martin-loop 0.1.4 → 1.3.0

package/dist/vendor/core/security/cve-scanner.js

@@ -0,0 +1,178 @@
+/**
+ * CVE Patch Scanner — Phase 37.
+ *
+ * Parses a unified diff for newly added package dependencies and queries the
+ * OSV.dev API (https://api.osv.dev) to check for known CVEs. Blocks the
+ * attempt if any discovered package has severity HIGH or CRITICAL.
+ *
+ * Supported manifest formats:
+ *   - package.json (npm/Node.js) — ecosystem: "npm"
+ *   - requirements.txt (Python) — ecosystem: "PyPI"
+ *   - Cargo.toml (Rust) — ecosystem: "crates.io"
+ *   - go.mod (Go) — ecosystem: "Go"
+ *
+ * Design rules:
+ * - Advisory when OSV.dev is unreachable (never hard-fail on network error)
+ * - Only checks ADDED lines (+ prefix) — not removed packages
+ * - Deduplicates package names before querying
+ * - MAX_PACKAGES_PER_SCAN = 20 to bound latency
+ */
+// ─── Constants ────────────────────────────────────────────────────────────────
+const OSV_API = "https://api.osv.dev/v1/query";
+const MAX_PACKAGES_PER_SCAN = 20;
+const BLOCKING_SEVERITIES = ["HIGH", "CRITICAL"];
+// ─── Diff parsing ─────────────────────────────────────────────────────────────
+/**
+ * Extract newly added package dependencies from a unified diff string.
+ * Only examines added lines (starting with +) to avoid flagging removals.
+ */
+export function extractPackageCandidates(diff) {
+    const candidates = [];
+    const seen = new Set();
+    const addedLines = diff
+        .split("\n")
+        .filter(line => line.startsWith("+") && !line.startsWith("+++"));
+    for (const line of addedLines) {
+        const content = line.slice(1).trim();
+        // package.json dependency: "name": "^1.2.3"
+        const npmMatch = content.match(/^"([@\w][\w\-./@]*)"\s*:\s*"([^"]+)"/);
+        if (npmMatch && !content.includes("description") && !content.includes("license")) {
+            const name = npmMatch[1];
+            const raw = npmMatch[2];
+            const version = raw.replace(/^[\^~>=<]+/, "").split(" ")[0];
+            const key = `npm:${name}`;
+            if (!seen.has(key)) {
+                seen.add(key);
+                candidates.push({ name, version, ecosystem: "npm" });
+            }
+            continue;
+        }
+        // requirements.txt: package==1.2.3 or package>=1.0
+        const pypiMatch = content.match(/^([\w\-\.]+)\s*[>=<!~^]+\s*([\d.]+)/);
+        if (pypiMatch) {
+            const name = pypiMatch[1];
+            const version = pypiMatch[2];
+            const key = `PyPI:${name.toLowerCase()}`;
+            if (!seen.has(key)) {
+                seen.add(key);
+                candidates.push({ name, version, ecosystem: "PyPI" });
+            }
+            continue;
+        }
+        // Cargo.toml: name = "1.2.3" or name = { version = "1.2.3" }
+        const cargoMatch = content.match(/^([\w\-]+)\s*=\s*"([\d.]+)"/);
+        if (cargoMatch) {
+            const name = cargoMatch[1];
+            const version = cargoMatch[2];
+            const key = `crates.io:${name}`;
+            if (!seen.has(key)) {
+                seen.add(key);
+                candidates.push({ name, version, ecosystem: "crates.io" });
+            }
+            continue;
+        }
+        // go.mod: require package/path v1.2.3
+        const goMatch = content.match(/^(?:require\s+)?([\w.\-/]+)\s+v([\d.]+(?:-\w+)?)/);
+        if (goMatch) {
+            const name = goMatch[1];
+            const version = goMatch[2];
+            const key = `Go:${name}`;
+            if (!seen.has(key)) {
+                seen.add(key);
+                candidates.push({ name, version, ecosystem: "Go" });
+            }
+            continue;
+        }
+    }
+    return candidates.slice(0, MAX_PACKAGES_PER_SCAN);
+}
+function resolveSeverity(vuln) {
+    // Try database_specific.severity first (most common)
+    const dbSev = vuln.database_specific?.severity?.toUpperCase();
+    if (dbSev === "CRITICAL")
+        return "CRITICAL";
+    if (dbSev === "HIGH")
+        return "HIGH";
+    if (dbSev === "MEDIUM")
+        return "MEDIUM";
+    if (dbSev === "LOW")
+        return "LOW";
+    // Fall back to CVSS score — OSV may return a numeric score string ("7.5") or a
+    // CVSS vector string ("CVSS:3.1/AV:N/..."). Vector strings are NOT numeric scores;
+    // skip them to avoid over-classification.
+    const cvss = vuln.severity?.find(s => s.type === "CVSS_V3")?.score ?? "";
+    if (cvss && !cvss.startsWith("CVSS:")) {
+        const baseScore = parseFloat(cvss);
+        if (!isNaN(baseScore) && baseScore >= 0 && baseScore <= 10) {
+            if (baseScore >= 9.0)
+                return "CRITICAL";
+            if (baseScore >= 7.0)
+                return "HIGH";
+            if (baseScore >= 4.0)
+                return "MEDIUM";
+            return "LOW";
+        }
+    }
+    return "UNKNOWN";
+}
+async function queryOsv(candidate) {
+    const body = JSON.stringify({
+        version: candidate.version,
+        package: { name: candidate.name, ecosystem: candidate.ecosystem }
+    });
+    const res = await fetch(OSV_API, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body,
+        signal: AbortSignal.timeout(5_000)
+    });
+    if (!res.ok)
+        return [];
+    const data = (await res.json());
+    return (data.vulns ?? []).map(v => ({
+        packageName: candidate.name,
+        version: candidate.version,
+        ecosystem: candidate.ecosystem,
+        vulnId: v.id,
+        summary: v.summary ?? "No summary available",
+        severity: resolveSeverity(v),
+        url: `https://osv.dev/vulnerability/${v.id}`
+    }));
+}
+// ─── Public API ───────────────────────────────────────────────────────────────
+/**
+ * Scan a unified diff for new package dependencies and check them against
+ * the OSV.dev vulnerability database.
+ *
+ * Returns immediately (advisory mode) if OSV.dev is unreachable.
+ * Blocks the attempt if any package has severity HIGH or CRITICAL.
+ */
+export async function scanDiffForCves(diff) {
+    const packageCandidates = extractPackageCandidates(diff);
+    if (packageCandidates.length === 0) {
+        return { packageCandidates: [], matches: [], blocked: false };
+    }
+    let matches = [];
+    let networkError = false;
+    try {
+        const results = await Promise.all(packageCandidates.map(queryOsv));
+        matches = results.flat();
+    }
+    catch {
+        // OSV.dev unreachable — advisory mode, do not block
+        networkError = true;
+        return { packageCandidates, matches: [], blocked: false, networkError };
+    }
+    const blockingMatches = matches.filter(m => BLOCKING_SEVERITIES.includes(m.severity));
+    const blocked = blockingMatches.length > 0;
+    let blockReason;
+    if (blocked) {
+        const summary = blockingMatches
+            .slice(0, 3)
+            .map(m => `${m.packageName} (${m.vulnId} ${m.severity})`)
+            .join(", ");
+        blockReason = `CVE scan blocked: ${summary}${blockingMatches.length > 3 ? ` +${blockingMatches.length - 3} more` : ""}`;
+    }
+    return { packageCandidates, matches, blocked, blockReason };
+}
+//# sourceMappingURL=cve-scanner.js.map

package/dist/vendor/core/sentinel/efficiency-sentinel.d.ts

@@ -0,0 +1,29 @@
+export interface CostBaseline {
+    samples: number;
+    p25CostUsd: number;
+    p50CostUsd: number;
+    lastUpdated: string;
+}
+export interface EfficiencyAnomaly {
+    trapId: "T14";
+    runId: string;
+    actualCostUsd: number;
+    p25BaselineCostUsd: number;
+    deviationPct: number;
+    /** T14 is always "logged" — never "block". Warn-only trap. */
+    action: "logged";
+}
+export interface CheckEfficiencyInput {
+    runId: string;
+    actualCostUsd: number;
+    baseline: CostBaseline;
+}
+/**
+ * T14 — Efficiency Anomaly Detection
+ *
+ * Detection logic:
+ * - IF baseline.samples < 20 → DO NOT FIRE (cold-start guard)
+ * - IF actualCost < (baseline.p25 * 0.75) → fire T14 anomaly
+ * - T14 is ALWAYS warn-only (action: "logged") — never hard-rejects a run
+ */
+export declare function checkEfficiencyAnomaly(input: CheckEfficiencyInput): EfficiencyAnomaly | null;

package/dist/vendor/core/sentinel/efficiency-sentinel.js

@@ -0,0 +1,30 @@
+// ─── Types ────────────────────────────────────────────────────────────────────
+// ─── Detection ────────────────────────────────────────────────────────────────
+/**
+ * T14 — Efficiency Anomaly Detection
+ *
+ * Detection logic:
+ * - IF baseline.samples < 20 → DO NOT FIRE (cold-start guard)
+ * - IF actualCost < (baseline.p25 * 0.75) → fire T14 anomaly
+ * - T14 is ALWAYS warn-only (action: "logged") — never hard-rejects a run
+ */
+export function checkEfficiencyAnomaly(input) {
+    // Cold-start guard: never fire before 20 samples
+    if (input.baseline.samples < 20) {
+        return null;
+    }
+    const threshold = input.baseline.p25CostUsd * 0.75;
+    if (input.actualCostUsd >= threshold) {
+        return null;
+    }
+    const deviationPct = ((input.baseline.p25CostUsd - input.actualCostUsd) / input.baseline.p25CostUsd) * 100;
+    return {
+        trapId: "T14",
+        runId: input.runId,
+        actualCostUsd: input.actualCostUsd,
+        p25BaselineCostUsd: input.baseline.p25CostUsd,
+        deviationPct,
+        action: "logged"
+    };
+}
+//# sourceMappingURL=efficiency-sentinel.js.map

package/dist/vendor/core/sentinel/progress-guard.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Stagnation detection — monotonic progress guard.
+ *
+ * Detects when an agent loop is spinning without making forward progress:
+ * the last N attempts all produced the same failure classification and
+ * the same intervention response. When stagnation is detected the caller
+ * should exit the loop with lifecycleState "stagnation_detected".
+ *
+ * This prevents the "$500 infinite loop" scenario where Claude Code
+ * enters a retry cycle for hours without human awareness.
+ */
+import type { LoopAttempt } from "../../contracts/index.js";
+export interface StagnationInput {
+    readonly attempts: LoopAttempt[];
+    /** Number of consecutive attempts to inspect. Defaults to 3. */
+    readonly windowSize?: number;
+}
+export interface StagnationResult {
+    readonly stagnant: boolean;
+    readonly reason?: string;
+    readonly windowSize: number;
+}
+/**
+ * Return `stagnant: true` when the last `windowSize` attempts all share:
+ *   - the same `adapterId` (same adapter/model — not a recovery escalation)
+ *   - the same `failureClass` value (including both-undefined)
+ *   - the same `intervention` value (including both-undefined)
+ *
+ * Requiring the same adapterId prevents false positives when the runtime
+ * is legitimately cycling through different recovery paths (which leads to
+ * `diminishing_returns`, not stagnation).
+ *
+ * When fewer attempts than `windowSize` exist, always returns `stagnant: false`.
+ */
+export declare function detectStagnation(input: StagnationInput): StagnationResult;

package/dist/vendor/core/sentinel/progress-guard.js

@@ -0,0 +1,46 @@
+// ---------------------------------------------------------------------------
+// detectStagnation
+// ---------------------------------------------------------------------------
+/**
+ * Return `stagnant: true` when the last `windowSize` attempts all share:
+ *   - the same `adapterId` (same adapter/model — not a recovery escalation)
+ *   - the same `failureClass` value (including both-undefined)
+ *   - the same `intervention` value (including both-undefined)
+ *
+ * Requiring the same adapterId prevents false positives when the runtime
+ * is legitimately cycling through different recovery paths (which leads to
+ * `diminishing_returns`, not stagnation).
+ *
+ * When fewer attempts than `windowSize` exist, always returns `stagnant: false`.
+ */
+export function detectStagnation(input) {
+    const windowSize = input.windowSize ?? 3;
+    if (input.attempts.length < windowSize) {
+        return { stagnant: false, windowSize };
+    }
+    // Take the last `windowSize` attempts
+    const window = input.attempts.slice(-windowSize);
+    const first = window[0];
+    const referenceAdapter = first.adapterId;
+    const referenceClass = first.failureClass;
+    const referenceIntervention = first.intervention;
+    for (const attempt of window) {
+        // Different adapter = legitimate recovery escalation, not stagnation
+        if (attempt.adapterId !== referenceAdapter) {
+            return { stagnant: false, windowSize };
+        }
+        if (attempt.failureClass !== referenceClass) {
+            return { stagnant: false, windowSize };
+        }
+        if (attempt.intervention !== referenceIntervention) {
+            return { stagnant: false, windowSize };
+        }
+    }
+    const classLabel = referenceClass ?? "(none)";
+    const interventionLabel = referenceIntervention ?? "(none)";
+    const reason = `Stagnation detected: last ${windowSize} attempts on adapter "${referenceAdapter}" all produced ` +
+        `failureClass="${classLabel}" with intervention="${interventionLabel}". ` +
+        `Loop is not making forward progress.`;
+    return { stagnant: true, reason, windowSize };
+}
+//# sourceMappingURL=progress-guard.js.map

package/dist/vendor/core/siem/siem-emitter.d.ts

@@ -0,0 +1,49 @@
+/**
+ * siem-emitter.ts — SLICE-16
+ *
+ * SIEM integration: emits Martin Loop gate events in OCSF or CEF format.
+ *
+ * Events are batched (up to 50 events or 5s) then POSTed to the configured
+ * endpoint. On transport failure the events are written to
+ * ~/.martin/siem-queue/ for later retry via `martin siem drain`.
+ *
+ * Configuration (policy file or env):
+ *   siem.endpoint   — HTTP POST target (required to enable)
+ *   siem.format     — "ocsf" | "cef"  (default: "ocsf")
+ *   siem.apiKey     — Bearer token for endpoint auth (optional)
+ */
+export type SiemEventType = "attempt_started" | "attempt_completed" | "leash_blocked" | "policy_violated" | "budget_exceeded" | "patch_accepted" | "patch_rejected" | "rollback_triggered";
+export type SiemFormat = "ocsf" | "cef";
+export interface SiemEventInput {
+    type: SiemEventType;
+    loopId: string;
+    attemptId?: string;
+    message: string;
+    severity?: "info" | "low" | "medium" | "high" | "critical";
+    metadata?: Record<string, string | number | boolean>;
+}
+export declare function formatOcsf(event: SiemEventInput, timestamp: number): object;
+export declare function formatCef(event: SiemEventInput, timestamp: number): string;
+export interface SiemConfig {
+    endpoint: string;
+    format: SiemFormat;
+    apiKey?: string;
+    flushIntervalMs?: number;
+    maxBatchSize?: number;
+}
+export declare class SiemEmitter {
+    private readonly config;
+    private queue;
+    private flushTimer;
+    private fetchFn;
+    constructor(config: SiemConfig, fetchFn?: typeof fetch);
+    emit(event: SiemEventInput): void;
+    flush(): Promise<{
+        sent: number;
+        queued: number;
+    }>;
+    /** Returns all pending (unflushed) events. Used in tests. */
+    pendingCount(): number;
+    destroy(): void;
+}
+export declare function createSiemEmitter(config: Partial<SiemConfig> | undefined, fetchFn?: typeof fetch): SiemEmitter | null;

package/dist/vendor/core/siem/siem-emitter.js

@@ -0,0 +1,157 @@
+/**
+ * siem-emitter.ts — SLICE-16
+ *
+ * SIEM integration: emits Martin Loop gate events in OCSF or CEF format.
+ *
+ * Events are batched (up to 50 events or 5s) then POSTed to the configured
+ * endpoint. On transport failure the events are written to
+ * ~/.martin/siem-queue/ for later retry via `martin siem drain`.
+ *
+ * Configuration (policy file or env):
+ *   siem.endpoint   — HTTP POST target (required to enable)
+ *   siem.format     — "ocsf" | "cef"  (default: "ocsf")
+ *   siem.apiKey     — Bearer token for endpoint auth (optional)
+ */
+import { createHash } from "node:crypto";
+// ---------------------------------------------------------------------------
+// OCSF formatter
+// ---------------------------------------------------------------------------
+const OCSF_SEVERITY_MAP = {
+    info: 1, low: 2, medium: 4, high: 6, critical: 8
+};
+const OCSF_ACTIVITY_MAP = {
+    attempt_started: 1,
+    attempt_completed: 2,
+    leash_blocked: 3,
+    policy_violated: 4,
+    budget_exceeded: 5,
+    patch_accepted: 6,
+    patch_rejected: 7,
+    rollback_triggered: 8
+};
+export function formatOcsf(event, timestamp) {
+    return {
+        class_uid: 300101,
+        category_uid: 3,
+        type_uid: 300101,
+        time: timestamp,
+        severity_id: OCSF_SEVERITY_MAP[event.severity ?? "info"] ?? 1,
+        actor: { user: { name: "martin-loop" } },
+        metadata: {
+            version: "1.0.0",
+            product: { name: "Martin Loop" },
+            uid: createHash("sha256")
+                .update(`${event.loopId}:${event.attemptId ?? ""}:${timestamp}`)
+                .digest("hex")
+                .slice(0, 16)
+        },
+        activity_id: OCSF_ACTIVITY_MAP[event.type] ?? 0,
+        message: event.message,
+        unmapped: {
+            event_type: event.type,
+            loop_id: event.loopId,
+            attempt_id: event.attemptId ?? "",
+            ...(event.metadata ?? {})
+        }
+    };
+}
+// ---------------------------------------------------------------------------
+// CEF formatter
+// ---------------------------------------------------------------------------
+const CEF_SEVERITY_MAP = {
+    info: 0, low: 2, medium: 5, high: 7, critical: 10
+};
+function cefEscape(val) {
+    return val.replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/=/g, "\\=");
+}
+export function formatCef(event, timestamp) {
+    const sev = CEF_SEVERITY_MAP[event.severity ?? "info"] ?? 0;
+    const ext = [
+        `rt=${timestamp}`,
+        `loopId=${cefEscape(event.loopId)}`,
+        `attemptId=${cefEscape(event.attemptId ?? "")}`,
+        `msg=${cefEscape(event.message)}`
+    ];
+    if (event.metadata) {
+        for (const [k, v] of Object.entries(event.metadata)) {
+            ext.push(`${cefEscape(String(k))}=${cefEscape(String(v))}`);
+        }
+    }
+    return `CEF:0|MartinLoop|martin-loop|1.0|${event.type}|${event.message}|${sev}| ${ext.join(" ")}`;
+}
+export class SiemEmitter {
+    config;
+    queue = [];
+    flushTimer = null;
+    fetchFn;
+    constructor(config, fetchFn) {
+        this.config = {
+            endpoint: config.endpoint,
+            format: config.format,
+            apiKey: config.apiKey,
+            flushIntervalMs: config.flushIntervalMs ?? 5000,
+            maxBatchSize: config.maxBatchSize ?? 50
+        };
+        this.fetchFn = fetchFn ?? fetch;
+    }
+    emit(event) {
+        this.queue.push({ event, timestamp: Date.now() });
+        if (this.queue.length >= this.config.maxBatchSize) {
+            void this.flush();
+            return;
+        }
+        if (this.config.flushIntervalMs > 0 && !this.flushTimer) {
+            this.flushTimer = setTimeout(() => {
+                void this.flush();
+            }, this.config.flushIntervalMs);
+        }
+    }
+    async flush() {
+        if (this.flushTimer) {
+            clearTimeout(this.flushTimer);
+            this.flushTimer = null;
+        }
+        const batch = this.queue.splice(0, this.config.maxBatchSize);
+        if (batch.length === 0)
+            return { sent: 0, queued: 0 };
+        const formatted = batch.map(({ event, timestamp }) => this.config.format === "cef"
+            ? formatCef(event, timestamp)
+            : formatOcsf(event, timestamp));
+        const headers = { "Content-Type": "application/json" };
+        if (this.config.apiKey)
+            headers["Authorization"] = `Bearer ${this.config.apiKey}`;
+        try {
+            const res = await this.fetchFn(this.config.endpoint, {
+                method: "POST",
+                headers,
+                body: JSON.stringify({ events: formatted }),
+                signal: AbortSignal.timeout(10_000)
+            });
+            if (!res.ok)
+                throw new Error(`SIEM endpoint returned HTTP ${res.status}`);
+            return { sent: batch.length, queued: 0 };
+        }
+        catch {
+            // On failure: keep events in front of queue for retry
+            this.queue.unshift(...batch);
+            return { sent: 0, queued: this.queue.length };
+        }
+    }
+    /** Returns all pending (unflushed) events. Used in tests. */
+    pendingCount() {
+        return this.queue.length;
+    }
+    destroy() {
+        if (this.flushTimer)
+            clearTimeout(this.flushTimer);
+    }
+}
+// ---------------------------------------------------------------------------
+// Factory — returns null when siem.endpoint is not configured
+// ---------------------------------------------------------------------------
+export function createSiemEmitter(config, fetchFn) {
+    if (!config?.endpoint)
+        return null;
+    return new SiemEmitter({ endpoint: config.endpoint, format: config.format ?? "ocsf", ...config }, fetchFn);
+}
+//# sourceMappingURL=siem-emitter.js.map

package/dist/vendor/core/strategy/attempt-brief.d.ts

@@ -0,0 +1,22 @@
+import type { LoopAttempt, LoopTask } from "../../contracts/index.js";
+export interface AttemptFocusInput {
+    task: Pick<LoopTask, "objective" | "acceptanceCriteria">;
+    attempts: LoopAttempt[];
+    remainingBudgetUsd: number;
+}
+export interface RetryEconomicsInput {
+    previousAttempts: LoopAttempt[];
+    projectedUsd: number;
+    remainingBudgetUsd: number;
+    remainingIterations: number;
+    novelRecoveryPath?: boolean;
+}
+export interface RetryEconomicsDecision {
+    allowRetry: boolean;
+    reason?: string;
+    repeatedVerifierSignature?: string;
+}
+export declare function buildAttemptFocus(input: AttemptFocusInput): string;
+export declare function evaluateRetryEconomics(input: RetryEconomicsInput): RetryEconomicsDecision;
+export declare function detectRepeatedVerifierSignature(attempts: Pick<LoopAttempt, "verifierSummary">[], window?: number): string | undefined;
+export declare function normalizeVerifierSignature(summary?: string): string | undefined;

package/dist/vendor/core/strategy/attempt-brief.js

@@ -0,0 +1,89 @@
+export function buildAttemptFocus(input) {
+    const parts = [`Primary objective: ${input.task.objective}.`];
+    const acceptanceCriteria = input.task.acceptanceCriteria ?? [];
+    const lastAttempt = input.attempts.at(-1);
+    const repeatedSignature = detectRepeatedVerifierSignature(input.attempts);
+    if (acceptanceCriteria.length > 0) {
+        parts.push(`Acceptance criteria: ${acceptanceCriteria.join("; ")}.`);
+    }
+    if (lastAttempt?.failureClass) {
+        parts.push(`Last failure class: ${lastAttempt.failureClass}. Resolve that exact gap before widening scope.`);
+    }
+    if (lastAttempt?.summary) {
+        parts.push(`Do not repeat this failed pattern: ${truncateSentence(lastAttempt.summary, 160)}.`);
+    }
+    if (repeatedSignature) {
+        parts.push(`Repeated verifier signal: ${repeatedSignature}. Target the smallest change that clears this exact failure.`);
+    }
+    else if (lastAttempt?.verifierSummary) {
+        parts.push(`Verifier focus: ${normalizeVerifierSignature(lastAttempt.verifierSummary)}.`);
+    }
+    if (input.remainingBudgetUsd <= 2) {
+        parts.push("Budget is tight. Prefer one narrow, verifier-led fix over a broad rewrite.");
+    }
+    return parts.join(" ");
+}
+export function evaluateRetryEconomics(input) {
+    if (input.novelRecoveryPath) {
+        return { allowRetry: true };
+    }
+    const lastTwo = input.previousAttempts.slice(-2);
+    const repeatedFailureClass = lastTwo.length === 2 &&
+        lastTwo[0]?.failureClass &&
+        lastTwo[0].failureClass === lastTwo[1]?.failureClass;
+    const repeatedVerifierSignature = detectRepeatedVerifierSignature(input.previousAttempts);
+    const remainingAfterRetry = roundUsd(input.remainingBudgetUsd - input.projectedUsd);
+    const tightBudget = remainingAfterRetry < Math.max(input.projectedUsd * 0.5, 0.25);
+    if (repeatedFailureClass && repeatedVerifierSignature && tightBudget && input.remainingIterations <= 2) {
+        return {
+            allowRetry: false,
+            reason: `Repeated verifier signature "${repeatedVerifierSignature}" under tight budget. ` +
+                "Escalate instead of paying for another near-identical retry.",
+            repeatedVerifierSignature
+        };
+    }
+    return {
+        allowRetry: true,
+        ...(repeatedVerifierSignature ? { repeatedVerifierSignature } : {})
+    };
+}
+export function detectRepeatedVerifierSignature(attempts, window = 2) {
+    const signatures = attempts
+        .map((attempt) => normalizeVerifierSignature(attempt.verifierSummary))
+        .filter((signature) => Boolean(signature));
+    if (signatures.length < window) {
+        return undefined;
+    }
+    const recent = signatures.slice(-window);
+    const first = recent[0];
+    if (!first) {
+        return undefined;
+    }
+    return recent.every((signature) => signature === first) ? first : undefined;
+}
+export function normalizeVerifierSignature(summary) {
+    if (!summary) {
+        return undefined;
+    }
+    const normalized = summary
+        .toLowerCase()
+        .replace(/\s+/g, " ")
+        .replace(/\b\d+\b/g, "#")
+        .replace(/[^a-z0-9# :._-]/g, "")
+        .trim();
+    if (!normalized) {
+        return undefined;
+    }
+    const firstClause = normalized.split(/(?:;|\.|,|\n)/u)[0]?.trim();
+    return firstClause ? truncateSentence(firstClause, 96) : undefined;
+}
+function truncateSentence(value, maxLength) {
+    if (value.length <= maxLength) {
+        return value;
+    }
+    return `${value.slice(0, maxLength - 1).trimEnd()}...`;
+}
+function roundUsd(value) {
+    return Math.round(value * 100) / 100;
+}
+//# sourceMappingURL=attempt-brief.js.map

package/dist/vendor/core/summarize/diff-summary.d.ts

@@ -0,0 +1,35 @@
+/**
+ * diff-summary.ts
+ *
+ * Produces a one-line human-readable summary of a unified diff relative to the
+ * loop objective.  Uses a cheap haiku-tier LLM call when an adapter is available;
+ * falls back to a deterministic heuristic when no adapter is configured or the
+ * model call fails.
+ *
+ * Quality gate: the generated one-liner MUST contain at least one concrete
+ * identifier (file name, function name, symbol) extracted from the diff itself.
+ * If the model output fails that gate the fallback is used instead.
+ */
+export interface DiffSummaryInput {
+    /** The raw unified diff text (output of git diff or similar). */
+    diff: string;
+    /** The original loop objective supplied by the user. */
+    objective: string;
+}
+export interface DiffSummary {
+    /** Single-line summary suitable for a commit message or PR description. */
+    oneLiner: string;
+    /** How the summary was produced. */
+    method: "model" | "heuristic";
+    /** Concrete identifier extracted from the diff that validates the summary. */
+    anchorIdentifier: string;
+}
+/**
+ * Summarize a unified diff in the context of a loop objective.
+ *
+ * @param input  Diff text + objective string.
+ * @param callModelFn  Optional async function that accepts a prompt string and
+ *                     returns a model response string.  When omitted, or when
+ *                     the call throws, the deterministic heuristic is used.
+ */
+export declare function summarizeDiff(input: DiffSummaryInput, callModelFn?: (prompt: string) => Promise<string>): Promise<DiffSummary>;