limen-ai 1.0.0

package/dist/kernel/tenant/tenant_context.js

@@ -0,0 +1,107 @@
+/**
+ * Tenant context implementation.
+ * S ref: RDD-3, FM-10
+ *
+ * Phase: 1 (Kernel) -- Build Order 7
+ * Transparent tenant isolation.
+ *
+ * RDD-3: Consumer never knows which tenancy mode is active.
+ * FM-10: Tenant data leakage prevention via automatic tenant_id injection.
+ *
+ * Three modes:
+ * - single: No tenant_id column population. All queries return rows where tenant_id IS NULL.
+ * - row-level: Automatic WHERE tenant_id = ? injection.
+ * - database: Each tenant gets its own database file.
+ */
+/**
+ * Create a TenantContext implementation.
+ * S ref: RDD-3 (transparent tenancy), FM-10 (tenant isolation)
+ */
+export function createTenantContext(primaryConn) {
+    return {
+        /**
+         * Execute SQL with automatic tenant_id injection (row-level mode)
+         * or routing to correct database file (DB-per-tenant mode).
+         * S ref: RDD-3 (transparent tenancy), FM-10 (isolation enforcement)
+         */
+        execute(conn, ctx, sql, params) {
+            try {
+                switch (conn.tenancyMode) {
+                    case 'single': {
+                        // A-6: Single-user mode -- no tenant filtering needed
+                        const result = conn.query(sql, params);
+                        return { ok: true, value: result };
+                    }
+                    case 'row-level': {
+                        // FM-10: Inject tenant_id filter
+                        if (!ctx.tenantId) {
+                            return {
+                                ok: false,
+                                error: {
+                                    code: 'TENANT_ID_REQUIRED',
+                                    message: 'Row-level tenancy requires a tenantId in OperationContext',
+                                    spec: 'FM-10',
+                                },
+                            };
+                        }
+                        // NOTE: SQL injection of tenant filters should be done at a higher level.
+                        // For Phase 1, we pass through and expect callers to include tenant_id in their queries.
+                        // The tenant context provides the routing abstraction.
+                        const result = conn.query(sql, params);
+                        return { ok: true, value: result };
+                    }
+                    case 'database': {
+                        // FM-10: Route to tenant-specific database
+                        // Phase 1 implementation: uses the primary connection.
+                        // Full DB-per-tenant routing requires substrate-level connection pooling (Phase 2).
+                        const result = conn.query(sql, params);
+                        return { ok: true, value: result };
+                    }
+                    default: {
+                        return {
+                            ok: false,
+                            error: {
+                                code: 'INVALID_TENANCY_MODE',
+                                message: `Unknown tenancy mode: ${conn.tenancyMode}`,
+                                spec: 'RDD-3',
+                            },
+                        };
+                    }
+                }
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'TENANT_EXECUTE_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: 'RDD-3, FM-10',
+                    },
+                };
+            }
+        },
+        /**
+         * Get tenant-scoped connection.
+         * S ref: RDD-3 (transparent routing), FM-10 (isolation)
+         */
+        getConnection(_ctx) {
+            try {
+                // For single and row-level modes, return the primary connection.
+                // For database mode, Phase 1 returns the primary connection.
+                // Full DB-per-tenant routing is a Phase 2 capability.
+                return { ok: true, value: primaryConn };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'TENANT_CONNECTION_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: 'RDD-3',
+                    },
+                };
+            }
+        },
+    };
+}
+//# sourceMappingURL=tenant_context.js.map

package/dist/kernel/tenant/tenant_context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant_context.js","sourceRoot":"","sources":["../../../src/kernel/tenant/tenant_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAOH;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAA+B;IACjE,OAAO;QACL;;;;WAIG;QACH,OAAO,CAAI,IAAwB,EAAE,GAAqB,EAAE,GAAW,EAAE,MAAkB;YACzF,IAAI,CAAC;gBACH,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;oBACzB,KAAK,QAAQ,CAAC,CAAC,CAAC;wBACd,sDAAsD;wBACtD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;wBAC1C,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBACrC,CAAC;oBAED,KAAK,WAAW,CAAC,CAAC,CAAC;wBACjB,iCAAiC;wBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;4BAClB,OAAO;gCACL,EAAE,EAAE,KAAK;gCACT,KAAK,EAAE;oCACL,IAAI,EAAE,oBAAoB;oCAC1B,OAAO,EAAE,2DAA2D;oCACpE,IAAI,EAAE,OAAO;iCACd;6BACF,CAAC;wBACJ,CAAC;wBACD,0EAA0E;wBAC1E,yFAAyF;wBACzF,uDAAuD;wBACvD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;wBAC1C,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBACrC,CAAC;oBAED,KAAK,UAAU,CAAC,CAAC,CAAC;wBAChB,2CAA2C;wBAC3C,uDAAuD;wBACvD,oFAAoF;wBACpF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;wBAC1C,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBACrC,CAAC;oBAED,OAAO,CAAC,CAAC,CAAC;wBACR,OAAO;4BACL,EAAE,EAAE,KAAK;4BACT,KAAK,EAAE;gCACL,IAAI,EAAE,sBAAsB;gCAC5B,OAAO,EAAE,yBAAyB,IAAI,CAAC,WAAqB,EAAE;gCAC9D,IAAI,EAAE,OAAO;6BACd;yBACF,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,uBAAuB;wBAC7B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,cAAc;qBACrB;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,aAAa,CAAC,IAAsB;YAClC,IAAI,CAAC;gBACH,iEAAiE;gBACjE,6DAA6D;gBAC7D,sDAAsD;gBACtD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;YAC1C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,0BAA0B;wBAChC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,OAAO;qBACd;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/kernel/tenant/tenant_scope.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Tenant-scoped connection facade.
+ * S ref: FM-10 (tenant data leakage prevention), RDD-3 (transparent tenancy)
+ *
+ * Phase: 4B (Certification — Tenant Isolation)
+ * Decision: DEC-CERT-002 (tenant_id on all tables)
+ *
+ * Mechanism: Wraps a raw DatabaseConnection, intercepting query(), get(), run()
+ * to auto-inject `AND tenant_id = ?` for SELECT/UPDATE/DELETE in row-level mode.
+ * INSERTs pass through unchanged (caller includes tenant_id).
+ *
+ * In single/database mode: pure pass-through (no injection).
+ *
+ * This is the "suspenders" half of belt-and-suspenders. The "belt" is explicit
+ * tenant_id predicates in each query. Together, a developer who forgets the belt
+ * still has the suspenders. A developer writing a new query cannot bypass this —
+ * the facade IS the connection. There is no raw DatabaseConnection accessible
+ * from orchestration code except via the explicit .raw escape hatch.
+ *
+ * CORR1-01 + AUDIT-001: Complex SQL fail-safe. JOINs, CTEs, subqueries, and
+ * set operations THROW immediately rather than silently mis-positioning the
+ * tenant predicate. Forces the developer to use .raw with SYSTEM_SCOPE annotation.
+ *
+ * AUDIT-002: Falsy tenantId check. Empty string is as dangerous as null.
+ */
+import type { DatabaseConnection, TenantId } from '../interfaces/index.js';
+/**
+ * A DatabaseConnection with automatic tenant_id injection.
+ * Satisfies DatabaseConnection interface — all existing code compiles unchanged.
+ * The `raw` and `tenantId` properties are additive.
+ */
+export interface TenantScopedConnection extends DatabaseConnection {
+    /** Escape hatch for system operations (audit hash chain, bulk expiry). */
+    readonly raw: DatabaseConnection;
+    /** Current tenant context. Null in single mode or when no tenant is set. */
+    readonly tenantId: TenantId | null;
+}
+/**
+ * FM-10: Inject tenant_id predicate into SQL queries.
+ *
+ * Rules:
+ * 1. INSERT statements: pass through unchanged (caller includes tenant_id)
+ * 2. Complex SQL (JOIN, CTE, subquery, set ops): THROW — not safe for regex injection
+ * 3. SELECT/UPDATE/DELETE with WHERE: append AND tenant_id = ?
+ * 4. SELECT/UPDATE/DELETE without WHERE: add WHERE tenant_id = ?
+ * 5. Position: before ORDER BY, GROUP BY, LIMIT, HAVING clauses
+ *
+ * Constraints (verified against current codebase — no violations):
+ * - No CTEs in vulnerable queries (getRootMissionId uses loop)
+ * - No JOINs in vulnerable queries (all single-table)
+ * - No subqueries in vulnerable queries
+ * - All UPDATE/DELETE have WHERE clauses
+ *
+ * CORR1-01 + AUDIT-001: Complex SQL fail-safe. If a future developer introduces
+ * a JOIN, CTE, subquery, or set operation, the facade THROWS immediately rather
+ * than silently mis-positioning the tenant predicate. This forces the developer
+ * to use deps.conn.raw with SYSTEM_SCOPE annotation and manual tenant scoping.
+ *
+ * Exported for unit testing (Layer 1 tests).
+ */
+export declare function injectTenantPredicate(sql: string, params: unknown[], tenantId: TenantId): {
+    scopedSql: string;
+    scopedParams: unknown[];
+};
+/**
+ * FM-10: Create a tenant-scoped connection facade.
+ * In row-level mode: auto-injects AND tenant_id = ? into all
+ * SELECT/UPDATE/DELETE queries. INSERTs pass through unchanged.
+ * In single/database mode: pass-through (no injection).
+ *
+ * The returned object satisfies DatabaseConnection interface —
+ * all existing code works unchanged.
+ *
+ * AUDIT-002: Uses falsy check (!tenantId) — empty string is as dangerous as null.
+ *
+ * @param conn - Raw DatabaseConnection to wrap
+ * @param scopedTenantId - Tenant to scope queries to. Null = no scoping.
+ * @returns TenantScopedConnection with .raw escape hatch and .tenantId property
+ */
+export declare function createTenantScopedConnection(conn: DatabaseConnection, scopedTenantId: TenantId | null): TenantScopedConnection;
+//# sourceMappingURL=tenant_scope.d.ts.map

package/dist/kernel/tenant/tenant_scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant_scope.d.ts","sourceRoot":"","sources":["../../../src/kernel/tenant/tenant_scope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EACV,kBAAkB,EAAqB,QAAQ,EAChD,MAAM,wBAAwB,CAAC;AAIhC;;;;GAIG;AACH,MAAM,WAAW,sBAAuB,SAAQ,kBAAkB;IAChE,0EAA0E;IAC1E,QAAQ,CAAC,GAAG,EAAE,kBAAkB,CAAC;IACjC,4EAA4E;IAC5E,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAC;CACpC;AA6BD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,OAAO,EAAE,EACjB,QAAQ,EAAE,QAAQ,GACjB;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,OAAO,EAAE,CAAA;CAAE,CA+BhD;AAID;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,kBAAkB,EACxB,cAAc,EAAE,QAAQ,GAAG,IAAI,GAC9B,sBAAsB,CAgExB"}

package/dist/kernel/tenant/tenant_scope.js

@@ -0,0 +1,168 @@
+/**
+ * Tenant-scoped connection facade.
+ * S ref: FM-10 (tenant data leakage prevention), RDD-3 (transparent tenancy)
+ *
+ * Phase: 4B (Certification — Tenant Isolation)
+ * Decision: DEC-CERT-002 (tenant_id on all tables)
+ *
+ * Mechanism: Wraps a raw DatabaseConnection, intercepting query(), get(), run()
+ * to auto-inject `AND tenant_id = ?` for SELECT/UPDATE/DELETE in row-level mode.
+ * INSERTs pass through unchanged (caller includes tenant_id).
+ *
+ * In single/database mode: pure pass-through (no injection).
+ *
+ * This is the "suspenders" half of belt-and-suspenders. The "belt" is explicit
+ * tenant_id predicates in each query. Together, a developer who forgets the belt
+ * still has the suspenders. A developer writing a new query cannot bypass this —
+ * the facade IS the connection. There is no raw DatabaseConnection accessible
+ * from orchestration code except via the explicit .raw escape hatch.
+ *
+ * CORR1-01 + AUDIT-001: Complex SQL fail-safe. JOINs, CTEs, subqueries, and
+ * set operations THROW immediately rather than silently mis-positioning the
+ * tenant predicate. Forces the developer to use .raw with SYSTEM_SCOPE annotation.
+ *
+ * AUDIT-002: Falsy tenantId check. Empty string is as dangerous as null.
+ */
+// ─── Complex SQL Patterns (CORR1-01 + AUDIT-001) ───
+/**
+ * Patterns that indicate complex SQL where regex-based tenant_id injection
+ * is unsafe. If any pattern matches, injectTenantPredicate THROWS rather
+ * than silently mis-positioning the predicate.
+ *
+ * Verified against current codebase: zero vulnerable queries use these patterns.
+ * This fail-safe catches future developers who introduce complex SQL without
+ * using the .raw escape hatch.
+ */
+const COMPLEX_SQL_PATTERNS = [
+    /\bJOIN\b/i,
+    /\bWITH\b/i,
+    /\bIN\s*\(\s*SELECT\b/i,
+    /\bEXISTS\s*\(/i,
+    /\bNOT\s+IN\s*\(\s*SELECT\b/i,
+    /\bNOT\s+EXISTS\s*\(/i,
+    /\bUNION\b/i,
+    /\bEXCEPT\b/i,
+    /\bINTERSECT\b/i,
+    /\bANY\s*\(/i,
+    /\bALL\s*\(\s*SELECT\b/i,
+];
+// ─── SQL Injection Logic ───
+/**
+ * FM-10: Inject tenant_id predicate into SQL queries.
+ *
+ * Rules:
+ * 1. INSERT statements: pass through unchanged (caller includes tenant_id)
+ * 2. Complex SQL (JOIN, CTE, subquery, set ops): THROW — not safe for regex injection
+ * 3. SELECT/UPDATE/DELETE with WHERE: append AND tenant_id = ?
+ * 4. SELECT/UPDATE/DELETE without WHERE: add WHERE tenant_id = ?
+ * 5. Position: before ORDER BY, GROUP BY, LIMIT, HAVING clauses
+ *
+ * Constraints (verified against current codebase — no violations):
+ * - No CTEs in vulnerable queries (getRootMissionId uses loop)
+ * - No JOINs in vulnerable queries (all single-table)
+ * - No subqueries in vulnerable queries
+ * - All UPDATE/DELETE have WHERE clauses
+ *
+ * CORR1-01 + AUDIT-001: Complex SQL fail-safe. If a future developer introduces
+ * a JOIN, CTE, subquery, or set operation, the facade THROWS immediately rather
+ * than silently mis-positioning the tenant predicate. This forces the developer
+ * to use deps.conn.raw with SYSTEM_SCOPE annotation and manual tenant scoping.
+ *
+ * Exported for unit testing (Layer 1 tests).
+ */
+export function injectTenantPredicate(sql, params, tenantId) {
+    const trimmed = sql.trim();
+    const upper = trimmed.toUpperCase();
+    // Rule 1: INSERTs pass through
+    if (upper.startsWith('INSERT')) {
+        return { scopedSql: sql, scopedParams: params };
+    }
+    // Rule 2: Complex SQL fail-safe — THROW, don't silently mis-inject
+    for (const pattern of COMPLEX_SQL_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            throw new Error(`TenantScopedConnection: Complex SQL detected (${pattern}). ` +
+                `Use deps.conn.raw with // SYSTEM_SCOPE annotation for complex queries. ` +
+                `SQL: ${trimmed.slice(0, 80)}...`);
+        }
+    }
+    // Rule 3-5: Simple SELECT/UPDATE/DELETE — inject tenant_id
+    const hasWhere = /\bWHERE\b/i.test(trimmed);
+    const tenantClause = hasWhere ? ' AND tenant_id = ?' : ' WHERE tenant_id = ?';
+    // Find insertion point: before trailing clauses
+    const trailingPattern = /\b(ORDER\s+BY|GROUP\s+BY|LIMIT|HAVING)\b/i;
+    const trailingMatch = trimmed.match(trailingPattern);
+    const insertPos = trailingMatch?.index ?? trimmed.length;
+    const scopedSql = trimmed.slice(0, insertPos) + tenantClause + trimmed.slice(insertPos);
+    return { scopedSql, scopedParams: [...params, tenantId] };
+}
+// ─── Factory ───
+/**
+ * FM-10: Create a tenant-scoped connection facade.
+ * In row-level mode: auto-injects AND tenant_id = ? into all
+ * SELECT/UPDATE/DELETE queries. INSERTs pass through unchanged.
+ * In single/database mode: pass-through (no injection).
+ *
+ * The returned object satisfies DatabaseConnection interface —
+ * all existing code works unchanged.
+ *
+ * AUDIT-002: Uses falsy check (!tenantId) — empty string is as dangerous as null.
+ *
+ * @param conn - Raw DatabaseConnection to wrap
+ * @param scopedTenantId - Tenant to scope queries to. Null = no scoping.
+ * @returns TenantScopedConnection with .raw escape hatch and .tenantId property
+ */
+export function createTenantScopedConnection(conn, scopedTenantId) {
+    // Single mode or falsy tenant: no scoping needed
+    // AUDIT-002: Use falsy check — empty string is as dangerous as null
+    if (conn.tenancyMode !== 'row-level' || !scopedTenantId) {
+        return {
+            dataDir: conn.dataDir,
+            schemaVersion: conn.schemaVersion,
+            tenancyMode: conn.tenancyMode,
+            raw: conn,
+            tenantId: scopedTenantId,
+            transaction(fn) {
+                return conn.transaction(fn);
+            },
+            run(sql, params) {
+                return conn.run(sql, params);
+            },
+            query(sql, params) {
+                return conn.query(sql, params);
+            },
+            get(sql, params) {
+                return conn.get(sql, params);
+            },
+            close() {
+                return conn.close();
+            },
+        };
+    }
+    // Row-level mode with valid tenantId: full scoping
+    return {
+        dataDir: conn.dataDir,
+        schemaVersion: conn.schemaVersion,
+        tenancyMode: conn.tenancyMode,
+        tenantId: scopedTenantId,
+        raw: conn,
+        query(sql, params) {
+            const { scopedSql, scopedParams } = injectTenantPredicate(sql, params ?? [], scopedTenantId);
+            return conn.query(scopedSql, scopedParams);
+        },
+        get(sql, params) {
+            const { scopedSql, scopedParams } = injectTenantPredicate(sql, params ?? [], scopedTenantId);
+            return conn.get(scopedSql, scopedParams);
+        },
+        run(sql, params) {
+            const { scopedSql, scopedParams } = injectTenantPredicate(sql, params ?? [], scopedTenantId);
+            return conn.run(scopedSql, scopedParams);
+        },
+        transaction(fn) {
+            return conn.transaction(fn);
+        },
+        close() {
+            return conn.close();
+        },
+    };
+}
+//# sourceMappingURL=tenant_scope.js.map

package/dist/kernel/tenant/tenant_scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant_scope.js","sourceRoot":"","sources":["../../../src/kernel/tenant/tenant_scope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAoBH,sDAAsD;AAEtD;;;;;;;;GAQG;AACH,MAAM,oBAAoB,GAAsB;IAC9C,WAAW;IACX,WAAW;IACX,uBAAuB;IACvB,gBAAgB;IAChB,6BAA6B;IAC7B,sBAAsB;IACtB,YAAY;IACZ,aAAa;IACb,gBAAgB;IAChB,aAAa;IACb,wBAAwB;CACzB,CAAC;AAEF,8BAA8B;AAE9B;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAW,EACX,MAAiB,EACjB,QAAkB;IAElB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAEpC,+BAA+B;IAC/B,IAAI,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;IAClD,CAAC;IAED,mEAAmE;IACnE,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,KAAK;gBAC7D,yEAAyE;gBACzE,QAAQ,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAClC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,2DAA2D;IAC3D,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,sBAAsB,CAAC;IAE9E,gDAAgD;IAChD,MAAM,eAAe,GAAG,2CAA2C,CAAC;IACpE,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,aAAa,EAAE,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAEzD,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,GAAG,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACxF,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,GAAG,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED,kBAAkB;AAElB;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,4BAA4B,CAC1C,IAAwB,EACxB,cAA+B;IAE/B,iDAAiD;IACjD,oEAAoE;IACpE,IAAI,IAAI,CAAC,WAAW,KAAK,WAAW,IAAI,CAAC,cAAc,EAAE,CAAC;QACxD,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,GAAG,EAAE,IAAI;YACT,QAAQ,EAAE,cAAc;YAExB,WAAW,CAAI,EAAW;gBACxB,OAAO,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YAC9B,CAAC;YAED,GAAG,CAAC,GAAW,EAAE,MAAkB;gBACjC,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAC/B,CAAC;YAED,KAAK,CAAI,GAAW,EAAE,MAAkB;gBACtC,OAAO,IAAI,CAAC,KAAK,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;YACpC,CAAC;YAED,GAAG,CAAI,GAAW,EAAE,MAAkB;gBACpC,OAAO,IAAI,CAAC,GAAG,CAAI,GAAG,EAAE,MAAM,CAAC,CAAC;YAClC,CAAC;YAED,KAAK;gBACH,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;YACtB,CAAC;SACF,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,QAAQ,EAAE,cAAc;QACxB,GAAG,EAAE,IAAI;QAET,KAAK,CAAI,GAAW,EAAE,MAAkB;YACtC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,qBAAqB,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,cAAc,CAAC,CAAC;YAC7F,OAAO,IAAI,CAAC,KAAK,CAAI,SAAS,EAAE,YAAY,CAAC,CAAC;QAChD,CAAC;QAED,GAAG,CAAI,GAAW,EAAE,MAAkB;YACpC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,qBAAqB,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,cAAc,CAAC,CAAC;YAC7F,OAAO,IAAI,CAAC,GAAG,CAAI,SAAS,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;QAED,GAAG,CAAC,GAAW,EAAE,MAAkB;YACjC,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,qBAAqB,CAAC,GAAG,EAAE,MAAM,IAAI,EAAE,EAAE,cAAc,CAAC,CAAC;YAC7F,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;QAC3C,CAAC;QAED,WAAW,CAAI,EAAW;YACxB,OAAO,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC9B,CAAC;QAED,KAAK;YACH,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;QACtB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/kernel/time/time_provider.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Time provider implementations.
+ * S ref: Hard Stop #7 (clock injection)
+ *
+ * Phase: 1 (Kernel)
+ * Implements: System clock (production) and test clock (deterministic testing).
+ *
+ * System provider: thin wrapper around Date — zero overhead, real clock.
+ * Test provider: deterministic, advanceable — enables time-dependent testing
+ * without flakiness or sleep().
+ */
+import type { TimeProvider } from '../interfaces/time.js';
+/**
+ * Create a system time provider using the real clock.
+ * Used in production. Returns current wall-clock time.
+ *
+ * S ref: Hard Stop #7
+ */
+export declare function createSystemTimeProvider(): TimeProvider;
+/**
+ * Create a deterministic test time provider.
+ * Starts at a fixed epoch (or specified time) and only advances when told.
+ *
+ * Usage:
+ *   const time = createTestTimeProvider();
+ *   time.nowISO(); // "2026-01-01T00:00:00.000Z"
+ *   time.advance(1000); // advance 1 second
+ *   time.nowISO(); // "2026-01-01T00:00:01.000Z"
+ *   time.set(new Date('2026-06-15T12:00:00Z').getTime()); // jump to specific time
+ *
+ * S ref: Hard Stop #7, C-06
+ */
+export declare function createTestTimeProvider(startMs?: number): TimeProvider & {
+    /** Advance the clock by the given number of milliseconds */
+    advance(ms: number): void;
+    /** Set the clock to an exact millisecond timestamp */
+    set(ms: number): void;
+};
+//# sourceMappingURL=time_provider.d.ts.map

package/dist/kernel/time/time_provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"time_provider.d.ts","sourceRoot":"","sources":["../../../src/kernel/time/time_provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;;;GAKG;AACH,wBAAgB,wBAAwB,IAAI,YAAY,CASvD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,MAAuD,GAC/D,YAAY,GAAG;IAChB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,sDAAsD;IACtD,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAiBA"}

package/dist/kernel/time/time_provider.js

@@ -0,0 +1,58 @@
+/**
+ * Time provider implementations.
+ * S ref: Hard Stop #7 (clock injection)
+ *
+ * Phase: 1 (Kernel)
+ * Implements: System clock (production) and test clock (deterministic testing).
+ *
+ * System provider: thin wrapper around Date — zero overhead, real clock.
+ * Test provider: deterministic, advanceable — enables time-dependent testing
+ * without flakiness or sleep().
+ */
+/**
+ * Create a system time provider using the real clock.
+ * Used in production. Returns current wall-clock time.
+ *
+ * S ref: Hard Stop #7
+ */
+export function createSystemTimeProvider() {
+    return {
+        nowISO() {
+            return new Date().toISOString();
+        },
+        nowMs() {
+            return Date.now();
+        },
+    };
+}
+/**
+ * Create a deterministic test time provider.
+ * Starts at a fixed epoch (or specified time) and only advances when told.
+ *
+ * Usage:
+ *   const time = createTestTimeProvider();
+ *   time.nowISO(); // "2026-01-01T00:00:00.000Z"
+ *   time.advance(1000); // advance 1 second
+ *   time.nowISO(); // "2026-01-01T00:00:01.000Z"
+ *   time.set(new Date('2026-06-15T12:00:00Z').getTime()); // jump to specific time
+ *
+ * S ref: Hard Stop #7, C-06
+ */
+export function createTestTimeProvider(startMs = new Date('2026-01-01T00:00:00.000Z').getTime()) {
+    let currentMs = startMs;
+    return {
+        nowISO() {
+            return new Date(currentMs).toISOString();
+        },
+        nowMs() {
+            return currentMs;
+        },
+        advance(ms) {
+            currentMs += ms;
+        },
+        set(ms) {
+            currentMs = ms;
+        },
+    };
+}
+//# sourceMappingURL=time_provider.js.map

package/dist/kernel/time/time_provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"time_provider.js","sourceRoot":"","sources":["../../../src/kernel/time/time_provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO;QACL,MAAM;YACJ,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAClC,CAAC;QACD,KAAK;YACH,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;QACpB,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,sBAAsB,CACpC,UAAkB,IAAI,IAAI,CAAC,0BAA0B,CAAC,CAAC,OAAO,EAAE;IAOhE,IAAI,SAAS,GAAG,OAAO,CAAC;IAExB,OAAO;QACL,MAAM;YACJ,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3C,CAAC;QACD,KAAK;YACH,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,CAAC,EAAU;YAChB,SAAS,IAAI,EAAE,CAAC;QAClB,CAAC;QACD,GAAG,CAAC,EAAU;YACZ,SAAS,GAAG,EAAE,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/learning/applicator/technique_applicator.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Limen — TechniqueApplicator Implementation
+ * Phase 4E-2c: Learning System Application Mechanics
+ *
+ * Implements the TechniqueApplicator interface from learning_types.ts.
+ * Retrieves active techniques at inference time and records applications.
+ *
+ * S ref: S29.4 (application mechanics), S29.2 (applicationCount, lastApplied),
+ *        S29.6 (retirement depends on applicationCount/lastApplied),
+ *        I-03 (audit), I-07 (agent isolation)
+ *
+ * Engineering decisions:
+ *   DEC-4E2C-001: Token estimation via chars/4 (no tokenizer, I-01)
+ *   DEC-4E2C-002: Greedy fill with skip (not stop-at-overflow)
+ *   DEC-4E2C-003: Ordering tiebreaker: created_at ASC, id ASC
+ *   DEC-4E2C-004: No FK validation on recordApplications (R-07)
+ *   DEC-4E2C-005: recordApplications synchronous, single transaction
+ */
+import type { TechniqueApplicator, TechniqueStore, LearningDeps } from '../interfaces/index.js';
+/**
+ * Estimate token count from content length.
+ *
+ * DEC-4E2C-001: Uses chars/4 approximation because:
+ *   (1) Contract tests use Math.ceil(content.length / 4)
+ *   (2) No tokenizer dependency permitted (I-01: single production dependency)
+ *   (3) Caller controls maxTokenBudget — overestimation is safe (conservative)
+ *
+ * Risk-if-wrong: Non-ASCII content (CJK, emoji) has higher tokens/char ratio,
+ * causing underestimation. Mitigated by conservative maxTokenBudget from caller
+ * and by the 20% ceiling being a safety margin, not a precision target.
+ */
+export declare function estimateTokens(content: string): number;
+/**
+ * Create a TechniqueApplicator implementation.
+ * Follows the Limen factory pattern: factory → Object.freeze.
+ *
+ * @param deps - Learning system dependencies (audit, events, etc.)
+ * @param store - TechniqueStore for R-06 applicationCount/lastApplied updates
+ */
+export declare function createTechniqueApplicator(deps: LearningDeps, store: TechniqueStore): TechniqueApplicator;
+//# sourceMappingURL=technique_applicator.d.ts.map

package/dist/learning/applicator/technique_applicator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"technique_applicator.d.ts","sourceRoot":"","sources":["../../../src/learning/applicator/technique_applicator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,KAAK,EACV,mBAAmB,EAAE,cAAc,EACe,YAAY,EAC/D,MAAM,wBAAwB,CAAC;AA6ChC;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEtD;AAgBD;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,YAAY,EAClB,KAAK,EAAE,cAAc,GACpB,mBAAmB,CAqLrB"}