fixo-cli 1.0.0

package/dist/runtime/loop-trap.d.ts

@@ -0,0 +1,197 @@
+/**
+ * Loop-Trap Defenses — sha256-based repetition detection + semantic
+ * target-frequency detection.
+ *
+ * The module owns two independent detectors that run side-by-side:
+ *
+ *   1. {@link LoopTrapDetector} — the original Pillar 1 detector.
+ *      Operates on a three-layer composite fingerprint (tool-args,
+ *      tool-result, workspace). A model that re-issues the *same*
+ *      tool call with *the same* arguments on the *same* workspace
+ *      triggers it.
+ *
+ *   2. {@link SemanticLoopDetector} — Pillar 2 of the post-mortem
+ *      refit. Operates on the *resolved target path* of every file-
+ *      touching tool call. Two tool calls with completely different
+ *      arguments but the same target still trip this detector. The
+ *      algorithm is the one specified in the architectural refit:
+ *
+ *          F(p) = Σ 𝟙(P(Tᵢ) = p)   over sliding window W of last N turns
+ *
+ *      Defaults: windowSize = 5, triggerCount = 3 (warn), hardAbortCount
+ *      = 6 (throw). All three are tunable.
+ *
+ * Both detectors throw a typed error class (LoopTrapAbortedError /
+ * SemanticLoopAbortedError) when they hard-abort. Both expose a
+ * static {@link toSafetyAlertDirective} helper that produces the
+ * non-negotiable system-prompt directive the caller should inject.
+ *
+ * The module is pure and dependency-free apart from node:crypto,
+ * node:fs, and node:path. The semantic detector is fully
+ * synchronous.
+ */
+/** A single turn's three-layer fingerprint. */
+export interface LoopSnapshot {
+    /** 0-based index of the turn that produced this snapshot. */
+    readonly turnIndex: number;
+    /** sha256 of canonicalised tool-call arguments. */
+    readonly toolCallFingerprint: string;
+    /** sha256 of the tail of the tool result. */
+    readonly toolResultFingerprint: string;
+    /** sha256 of the (path, content-hash) walk over the workspace. */
+    readonly workspaceFingerprint: string;
+    /** ISO timestamp the snapshot was recorded. */
+    readonly ts: string;
+}
+/** Which layers contributed to a `trap-detected` verdict. */
+export type LoopTrapLayer = 'tool-args' | 'tool-result' | 'workspace';
+/** The detector's verdict for a turn. */
+export type LoopTrapVerdict = {
+    readonly state: 'ok';
+} | {
+    readonly state: 'trap-detected';
+    /** Composite fingerprint of the repeated turns. */
+    readonly fingerprint: string;
+    /** Layers that contributed to the detection. */
+    readonly layers: ReadonlyArray<LoopTrapLayer>;
+    /** Index of the turn that triggered the verdict. */
+    readonly turnIndex: number;
+    /** Number of consecutive equivalent turns. */
+    readonly consecutiveCount: number;
+} | {
+    readonly state: 'hard-abort';
+    /** Composite fingerprint of the repeated turns. */
+    readonly fingerprint: string;
+    /** Number of consecutive equivalent turns. */
+    readonly consecutiveCount: number;
+};
+/** Tunable thresholds. Mirrored under `preferences.safety.loopTrap`. */
+export interface LoopTrapPreferences {
+    /** Number of consecutive equivalent turns that triggers a directive. */
+    readonly triggerCount: number;
+    /** Number of consecutive equivalent turns that triggers a hard abort. */
+    readonly hardAbortCount: number;
+    /** Maximum number of tool-result bytes to include in the fingerprint. */
+    readonly toolResultTailBytes: number;
+    /** Hard cap on in-memory history to bound memory growth. */
+    readonly maxHistory: number;
+}
+/** Default preferences — safe and well-tested. */
+export declare const DEFAULT_LOOP_TRAP_PREFS: LoopTrapPreferences;
+/** Thrown when the loop trap fires its hard-abort threshold. */
+export declare class LoopTrapAbortedError extends Error {
+    readonly compositeFingerprint: string;
+    readonly consecutiveCount: number;
+    constructor(compositeFingerprint: string, consecutiveCount: number);
+}
+/** Tool names whose `path` argument should be tracked by the semantic
+ *  detector. Anything not in this set contributes 0 to F(p). */
+export declare const SEMANTIC_LOOP_TARGET_TOOLS: ReadonlySet<string>;
+/** Tunable thresholds for the semantic detector. */
+export interface SemanticLoopPreferences {
+    /** Master kill-switch. */
+    readonly enabled: boolean;
+    /** Width of the sliding window W. */
+    readonly windowSize: number;
+    /** F(p) >= triggerCount → warn directive. */
+    readonly triggerCount: number;
+    /** F(p) >= hardAbortCount → throw. */
+    readonly hardAbortCount: number;
+}
+/** Default preferences — matches the architectural spec. */
+export declare const DEFAULT_SEMANTIC_LOOP_PREFS: SemanticLoopPreferences;
+/** A single resolved file access within the sliding window. */
+export interface FileAccessRecord {
+    readonly turnIndex: number;
+    readonly tool: string;
+    /** Resolved absolute path. */
+    readonly target: string;
+}
+/** The semantic detector's verdict for a turn. */
+export type SemanticLoopVerdict = {
+    readonly state: 'ok';
+    target: string;
+    count: number;
+} | {
+    readonly state: 'warn';
+    target: string;
+    count: number;
+    windowSize: number;
+} | {
+    readonly state: 'hard-abort';
+    target: string;
+    count: number;
+    windowSize: number;
+};
+/** Thrown when the semantic detector hard-aborts. */
+export declare class SemanticLoopAbortedError extends Error {
+    readonly target: string;
+    readonly count: number;
+    readonly windowSize: number;
+    constructor(target: string, count: number, windowSize: number);
+}
+/**
+ * Canonicalise a tool-call argument object for stable hashing. Sorts
+ * keys, drops `undefined` values, and JSON-stringifies. Order of
+ * keys in the input does not affect the fingerprint.
+ */
+export declare function canonicaliseArgs(args: Record<string, unknown>): string;
+export declare class LoopTrapDetector {
+    private readonly history;
+    private readonly prefs;
+    constructor(prefs?: LoopTrapPreferences);
+    fingerprintToolCall(args: Record<string, unknown>): string;
+    fingerprintToolResult(result: string): string;
+    fingerprintWorkspace(cwd: string, extraExclude?: ReadonlyArray<string>): Promise<string>;
+    getHistory(): ReadonlyArray<LoopSnapshot>;
+    reset(): void;
+    record(snapshot: LoopSnapshot): LoopTrapVerdict;
+    private compositeFingerprint;
+}
+/**
+ * Tracks the frequency of every file target across a sliding window
+ * of the last N turns. Two tool calls with completely different
+ * arguments but the same resolved target still collide here, which
+ * is exactly what the composite (Pillar 1) detector misses.
+ *
+ * The detector is independent of the agent loop and safe to call
+ * from synchronous code.
+ */
+export declare class SemanticLoopDetector {
+    private readonly window;
+    private readonly freq;
+    private readonly prefs;
+    constructor(prefs?: SemanticLoopPreferences);
+    /** Read-only view of the current sliding window. */
+    getWindow(): ReadonlyArray<FileAccessRecord>;
+    /** Frequency map (target → count in window). */
+    getFrequencies(): ReadonlyMap<string, number>;
+    /** Active preferences. Useful for callers that want to read the
+     *  `enabled` flag without re-passing the config object. */
+    get preference(): SemanticLoopPreferences;
+    /** Wipe state — call after a successful compaction. */
+    reset(): void;
+    /**
+     * Record a tool call against a target. Returns the verdict:
+     *
+     *   - 'ok'         — frequency is below triggerCount.
+     *   - 'warn'       — frequency >= triggerCount. The caller should
+     *                    inject the [Safety-Alert] directive.
+     *   - 'hard-abort' — frequency >= hardAbortCount. The caller
+     *                    should throw {@link SemanticLoopAbortedError}.
+     *
+     * Non-file tools (anything not in
+     * {@link SEMANTIC_LOOP_TARGET_TOOLS}) and tools without a `path`
+     * argument do not contribute to F(p).
+     */
+    record(turnIndex: number, tool: string, args: Record<string, unknown>, cwd: string): SemanticLoopVerdict;
+}
+/**
+ * Build the non-negotiable [Safety-Alert] directive the caller
+ * should inject into the next system prompt when the semantic
+ * detector warns. The wording matches the architectural spec.
+ */
+export declare function toSafetyAlertDirective(verdict: SemanticLoopVerdict): string | null;
+/** Build the [Loop-Trap] directive used by the composite detector. */
+export declare function toLoopTrapDirective(verdict: LoopTrapVerdict): string | null;
+//# sourceMappingURL=loop-trap.d.ts.map

package/dist/runtime/loop-trap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loop-trap.d.ts","sourceRoot":"","sources":["../../src/runtime/loop-trap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAUH,+CAA+C;AAC/C,MAAM,WAAW,YAAY;IAC3B,6DAA6D;IAC7D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,mDAAmD;IACnD,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;IACrC,6CAA6C;IAC7C,QAAQ,CAAC,qBAAqB,EAAE,MAAM,CAAC;IACvC,kEAAkE;IAClE,QAAQ,CAAC,oBAAoB,EAAE,MAAM,CAAC;IACtC,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB;AAED,6DAA6D;AAC7D,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,aAAa,GAAG,WAAW,CAAC;AAEtE,yCAAyC;AACzC,MAAM,MAAM,eAAe,GACvB;IAAE,QAAQ,CAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GACxB;IACE,QAAQ,CAAC,KAAK,EAAE,eAAe,CAAC;IAChC,mDAAmD;IACnD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,gDAAgD;IAChD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAC9C,oDAAoD;IACpD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,8CAA8C;IAC9C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC,GACD;IACE,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAC7B,mDAAmD;IACnD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,8CAA8C;IAC9C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;CACnC,CAAC;AAEN,wEAAwE;AACxE,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,yEAAyE;IACzE,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,yEAAyE;IACzE,QAAQ,CAAC,mBAAmB,EAAE,MAAM,CAAC;IACrC,4DAA4D;IAC5D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,kDAAkD;AAClD,eAAO,MAAM,uBAAuB,EAAE,mBAKrC,CAAC;AAEF,gEAAgE;AAChE,qBAAa,oBAAqB,SAAQ,KAAK;IAC7C,SAAgB,oBAAoB,EAAE,MAAM,CAAC;IAC7C,SAAgB,gBAAgB,EAAE,MAAM,CAAC;gBAE7B,oBAAoB,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM;CASnE;AAMD;gEACgE;AAChE,eAAO,MAAM,0BAA0B,EAAE,WAAW,CAAC,MAAM,CAQzD,CAAC;AAEH,oDAAoD;AACpD,MAAM,WAAW,uBAAuB;IACtC,0BAA0B;IAC1B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,6CAA6C;IAC7C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,sCAAsC;IACtC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;CACjC;AAED,4DAA4D;AAC5D,eAAO,MAAM,2BAA2B,EAAE,uBAKzC,CAAC;AAEF,+DAA+D;AAC/D,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,kDAAkD;AAClD,MAAM,MAAM,mBAAmB,GAC3B;IAAE,QAAQ,CAAC,KAAK,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACvD;IACE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEN,qDAAqD;AACrD,qBAAa,wBAAyB,SAAQ,KAAK;IACjD,SAAgB,MAAM,EAAE,MAAM,CAAC;IAC/B,SAAgB,KAAK,EAAE,MAAM,CAAC;IAC9B,SAAgB,UAAU,EAAE,MAAM,CAAC;gBAEvB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAW9D;AAsBD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAStE;AAMD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsB;IAC9C,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;gBAEhC,KAAK,GAAE,mBAA6C;IAgBzD,mBAAmB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAI1D,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAQvC,oBAAoB,CAC/B,GAAG,EAAE,MAAM,EACX,YAAY,GAAE,aAAa,CAAC,MAAM,CAAM,GACvC,OAAO,CAAC,MAAM,CAAC;IAqDX,UAAU,IAAI,aAAa,CAAC,YAAY,CAAC;IAIzC,KAAK,IAAI,IAAI;IAIb,MAAM,CAAC,QAAQ,EAAE,YAAY,GAAG,eAAe;IAkDtD,OAAO,CAAC,oBAAoB;CAO7B;AAMD;;;;;;;;GAQG;AACH,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA0B;IACjD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAA6B;IAClD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA0B;gBAEpC,KAAK,GAAE,uBAAqD;IAaxE,oDAAoD;IAC7C,SAAS,IAAI,aAAa,CAAC,gBAAgB,CAAC;IAInD,gDAAgD;IACzC,cAAc,IAAI,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC;IAIpD;+DAC2D;IAC3D,IAAW,UAAU,IAAI,uBAAuB,CAE/C;IAED,uDAAuD;IAChD,KAAK,IAAI,IAAI;IAKpB;;;;;;;;;;;;OAYG;IACI,MAAM,CACX,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,GAAG,EAAE,MAAM,GACV,mBAAmB;CAwCvB;AAoCD;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,mBAAmB,GAAG,MAAM,GAAG,IAAI,CASlF;AAED,sEAAsE;AACtE,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAM3E"}

package/dist/runtime/loop-trap.js

@@ -0,0 +1,420 @@
+/**
+ * Loop-Trap Defenses — sha256-based repetition detection + semantic
+ * target-frequency detection.
+ *
+ * The module owns two independent detectors that run side-by-side:
+ *
+ *   1. {@link LoopTrapDetector} — the original Pillar 1 detector.
+ *      Operates on a three-layer composite fingerprint (tool-args,
+ *      tool-result, workspace). A model that re-issues the *same*
+ *      tool call with *the same* arguments on the *same* workspace
+ *      triggers it.
+ *
+ *   2. {@link SemanticLoopDetector} — Pillar 2 of the post-mortem
+ *      refit. Operates on the *resolved target path* of every file-
+ *      touching tool call. Two tool calls with completely different
+ *      arguments but the same target still trip this detector. The
+ *      algorithm is the one specified in the architectural refit:
+ *
+ *          F(p) = Σ 𝟙(P(Tᵢ) = p)   over sliding window W of last N turns
+ *
+ *      Defaults: windowSize = 5, triggerCount = 3 (warn), hardAbortCount
+ *      = 6 (throw). All three are tunable.
+ *
+ * Both detectors throw a typed error class (LoopTrapAbortedError /
+ * SemanticLoopAbortedError) when they hard-abort. Both expose a
+ * static {@link toSafetyAlertDirective} helper that produces the
+ * non-negotiable system-prompt directive the caller should inject.
+ *
+ * The module is pure and dependency-free apart from node:crypto,
+ * node:fs, and node:path. The semantic detector is fully
+ * synchronous.
+ */
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import path from 'node:path';
+/** Default preferences — safe and well-tested. */
+export const DEFAULT_LOOP_TRAP_PREFS = {
+    triggerCount: 3,
+    hardAbortCount: 6,
+    toolResultTailBytes: 1024,
+    maxHistory: 64,
+};
+/** Thrown when the loop trap fires its hard-abort threshold. */
+export class LoopTrapAbortedError extends Error {
+    compositeFingerprint;
+    consecutiveCount;
+    constructor(compositeFingerprint, consecutiveCount) {
+        super(`Loop-trap hard-abort after ${consecutiveCount} consecutive equivalent turns ` +
+            `(composite sha256: ${compositeFingerprint.slice(0, 16)}…).`);
+        this.name = 'LoopTrapAbortedError';
+        this.compositeFingerprint = compositeFingerprint;
+        this.consecutiveCount = consecutiveCount;
+    }
+}
+// ---------------------------------------------------------------------------
+// Public types — semantic (Pillar 2) detector
+// ---------------------------------------------------------------------------
+/** Tool names whose `path` argument should be tracked by the semantic
+ *  detector. Anything not in this set contributes 0 to F(p). */
+export const SEMANTIC_LOOP_TARGET_TOOLS = new Set([
+    'read_file',
+    'write_file',
+    'apply_patch',
+    'replace_range',
+    'insert_after',
+    'rename_file',
+    'delete_file',
+]);
+/** Default preferences — matches the architectural spec. */
+export const DEFAULT_SEMANTIC_LOOP_PREFS = {
+    enabled: true,
+    windowSize: 5,
+    triggerCount: 3,
+    hardAbortCount: 6,
+};
+/** Thrown when the semantic detector hard-aborts. */
+export class SemanticLoopAbortedError extends Error {
+    target;
+    count;
+    windowSize;
+    constructor(target, count, windowSize) {
+        super(`Semantic loop-trap hard-abort: target '${target}' was accessed ` +
+            `${count} times within the last ${windowSize} turns. ` +
+            `The agent is forbidden from accessing this file again.`);
+        this.name = 'SemanticLoopAbortedError';
+        this.target = target;
+        this.count = count;
+        this.windowSize = windowSize;
+    }
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const sha256 = (input) => crypto.createHash('sha256').update(input, 'utf-8').digest('hex');
+const DEFAULT_WORKSPACE_EXCLUDES = [
+    '.fixo',
+    '.git',
+    'node_modules',
+    'dist',
+    '.next',
+    'out',
+    'build',
+    'coverage',
+    '.cache',
+    '.turbo',
+];
+/**
+ * Canonicalise a tool-call argument object for stable hashing. Sorts
+ * keys, drops `undefined` values, and JSON-stringifies. Order of
+ * keys in the input does not affect the fingerprint.
+ */
+export function canonicaliseArgs(args) {
+    const sortedKeys = Object.keys(args).sort();
+    const filtered = {};
+    for (const key of sortedKeys) {
+        const value = args[key];
+        if (value === undefined)
+            continue;
+        filtered[key] = value;
+    }
+    return JSON.stringify(filtered);
+}
+// ---------------------------------------------------------------------------
+// LoopTrapDetector (Pillar 1 — composite fingerprint)
+// ---------------------------------------------------------------------------
+export class LoopTrapDetector {
+    history = [];
+    prefs;
+    constructor(prefs = DEFAULT_LOOP_TRAP_PREFS) {
+        if (prefs.triggerCount < 1) {
+            throw new Error('LoopTrapPreferences.triggerCount must be >= 1');
+        }
+        if (prefs.hardAbortCount < prefs.triggerCount) {
+            throw new Error('LoopTrapPreferences.hardAbortCount must be >= triggerCount');
+        }
+        if (prefs.toolResultTailBytes < 64) {
+            throw new Error('LoopTrapPreferences.toolResultTailBytes must be >= 64');
+        }
+        if (prefs.maxHistory < prefs.hardAbortCount) {
+            throw new Error('LoopTrapPreferences.maxHistory must be >= hardAbortCount');
+        }
+        this.prefs = prefs;
+    }
+    fingerprintToolCall(args) {
+        return sha256(canonicaliseArgs(args));
+    }
+    fingerprintToolResult(result) {
+        const tail = result.length > this.prefs.toolResultTailBytes
+            ? result.slice(result.length - this.prefs.toolResultTailBytes)
+            : result;
+        return sha256(tail);
+    }
+    async fingerprintWorkspace(cwd, extraExclude = []) {
+        const exclude = new Set([...DEFAULT_WORKSPACE_EXCLUDES, ...extraExclude]);
+        const root = path.resolve(cwd);
+        const entries = [];
+        const MAX_FILES = 100_000;
+        const walk = (dir) => {
+            if (entries.length >= MAX_FILES)
+                return false;
+            let names;
+            try {
+                names = fs.readdirSync(dir);
+            }
+            catch {
+                return true;
+            }
+            for (const name of names) {
+                if (exclude.has(name))
+                    continue;
+                if (entries.length >= MAX_FILES)
+                    return false;
+                const full = path.join(dir, name);
+                let stat;
+                try {
+                    stat = fs.lstatSync(full);
+                }
+                catch {
+                    continue;
+                }
+                if (stat.isSymbolicLink())
+                    continue;
+                if (stat.isDirectory()) {
+                    if (!walk(full))
+                        return false;
+                }
+                else if (stat.isFile()) {
+                    const rel = path.relative(root, full);
+                    let content;
+                    try {
+                        content = fs.readFileSync(full);
+                    }
+                    catch {
+                        continue;
+                    }
+                    entries.push([rel, sha256(content.toString('binary'))]);
+                }
+            }
+            return true;
+        };
+        try {
+            walk(root);
+        }
+        catch {
+            // Unreadable root — return an empty fingerprint so we still
+            // hash the other two layers deterministically.
+        }
+        entries.sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0));
+        const materialised = entries.map(([p, h]) => `${p}\t${h}`).join('\n');
+        return sha256(materialised);
+    }
+    getHistory() {
+        return this.history.slice();
+    }
+    reset() {
+        this.history.length = 0;
+    }
+    record(snapshot) {
+        this.history.push(snapshot);
+        if (this.history.length > this.prefs.maxHistory) {
+            this.history.splice(0, this.history.length - this.prefs.maxHistory);
+        }
+        const composite = this.compositeFingerprint(snapshot);
+        let consecutive = 1;
+        const layers = [];
+        if (this.history.length >= 2) {
+            const prev = this.history[this.history.length - 2];
+            if (prev.toolCallFingerprint === snapshot.toolCallFingerprint) {
+                layers.push('tool-args');
+            }
+            if (prev.toolResultFingerprint === snapshot.toolResultFingerprint) {
+                layers.push('tool-result');
+            }
+            if (prev.workspaceFingerprint === snapshot.workspaceFingerprint) {
+                layers.push('workspace');
+            }
+            for (let i = this.history.length - 2; i >= 0; i--) {
+                const h = this.history[i];
+                if (h.toolCallFingerprint === snapshot.toolCallFingerprint &&
+                    h.toolResultFingerprint === snapshot.toolResultFingerprint &&
+                    h.workspaceFingerprint === snapshot.workspaceFingerprint) {
+                    consecutive += 1;
+                }
+                else {
+                    break;
+                }
+            }
+        }
+        if (consecutive >= this.prefs.hardAbortCount) {
+            return { state: 'hard-abort', fingerprint: composite, consecutiveCount: consecutive };
+        }
+        if (consecutive >= this.prefs.triggerCount) {
+            return {
+                state: 'trap-detected',
+                fingerprint: composite,
+                layers,
+                turnIndex: snapshot.turnIndex,
+                consecutiveCount: consecutive,
+            };
+        }
+        return { state: 'ok' };
+    }
+    compositeFingerprint(snapshot) {
+        return sha256(snapshot.toolCallFingerprint +
+            snapshot.toolResultFingerprint +
+            snapshot.workspaceFingerprint);
+    }
+}
+// ---------------------------------------------------------------------------
+// SemanticLoopDetector (Pillar 2 — sliding-window target frequency)
+// ---------------------------------------------------------------------------
+/**
+ * Tracks the frequency of every file target across a sliding window
+ * of the last N turns. Two tool calls with completely different
+ * arguments but the same resolved target still collide here, which
+ * is exactly what the composite (Pillar 1) detector misses.
+ *
+ * The detector is independent of the agent loop and safe to call
+ * from synchronous code.
+ */
+export class SemanticLoopDetector {
+    window = [];
+    freq = new Map();
+    prefs;
+    constructor(prefs = DEFAULT_SEMANTIC_LOOP_PREFS) {
+        if (prefs.windowSize < 1) {
+            throw new Error('SemanticLoopPreferences.windowSize must be >= 1');
+        }
+        if (prefs.triggerCount < 1) {
+            throw new Error('SemanticLoopPreferences.triggerCount must be >= 1');
+        }
+        if (prefs.hardAbortCount < prefs.triggerCount) {
+            throw new Error('SemanticLoopPreferences.hardAbortCount must be >= triggerCount');
+        }
+        this.prefs = prefs;
+    }
+    /** Read-only view of the current sliding window. */
+    getWindow() {
+        return this.window.slice();
+    }
+    /** Frequency map (target → count in window). */
+    getFrequencies() {
+        return new Map(this.freq);
+    }
+    /** Active preferences. Useful for callers that want to read the
+     *  `enabled` flag without re-passing the config object. */
+    get preference() {
+        return this.prefs;
+    }
+    /** Wipe state — call after a successful compaction. */
+    reset() {
+        this.window.length = 0;
+        this.freq.clear();
+    }
+    /**
+     * Record a tool call against a target. Returns the verdict:
+     *
+     *   - 'ok'         — frequency is below triggerCount.
+     *   - 'warn'       — frequency >= triggerCount. The caller should
+     *                    inject the [Safety-Alert] directive.
+     *   - 'hard-abort' — frequency >= hardAbortCount. The caller
+     *                    should throw {@link SemanticLoopAbortedError}.
+     *
+     * Non-file tools (anything not in
+     * {@link SEMANTIC_LOOP_TARGET_TOOLS}) and tools without a `path`
+     * argument do not contribute to F(p).
+     */
+    record(turnIndex, tool, args, cwd) {
+        if (!this.prefs.enabled) {
+            return { state: 'ok', target: '', count: 0 };
+        }
+        if (!SEMANTIC_LOOP_TARGET_TOOLS.has(tool)) {
+            return { state: 'ok', target: '', count: 0 };
+        }
+        const rawTarget = pickTargetArg(tool, args);
+        if (!rawTarget) {
+            return { state: 'ok', target: '', count: 0 };
+        }
+        const resolved = safeResolve(cwd, rawTarget);
+        if (!resolved) {
+            return { state: 'ok', target: '', count: 0 };
+        }
+        // Slide the window: evict the oldest record if full.
+        if (this.window.length >= this.prefs.windowSize) {
+            const dropped = this.window.shift();
+            if (dropped) {
+                const cur = this.freq.get(dropped.target) ?? 1;
+                if (cur <= 1)
+                    this.freq.delete(dropped.target);
+                else
+                    this.freq.set(dropped.target, cur - 1);
+            }
+        }
+        const rec = { turnIndex, tool, target: resolved };
+        this.window.push(rec);
+        const f = (this.freq.get(resolved) ?? 0) + 1;
+        this.freq.set(resolved, f);
+        if (f >= this.prefs.hardAbortCount) {
+            return { state: 'hard-abort', target: resolved, count: f, windowSize: this.window.length };
+        }
+        if (f >= this.prefs.triggerCount) {
+            return { state: 'warn', target: resolved, count: f, windowSize: this.window.length };
+        }
+        return { state: 'ok', target: resolved, count: f };
+    }
+}
+// ---------------------------------------------------------------------------
+// Shared helpers
+// ---------------------------------------------------------------------------
+/** Pick the right argument to fingerprint for each tool. */
+function pickTargetArg(tool, args) {
+    switch (tool) {
+        case 'read_file':
+        case 'write_file':
+        case 'replace_range':
+        case 'insert_after':
+        case 'delete_file':
+            return typeof args.path === 'string' ? args.path : null;
+        case 'rename_file':
+            return typeof args.to === 'string' ? args.to : typeof args.from === 'string' ? args.from : null;
+        case 'apply_patch': {
+            // apply_patch takes a unified diff — we can't resolve individual
+            // targets synchronously, so return null and let the caller
+            // fall back to the composite detector.
+            return null;
+        }
+        default:
+            return null;
+    }
+}
+function safeResolve(cwd, target) {
+    try {
+        return path.resolve(cwd, target);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Build the non-negotiable [Safety-Alert] directive the caller
+ * should inject into the next system prompt when the semantic
+ * detector warns. The wording matches the architectural spec.
+ */
+export function toSafetyAlertDirective(verdict) {
+    if (verdict.state !== 'warn' && verdict.state !== 'hard-abort')
+        return null;
+    return (`[Safety-Alert] You have queried or modified the target path '${verdict.target}' ` +
+        `more than 3 times in your recent sequence. Your current approach is looping. ` +
+        `You are forbidden from calling read_file or replace_file on this path in your next turn. ` +
+        `You must either analyze alternative file dependencies, consult different workspace ` +
+        `symbols, or request direct user guidance.`);
+}
+/** Build the [Loop-Trap] directive used by the composite detector. */
+export function toLoopTrapDirective(verdict) {
+    if (verdict.state !== 'trap-detected')
+        return null;
+    return (`[Loop-Trap] Detected ${verdict.consecutiveCount} consecutive equivalent turns. ` +
+        `Reconsider your strategy before issuing the next tool call.`);
+}
+//# sourceMappingURL=loop-trap.js.map

package/dist/runtime/loop-trap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loop-trap.js","sourceRoot":"","sources":["../../src/runtime/loop-trap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAyD7B,kDAAkD;AAClD,MAAM,CAAC,MAAM,uBAAuB,GAAwB;IAC1D,YAAY,EAAE,CAAC;IACf,cAAc,EAAE,CAAC;IACjB,mBAAmB,EAAE,IAAI;IACzB,UAAU,EAAE,EAAE;CACf,CAAC;AAEF,gEAAgE;AAChE,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IAC7B,oBAAoB,CAAS;IAC7B,gBAAgB,CAAS;IAEzC,YAAY,oBAA4B,EAAE,gBAAwB;QAChE,KAAK,CACH,8BAA8B,gBAAgB,gCAAgC;YAC5E,sBAAsB,oBAAoB,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAC/D,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;QACnC,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAC;QACjD,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;IAC3C,CAAC;CACF;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;gEACgE;AAChE,MAAM,CAAC,MAAM,0BAA0B,GAAwB,IAAI,GAAG,CAAC;IACrE,WAAW;IACX,YAAY;IACZ,aAAa;IACb,eAAe;IACf,cAAc;IACd,aAAa;IACb,aAAa;CACd,CAAC,CAAC;AAcH,4DAA4D;AAC5D,MAAM,CAAC,MAAM,2BAA2B,GAA4B;IAClE,OAAO,EAAE,IAAI;IACb,UAAU,EAAE,CAAC;IACb,YAAY,EAAE,CAAC;IACf,cAAc,EAAE,CAAC;CAClB,CAAC;AA0BF,qDAAqD;AACrD,MAAM,OAAO,wBAAyB,SAAQ,KAAK;IACjC,MAAM,CAAS;IACf,KAAK,CAAS;IACd,UAAU,CAAS;IAEnC,YAAY,MAAc,EAAE,KAAa,EAAE,UAAkB;QAC3D,KAAK,CACH,0CAA0C,MAAM,iBAAiB;YAC/D,GAAG,KAAK,0BAA0B,UAAU,UAAU;YACtD,wDAAwD,CAC3D,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,MAAM,GAAG,CAAC,KAAa,EAAU,EAAE,CACvC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAEnE,MAAM,0BAA0B,GAA0B;IACxD,OAAO;IACP,MAAM;IACN,cAAc;IACd,MAAM;IACN,OAAO;IACP,KAAK;IACL,OAAO;IACP,UAAU;IACV,QAAQ;IACR,QAAQ;CACT,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAA6B;IAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAC7C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAClC,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACxB,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,8EAA8E;AAC9E,sDAAsD;AACtD,8EAA8E;AAE9E,MAAM,OAAO,gBAAgB;IACV,OAAO,GAAmB,EAAE,CAAC;IAC7B,KAAK,CAAsB;IAE5C,YAAY,QAA6B,uBAAuB;QAC9D,IAAI,KAAK,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,KAAK,CAAC,mBAAmB,GAAG,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAEM,mBAAmB,CAAC,IAA6B;QACtD,OAAO,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IAEM,qBAAqB,CAAC,MAAc;QACzC,MAAM,IAAI,GACR,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB;YAC5C,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;YAC9D,CAAC,CAAC,MAAM,CAAC;QACb,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IAEM,KAAK,CAAC,oBAAoB,CAC/B,GAAW,EACX,eAAsC,EAAE;QAExC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,CAAC,GAAG,0BAA0B,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC;QAClF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/B,MAAM,OAAO,GAA4B,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,OAAO,CAAC;QAE1B,MAAM,IAAI,GAAG,CAAC,GAAW,EAAW,EAAE;YACpC,IAAI,OAAO,CAAC,MAAM,IAAI,SAAS;gBAAE,OAAO,KAAK,CAAC;YAC9C,IAAI,KAAe,CAAC;YACpB,IAAI,CAAC;gBACH,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;YAC9B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;YACD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAChC,IAAI,OAAO,CAAC,MAAM,IAAI,SAAS;oBAAE,OAAO,KAAK,CAAC;gBAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAClC,IAAI,IAAc,CAAC;gBACnB,IAAI,CAAC;oBACH,IAAI,GAAG,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBAC5B,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;gBACD,IAAI,IAAI,CAAC,cAAc,EAAE;oBAAE,SAAS;gBACpC,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;oBACvB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;wBAAE,OAAO,KAAK,CAAC;gBAChC,CAAC;qBAAM,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;oBACzB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;oBACtC,IAAI,OAAe,CAAC;oBACpB,IAAI,CAAC;wBACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;oBAClC,CAAC;oBAAC,MAAM,CAAC;wBACP,SAAS;oBACX,CAAC;oBACD,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,CAAC;QAAC,MAAM,CAAC;YACP,4DAA4D;YAC5D,+CAA+C;QACjD,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,OAAO,MAAM,CAAC,YAAY,CAAC,CAAC;IAC9B,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAEM,KAAK;QACV,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1B,CAAC;IAEM,MAAM,CAAC,QAAsB;QAClC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5B,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YAChD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAEtD,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,MAAM,MAAM,GAAoB,EAAE,CAAC;QACnC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAE,CAAC;YACpD,IAAI,IAAI,CAAC,mBAAmB,KAAK,QAAQ,CAAC,mBAAmB,EAAE,CAAC;gBAC9D,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC3B,CAAC;YACD,IAAI,IAAI,CAAC,qBAAqB,KAAK,QAAQ,CAAC,qBAAqB,EAAE,CAAC;gBAClE,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,IAAI,CAAC,oBAAoB,KAAK,QAAQ,CAAC,oBAAoB,EAAE,CAAC;gBAChE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC3B,CAAC;YACD,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAClD,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAE,CAAC;gBAC3B,IACE,CAAC,CAAC,mBAAmB,KAAK,QAAQ,CAAC,mBAAmB;oBACtD,CAAC,CAAC,qBAAqB,KAAK,QAAQ,CAAC,qBAAqB;oBAC1D,CAAC,CAAC,oBAAoB,KAAK,QAAQ,CAAC,oBAAoB,EACxD,CAAC;oBACD,WAAW,IAAI,CAAC,CAAC;gBACnB,CAAC;qBAAM,CAAC;oBACN,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,WAAW,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,SAAS,EAAE,gBAAgB,EAAE,WAAW,EAAE,CAAC;QACxF,CAAC;QACD,IAAI,WAAW,IAAI,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YAC3C,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,WAAW,EAAE,SAAS;gBACtB,MAAM;gBACN,SAAS,EAAE,QAAQ,CAAC,SAAS;gBAC7B,gBAAgB,EAAE,WAAW;aAC9B,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAEO,oBAAoB,CAAC,QAAsB;QACjD,OAAO,MAAM,CACX,QAAQ,CAAC,mBAAmB;YAC1B,QAAQ,CAAC,qBAAqB;YAC9B,QAAQ,CAAC,oBAAoB,CAChC,CAAC;IACJ,CAAC;CACF;AAED,8EAA8E;AAC9E,oEAAoE;AACpE,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,OAAO,oBAAoB;IACd,MAAM,GAAuB,EAAE,CAAC;IAChC,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACjC,KAAK,CAA0B;IAEhD,YAAY,QAAiC,2BAA2B;QACtE,IAAI,KAAK,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,KAAK,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,GAAG,KAAK,CAAC,YAAY,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,oDAAoD;IAC7C,SAAS;QACd,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAED,gDAAgD;IACzC,cAAc;QACnB,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED;+DAC2D;IAC3D,IAAW,UAAU;QACnB,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED,uDAAuD;IAChD,KAAK;QACV,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;IAED;;;;;;;;;;;;OAYG;IACI,MAAM,CACX,SAAiB,EACjB,IAAY,EACZ,IAA6B,EAC7B,GAAW;QAEX,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QACD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QAED,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAC/C,CAAC;QAED,qDAAqD;QACrD,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACpC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC/C,IAAI,GAAG,IAAI,CAAC;oBAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;;oBAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAqB,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QACpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAE3B,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YACnC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC7F,CAAC;QACD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YACjC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACvF,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IACrD,CAAC;CACF;AAED,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,4DAA4D;AAC5D,SAAS,aAAa,CAAC,IAAY,EAAE,IAA6B;IAChE,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,eAAe,CAAC;QACrB,KAAK,cAAc,CAAC;QACpB,KAAK,aAAa;YAChB,OAAO,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1D,KAAK,aAAa;YAChB,OAAO,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAClG,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,iEAAiE;YACjE,2DAA2D;YAC3D,uCAAuC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC;QACD;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,MAAc;IAC9C,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAA4B;IACjE,IAAI,OAAO,CAAC,KAAK,KAAK,MAAM,IAAI,OAAO,CAAC,KAAK,KAAK,YAAY;QAAE,OAAO,IAAI,CAAC;IAC5E,OAAO,CACL,gEAAgE,OAAO,CAAC,MAAM,IAAI;QAClF,+EAA+E;QAC/E,2FAA2F;QAC3F,qFAAqF;QACrF,2CAA2C,CAC5C,CAAC;AACJ,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,mBAAmB,CAAC,OAAwB;IAC1D,IAAI,OAAO,CAAC,KAAK,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC;IACnD,OAAO,CACL,wBAAwB,OAAO,CAAC,gBAAgB,iCAAiC;QACjF,6DAA6D,CAC9D,CAAC;AACJ,CAAC"}

package/dist/runtime/policy.d.ts

@@ -0,0 +1,15 @@
+export type PolicyProfile = 'read-only' | 'workspace-write' | 'shell-confirm' | 'trusted-project' | 'dangerous-deny';
+export type RiskLevel = 'low' | 'medium' | 'high' | 'blocked';
+export interface PolicyDecision {
+    allowed: boolean;
+    needsConfirmation: boolean;
+    risk: RiskLevel;
+    reason: string;
+}
+export interface AllowRuleStore {
+    commands: string[];
+}
+export declare const DANGEROUS_COMMANDS: RegExp[];
+export declare function classifyCommand(command: string): RiskLevel;
+export declare function decidePolicy(profile: PolicyProfile, action: 'read' | 'write' | 'delete' | 'command', detail?: string, allowRules?: AllowRuleStore): PolicyDecision;
+//# sourceMappingURL=policy.d.ts.map

package/dist/runtime/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/runtime/policy.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,iBAAiB,GACjB,eAAe,GACf,iBAAiB,GACjB,gBAAgB,CAAC;AAErB,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,CAAC;AAE9D,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AASD,eAAO,MAAM,kBAAkB,UAa9B,CAAC;AAEF,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,CAQ1D;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,EAAE,MAAM,SAAK,EAAE,UAAU,GAAE,cAAiC,GAAG,cAAc,CAwBhL"}