convene-cli 1.0.5 → 1.1.1

package/dist/commands/gate-push.js

@@ -0,0 +1,333 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gatePush = gatePush;
+/**
+ * `convene gate-push` (WP9) — the PUSH GATE. Wired as a PreToolUse hook on
+ * `Bash(git push …)` (PreToolUse mode) and a PostToolUse hook (`--post`) that
+ * releases the lane. The hook WIRING itself is the WP13 capstone — this file is
+ * only the verb.
+ *
+ * POSTURE = FAIL-OPEN-LOUD (P0-FAILSAFE):
+ *   - A top-level watchdog force-exits 0 at WATCHDOG_MS=4000 no matter what, so a
+ *     hung network/git can NEVER wedge a push.
+ *   - Network calls (claim / lane-state) use an EXPLICIT short timeout (2500ms),
+ *     never the api.ts 10s default; local git (isAncestor/revParse) runs in
+ *     PARALLEL with the network call.
+ *   - TRANSPORT failure (ApiResult.status===0 = connection-refused/DNS) →
+ *     fail-OPEN-LOUD immediately (exit 0 + a `systemMessage` "deploy lane
+ *     UNVERIFIED — proceeding UNGATED").
+ *   - TIMEOUT / 5xx (bus up but contended) → retry 2× with backoff INSIDE the
+ *     watchdog, then still fail-open-loud + best-effort post a [STATUS]
+ *     "gate skipped" so the skip is auditable in real time.
+ *
+ * exit 2 (BLOCK) ONLY on a CONFIRMED positive:
+ *   (a) LANE_HELD by a DIFFERENT instance (409 from the claim CAS), OR
+ *   (b) an open DIRECTED HALT for this session (from lane-state.halts), OR
+ *   (c) HEAD CONFIRMED-BEHIND after `git fetch origin <ref>` then
+ *       isAncestor(remote, HEAD) === false.
+ * A SOFT foreign-lane conflict (a foreign live lane but no directed halt) is NOT
+ * a hard deny — it emits permissionDecision:'ask'.
+ *
+ * Auto-CLAIM on the way through: when the lane is free we CLAIM it (serialize via
+ * the server CAS, not a read-then-decide race). --post releases it (on success
+ * AND failure), an idempotent no-op if this instance no longer holds.
+ *
+ * --break-glass / CONVENE_DEPLOY_BREAKGLASS=1 → exit 0 + a loud audited takeover.
+ *
+ * NEVER calls die() and NEVER routes through ctx.getContext() (which die()s on a
+ * missing config) — it owns its own watchdog exactly like fetch.ts.
+ *
+ * The exit-2 stderr reason is a FIXED TEMPLATE with NO free-text interpolation of
+ * intent / holder_session / body — only a validated holder_handle, a numeric
+ * heartbeat age, and the one-step recovery hint.
+ */
+const git_1 = require("../git");
+const config_1 = require("../config");
+const cache_1 = require("../cache");
+const api_1 = require("../api");
+const guard_1 = require("./guard");
+const exit_1 = require("../exit");
+const WATCHDOG_MS = 4000;
+const NET_TIMEOUT_MS = 2500; // explicit short timeout — NEVER the api.ts 10s default
+const RETRIES = 2;
+/** Only `holder_handle` (validated) reaches the model-facing reason. */
+function safeHandle(s) {
+    if (typeof s !== 'string')
+        return 'another session';
+    const cleaned = s.replace(/[^a-zA-Z0-9_.\-/]+/g, '').slice(0, 64);
+    return cleaned ? `@${cleaned}` : 'another session';
+}
+function fmtAge(sec) {
+    const n = typeof sec === 'number' && Number.isFinite(sec) ? Math.max(0, Math.round(sec)) : null;
+    if (n == null)
+        return 'unknown';
+    if (n < 60)
+        return `${n}s`;
+    const m = Math.round(n / 60);
+    return m < 60 ? `${m}m` : `${Math.floor(m / 60)}h`;
+}
+/** A transport failure (connection-refused/DNS) is status 0; a timeout/5xx is "up but contended". */
+function isTransportFailure(status) {
+    return status === 0;
+}
+function isRetryable(status) {
+    // 408 request-timeout, 429 too-many, 5xx — bus up but contended → retry inside the watchdog.
+    return status === 408 || status === 429 || status >= 500;
+}
+/** Parse git's pre-push stdin into the deploy-ish ref(s) being pushed. */
+function parseRefsFromStdin(stdin) {
+    const refs = [];
+    for (const line of stdin.split('\n')) {
+        const parts = line.trim().split(/\s+/);
+        if (parts.length < 4)
+            continue;
+        const [localRef, localSha] = parts;
+        if (!localSha || /^0+$/.test(localSha))
+            continue; // deletion — nothing landed
+        if (localRef.startsWith('refs/heads/') || localRef.startsWith('refs/tags/'))
+            refs.push(localRef);
+    }
+    return refs;
+}
+/** Async, timeout-bounded stdin read (git closes the pipe immediately). */
+function readStdin(timeoutMs) {
+    if (process.stdin.isTTY)
+        return Promise.resolve(null);
+    return new Promise((resolve) => {
+        let data = '';
+        let settled = false;
+        const finish = (v) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            process.stdin.removeAllListeners();
+            resolve(v);
+        };
+        const timer = setTimeout(() => finish(null), timeoutMs);
+        process.stdin.setEncoding('utf8');
+        process.stdin.on('data', (c) => {
+            data += c;
+        });
+        process.stdin.on('end', () => finish(data));
+        process.stdin.on('error', () => finish(null));
+        process.stdin.resume();
+    });
+}
+function emitJson(obj) {
+    process.stdout.write(JSON.stringify(obj) + '\n');
+}
+/** PreToolUse "allow but tell the human" verdict — NOT a hard deny. */
+function ask(reason) {
+    emitJson({
+        hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'ask', permissionDecisionReason: reason },
+    });
+}
+/** A loud, non-blocking advisory (fail-open) surfaced to the agent. */
+function loudOpen(systemMessage) {
+    emitJson({ systemMessage });
+}
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+async function run(opts) {
+    const top = (0, git_1.gitToplevel)();
+    if (!top)
+        return 0; // not a git repo → no-op
+    const cwd = top;
+    const proj = (0, config_1.loadProjectConfig)(top);
+    const slug = opts.project || proj?.slug || null;
+    if (!slug)
+        return 0; // repo not on the bus → no-op (zero network)
+    const cfg = (0, config_1.resolveConfig)();
+    const member = cfg.member;
+    const session = member ? (0, git_1.sessionId)(member, top) : null;
+    // Determine the ref(s) being pushed.
+    let refs;
+    if (opts.stdin) {
+        const stdin = await readStdin(1500);
+        const trimmed = (stdin ?? '').trim();
+        if (trimmed.startsWith('{')) {
+            // Claude Code PreToolUse/PostToolUse payload (JSON). Gate ONLY a real
+            // `git push` — classify the command with the SAME anchored classifier as
+            // `guard`, so an ordinary Bash command (even one whose ARGS contain
+            // "deploy"/"release"/a ref name) is a zero-network no-op and NEVER claims a
+            // lane. A bare `git push` (no refspec) falls back to the current branch.
+            const cls = (0, guard_1.classifyCommand)((0, guard_1.commandFromPayload)(stdin));
+            if (cls.kind === 'push') {
+                const cb = (0, git_1.currentBranch)(cwd);
+                refs = cls.refs.length ? cls.refs : cb ? [`refs/heads/${cb}`] : [];
+            }
+            else {
+                refs = [];
+            }
+        }
+        else {
+            // git pre-push hook context: real refspecs arrive on stdin.
+            refs = stdin ? parseRefsFromStdin(stdin) : [];
+            if (!refs.length) {
+                const b = (0, git_1.currentBranch)(cwd);
+                refs = b ? [`refs/heads/${b}`] : [];
+            }
+        }
+    }
+    else {
+        // Explicit invocation (e.g. `convene deploy`): gate the current branch.
+        const b = (0, git_1.currentBranch)(cwd);
+        refs = b ? [`refs/heads/${b}`] : [];
+    }
+    // A deploy ref is one the anchored classifier recognizes (heads/main, tags, …).
+    const deployRefs = refs.filter((r) => (0, guard_1.classifyPushRefs)(r));
+    const ref = deployRefs[0] ?? refs[0] ?? 'refs/heads/main';
+    const lane = `deploy:${ref}`;
+    // PostToolUse: release the lane (idempotent no-op if we no longer hold it).
+    if (opts.post) {
+        if (!cfg.apiKey || !session)
+            return 0;
+        const instance = (0, cache_1.ensureSessionInstance)(slug);
+        const api = new api_1.ConveneApi(cfg.baseUrl, cfg.apiKey, session, cfg.tool, instance);
+        await api.laneRelease(slug, lane, NET_TIMEOUT_MS).catch(() => undefined);
+        return 0;
+    }
+    // Non-deploy ref → allow instantly with ZERO network.
+    if (!deployRefs.length)
+        return 0;
+    // Break-glass: self-authorized takeover. Exit 0 + a loud audited status.
+    const breakGlass = opts.breakGlass || process.env.CONVENE_DEPLOY_BREAKGLASS === '1';
+    // Not authenticated → fail-OPEN-loud (we cannot verify the lane).
+    if (!cfg.apiKey || !session) {
+        loudOpen('convene: deploy lane UNVERIFIED — not logged in, proceeding UNGATED.');
+        return 0;
+    }
+    const instance = (0, cache_1.ensureSessionInstance)(slug);
+    const api = new api_1.ConveneApi(cfg.baseUrl, cfg.apiKey, session, cfg.tool, instance);
+    if (breakGlass) {
+        // Self-authorized: the verdict is ALLOW (exit 0) regardless of the bus. Emit
+        // the loud audited advisory FIRST, then do the force-take + status + claim as
+        // BEST-EFFORT in parallel under a single short cap — so a slow/unreachable bus
+        // can never push break-glass past the watchdog (it must still exit 0 promptly).
+        loudOpen(`convene: BREAK-GLASS — forced deploy lane ${lane}. This takeover is audited.`);
+        await Promise.race([
+            Promise.allSettled([
+                api.laneForceRelease(slug, lane, NET_TIMEOUT_MS),
+                api.post(slug, { type: 'status', body: `BREAK-GLASS deploy on ${lane} by @${member}` }, `bg:${lane}:${Date.now()}`, NET_TIMEOUT_MS),
+                api.laneClaim(slug, lane, { intent: 'deploy' }, NET_TIMEOUT_MS),
+            ]),
+            sleep(NET_TIMEOUT_MS), // never block the exit-0 verdict longer than one timeout
+        ]).catch(() => undefined);
+        return 0;
+    }
+    if (opts.dryRun) {
+        loudOpen(`convene: gate-push would gate lane ${lane} (dry-run, no network).`);
+        return 0;
+    }
+    // ── Local git (compat) runs in PARALLEL with the network claim ──────────────
+    const headSha = (0, git_1.revParse)('HEAD', cwd) ?? '';
+    // The compat check fetches the real remote tip, then tests fast-forward.
+    const compatP = (async () => {
+        try {
+            const fetched = (0, git_1.gitFetch)(ref, 'origin', cwd);
+            if (!fetched)
+                return { behind: false }; // can't verify → don't block on compat
+            const remote = (0, git_1.revParse)(`origin/${ref.replace(/^refs\/heads\//, '')}`, cwd) ?? (0, git_1.revParse)(`origin/${ref}`, cwd);
+            if (!remote || !headSha)
+                return { behind: false };
+            // behind ⇔ remote is NOT an ancestor of HEAD (a non-fast-forward push).
+            return { behind: !(0, git_1.isAncestor)(remote, headSha, cwd) };
+        }
+        catch {
+            return { behind: false };
+        }
+    })();
+    // ── Network claim with transport/timeout discrimination + retry ─────────────
+    let claimRes = null;
+    for (let attempt = 0; attempt <= RETRIES; attempt++) {
+        claimRes = await api.laneClaim(slug, lane, { intent: 'deploy' }, NET_TIMEOUT_MS);
+        if (claimRes.status === 200 || claimRes.status === 409)
+            break; // resolved
+        if (isTransportFailure(claimRes.status)) {
+            // Genuinely unreachable → fail-OPEN-loud immediately, no retry.
+            loudOpen(`convene: deploy lane UNVERIFIED — bus unreachable, proceeding UNGATED on ${lane}.`);
+            return 0;
+        }
+        if (!isRetryable(claimRes.status))
+            break;
+        if (attempt < RETRIES)
+            await sleep(150 * (attempt + 1)); // backoff inside the watchdog
+    }
+    // 409 LANE_HELD by a different instance → check for a directed halt (hard) vs
+    // soft foreign lane (ask). exit 2 only on a CONFIRMED positive.
+    if (claimRes && claimRes.status === 409) {
+        const d = claimRes.json?.details ?? claimRes.json ?? {};
+        const holder = safeHandle(d.holder_handle);
+        // Is there an open DIRECTED HALT for this session? That is a HARD block.
+        const halt = await directedHaltFor(api, slug, ref);
+        if (halt) {
+            blockReason(`convene: BLOCKED — an active halt is directed at this session. Surface to the human; do not push.`);
+            return 2;
+        }
+        // Soft foreign-lane conflict: ask, don't hard-deny.
+        const age = fmtAge(typeof d.heartbeat_age_sec === 'number' ? d.heartbeat_age_sec : undefined);
+        ask(`Deploy lane ${lane} is held by ${holder} (heartbeat ${age} ago). ` +
+            `To proceed anyway: \`convene deploy --break-glass\` (audited), or wait for release. Allow this push?`);
+        return 0;
+    }
+    // Timeout/5xx after retries (bus up but contended) → fail-OPEN-LOUD + audit post.
+    if (!claimRes || (claimRes.status !== 200 && claimRes.status !== 409)) {
+        await api
+            .post(slug, { type: 'status', body: `gate skipped on ${lane} — bus contended/unverified at push time` }, `gateskip:${lane}:${Date.now()}`, NET_TIMEOUT_MS)
+            .catch(() => undefined);
+        loudOpen(`convene: deploy lane UNVERIFIED — bus contended, proceeding UNGATED on ${lane} (skip posted).`);
+        return 0;
+    }
+    // 200 → we hold the lane (claimed fresh or self-reclaimed). Now the COMPAT gate.
+    const compat = await compatP;
+    if (compat.behind) {
+        // Behind HEAD after a fresh fetch → CONFIRMED positive → release + hard block.
+        await api.laneRelease(slug, lane, NET_TIMEOUT_MS).catch(() => undefined);
+        blockReason(`convene: BLOCKED — HEAD is behind origin/${ref.replace(/^refs\/heads\//, '')} after fetch. ` +
+            `Run \`git pull --rebase\` then push again.`);
+        return 2;
+    }
+    // Also honor a directed halt even when the lane was free (defense in depth).
+    const halt = await directedHaltFor(api, slug, ref);
+    if (halt) {
+        await api.laneRelease(slug, lane, NET_TIMEOUT_MS).catch(() => undefined);
+        blockReason(`convene: BLOCKED — an active halt is directed at this session. Surface to the human; do not push.`);
+        return 2;
+    }
+    // Clear: lane claimed, fast-forward. Allow (PostToolUse releases later).
+    return 0;
+}
+/**
+ * Fixed-template block reason on stderr (PreToolUse exit 2 surfaces stderr to the
+ * agent). NO free-text interpolation of intent/holder_session/body.
+ */
+function blockReason(reason) {
+    process.stderr.write(reason + '\n');
+}
+/**
+ * Is there an open halt/interrupt directed at THIS session? The server computes
+ * relevance from principal + session (the client never passes a session string
+ * that authorizes which halts apply). Any uncertainty (transport/parse) → no
+ * halt (fail-open). Returns true only on a confirmed, server-relevance-filtered
+ * directed halt.
+ */
+async function directedHaltFor(api, slug, ref) {
+    const res = await api.laneState(slug, `deploy:${ref}`, NET_TIMEOUT_MS).catch(() => null);
+    if (!res || !res.ok || !res.json)
+        return false; // can't verify → fail-open
+    const halts = Array.isArray(res.json.halts) ? res.json.halts : [];
+    return halts.length > 0;
+}
+async function gatePush(opts = {}) {
+    let code = 0;
+    const watchdog = setTimeout(() => (0, exit_1.exitClean)(0), WATCHDOG_MS);
+    watchdog.unref();
+    try {
+        code = await run(opts);
+    }
+    catch {
+        code = 0; // fail-open: never wedge a push on our own error
+    }
+    clearTimeout(watchdog);
+    (0, exit_1.exitClean)(code);
+}

package/dist/commands/guard.js

@@ -0,0 +1,315 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyPushRefs = classifyPushRefs;
+exports.classifyCommand = classifyCommand;
+exports.commandFromPayload = commandFromPayload;
+exports.guard = guard;
+/**
+ * `convene guard` (WP9) — the PreToolUse halt+lane gate for Bash commands. Wired
+ * as a PreToolUse `Bash` hook (the WIRING is the WP13 capstone — this is the verb).
+ *
+ * POSTURE = FAIL-OPEN-LOUD (P0-FAILSAFE), exactly like fetch.ts/gate-push.ts:
+ *   - A top-level watchdog force-exits 0 at WATCHDOG_MS=4000.
+ *   - Network calls use an EXPLICIT short timeout (2500ms), never the 10s default.
+ *   - Transport failure / timeout / parse error / DEGRADED / no-bus → exit 0
+ *     (loud systemMessage on a contended bus, silent for a clean non-match).
+ *   - NEVER calls die(); NEVER routes through ctx.getContext() (which die()s on a
+ *     missing config) — it owns its own watchdog.
+ *
+ * ANCHORED command classifier (NOT bare substring): match only command-LEADING
+ * verbs — `git push`, `sls|cdk|serverless deploy`, `kubectl apply`,
+ * `helm upgrade`, `fly deploy`, `vercel --prod`, `gh release`, `npm publish`, and
+ * real `--force`/`-f` FLAGS. It MUST NOT match `grep -r deploy`, `rm -f x`, or a
+ * filename like `release.ts` (those are not command-leading deploy verbs).
+ *   - Non-match → exit 0 with ZERO network.
+ *   - Match → check open directed halts; for DEPLOY commands also check lane-state
+ *     (cached ~3s keyed (slug,intent)).
+ *
+ * exit 2 (BLOCK) ONLY on:
+ *   (a) an open DIRECTED HALT for this session (hard, for ANY matched command), OR
+ *   (b) a CONFIRMED held lane for a DEPLOY command (different instance).
+ * A SOFT held-lane conflict (foreign live lane, no directed halt) → 'ask'.
+ */
+const git_1 = require("../git");
+const config_1 = require("../config");
+const cache_1 = require("../cache");
+const api_1 = require("../api");
+const exit_1 = require("../exit");
+const WATCHDOG_MS = 4000;
+const NET_TIMEOUT_MS = 2500; // explicit short timeout — NEVER the 10s default
+/**
+ * True iff a pushed REF is a deploy ref (the lane is per-target). Used by both
+ * `guard` (push classification) and `gate-push` to keep ONE classifier.
+ * Default deploy refs: refs/heads/main, refs/heads/master, any refs/tags/*.
+ */
+function classifyPushRefs(ref) {
+    const r = ref.trim();
+    if (r.startsWith('refs/tags/'))
+        return true;
+    const head = r.replace(/^refs\/heads\//, '');
+    return head === 'main' || head === 'master';
+}
+/** Split a token off any leading env-assignment / `command` / `exec` prefixes. */
+function leadingTokens(cmd) {
+    // Split on shell connectors so `foo && git push` classifies the `git push`.
+    const segments = cmd.split(/(?:&&|\|\||;|\||\n)/g);
+    const tokens = [];
+    for (const seg of segments) {
+        const words = seg.trim().split(/\s+/).filter(Boolean);
+        // Drop leading VAR=val assignments and a leading `sudo`/`command`/`exec`/`time`.
+        let i = 0;
+        while (i < words.length && (/^[A-Za-z_][A-Za-z0-9_]*=/.test(words[i]) || /^(sudo|command|exec|time|env)$/.test(words[i])))
+            i++;
+        if (i < words.length)
+            tokens.push(...words.slice(i));
+        tokens.push('\u0000'); // segment boundary marker
+    }
+    return tokens;
+}
+/**
+ * ANCHORED classifier. Matches command-LEADING verbs only. Never a bare
+ * substring of `deploy`/`release`/`-f` (so `grep -r deploy`, `rm -f x`,
+ * `cat release.ts` do NOT match).
+ */
+function classifyCommand(command) {
+    if (!command || !command.trim())
+        return { kind: 'none' };
+    // Walk each connector-split segment; classify on its FIRST word (the program).
+    const segments = command.split(/(?:&&|\|\||;|\||\n)/g);
+    for (const seg of segments) {
+        const words = seg.trim().split(/\s+/).filter(Boolean);
+        let i = 0;
+        while (i < words.length && (/^[A-Za-z_][A-Za-z0-9_]*=/.test(words[i]) || /^(sudo|command|exec|time|env)$/.test(words[i])))
+            i++;
+        const w = words.slice(i);
+        if (!w.length)
+            continue;
+        const prog = w[0];
+        const sub = w[1];
+        const rest = w.slice(1);
+        // git push <remote?> <refspec...> — extract candidate refs.
+        if (prog === 'git' && sub === 'push') {
+            const refs = [];
+            // refspecs are the non-flag args after `push` (skip the remote name heuristically).
+            const args = w.slice(2).filter((a) => !a.startsWith('-'));
+            // args[0] is usually the remote; the rest are refspecs. Normalize each.
+            for (let k = 0; k < args.length; k++) {
+                const a = args[k];
+                if (k === 0 && !a.includes(':') && !a.includes('/'))
+                    continue; // remote name
+                const local = a.includes(':') ? a.split(':')[0] : a;
+                if (!local)
+                    continue;
+                refs.push(local.startsWith('refs/') ? local : `refs/heads/${local}`);
+            }
+            return { kind: 'push', refs };
+        }
+        // Deploy/publish verbs (program + leading subcommand).
+        if ((prog === 'sls' || prog === 'serverless' || prog === 'cdk') && sub === 'deploy')
+            return { kind: 'deploy' };
+        if (prog === 'fly' && sub === 'deploy')
+            return { kind: 'deploy' };
+        if (prog === 'kubectl' && sub === 'apply')
+            return { kind: 'deploy' };
+        if (prog === 'helm' && sub === 'upgrade')
+            return { kind: 'deploy' };
+        if (prog === 'gh' && sub === 'release')
+            return { kind: 'deploy' };
+        if (prog === 'npm' && sub === 'publish')
+            return { kind: 'deploy' };
+        if (prog === 'vercel' && rest.includes('--prod'))
+            return { kind: 'deploy' };
+        // A real --force / -f FLAG on a mutating program (anchored as a flag token,
+        // never a bare substring). `rm -f` is excluded — it's a filesystem op, not a
+        // deploy/push. We only treat --force on push-like programs as deploy-adjacent.
+        const hasForceFlag = rest.some((a) => a === '--force' || /^-[a-eg-zA-Z]*f[a-eg-zA-Z]*$/.test(a) || a === '-f');
+        if (hasForceFlag && (prog === 'git' || prog === 'sls' || prog === 'serverless' || prog === 'cdk' || prog === 'helm')) {
+            return { kind: 'force' };
+        }
+    }
+    return { kind: 'none' };
+}
+/** Async, timeout-bounded stdin read (the PreToolUse payload is JSON). */
+function readStdin(timeoutMs) {
+    if (process.stdin.isTTY)
+        return Promise.resolve(null);
+    return new Promise((resolve) => {
+        let data = '';
+        let settled = false;
+        const finish = (v) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timer);
+            process.stdin.removeAllListeners();
+            resolve(v);
+        };
+        const timer = setTimeout(() => finish(null), timeoutMs);
+        process.stdin.setEncoding('utf8');
+        process.stdin.on('data', (c) => {
+            data += c;
+        });
+        process.stdin.on('end', () => finish(data));
+        process.stdin.on('error', () => finish(null));
+        process.stdin.resume();
+    });
+}
+/** Pull the Bash command string out of a PreToolUse hook payload. */
+function commandFromPayload(raw) {
+    if (!raw)
+        return '';
+    try {
+        const j = JSON.parse(raw);
+        const c = j?.tool_input?.command;
+        return typeof c === 'string' ? c : '';
+    }
+    catch {
+        return '';
+    }
+}
+function emitJson(obj) {
+    process.stdout.write(JSON.stringify(obj) + '\n');
+}
+function ask(reason) {
+    emitJson({
+        hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'ask', permissionDecisionReason: reason },
+    });
+}
+function loudOpen(systemMessage) {
+    emitJson({ systemMessage });
+}
+function blockReason(reason) {
+    process.stderr.write(reason + '\n');
+}
+function safeHandle(s) {
+    if (typeof s !== 'string')
+        return 'another session';
+    const cleaned = s.replace(/[^a-zA-Z0-9_.\-/]+/g, '').slice(0, 64);
+    return cleaned ? `@${cleaned}` : 'another session';
+}
+async function run(opts) {
+    const raw = opts.stdin ? await readStdin(1500) : null;
+    const command = commandFromPayload(raw);
+    const cls = classifyCommand(command);
+    // The DEFAULT path is the WP9 deploy gate: a NON-match exits 0 with ZERO
+    // network (the overwhelming common case). The HALT-ONLY path (the cheap `.*`
+    // matcher, wired in WP13) checks EVERY command for a directed halt, so a long
+    // non-deploy turn aborts at its next tool call. A non-match in halt-only mode
+    // is NOT a free pass — it still does the one cheap cached halt read.
+    if (!opts.haltOnly && cls.kind === 'none')
+        return 0;
+    const top = (0, git_1.gitToplevel)();
+    if (!top)
+        return 0; // not a git repo → no-op
+    const proj = (0, config_1.loadProjectConfig)(top);
+    const slug = opts.project || proj?.slug || null;
+    if (!slug)
+        return 0; // not on the bus → no-op (covers BOTH match + non-match)
+    const cfg = (0, config_1.resolveConfig)();
+    const member = cfg.member;
+    const session = member ? (0, git_1.sessionId)(member, top) : null;
+    if (!cfg.apiKey || !session) {
+        // We cannot verify. The halt-only `.*` matcher stays SILENT (no point shouting
+        // on every Bash); the deploy gate on a MATCHED command fails OPEN-loud.
+        if (!opts.haltOnly && cls.kind !== 'none') {
+            loudOpen('convene: halt/lane state UNVERIFIED — not logged in, proceeding UNGATED.');
+        }
+        return 0;
+    }
+    const instance = (0, cache_1.ensureSessionInstance)(slug);
+    const api = new api_1.ConveneApi(cfg.baseUrl, cfg.apiKey, session, cfg.tool, instance);
+    // ── HALT-ONLY mode: ONE cheap cached halt read for ANY command ──────────────
+    // exit 2 ONLY on a confirmed OPEN DIRECTED halt for this session (the only
+    // confirmed positive). Any uncertainty (state===null) → exit 0 (fail-open). The
+    // "no halt for me" answer is cached for a short TTL so a command burst pays one
+    // GET. NO deploy classification, NO lane read — strictly the halt backstop.
+    if (opts.haltOnly) {
+        const halt = await haltStateCached(api, slug);
+        if (halt && halt.halts.length > 0) {
+            blockReason('convene: BLOCKED — an active halt is directed at this session. Surface to the human; do not proceed.');
+            return 2;
+        }
+        return 0; // null (couldn't verify) OR no halt → fail-open
+    }
+    // ── DEFAULT (deploy) path — unchanged from WP9 ──────────────────────────────
+    // Derive the lane intent for a deploy/push command (null = non-deploy).
+    let ref = null;
+    if (cls.kind === 'push') {
+        const deployRef = cls.refs.find((r) => classifyPushRefs(r));
+        // No deploy ref in the push (e.g. a feature branch) → not a deploy; only the
+        // halt check applies. ref stays null so we don't gate a feature-branch lane.
+        ref = deployRef ?? null;
+    }
+    else if (cls.kind === 'deploy' || cls.kind === 'force') {
+        ref = 'refs/heads/main'; // generic deploy lane intent
+    }
+    const intent = ref ? `deploy:${ref}` : 'deploy';
+    // ONE lane-state GET serves both the halt check and the lane check (cached ~3s
+    // keyed (slug,intent) by laneStateCached). Any failure → fail-open (no block).
+    const state = await laneStateCached(api, slug, intent);
+    if (!state) {
+        loudOpen('convene: halt/lane state UNVERIFIED — bus unreachable, proceeding UNGATED.');
+        return 0;
+    }
+    // (a) An open DIRECTED HALT for this session is a HARD block for ANY matched command.
+    const halts = Array.isArray(state.halts) ? state.halts : [];
+    if (halts.length > 0) {
+        blockReason('convene: BLOCKED — an active halt is directed at this session. Surface to the human; do not proceed.');
+        return 2;
+    }
+    // (b) A held lane only matters for a DEPLOY command (push to a deploy ref, or a
+    // deploy/force verb). A foreign held lane → soft conflict → 'ask' (NOT a hard
+    // deny — the gate-push CAS is the real serializer at push time).
+    const isDeploy = ref != null || cls.kind === 'deploy' || cls.kind === 'force';
+    if (isDeploy) {
+        const lanes = Array.isArray(state.lanes) ? state.lanes : [];
+        const foreign = lanes.find((l) => l && l.holder_instance_self === false);
+        if (foreign) {
+            ask(`A deploy lane is held by ${safeHandle(foreign.holder_handle)}. ` +
+                `The push gate will serialize this — proceed and let it claim, or coordinate first. Allow?`);
+            return 0;
+        }
+    }
+    return 0;
+}
+const STATE_TTL_MS = 3000;
+const stateCache = new Map();
+async function laneStateCached(api, slug, intent) {
+    const key = `${slug}\u0000${intent}`;
+    const hit = stateCache.get(key);
+    if (hit && Date.now() - hit.at < STATE_TTL_MS)
+        return { lanes: hit.lanes, halts: hit.halts };
+    const res = await api.laneState(slug, intent, NET_TIMEOUT_MS).catch(() => null);
+    if (!res || !res.ok || !res.json)
+        return null; // fail-open
+    const lanes = Array.isArray(res.json.lanes) ? res.json.lanes : [];
+    const halts = Array.isArray(res.json.halts) ? res.json.halts : [];
+    stateCache.set(key, { at: Date.now(), lanes, halts });
+    return { lanes, halts };
+}
+const haltCache = new Map();
+async function haltStateCached(api, slug) {
+    const hit = haltCache.get(slug);
+    if (hit && Date.now() - hit.at < STATE_TTL_MS)
+        return { halts: hit.halts };
+    // No intent: a halt is routed by member/session, not by lane — the cheapest read.
+    const res = await api.laneState(slug, null, NET_TIMEOUT_MS).catch(() => null);
+    if (!res || !res.ok || !res.json)
+        return null; // fail-open (and don't cache the miss)
+    const halts = Array.isArray(res.json.halts) ? res.json.halts : [];
+    haltCache.set(slug, { at: Date.now(), halts });
+    return { halts };
+}
+async function guard(opts = {}) {
+    let code = 0;
+    const watchdog = setTimeout(() => (0, exit_1.exitClean)(0), WATCHDOG_MS);
+    watchdog.unref();
+    try {
+        code = await run(opts);
+    }
+    catch {
+        code = 0; // fail-open: never block on our own error
+    }
+    clearTimeout(watchdog);
+    (0, exit_1.exitClean)(code);
+}