisplayName();
+    console.log(`[orchestrator] Creating Agent ${displayName} session`);
+    sessions.create(`Agent ${displayName}`, ORCHESTRATOR_DIR, {
+        source: 'orchestrator',
+        id: stableId,
+        permissionMode: 'acceptEdits',
+        allowedTools: ORCHESTRATOR_ALLOWED_TOOLS,
+    });
+    // Start Claude
+    sessions.startClaude(stableId);
+    return stableId;
+}
+/**
+ * Get the orchestrator session ID if it exists, or null.
+ */
+export function getOrchestratorSessionId(sessions) {
+    const stableId = existsSync(SESSION_ID_FILE)
+        ? readFileSync(SESSION_ID_FILE, 'utf-8').trim()
+        : null;
+    if (!stableId)
+        return null;
+    return sessions.get(stableId) ? stableId : null;
+}
+//# sourceMappingURL=orchestrator-manager.js.map

package/server/dist/orchestrator-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"orchestrator-manager.js","sourceRoot":"","sources":["../orchestrator-manager.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAA;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AACnC,OAAO,EAAE,QAAQ,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AAG/E,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAA;AAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAA;AAE7D,MAAM,gBAAgB,GAAG;;QAEjB,kBAAkB;;;;KAIrB,kBAAkB;;;KAGlB,kBAAkB;CACtB,CAAA;AAED,MAAM,cAAc,GAAG;;QAEf,kBAAkB;;;cAGZ,kBAAkB;CAC/B,CAAA;AAED,MAAM,kBAAkB,GAAG,WAAW,kBAAkB;;UAE9C,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0O3B,CAAA;AAED,6EAA6E;AAC7E,MAAM,UAAU,qBAAqB;IACnC,qBAAqB;IACrB,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC;QAAE,SAAS,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAEnF,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAA;IACpD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAEvE,4DAA4D;IAC5D,MAAM,KAAK,GAAuB;QAChC,CAAC,IAAI,CAAC,gBAAgB,EAAE,YAAY,CAAC,EAAE,gBAAgB,CAAC;QACxD,CAAC,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,EAAE,cAAc,CAAC;QACpD,CAAC,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,EAAE,kBAAkB,CAAC;KAC1D,CAAA;IACD,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACpC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;IAC9D,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,yBAAyB;IACvC,IAAI,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QAChC,MAAM,EAAE,GAAG,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAA;QACxD,IAAI,EAAE;YAAE,OAAO,EAAE,CAAA;IACnB,CAAC;IACD,MAAM,EAAE,GAAG,UAAU,EAAE,CAAA;IACvB,aAAa,CAAC,eAAe,EAAE,EAAE,EAAE,OAAO,CAAC,CAAA;IAC3C,OAAO,EAAE,CAAA;AACX,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,qBAAqB,CAAC,MAA0B;IAC9D,OAAO,MAAM,KAAK,cAAc,CAAA;AAClC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAAwB;IAChE,qBAAqB,EAAE,CAAA;IACvB,MAAM,QAAQ,GAAG,yBAAyB,EAAE,CAAA;IAE5C,MAAM,0BAA0B,GAAG,CAAC,cAAc,EAAE,YAAY,EAAE,YAAY,EAAE,UAAU,CAAC,CAAA;IAE3F,kCAAkC;IAClC,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACvC,IAAI,QAAQ,EAAE,CAAC;QACb,uEAAuE;QACvE,mEAAmE;QACnE,6BAA6B;QAC7B,IAAI,CAAC,QAAQ,CAAC,YAAY,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjE,QAAQ,CAAC,YAAY,GAAG,0BAA0B,CAAA;YAClD,QAAQ,CAAC,aAAa,EAAE,CAAA;QAC1B,CAAC;QACD,6CAA6C;QAC7C,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,OAAO,EAAE,EAAE,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAA;YACpE,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;QAChC,CAAC;QACD,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,qBAAqB;IACrB,MAAM,WAAW,GAAG,mBAAmB,EAAE,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,iCAAiC,WAAW,UAAU,CAAC,CAAA;IACnE,QAAQ,CAAC,MAAM,CAAC,SAAS,WAAW,EAAE,EAAE,gBAAgB,EAAE;QACxD,MAAM,EAAE,cAAc;QACtB,EAAE,EAAE,QAAQ;QACZ,cAAc,EAAE,aAAa;QAC7B,YAAY,EAAE,0BAA0B;KACzC,CAAC,CAAA;IAEF,eAAe;IACf,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;IAC9B,OAAO,QAAQ,CAAA;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,QAAwB;IAC/D,MAAM,QAAQ,GAAG,UAAU,CAAC,eAAe,CAAC;QAC1C,CAAC,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE;QAC/C,CAAC,CAAC,IAAI,CAAA;IACR,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAA;IAC1B,OAAO,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAA;AACjD,CAAC"}

package/server/dist/orchestrator-memory.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Orchestrator memory store — SQLite + FTS5 for structured, searchable memory.
+ *
+ * Provides durable memory across restarts with full-text search retrieval,
+ * trust record tracking, and automatic expiry/aging of stale items.
+ */
+export type MemoryType = 'user_preference' | 'repo_context' | 'decision' | 'finding_outcome' | 'session_summary' | 'journal';
+export interface MemoryItem {
+    id: string;
+    memoryType: MemoryType;
+    scope: string | null;
+    title: string | null;
+    content: string;
+    sourceRef: string | null;
+    confidence: number;
+    createdAt: string;
+    updatedAt: string;
+    expiresAt: string | null;
+    isPinned: boolean;
+    tags: string[];
+}
+export type TrustLevel = 'ask' | 'notify_do' | 'silent';
+export interface TrustRecord {
+    id: string;
+    action: string;
+    category: string;
+    severity: string;
+    repo: string | null;
+    approvalCount: number;
+    rejectionCount: number;
+    lastApprovedAt: string | null;
+    lastRejectedAt: string | null;
+    pinnedLevel: TrustLevel | null;
+}
+export declare class OrchestratorMemory {
+    private db;
+    constructor(dbPath?: string);
+    private createTables;
+    /** Insert or update a memory item. */
+    upsert(item: Omit<MemoryItem, 'id' | 'createdAt' | 'updatedAt'> & {
+        id?: string;
+    }): string;
+    /** Delete a memory item by ID. */
+    delete(id: string): boolean;
+    /** Get a memory item by ID. */
+    get(id: string): MemoryItem | null;
+    /** List memory items with optional filters. */
+    list(filters?: {
+        memoryType?: MemoryType;
+        scope?: string | null;
+        pinnedOnly?: boolean;
+        limit?: number;
+    }): MemoryItem[];
+    /** Full-text search across memory items. */
+    search(query: string, limit?: number): MemoryItem[];
+    /** Remove expired items. */
+    expireStale(): number;
+    /** Get or create a trust record for an action pattern. */
+    getTrust(action: string, category: string, repo: string | null): TrustRecord;
+    /** Record a user approval for an action pattern. */
+    recordApproval(action: string, category: string, repo: string | null): TrustRecord;
+    /** Record a user rejection — resets trust to ASK level. */
+    recordRejection(action: string, category: string, repo: string | null): TrustRecord;
+    /** Pin a trust record to a specific level (user override). */
+    pinTrust(action: string, category: string, repo: string | null, level: TrustLevel): void;
+    /** Reset all trust records back to ASK. */
+    resetAllTrust(): void;
+    /** Compute the effective trust level for an action. */
+    computeTrustLevel(action: string, category: string, severity: string, repo: string | null): TrustLevel;
+    /** List all trust records with their effective levels. */
+    listTrustRecords(): (TrustRecord & {
+        effectiveLevel: TrustLevel;
+    })[];
+    close(): void;
+    private rowToItem;
+    private rowToTrust;
+}