opencode-swarm 7.62.1 → 7.64.0

package/dist/memory/schema.d.ts

@@ -213,9 +213,9 @@ export declare const MemoryProposalSchema: z.ZodObject<{
     rationale: z.ZodString;
     evidenceRefs: z.ZodArray<z.ZodString>;
     status: z.ZodEnum<{
-        approved: "approved";
-        rejected: "rejected";
         pending: "pending";
+        rejected: "rejected";
+        approved: "approved";
         applied: "applied";
         superseded: "superseded";
     }>;

package/dist/services/directive-predicate-runner.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Directive verification predicate runner (Swarm Learning System, Change 2 /
+ * Task 2.2).
+ *
+ * Executes a small, fail-closed predicate DSL attached to a knowledge directive
+ * (`verification_predicate`). Handlers:
+ *
+ *   grep:<regex>:<path-glob>   PASS when ripgrep finds zero matches in the glob.
+ *                              (A "forbidden pattern" predicate: absence = pass.)
+ *   tool:<argv>                PASS when the command exits 0. Shell-free (argv
+ *                              array), binary must be on a conservative allowlist.
+ *   file_not_modified:<path>   PASS when <path> is unchanged in the working tree.
+ *   file_modified:<path>       PASS when <path> is changed in the working tree.
+ *
+ * Security posture (the adversarial contract):
+ *   - No shell, ever. Commands run via argv arrays (`bunSpawn`), so shell
+ *     metacharacters (; | && $() ` > <) are inert literals.
+ *   - Path/glob arguments are validated to stay inside the working directory:
+ *     null bytes, absolute paths, and `..` traversal are rejected.
+ *   - `tool:` binaries are restricted to a conservative read-only allowlist;
+ *     code interpreters (node/bun/python/deno/npx) are intentionally excluded.
+ *   - Hard 15s timeout; the child is killed on timeout.
+ *   - Fail-closed: any parse error, unknown handler, disallowed path, or
+ *     unexpected state returns `result:'error'` (never silently `pass`).
+ *
+ * Residual risk: true network isolation is not available in this runtime. The
+ * mitigation is the absence of network-capable binaries from the allowlist plus
+ * the hard timeout. Build tools that can run arbitrary scripts (cargo/go) are
+ * NOT on the allowlist for this reason.
+ */
+export type PredicateResult = 'pass' | 'fail' | 'error';
+export interface PredicateOutcome {
+    result: PredicateResult;
+    detail: string;
+}
+/** Hard wall-clock cap for any single predicate execution. */
+export declare const PREDICATE_TIMEOUT_MS = 15000;
+/**
+ * Conservative allowlist of `tool:` binaries. Read-only verification/lint tools
+ * only. Code interpreters and arbitrary build runners are deliberately excluded
+ * because they can execute attacker-influenced code or reach the network.
+ */
+export declare const TOOL_BINARY_ALLOWLIST: ReadonlySet<string>;
+/**
+ * Validate that a repo-relative path/glob stays inside `directory`. Returns the
+ * trimmed value on success or null when it is unsafe. Globs (`*`, `**`, `?`,
+ * `{}`) are permitted; traversal and absolute paths are not.
+ */
+export declare function validateRepoRelativeGlob(directory: string, value: string): string | null;
+interface RunResult {
+    exitCode: number | null;
+    stdout: string;
+    stderr: string;
+    timedOut: boolean;
+}
+/** Run an argv array, shell-free, with a hard timeout. Never throws.
+ *  AGENTS.md invariant 3: stdin is 'ignore' (a never-closed stdin pipe can
+ *  block the child from exiting under Bun on Windows) and the child is
+ *  best-effort killed in `finally` so no code path leaks a process. */
+export declare function runArgv(argv: string[], cwd: string): Promise<RunResult>;
+/**
+ * Run a single verification predicate. Fail-closed: any parse error, unknown
+ * handler, or unexpected state returns `result:'error'`. Never throws.
+ */
+export declare function runDirectivePredicate(predicate: string, directory: string): Promise<PredicateOutcome>;
+export declare const _internals: {
+    validateRepoRelativeGlob: typeof validateRepoRelativeGlob;
+    runArgv: typeof runArgv;
+    runDirectivePredicate: typeof runDirectivePredicate;
+    TOOL_BINARY_ALLOWLIST: ReadonlySet<string>;
+};
+export {};

package/dist/services/external-skill-store.d.ts

@@ -0,0 +1,96 @@
+/**
+ * External skill candidate quarantine store.
+ *
+ * Manages external skill candidates persisted as individual JSON files under
+ * `.swarm/skills/candidates/<uuid>.json`.  Each candidate goes through a
+ * quarantine lifecycle (pending → in_review → quarantined → passed/rejected →
+ * promoted/revoked) before it can be activated as a generated skill.
+ *
+ * All writes are atomic (temp-file + rename) via `atomicWriteFile` from the
+ * evidence subsystem.  File-system I/O is funnelled through `_internals` so
+ * that tests can replace individual operations without cross-module mock
+ * leakage (Bun's `mock.module` is intentionally avoided for I/O seams).
+ *
+ * Invariants:
+ *   - Candidate IDs are UUID v4 (cryptographically random), never derived from
+ *     user input, to prevent path-traversal attacks.
+ *   - `passed`, `promoted`, and `revoked` candidates are NEVER evicted.
+ *   - The store directory is derived from the injected `directory` parameter
+ *     (typically `ctx.directory`); no `process.cwd()` calls.
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs/promises';
+import type { ExternalSkillCandidate, ExternalSkillCandidateEvaluationVerdict } from '../config/schema';
+import { atomicWriteFile } from '../evidence/task-file';
+/** Configuration for the store. */
+export interface ExternalSkillStoreConfig {
+    /** Maximum number of candidates before FIFO eviction kicks in. */
+    max_candidates: number;
+}
+/** Optional filters for listing candidates. */
+export interface ExternalSkillListFilter {
+    /** Restrict to candidates with this evaluation verdict. */
+    verdict?: ExternalSkillCandidateEvaluationVerdict;
+    /** Restrict to candidates from this source type (e.g. 'github'). */
+    source_type?: string;
+    /** Restrict to candidates with this exact source URL. */
+    source_url?: string;
+    /** ISO datetime — only return candidates fetched at or after this time. */
+    since?: string;
+}
+/** Patch fields accepted by `update`. */
+export type ExternalSkillCandidatePatch = Partial<Pick<ExternalSkillCandidate, 'evaluation_verdict' | 'risk_flags' | 'evaluation_history' | 'skill_name' | 'skill_description'>>;
+/**
+ * Public interface returned by the factory function.
+ *
+ * Every method is scoped to the store directory derived at creation time.
+ */
+export interface ExternalSkillStore {
+    /** Create a new candidate and persist it atomically. */
+    add(candidate: Omit<ExternalSkillCandidate, 'id'>): Promise<ExternalSkillCandidate>;
+    /** Read a single candidate by UUID. Returns `null` if not found. */
+    get(id: string): Promise<ExternalSkillCandidate | null>;
+    /** List candidates with optional filters, sorted by `fetched_at` descending. */
+    list(filter?: ExternalSkillListFilter): Promise<ExternalSkillCandidate[]>;
+    /** Patch an existing candidate (read-modify-write). Appends to `evaluation_history`. */
+    update(id: string, patch: ExternalSkillCandidatePatch): Promise<ExternalSkillCandidate | null>;
+    /** Remove a candidate file. Returns `true` if the file existed and was deleted. */
+    delete(id: string): Promise<boolean>;
+    /**
+     * Evict the oldest `pending` or `rejected` candidates when the store
+     * exceeds `max_candidates`.  Never evicts `passed`, `promoted`, or
+     * `revoked` candidates.  Returns the number of evicted files.
+     */
+    evictIfNeeded(): Promise<number>;
+}
+/**
+ * Dependency-injection seam for testing.
+ *
+ * Tests can temporarily replace individual entries to exercise failure paths
+ * (e.g. file-not-found, permission errors) without `mock.module` leakage.
+ * Restore each entry in `afterEach` via the saved original reference.
+ */
+export declare const _internals: {
+    /** UUID generator — default is `crypto.randomUUID()`. */
+    randomUUID: typeof crypto.randomUUID;
+    /** Async filesystem operations. */
+    fs: {
+        mkdir: typeof fs.mkdir;
+        readFile: typeof fs.readFile;
+        readdir: typeof fs.readdir;
+        unlink: typeof fs.unlink;
+    };
+    /** Atomic write primitive (temp-file + rename). */
+    atomicWriteFile: typeof atomicWriteFile;
+};
+/**
+ * Create an `ExternalSkillStore` scoped to the given project root directory.
+ *
+ * The store persists candidate files under
+ * `<directory>/.swarm/skills/candidates/<uuid>.json`.
+ *
+ * @param directory — Project root (typically `ctx.directory`). Must NOT contain
+ *                   user-controlled path components.
+ * @param config   — Store configuration including capacity limits.
+ */
+export declare function createExternalSkillStore(directory: string, config: ExternalSkillStoreConfig): ExternalSkillStore;

package/dist/services/external-skill-validator.d.ts

@@ -0,0 +1,160 @@
+/**
+ * Validation gates for external skill candidates.
+ *
+ * Provides shared types and individual gate functions that scan candidate
+ * fields for security threats (prompt injection, unsafe instructions,
+ * provenance integrity).  Each gate returns a structured `ValidationGateResult`
+ * that the curation pipeline can use to block, warn, or pass a candidate.
+ *
+ * Gate 1 — `scanPromptInjection`: static regex-based detection of prompt-
+ * injection patterns, prototype pollution, script injection, and obfuscated
+ * content in candidate fields.  Severity is modulated by the candidate's trust
+ * level (FR-004).
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillCandidate } from '../config/schema';
+/** Result from a single validation gate scan. */
+export interface ValidationGateResult {
+    /** Which gate produced this result. */
+    gate: 'prompt_injection' | 'unsafe_instructions' | 'provenance_integrity';
+    /** Overall pass/fail/warn verdict. */
+    verdict: 'pass' | 'fail' | 'warn';
+    /** Individual findings from the scan. */
+    findings: ValidationFinding[];
+    /** The candidate fields that were scanned. */
+    fields_scanned: string[];
+}
+/** A single finding from a validation gate. */
+export interface ValidationFinding {
+    /** What was detected. */
+    pattern: string;
+    /** Which candidate field triggered the finding. */
+    field: string;
+    /** Human-readable description. */
+    description: string;
+    /**
+     * Severity: 'error' blocks promotion, 'warning' is advisory
+     * (unless trust_level=low).
+     */
+    severity: 'error' | 'warning';
+    /** The matched text snippet (truncated to 100 chars for safety). */
+    match: string;
+}
+/** Result of running all validation gates against a candidate. */
+export interface CandidateEvaluationResult {
+    /** Individual gate results. */
+    gate_results: ValidationGateResult[];
+    /** Aggregated verdict across all gates. */
+    overall_verdict: 'passed' | 'quarantined';
+    /** All findings from all gates combined. */
+    all_findings: ValidationFinding[];
+    /** Risk flags derived from findings (unique pattern names). */
+    risk_flags: string[];
+}
+/** Describes a single detection pattern used by the prompt-injection gate. */
+export interface PromptInjectionPattern {
+    /** Regex to test against field text. */
+    pattern: RegExp;
+    /** Human-readable name for the pattern. */
+    name: string;
+    /** Description shown in findings. */
+    description: string;
+    /** Base severity before trust-level modulation. */
+    severity: 'error' | 'warning';
+}
+/**
+ * Static regex patterns for the prompt-injection gate (FR-004).
+ *
+ * ERROR-severity patterns always block promotion.  WARNING-severity patterns
+ * are modulated by the candidate's trust level:
+ *   - trust_level='low'  → warnings promoted to errors
+ *   - trust_level='medium'/'high' → warnings stay warnings
+ */
+export declare const PROMPT_INJECTION_PATTERNS: PromptInjectionPattern[];
+/** Describes a single detection pattern used by the unsafe-instruction gate. */
+export interface UnsafeInstructionPattern {
+    /** Regex to test against field text. */
+    pattern: RegExp;
+    /** Human-readable name for the pattern. */
+    name: string;
+    /** Description shown in findings. */
+    description: string;
+    /** Base severity before trust-level modulation. */
+    severity: 'error' | 'warning';
+}
+/**
+ * Static regex patterns for the unsafe-instruction gate.
+ *
+ * Extends the DANGEROUS_COMMAND_PATTERNS and SECURITY_DEGRADING_PATTERNS from
+ * knowledge-validator.ts with additional destructive command, privilege
+ * escalation, shell execution, security bypass, and data exfiltration patterns.
+ *
+ * ERROR-severity patterns always block promotion.  WARNING-severity patterns
+ * are modulated by the candidate's trust level:
+ *   - trust_level='low'  → warnings promoted to errors
+ *   - trust_level='medium'/'high' → warnings stay warnings
+ */
+export declare const UNSAFE_INSTRUCTION_PATTERNS: UnsafeInstructionPattern[];
+/** Rate limit defaults for validation operations (FR-007). */
+export declare const VALIDATION_RATE_LIMITS: {
+    /** Maximum candidates per discovery invocation. */
+    readonly max_candidates_per_discovery: 50;
+    /** Maximum concurrent fetch operations. */
+    readonly max_concurrent_fetches: 5;
+    /** Timeout for individual fetch operations in milliseconds. */
+    readonly fetch_timeout_ms: 30000;
+};
+/**
+ * Scan an external skill candidate for prompt-injection patterns.
+ *
+ * Returns a `ValidationGateResult` with gate=`'prompt_injection'`.
+ * The verdict is modulated by `trustLevel`:
+ *   - `'low'`: warnings promoted to errors → verdict is `'fail'` if any finding.
+ *   - `'medium'`/`'high'`: warnings stay warnings → verdict is `'warn'` if only
+ *     warnings, `'fail'` if any error-severity finding.
+ */
+export declare function scanPromptInjection(candidate: ExternalSkillCandidate, trustLevel?: 'low' | 'medium' | 'high'): ValidationGateResult;
+/**
+ * Scan an external skill candidate for unsafe instruction patterns.
+ *
+ * Covers destructive commands, privilege escalation, shell execution
+ * vectors, security bypass instructions, and data exfiltration indicators.
+ *
+ * Returns a `ValidationGateResult` with gate=`'unsafe_instructions'`.
+ * The verdict is modulated by `trustLevel`:
+ *   - `'low'`: warnings promoted to errors → verdict is `'fail'` if any finding.
+ *   - `'medium'`/`'high'`: warnings stay warnings → verdict is `'warn'` if only
+ *     warnings, `'fail'` if any error-severity finding.
+ */
+export declare function scanUnsafeInstructions(candidate: ExternalSkillCandidate, trustLevel?: 'low' | 'medium' | 'high'): ValidationGateResult;
+/**
+ * Scan an external skill candidate for provenance field integrity.
+ *
+ * Validates SHA-256 hash format, fetched_at timing (not in future, not stale),
+ * source_url validity, publisher presence, and content-hash verification.
+ *
+ * Returns a `ValidationGateResult` with gate=`'provenance_integrity'`.
+ * The verdict is modulated by `trustLevel`:
+ *   - `'low'`: warnings promoted to errors → verdict is `'fail'` if any finding.
+ *   - `'medium'`/`'high'`: warnings stay warnings → verdict is `'warn'` if only
+ *     warnings, `'fail'` if any error-severity finding.
+ */
+export declare function scanProvenanceIntegrity(candidate: ExternalSkillCandidate, trustLevel?: 'low' | 'medium' | 'high', ttlDays?: number): ValidationGateResult;
+/**
+ * Run all three validation gates against a candidate and produce an
+ * aggregated evaluation result (FR-004, FR-007).
+ *
+ * Gates are run sequentially: prompt-injection → unsafe-instructions →
+ * provenance-integrity.  Any gate that returns `'fail'` causes the overall
+ * verdict to be `'quarantined'`.  Warnings are advisory unless trust_level
+ * is `'low'` (which promotes them to errors inside each gate).
+ */
+export declare function evaluateCandidate(candidate: ExternalSkillCandidate, options?: {
+    trust_level?: 'low' | 'medium' | 'high';
+    ttl_days?: number;
+}): CandidateEvaluationResult;
+export declare const _internals: {
+    getTimestamp: () => string;
+    computeSha256: (content: string) => string;
+};

package/dist/services/knowledge-diagnostics.d.ts

@@ -27,6 +27,25 @@ export interface KnowledgeDebugMeta {
     event_count: number;
     retrieval_events_7d: number;
     cache_status: 'fresh' | 'stale' | 'unknown';
+    /**
+     * Learning-loop telemetry (Changes 1–6). Surfaces the health of the
+     * self-improvement pipeline: directives awaiting curation, reflection
+     * candidates not yet folded in, learned synonyms, and enforcement posture.
+     */
+    learning: {
+        /** Lessons withheld from the active store pending actionability (Change 4). */
+        unactionable_queue_depth: number;
+        /** Micro-reflection insight candidates not yet consumed by the curator (Change 6). */
+        insight_candidates_pending: number;
+        /** Learned tag co-occurrence synonym pairs on disk (Change 5). */
+        synonym_pairs: number;
+        /** Active directives in `enforce` posture (Change 3). */
+        enforced_directives: number;
+        /** Active directives that have been auto-escalated at least once (Change 3). */
+        escalated_directives: number;
+        /** Knowledge-event volume bucketed by type (applied/ignored/violated/...). */
+        events_by_type: Record<string, number>;
+    };
 }
 /**
  * Compute the debug-metadata block for the knowledge system. Best-effort: never

package/dist/services/skill-improver.d.ts

@@ -62,6 +62,17 @@ export interface SkillImproveResult {
         sourceKnowledgeIds: string[];
     }>;
     model?: string;
+    /** Change 4 (Task 4.3): outcome of the unactionable-knowledge hardening pass. */
+    unactionableHardening?: {
+        hardened: number;
+        retired: number;
+        remaining: number;
+    };
+    /** Change 6 (Task 5.3): macro trajectory-motif proposals written this run. */
+    macroMotifs?: {
+        motifs: number;
+        proposalsWritten: number;
+    };
 }
 interface InventorySnapshot {
     knowledge: {

package/dist/services/status-service.d.ts

@@ -1,4 +1,5 @@
 import type { AgentDefinition } from '../agents';
+import { type RecentEscalation } from '../hooks/knowledge-escalator';
 import { hasActiveFullAuto, hasActiveLeanTurbo } from '../state';
 import { loadLeanTurboRunState } from '../turbo/lean/state';
 /**
@@ -54,6 +55,8 @@ export interface StatusData {
     specStaleStoredHash?: string;
     /** Current spec.md hash on disk (null when spec.md is missing) */
     specStaleCurrentHash?: string | null;
+    /** Directives auto-escalated in the last 7 days (Change 3). */
+    recentEscalations?: RecentEscalation[];
 }
 /**
  * Get status data from the swarm directory.

package/dist/services/synonym-map.d.ts

@@ -0,0 +1,136 @@
+/**
+ * Tag co-occurrence synonym map (Change 5 / Task 6.2).
+ *
+ * Retrieval is brittle when a query phrases a concept differently from the
+ * stored directive ("module mocks" vs "dependency seams"). Rather than ship a
+ * hand-curated thesaurus or a new NLP dependency, we learn synonyms from the
+ * corpus itself: tokens that repeatedly co-occur across an entry's
+ * triggers / tags / applies_to_tools / applies_to_agents are treated as
+ * related. A pair seen at or above `synonym_min_cooccurrence` distinct entries
+ * becomes a synonym edge that retrieval can expand a query along.
+ *
+ * State file: `.swarm/synonym-map.json` (validated through validateSwarmPath).
+ *
+ * SECURITY: the map is derived from on-disk knowledge entries, which can be
+ * attacker-influenced (auto-enrichment, hive imports). Every token is
+ * sanitised against control characters and length-bounded BEFORE it ever
+ * reaches the map, and the map is hard-capped (`synonym_map_max_pairs`,
+ * LRU-evicted by recency) so a flood of junk pairs cannot grow it without
+ * bound. Expansion is therefore bounded and cannot inject paths, regex
+ * metacharacters with effect, or arbitrarily long strings into the scorer.
+ */
+export declare const SYNONYM_MAP_FILENAME = "synonym-map.json";
+/** A single learned co-occurrence edge between two distinct tokens. */
+export interface SynonymPair {
+    /** Lexicographically-first member (sanitised). */
+    a: string;
+    /** Lexicographically-second member (sanitised). */
+    b: string;
+    /** Number of distinct entries in which both tokens co-occurred. */
+    count: number;
+    /** Monotonic recency marker (for LRU eviction). Higher = more recent. */
+    seq: number;
+}
+/** On-disk shape of `.swarm/synonym-map.json`. */
+export interface SynonymMap {
+    version: 1;
+    /** Monotonic counter; the next recorded/touched pair takes `seq = ++cursor`. */
+    cursor: number;
+    /** Keyed by `pairKey(a, b)`. */
+    pairs: Record<string, SynonymPair>;
+}
+export declare function emptySynonymMap(): SynonymMap;
+export declare function resolveSynonymMapPath(directory: string): string;
+/**
+ * Normalise a candidate token to its canonical synonym-map form, or return
+ * `null` if it is unusable. Strips control characters (poisoning defence),
+ * lowercases, collapses internal whitespace to single spaces, trims, and
+ * enforces a length bound. Non-string input yields `null`.
+ */
+export declare function sanitizeToken(raw: unknown): string | null;
+export declare function pairKey(a: string, b: string): string;
+/** A subset of KnowledgeEntry fields relevant to synonym learning. */
+export interface SynonymSourceEntry {
+    triggers?: string[];
+    tags?: string[];
+    applies_to_tools?: string[];
+    applies_to_agents?: string[];
+}
+/**
+ * Collect the sanitised, de-duplicated token set that represents one entry for
+ * co-occurrence learning. Draws from the entry's triggers, tags,
+ * applies_to_tools, and applies_to_agents.
+ */
+export declare function tokensForEntry(entry: SynonymSourceEntry): string[];
+/**
+ * Evict the least-recently-touched pairs until `map.pairs` is within
+ * `maxPairs`. Mutates `map` in place. Eviction order is by ascending `seq`
+ * (oldest first); ties broken by key for determinism.
+ */
+declare function evictToCap(map: SynonymMap, maxPairs: number): void;
+/**
+ * Pure: fold one entry's token set into the map, incrementing the co-occurrence
+ * count of every distinct token pair and refreshing its recency. Applies the
+ * LRU cap afterward. Returns the same `map` reference (mutated) for chaining.
+ *
+ * Each entry contributes at most +1 to any given pair (the token set is already
+ * de-duplicated), so a single entry repeating a tag cannot inflate a pair.
+ */
+export declare function recordEntryCooccurrences(map: SynonymMap, entry: SynonymSourceEntry, maxPairs?: number): SynonymMap;
+/**
+ * Pure: rebuild the synonym map from scratch over a list of entries. Used by the
+ * curator after phase_complete so the map reflects the current corpus rather
+ * than drifting monotonically. Returns a fresh map.
+ */
+export declare function buildSynonymMap(entries: SynonymSourceEntry[], maxPairs?: number): SynonymMap;
+/**
+ * Pure: derive an undirected adjacency index of synonyms from the map, keeping
+ * only pairs whose count is at or above `minCooccurrence`. Returns a Map from
+ * each token to the set of its synonym tokens.
+ */
+export declare function buildSynonymIndex(map: SynonymMap, minCooccurrence?: number): Map<string, Set<string>>;
+/**
+ * Pure: expand a list of query tokens with their learned synonyms. Input tokens
+ * are sanitised first so the caller can pass raw query terms. Returns only the
+ * NEW synonym tokens (never the originals), de-duplicated, with a per-token cap
+ * so one over-connected token cannot dominate the candidate pool. Synonyms are
+ * emitted in sorted order and sliced — recency is deliberately ignored so the
+ * result is deterministic regardless of insertion order.
+ */
+export declare function expandTokens(index: Map<string, Set<string>>, queryTokens: string[], maxPerToken?: number): string[];
+declare function isSynonymPair(value: unknown): value is SynonymPair;
+/**
+ * Coerce arbitrary parsed JSON into a valid SynonymMap, dropping any malformed
+ * or unsafe pairs. Re-sanitises every token and re-derives the canonical key so
+ * a tampered file (control chars, mismatched key) cannot smuggle a poisoned
+ * token into retrieval. Enforces the same `maxPairs` LRU cap on READ that the
+ * write path enforces, so a tampered file with a huge pair count cannot make
+ * every retrieval pay an unbounded coerce/index cost. Returns a fresh empty map
+ * on any structural failure.
+ */
+export declare function coerceSynonymMap(parsed: unknown, maxPairs?: number): SynonymMap;
+/**
+ * Read and validate the synonym map. Returns an empty map if absent/invalid.
+ * Bounded: a file larger than the `maxPairs`-derived byte ceiling is ignored
+ * WITHOUT being parsed, so a tampered/oversized map cannot blow up memory or CPU
+ * on the retrieval hot path. `maxPairs` is also enforced as an LRU cap on the
+ * coerced result.
+ */
+export declare function readSynonymMap(directory: string, maxPairs?: number): Promise<SynonymMap>;
+declare function writeSynonymMapAtomic(filePath: string, map: SynonymMap): Promise<void>;
+/**
+ * Atomically rebuild the synonym map from the supplied entries under a
+ * directory lock and persist it. Returns the written map. Intended to be called
+ * by the curator after phase_complete. Bounded by `maxPairs`.
+ */
+export declare function rebuildSynonymMap(directory: string, entries: SynonymSourceEntry[], maxPairs?: number): Promise<SynonymMap>;
+export declare const _internals: {
+    MAX_TOKEN_LENGTH: number;
+    DEFAULT_MAX_PAIRS: number;
+    DEFAULT_MIN_COOCCURRENCE: number;
+    DEFAULT_MAX_EXPANSIONS_PER_TOKEN: number;
+    evictToCap: typeof evictToCap;
+    isSynonymPair: typeof isSynonymPair;
+    writeSynonymMapAtomic: typeof writeSynonymMapAtomic;
+};
+export {};

package/dist/services/trajectory-cluster.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Macro-reflector trajectory clustering (Swarm Learning System, Change 6 /
+ * Task 5.3).
+ *
+ * On the skill-improver's scheduled (quota-gated) cadence, scan the last N task
+ * trajectories (`.swarm/evidence/<taskId>/trajectory.jsonl`), cluster repeated
+ * FAILURE motifs by a (tool, kind) signature, and emit one skill PROPOSAL per
+ * recurring motif to `.swarm/skills/proposals/`. Each proposal carries full
+ * provenance: a draft SKILL.md body, the cluster of source task ids (and any
+ * source knowledge ids), a verification predicate, and `applies_to_agents`.
+ *
+ * Read-only over the knowledge store; writes only proposal markdown (never
+ * active skills). Fail-open.
+ */
+/** Trajectories scanned per macro pass (the plan's N=200 window). */
+export declare const MACRO_TRAJECTORY_WINDOW = 200;
+/** A motif must recur across at least this many distinct tasks to propose. */
+export declare const MOTIF_MIN_TASKS = 2;
+export interface FailureMotif {
+    signature: string;
+    tool: string;
+    kind: string;
+    agent: string;
+    taskIds: string[];
+    sampleVerdicts: string[];
+}
+/**
+ * Cluster failure motifs across the recent trajectory window. Returns motifs
+ * that recur across >= MOTIF_MIN_TASKS distinct tasks, most-frequent first.
+ */
+export declare function gatherFailureMotifs(directory: string, opts?: {
+    window?: number;
+    minTasks?: number;
+}): Promise<FailureMotif[]>;
+/** Render a draft SKILL.md proposal body for a motif (with full provenance). */
+export declare function buildMotifProposal(motif: FailureMotif): string;
+export interface MotifProposalResult {
+    motifs: number;
+    proposalsWritten: string[];
+}
+/**
+ * Run the macro motif pass and write one proposal per recurring motif. Returns
+ * the written proposal paths. Fail-open; never throws.
+ */
+export declare function writeMotifProposals(directory: string, opts?: {
+    window?: number;
+    minTasks?: number;
+    maxProposals?: number;
+}): Promise<MotifProposalResult>;

package/dist/services/unactionable-hardening.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Unactionable-knowledge hardening loop (Swarm Learning System, Change 4 /
+ * Task 4.3).
+ *
+ * Consumes `.swarm/knowledge-unactionable.jsonl` (entries quarantined by the
+ * Layer-5 actionability gate) during the skill-improver macro loop. For each
+ * queued entry it attempts to produce a hardened version with predicates +
+ * scope tags via the same quota-gated v3 enrichment used by the curator
+ * (Task 4.2). Entries that pass Layer 5 after hardening move from quarantined
+ * to the active store as candidates; entries that fail are marked
+ * `retire_candidate:true` (left in the queue for human review / eventual
+ * retirement). Already-marked retire candidates are never re-processed.
+ *
+ * Quota: every LLM attempt goes through `enrichLessonToV3`, which reserves one
+ * skill-improver quota slot per call — the loop can never exceed the shared
+ * daily budget. A per-run batch cap bounds worst-case cost further.
+ */
+import type { CuratorLLMDelegate } from '../hooks/curator.js';
+import { type EnrichmentQuotaOptions } from '../hooks/knowledge-curator.js';
+import { type UnactionableRecord } from '../hooks/knowledge-validator.js';
+/** Max queue entries processed per improver run (bounds LLM cost per run). */
+export declare const HARDENING_BATCH_LIMIT = 5;
+/** Queue record shape with the retire flag added by this loop. */
+export interface HardenableRecord extends UnactionableRecord {
+    retire_candidate?: boolean;
+}
+export interface HardeningResult {
+    /** Entries promoted from the queue to the active store. */
+    hardened: number;
+    /** Entries newly marked retire_candidate (hardening failed). */
+    retired: number;
+    /** Entries left in the queue (including pre-existing retire candidates). */
+    remaining: number;
+}
+/**
+ * Run one hardening pass. Never throws; on any error the queue is left as-is
+ * and zeros are reported. No-op (besides counting) when no delegate is
+ * available — without an LLM there is no hardening attempt, and auto-retiring
+ * without an attempt would be wrong.
+ */
+export declare function hardenUnactionableEntries(params: {
+    directory: string;
+    llmDelegate?: CuratorLLMDelegate;
+    quota?: EnrichmentQuotaOptions;
+    batchLimit?: number;
+    dedupThreshold?: number;
+}): Promise<HardeningResult>;

package/dist/tools/external-skill-delete.d.ts

@@ -0,0 +1,16 @@
+/**
+ * external_skill_delete — Delete an external skill candidate from the quarantine store.
+ *
+ * Removes a candidate by ID.  If the candidate was previously promoted, the
+ * promoted skill in `.opencode/skills/generated/` is NOT affected — it must be
+ * separately retired or revoked.  Returns a disabled message when
+ * external_skills.curation_enabled is false.
+ *
+ * Uses an `_internals` DI seam for testability — no `mock.module` leakage.
+ */
+import type { ExternalSkillsConfig } from '../config/schema.js';
+import { createSwarmTool } from './create-tool.js';
+export declare const _internals: {
+    loadConfig: (directory: string) => ExternalSkillsConfig | undefined;
+};
+export declare const external_skill_delete: ReturnType<typeof createSwarmTool>;