npm - nexus-agents - Versions diffs - 2.26.1 → 2.28.0 - Mend

nexus-agents 2.26.1 → 2.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/README.md +7 -7
package/dist/{chunk-X33QNBGA.js → chunk-E7EX2KQJ.js} +3 -5
package/dist/{chunk-X33QNBGA.js.map → chunk-E7EX2KQJ.js.map} +1 -1
package/dist/{chunk-BOWNZMPH.js → chunk-L2SHSW4T.js} +3017 -1300
package/dist/chunk-L2SHSW4T.js.map +1 -0
package/dist/{chunk-ARNVVQ5W.js → chunk-LKSTILEE.js} +1213 -117
package/dist/chunk-LKSTILEE.js.map +1 -0
package/dist/{chunk-L3LQ3RP5.js → chunk-QZEAD6AG.js} +10339 -6289
package/dist/chunk-QZEAD6AG.js.map +1 -0
package/dist/{chunk-LCHCASB7.js → chunk-UGNLR4NZ.js} +2 -2
package/dist/{chunk-UVQ7R4C4.js → chunk-YSDUVCCZ.js} +137 -717
package/dist/chunk-YSDUVCCZ.js.map +1 -0
package/dist/cli.d.ts +8 -1
package/dist/cli.js +644 -216
package/dist/cli.js.map +1 -1
package/dist/{dist-Y5F6UM2N.js → dist-H5XNXVAV.js} +1384 -1295
package/dist/dist-H5XNXVAV.js.map +1 -0
package/dist/doctor-deep-BDE2PHVX.js +11 -0
package/dist/index.d.ts +4299 -7411
package/dist/index.js +588 -132
package/dist/index.js.map +1 -1
package/dist/{setup-command-VNF3KTCJ.js → setup-command-SS7LMN7Y.js} +5 -6
package/dist/setup-config-DSMOOLVW.js +9 -0
package/dist/workflows/templates/code-review.yaml +1 -1
package/dist/workflows/templates/refactoring.yaml +1 -1
package/dist/workflows/templates/research-review.yaml +19 -4
package/dist/workflows/templates/security-audit.yaml +1 -1
package/dist/workflows/templates/standards-review.yaml +1 -1
package/package.json +12 -12
package/src/workflows/templates/code-review.yaml +1 -1
package/src/workflows/templates/refactoring.yaml +1 -1
package/src/workflows/templates/research-review.yaml +19 -4
package/src/workflows/templates/security-audit.yaml +1 -1
package/src/workflows/templates/standards-review.yaml +1 -1
package/dist/chunk-ARNVVQ5W.js.map +0 -1
package/dist/chunk-BOWNZMPH.js.map +0 -1
package/dist/chunk-L3LQ3RP5.js.map +0 -1
package/dist/chunk-LCDOP543.js +0 -365
package/dist/chunk-LCDOP543.js.map +0 -1
package/dist/chunk-PGNRXCYY.js +0 -776
package/dist/chunk-PGNRXCYY.js.map +0 -1
package/dist/chunk-UVQ7R4C4.js.map +0 -1
package/dist/dist-Y5F6UM2N.js.map +0 -1
package/dist/doctor-deep-I2J5CRFG.js +0 -13
package/dist/setup-config-VQSWWJ5O.js +0 -9
/package/dist/{chunk-LCHCASB7.js.map → chunk-UGNLR4NZ.js.map} +0 -0
/package/dist/{doctor-deep-I2J5CRFG.js.map → doctor-deep-BDE2PHVX.js.map} +0 -0
/package/dist/{setup-command-VNF3KTCJ.js.map → setup-command-SS7LMN7Y.js.map} +0 -0
/package/dist/{setup-config-VQSWWJ5O.js.map → setup-config-DSMOOLVW.js.map} +0 -0

package/dist/index.js CHANGED Viewed

@@ -3,6 +3,7 @@ import {
   ARTIFACT_TYPES,
   ActivationStrategySchema,
   AdapterModelError,
+  AgentActionSchema,
   AgentEventSchema,
   AgentFindingSchema,
   AgentMessageSchema,
@@ -28,6 +29,7 @@ import {
   AuditQueryCriteriaSchema,
   AuditResourceSchema,
   AuditSeveritySchema,
+  AuditTrail,
   AuthorizationMethodSchema,
   AvailabilityCache,
   BUILT_IN_EXPERTS,
@@ -166,6 +168,7 @@ import {
   GitHubProvider,
   GitHubReviewer,
   GitHubUserInfo,
+  GitHubUserRoleSchema,
   GraphBuilder,
   HarnessExecutor,
   HarnessExecutorError,
@@ -177,6 +180,7 @@ import {
   InMemoryAuditStorage,
   InMemoryCheckpointStore,
   IndependentSubsetSchema,
+  InjectionFlagSchema,
   InputDefinitionSchema,
   InputDefinitionSchema2,
   InputTypeSchema,
@@ -185,6 +189,7 @@ import {
   ListExpertsInputSchema,
   ListWorkflowsInputSchema,
   LoadedSkillSetSchema,
+  LockedWriter,
   LoggingConfigSchema,
   MAX_EXECUTION_TIME_MS,
   MIN_EXPERTS_FOR_PATTERN,
@@ -219,6 +224,7 @@ import {
   PatchApplicatorError,
   PathScoreBreakdownSchema,
   PathScoreSchema,
+  PersistentOutcomeStore,
   PipelineRunner,
   PlanContractSchema,
   PluginManifestSchema,
@@ -238,6 +244,8 @@ import {
   PruningStrategy,
   QualitySignalsSchema,
   REJECTION_CATEGORIES,
+  REPO_COMPLEXITY,
+  ROLE_DEFAULT_TRUST,
   RateLimiter,
   ReasoningDepthSchema,
   ReasoningNodeMetadataSchema,
@@ -250,6 +258,7 @@ import {
   RepoSecurityPlanInputSchema,
   ReportGenerationError,
   ReportGenerator,
+  ReputationCache,
   RestApiConfigSchema,
   RestApiServer,
   ResultAggregator,
@@ -266,6 +275,8 @@ import {
   SWEBenchRunnerError,
   SWE_BENCH_DATASETS,
   SWE_BENCH_SYSTEM_PROMPT,
+  SanitizedInputSchema,
+  SanitizerConfigSchema,
   ScmError,
   ScoreBreakdownSchema,
   SdkAdapter,
@@ -295,16 +306,19 @@ import {
   SkillProvenanceSchema,
   SkillRBACSchema,
   SkillSecurityErrorSchema,
+  SourceCitationSchema,
   StageResultSchema,
   StageSpecSchema,
   StepExecutor,
   StreamCancelledError,
   StreamController,
   StreamError,
+  StrippedElementSchema,
   SubTaskSchema,
   SubtaskPrioritySchema,
   SubtaskStatusSchema,
   SupermajorityStrategy,
+  SuspiciousSignalSchema,
   SwarmObserver,
   SwarmObserver2,
   SwarmObserverConfigSchema,
@@ -317,6 +331,7 @@ import {
   TRINITY_ROLE_MAX_TOKENS,
   TRINITY_ROLE_PROMPTS,
   TRINITY_ROLE_TEMPERATURES,
+  TRUST_TIER_NUMERIC,
   TaskAnalysisResultSchema,
   TaskAnalysisSchema,
   TaskComplexity,
@@ -334,6 +349,7 @@ import {
   TestingExpert,
   TextDashboardRenderer,
   ToolSetSchema,
+  TraceLogger,
   TreeStateSchema,
   TreeStatisticsSchema,
   TrinityConfigSchema,
@@ -341,10 +357,12 @@ import {
   TrinityPhaseSchema,
   TrinityRoleSchema,
   TrinityStopReasonSchema,
+  TrustTierSchema,
   UnanimousStrategy,
   VOTING_THRESHOLDS,
   ValidationDashboard,
   VerifierVerdictSchema,
+  ViolationSchema,
   VoteDecisionSchema,
   VoteMessageSchema,
   VoteSchema,
@@ -376,10 +394,12 @@ import {
   append,
   applyPatch,
   areStepsCompleted,
+  assessReputation,
   bufferStream,
   buildDependencyGraph,
   buildDependencyGraph2,
   buildDockerArgs,
+  buildEnrichedPrompt,
   buildFinalResult,
   buildHarnessArgs,
   buildHarnessCommand,
@@ -399,10 +419,13 @@ import {
   calculateWinLoss,
   canApplyPatch,
   canExecuteSkill,
+  canInfluenceDecisions,
+  canProceed,
   cancelExecution,
   checkPermissionBoundary,
   checkPipelinePolicy,
   chunkByDirectory,
+  classifyTrust,
   clearRegistryCache,
   clearTemplateCache,
   collectRealVotes,
@@ -418,6 +441,8 @@ import {
   createArchitectureExpert,
   createAttestation,
   createAuditLogger,
+  createAuditTrail,
+  createBenchmarkMemory,
   createCheckpoint,
   createCheckpointStore,
   createClaudeAdapter,
@@ -440,6 +465,7 @@ import {
   createDependencyError,
   createDocumentationExpert,
   createDryRunHandler,
+  createEmptyContext,
   createEvaluationHarness,
   createEventBusBridge,
   createExecutionContext,
@@ -448,6 +474,7 @@ import {
   createExplorationPrompt,
   createFeedbackIntegration,
   createFullGitHubProvider,
+  createGraphAuditBridge,
   createHarnessExecutor,
   createHigherOrderVotingStrategy,
   createInitialCostMetrics,
@@ -525,14 +552,24 @@ import {
   denyMutationsWithoutModeRule,
   detectTestFramework,
   determineFinalStatus,
+  emitCorroborationEvent,
   emitExecutionComplete,
+  emitGraphExecutionEvent,
   emitNodeResults,
   emitNodeStarted,
+  emitPolicyEvent,
+  emitReputationEvent,
+  emitSanitizationEvent,
   emitStateUpdated,
   emitStepCompleted,
+  emitThresholdUpdate,
+  emitTrendDetected,
+  emitTrustEvent,
+  estimateDifficulty,
   estimateTokens,
   evaluatePolicy,
   evaluatePolicy2,
+  evaluatePolicy3,
   evaluatePredictions,
   executeDelegatePipeline,
   executeGraph,
@@ -542,12 +579,17 @@ import {
   executeParallel,
   executeSpec,
   exportReport,
+  extractApproach,
   extractBooleanField,
   extractExpressions,
+  extractFilesFromResponse,
+  extractHypothesis,
   extractModelName,
   extractNumberField,
+  extractPastSuccessRates,
   extractPatch,
   extractRepoFromInstanceId,
+  extractRepoName,
   extractSessionId,
   extractStringArrayField,
   extractStringField,
@@ -558,8 +600,10 @@ import {
   findActiveSession,
   findMissingDependencies,
   formatCompileError,
+  formatContextForPrompt,
   formatValidationResult,
   fromArray,
+  generateMcpConfig,
   generateProposalId,
   generateReport,
   generateSecurityPlan,
@@ -572,8 +616,10 @@ import {
   getCliForModelId,
   getCompletedInstanceIds,
   getCompletedSteps,
+  getCorroborationRules,
   getCpuCores,
   getDatasetInfo,
+  getDefaultAllowedTools,
   getDockerVersion,
   getEventBusStats,
   getExecutionDuration,
@@ -592,6 +638,7 @@ import {
   getRecommendedRole,
   getReferencedSteps,
   getRegistryManifest,
+  getRequiredTrustTier,
   getResultsFilePath,
   getSkillSetForTask,
   getSkillsForTask,
@@ -610,6 +657,8 @@ import {
   initializeEventBusBridge,
   isCancelled,
   isCliAvailable as isCliAvailable2,
+  isMutatingAction,
+  isReadOnlyAction,
   isStepCompleted,
   listInstances,
   loadDataset,
@@ -622,6 +671,7 @@ import {
   logToolInvocationAudit,
   logToolStart,
   logToolSuccess,
+  mapAuthorAssociation,
   mapResolutionStatus,
   mapStateToPhase,
   mapTestStatus,
@@ -645,6 +695,7 @@ import {
   quickSelect,
   readJsonResults,
   readPredictions,
+  recordOutcome,
   reduceStream,
   registerConsensusVoteTool,
   registerCorePlugins,
@@ -666,6 +717,9 @@ import {
   registerRunGraphWorkflowTool,
   registerRunWorkflowTool,
   registerTools,
+  requireApiKey,
+  requiresCitation,
+  requiresCorroboration,
   resetAvailabilityCache,
   resetPipelinePluginRegistry,
   resetRegistry,
@@ -680,11 +734,14 @@ import {
   resultToOutcome,
   runAgentOnInstance,
   runBenchmarkInstances,
+  runBenchmarkParallel,
   runPreconditions,
+  runSingleInstance,
   runTests,
   runVerification,
   safePathsRule,
   safeValidateExpertConfig,
+  sanitizeInput,
   scoreByHybrid,
   scoreByImportance,
   scoreByRecency,
@@ -694,6 +751,7 @@ import {
   setVariable,
   skip,
   snapshotContext,
+  sortByPriority,
   storeStepResult,
   take,
   takeUntil,
@@ -706,8 +764,12 @@ import {
   transformInstanceResult,
   transformStream,
   transformTestResult,
+  updateContext,
+  validateAgentAction,
+  validateApiKeyPresence,
   validateCapabilities,
   validateCommand,
+  validateCorroboration,
   validateDependencyGraph,
   validateDiskSpace,
   validateDocker,
@@ -733,7 +795,7 @@ import {
   withLogging,
   withTimeout,
   writePredictions
-} from "./chunk-L3LQ3RP5.js";
+} from "./chunk-QZEAD6AG.js";
 import {
   BaseCliAdapter,
   CLI_TIMEOUT_PROFILES,
@@ -763,14 +825,8 @@ import {
   isCliAvailable,
   sleep,
   startStdioServer
-} from "./chunk-ARNVVQ5W.js";
+} from "./chunk-LKSTILEE.js";
 import "./chunk-X2M7OF27.js";
-import {
-  generateWeatherReport
-} from "./chunk-PGNRXCYY.js";
-import {
-  PER_CLI_TASK_TIMEOUTS
-} from "./chunk-LCDOP543.js";
 import {
   AgentCapability,
   AgentError,
@@ -793,8 +849,8 @@ import {
   OrchestratorError,
   OutcomeFailureCategorySchema,
   OutcomeStore,
+  PER_CLI_TASK_TIMEOUTS,
   ParseError,
-  PersistentOutcomeStore,
   PreferenceRouter,
   PreferenceRouterConfigSchema,
   QueryFeatureExtractor,
@@ -818,11 +874,11 @@ import {
   detectLatencyPatterns,
   detectSuccessPatterns,
   detectTrend,
-  emitThresholdUpdate,
-  emitTrendDetected,
   ensureLearningDir,
   err,
+  extractNonErrorMessage,
   formatZodError,
+  generateWeatherReport,
   getErrorMessage,
   getOutcomeStore,
   getRandomProvider,
@@ -841,7 +897,7 @@ import {
   toError,
   unwrap,
   unwrapOr
-} from "./chunk-BOWNZMPH.js";
+} from "./chunk-L2SHSW4T.js";
 import "./chunk-UP2VWCW5.js";
 // src/adapters/factory.ts
@@ -854,7 +910,7 @@ var AdapterConfigSchema = z.object({
   /** API key for authentication (optional, may come from environment) */
   apiKey: z.string().optional(),
   /** Base URL for the API (optional, uses provider default) */
-  baseUrl: z.string().url("Base URL must be a valid URL").optional(),
+  baseUrl: z.url("Base URL must be a valid URL").optional(),
   /** Request timeout in milliseconds */
   timeout: z.number().positive("Timeout must be positive").optional(),
   /** Maximum number of retries for failed requests */
@@ -1739,11 +1795,7 @@ var OpenAIAdapter = class extends BaseAdapter {
     }
     super(baseConfig);
     this.resolvedModelId = resolvedModelId;
-    if (!config.apiKey || config.apiKey.trim() === "") {
-      throw new ConfigError("OpenAI API key is required", {
-        context: { providerId: "openai", modelId: config.modelId }
-      });
-    }
+    requireApiKey(config.apiKey, "OpenAI", config.modelId);
     this.client = this.createClient(config);
   }
   /**
@@ -1774,14 +1826,8 @@ var OpenAIAdapter = class extends BaseAdapter {
     if (!baseResult.ok) {
       return baseResult;
     }
-    const apiKey = this.config.apiKey;
-    if (apiKey === void 0 || apiKey === "" || apiKey.trim() === "") {
-      return err(
-        new ConfigError("OpenAI API key is required", {
-          context: { providerId: this.providerId, modelId: this.modelId }
-        })
-      );
-    }
+    const keyResult = validateApiKeyPresence(this.config.apiKey, this.providerId, this.modelId);
+    if (!keyResult.ok) return keyResult;
     return ok(void 0);
   }
   /**
@@ -2324,11 +2370,7 @@ var GeminiAdapter = class extends BaseAdapter {
     }
     super(baseConfig);
     this.resolvedModelId = resolvedModelId;
-    if (!config.apiKey || config.apiKey.trim() === "") {
-      throw new ConfigError("Google API key is required", {
-        context: { providerId: "google", modelId: config.modelId }
-      });
-    }
+    requireApiKey(config.apiKey, "Google", config.modelId);
     this.client = new GoogleGenAI({ apiKey: config.apiKey });
   }
   /**
@@ -2340,14 +2382,8 @@ var GeminiAdapter = class extends BaseAdapter {
     if (!baseResult.ok) {
       return baseResult;
     }
-    const apiKey = this.config.apiKey;
-    if (apiKey === void 0 || apiKey === "" || apiKey.trim() === "") {
-      return err(
-        new ConfigError("Google API key is required", {
-          context: { providerId: this.providerId, modelId: this.modelId }
-        })
-      );
-    }
+    const keyResult = validateApiKeyPresence(this.config.apiKey, this.providerId, this.modelId);
+    if (!keyResult.ok) return keyResult;
     return ok(void 0);
   }
   /**
@@ -2899,13 +2935,13 @@ var JournalEventTypeSchema = z2.enum([
   "session_end"
 ]);
 var JournalEntrySchema = z2.object({
-  timestamp: z2.string().datetime(),
+  timestamp: z2.iso.datetime(),
   event: JournalEventTypeSchema,
   sessionId: z2.string().min(1),
   taskId: z2.string().optional(),
   summary: z2.string(),
   tokensUsed: z2.number().int().nonnegative().optional(),
-  metadata: z2.record(z2.unknown()).optional()
+  metadata: z2.record(z2.string(), z2.unknown()).optional()
 });
 // src/context/session-journal.ts
@@ -2985,16 +3021,26 @@ function createIndexes(db) {
   db.exec(`CREATE INDEX IF NOT EXISTS idx_outcomes_timestamp ON task_outcomes(timestamp)`);
 }
 function rowToDecision(row) {
+  let alternativeModels = [];
+  let taskProfile = {};
+  try {
+    alternativeModels = JSON.parse(row.alternative_models);
+  } catch {
+  }
+  try {
+    taskProfile = JSON.parse(row.task_profile);
+  } catch {
+  }
   return {
     id: row.id,
     traceId: row.trace_id,
     timestamp: new Date(row.timestamp).toISOString(),
     routerType: row.router_type,
     selectedModel: row.selected_model,
-    alternativeModels: JSON.parse(row.alternative_models),
+    alternativeModels,
     confidence: row.confidence,
     reason: row.reason,
-    taskProfile: JSON.parse(row.task_profile),
+    taskProfile,
     requestId: row.request_id ?? void 0
   };
 }
@@ -3073,6 +3119,7 @@ var SQLiteOutcomeStorage = class {
   logger;
   db = null;
   initialized = false;
+  initPromise;
   constructor(config) {
     const validation = OutcomeStorageConfigSchema.safeParse(config);
     if (!validation.success) {
@@ -3096,6 +3143,12 @@ var SQLiteOutcomeStorage = class {
   /** Initialize the storage backend. */
   async initialize() {
     if (this.initialized) return ok(void 0);
+    this.initPromise ??= this.doInitialize().finally(() => {
+      this.initPromise = void 0;
+    });
+    return this.initPromise;
+  }
+  async doInitialize() {
     try {
       const betterSqlite3Module = await import("better-sqlite3").catch((error) => {
         this.logger.debug("Failed to import better-sqlite3", { error: String(error) });
@@ -3653,7 +3706,7 @@ var AbTestTracker = class {
     );
     const relativeImprovement = control.successRate > 0 ? (treatment.successRate - control.successRate) / control.successRate : 0;
     const recommendedSampleSize = calculateMinSampleSize(
-      control.successRate || 0.5,
+      control.successRate,
       experiment.minimumDetectableEffect
     );
     const hasMinimumSampleSize = control.n >= experiment.minSampleSize && treatment.n >= experiment.minSampleSize;
@@ -4632,39 +4685,370 @@ function getSafetyTaxonomySummary() {
   };
 }
-// src/orchestration/spec-parser-types.ts
+// src/security/firewall/firewall-types.ts
 import { z as z7 } from "zod";
-var IssueReferenceSchema = z7.object({
+var FirewallStagesSchema = z7.object({
+  sanitization: z7.boolean().default(true),
+  trustClassification: z7.boolean().default(true),
+  reputationAssessment: z7.boolean().default(false),
+  policyEnforcement: z7.boolean().default(true),
+  corroboration: z7.boolean().default(false),
+  audit: z7.boolean().default(true)
+});
+var FirewallConfigSchema = z7.object({
+  stages: FirewallStagesSchema.default(() => ({
+    sanitization: true,
+    trustClassification: true,
+    reputationAssessment: false,
+    policyEnforcement: true,
+    corroboration: false,
+    audit: true
+  })),
+  allowlistedMaintainers: z7.array(z7.string().min(1)).default([]),
+  maxInputLength: z7.number().int().positive().default(5e4),
+  context: z7.object({
+    hasWriteAccess: z7.boolean().default(false),
+    hasSecretAccess: z7.boolean().default(false)
+  }).default(() => ({
+    hasWriteAccess: false,
+    hasSecretAccess: false
+  }))
+});
+var ATLDataSchema = z7.object({
+  tier: z7.enum(["1", "2", "3", "4"]),
+  source: z7.string().min(1),
+  user: z7.string().min(1),
+  sanitized: z7.boolean(),
+  rep: z7.number().min(0).max(1).optional()
+});
+// src/security/firewall/agent-trust-labels.ts
+var ATL_PREFIX = "[ATL:";
+var ATL_SUFFIX = "]";
+var ATL_PATTERN = /^\[ATL:(.+)\]$/;
+function generateATL(data) {
+  const validated = ATLDataSchema.parse(data);
+  const parts = [
+    `tier=${validated.tier}`,
+    `source=${encodeATLValue(validated.source)}`,
+    `user=${encodeATLValue(validated.user)}`,
+    `sanitized=${String(validated.sanitized)}`
+  ];
+  if (validated.rep !== void 0) {
+    parts.push(`rep=${validated.rep.toFixed(2)}`);
+  }
+  return `${ATL_PREFIX}${parts.join(",")}${ATL_SUFFIX}`;
+}
+function parseATL(atl) {
+  const match = ATL_PATTERN.exec(atl.trim());
+  if (match === null) return void 0;
+  const body = match[1];
+  if (body === void 0) return void 0;
+  const raw = parseKeyValuePairs(body);
+  if (raw === void 0) return void 0;
+  return validateParsedATL(raw);
+}
+function parseKeyValuePairs(body) {
+  const pairs = body.split(",");
+  const raw = {};
+  for (const pair of pairs) {
+    const eqIndex = pair.indexOf("=");
+    if (eqIndex < 1) return void 0;
+    raw[pair.slice(0, eqIndex)] = pair.slice(eqIndex + 1);
+  }
+  return raw;
+}
+function validateParsedATL(raw) {
+  const tier = raw["tier"];
+  const source = raw["source"];
+  const user = raw["user"];
+  const sanitized = raw["sanitized"];
+  if (tier === void 0 || source === void 0 || user === void 0 || sanitized === void 0) {
+    return void 0;
+  }
+  const parsed = {
+    tier,
+    source: decodeATLValue(source),
+    user: decodeATLValue(user),
+    sanitized: sanitized === "true",
+    ...raw["rep"] !== void 0 ? { rep: parseFloat(raw["rep"]) } : {}
+  };
+  const result = ATLDataSchema.safeParse(parsed);
+  return result.success ? result.data : void 0;
+}
+function encodeATLValue(value) {
+  return value.replace(/,/g, "%2C").replace(/=/g, "%3D").replace(/\]/g, "%5D");
+}
+function decodeATLValue(value) {
+  return value.replace(/%2C/g, ",").replace(/%3D/g, "=").replace(/%5D/g, "]");
+}
+// src/security/firewall/firewall-pipeline.ts
+var HostileInputFirewall = class {
+  stages;
+  allowlisted;
+  maxInputLength;
+  adapter;
+  reputationCache;
+  auditTrail;
+  constructor(config) {
+    const validated = FirewallConfigSchema.parse({
+      stages: config.stages,
+      allowlistedMaintainers: config.allowlistedMaintainers,
+      maxInputLength: config.maxInputLength,
+      context: config.context
+    });
+    this.stages = validated.stages;
+    this.allowlisted = validated.allowlistedMaintainers;
+    this.maxInputLength = validated.maxInputLength;
+    this.adapter = config.adapter;
+    this.reputationCache = new ReputationCache();
+    this.auditTrail = createAuditTrail();
+  }
+  /**
+   * Processes untrusted input through the firewall pipeline.
+   * Returns a structured FirewallResult or a typed FirewallError.
+   */
+  process(input) {
+    const start = Date.now();
+    this.auditTrail.clear();
+    const metaResult = this.runExtraction(input);
+    if (!metaResult.ok) return metaResult;
+    const meta = metaResult.value;
+    const sanitized = this.runSanitization(meta);
+    const trust = this.runClassification(meta, sanitized);
+    const reputation = this.runReputation(meta, sanitized);
+    const atl = this.buildATL(meta, trust, sanitized, reputation);
+    const auditEvents = this.auditTrail.query().map((e) => ({ id: e.id, type: e.type }));
+    return ok({
+      sanitized,
+      trust,
+      ...reputation !== void 0 ? { reputation } : {},
+      atl,
+      auditEvents,
+      durationMs: Date.now() - start
+    });
+  }
+  /** Returns the internal audit trail for inspection. */
+  getAuditTrail() {
+    return this.auditTrail;
+  }
+  // ==========================================================================
+  // Pipeline Stages (private)
+  // ==========================================================================
+  runExtraction(input) {
+    try {
+      const meta = this.adapter.extractMetadata(input);
+      return ok(meta);
+    } catch (cause) {
+      const message = cause instanceof Error ? cause.message : String(cause);
+      return err({
+        code: "EXTRACTION_FAILED",
+        message: `Adapter extraction failed: ${message}`,
+        stage: "extraction"
+      });
+    }
+  }
+  runSanitization(meta) {
+    if (!this.stages.sanitization) {
+      return createPassthroughSanitized(meta);
+    }
+    const result = sanitizeInput(
+      meta.content,
+      meta.authorAssociation,
+      meta.username,
+      {
+        allowlistedMaintainers: [...this.allowlisted],
+        maxInputLength: this.maxInputLength
+      }
+    );
+    if (this.stages.audit) {
+      emitSanitizationEvent(this.auditTrail, {
+        source: meta.sourceType,
+        wasModified: result.wasModified,
+        strippedCount: result.strippedElements.length,
+        injectionFlagCount: result.injectionFlags.length
+      });
+    }
+    return result;
+  }
+  runClassification(meta, sanitized) {
+    if (!this.stages.trustClassification) {
+      return createPassthroughClassification(meta);
+    }
+    const result = classifyTrust({
+      username: meta.username,
+      authorAssociation: meta.authorAssociation,
+      sanitizedInput: sanitized,
+      config: {
+        allowlistedMaintainers: [...this.allowlisted]
+      }
+    });
+    if (this.stages.audit) {
+      emitTrustEvent(this.auditTrail, {
+        username: meta.username,
+        assignedTier: result.trustTier,
+        userRole: result.userRole,
+        isAllowlisted: result.isAllowlisted,
+        wasDowngraded: result.wasDowngraded,
+        reason: result.reason
+      });
+    }
+    return result;
+  }
+  runReputation(meta, sanitized) {
+    if (!this.stages.reputationAssessment) return void 0;
+    const metadata = {
+      username: meta.username,
+      accountAgeDays: 365,
+      priorContributions: 0,
+      recentCommentCount: 0,
+      recentCommentWindowMinutes: 60,
+      authorAssociation: meta.authorAssociation.toUpperCase(),
+      injectionFlags: sanitized.injectionFlags
+    };
+    const result = assessReputation(metadata, this.reputationCache);
+    if (this.stages.audit) {
+      emitReputationEvent(this.auditTrail, {
+        username: meta.username,
+        reputationScore: result.reputationScore,
+        isSuspicious: result.isSuspicious,
+        effectiveTier: result.effectiveTrustTier,
+        signalCount: result.suspiciousSignals.length
+      });
+    }
+    return result;
+  }
+  buildATL(meta, trust, sanitized, reputation) {
+    const data = {
+      tier: trust.trustTier,
+      source: meta.sourceType,
+      user: meta.username,
+      sanitized: sanitized.wasModified,
+      ...reputation !== void 0 ? { rep: reputation.reputationScore / 100 } : {}
+    };
+    return generateATL(data);
+  }
+};
+function createPassthroughSanitized(meta) {
+  return {
+    content: meta.content,
+    originalLength: meta.content.length,
+    trustTier: "3",
+    userRole: meta.authorAssociation,
+    injectionFlags: [],
+    strippedElements: [],
+    wasModified: false,
+    sanitizedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createPassthroughClassification(meta) {
+  return {
+    trustTier: "3",
+    userRole: meta.authorAssociation,
+    isAllowlisted: false,
+    wasDowngraded: false,
+    reason: "Trust classification disabled \u2014 default Tier 3"
+  };
+}
+// src/security/firewall/github-adapter.ts
+import { z as z8 } from "zod";
+var GitHubIssueSchema = z8.object({
+  type: z8.literal("issue"),
+  username: z8.string().min(1),
+  authorAssociation: z8.string().min(1),
+  title: z8.string().default(""),
+  body: z8.string().default("")
+});
+var GitHubCommentSchema = z8.object({
+  type: z8.literal("comment"),
+  username: z8.string().min(1),
+  authorAssociation: z8.string().min(1),
+  body: z8.string().default("")
+});
+var GitHubPRSchema = z8.object({
+  type: z8.literal("pull_request"),
+  username: z8.string().min(1),
+  authorAssociation: z8.string().min(1),
+  title: z8.string().default(""),
+  body: z8.string().default("")
+});
+var GitHubInputSchema = z8.discriminatedUnion("type", [
+  GitHubIssueSchema,
+  GitHubCommentSchema,
+  GitHubPRSchema
+]);
+function toSourceType(type) {
+  const mapping = {
+    issue: "github-issue",
+    comment: "github-comment",
+    pull_request: "github-pr"
+  };
+  return mapping[type];
+}
+function extractContent(input) {
+  if (input.type === "comment") return input.body;
+  const title = input.title;
+  const body = input.body;
+  return title && body ? `${title}
+${body}` : title || body;
+}
+function createGitHubAdapter() {
+  return {
+    platform: "github",
+    extractMetadata(input) {
+      const result = GitHubInputSchema.safeParse(input);
+      if (!result.success) {
+        const issues = result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`GitHub input validation failed: ${issues}`);
+      }
+      const parsed = result.data;
+      const role = mapAuthorAssociation(parsed.authorAssociation);
+      return {
+        username: parsed.username,
+        authorAssociation: role,
+        content: extractContent(parsed),
+        sourceType: toSourceType(parsed.type)
+      };
+    }
+  };
+}
+// src/orchestration/spec-parser-types.ts
+import { z as z9 } from "zod";
+var IssueReferenceSchema = z9.object({
   /** Issue/PR number */
-  number: z7.number().int().positive(),
+  number: z9.number().int().positive(),
   /** Raw text (e.g., "#123") */
-  raw: z7.string()
+  raw: z9.string()
 });
-var FileReferenceSchema = z7.object({
+var FileReferenceSchema = z9.object({
   /** File path (e.g., "src/foo.ts") */
-  path: z7.string(),
+  path: z9.string(),
   /** Optional line number */
-  line: z7.number().int().positive().optional()
+  line: z9.number().int().positive().optional()
 });
-var ParsedSpecSchema = z7.object({
+var ParsedSpecSchema = z9.object({
   /** Spec title (from first H1 or H2 heading) */
-  title: z7.string().min(1),
+  title: z9.string().min(1),
   /** Overview/description text */
-  overview: z7.string(),
+  overview: z9.string(),
   /** List of requirements */
-  requirements: z7.array(z7.string()),
+  requirements: z9.array(z9.string()),
   /** Acceptance criteria (checklist items) */
-  acceptanceCriteria: z7.array(z7.string()),
+  acceptanceCriteria: z9.array(z9.string()),
   /** Constraints or limitations */
-  constraints: z7.array(z7.string()),
+  constraints: z9.array(z9.string()),
   /** Issue/PR references found in the spec */
-  issueReferences: z7.array(IssueReferenceSchema),
+  issueReferences: z9.array(IssueReferenceSchema),
   /** File path references found in the spec */
-  fileReferences: z7.array(FileReferenceSchema),
+  fileReferences: z9.array(FileReferenceSchema),
   /** Sections that were missing from the spec */
-  missingSections: z7.array(z7.string()),
+  missingSections: z9.array(z9.string()),
   /** Raw markdown source */
-  rawMarkdown: z7.string()
+  rawMarkdown: z9.string()
 });
 var KNOWN_SECTIONS = [
   "overview",
@@ -4678,119 +5062,119 @@ var KNOWN_SECTIONS = [
 ];
 // src/orchestration/spec-decomposer-types.ts
-import { z as z8 } from "zod";
-var SubtaskTypeSchema = z8.enum(["code", "test", "docs", "config", "refactor"]);
-var ComplexityLevelSchema = z8.enum(["simple", "moderate", "complex", "expert"]);
-var SubtaskNodeSchema = z8.object({
+import { z as z10 } from "zod";
+var SubtaskTypeSchema = z10.enum(["code", "test", "docs", "config", "refactor"]);
+var ComplexityLevelSchema = z10.enum(["simple", "moderate", "complex", "expert"]);
+var SubtaskNodeSchema = z10.object({
   /** Unique identifier for this subtask */
-  id: z8.string().min(1),
+  id: z10.string().min(1),
   /** Human-readable description of what this subtask does */
-  description: z8.string().min(1),
+  description: z10.string().min(1),
   /** The type of work */
   type: SubtaskTypeSchema,
   /** Estimated complexity */
   complexity: ComplexityLevelSchema,
   /** Required capabilities for the executing agent */
-  capabilities: z8.array(z8.string()),
+  capabilities: z10.array(z10.string()),
   /** IDs of subtasks this depends on */
-  dependsOn: z8.array(z8.string()),
+  dependsOn: z10.array(z10.string()),
   /** Source requirement text that generated this subtask */
-  sourceRequirement: z8.string().optional()
+  sourceRequirement: z10.string().optional()
 });
-var DagEdgeSchema = z8.object({
+var DagEdgeSchema = z10.object({
   /** Source subtask ID */
-  from: z8.string().min(1),
+  from: z10.string().min(1),
   /** Target subtask ID */
-  to: z8.string().min(1)
+  to: z10.string().min(1)
 });
-var TaskDagSchema = z8.object({
+var TaskDagSchema = z10.object({
   /** All subtask nodes */
-  nodes: z8.array(SubtaskNodeSchema),
+  nodes: z10.array(SubtaskNodeSchema),
   /** Dependency edges (from must complete before to) */
-  edges: z8.array(DagEdgeSchema),
+  edges: z10.array(DagEdgeSchema),
   /** Subtask IDs that can execute in parallel (no dependencies) */
-  roots: z8.array(z8.string()),
+  roots: z10.array(z10.string()),
   /** Total estimated complexity across all subtasks */
   totalComplexity: ComplexityLevelSchema,
   /** Source spec title for traceability */
-  specTitle: z8.string()
+  specTitle: z10.string()
 });
 // src/orchestration/scenario-validator-types.ts
-import { z as z9 } from "zod";
-var CriterionResultSchema = z9.object({
+import { z as z11 } from "zod";
+var CriterionResultSchema = z11.object({
   /** The original acceptance criterion text */
-  criterion: z9.string(),
+  criterion: z11.string(),
   /** Whether this criterion was satisfied */
-  met: z9.boolean(),
+  met: z11.boolean(),
   /** Which result(s) matched this criterion */
-  matchedResults: z9.array(z9.string())
+  matchedResults: z11.array(z11.string())
 });
-var ScenarioResultSchema = z9.object({
+var ScenarioResultSchema = z11.object({
   /** Satisfaction score from 0 (none met) to 1 (all met) */
-  satisfaction: z9.number().min(0).max(1),
+  satisfaction: z11.number().min(0).max(1),
   /** Total acceptance criteria count */
-  totalCriteria: z9.number().int().nonnegative(),
+  totalCriteria: z11.number().int().nonnegative(),
   /** Number of criteria met */
-  metCount: z9.number().int().nonnegative(),
+  metCount: z11.number().int().nonnegative(),
   /** Per-criterion results */
-  criteria: z9.array(CriterionResultSchema),
+  criteria: z11.array(CriterionResultSchema),
   /** Whether all criteria are met */
-  allMet: z9.boolean()
+  allMet: z11.boolean()
 });
 // src/orchestration/parallel-exploration-types.ts
-import { z as z10 } from "zod";
-var ParallelExplorationConfigSchema = z10.object({
+import { z as z12 } from "zod";
+var ParallelExplorationConfigSchema = z12.object({
   /** Max CLIs to dispatch to in parallel (default: 3) */
-  maxParallelClis: z10.number().int().min(1).max(4).default(3),
-  /** Timeout per CLI invocation in ms (default: 60_000) */
-  perCliTimeoutMs: z10.number().int().min(1e3).max(3e5).default(6e4),
-  /** Maximum output chars per CLI response (default: 4000) */
-  maxOutputCharsPerCli: z10.number().int().min(100).max(2e4).default(4e3)
+  maxParallelClis: z12.number().int().min(1).max(4).default(3),
+  /** Timeout per CLI invocation in ms (default: explorationMs from centralized timeouts). */
+  perCliTimeoutMs: z12.number().int().min(1e3).max(3e5).default(PER_CLI_TASK_TIMEOUTS.explorationMs),
+  /** Maximum output chars per CLI response (default: 8000, raised from 4k for exploration depth). */
+  maxOutputCharsPerCli: z12.number().int().min(100).max(2e4).default(8e3)
 });
 // src/orchestration/triangulated-review-types.ts
-import { z as z11 } from "zod";
-var TriangulatedReviewConfigSchema = z11.object({
+import { z as z13 } from "zod";
+var TriangulatedReviewConfigSchema = z13.object({
   /** Max CLIs to dispatch to (default: 3). */
-  maxClis: z11.number().int().min(1).max(4).default(3),
+  maxClis: z13.number().int().min(1).max(4).default(3),
   /** Per-CLI timeout in ms (default from config/timeouts.ts, Issue #984). */
-  perCliTimeoutMs: z11.number().int().min(PER_CLI_TASK_TIMEOUTS.minMs).max(PER_CLI_TASK_TIMEOUTS.maxMs).default(PER_CLI_TASK_TIMEOUTS.defaultMs),
+  perCliTimeoutMs: z13.number().int().min(PER_CLI_TASK_TIMEOUTS.minMs).max(PER_CLI_TASK_TIMEOUTS.maxMs).default(PER_CLI_TASK_TIMEOUTS.defaultMs),
   /** Max chars per CLI response (default: 8000). */
-  maxOutputCharsPerCli: z11.number().int().min(100).max(3e4).default(8e3),
+  maxOutputCharsPerCli: z13.number().int().min(100).max(3e4).default(8e3),
   /** Line proximity for dedup: findings within N lines are considered same (default: 5). */
-  lineProximity: z11.number().int().min(0).max(50).default(5)
+  lineProximity: z13.number().int().min(0).max(50).default(5)
 });
 // src/orchestration/triangulated-review.ts
 var moduleLogger = createLogger({ component: "triangulated-review" });
 // src/orchestration/consensus-plan-types.ts
-import { z as z12 } from "zod";
-var PlanStepSchema = z12.object({
+import { z as z14 } from "zod";
+var PlanStepSchema = z14.object({
   /** Step description. */
-  description: z12.string(),
+  description: z14.string(),
   /** Estimated complexity: low, medium, high. */
-  complexity: z12.enum(["low", "medium", "high"]).default("medium"),
+  complexity: z14.enum(["low", "medium", "high"]).default("medium"),
   /** Dependencies on other step indices. */
-  dependencies: z12.array(z12.number().int().min(0)).default([])
+  dependencies: z14.array(z14.number().int().min(0)).default([])
 });
-var PlanRiskSchema = z12.object({
+var PlanRiskSchema = z14.object({
   /** Risk description. */
-  description: z12.string(),
+  description: z14.string(),
   /** Impact level. */
-  impact: z12.enum(["low", "medium", "high"]).default("medium"),
+  impact: z14.enum(["low", "medium", "high"]).default("medium"),
   /** Mitigation strategy. */
-  mitigation: z12.string().default("")
+  mitigation: z14.string().default("")
 });
-var ConsensusPlanConfigSchema = z12.object({
+var ConsensusPlanConfigSchema = z14.object({
   /** Max CLIs to dispatch to (default: 3). */
-  maxClis: z12.number().int().min(1).max(4).default(3),
+  maxClis: z14.number().int().min(1).max(4).default(3),
   /** Per-CLI timeout in ms (default from config/timeouts.ts, Issue #984). */
-  perCliTimeoutMs: z12.number().int().min(PER_CLI_TASK_TIMEOUTS.minMs).max(PER_CLI_TASK_TIMEOUTS.maxMs).default(PER_CLI_TASK_TIMEOUTS.defaultMs),
+  perCliTimeoutMs: z14.number().int().min(PER_CLI_TASK_TIMEOUTS.minMs).max(PER_CLI_TASK_TIMEOUTS.maxMs).default(PER_CLI_TASK_TIMEOUTS.defaultMs),
   /** Max chars per CLI response (default: 8000). */
-  maxOutputCharsPerCli: z12.number().int().min(100).max(3e4).default(8e3)
+  maxOutputCharsPerCli: z14.number().int().min(100).max(3e4).default(8e3)
 });
 // src/orchestration/consensus-plan.ts
@@ -4864,7 +5248,9 @@ var PIPELINE_EVENT_TYPES = [
   "learning.threshold_updated",
   "learning.trend_detected",
   "tool.invoked",
-  "tool.completed"
+  "tool.completed",
+  "wave.started",
+  "wave.completed"
 ];
 // src/pipeline/artifact-store.ts
@@ -4992,7 +5378,9 @@ function recordStageFailed(event, store) {
     success: false,
     durationMs: 0,
     timestamp: new Date(event.timestamp).toISOString(),
-    source: "delegate"
+    source: "delegate",
+    failureCategory: categorizeOutcomeErrorMessage(event.error),
+    errorMessage: event.error.slice(0, 500)
   };
   store.append(outcome);
 }
@@ -5005,34 +5393,40 @@ function normalizeCli(cli) {
 }
 // src/pipeline/trace-schema.ts
-import { z as z13 } from "zod";
-var ExecutionTraceEntrySchema = z13.object({
+import { z as z15 } from "zod";
+var ExecutionTraceEntrySchema = z15.object({
   /** Unix timestamp (ms). */
-  timestamp: z13.number(),
+  timestamp: z15.number(),
   /** Run identifier (typically TaskContract.id). */
-  runId: z13.string().min(1),
+  runId: z15.string().min(1),
   /** Pipeline event type that produced this trace entry. */
-  eventType: z13.string().min(1),
+  eventType: z15.string().min(1),
   /** Execution ID for pipeline correlation. */
-  executionId: z13.string().optional(),
+  executionId: z15.string().optional(),
   /** Graph node or stage that produced this event. */
-  nodeId: z13.string().optional(),
+  nodeId: z15.string().optional(),
   /** Agent that executed this step. */
-  agentId: z13.string().optional(),
+  agentId: z15.string().optional(),
   /** Model used for this step. */
-  modelId: z13.string().optional(),
+  modelId: z15.string().optional(),
   /** Agent role (e.g., code_expert, security_expert). */
-  role: z13.string().optional(),
+  role: z15.string().optional(),
   /** Duration in milliseconds. */
-  durationMs: z13.number().optional(),
+  durationMs: z15.number().optional(),
   /** Human-readable model selection reasoning. */
-  reasoning: z13.string().optional(),
+  reasoning: z15.string().optional(),
   /** Routing decision path (stage:result pairs). */
-  decisionPath: z13.array(z13.string()).optional(),
+  decisionPath: z15.array(z15.string()).optional(),
   /** Error classification. */
-  errorTaxonomy: z13.enum(["retriable", "fatal"]).optional(),
+  errorTaxonomy: z15.enum(["retriable", "fatal"]).optional(),
   /** Error message if this is a failure event. */
-  error: z13.string().optional()
+  error: z15.string().optional(),
+  /** Wave number (1-based) for wave dispatch events. */
+  waveNumber: z15.number().optional(),
+  /** Total waves in the dispatch plan. */
+  totalWaves: z15.number().optional(),
+  /** Number of workers in this wave. */
+  workerCount: z15.number().optional()
 });
 // src/scm/factory.ts
@@ -5070,6 +5464,7 @@ export {
   AdapterFactory,
   AdapterModelError,
   RateLimiter2 as AdapterRateLimiter,
+  AgentActionSchema,
   AgentCapability,
   AgentError,
   AgentEventSchema,
@@ -5097,6 +5492,7 @@ export {
   AuditQueryCriteriaSchema,
   AuditResourceSchema,
   AuditSeveritySchema,
+  AuditTrail,
   AuthorizationMethodSchema,
   AvailabilityCache,
   BIAS_CATEGORY,
@@ -5270,6 +5666,7 @@ export {
   GitHubProvider,
   GitHubReviewer,
   GitHubUserInfo,
+  GitHubUserRoleSchema,
   GraphBuilder,
   HARM_EMOTIONAL_CATEGORY,
   HARM_FINANCIAL_CATEGORY,
@@ -5279,6 +5676,7 @@ export {
   HigherOrderVotingConfigSchema,
   HigherOrderVotingResultSchema,
   HigherOrderVotingStrategy,
+  HostileInputFirewall,
   ICTMConfigSchema,
   ICTMInferenceResultSchema,
   INSTRUCTION_SAFETY_CATEGORY,
@@ -5286,6 +5684,7 @@ export {
   InMemoryCheckpointStore,
   InMemoryPreferenceStore,
   IndependentSubsetSchema,
+  InjectionFlagSchema,
   InputDefinitionSchema2 as InputDefinitionSchema,
   InputTypeSchema,
   SwarmObserverConfigSchema2 as InteractionObserverConfigSchema,
@@ -5297,6 +5696,7 @@ export {
   ListExpertsInputSchema,
   ListWorkflowsInputSchema,
   LoadedSkillSetSchema,
+  LockedWriter,
   LoggingConfigSchema,
   MANIPULATION_CATEGORY,
   MAX_EXECUTION_TIME_MS,
@@ -5374,8 +5774,10 @@ export {
   QualitySignalsSchema,
   QueryFeatureExtractor,
   REJECTION_CATEGORIES,
+  REPO_COMPLEXITY,
   RISK_AWARENESS_CATEGORY,
   ROBUSTNESS_CATEGORY,
+  ROLE_DEFAULT_TRUST,
   RateLimitError,
   ReasoningDepthSchema,
   ReasoningNodeMetadataSchema,
@@ -5388,6 +5790,7 @@ export {
   RepoSecurityPlanInputSchema,
   ReportGenerationError,
   ReportGenerator,
+  ReputationCache,
   RestApiConfigSchema,
   RestApiServer,
   DelegateRequestSchema as RestDelegateRequestSchema,
@@ -5421,6 +5824,8 @@ export {
   SafetyCategoryIdSchema,
   SafetyCategorySchema,
   SafetyTestCaseSchema,
+  SanitizedInputSchema,
+  SanitizerConfigSchema,
   ScenarioResultSchema,
   ScmError,
   ScoreBreakdownSchema,
@@ -5453,6 +5858,7 @@ export {
   SkillProvenanceSchema,
   SkillRBACSchema,
   SkillSecurityErrorSchema,
+  SourceCitationSchema,
   StageResultSchema,
   StageSpecSchema,
   StrategyDistiller,
@@ -5463,6 +5869,7 @@ export {
   InputDefinitionSchema as StrictInputDefinitionSchema,
   WorkflowDefinitionSchema as StrictWorkflowDefinitionSchema,
   WorkflowStepSchema as StrictWorkflowStepSchema,
+  StrippedElementSchema,
   SubTaskSchema,
   SubprocessCliAdapter,
   SubtaskNodeSchema,
@@ -5470,6 +5877,7 @@ export {
   SubtaskStatusSchema,
   SubtaskTypeSchema,
   SupermajorityStrategy,
+  SuspiciousSignalSchema,
   SwarmObserver,
   SwarmObserverConfigSchema,
   SynthesizedResultSchema,
@@ -5480,6 +5888,7 @@ export {
   TRINITY_ROLE_MAX_TOKENS,
   TRINITY_ROLE_PROMPTS,
   TRINITY_ROLE_TEMPERATURES,
+  TRUST_TIER_NUMERIC,
   TaskAnalysisResultSchema,
   TaskAnalysisSchema,
   TaskComplexity,
@@ -5502,6 +5911,7 @@ export {
   TokenCounter,
   TokenCounterProvider,
   ToolSetSchema,
+  TraceLogger,
   TreeStateSchema,
   TreeStatisticsSchema,
   TrinityConfigSchema,
@@ -5509,12 +5919,14 @@ export {
   TrinityPhaseSchema,
   TrinityRoleSchema,
   TrinityStopReasonSchema,
+  TrustTierSchema,
   UnanimousStrategy,
   VERSION,
   VOTING_THRESHOLDS,
   ValidationDashboard,
   ValidationError,
   VerifierVerdictSchema,
+  ViolationSchema,
   VoteDecisionSchema,
   VoteMessageSchema,
   VoteSchema,
@@ -5545,9 +5957,11 @@ export {
   append,
   applyPatch,
   areStepsCompleted,
+  assessReputation,
   bufferStream,
   buildDependencyGraph2 as buildDependencyGraph,
   buildDockerArgs,
+  buildEnrichedPrompt,
   buildFinalResult,
   buildHarnessArgs,
   buildHarnessCommand,
@@ -5569,12 +5983,15 @@ export {
   calculateWinLoss,
   canApplyPatch,
   canExecuteSkill,
+  canInfluenceDecisions,
+  canProceed,
   cancelExecution,
   categorizeOutcomeError,
   categorizeOutcomeErrorMessage,
   checkPermissionBoundary,
   checkPipelinePolicy,
   chunkByDirectory,
+  classifyTrust,
   clearRegistryCache,
   clearTemplateCache,
   closeServer,
@@ -5596,6 +6013,8 @@ export {
   createArchitectureExpert,
   createAttestation,
   createAuditLogger,
+  createAuditTrail,
+  createBenchmarkMemory,
   createCheckpoint,
   createCheckpointStore,
   createClaudeAdapter,
@@ -5621,6 +6040,7 @@ export {
   createDependencyError,
   createDocumentationExpert,
   createDryRunHandler,
+  createEmptyContext,
   createEvaluationHarness,
   createEventBusBridge,
   createExecutionContext,
@@ -5631,7 +6051,9 @@ export {
   createFeedbackSubscriber,
   createFullGitHubProvider,
   createGeminiAdapter,
+  createGitHubAdapter,
   createGitHubProvider,
+  createGraphAuditBridge,
   createHarnessExecutor,
   createHigherOrderVotingStrategy,
   createInitialCostMetrics,
@@ -5722,19 +6144,27 @@ export {
   detectTestFramework,
   detectTrend,
   determineFinalStatus,
+  emitCorroborationEvent,
   emitExecutionComplete,
+  emitGraphExecutionEvent,
   emitNodeResults,
   emitNodeStarted,
+  emitPolicyEvent,
+  emitReputationEvent,
+  emitSanitizationEvent,
   emitStateUpdated,
   emitStepCompleted,
   emitThresholdUpdate,
   emitTrendDetected,
+  emitTrustEvent,
   err,
+  estimateDifficulty,
   estimateTaskComplexity,
   estimateTokens,
   evaluatePolicy2 as evaluatePipelinePolicy,
   evaluatePolicy,
   evaluatePredictions,
+  evaluatePolicy3 as evaluateSecurityPolicy,
   executeDelegatePipeline,
   executeGraph,
   executeHarness,
@@ -5743,12 +6173,18 @@ export {
   executeParallel,
   executeSpec,
   exportReport,
+  extractApproach,
   extractBooleanField,
   extractExpressions,
+  extractFilesFromResponse,
+  extractHypothesis,
   extractModelName,
+  extractNonErrorMessage,
   extractNumberField,
+  extractPastSuccessRates,
   extractPatch,
   extractRepoFromInstanceId,
+  extractRepoName,
   extractSessionId,
   extractStringArrayField,
   extractStringField,
@@ -5759,8 +6195,11 @@ export {
   findActiveSession,
   findMissingDependencies,
   formatCompileError,
+  formatContextForPrompt,
   formatValidationResult,
   fromArray,
+  generateATL,
+  generateMcpConfig,
   generateProposalId,
   generateReport,
   generateSecurityPlan,
@@ -5777,8 +6216,10 @@ export {
   getCliForModelId,
   getCompletedInstanceIds,
   getCompletedSteps,
+  getCorroborationRules,
   getCpuCores,
   getDatasetInfo,
+  getDefaultAllowedTools,
   getDockerVersion,
   getEventBusStats,
   getExecutionDuration,
@@ -5799,6 +6240,7 @@ export {
   getRecommendedRole,
   getReferencedSteps,
   getRegistryManifest,
+  getRequiredTrustTier,
   getResultsFilePath,
   getSafetyCategory,
   getSafetyTaxonomySummary,
@@ -5823,7 +6265,9 @@ export {
   isCancelled,
   isCliAvailable,
   isErr,
+  isMutatingAction,
   isOk,
+  isReadOnlyAction,
   isRetryableError,
   isCliAvailable2 as isSWEBenchCliAvailable,
   isStepCompleted,
@@ -5841,6 +6285,7 @@ export {
   logToolSuccess,
   logger,
   map,
+  mapAuthorAssociation,
   mapErr,
   mapResolutionStatus,
   mapStateToPhase,
@@ -5851,6 +6296,7 @@ export {
   ok,
   orchestrateInputToTaskContract,
   overwrite,
+  parseATL,
   parseAgentPairKey,
   parseExpression,
   parseJsonResults,
@@ -5866,6 +6312,7 @@ export {
   quickSelect,
   readJsonResults,
   readPredictions,
+  recordOutcome,
   reduceStream,
   registerConsensusVoteTool,
   registerCorePlugins,
@@ -5887,6 +6334,8 @@ export {
   registerRunGraphWorkflowTool,
   registerRunWorkflowTool,
   registerTools,
+  requiresCitation,
+  requiresCorroboration,
   resetAvailabilityCache,
   resetPipelineArtifactStore,
   resetPipelinePluginRegistry,
@@ -5902,12 +6351,15 @@ export {
   resultToOutcome,
   runAgentOnInstance,
   runBenchmarkInstances,
+  runBenchmarkParallel,
   runPreconditions,
+  runSingleInstance,
   runTests,
   runVerification,
   safePathsRule,
   safeValidateExpertConfig,
   sanitize,
+  sanitizeInput,
   scoreByHybrid,
   scoreByImportance,
   scoreByRecency,
@@ -5919,6 +6371,7 @@ export {
   skip,
   sleep,
   snapshotContext,
+  sortByPriority,
   startStdioServer,
   storeStepResult,
   take,
@@ -5935,7 +6388,10 @@ export {
   transformTestResult,
   unwrap,
   unwrapOr,
+  updateContext,
+  validateAgentAction,
   validateCommand,
+  validateCorroboration,
   validateDependencyGraph,
   validateDiskSpace,
   validateDocker,