martin-loop 0.1.4 → 1.3.0

package/dist/vendor/core/drift/objective-lock.d.ts

@@ -0,0 +1,69 @@
+/**
+ * objective-lock.ts — SLICE-05
+ *
+ * Cryptographic objective invariant lock.
+ *
+ * At attempt 1, the loop objective, verificationPlan, and acceptanceCriteria
+ * are hashed together into a SHA-256 lock. Every subsequent attempt re-hashes
+ * the live inputs and hard-fails with `objective_drift` if the hash differs.
+ *
+ * Legitimate scope changes require an explicit `widenObjectiveLock()` call,
+ * which produces an audit entry proving who authorized the change and why.
+ */
+export interface ObjectiveLockInput {
+    objective: string;
+    verificationPlan: string[];
+    acceptanceCriteria?: string[];
+}
+export interface ObjectiveLock {
+    /** SHA-256 hex digest of the canonical lock payload. */
+    sha256: string;
+    /** ISO timestamp when the lock was created. */
+    lockedAt: string;
+}
+export interface ObjectiveLockCheckResult {
+    drifted: boolean;
+    /** Present only when drifted:true. */
+    reason?: string;
+    expectedHash?: string;
+    actualHash?: string;
+}
+export interface ObjectiveWidenAuditEntry {
+    previousHash: string;
+    newHash: string;
+    authorizedBy: string;
+    reason: string;
+    widenedAt: string;
+}
+export interface ObjectiveWidenResult {
+    newLock: ObjectiveLock;
+    auditEntry: ObjectiveWidenAuditEntry;
+}
+/**
+ * Creates a new ObjectiveLock for the given inputs.
+ * Call once at loop start (attempt 1). Store in the loop record.
+ */
+export declare function createObjectiveLock(input: ObjectiveLockInput, now?: string): ObjectiveLock;
+/**
+ * Checks whether the live inputs still match the lock created at attempt 1.
+ *
+ * Returns `{ drifted: false }` if everything is consistent.
+ * Returns `{ drifted: true, reason, expectedHash, actualHash }` if the lock
+ * has been violated — the caller MUST exit the loop with lifecycleState
+ * `objective_drift`.
+ */
+export declare function checkObjectiveLock(lock: ObjectiveLock, currentInput: ObjectiveLockInput): ObjectiveLockCheckResult;
+/**
+ * Authorizes a legitimate scope change. Returns a new lock covering the
+ * new inputs and an immutable audit entry recording who widened it and why.
+ *
+ * The audit entry MUST be appended to the loop's ledger.jsonl before the
+ * run continues with the new lock.
+ */
+export declare function widenObjectiveLock(options: {
+    currentLock: ObjectiveLock;
+    newInput: ObjectiveLockInput;
+    authorizedBy: string;
+    reason: string;
+    now?: string;
+}): ObjectiveWidenResult;

package/dist/vendor/core/drift/objective-lock.js

@@ -0,0 +1,88 @@
+/**
+ * objective-lock.ts — SLICE-05
+ *
+ * Cryptographic objective invariant lock.
+ *
+ * At attempt 1, the loop objective, verificationPlan, and acceptanceCriteria
+ * are hashed together into a SHA-256 lock. Every subsequent attempt re-hashes
+ * the live inputs and hard-fails with `objective_drift` if the hash differs.
+ *
+ * Legitimate scope changes require an explicit `widenObjectiveLock()` call,
+ * which produces an audit entry proving who authorized the change and why.
+ */
+import { createHash } from "node:crypto";
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/**
+ * Creates a new ObjectiveLock for the given inputs.
+ * Call once at loop start (attempt 1). Store in the loop record.
+ */
+export function createObjectiveLock(input, now = new Date().toISOString()) {
+    return {
+        sha256: computeHash(input),
+        lockedAt: now
+    };
+}
+/**
+ * Checks whether the live inputs still match the lock created at attempt 1.
+ *
+ * Returns `{ drifted: false }` if everything is consistent.
+ * Returns `{ drifted: true, reason, expectedHash, actualHash }` if the lock
+ * has been violated — the caller MUST exit the loop with lifecycleState
+ * `objective_drift`.
+ */
+export function checkObjectiveLock(lock, currentInput) {
+    const currentHash = computeHash(currentInput);
+    if (currentHash === lock.sha256) {
+        return { drifted: false };
+    }
+    return {
+        drifted: true,
+        reason: `Objective lock violated: expected hash ${lock.sha256.slice(0, 12)}… ` +
+            `but got ${currentHash.slice(0, 12)}… — run aborted with lifecycle state objective_drift`,
+        expectedHash: lock.sha256,
+        actualHash: currentHash
+    };
+}
+/**
+ * Authorizes a legitimate scope change. Returns a new lock covering the
+ * new inputs and an immutable audit entry recording who widened it and why.
+ *
+ * The audit entry MUST be appended to the loop's ledger.jsonl before the
+ * run continues with the new lock.
+ */
+export function widenObjectiveLock(options) {
+    const widenedAt = options.now ?? new Date().toISOString();
+    const newLock = createObjectiveLock(options.newInput, widenedAt);
+    const auditEntry = {
+        previousHash: options.currentLock.sha256,
+        newHash: newLock.sha256,
+        authorizedBy: options.authorizedBy,
+        reason: options.reason,
+        widenedAt
+    };
+    return { newLock, auditEntry };
+}
+// ---------------------------------------------------------------------------
+// Internal — canonical hash computation
+// ---------------------------------------------------------------------------
+/**
+ * Produces a deterministic SHA-256 hex digest over:
+ *   - objective (exact text, case-sensitive)
+ *   - verificationPlan (ordered — step order matters)
+ *   - acceptanceCriteria (sorted — order-independent)
+ *
+ * The canonical payload is a stable JSON string to ensure cross-platform
+ * determinism regardless of property insertion order.
+ */
+function computeHash(input) {
+    const sortedCriteria = [...(input.acceptanceCriteria ?? [])].sort();
+    const canonical = JSON.stringify({
+        objective: input.objective,
+        verificationPlan: input.verificationPlan,
+        acceptanceCriteria: sortedCriteria
+    });
+    return createHash("sha256").update(canonical, "utf8").digest("hex");
+}
+//# sourceMappingURL=objective-lock.js.map

package/dist/vendor/core/drift/scope.d.ts

@@ -0,0 +1,46 @@
+/**
+ * scope.ts — SLICE-02
+ *
+ * Drift-graph–scoped context pruning.
+ *
+ * Uses the existing DriftGraph to prune model input context to only the files
+ * within N hops of the objective's named symbols/paths. Prevents the model
+ * from seeing irrelevant files and keeps token budgets tight.
+ */
+import type { DriftGraph } from "./drift-graph.js";
+export interface ScopePruningResult {
+    /** The pruned (or fallback) file list to pass to the model. */
+    files: string[];
+    /** Number of files in the original compiledFiles list. */
+    filesIn: number;
+    /** Number of files returned after pruning. */
+    filesOut: number;
+    /** filesIn - filesOut */
+    prunedCount: number;
+    /** true when the BFS intersection was empty and we fell back to the full set. */
+    fallback: boolean;
+}
+/**
+ * Extracts file-like identifiers from an objective string.
+ *
+ * Matches (in priority order):
+ * 1. Quoted paths  — "src/parser.ts"
+ * 2. Bare paths ending in .ts / .js / .tsx / .jsx
+ * 3. camelCase / PascalCase tokens that look like module/symbol names
+ *
+ * Note: intentionally uses regex, not AST (that's SLICE-06).
+ */
+export declare function extractFilesFromObjective(objective: string): string[];
+/**
+ * Prunes `compiledFiles` to only those reachable from the objective's seed
+ * nodes within `maxHops` traversal steps in `graph`.
+ *
+ * Falls back to the full compiledFiles set when the BFS result has no
+ * intersection with compiledFiles (e.g. graph uses different path conventions).
+ */
+export declare function scopeContextByDriftGraph(options: {
+    objective: string;
+    graph: DriftGraph;
+    compiledFiles: string[];
+    maxHops?: number;
+}): ScopePruningResult;

package/dist/vendor/core/drift/scope.js

@@ -0,0 +1,102 @@
+/**
+ * scope.ts — SLICE-02
+ *
+ * Drift-graph–scoped context pruning.
+ *
+ * Uses the existing DriftGraph to prune model input context to only the files
+ * within N hops of the objective's named symbols/paths. Prevents the model
+ * from seeing irrelevant files and keeps token budgets tight.
+ */
+// ─── Public API ───────────────────────────────────────────────────────────────
+/**
+ * Extracts file-like identifiers from an objective string.
+ *
+ * Matches (in priority order):
+ * 1. Quoted paths  — "src/parser.ts"
+ * 2. Bare paths ending in .ts / .js / .tsx / .jsx
+ * 3. camelCase / PascalCase tokens that look like module/symbol names
+ *
+ * Note: intentionally uses regex, not AST (that's SLICE-06).
+ */
+export function extractFilesFromObjective(objective) {
+    const found = new Set();
+    // 1. Quoted file paths — single or double quotes
+    const quotedRe = /["']([^"'\n]+(?:\.(?:ts|tsx|js|jsx)|[A-Za-z0-9_/.-]+))["']/g;
+    for (const match of objective.matchAll(quotedRe)) {
+        if (match[1])
+            found.add(match[1]);
+    }
+    // 2. Bare paths ending in a recognised extension (not already captured in quotes)
+    const barePathRe = /(?<![/"'])([^\s"']+\.(?:ts|tsx|js|jsx))(?![/"'])/g;
+    for (const match of objective.matchAll(barePathRe)) {
+        if (match[1])
+            found.add(match[1]);
+    }
+    // 3. camelCase / PascalCase identifiers (potential module / symbol names)
+    //    Must start with an uppercase letter or have an internal uppercase letter,
+    //    and be at least 4 chars so we avoid common short words.
+    const camelCaseRe = /\b(?:[A-Z][a-zA-Z0-9]{3,}|[a-z][a-z0-9]*[A-Z][a-zA-Z0-9]{2,})\b/g;
+    for (const match of objective.matchAll(camelCaseRe)) {
+        found.add(match[0]);
+    }
+    return [...found];
+}
+/**
+ * Prunes `compiledFiles` to only those reachable from the objective's seed
+ * nodes within `maxHops` traversal steps in `graph`.
+ *
+ * Falls back to the full compiledFiles set when the BFS result has no
+ * intersection with compiledFiles (e.g. graph uses different path conventions).
+ */
+export function scopeContextByDriftGraph(options) {
+    const { objective, graph, compiledFiles, maxHops = 2 } = options;
+    const filesIn = compiledFiles.length;
+    // Extract seed identifiers from objective text
+    const seeds = extractFilesFromObjective(objective);
+    // BFS from all seed nodes that exist in the graph
+    const reachable = new Set();
+    const queue = [];
+    for (const seed of seeds) {
+        if (graph.nodes.has(seed)) {
+            queue.push({ node: seed, depth: 0 });
+            reachable.add(seed);
+        }
+    }
+    // Process BFS queue
+    let head = 0;
+    while (head < queue.length) {
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        const item = queue[head++];
+        if (item.depth >= maxHops)
+            continue;
+        const neighbors = graph.edges[item.node] ?? [];
+        for (const neighbor of neighbors) {
+            if (!reachable.has(neighbor)) {
+                reachable.add(neighbor);
+                queue.push({ node: neighbor, depth: item.depth + 1 });
+            }
+        }
+    }
+    // Intersect BFS result with compiledFiles (preserve original ordering)
+    const compiledSet = new Set(compiledFiles);
+    const pruned = compiledFiles.filter(f => reachable.has(f));
+    // Fallback: if intersection is empty return the full original set
+    if (pruned.length === 0) {
+        return {
+            files: [...compiledFiles],
+            filesIn,
+            filesOut: filesIn,
+            prunedCount: 0,
+            fallback: true
+        };
+    }
+    const filesOut = pruned.length;
+    return {
+        files: pruned,
+        filesIn,
+        filesOut,
+        prunedCount: filesIn - filesOut,
+        fallback: false
+    };
+}
+//# sourceMappingURL=scope.js.map

package/dist/vendor/core/drift/signature-lock.d.ts

@@ -0,0 +1,48 @@
+/**
+ * signature-lock.ts — SLICE-06
+ *
+ * AST-level signature lock: extracts named symbols from an objective,
+ * snapshots their TypeScript signatures before the first attempt, then
+ * rejects any patch that silently changes a signature without authorization.
+ *
+ * Authorization phrases in the objective (e.g. "add parameter", "rename")
+ * allow signature changes for the named symbol.
+ */
+export interface SignatureSnapshot {
+    symbolName: string;
+    filePath: string;
+    params: string[];
+    returnType: string;
+    modifiers: string[];
+    kind: "function" | "method" | "class" | "unknown";
+}
+export interface SignatureLockResult {
+    blocked: boolean;
+    reasonCode?: "silent_signature_drift";
+    reason?: string;
+    driftedSymbols: Array<{
+        symbolName: string;
+        before: SignatureSnapshot;
+        after: SignatureSnapshot;
+    }>;
+}
+export declare function isSignatureChangeAuthorized(objective: string, symbolName: string): boolean;
+/**
+ * Extracts likely symbol names from the objective string.
+ * Looks for: camelCase, PascalCase, snake_case, and `backtick` quoted names.
+ */
+export declare function extractSymbolsFromObjective(objective: string): string[];
+export declare function snapshotsEqual(a: SignatureSnapshot, b: SignatureSnapshot): boolean;
+export declare class SignatureLockStore {
+    private snapshots;
+    record(snapshot: SignatureSnapshot): void;
+    get(symbolName: string): SignatureSnapshot | undefined;
+    has(symbolName: string): boolean;
+    clear(): void;
+}
+export declare function checkSignatureDrift(objective: string, before: SignatureSnapshot[], after: SignatureSnapshot[]): SignatureLockResult;
+/**
+ * Extracts SignatureSnapshots for named symbols from TypeScript source code.
+ * Uses ts-morph if available; falls back to a regex-based approximation.
+ */
+export declare function extractSignaturesFromSource(sourceCode: string, filePath: string, targetSymbols: string[]): Promise<SignatureSnapshot[]>;

package/dist/vendor/core/drift/signature-lock.js

@@ -0,0 +1,202 @@
+/**
+ * signature-lock.ts — SLICE-06
+ *
+ * AST-level signature lock: extracts named symbols from an objective,
+ * snapshots their TypeScript signatures before the first attempt, then
+ * rejects any patch that silently changes a signature without authorization.
+ *
+ * Authorization phrases in the objective (e.g. "add parameter", "rename")
+ * allow signature changes for the named symbol.
+ */
+// ---------------------------------------------------------------------------
+// Authorization phrases — objective contains these → allow signature change
+// ---------------------------------------------------------------------------
+const AUTH_PHRASES = [
+    "add parameter", "add param", "remove parameter", "remove param",
+    "change signature", "rename", "refactor signature", "update signature",
+    "modify signature", "new signature", "change return type", "add argument"
+];
+export function isSignatureChangeAuthorized(objective, symbolName) {
+    const lower = objective.toLowerCase();
+    const hasAuthPhrase = AUTH_PHRASES.some(p => lower.includes(p)) ||
+        /\badd\b[\s\S]{0,80}\b(?:parameter|param|argument)\b/u.test(lower) ||
+        /\bremove\b[\s\S]{0,80}\b(?:parameter|param|argument)\b/u.test(lower);
+    if (!hasAuthPhrase)
+        return false;
+    // If there's an auth phrase, it covers all symbols OR must mention the symbol
+    // (generous: if any auth phrase is present in objective, allow all drift)
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Symbol extraction from objective text
+// ---------------------------------------------------------------------------
+/**
+ * Extracts likely symbol names from the objective string.
+ * Looks for: camelCase, PascalCase, snake_case, and `backtick` quoted names.
+ */
+export function extractSymbolsFromObjective(objective) {
+    const symbols = [];
+    // Backtick-quoted names are highest confidence
+    const backtickMatches = objective.match(/`([a-zA-Z_$][\w$]*)`/g) ?? [];
+    symbols.push(...backtickMatches.map(m => m.slice(1, -1)));
+    // camelCase / PascalCase words (4+ chars to avoid noise)
+    const wordMatches = objective.match(/\b([a-zA-Z_$][a-zA-Z0-9_$]{3,})\b/g) ?? [];
+    const NOISE_WORDS = new Set([
+        "the", "this", "that", "with", "from", "into", "when", "then",
+        "should", "must", "will", "have", "been", "also", "only", "just",
+        "make", "sure", "each", "all", "any", "add", "remove", "change",
+        "function", "method", "class", "return", "export", "import",
+        "const", "variable", "parameter", "argument", "type", "interface"
+    ]);
+    for (const word of wordMatches) {
+        if (!NOISE_WORDS.has(word.toLowerCase()) && !symbols.includes(word)) {
+            symbols.push(word);
+        }
+    }
+    return [...new Set(symbols)];
+}
+// ---------------------------------------------------------------------------
+// Snapshot comparison
+// ---------------------------------------------------------------------------
+export function snapshotsEqual(a, b) {
+    if (a.kind !== b.kind)
+        return false;
+    if (a.returnType !== b.returnType)
+        return false;
+    if (a.params.length !== b.params.length)
+        return false;
+    for (let i = 0; i < a.params.length; i++) {
+        if (a.params[i] !== b.params[i])
+            return false;
+    }
+    return true;
+}
+// ---------------------------------------------------------------------------
+// In-memory snapshot store (keyed by symbolName)
+// ---------------------------------------------------------------------------
+export class SignatureLockStore {
+    snapshots = new Map();
+    record(snapshot) {
+        this.snapshots.set(snapshot.symbolName, snapshot);
+    }
+    get(symbolName) {
+        return this.snapshots.get(symbolName);
+    }
+    has(symbolName) {
+        return this.snapshots.has(symbolName);
+    }
+    clear() {
+        this.snapshots.clear();
+    }
+}
+// ---------------------------------------------------------------------------
+// Signature check — called after each patch
+// ---------------------------------------------------------------------------
+export function checkSignatureDrift(objective, before, after) {
+    const drifted = [];
+    const afterByName = new Map(after.map(s => [s.symbolName, s]));
+    for (const beforeSnap of before) {
+        const afterSnap = afterByName.get(beforeSnap.symbolName);
+        if (!afterSnap)
+            continue; // symbol removed — handled separately
+        if (!snapshotsEqual(beforeSnap, afterSnap)) {
+            if (!isSignatureChangeAuthorized(objective, beforeSnap.symbolName)) {
+                drifted.push({ symbolName: beforeSnap.symbolName, before: beforeSnap, after: afterSnap });
+            }
+        }
+    }
+    if (drifted.length === 0) {
+        return { blocked: false, driftedSymbols: [] };
+    }
+    const names = drifted.map(d => d.symbolName).join(", ");
+    return {
+        blocked: true,
+        reasonCode: "silent_signature_drift",
+        reason: `Patch silently changed the signature of: ${names}. ` +
+            `If this is intentional, include "change signature", "add parameter", ` +
+            `or "rename" in the objective.`,
+        driftedSymbols: drifted
+    };
+}
+// ---------------------------------------------------------------------------
+// ts-morph based snapshot extractor
+// ---------------------------------------------------------------------------
+/**
+ * Extracts SignatureSnapshots for named symbols from TypeScript source code.
+ * Uses ts-morph if available; falls back to a regex-based approximation.
+ */
+export async function extractSignaturesFromSource(sourceCode, filePath, targetSymbols) {
+    // Try ts-morph
+    try {
+        const { Project } = await import("ts-morph");
+        const project = new Project({ useInMemoryFileSystem: true, compilerOptions: { allowJs: true } });
+        const src = project.createSourceFile(filePath, sourceCode);
+        const snapshots = [];
+        const targetSet = new Set(targetSymbols);
+        for (const fn of src.getFunctions()) {
+            const name = fn.getName();
+            if (!name || (targetSet.size > 0 && !targetSet.has(name)))
+                continue;
+            snapshots.push({
+                symbolName: name,
+                filePath,
+                params: fn.getParameters().map(p => `${p.getName()}:${p.getType().getText()}`),
+                returnType: fn.getReturnType().getText(),
+                modifiers: fn.getModifiers().map(m => m.getText()),
+                kind: "function"
+            });
+        }
+        for (const cls of src.getClasses()) {
+            const className = cls.getName();
+            if (!className)
+                continue;
+            if (targetSet.size === 0 || targetSet.has(className)) {
+                snapshots.push({
+                    symbolName: className,
+                    filePath,
+                    params: [],
+                    returnType: className,
+                    modifiers: cls.getModifiers().map(m => m.getText()),
+                    kind: "class"
+                });
+            }
+            for (const method of cls.getMethods()) {
+                const mName = method.getName();
+                const qualified = `${className}.${mName}`;
+                if (targetSet.size > 0 && !targetSet.has(mName) && !targetSet.has(qualified))
+                    continue;
+                snapshots.push({
+                    symbolName: mName,
+                    filePath,
+                    params: method.getParameters().map(p => `${p.getName()}:${p.getType().getText()}`),
+                    returnType: method.getReturnType().getText(),
+                    modifiers: method.getModifiers().map(m => m.getText()),
+                    kind: "method"
+                });
+            }
+        }
+        return snapshots;
+    }
+    catch {
+        // ts-morph not available — regex fallback
+        return extractSignaturesRegex(sourceCode, filePath, targetSymbols);
+    }
+}
+function extractSignaturesRegex(src, filePath, targetSymbols) {
+    const snapshots = [];
+    const targetSet = new Set(targetSymbols);
+    // Match: export function name(params): returnType
+    const fnRe = /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)\s*(?::\s*([\w<>[\], |]+))?/g;
+    let m;
+    while ((m = fnRe.exec(src)) !== null) {
+        const name = m[1];
+        if (!name)
+            continue;
+        if (targetSet.size > 0 && !targetSet.has(name))
+            continue;
+        const params = (m[2] ?? "").split(",").map(p => p.trim()).filter(Boolean);
+        snapshots.push({ symbolName: name, filePath, params, returnType: m[3]?.trim() ?? "unknown", modifiers: [], kind: "function" });
+    }
+    return snapshots;
+}
+//# sourceMappingURL=signature-lock.js.map

package/dist/vendor/core/drift/stale-proof-gate.d.ts

@@ -0,0 +1,21 @@
+export interface ProofGateArtifact {
+    artifactId: string;
+    expectedSha256: string;
+    actualSha256: string;
+}
+export interface ProofBoundClaim {
+    claimId: string;
+    artifactIds: string[];
+}
+export interface StaleProofGateInput {
+    artifacts: ProofGateArtifact[];
+    claims: ProofBoundClaim[];
+}
+export interface StaleProofGateReport {
+    gateStatus: "pass" | "fail";
+    staleArtifactIds: string[];
+    demotedClaimIds: string[];
+    allowedClaimWording: string;
+    nonClaims: string[];
+}
+export declare function evaluateStaleProofGate(input: StaleProofGateInput): StaleProofGateReport;

package/dist/vendor/core/drift/stale-proof-gate.js

@@ -0,0 +1,19 @@
+export function evaluateStaleProofGate(input) {
+    const staleArtifactIds = input.artifacts
+        .filter((artifact) => artifact.expectedSha256 !== artifact.actualSha256)
+        .map((artifact) => artifact.artifactId);
+    const staleArtifactSet = new Set(staleArtifactIds);
+    const demotedClaimIds = input.claims
+        .filter((claim) => claim.artifactIds.some((artifactId) => staleArtifactSet.has(artifactId)))
+        .map((claim) => claim.claimId);
+    return {
+        gateStatus: staleArtifactIds.length === 0 && demotedClaimIds.length === 0 ? "pass" : "fail",
+        staleArtifactIds,
+        demotedClaimIds,
+        allowedClaimWording: staleArtifactIds.length === 0
+            ? "Drift-detected and corrected for declared hash-bound proof and runtime evidence surfaces."
+            : "Claim demoted because one or more hash-bound proof or runtime artifacts are stale.",
+        nonClaims: ["impossible to drift", "universal drift prevention"]
+    };
+}
+//# sourceMappingURL=stale-proof-gate.js.map

package/dist/vendor/core/eval/known-bad-world-runner.d.ts

@@ -0,0 +1,24 @@
+export interface KnownBadWorldCategory {
+    category: string;
+    shouldBlock: boolean;
+    blocked: boolean;
+    trapFired: string;
+    testId: string;
+}
+export interface KnownBadWorldResults {
+    evalVersion: "h3.v1";
+    runAt: string;
+    categories: KnownBadWorldCategory[];
+    allBlocked: boolean;
+    falsePositives: number;
+    totalTests: number;
+}
+export interface RunKnownBadWorldOptions {
+    secret: string;
+}
+/**
+ * Runs all 16 known-bad-world scenarios (8 bad + 8 clean) and returns results.
+ * allBlocked: true only when all shouldBlock=true tests were caught.
+ * falsePositives: count of shouldBlock=false tests that were incorrectly caught.
+ */
+export declare function runKnownBadWorldEval(options: RunKnownBadWorldOptions): Promise<KnownBadWorldResults>;