network-ai 4.15.3 → 5.1.0

package/dist/index.js

@@ -12,8 +12,10 @@
  * @license MIT
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.WORKFLOW_STATES = exports.createDeliveryPipelineFSM = exports.ComplianceViolationError = exports.ComplianceMiddleware = exports.ToolAuthorizationMatrix = exports.JourneyFSM = exports.TimeoutError = exports.ParallelLimitError = exports.AdapterNotInitializedError = exports.AdapterNotFoundError = exports.AdapterAlreadyRegisteredError = exports.ConflictError = exports.LockAcquisitionError = exports.ValidationError = exports.NamespaceViolationError = exports.IdentityVerificationError = exports.NetworkAIError = exports.LogLevel = exports.Logger = exports.McpInProcessTransport = exports.McpBridgeRouter = exports.McpBridgeClient = exports.McpBlackboardBridge = exports.FederatedBudget = exports.isFlushable = exports.ConsistentBackend = exports.mergeEntry = exports.compareClock = exports.isConcurrent = exports.happensBefore = exports.mergeClock = exports.tickClock = exports.CrdtBackend = exports.RedisBackend = exports.MemoryBackend = exports.FileBackend = exports.CustomAdapter = exports.MCPAdapter = exports.CrewAIAdapter = exports.AutoGenAdapter = exports.LangChainAdapter = exports.OpenClawAdapter = exports.BaseAdapter = exports.AdapterRegistry = exports.QualityGateAgent = exports.BlackboardValidator = exports.TaskDecomposer = exports.AuthGuardian = exports.SharedBlackboard = exports.SwarmOrchestrator = void 0;
-exports.NemoClawAdapter = exports.MiniMaxAdapter = exports.CodexAdapter = exports.A2AAdapter = exports.CustomStreamingAdapter = exports.LangChainStreamingAdapter = exports.collectStream = exports.StreamingBaseAdapter = exports.ControlMcpTools = exports.ExtendedMcpTools = exports.McpBlackboardBridgeAdapter = exports.McpCombinedBridge = exports.McpSseTransport = exports.McpSseServer = exports.BLACKBOARD_TOOL_DEFINITIONS = exports.registerBlackboardTools = exports.BlackboardMCPTools = exports.parsePlanJSON = exports.topologicalLayers = exports.validateDAG = exports.createLLMPlanner = exports.runTeam = exports.TeamRunner = exports.GoalDecomposer = exports.adaptiveStrategy = exports.StrategyAgent = exports.WorkloadPartitioner = exports.AgentPool = exports.ansi = exports.ConsoleUI = exports.RuntimeExecutionError = exports.RuntimeApprovalError = exports.RuntimePolicyError = exports.AgentRuntime = exports.ApprovalGate = exports.FileAccessor = exports.ShellExecutor = exports.SandboxPolicy = exports.FanOutFanIn = exports.ConfidenceFilter = exports.PhasePipeline = exports.SemanticMemory = exports.SkillComposer = exports.matchToolPattern = exports.matchGlob = exports.AdapterHookManager = exports.QAOrchestratorAgent = exports.ComplianceMonitor = void 0;
+exports.BaseAdapter = exports.AdapterRegistry = exports.validateJsonSchema = exports.QualityGateAgent = exports.BlackboardValidator = exports.NoOpAuthValidator = exports.ComparisonRunner = exports.CoverageReporter = exports.AgentVCR = exports.compileGoal = exports.validateGoal = exports.goalFromObject = exports.parseGoal = exports.MockAgentRegistry = exports.startPlayground = exports.FileJobStore = exports.JobQueue = exports.SwarmTransportClient = exports.SwarmTransportServer = exports.createAdapterTestSuite = exports.ApprovalInbox = exports.AgentDebate = exports.SpeculativeExecutor = exports.LearningLoop = exports.SharedLongTermMemory = exports.ProceduralMemory = exports.EpisodicMemory = exports.AgentMemory = exports.OrchestratorLifecycleHooks = exports.ConfigWatcher = exports.DryRunSimulator = exports.LookupCostModel = exports.CostGovernor = exports.AnomalyDetector = exports.TimelineScrubber = exports.CostHeatmap = exports.createOrchestratorMetrics = exports.Histogram = exports.Gauge = exports.Counter = exports.MetricsRegistry = exports.SpanStatus = exports.OTelBridge = exports.AgentConversationLog = exports.OrchestratorEventBus = exports.ExplainabilityTracer = exports.TaskDecomposer = exports.AuthGuardian = exports.SharedBlackboard = exports.SwarmOrchestrator = void 0;
+exports.matchGlob = exports.AdapterHookManager = exports.QAOrchestratorAgent = exports.ComplianceMonitor = exports.WORKFLOW_STATES = exports.createDeliveryPipelineFSM = exports.ComplianceViolationError = exports.ComplianceMiddleware = exports.ToolAuthorizationMatrix = exports.JourneyFSM = exports.mapErrorToSkillResult = exports.TimeoutError = exports.ParallelLimitError = exports.AdapterNotInitializedError = exports.AdapterNotFoundError = exports.AdapterAlreadyRegisteredError = exports.ConflictError = exports.LockAcquisitionError = exports.ValidationError = exports.NamespaceViolationError = exports.IdentityVerificationError = exports.NetworkAIError = exports.LogLevel = exports.Logger = exports.McpInProcessTransport = exports.McpBridgeRouter = exports.McpBridgeClient = exports.McpBlackboardBridge = exports.FederatedBudget = exports.isFlushable = exports.ConsistentBackend = exports.mergeEntry = exports.compareClock = exports.isConcurrent = exports.happensBefore = exports.mergeClock = exports.tickClock = exports.CrdtBackend = exports.RedisBackend = exports.MemoryBackend = exports.FileBackend = exports.HttpClientTransport = exports.StdioClientTransport = exports.MCPToolConsumer = exports.CustomAdapter = exports.MCPAdapter = exports.CrewAIAdapter = exports.AutoGenAdapter = exports.LangChainAdapter = exports.OpenClawAdapter = void 0;
+exports.MiniMaxAdapter = exports.CodexAdapter = exports.A2AAdapter = exports.CustomStreamingAdapter = exports.LangChainStreamingAdapter = exports.collectStream = exports.StreamingBaseAdapter = exports.ControlMcpTools = exports.ExtendedMcpTools = exports.McpBlackboardBridgeAdapter = exports.McpCombinedBridge = exports.McpSseTransport = exports.McpSseServer = exports.BLACKBOARD_TOOL_DEFINITIONS = exports.registerBlackboardTools = exports.BlackboardMCPTools = exports.QuadTree = exports.ControlPlane = exports.WorkTreeDashboard = exports.WorkTreeUI = exports.WorkTree = exports.DashboardServer = exports.TopologyTracker = exports.parsePlanJSON = exports.topologicalLayers = exports.validateDAG = exports.createLLMPlanner = exports.runTeam = exports.TeamRunner = exports.GoalDecomposer = exports.adaptiveStrategy = exports.StrategyAgent = exports.WorkloadPartitioner = exports.AgentPool = exports.ansi = exports.ConsoleUI = exports.RuntimeExecutionError = exports.RuntimeApprovalError = exports.RuntimePolicyError = exports.AgentRuntime = exports.ApprovalGate = exports.FileAccessor = exports.ShellExecutor = exports.SandboxPolicy = exports.FanOutFanIn = exports.ConfidenceFilter = exports.PhasePipeline = exports.SemanticMemory = exports.SkillComposer = exports.matchToolPattern = void 0;
+exports.OrchestratorAdapter = exports.BrowserAgentAdapter = exports.PydanticAIAdapter = exports.VertexAIAdapter = exports.OpenAIAgentsAdapter = exports.AnthropicComputerUseAdapter = exports.LangGraphAdapter = exports.CopilotAdapter = exports.NemoClawAdapter = void 0;
 exports.createSwarmOrchestrator = createSwarmOrchestrator;
 exports.getConfig = getConfig;
 exports.setConfig = setConfig;
@@ -27,1069 +29,24 @@ const consistency_1 = require("./lib/consistency");
 const blackboard_validator_1 = require("./lib/blackboard-validator");
 const logger_1 = require("./lib/logger");
 const errors_1 = require("./lib/errors");
+// Extracted modules (Phase 1.1 — split god-file)
+const shared_blackboard_1 = require("./lib/shared-blackboard");
+const auth_guardian_1 = require("./lib/auth-guardian");
+const explainability_1 = require("./lib/explainability");
+const event_bus_1 = require("./lib/event-bus");
+const agent_conversation_1 = require("./lib/agent-conversation");
+const otel_bridge_1 = require("./lib/otel-bridge");
+const metrics_1 = require("./lib/metrics");
+const cost_heatmap_1 = require("./lib/cost-heatmap");
+const anomaly_detector_1 = require("./lib/anomaly-detector");
+const lifecycle_hooks_1 = require("./lib/lifecycle-hooks");
+const task_decomposer_1 = require("./lib/task-decomposer");
+const orchestrator_types_1 = require("./lib/orchestrator-types");
 const log = logger_1.Logger.create('SwarmOrchestrator');
-// ============================================================================
-// CONFIGURATION
-// ============================================================================
-const CONFIG = {
-    blackboardPath: './swarm-blackboard.md',
-    maxParallelAgents: Infinity,
-    defaultTimeout: 30000,
-    enableTracing: true,
-    grantTokenTTL: 300000, // 5 minutes in milliseconds
-    maxBlackboardValueSize: 1024 * 1024, // 1 MB max per entry
-    auditLogPath: './data/audit_log.jsonl',
-    trustConfigPath: './data/trust_levels.json',
-};
-// ============================================================================
-// DEFAULT RESOURCE PROFILES -- Universal, domain-agnostic
-// Users can override/extend these for any domain (coding, finance, devops, etc.)
-// ============================================================================
-const DEFAULT_RESOURCE_PROFILES = {
-    // --- Financial / Enterprise ---
-    SAP_API: { baseRisk: 0.5, defaultRestrictions: ['read_only', 'max_records:100'], description: 'SAP enterprise API' },
-    FINANCIAL_API: { baseRisk: 0.7, defaultRestrictions: ['read_only', 'no_pii_fields', 'audit_required'], description: 'Financial data API' },
-    DATA_EXPORT: { baseRisk: 0.6, defaultRestrictions: ['anonymize_pii', 'local_only'], description: 'Data export operations' },
-    // --- Coding / Development ---
-    FILE_SYSTEM: { baseRisk: 0.5, defaultRestrictions: ['workspace_only', 'no_system_dirs', 'max_file_size:10mb'], description: 'Read/write files in workspace' },
-    SHELL_EXEC: { baseRisk: 0.8, defaultRestrictions: ['sandbox_only', 'no_sudo', 'timeout:30s', 'audit_required'], description: 'Execute shell commands' },
-    GIT: { baseRisk: 0.4, defaultRestrictions: ['local_repo_only', 'no_force_push'], description: 'Git operations' },
-    PACKAGE_MANAGER: { baseRisk: 0.6, defaultRestrictions: ['audit_required', 'no_global_install', 'lockfile_required'], description: 'npm/pip/cargo package management' },
-    BUILD_TOOL: { baseRisk: 0.5, defaultRestrictions: ['workspace_only', 'timeout:120s'], description: 'Build and compilation' },
-    // --- Infrastructure / DevOps ---
-    DOCKER: { baseRisk: 0.7, defaultRestrictions: ['no_privileged', 'no_host_network', 'audit_required'], description: 'Container operations' },
-    CLOUD_DEPLOY: { baseRisk: 0.9, defaultRestrictions: ['staging_only', 'approval_required', 'rollback_ready'], description: 'Cloud deployment' },
-    DATABASE: { baseRisk: 0.6, defaultRestrictions: ['read_only', 'max_records:1000', 'no_schema_changes'], description: 'Database access' },
-    // --- Communication / External ---
-    EXTERNAL_SERVICE: { baseRisk: 0.4, defaultRestrictions: ['rate_limit:10_per_minute'], description: 'External API calls' },
-    EMAIL: { baseRisk: 0.5, defaultRestrictions: ['rate_limit:5_per_minute', 'no_attachments'], description: 'Email sending' },
-    WEBHOOK: { baseRisk: 0.4, defaultRestrictions: ['allowed_domains_only', 'no_credentials'], description: 'Webhook dispatch' },
-};
-const DEFAULT_AGENT_TRUST = [
-    { agentId: 'orchestrator', trustLevel: 0.9, allowedNamespaces: ['*'], allowedResources: ['*'] },
-    { agentId: 'data_analyst', trustLevel: 0.8, allowedNamespaces: ['task:', 'analytics:', 'agent:'], allowedResources: ['SAP_API', 'DATABASE', 'DATA_EXPORT', 'EXTERNAL_SERVICE'] },
-    { agentId: 'strategy_advisor', trustLevel: 0.7, allowedNamespaces: ['task:', 'strategy:'], allowedResources: ['EXTERNAL_SERVICE', 'DATA_EXPORT'] },
-    { agentId: 'risk_assessor', trustLevel: 0.85, allowedNamespaces: ['task:', 'risk:', 'analytics:'], allowedResources: ['EXTERNAL_SERVICE', 'DATABASE'] },
-    // Coding agents
-    { agentId: 'code_writer', trustLevel: 0.75, allowedNamespaces: ['task:', 'code:', 'build:'], allowedResources: ['FILE_SYSTEM', 'GIT', 'BUILD_TOOL', 'PACKAGE_MANAGER'] },
-    { agentId: 'code_reviewer', trustLevel: 0.8, allowedNamespaces: ['task:', 'code:', 'review:'], allowedResources: ['FILE_SYSTEM', 'GIT'] },
-    { agentId: 'test_runner', trustLevel: 0.75, allowedNamespaces: ['task:', 'test:', 'build:'], allowedResources: ['FILE_SYSTEM', 'SHELL_EXEC', 'BUILD_TOOL'] },
-    { agentId: 'devops_agent', trustLevel: 0.7, allowedNamespaces: ['task:', 'deploy:', 'infra:'], allowedResources: ['DOCKER', 'SHELL_EXEC', 'CLOUD_DEPLOY', 'GIT'] },
-];
-// ============================================================================
-// BLACKBOARD MANAGEMENT -- Secured with LockedBlackboard, identity verification,
-// namespace scoping, value validation, and input sanitization
-// ============================================================================
-/**
- * Namespace-scoped, identity-verified shared state for multi-agent coordination.
- *
- * Every write is identity-verified (agent token), namespace-checked,
- * size-validated, input-sanitized, and atomically persisted through
- * {@link LockedBlackboard}.
- *
- * @example
- * ```typescript
- * const bb = new SharedBlackboard('./workspace');
- * bb.registerAgent('analyst', 'secret-token', ['task:', 'analytics:']);
- * bb.write('task:revenue', { q4: 42_000 }, 'analyst', 3600, 'secret-token');
- * const entry = bb.read('task:revenue');
- * ```
- */
-class SharedBlackboard {
-    backend;
-    agentTokens = new Map(); // agentId -> verified token
-    agentNamespaces = new Map(); // agentId -> allowed prefixes
-    constructor(backendOrPath) {
-        if (typeof backendOrPath === 'string') {
-            if (!backendOrPath || backendOrPath.trim() === '') {
-                throw new errors_1.ValidationError('basePath must be a non-empty string');
-            }
-            this.backend = new blackboard_backend_1.FileBackend(backendOrPath);
-        }
-        else {
-            if (!backendOrPath || typeof backendOrPath !== 'object') {
-                throw new errors_1.ValidationError('backend must be a BlackboardBackend instance');
-            }
-            this.backend = backendOrPath;
-        }
-    }
-    /**
-     * Register a verified agent identity. Only agents with registered tokens
-     * can write to the blackboard. The orchestrator registers agents after
-     * verifying their identity through the AuthGuardian.
-     */
-    registerAgent(agentId, verificationToken, allowedNamespaces = ['*']) {
-        if (!agentId || typeof agentId !== 'string' || agentId.trim() === '') {
-            throw new errors_1.ValidationError('agentId must be a non-empty string');
-        }
-        if (!verificationToken || typeof verificationToken !== 'string') {
-            throw new errors_1.ValidationError('verificationToken must be a non-empty string');
-        }
-        if (!Array.isArray(allowedNamespaces)) {
-            throw new errors_1.ValidationError('allowedNamespaces must be an array of strings');
-        }
-        this.agentTokens.set(agentId, verificationToken);
-        this.agentNamespaces.set(agentId, allowedNamespaces);
-    }
-    /**
-     * Check if an agent is allowed to access a key based on namespace rules.
-     */
-    canAccessKey(agentId, key) {
-        const namespaces = this.agentNamespaces.get(agentId);
-        if (!namespaces)
-            return false;
-        if (namespaces.includes('*'))
-            return true;
-        return namespaces.some(ns => key.startsWith(ns));
-    }
-    /**
-     * Verify that the calling agent is who they claim to be.
-     */
-    verifyAgent(agentId, token) {
-        const registeredToken = this.agentTokens.get(agentId);
-        // If no token system is configured for this agent, allow (backward compat)
-        if (!registeredToken)
-            return true;
-        return token === registeredToken;
-    }
-    /**
-     * Validate value size and structure before writing.
-     * Prevents DoS via oversized writes and circular data.
-     */
-    validateValue(value) {
-        try {
-            const serialized = JSON.stringify(value);
-            if (serialized.length > CONFIG.maxBlackboardValueSize) {
-                return { valid: false, reason: `Value exceeds max size (${serialized.length} > ${CONFIG.maxBlackboardValueSize} bytes)` };
-            }
-            return { valid: true };
-        }
-        catch {
-            return { valid: false, reason: 'Value cannot be serialized (circular reference or invalid structure)' };
-        }
-    }
-    /**
-     * Sanitize a key to prevent markdown injection.
-     */
-    sanitizeKey(key) {
-        // Keys must be safe for markdown headings -- no #, newlines, or markdown syntax
-        return key.replace(/[#\n\r|`]/g, '_').slice(0, 256);
-    }
-    /**
-     * Read an entry from the blackboard by key.
-     *
-     * @param key - The entry key to look up
-     * @returns The entry, or `null` if not found or expired
-     * @throws {@link ValidationError} if `key` is not a non-empty string
-     */
-    read(key) {
-        if (!key || typeof key !== 'string') {
-            throw new errors_1.ValidationError('key must be a non-empty string');
-        }
-        const entry = this.backend.read(key);
-        if (!entry)
-            return null;
-        // Normalize field name for backward compatibility
-        return {
-            key: entry.key,
-            value: entry.value,
-            sourceAgent: entry.source_agent ?? entry.sourceAgent ?? 'unknown',
-            timestamp: entry.timestamp,
-            ttl: entry.ttl,
-        };
-    }
-    /**
-     * Write to the blackboard with identity verification, namespace checks,
-     * value validation, and input sanitization. Uses LockedBlackboard for
-     * atomic file-system writes.
-     *
-     * @param key - The key to write
-     * @param value - The value (will be sanitized and size-checked)
-     * @param sourceAgent - Agent claiming to write (verified against registered token)
-     * @param ttl - Optional TTL in seconds
-     * @param agentToken - Optional verification token for identity check
-     */
-    write(key, value, sourceAgent, ttl, agentToken) {
-        // 1. Verify agent identity
-        if (!this.verifyAgent(sourceAgent, agentToken)) {
-            throw new errors_1.IdentityVerificationError(sourceAgent);
-        }
-        // 2. Namespace check
-        if (!this.canAccessKey(sourceAgent, key)) {
-            throw new errors_1.NamespaceViolationError(sourceAgent, key);
-        }
-        // 3. Sanitize key
-        const safeKey = this.sanitizeKey(key);
-        // 4. Validate value size/structure
-        const validation = this.validateValue(value);
-        if (!validation.valid) {
-            throw new errors_1.ValidationError(validation.reason);
-        }
-        // 5. Sanitize value -- strip injection payloads from string content
-        let sanitizedValue;
-        try {
-            sanitizedValue = security_1.InputSanitizer.sanitizeObject(value);
-        }
-        catch {
-            sanitizedValue = value; // Fall back to raw if sanitization can't handle it
-        }
-        // 6. Write through backend (atomic when using FileBackend; in-memory for MemoryBackend)
-        const entry = this.backend.write(safeKey, sanitizedValue, sourceAgent, ttl);
-        // Normalize for backward compat
-        return {
-            key: entry.key,
-            value: entry.value,
-            sourceAgent: entry.source_agent ?? sourceAgent,
-            timestamp: entry.timestamp,
-            ttl: entry.ttl,
-        };
-    }
-    /**
-     * Check whether a key exists on the blackboard (not expired).
-     * @param key - The entry key to check
-     */
-    exists(key) {
-        return this.read(key) !== null;
-    }
-    /**
-     * Get a full snapshot of all blackboard entries.
-     */
-    getSnapshot() {
-        const raw = this.backend.getSnapshot();
-        const normalized = {};
-        for (const [key, entry] of Object.entries(raw)) {
-            normalized[key] = {
-                key: entry.key,
-                value: entry.value,
-                sourceAgent: entry.source_agent ?? entry.sourceAgent ?? 'unknown',
-                timestamp: entry.timestamp,
-                ttl: entry.ttl,
-            };
-        }
-        return normalized;
-    }
-    /**
-     * Get a namespace-scoped snapshot -- only returns keys an agent is allowed to see.
-     * Prevents data leakage between agents.
-     */
-    getScopedSnapshot(agentId) {
-        if (!agentId || typeof agentId !== 'string') {
-            throw new errors_1.ValidationError('agentId must be a non-empty string');
-        }
-        const full = this.getSnapshot();
-        const scoped = {};
-        for (const [key, entry] of Object.entries(full)) {
-            if (this.canAccessKey(agentId, key)) {
-                scoped[key] = entry;
-            }
-        }
-        return scoped;
-    }
-    /**
-     * Clear all entries (for testing).
-     */
-    clear() {
-        // Write an empty state through locked backend
-        const keys = this.backend.listKeys();
-        for (const key of keys) {
-            this.backend.delete(key);
-        }
-    }
-}
-exports.SharedBlackboard = SharedBlackboard;
-// ============================================================================
-// AUTH GUARDIAN - UNIVERSAL PERMISSION WALL IMPLEMENTATION
-// Now domain-agnostic: resource types, risk profiles, trust levels, and
-// restrictions are all configurable. Works for coding, finance, devops, etc.
-// Integrates with SecureSwarmGateway for HMAC tokens, rate limiting, 
-// input sanitization, and cryptographic audit logs.
-// ============================================================================
-/**
- * Universal permission wall for multi-agent systems.
- *
- * Evaluates permission requests using a weighted formula of justification
- * quality (40%), agent trust level (30%), and risk score (30%).
- * Resource types, risk profiles, trust levels, and restrictions are all
- * configurable — works for coding, finance, DevOps, or any domain.
- *
- * @example
- * ```typescript
- * const guardian = new AuthGuardian({
- *   trustLevels: [{ agentId: 'analyst', trustLevel: 0.8 }],
- *   resourceProfiles: { CUSTOM_API: { baseRisk: 0.5, defaultRestrictions: ['audit_required'] } },
- * });
- *
- * const grant = await guardian.requestPermission(
- *   'analyst', 'CUSTOM_API', 'Need to fetch Q4 revenue data for report', 'read'
- * );
- * if (grant.granted) {
- *   // Use grant.grantToken to prove authorization
- * }
- * ```
- */
-class AuthGuardian {
-    activeGrants = new Map();
-    agentTrustLevels = new Map();
-    agentTrustConfigs = new Map();
-    resourceProfiles = new Map();
-    auditLog = [];
-    auditLogPath;
-    trustConfigPath;
-    signingAlgorithm;
-    hmacSecret;
-    ed25519PrivateKey;
-    ed25519PublicKey;
-    constructor(options) {
-        this.auditLogPath = options?.auditLogPath ?? CONFIG.auditLogPath;
-        this.trustConfigPath = options?.trustConfigPath ?? CONFIG.trustConfigPath;
-        this.signingAlgorithm = options?.algorithm ?? 'hmac-sha256';
-        if (this.signingAlgorithm === 'ed25519') {
-            const { publicKey, privateKey } = (0, crypto_1.generateKeyPairSync)('ed25519');
-            this.ed25519PrivateKey = privateKey;
-            this.ed25519PublicKey = publicKey;
-            this.hmacSecret = '';
-        }
-        else {
-            this.ed25519PrivateKey = null;
-            this.ed25519PublicKey = null;
-            this.hmacSecret = options?.hmacSecret ?? (0, crypto_1.randomUUID)();
-        }
-        // Load resource profiles (user-provided + defaults)
-        const profiles = { ...DEFAULT_RESOURCE_PROFILES, ...(options?.resourceProfiles ?? {}) };
-        for (const [name, profile] of Object.entries(profiles)) {
-            this.resourceProfiles.set(name, profile);
-        }
-        // Load trust levels (try disk first, then user-provided, then defaults)
-        const trustConfigs = options?.trustLevels ?? this.loadTrustFromDisk() ?? DEFAULT_AGENT_TRUST;
-        for (const config of trustConfigs) {
-            this.agentTrustLevels.set(config.agentId, config.trustLevel);
-            this.agentTrustConfigs.set(config.agentId, config);
-        }
-        // Load existing audit log from disk
-        this.loadAuditFromDisk();
-    }
-    /**
-     * Register a new resource type at runtime.
-     * Makes the system extensible for any domain.
-     */
-    registerResourceType(name, profile) {
-        if (!name || typeof name !== 'string' || name.trim() === '') {
-            throw new errors_1.ValidationError('resource name must be a non-empty string');
-        }
-        if (!profile || typeof profile !== 'object' || typeof profile.baseRisk !== 'number') {
-            throw new errors_1.ValidationError('profile must be an object with a numeric baseRisk');
-        }
-        if (profile.baseRisk < 0 || profile.baseRisk > 1) {
-            throw new errors_1.ValidationError('profile.baseRisk must be between 0 and 1');
-        }
-        if (!Array.isArray(profile.defaultRestrictions)) {
-            throw new errors_1.ValidationError('profile.defaultRestrictions must be an array');
-        }
-        this.resourceProfiles.set(name, profile);
-    }
-    /**
-     * Register or update an agent's trust configuration at runtime.
-     */
-    registerAgentTrust(config) {
-        if (!config || typeof config !== 'object') {
-            throw new errors_1.ValidationError('config must be an object');
-        }
-        if (!config.agentId || typeof config.agentId !== 'string' || config.agentId.trim() === '') {
-            throw new errors_1.ValidationError('config.agentId must be a non-empty string');
-        }
-        if (typeof config.trustLevel !== 'number' || config.trustLevel < 0 || config.trustLevel > 1) {
-            throw new errors_1.ValidationError('config.trustLevel must be a number between 0 and 1');
-        }
-        this.agentTrustLevels.set(config.agentId, config.trustLevel);
-        this.agentTrustConfigs.set(config.agentId, config);
-        this.persistTrustToDisk();
-    }
-    /**
-     * Request permission to access a resource.
-     * resourceType is now a free string -- validated against registered profiles.
-     */
-    async requestPermission(agentId, resourceType, justification, scope) {
-        if (!agentId || typeof agentId !== 'string') {
-            throw new errors_1.ValidationError('agentId must be a non-empty string');
-        }
-        if (!resourceType || typeof resourceType !== 'string') {
-            throw new errors_1.ValidationError('resourceType must be a non-empty string');
-        }
-        if (!justification || typeof justification !== 'string') {
-            throw new errors_1.ValidationError('justification must be a non-empty string');
-        }
-        // Sanitize inputs
-        let safeAgentId;
-        let safeJustification;
-        try {
-            safeAgentId = security_1.InputSanitizer.sanitizeAgentId(agentId);
-            safeJustification = security_1.InputSanitizer.sanitizeString(justification, 2000);
-        }
-        catch {
-            safeAgentId = agentId.replace(/[^a-zA-Z0-9_-]/g, '').slice(0, 64) || 'unknown';
-            safeJustification = justification.slice(0, 2000);
-        }
-        this.log('permission_request', { agentId: safeAgentId, resourceType, justification: safeJustification, scope });
-        // Check if agent is allowed to access this resource type
-        const agentConfig = this.agentTrustConfigs.get(safeAgentId);
-        if (agentConfig && agentConfig.allowedResources && !agentConfig.allowedResources.includes('*')) {
-            if (!agentConfig.allowedResources.includes(resourceType)) {
-                this.log('permission_denied', { agentId: safeAgentId, resourceType, reason: 'resource_not_in_allowlist' });
-                return {
-                    granted: false,
-                    grantToken: null,
-                    expiresAt: null,
-                    restrictions: [],
-                    reason: `Agent '${safeAgentId}' is not authorized to access '${resourceType}'. Allowed: ${agentConfig.allowedResources.join(', ')}`,
-                };
-            }
-        }
-        // Evaluate the permission request
-        const evaluation = this.evaluateRequest(safeAgentId, resourceType, safeJustification, scope);
-        if (!evaluation.approved) {
-            this.log('permission_denied', { agentId: safeAgentId, resourceType, reason: evaluation.reason });
-            return {
-                granted: false,
-                grantToken: null,
-                expiresAt: null,
-                restrictions: [],
-                reason: evaluation.reason,
-            };
-        }
-        // Generate grant token
-        const grantToken = this.generateGrantToken();
-        const expiresAt = new Date(Date.now() + CONFIG.grantTokenTTL).toISOString();
-        const grant = {
-            grantToken,
-            resourceType,
-            agentId: safeAgentId,
-            expiresAt,
-            restrictions: evaluation.restrictions,
-            scope,
-        };
-        this.activeGrants.set(grantToken, grant);
-        this.log('permission_granted', { grantToken, agentId: safeAgentId, resourceType, expiresAt, restrictions: evaluation.restrictions });
-        return {
-            granted: true,
-            grantToken,
-            expiresAt,
-            restrictions: evaluation.restrictions,
-        };
-    }
-    /**
-     * Validate a grant token and return `true` if it is active and not expired.
-     *
-     * @param token - The grant token to validate
-     * @returns `true` if the token is valid, `false` otherwise
-     */
-    validateToken(token) {
-        if (!token || typeof token !== 'string')
-            return false;
-        const grant = this.activeGrants.get(token);
-        if (!grant)
-            return false;
-        if (new Date(grant.expiresAt) < new Date()) {
-            this.activeGrants.delete(token);
-            return false;
-        }
-        return true;
-    }
-    /**
-     * Validate a token and return the bound restrictions and scope.
-     * Used to enforce restrictions at the point of use.
-     */
-    /**
-     * Validate a token and return the full grant object (including restrictions
-     * and scope) for point-of-use enforcement.
-     *
-     * @param token - The grant token to validate
-     * @returns The grant details, or `null` if invalid/expired
-     */
-    validateTokenWithGrant(token) {
-        if (!token || typeof token !== 'string')
-            return null;
-        const grant = this.activeGrants.get(token);
-        if (!grant)
-            return null;
-        if (new Date(grant.expiresAt) < new Date()) {
-            this.activeGrants.delete(token);
-            return null;
-        }
-        return grant;
-    }
-    /**
-     * Enforce restrictions on an operation. Returns an error string if
-     * the operation violates any restriction, or null if allowed.
-     */
-    /**
-     * Enforce restrictions on an operation. Returns an error string if
-     * the operation violates any restriction, or `null` if all restrictions pass.
-     *
-     * @param grantToken  - The grant token authorizing the operation
-     * @param operation   - Description of the operation to check against restrictions
-     * @returns Error message string if a restriction is violated, or `null` if allowed
-     */
-    enforceRestrictions(grantToken, operation) {
-        if (!grantToken || typeof grantToken !== 'string') {
-            return 'Invalid or expired grant token';
-        }
-        const grant = this.validateTokenWithGrant(grantToken);
-        if (!grant)
-            return 'Invalid or expired grant token';
-        for (const restriction of grant.restrictions) {
-            // Enforce read_only
-            if (restriction === 'read_only' && operation.type && operation.type !== 'read') {
-                return `Restriction 'read_only' violated: attempted '${operation.type}'`;
-            }
-            // Enforce max_records
-            const maxRecordsMatch = restriction.match(/^max_records:(\d+)$/);
-            if (maxRecordsMatch && operation.recordCount) {
-                const max = parseInt(maxRecordsMatch[1], 10);
-                if (operation.recordCount > max) {
-                    return `Restriction '${restriction}' violated: requested ${operation.recordCount} records`;
-                }
-            }
-            // Enforce sandbox_only
-            if (restriction === 'sandbox_only' && operation.targetPath) {
-                if (/^\/|^[A-Z]:\\(?:Windows|Program)/i.test(operation.targetPath)) {
-                    return `Restriction 'sandbox_only' violated: path '${operation.targetPath}' is outside sandbox`;
-                }
-            }
-            // Enforce no_sudo
-            if (restriction === 'no_sudo' && operation.command) {
-                if (/\bsudo\b/i.test(operation.command)) {
-                    return `Restriction 'no_sudo' violated: command contains sudo`;
-                }
-            }
-            // Enforce workspace_only
-            if (restriction === 'workspace_only' && operation.targetPath) {
-                if (/\.\.[/\\]/.test(operation.targetPath)) {
-                    return `Restriction 'workspace_only' violated: path traversal detected`;
-                }
-            }
-            // Enforce no_system_dirs
-            if (restriction === 'no_system_dirs' && operation.targetPath) {
-                if (/(?:\/etc|\/usr|\/var|\\Windows|\\System32)/i.test(operation.targetPath)) {
-                    return `Restriction 'no_system_dirs' violated: system directory access`;
-                }
-            }
-            // Enforce no_attachments
-            if (restriction === 'no_attachments' && operation.hasAttachments) {
-                return `Restriction 'no_attachments' violated`;
-            }
-        }
-        return null; // All restrictions passed
-    }
-    /**
-     * Revoke a grant token, immediately invalidating it.
-     * Silently no-ops if the token doesn't exist.
-     *
-     * @param token - The grant token to revoke
-     */
-    revokeToken(token) {
-        this.activeGrants.delete(token);
-        this.log('permission_revoked', { token });
-    }
-    evaluateRequest(agentId, resourceType, justification, scope) {
-        // 1. Justification Quality (40% weight) -- now includes resource-relevance
-        const justificationScore = this.scoreJustification(justification, resourceType);
-        if (justificationScore < 0.3) {
-            return {
-                approved: false,
-                reason: 'Justification is insufficient. Please provide specific task context.',
-                restrictions: [],
-            };
-        }
-        // 2. Agent Trust Level (30% weight)
-        const trustLevel = this.agentTrustLevels.get(agentId) ?? 0.5;
-        if (trustLevel < 0.4) {
-            return {
-                approved: false,
-                reason: 'Agent trust level is below threshold. Escalate to human operator.',
-                restrictions: [],
-            };
-        }
-        // 3. Risk Assessment (30% weight)
-        const riskScore = this.assessRisk(resourceType, scope);
-        if (riskScore > 0.8) {
-            return {
-                approved: false,
-                reason: 'Risk assessment exceeds acceptable threshold. Narrow the requested scope.',
-                restrictions: [],
-            };
-        }
-        // Get restrictions from resource profile (data-driven, not hardcoded)
-        const profile = this.resourceProfiles.get(resourceType);
-        const restrictions = profile
-            ? [...profile.defaultRestrictions]
-            : ['audit_required']; // Unknown resources get audited by default
-        // Calculate weighted approval
-        const weightedScore = (justificationScore * 0.4) + (trustLevel * 0.3) + ((1 - riskScore) * 0.3);
-        const approved = weightedScore >= 0.5;
-        return {
-            approved,
-            reason: approved ? undefined : 'Combined evaluation score below threshold.',
-            restrictions,
-        };
-    }
-    /**
-     * Improved justification scoring with resource-relevance checking.
-     * Prevents trivial gaming by verifying the justification mentions
-     * concepts relevant to the requested resource.
-     */
-    scoreJustification(justification, resourceType) {
-        let score = 0;
-        // Length scoring
-        if (justification.length > 20)
-            score += 0.15;
-        if (justification.length > 50)
-            score += 0.15;
-        // Intent keywords
-        if (/task|purpose|need|require|generate|analyze|process|build|deploy|test|review/i.test(justification))
-            score += 0.15;
-        // Specificity keywords
-        if (/specific|particular|exact|for\s+the|in\s+order\s+to|because|so\s+that/i.test(justification))
-            score += 0.15;
-        // Penalty for vague/test phrasing
-        if (/^test$|^debug$|^try$|^just\s+testing/i.test(justification.trim()))
-            score -= 0.3;
-        // Resource-relevance check: does the justification mention anything related
-        // to the requested resource? (+0.2 bonus for relevant context)
-        if (resourceType) {
-            const relevancePatterns = {
-                SAP_API: /sap|erp|invoice|procurement|purchase|material|vendor/i,
-                FINANCIAL_API: /financ|revenue|budget|accounting|payment|ledger|balance/i,
-                DATA_EXPORT: /export|report|csv|download|extract|migrate/i,
-                FILE_SYSTEM: /file|read|write|save|load|path|directory|workspace/i,
-                SHELL_EXEC: /command|script|compile|build|run|execute|terminal/i,
-                GIT: /git|commit|branch|merge|pull|push|repository|diff/i,
-                PACKAGE_MANAGER: /package|install|dependency|npm|pip|cargo|module/i,
-                BUILD_TOOL: /build|compile|webpack|tsc|make|gradle|cargo/i,
-                DOCKER: /container|docker|image|deploy|service|compose/i,
-                CLOUD_DEPLOY: /deploy|cloud|staging|production|release|infrastructure/i,
-                DATABASE: /database|query|sql|table|record|schema|migration/i,
-                EXTERNAL_SERVICE: /api|service|endpoint|webhook|request|fetch/i,
-                EMAIL: /email|mail|send|notification|alert|message/i,
-                WEBHOOK: /webhook|callback|notification|event|dispatch/i,
-            };
-            const pattern = relevancePatterns[resourceType];
-            if (pattern && pattern.test(justification)) {
-                score += 0.2;
-            }
-            else if (pattern && !pattern.test(justification)) {
-                // Justification doesn't mention anything relevant -- small penalty
-                score -= 0.1;
-            }
-        }
-        // Bonus for mentioning a task/ticket ID
-        if (/(?:task|ticket|issue|jira|pr|bug)[_\-#]?\s*\d+/i.test(justification))
-            score += 0.1;
-        return Math.max(0, Math.min(score, 1));
-    }
-    assessRisk(resourceType, scope) {
-        // Look up base risk from registered profile (not hardcoded)
-        const profile = this.resourceProfiles.get(resourceType);
-        let risk = profile?.baseRisk ?? 0.5; // Unknown resources get medium risk
-        // Broad scopes increase risk
-        if (!scope || scope === '*' || scope === 'all') {
-            risk += 0.2;
-        }
-        // Write/delete operations increase risk
-        if (scope && /write|delete|update|modify|execute|deploy/i.test(scope)) {
-            risk += 0.2;
-        }
-        return Math.min(risk, 1);
-    }
-    generateGrantToken() {
-        const id = (0, crypto_1.randomUUID)().replace(/-/g, '');
-        const payload = `grant_${id}`;
-        if (this.signingAlgorithm === 'ed25519' && this.ed25519PrivateKey) {
-            const sig = (0, crypto_1.sign)(null, Buffer.from(payload), this.ed25519PrivateKey).toString('base64url');
-            return `${payload}.${sig}`;
-        }
-        // HMAC: append signature so tokens are tamper-evident
-        const sig = (0, crypto_1.createHmac)('sha256', this.hmacSecret).update(payload).digest('base64url');
-        return `${payload}.${sig}`;
-    }
-    /**
-     * Verify a grant token's cryptographic signature.
-     * For Ed25519 tokens, this can be done by any party holding the public key.
-     * For HMAC tokens, only the issuing AuthGuardian can verify.
-     *
-     * @param token - The grant token to verify
-     * @returns `true` if the signature is valid
-     */
-    verifyTokenSignature(token) {
-        const dotIndex = token.lastIndexOf('.');
-        if (dotIndex === -1)
-            return false;
-        const payload = token.slice(0, dotIndex);
-        const sig = token.slice(dotIndex + 1);
-        if (this.signingAlgorithm === 'ed25519' && this.ed25519PublicKey) {
-            try {
-                return (0, crypto_1.verify)(null, Buffer.from(payload), this.ed25519PublicKey, Buffer.from(sig, 'base64url'));
-            }
-            catch {
-                return false;
-            }
-        }
-        const expected = (0, crypto_1.createHmac)('sha256', this.hmacSecret).update(payload).digest('base64url');
-        // Constant-time comparison
-        if (expected.length !== sig.length)
-            return false;
-        let result = 0;
-        for (let i = 0; i < expected.length; i++) {
-            result |= expected.charCodeAt(i) ^ sig.charCodeAt(i);
-        }
-        return result === 0;
-    }
-    /**
-     * Get the signing algorithm used by this AuthGuardian instance.
-     */
-    getSigningAlgorithm() {
-        return this.signingAlgorithm;
-    }
-    /**
-     * Export the Ed25519 public key in PEM format for third-party verification.
-     * Returns `null` if the instance uses HMAC signing.
-     */
-    exportPublicKey() {
-        if (!this.ed25519PublicKey)
-            return null;
-        return this.ed25519PublicKey.export({ type: 'spki', format: 'pem' });
-    }
-    log(action, details) {
-        const entry = {
-            timestamp: new Date().toISOString(),
-            action,
-            details,
-        };
-        this.auditLog.push(entry);
-        // Persist to disk
-        try {
-            const dir = (0, path_1.join)('.', 'data');
-            if (!(0, fs_1.existsSync)(dir)) {
-                require('fs').mkdirSync(dir, { recursive: true });
-            }
-            (0, fs_1.appendFileSync)(this.auditLogPath, JSON.stringify(entry) + '\n');
-        }
-        catch {
-            // Non-fatal -- log is also in memory
-        }
-    }
-    /**
-     * Get all active (non-expired) permission grants.
-     * Automatically cleans up expired grants before returning.
-     */
-    getActiveGrants() {
-        // Clean expired grants
-        const now = new Date();
-        for (const [token, grant] of this.activeGrants.entries()) {
-            if (new Date(grant.expiresAt) < now) {
-                this.activeGrants.delete(token);
-            }
-        }
-        return Array.from(this.activeGrants.values());
-    }
-    /**
-     * Get the full audit log of permission decisions.
-     * Returns a defensive copy.
-     */
-    getAuditLog() {
-        return [...this.auditLog];
-    }
-    /**
-     * Get all registered resource profiles.
-     */
-    getResourceProfiles() {
-        return Object.fromEntries(this.resourceProfiles);
-    }
-    /**
-     * Get the allowed namespaces for an agent (used by blackboard scoping).
-     */
-    getAgentNamespaces(agentId) {
-        if (!agentId || typeof agentId !== 'string')
-            return ['task:'];
-        const config = this.agentTrustConfigs.get(agentId);
-        return config?.allowedNamespaces ?? ['task:'];
-    }
-    // ---- Persistence helpers ----
-    loadTrustFromDisk() {
-        try {
-            if ((0, fs_1.existsSync)(this.trustConfigPath)) {
-                const raw = (0, fs_1.readFileSync)(this.trustConfigPath, 'utf-8');
-                return JSON.parse(raw);
-            }
-        }
-        catch { /* ignore */ }
-        return null;
-    }
-    persistTrustToDisk() {
-        try {
-            const dir = (0, path_1.join)('.', 'data');
-            if (!(0, fs_1.existsSync)(dir)) {
-                require('fs').mkdirSync(dir, { recursive: true });
-            }
-            const configs = Array.from(this.agentTrustConfigs.values());
-            (0, fs_1.writeFileSync)(this.trustConfigPath, JSON.stringify(configs, null, 2));
-        }
-        catch {
-            // Non-fatal
-        }
-    }
-    loadAuditFromDisk() {
-        try {
-            if ((0, fs_1.existsSync)(this.auditLogPath)) {
-                const raw = (0, fs_1.readFileSync)(this.auditLogPath, 'utf-8');
-                const lines = raw.trim().split('\n').filter(l => l);
-                for (const line of lines) {
-                    try {
-                        this.auditLog.push(JSON.parse(line));
-                    }
-                    catch { /* skip malformed */ }
-                }
-            }
-        }
-        catch { /* ignore */ }
-    }
-}
-exports.AuthGuardian = AuthGuardian;
-// ============================================================================
-// TASK DECOMPOSITION ENGINE
-// ============================================================================
-/**
- * Decomposes complex tasks into parallel sub-agent executions.
- *
- * Supports four synthesis strategies (`merge`, `vote`, `chain`, `first-success`)
- * and caches results on the blackboard to avoid redundant work.
- * Routes each sub-task through the {@link AdapterRegistry} so any
- * registered framework can participate.
- */
-class TaskDecomposer {
-    blackboard;
-    authGuardian;
-    adapterRegistry;
-    constructor(blackboard, authGuardian, adapterRegistry) {
-        if (!blackboard || !(blackboard instanceof SharedBlackboard)) {
-            throw new errors_1.ValidationError('blackboard must be an instance of SharedBlackboard');
-        }
-        if (!authGuardian || !(authGuardian instanceof AuthGuardian)) {
-            throw new errors_1.ValidationError('authGuardian must be an instance of AuthGuardian');
-        }
-        if (!adapterRegistry || !(adapterRegistry instanceof adapter_registry_1.AdapterRegistry)) {
-            throw new errors_1.ValidationError('adapterRegistry must be an instance of AdapterRegistry');
-        }
-        this.blackboard = blackboard;
-        this.authGuardian = authGuardian;
-        this.adapterRegistry = adapterRegistry;
-    }
-    /**
-     * Decomposes a complex task into parallel sub-agent calls
-     * This is the "Wall Breaker" - transforms impossible monolithic tasks
-     * into manageable parallel executions
-     */
-    async executeParallel(tasks, synthesisStrategy = 'merge', context) {
-        if (!tasks || !Array.isArray(tasks)) {
-            throw new errors_1.ValidationError('tasks must be an array');
-        }
-        if (tasks.length === 0) {
-            throw new errors_1.ValidationError('tasks array must not be empty');
-        }
-        if (!context || typeof context !== 'object' || !context.agentId) {
-            throw new errors_1.ValidationError('context is required and must include agentId');
-        }
-        // No hard parallel limit — caller controls concurrency via task count
-        const startTime = Date.now();
-        const individualResults = [];
-        // Check blackboard for cached results first
-        const cachedTasks = [];
-        const uncachedTasks = [];
-        for (const task of tasks) {
-            const cacheKey = `task:${task.agentType}:${this.hashPayload(task.taskPayload)}`;
-            const cached = this.blackboard.read(cacheKey);
-            if (cached) {
-                individualResults.push({
-                    agentType: task.agentType,
-                    success: true,
-                    result: cached.value,
-                    executionTime: 0, // From cache
-                });
-                cachedTasks.push(task);
-            }
-            else {
-                uncachedTasks.push(task);
-            }
-        }
-        // Execute uncached tasks in parallel using Promise.all
-        if (uncachedTasks.length > 0) {
-            const parallelPromises = uncachedTasks.map(task => this.executeSingleTask(task, context));
-            const results = await Promise.all(parallelPromises);
-            for (let i = 0; i < results.length; i++) {
-                const task = uncachedTasks[i];
-                const result = results[i];
-                individualResults.push(result);
-                // Cache successful results
-                if (result.success) {
-                    const cacheKey = `task:${task.agentType}:${this.hashPayload(task.taskPayload)}`;
-                    this.blackboard.write(cacheKey, result.result, context.agentId, 3600, 'system-orchestrator-token'); // 1 hour TTL
-                }
-            }
-        }
-        // Synthesize results based on strategy
-        const synthesizedResult = this.synthesize(individualResults, synthesisStrategy);
-        const totalTime = Date.now() - startTime;
-        const successCount = individualResults.filter(r => r.success).length;
-        return {
-            synthesizedResult,
-            individualResults,
-            executionMetrics: {
-                totalTime,
-                successRate: successCount / individualResults.length,
-                synthesisStrategy,
-            },
-        };
-    }
-    async executeSingleTask(task, context) {
-        const taskStart = Date.now();
-        try {
-            // Build the handoff message
-            const handoff = {
-                handoffId: (0, crypto_1.randomUUID)(),
-                sourceAgent: context.agentId,
-                targetAgent: task.agentType,
-                taskType: 'delegate',
-                payload: task.taskPayload,
-                metadata: {
-                    priority: 1,
-                    deadline: Date.now() + CONFIG.defaultTimeout,
-                    parentTaskId: context.taskId ?? null,
-                },
-            };
-            // Sanitize the instruction before sending to adapter
-            let sanitizedInstruction = task.taskPayload.instruction;
-            try {
-                sanitizedInstruction = security_1.InputSanitizer.sanitizeString(task.taskPayload.instruction, 10000);
-            }
-            catch { /* use original if sanitization fails */ }
-            // Use namespace-scoped snapshot -- target agent only sees keys it's allowed to see
-            const scopedSnapshot = this.blackboard.getScopedSnapshot(task.agentType);
-            // Route through the adapter registry (framework-agnostic)
-            const agentPayload = {
-                action: 'execute',
-                params: {},
-                handoff: {
-                    handoffId: handoff.handoffId,
-                    sourceAgent: handoff.sourceAgent,
-                    targetAgent: handoff.targetAgent,
-                    taskType: handoff.taskType,
-                    instruction: sanitizedInstruction,
-                    context: handoff.payload.context,
-                    constraints: handoff.payload.constraints,
-                    expectedOutput: handoff.payload.expectedOutput,
-                    metadata: handoff.metadata,
-                },
-                blackboardSnapshot: scopedSnapshot,
-            };
-            const agentContext = {
-                agentId: context.agentId,
-                taskId: context.taskId,
-                sessionId: context.sessionId,
-            };
-            const result = await this.adapterRegistry.executeAgent(task.agentType, agentPayload, agentContext);
-            // Sanitize adapter output before returning/caching
-            let sanitizedData = result.data;
-            try {
-                sanitizedData = security_1.InputSanitizer.sanitizeObject(result.data);
-            }
-            catch { /* use raw if sanitization fails */ }
-            return {
-                agentType: task.agentType,
-                success: true,
-                result: sanitizedData,
-                executionTime: Date.now() - taskStart,
-            };
-        }
-        catch (error) {
-            return {
-                agentType: task.agentType,
-                success: false,
-                result: {
-                    error: error instanceof Error ? error.message : 'Unknown error',
-                    recoverable: true,
-                },
-                executionTime: Date.now() - taskStart,
-            };
-        }
-    }
-    synthesize(results, strategy) {
-        const successfulResults = results.filter(r => r.success);
-        if (successfulResults.length === 0) {
-            return {
-                error: 'All parallel tasks failed',
-                individualErrors: results.map(r => ({
-                    agent: r.agentType,
-                    error: r.result,
-                })),
-            };
-        }
-        switch (strategy) {
-            case 'merge':
-                // Combine all results into a unified object
-                return {
-                    merged: true,
-                    contributions: successfulResults.map(r => ({
-                        source: r.agentType,
-                        data: r.result,
-                    })),
-                    summary: this.generateMergeSummary(successfulResults),
-                };
-            case 'vote':
-                // Return the result with highest "confidence" (simplified: most data)
-                const scored = successfulResults.map(r => ({
-                    result: r,
-                    score: JSON.stringify(r.result).length,
-                }));
-                scored.sort((a, b) => b.score - a.score);
-                return {
-                    voted: true,
-                    winner: scored[0].result.agentType,
-                    result: scored[0].result.result,
-                };
-            case 'chain':
-                // Results should already be ordered; return the final one
-                return {
-                    chained: true,
-                    finalResult: successfulResults[successfulResults.length - 1].result,
-                    chainLength: successfulResults.length,
-                };
-            case 'first-success':
-                // Return the first successful result
-                return {
-                    firstSuccess: true,
-                    source: successfulResults[0].agentType,
-                    result: successfulResults[0].result,
-                };
-            default:
-                return successfulResults.map(r => r.result);
-        }
-    }
-    generateMergeSummary(results) {
-        const agents = results.map(r => r.agentType).join(', ');
-        return `Synthesized from ${results.length} agents: ${agents}`;
-    }
-    hashPayload(payload) {
-        // Simple hash for cache key generation
-        const str = JSON.stringify(payload);
-        let hash = 0;
-        for (let i = 0; i < str.length; i++) {
-            const char = str.charCodeAt(i);
-            hash = ((hash << 5) - hash) + char;
-            hash = hash & hash;
-        }
-        return Math.abs(hash).toString(16);
-    }
-}
-exports.TaskDecomposer = TaskDecomposer;
+// Types, interfaces, CONFIG, and default profiles are now in ./lib/orchestrator-types.ts
+// SharedBlackboard is now in ./lib/shared-blackboard.ts
+// AuthGuardian is now in ./lib/auth-guardian.ts
+// TaskDecomposer is now in ./lib/task-decomposer.ts
 // ============================================================================
 // SWARM ORCHESTRATOR - MAIN SKILL IMPLEMENTATION
 // ============================================================================
@@ -1124,6 +81,15 @@ class SwarmOrchestrator {
     agentRegistry = new Map();
     gateway;
     qualityGate;
+    injectionShield;
+    tracer;
+    eventBus;
+    conversationLog;
+    otel;
+    metrics;
+    heatmap;
+    anomalyDetector;
+    lifecycleHooks;
     /** Named isolated blackboards, keyed by board name */
     namedBlackboards = new Map();
     /** Root workspace path -- used as the parent for named board subdirectories */
@@ -1138,19 +104,28 @@ class SwarmOrchestrator {
             throw new errors_1.ValidationError('workspacePath must not be empty');
         }
         this._workspacePath = workspacePath;
-        this.blackboard = new SharedBlackboard(workspacePath);
-        this.authGuardian = new AuthGuardian({
+        this.blackboard = new shared_blackboard_1.SharedBlackboard(workspacePath);
+        this.authGuardian = new auth_guardian_1.AuthGuardian({
             trustLevels: options?.trustLevels,
             resourceProfiles: options?.resourceProfiles,
         });
         this.adapters = adapterRegistry ?? new adapter_registry_1.AdapterRegistry();
-        this.taskDecomposer = new TaskDecomposer(this.blackboard, this.authGuardian, this.adapters);
+        this.taskDecomposer = new task_decomposer_1.TaskDecomposer(this.blackboard, this.authGuardian, this.adapters);
         this.gateway = new security_1.SecureSwarmGateway();
         this.qualityGate = new blackboard_validator_1.QualityGateAgent({
             validationConfig: options?.validationConfig,
             qualityThreshold: options?.qualityThreshold,
             aiReviewCallback: options?.aiReviewCallback,
         });
+        this.injectionShield = new security_1.PromptInjectionShield();
+        this.tracer = new explainability_1.ExplainabilityTracer();
+        this.eventBus = new event_bus_1.OrchestratorEventBus({ snapshotInterval: 100 });
+        this.conversationLog = new agent_conversation_1.AgentConversationLog();
+        this.otel = new otel_bridge_1.OTelBridge();
+        this.metrics = (0, metrics_1.createOrchestratorMetrics)();
+        this.heatmap = new cost_heatmap_1.CostHeatmap();
+        this.anomalyDetector = new anomaly_detector_1.AnomalyDetector();
+        this.lifecycleHooks = new lifecycle_hooks_1.OrchestratorLifecycleHooks();
         // Register the orchestrator agent on the blackboard with full access
         this.blackboard.registerAgent('orchestrator', 'system-orchestrator-token', ['*']);
     }
@@ -1219,7 +194,7 @@ class SwarmOrchestrator {
         }
         // Use sanitized params from gateway
         const safeParams = gatewayResult.sanitizedParams ?? params;
-        if (CONFIG.enableTracing) {
+        if (orchestrator_types_1.CONFIG.enableTracing) {
             try {
                 this.blackboard.write(`trace:${traceId}`, {
                     action,
@@ -1276,14 +251,59 @@ class SwarmOrchestrator {
         const targetAgent = params.targetAgent;
         const taskPayload = params.taskPayload;
         const priority = params.priority ?? 'normal';
-        const timeout = params.timeout ?? CONFIG.defaultTimeout;
+        const timeout = params.timeout ?? orchestrator_types_1.CONFIG.defaultTimeout;
         const requiresAuth = params.requiresAuth ?? false;
         const resourceType = params.resourceType ?? 'EXTERNAL_SERVICE';
+        const delegationTraceId = this.tracer.record({
+            source: 'SwarmOrchestrator',
+            decision: 'delegation_start',
+            outcome: 'initiated',
+            agentId: context.agentId,
+            factors: [
+                { name: 'targetAgent', value: targetAgent },
+                { name: 'priority', value: priority },
+                { name: 'requiresAuth', value: requiresAuth },
+                { name: 'timeout', value: timeout },
+            ],
+        });
+        this.eventBus.publish('orchestrator', 'delegation_start', 'info', {
+            targetAgent, priority, requiresAuth, timeout, traceId: delegationTraceId,
+        }, context.agentId, delegationTraceId);
+        this.metrics.delegationsTotal.inc({ agent: targetAgent });
+        const delegationStartMs = Date.now();
+        // Orchestrator-level beforeSpawn hook
+        const spawnCtx = await this.lifecycleHooks.runBeforeSpawn({
+            agentId: targetAgent,
+            instruction: taskPayload.instruction,
+            priority,
+            requiresAuth,
+            metadata: { timeout, resourceType },
+            aborted: false,
+        });
+        if (spawnCtx.aborted) {
+            return {
+                success: false,
+                error: {
+                    code: 'LIFECYCLE_ABORTED',
+                    message: spawnCtx.abortReason ?? 'Aborted by beforeSpawn hook',
+                    recoverable: true,
+                },
+            };
+        }
         // Check permission wall if required -- now returns bound restrictions
         let grantToken = null;
         if (requiresAuth) {
             const authResult = await this.authGuardian.requestPermission(context.agentId, resourceType, `Delegating task to ${targetAgent}: ${taskPayload.instruction}`, 'delegate');
             if (!authResult.granted) {
+                this.tracer.record({
+                    source: 'AuthGuardian', decision: 'permission_check', outcome: 'denied',
+                    agentId: context.agentId, parentTraceId: delegationTraceId,
+                    factors: [{ name: 'reason', value: authResult.reason }],
+                });
+                this.eventBus.publish('auth', 'permission_denied', 'warn', {
+                    reason: authResult.reason, resourceType,
+                }, context.agentId, delegationTraceId);
+                this.metrics.permissionDenials.inc({ agent: context.agentId });
                 return {
                     success: false,
                     error: {
@@ -1349,6 +369,31 @@ class SwarmOrchestrator {
                 sanitizedInstruction = security_1.InputSanitizer.sanitizeString(taskPayload.instruction, 10000);
             }
             catch { /* use original if sanitization fails */ }
+            // Prompt injection detection
+            const injectionResult = this.injectionShield.analyze(sanitizedInstruction);
+            if (!injectionResult.safe) {
+                this.tracer.record({
+                    source: 'PromptInjectionShield', decision: 'injection_scan', outcome: 'blocked',
+                    agentId: context.agentId, parentTraceId: delegationTraceId,
+                    factors: [
+                        { name: 'score', value: injectionResult.score },
+                        { name: 'matchedRules', value: injectionResult.matchedRules },
+                    ],
+                });
+                this.eventBus.publish('injection', 'blocked', 'error', {
+                    score: injectionResult.score, rules: injectionResult.matchedRules,
+                }, context.agentId, delegationTraceId);
+                this.metrics.injectionBlocks.inc({ agent: context.agentId });
+                return {
+                    success: false,
+                    error: {
+                        code: 'PROMPT_INJECTION_BLOCKED',
+                        message: `Prompt injection detected (score=${injectionResult.score.toFixed(2)}, rules: ${injectionResult.matchedRules.join(', ')})`,
+                        recoverable: true,
+                        suggestedAction: 'Rephrase the instruction to remove injection patterns',
+                    },
+                };
+            }
             // P1: Namespace-scoped snapshot -- target agent only sees keys it's allowed to see
             const scopedSnapshot = this.blackboard.getScopedSnapshot(targetAgent);
             const agentPayload = {
@@ -1372,10 +417,13 @@ class SwarmOrchestrator {
                 taskId: context.taskId,
                 sessionId: context.sessionId,
             };
+            const otelSpan = this.otel.startDelegation(context.agentId, targetAgent, handoff.handoffId);
             const result = await Promise.race([
                 this.adapters.executeAgent(targetAgent, agentPayload, agentContext),
                 this.timeoutPromise(timeout),
             ]);
+            otelSpan.setAttribute('agent.result.success', result.success);
+            otelSpan.end();
             // P1: Sanitize adapter output before caching
             let sanitizedResult = result;
             try {
@@ -1387,7 +435,19 @@ class SwarmOrchestrator {
                 taskInstruction: taskPayload.instruction,
                 expectedOutput: taskPayload.expectedOutput,
             });
+            this.tracer.record({
+                source: 'QualityGateAgent', decision: 'quality_gate', outcome: gateResult.decision,
+                agentId: targetAgent, parentTraceId: delegationTraceId,
+                factors: [
+                    { name: 'score', value: gateResult.validation.score },
+                    { name: 'issueCount', value: gateResult.validation.issues.length },
+                ],
+            });
+            this.eventBus.publish('quality', gateResult.decision, gateResult.decision === 'reject' ? 'warn' : 'info', {
+                score: gateResult.validation.score, issueCount: gateResult.validation.issues.length,
+            }, targetAgent, delegationTraceId);
             if (gateResult.decision === 'reject') {
+                this.metrics.qualityRejections.inc({ agent: targetAgent });
                 return {
                     success: false,
                     error: {
@@ -1419,6 +479,35 @@ class SwarmOrchestrator {
             }
             // Approved -- cache result
             this.blackboard.write(cacheKey, sanitizedResult, context.agentId, 1800, 'system-orchestrator-token'); // 30 min TTL
+            this.metrics.delegationDurationMs.observe({ agent: targetAgent }, Date.now() - delegationStartMs);
+            this.heatmap.record(targetAgent, {
+                durationMs: Date.now() - delegationStartMs,
+                inputTokens: 0, outputTokens: 0, success: true,
+            });
+            this.anomalyDetector.observe(targetAgent, {
+                latencyMs: Date.now() - delegationStartMs, tokens: 0, success: true,
+            });
+            const resultMeta = sanitizedResult?.metadata;
+            this.conversationLog.recordTurn(targetAgent, {
+                instruction: taskPayload.instruction,
+                result: JSON.stringify(sanitizedResult).slice(0, 2000),
+                success: true,
+                tokensUsed: resultMeta?.tokensUsed,
+                executionTimeMs: resultMeta?.executionTimeMs,
+                adapter: resultMeta?.adapter,
+                qualityDecision: gateResult.decision,
+                correlationId: delegationTraceId,
+                sourceAgent: context.agentId,
+            });
+            // Orchestrator-level afterComplete hook
+            await this.lifecycleHooks.runAfterComplete({
+                agentId: targetAgent,
+                instruction: taskPayload.instruction,
+                result: sanitizedResult,
+                durationMs: Date.now() - delegationStartMs,
+                tokensUsed: resultMeta?.tokensUsed ?? 0,
+                metadata: { qualityDecision: gateResult.decision },
+            });
             return {
                 success: true,
                 data: {
@@ -1434,6 +523,29 @@ class SwarmOrchestrator {
             };
         }
         catch (error) {
+            this.metrics.delegationErrors.inc({ agent: targetAgent });
+            this.conversationLog.recordTurn(targetAgent, {
+                instruction: taskPayload.instruction,
+                success: false,
+                errorCode: 'DELEGATION_FAILED',
+                correlationId: delegationTraceId,
+                sourceAgent: context.agentId,
+            });
+            this.eventBus.publish('orchestrator', 'delegation_failed', 'error', {
+                error: error instanceof Error ? error.message : 'unknown',
+            }, targetAgent, delegationTraceId);
+            // Orchestrator-level onFailure hook
+            const failCtx = await this.lifecycleHooks.runOnFailure({
+                agentId: targetAgent,
+                instruction: taskPayload.instruction,
+                error: error instanceof Error ? error : String(error),
+                durationMs: Date.now() - delegationStartMs,
+                metadata: {},
+                suppress: false,
+            });
+            if (failCtx.suppress) {
+                return { success: true, data: { status: 'suppressed', agentTrace: [context.agentId, targetAgent] } };
+            }
             return {
                 success: false,
                 error: {
@@ -1707,7 +819,7 @@ class SwarmOrchestrator {
             selectedBackend = new consistency_1.ConsistentBackend(selectedBackend, options.consistency);
             log.info('Named blackboard wrapped with ConsistentBackend', { name, consistency: options.consistency });
         }
-        board = new SharedBlackboard(selectedBackend);
+        board = new shared_blackboard_1.SharedBlackboard(selectedBackend);
         // Register the orchestrator agent on this board
         board.registerAgent('orchestrator', 'system-orchestrator-token', options?.allowedNamespaces ?? ['*']);
         this.namedBlackboards.set(name, board);
@@ -1816,10 +928,85 @@ exports.SwarmOrchestrator = SwarmOrchestrator;
 // ============================================================================
 // Default export for OpenClaw skill loader (backward compatible)
 exports.default = SwarmOrchestrator;
+// Named exports for direct usage (re-exported from extracted modules)
+var shared_blackboard_2 = require("./lib/shared-blackboard");
+Object.defineProperty(exports, "SharedBlackboard", { enumerable: true, get: function () { return shared_blackboard_2.SharedBlackboard; } });
+var auth_guardian_2 = require("./lib/auth-guardian");
+Object.defineProperty(exports, "AuthGuardian", { enumerable: true, get: function () { return auth_guardian_2.AuthGuardian; } });
+var task_decomposer_2 = require("./lib/task-decomposer");
+Object.defineProperty(exports, "TaskDecomposer", { enumerable: true, get: function () { return task_decomposer_2.TaskDecomposer; } });
+var explainability_2 = require("./lib/explainability");
+Object.defineProperty(exports, "ExplainabilityTracer", { enumerable: true, get: function () { return explainability_2.ExplainabilityTracer; } });
+var event_bus_2 = require("./lib/event-bus");
+Object.defineProperty(exports, "OrchestratorEventBus", { enumerable: true, get: function () { return event_bus_2.OrchestratorEventBus; } });
+var agent_conversation_2 = require("./lib/agent-conversation");
+Object.defineProperty(exports, "AgentConversationLog", { enumerable: true, get: function () { return agent_conversation_2.AgentConversationLog; } });
+var otel_bridge_2 = require("./lib/otel-bridge");
+Object.defineProperty(exports, "OTelBridge", { enumerable: true, get: function () { return otel_bridge_2.OTelBridge; } });
+Object.defineProperty(exports, "SpanStatus", { enumerable: true, get: function () { return otel_bridge_2.SpanStatus; } });
+var metrics_2 = require("./lib/metrics");
+Object.defineProperty(exports, "MetricsRegistry", { enumerable: true, get: function () { return metrics_2.MetricsRegistry; } });
+Object.defineProperty(exports, "Counter", { enumerable: true, get: function () { return metrics_2.Counter; } });
+Object.defineProperty(exports, "Gauge", { enumerable: true, get: function () { return metrics_2.Gauge; } });
+Object.defineProperty(exports, "Histogram", { enumerable: true, get: function () { return metrics_2.Histogram; } });
+Object.defineProperty(exports, "createOrchestratorMetrics", { enumerable: true, get: function () { return metrics_2.createOrchestratorMetrics; } });
+var cost_heatmap_2 = require("./lib/cost-heatmap");
+Object.defineProperty(exports, "CostHeatmap", { enumerable: true, get: function () { return cost_heatmap_2.CostHeatmap; } });
+var timeline_scrubber_1 = require("./lib/timeline-scrubber");
+Object.defineProperty(exports, "TimelineScrubber", { enumerable: true, get: function () { return timeline_scrubber_1.TimelineScrubber; } });
+var anomaly_detector_2 = require("./lib/anomaly-detector");
+Object.defineProperty(exports, "AnomalyDetector", { enumerable: true, get: function () { return anomaly_detector_2.AnomalyDetector; } });
+var cost_governor_1 = require("./lib/cost-governor");
+Object.defineProperty(exports, "CostGovernor", { enumerable: true, get: function () { return cost_governor_1.CostGovernor; } });
+Object.defineProperty(exports, "LookupCostModel", { enumerable: true, get: function () { return cost_governor_1.LookupCostModel; } });
+var dry_run_1 = require("./lib/dry-run");
+Object.defineProperty(exports, "DryRunSimulator", { enumerable: true, get: function () { return dry_run_1.DryRunSimulator; } });
+var config_watcher_1 = require("./lib/config-watcher");
+Object.defineProperty(exports, "ConfigWatcher", { enumerable: true, get: function () { return config_watcher_1.ConfigWatcher; } });
+var lifecycle_hooks_2 = require("./lib/lifecycle-hooks");
+Object.defineProperty(exports, "OrchestratorLifecycleHooks", { enumerable: true, get: function () { return lifecycle_hooks_2.OrchestratorLifecycleHooks; } });
+var agent_memory_1 = require("./lib/agent-memory");
+Object.defineProperty(exports, "AgentMemory", { enumerable: true, get: function () { return agent_memory_1.AgentMemory; } });
+Object.defineProperty(exports, "EpisodicMemory", { enumerable: true, get: function () { return agent_memory_1.EpisodicMemory; } });
+Object.defineProperty(exports, "ProceduralMemory", { enumerable: true, get: function () { return agent_memory_1.ProceduralMemory; } });
+Object.defineProperty(exports, "SharedLongTermMemory", { enumerable: true, get: function () { return agent_memory_1.SharedLongTermMemory; } });
+var learning_loop_1 = require("./lib/learning-loop");
+Object.defineProperty(exports, "LearningLoop", { enumerable: true, get: function () { return learning_loop_1.LearningLoop; } });
+var speculative_executor_1 = require("./lib/speculative-executor");
+Object.defineProperty(exports, "SpeculativeExecutor", { enumerable: true, get: function () { return speculative_executor_1.SpeculativeExecutor; } });
+var agent_debate_1 = require("./lib/agent-debate");
+Object.defineProperty(exports, "AgentDebate", { enumerable: true, get: function () { return agent_debate_1.AgentDebate; } });
+var approval_inbox_1 = require("./lib/approval-inbox");
+Object.defineProperty(exports, "ApprovalInbox", { enumerable: true, get: function () { return approval_inbox_1.ApprovalInbox; } });
+var adapter_test_harness_1 = require("./lib/adapter-test-harness");
+Object.defineProperty(exports, "createAdapterTestSuite", { enumerable: true, get: function () { return adapter_test_harness_1.createAdapterTestSuite; } });
+var swarm_transport_1 = require("./lib/swarm-transport");
+Object.defineProperty(exports, "SwarmTransportServer", { enumerable: true, get: function () { return swarm_transport_1.SwarmTransportServer; } });
+Object.defineProperty(exports, "SwarmTransportClient", { enumerable: true, get: function () { return swarm_transport_1.SwarmTransportClient; } });
+var job_queue_1 = require("./lib/job-queue");
+Object.defineProperty(exports, "JobQueue", { enumerable: true, get: function () { return job_queue_1.JobQueue; } });
+Object.defineProperty(exports, "FileJobStore", { enumerable: true, get: function () { return job_queue_1.FileJobStore; } });
+var playground_1 = require("./lib/playground");
+Object.defineProperty(exports, "startPlayground", { enumerable: true, get: function () { return playground_1.startPlayground; } });
+Object.defineProperty(exports, "MockAgentRegistry", { enumerable: true, get: function () { return playground_1.MockAgentRegistry; } });
+var goal_dsl_1 = require("./lib/goal-dsl");
+Object.defineProperty(exports, "parseGoal", { enumerable: true, get: function () { return goal_dsl_1.parseGoal; } });
+Object.defineProperty(exports, "goalFromObject", { enumerable: true, get: function () { return goal_dsl_1.goalFromObject; } });
+Object.defineProperty(exports, "validateGoal", { enumerable: true, get: function () { return goal_dsl_1.validateGoal; } });
+Object.defineProperty(exports, "compileGoal", { enumerable: true, get: function () { return goal_dsl_1.compileGoal; } });
+var agent_vcr_1 = require("./lib/agent-vcr");
+Object.defineProperty(exports, "AgentVCR", { enumerable: true, get: function () { return agent_vcr_1.AgentVCR; } });
+var coverage_reporter_1 = require("./lib/coverage-reporter");
+Object.defineProperty(exports, "CoverageReporter", { enumerable: true, get: function () { return coverage_reporter_1.CoverageReporter; } });
+var comparison_runner_1 = require("./lib/comparison-runner");
+Object.defineProperty(exports, "ComparisonRunner", { enumerable: true, get: function () { return comparison_runner_1.ComparisonRunner; } });
+var auth_validator_1 = require("./lib/auth-validator");
+Object.defineProperty(exports, "NoOpAuthValidator", { enumerable: true, get: function () { return auth_validator_1.NoOpAuthValidator; } });
 // Quality gate & validation exports
 var blackboard_validator_2 = require("./lib/blackboard-validator");
 Object.defineProperty(exports, "BlackboardValidator", { enumerable: true, get: function () { return blackboard_validator_2.BlackboardValidator; } });
 Object.defineProperty(exports, "QualityGateAgent", { enumerable: true, get: function () { return blackboard_validator_2.QualityGateAgent; } });
+Object.defineProperty(exports, "validateJsonSchema", { enumerable: true, get: function () { return blackboard_validator_2.validateJsonSchema; } });
 // Adapter system re-exports for convenience
 var adapter_registry_2 = require("./adapters/adapter-registry");
 Object.defineProperty(exports, "AdapterRegistry", { enumerable: true, get: function () { return adapter_registry_2.AdapterRegistry; } });
@@ -1837,6 +1024,10 @@ var mcp_adapter_1 = require("./adapters/mcp-adapter");
 Object.defineProperty(exports, "MCPAdapter", { enumerable: true, get: function () { return mcp_adapter_1.MCPAdapter; } });
 var custom_adapter_1 = require("./adapters/custom-adapter");
 Object.defineProperty(exports, "CustomAdapter", { enumerable: true, get: function () { return custom_adapter_1.CustomAdapter; } });
+var mcp_tool_consumer_1 = require("./lib/mcp-tool-consumer");
+Object.defineProperty(exports, "MCPToolConsumer", { enumerable: true, get: function () { return mcp_tool_consumer_1.MCPToolConsumer; } });
+Object.defineProperty(exports, "StdioClientTransport", { enumerable: true, get: function () { return mcp_tool_consumer_1.StdioClientTransport; } });
+Object.defineProperty(exports, "HttpClientTransport", { enumerable: true, get: function () { return mcp_tool_consumer_1.HttpClientTransport; } });
 // Phase 5 Part 2: Pluggable Backend API
 var blackboard_backend_2 = require("./lib/blackboard-backend");
 Object.defineProperty(exports, "FileBackend", { enumerable: true, get: function () { return blackboard_backend_2.FileBackend; } });
@@ -1884,6 +1075,7 @@ Object.defineProperty(exports, "AdapterNotFoundError", { enumerable: true, get:
 Object.defineProperty(exports, "AdapterNotInitializedError", { enumerable: true, get: function () { return errors_2.AdapterNotInitializedError; } });
 Object.defineProperty(exports, "ParallelLimitError", { enumerable: true, get: function () { return errors_2.ParallelLimitError; } });
 Object.defineProperty(exports, "TimeoutError", { enumerable: true, get: function () { return errors_2.TimeoutError; } });
+Object.defineProperty(exports, "mapErrorToSkillResult", { enumerable: true, get: function () { return errors_2.mapErrorToSkillResult; } });
 // ============================================================================
 // Phase 4: Behavioral Control Plane
 // ============================================================================
@@ -1950,6 +1142,26 @@ Object.defineProperty(exports, "createLLMPlanner", { enumerable: true, get: func
 Object.defineProperty(exports, "validateDAG", { enumerable: true, get: function () { return goal_decomposer_1.validateDAG; } });
 Object.defineProperty(exports, "topologicalLayers", { enumerable: true, get: function () { return goal_decomposer_1.topologicalLayers; } });
 Object.defineProperty(exports, "parsePlanJSON", { enumerable: true, get: function () { return goal_decomposer_1.parsePlanJSON; } });
+// Live Agent Topology — Real-time agent graph + dashboard (Phase 11)
+var topology_1 = require("./lib/topology");
+Object.defineProperty(exports, "TopologyTracker", { enumerable: true, get: function () { return topology_1.TopologyTracker; } });
+var dashboard_server_1 = require("./lib/dashboard-server");
+Object.defineProperty(exports, "DashboardServer", { enumerable: true, get: function () { return dashboard_server_1.DashboardServer; } });
+// WorkTree — Hierarchical task decomposition tree with rollup
+var work_tree_1 = require("./lib/work-tree");
+Object.defineProperty(exports, "WorkTree", { enumerable: true, get: function () { return work_tree_1.WorkTree; } });
+// WorkTreeUI — Terminal renderer for WorkTree hierarchies
+var work_tree_ui_1 = require("./lib/work-tree-ui");
+Object.defineProperty(exports, "WorkTreeUI", { enumerable: true, get: function () { return work_tree_ui_1.WorkTreeUI; } });
+// WorkTreeDashboard — Browser-based live WorkTree visualization
+var work_tree_dashboard_1 = require("./lib/work-tree-dashboard");
+Object.defineProperty(exports, "WorkTreeDashboard", { enumerable: true, get: function () { return work_tree_dashboard_1.WorkTreeDashboard; } });
+// ControlPlane — Multi-workspace unified dashboard
+var control_plane_1 = require("./lib/control-plane");
+Object.defineProperty(exports, "ControlPlane", { enumerable: true, get: function () { return control_plane_1.ControlPlane; } });
+// QuadTree — Barnes-Hut spatial indexing (Tier 1 scalability)
+var quadtree_1 = require("./lib/quadtree");
+Object.defineProperty(exports, "QuadTree", { enumerable: true, get: function () { return quadtree_1.QuadTree; } });
 // MCP Blackboard Tool Bindings
 var mcp_blackboard_tools_1 = require("./lib/mcp-blackboard-tools");
 Object.defineProperty(exports, "BlackboardMCPTools", { enumerable: true, get: function () { return mcp_blackboard_tools_1.BlackboardMCPTools; } });
@@ -1994,7 +1206,7 @@ function createSwarmOrchestrator(config) {
     }
     if (config) {
         const { adapters: adapterList, adapterRegistry, trustLevels, resourceProfiles, validationConfig, qualityThreshold, aiReviewCallback, ...rest } = config;
-        Object.assign(CONFIG, rest);
+        Object.assign(orchestrator_types_1.CONFIG, rest);
         const registry = adapterRegistry ?? new adapter_registry_1.AdapterRegistry();
         const orchestrator = new SwarmOrchestrator(undefined, registry, {
             trustLevels,
@@ -2013,8 +1225,8 @@ function createSwarmOrchestrator(config) {
 }
 function getConfig(key) {
     if (key !== undefined)
-        return CONFIG[key];
-    return { ...CONFIG };
+        return orchestrator_types_1.CONFIG[key];
+    return { ...orchestrator_types_1.CONFIG };
 }
 /**
  * Update a CONFIG key at runtime.  Changes take effect immediately for all
@@ -2027,7 +1239,7 @@ function getConfig(key) {
  * ```
  */
 function setConfig(key, value) {
-    CONFIG[key] = value;
+    orchestrator_types_1.CONFIG[key] = value;
 }
 // Phase 6: SSE transport + extended/control tools
 var mcp_transport_sse_1 = require("./lib/mcp-transport-sse");
@@ -2059,4 +1271,28 @@ Object.defineProperty(exports, "MiniMaxAdapter", { enumerable: true, get: functi
 // NemoClaw adapter (NVIDIA NemoClaw — sandboxed agent execution via OpenShell)
 var nemoclaw_adapter_1 = require("./adapters/nemoclaw-adapter");
 Object.defineProperty(exports, "NemoClawAdapter", { enumerable: true, get: function () { return nemoclaw_adapter_1.NemoClawAdapter; } });
+// Copilot adapter (GitHub Copilot — code generation, review, analysis)
+var copilot_adapter_1 = require("./adapters/copilot-adapter");
+Object.defineProperty(exports, "CopilotAdapter", { enumerable: true, get: function () { return copilot_adapter_1.CopilotAdapter; } });
+// LangGraph adapter
+var langgraph_adapter_1 = require("./adapters/langgraph-adapter");
+Object.defineProperty(exports, "LangGraphAdapter", { enumerable: true, get: function () { return langgraph_adapter_1.LangGraphAdapter; } });
+// Anthropic Computer Use adapter
+var anthropic_computer_use_adapter_1 = require("./adapters/anthropic-computer-use-adapter");
+Object.defineProperty(exports, "AnthropicComputerUseAdapter", { enumerable: true, get: function () { return anthropic_computer_use_adapter_1.AnthropicComputerUseAdapter; } });
+// OpenAI Agents SDK adapter
+var openai_agents_adapter_1 = require("./adapters/openai-agents-adapter");
+Object.defineProperty(exports, "OpenAIAgentsAdapter", { enumerable: true, get: function () { return openai_agents_adapter_1.OpenAIAgentsAdapter; } });
+// Vertex AI adapter
+var vertex_ai_adapter_1 = require("./adapters/vertex-ai-adapter");
+Object.defineProperty(exports, "VertexAIAdapter", { enumerable: true, get: function () { return vertex_ai_adapter_1.VertexAIAdapter; } });
+// Pydantic AI adapter
+var pydantic_ai_adapter_1 = require("./adapters/pydantic-ai-adapter");
+Object.defineProperty(exports, "PydanticAIAdapter", { enumerable: true, get: function () { return pydantic_ai_adapter_1.PydanticAIAdapter; } });
+// Browser Agent adapter
+var browser_agent_adapter_1 = require("./adapters/browser-agent-adapter");
+Object.defineProperty(exports, "BrowserAgentAdapter", { enumerable: true, get: function () { return browser_agent_adapter_1.BrowserAgentAdapter; } });
+// Orchestrator adapter (hierarchical multi-orchestrator coordination)
+var orchestrator_adapter_1 = require("./adapters/orchestrator-adapter");
+Object.defineProperty(exports, "OrchestratorAdapter", { enumerable: true, get: function () { return orchestrator_adapter_1.OrchestratorAdapter; } });
 //# sourceMappingURL=index.js.map