opencode-swarm 7.7.0 → 7.8.1

package/dist/commands/full-auto.d.ts

@@ -2,9 +2,20 @@
  * Handles the /swarm full-auto command.
  * Toggles Full-Auto Mode on or off for the active session.
  *
- * @param directory - Project directory (unused but kept for consistency with other commands)
+ * In Full-Auto v2 this also creates a durable run-state record under
+ * .swarm/full-auto-state.json so the permission/oversight infrastructure can
+ * fail-closed across hooks and across process restarts.
+ *
+ * H2 fix: durable write happens BEFORE flipping the legacy
+ * `session.fullAutoMode` flag. If the durable write fails, the command
+ * surfaces the error in its return string and does NOT enable the legacy
+ * reactive intercept — preventing a silent fail-open where reactive checks
+ * would believe Full-Auto is on while the v2 permission hook sees no
+ * durable run.
+ *
+ * @param directory - Project directory (used to persist Full-Auto run state)
  * @param args - Optional argument: "on" | "off" | undefined (toggle behavior)
  * @param sessionID - Session ID for accessing active session state
  * @returns Feedback message about Full-Auto Mode state
  */
-export declare function handleFullAutoCommand(_directory: string, args: string[], sessionID: string): Promise<string>;
+export declare function handleFullAutoCommand(directory: string, args: string[], sessionID: string): Promise<string>;

package/dist/config/evidence-schema.d.ts

@@ -205,9 +205,9 @@ export declare const RetrospectiveEvidenceSchema: z.ZodObject<{
             other: "other";
         }>;
         scope: z.ZodEnum<{
-            project: "project";
             global: "global";
             session: "session";
+            project: "project";
         }>;
     }, z.core.$strip>>>;
     approaches_tried: z.ZodDefault<z.ZodArray<z.ZodObject<{
@@ -651,9 +651,9 @@ export declare const EvidenceSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
             other: "other";
         }>;
         scope: z.ZodEnum<{
-            project: "project";
             global: "global";
             session: "session";
+            project: "project";
         }>;
     }, z.core.$strip>>>;
     approaches_tried: z.ZodDefault<z.ZodArray<z.ZodObject<{
@@ -1070,9 +1070,9 @@ export declare const EvidenceBundleSchema: z.ZodObject<{
                 other: "other";
             }>;
             scope: z.ZodEnum<{
-                project: "project";
                 global: "global";
                 session: "session";
+                project: "project";
             }>;
         }, z.core.$strip>>>;
         approaches_tried: z.ZodDefault<z.ZodArray<z.ZodObject<{

package/dist/config/schema.d.ts

@@ -1,4 +1,5 @@
 import { z } from 'zod';
+import { type AgentName } from './constants';
 /**
  * Test-only dependency-injection seam — see `gitignore-warning.ts:_internals`
  * for the rationale (`mock.module` from `bun:test` leaks across files in
@@ -7,21 +8,62 @@ import { z } from 'zod';
  */
 export declare const _internals: {
     stripKnownSwarmPrefix: typeof stripKnownSwarmPrefix;
+    getCanonicalAgentRole: typeof getCanonicalAgentRole;
     resolveGuardrailsConfig: typeof resolveGuardrailsConfig;
 };
 /**
- * Strips known Swarm prefixes from agent names to get the canonical agent name.
+ * Type guard: returns true when `role` is a canonical agent role recognized
+ * by the plugin (e.g. "architect", "coder", "critic_oversight"). User-defined
+ * swarm IDs must NOT be treated as canonical roles.
+ */
+export declare function isKnownCanonicalRole(role: string): role is AgentName;
+/**
+ * Extract the canonical agent role from a generated agent name, using
+ * suffix-based matching with longest-suffix-wins.
+ *
+ * Generated agent names have the shape `<arbitrary user-defined swarm ID>
+ * <separator> <canonical role>`. The swarm ID is opaque to the plugin —
+ * it can be anything the user configures (e.g. `banana`, `acme-prod`,
+ * `customer123`). Only the canonical role suffix is plugin-defined.
+ *
+ * Behavior:
+ *   - If `agentName` is itself a canonical role, return it unchanged.
+ *   - Else, find the longest canonical role `R` such that `agentName`
+ *     ends with `<sep><R>` for some separator in {"_", "-", " "}; return `R`.
+ *   - Else, return `agentName` unchanged (caller can detect "no role found"
+ *     by comparing the result to `agentName`, or by passing the result
+ *     through `isKnownCanonicalRole`).
  *
- * Strategy:
- * 1. First try stripping known prefixes from the front (e.g., 'paid_architect' -> 'architect')
- * 2. If that doesn't yield a known agent, check if the name ENDS with a known agent name
- *    (e.g., 'not-an-architect' -> 'architect', 'team-alpha-reviewer' -> 'reviewer')
+ * Optional `generatedAgentNames` argument: when supplied (e.g. from
+ * `getAgentConfigs` output at plugin init), the function ONLY infers a role
+ * for names actually present in that registry. Bare user-supplied strings
+ * like `not_an_architect` are NOT treated as roles unless they appear in
+ * the generated-name set. Callers that need this strict behavior should
+ * use `resolveGeneratedAgentRole` instead.
  *
- * Supports underscore, hyphen, and space separators.
- * Case-insensitive matching, but returns the canonical lowercase agent name.
+ * Case-insensitive on the input; the returned role is the canonical
+ * lowercase form from `ALL_AGENT_NAMES`.
+ */
+export declare function getCanonicalAgentRole(agentName: string, generatedAgentNames?: Iterable<string>): AgentName | string;
+/**
+ * Strict variant of {@link getCanonicalAgentRole}: only infers a canonical
+ * role when the agent name is actually present in the supplied generated-
+ * name registry, OR is itself a canonical role. Use this from callers that
+ * must avoid treating arbitrary user-supplied strings as roles.
+ */
+export declare function resolveGeneratedAgentRole(agentName: string, generatedAgentNames: Iterable<string>): AgentName | string;
+/**
+ * Backward-compatible alias for {@link getCanonicalAgentRole}. The previous
+ * implementation stripped a hardcoded list of "known swarm prefixes" from
+ * the front of the agent name. That approach was wrong by design: swarm
+ * IDs are arbitrary user-defined strings — the plugin cannot enumerate
+ * them. The new implementation does suffix-based canonical role extraction
+ * (see `getCanonicalAgentRole`) which works for ANY user-defined swarm ID.
  *
- * @param agentName - The potentially prefixed agent name
- * @returns The canonical agent name, or the original if no known agent found
+ * Existing tests that pass `synthetic_reviewer` / `mega_architect` /
+ * `cloud_critic_oversight` / etc. continue to pass because those names
+ * end with `<sep><canonical role>`, which is exactly what the suffix
+ * extractor matches.
  */
 export declare function stripKnownSwarmPrefix(agentName: string): string;
 export declare const AgentOverrideConfigSchema: z.ZodObject<{
@@ -1073,6 +1115,37 @@ export declare const PluginConfigSchema: z.ZodObject<{
             pause: "pause";
             terminate: "terminate";
         }>>;
+        mode: z.ZodDefault<z.ZodEnum<{
+            strict: "strict";
+            assisted: "assisted";
+            supervised: "supervised";
+        }>>;
+        fail_closed: z.ZodDefault<z.ZodBoolean>;
+        permission_policy: z.ZodDefault<z.ZodObject<{
+            enabled: z.ZodDefault<z.ZodBoolean>;
+            trusted_roots: z.ZodDefault<z.ZodArray<z.ZodString>>;
+            trusted_domains: z.ZodDefault<z.ZodArray<z.ZodString>>;
+            protected_paths: z.ZodDefault<z.ZodArray<z.ZodString>>;
+            allow_defaults: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>;
+        denials: z.ZodDefault<z.ZodObject<{
+            max_consecutive: z.ZodDefault<z.ZodNumber>;
+            max_total: z.ZodDefault<z.ZodNumber>;
+            on_limit: z.ZodDefault<z.ZodEnum<{
+                pause: "pause";
+                terminate: "terminate";
+            }>>;
+        }, z.core.$strip>>;
+        oversight: z.ZodDefault<z.ZodObject<{
+            on_plan_change: z.ZodDefault<z.ZodBoolean>;
+            on_task_completion: z.ZodDefault<z.ZodBoolean>;
+            on_phase_boundary: z.ZodDefault<z.ZodBoolean>;
+            on_high_risk_action: z.ZodDefault<z.ZodBoolean>;
+            on_subagent_return_warning: z.ZodDefault<z.ZodBoolean>;
+            every_tool_calls: z.ZodDefault<z.ZodNumber>;
+            every_architect_turns: z.ZodDefault<z.ZodNumber>;
+            every_minutes: z.ZodDefault<z.ZodNumber>;
+        }, z.core.$strip>>;
     }, z.core.$strip>>>;
 }, z.core.$strip>;
 export type PluginConfig = z.infer<typeof PluginConfigSchema>;

package/dist/full-auto/cadence.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Full-Auto v2 oversight cadence.
+ *
+ * Pure helpers that decide when periodic / risk-triggered oversight should
+ * fire. Wired into the existing tool.execute.after flow (counters increment)
+ * and into the chat.message transform (architect turn increment) by the
+ * orchestrating hook composition in `src/index.ts`.
+ *
+ * Critic oversight sessions and critic-internal tool calls must be exempt
+ * from triggering further Full-Auto oversight. Callers identify those by
+ * passing `excludeAgent: true` for the relevant call.
+ */
+import type { PluginConfig } from '../config';
+import { dispatchFullAutoOversight } from './oversight';
+import { type FullAutoRunState } from './state';
+export type CadenceTrigger = {
+    kind: 'tool_calls';
+    threshold: number;
+} | {
+    kind: 'architect_turns';
+    threshold: number;
+} | {
+    kind: 'minutes';
+    threshold: number;
+    elapsedMinutes: number;
+} | {
+    kind: 'consecutive_no_progress';
+    threshold: number;
+} | {
+    kind: 'denials_near_limit';
+    consecutive: number;
+    max: number;
+};
+export interface CadenceDecision {
+    shouldEscalate: boolean;
+    triggers: CadenceTrigger[];
+}
+export declare function evaluateFullAutoCadence(state: FullAutoRunState, config: PluginConfig, now?: number): CadenceDecision;
+/**
+ * Convenience: increment the relevant counter and evaluate cadence in one
+ * call. Returns undefined when there is no active Full-Auto run.
+ */
+export declare function tickAndEvaluate(directory: string, sessionID: string, counter: 'toolCalls' | 'architectTurns', config: PluginConfig): CadenceDecision | undefined;
+/**
+ * Tick a counter, evaluate cadence, and — if a trigger fires — dispatch the
+ * critic oversight agent in a non-blocking way. The dispatch:
+ *   - increments the durable oversight counter
+ *   - writes a `full_auto_oversight` event/evidence record
+ *   - mutates durable run state (pause / terminate) according to verdict
+ *
+ * The chat.message and tool.execute.after callers do not await the dispatch
+ * — they fire-and-forget. The next tool call by the agent will see the
+ * paused/terminated state and surface a structured error.
+ *
+ * Returns the CadenceDecision so callers can introspect for tests.
+ */
+export declare function tickAndMaybeDispatchCadence(directory: string, sessionID: string, counter: 'toolCalls' | 'architectTurns', config: PluginConfig, options?: {
+    activeAgent?: string;
+    dispatch?: typeof dispatchFullAutoOversight;
+}): CadenceDecision | undefined;
+export declare const _internals: {
+    clearInFlight: () => void;
+    inFlight: Set<string>;
+};

package/dist/full-auto/input-probe.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Full-Auto v2 prompt-injection scanner for tool output.
+ *
+ * The probe inspects the textual content returned by a tool (web_search,
+ * webfetch, fetch, doc_extract, search, evidence dumps, etc.) and detects
+ * the most common prompt-injection / exfiltration shapes. It is intentionally
+ * pattern-based and conservative: false positives produce a warning but do
+ * not block work by themselves; an injection warning combined with a
+ * subsequent risky action escalates to the critic.
+ */
+export type FullAutoInputWarningCategory = 'instruction_override' | 'system_role_override' | 'credential_request' | 'exfiltration_request' | 'guardrail_disable_request' | 'curl_pipe_shell' | 'untrusted_run_command';
+export interface FullAutoInputWarning {
+    category: FullAutoInputWarningCategory;
+    matched: string;
+    excerpt: string;
+}
+export interface FullAutoInputProbeResult {
+    hasWarning: boolean;
+    warnings: FullAutoInputWarning[];
+}
+export declare function probeFullAutoInput(text: string): FullAutoInputProbeResult;
+export declare function shouldEscalateAfterWarning(toolName: string, commandOrUrl: string | undefined): boolean;

package/dist/full-auto/oversight.d.ts

@@ -0,0 +1,93 @@
+export interface FullAutoCriticResult {
+    verdict: string;
+    reasoning: string;
+    evidenceChecked: string[];
+    antiPatternsDetected: string[];
+    escalationNeeded: boolean;
+    rawResponse: string;
+}
+export type FullAutoTriggerSource = 'text_pattern' | 'tool_action' | 'cadence' | 'subagent_return' | 'phase_boundary' | 'task_completion' | 'risk';
+export interface FullAutoOversightEvent {
+    type: 'full_auto_oversight';
+    timestamp: string;
+    session_id: string;
+    plan_id?: string;
+    phase?: number;
+    task_id?: string;
+    trigger_source: FullAutoTriggerSource;
+    trigger_reason: string;
+    critic_agent: string;
+    critic_model: string;
+    architect_model?: string;
+    verdict: string;
+    reasoning: string;
+    evidence_checked: string[];
+    anti_patterns_detected: string[];
+    escalation_needed: boolean;
+    decision: string;
+    full_auto_status_before?: string;
+    full_auto_status_after?: string;
+    oversight_sequence: number;
+}
+export interface DispatchFullAutoOversightInput {
+    directory: string;
+    sessionID: string;
+    trigger: string;
+    triggerSource: FullAutoTriggerSource;
+    phase?: number;
+    taskID?: string;
+    planID?: string;
+    architectOutput?: string;
+    actionContext?: Record<string, unknown>;
+    criticModel: string;
+    oversightAgentName: string;
+    architectModel?: string;
+    /**
+     * Optional Full-Auto config slice. Used to honor `fail_closed` semantics
+     * when oversight event/evidence persistence fails (TASK 6). When
+     * omitted, the dispatcher defaults to `fail_closed = true`.
+     */
+    fullAutoConfig?: {
+        fail_closed?: boolean;
+    };
+}
+export declare function parseFullAutoCriticResponse(rawResponse: string): FullAutoCriticResult;
+/**
+ * Append a Full-Auto oversight event to `.swarm/events.jsonl`.
+ *
+ * TASK 6: persistence failures MUST propagate. When fail_closed is the
+ * active policy (the default), an oversight verdict that cannot be
+ * durably audited is not a real verdict — the dispatcher converts the
+ * thrown error into a BLOCKED/pause outcome.
+ *
+ * The lock acquisition is best-effort (some platforms / test sandboxes
+ * cannot acquire the cross-process lock); the actual append is the
+ * mandatory step and any failure throws.
+ */
+export declare function writeFullAutoOversightEvent(directory: string, event: FullAutoOversightEvent): Promise<void>;
+/**
+ * Persist Full-Auto oversight evidence to `.swarm/evidence/{phase}/full-auto-{seq}.json`.
+ *
+ * TASK 6: persistence failures MUST propagate. For phase_boundary
+ * triggers the evidence write is MANDATORY because phase_complete will
+ * later block on the absence of an APPROVED record. The dispatcher
+ * converts a thrown error into a BLOCKED/pause outcome under
+ * fail_closed = true.
+ *
+ * Returns `undefined` only when `phase` is undefined (no evidence to
+ * write because the trigger isn't phase-scoped). All other failures
+ * throw.
+ */
+export declare function writeFullAutoOversightEvidence(directory: string, phase: number | undefined, event: FullAutoOversightEvent): Promise<string | undefined>;
+export interface FullAutoOversightOutcome extends FullAutoCriticResult {
+    decision: 'allow' | 'deny' | 'pause' | 'escalate_human' | 'pending';
+    event: FullAutoOversightEvent;
+    evidencePath?: string;
+}
+export declare function dispatchFullAutoOversight(input: DispatchFullAutoOversightInput): Promise<FullAutoOversightOutcome>;
+/**
+ * Test-only DI seam.
+ */
+export declare const _internals: {
+    resetSequence: () => void;
+};

package/dist/full-auto/phase-approval.d.ts

@@ -0,0 +1,7 @@
+import type { PluginConfig } from '../config';
+export interface PhaseApprovalDecision {
+    ok: boolean;
+    reason?: string;
+    evidence?: Record<string, unknown>;
+}
+export declare function verifyFullAutoPhaseApproval(directory: string, sessionID: string | undefined, phase: number, config: PluginConfig): PhaseApprovalDecision;

package/dist/full-auto/policy.d.ts

@@ -0,0 +1,85 @@
+export type FullAutoActionTier = 'safe' | 'local' | 'medium' | 'high';
+export type FullAutoDecision = {
+    action: 'allow';
+    reason: string;
+    tier: 'safe' | 'local';
+} | {
+    action: 'deny';
+    reason: string;
+    code: string;
+    recoverable: boolean;
+} | {
+    action: 'escalate_critic';
+    reason: string;
+    risk: 'medium' | 'high';
+    context: Record<string, unknown>;
+} | {
+    action: 'escalate_human';
+    reason: string;
+    code: string;
+} | {
+    action: 'pause';
+    reason: string;
+    code: string;
+};
+export interface FullAutoPolicyConfig {
+    enabled?: boolean;
+    mode?: 'assisted' | 'supervised' | 'strict';
+    permission_policy?: {
+        enabled?: boolean;
+        trusted_roots?: string[];
+        trusted_domains?: string[];
+        protected_paths?: string[];
+        allow_defaults?: boolean;
+    };
+    oversight?: {
+        on_high_risk_action?: boolean;
+        on_task_completion?: boolean;
+    };
+}
+export interface FullAutoClassifierInput {
+    sessionID: string;
+    agentName?: string;
+    normalizedAgentName?: string;
+    toolName: string;
+    args: Record<string, unknown> | undefined;
+    directory: string;
+    workingDirectory?: string;
+    declaredScope?: string[] | null;
+    currentTaskID?: string | null;
+    currentPhase?: number;
+    planSummary?: string;
+    changedFiles?: string[];
+    fullAutoConfig: FullAutoPolicyConfig | undefined;
+}
+export declare function isReadOnlyTool(toolName: string): boolean;
+export declare function isWriteLikeTool(toolName: string): boolean;
+export declare function isSubagentDelegation(toolName: string, args: Record<string, unknown> | undefined): boolean;
+export declare function isProtectedPath(filePath: string, config: FullAutoPolicyConfig | undefined): boolean;
+export declare function classifyPathRisk(filePath: string, context: {
+    directory: string;
+    declaredScope?: string[] | null;
+}): {
+    withinProjectRoot: boolean;
+    withinDeclaredScope: boolean | null;
+    protected: boolean;
+    highRiskBuild: boolean;
+};
+export declare function classifyCommandRisk(command: string, _cwd: string, _context: {
+    directory: string;
+}): {
+    decision: 'allow' | 'deny' | 'escalate_critic';
+    reason: string;
+};
+export declare function classifyFullAutoToolAction(input: FullAutoClassifierInput): FullAutoDecision;
+export interface StructuredDenial {
+    full_auto_denial: true;
+    tool?: string;
+    code: string;
+    reason: string;
+    recoverable: boolean;
+    guidance: string;
+}
+export declare function buildStructuredDenial(decision: Extract<FullAutoDecision, {
+    action: 'deny';
+}>, tool?: string): StructuredDenial;

package/dist/full-auto/state.d.ts

@@ -0,0 +1,121 @@
+export type FullAutoStatus = 'idle' | 'running' | 'paused' | 'terminated';
+export interface FullAutoDenialRecord {
+    timestamp: string;
+    tool?: string;
+    code?: string;
+    reason: string;
+}
+export interface FullAutoCounters {
+    architectTurns: number;
+    toolCalls: number;
+    coderDelegations: number;
+    reviewerRejections: number;
+    testFailures: number;
+    oversightChecks: number;
+    consecutiveNoProgressTurns: number;
+}
+export interface FullAutoRunState {
+    status: FullAutoStatus;
+    sessionID: string;
+    mode: 'assisted' | 'supervised' | 'strict';
+    planID?: string;
+    currentPhase?: number;
+    currentTaskID?: string;
+    startedAt: string;
+    updatedAt: string;
+    lastOversightAt?: string;
+    lastOversightReason?: string;
+    lastOversightVerdict?: string;
+    denialCounters: {
+        consecutive: number;
+        total: number;
+    };
+    denialHistory: FullAutoDenialRecord[];
+    counters: FullAutoCounters;
+    pauseReason?: string;
+    terminateReason?: string;
+}
+export interface FullAutoPersistedState {
+    version: 2;
+    updatedAt: string;
+    /**
+     * Monotonic counter for `full_auto_oversight` evidence-file sequencing.
+     * Persisted so the per-phase filename `full-auto-{seq}.json` does not
+     * collide after a process restart. (C4 fix.)
+     */
+    oversightSequence?: number;
+    sessions: Record<string, FullAutoRunState>;
+}
+export interface FullAutoConfigShape {
+    enabled?: boolean;
+    mode?: 'assisted' | 'supervised' | 'strict';
+    denials?: {
+        max_consecutive?: number;
+        max_total?: number;
+        on_limit?: 'pause' | 'terminate';
+    };
+}
+export declare class FullAutoStateUnreadableError extends Error {
+    constructor(reason: string);
+}
+export declare function isFullAutoStateUnreadable(): {
+    unreadable: boolean;
+    reason: string;
+};
+declare function readPersisted(directory: string): FullAutoPersistedState;
+/**
+ * Atomically persist Full-Auto durable state.
+ *
+ * TASK 3 fix: persistence failures MUST propagate. The previous
+ * implementation caught and logged write errors, which let
+ * `startFullAutoRun` (and the `/swarm full-auto on` command) silently
+ * report success even when nothing was written. Callers relied on the
+ * durable record to fail-closed; that contract is now enforced.
+ *
+ * Behavior:
+ *   - Writes via `tmp -> fsync -> rename`, so a crash mid-write cannot
+ *     truncate the canonical file.
+ *   - Keeps `.bak` of the prior canonical file as a recovery hint.
+ *   - Reads the file back after the rename and confirms the JSON
+ *     round-trips. Any failure throws.
+ */
+declare function writePersisted(directory: string, persisted: FullAutoPersistedState): void;
+export declare function loadFullAutoRunState(directory: string, sessionID: string): FullAutoRunState | undefined;
+export declare function saveFullAutoRunState(directory: string, state: FullAutoRunState): void;
+export declare function startFullAutoRun(directory: string, sessionID: string, config: FullAutoConfigShape | undefined, options?: {
+    planID?: string;
+    phase?: number;
+    taskID?: string;
+}): FullAutoRunState;
+export declare function pauseFullAutoRun(directory: string, sessionID: string, reason: string): FullAutoRunState | undefined;
+export declare function terminateFullAutoRun(directory: string, sessionID: string, reason: string): FullAutoRunState | undefined;
+export declare function isFullAutoRunActive(directory: string, sessionID: string): boolean;
+export type FullAutoCounterKey = keyof FullAutoCounters;
+export declare function incrementFullAutoCounter(directory: string, sessionID: string, counter: FullAutoCounterKey, delta?: number): FullAutoRunState | undefined;
+export declare function recordFullAutoDenial(directory: string, sessionID: string, denial: {
+    tool?: string;
+    code?: string;
+    reason: string;
+}): FullAutoRunState | undefined;
+export declare function resetFullAutoDenials(directory: string, sessionID: string): FullAutoRunState | undefined;
+/**
+ * Atomically increment and return the durable oversight-evidence sequence
+ * counter. Used by `writeFullAutoOversightEvidence` to produce stable,
+ * non-colliding evidence filenames across process restarts. (C4 fix.)
+ */
+export declare function nextFullAutoOversightSequence(directory: string): number;
+export declare function recordFullAutoOversight(directory: string, sessionID: string, verdict: string, reason: string): FullAutoRunState | undefined;
+export interface DenialLimitDecision {
+    pause: boolean;
+    reason?: string;
+    mode?: 'pause' | 'terminate';
+}
+export declare function shouldPauseForDenials(state: FullAutoRunState, config: FullAutoConfigShape | undefined): DenialLimitDecision;
+/**
+ * Test-only DI seam — same rationale as `src/state.ts:_internals`.
+ */
+export declare const _internals: {
+    readPersisted: typeof readPersisted;
+    writePersisted: typeof writePersisted;
+};
+export {};

package/dist/hooks/full-auto-delegation.d.ts

@@ -0,0 +1,28 @@
+import type { PluginConfig } from '../config';
+export interface FullAutoDelegationHookOptions {
+    config: PluginConfig;
+    directory: string;
+}
+interface ToolBeforeInput {
+    tool: string;
+    sessionID: string;
+    callID?: string;
+}
+interface ToolBeforeOutput {
+    args: unknown;
+}
+interface ToolAfterInput {
+    tool: string;
+    sessionID: string;
+    callID?: string;
+    args?: unknown;
+}
+interface ToolAfterOutput {
+    output?: unknown;
+    error?: unknown;
+}
+export declare function createFullAutoDelegationHook(options: FullAutoDelegationHookOptions): {
+    toolBefore: (input: ToolBeforeInput, output: ToolBeforeOutput) => Promise<void>;
+    toolAfter: (input: ToolAfterInput, output: ToolAfterOutput) => Promise<void>;
+};
+export {};

package/dist/hooks/full-auto-input-probe.d.ts

@@ -0,0 +1,27 @@
+import type { PluginConfig } from '../config';
+export interface FullAutoInputProbeHookOptions {
+    config: PluginConfig;
+    directory: string;
+}
+interface ToolAfterInput {
+    tool: string;
+    sessionID: string;
+    callID?: string;
+}
+interface ToolAfterOutput {
+    output?: unknown;
+    error?: unknown;
+}
+export interface PendingInputWarning {
+    tool: string;
+    at: string;
+    categories: string[];
+}
+export declare const fullAutoInputWarningStash: Map<string, PendingInputWarning>;
+export declare function setPendingInputWarning(sessionID: string, warning: PendingInputWarning): void;
+export declare function consumePendingInputWarning(sessionID: string): PendingInputWarning | undefined;
+export declare function peekPendingInputWarning(sessionID: string): PendingInputWarning | undefined;
+export declare function createFullAutoInputProbeHook(options: FullAutoInputProbeHookOptions): {
+    toolAfter: (input: ToolAfterInput, output: ToolAfterOutput) => Promise<void>;
+};
+export {};

package/dist/hooks/full-auto-intercept.d.ts

@@ -58,7 +58,7 @@ export declare function injectVerdictIntoMessages(messages: MessageWithParts[],
  * This function encapsulates the critic invocation and event writing flow.
  * The critic response is awaited before writing the event to events.jsonl.
  */
-export declare function dispatchCriticAndWriteEvent(directory: string, architectOutput: string, criticContext: string, criticModel: string, escalationType: 'phase_completion' | 'question', interactionCount: number, deadlockCount: number, oversightAgentName: string): Promise<CriticDispatchResult>;
+export declare function dispatchCriticAndWriteEvent(directory: string, architectOutput: string, criticContext: string, criticModel: string, escalationType: 'phase_completion' | 'question', interactionCount: number, deadlockCount: number, oversightAgentName: string, sessionID?: string): Promise<CriticDispatchResult>;
 /**
  * Creates the full-auto intercept hook factory.
  *