opensip-cli 0.1.14 → 0.1.16

package/dist/bootstrap/artifact-retention.d.ts

@@ -0,0 +1,62 @@
+/**
+ * artifact-retention — host-owned pruning of the per-tool artifact store.
+ *
+ * The host writes every scanner/baseline/catalog artifact through the
+ * `writeArtifact` seam into `<project>/.runtime/artifacts/<tool>/<runId>/<name>`
+ * (the substrate composes the `<runId>` segment; ADR-0090 Phase-0 decision 1).
+ * Unbounded, that store would grow one run-dir per invocation forever. This
+ * helper keeps the N most-recent run-dirs per tool and removes the rest.
+ *
+ * A separate, pure-IO testable unit (mirroring `atomic-artifact-write.ts` vs
+ * `artifact-seams.ts`): the write seam calls it after a successful artifact
+ * write, gated on the target living inside the artifact store. Every failure
+ * path is defensive — a prune problem must NEVER fail the run, so nothing here
+ * throws (the seam additionally wraps the call).
+ */
+/**
+ * Default number of per-tool run-dirs retained when `cli.artifacts.keep` is not
+ * set in `opensip-cli.config.yml`. MUST match the Zod default declared on
+ * `cliConfigSchema.artifacts.keep` (in `@opensip-cli/config`); kept here as a
+ * literal because the config layer cannot import from the cli layer.
+ */
+export declare const DEFAULT_ARTIFACT_RETENTION_KEEP = 10;
+/**
+ * In-flight grace window (A12): a run-dir whose mtime is within this many ms of
+ * `now` is NEVER evicted, regardless of its rank past `keep`.
+ *
+ * A slow CONCURRENT same-tool run creates its dir at scan start and only appends
+ * to the report inside it — directory mtime is set at creation and report appends
+ * do NOT bump it — so under load that dir can rank below `keep` while the peer is
+ * still scanning. A naive rank-only prune would `rmSync` it mid-scan, faulting the
+ * peer with a spurious `artifactValid=false`. The window MUST be >= the scanner
+ * process budget (`DEFAULT_TIMEOUT_MS` = 300_000 ms in the substrate run loop): a
+ * run cannot legitimately be in flight longer than its timeout, so any dir older
+ * than this is guaranteed finished and safe to prune. Kept a literal (with a
+ * margin over the substrate timeout) because the cli layer must not import the
+ * substrate; the comment is the sync point.
+ */
+export declare const ARTIFACT_INFLIGHT_GRACE_MS: number;
+/** Options for {@link pruneArtifactRetention}'s in-flight-safety floor (A12). */
+export interface PruneRetentionOptions {
+    /** `Date.now()` by default; injectable for deterministic tests. */
+    readonly now?: number;
+    /** The current run's dir name (== `runId`) — never pruned even if it ranks low. */
+    readonly currentRunId?: string;
+}
+/**
+ * Prune `<artifactsDir>/<tool>` down to the `keep` most-recent run-dirs.
+ *
+ * Run-dirs are ordered newest-first by mtime (tie-broken by name, descending,
+ * for determinism); everything past the first `keep` is removed
+ * (`rmSync({ recursive: true, force: true })`). Defensive throughout:
+ *   - missing tool dir → no-op;
+ *   - `keep <= 0` (or non-finite) → treated as disabled, no-op;
+ *   - a failed removal is swallowed (best-effort) and never propagated.
+ *
+ * A12 in-flight safety: a dir is RANK-INDEPENDENTLY retained when it is the
+ * current run's own dir (`opts.currentRunId`) or its mtime is within
+ * {@link ARTIFACT_INFLIGHT_GRACE_MS} of `now` — a peer run that could still be
+ * scanning is never deleted out from under it, regardless of how it ranks.
+ */
+export declare function pruneArtifactRetention(tool: string, artifactsDir: string, keep: number, opts?: PruneRetentionOptions): void;
+//# sourceMappingURL=artifact-retention.d.ts.map

package/dist/bootstrap/artifact-retention.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact-retention.d.ts","sourceRoot":"","sources":["../../src/bootstrap/artifact-retention.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH;;;;;GAKG;AACH,eAAO,MAAM,+BAA+B,KAAK,CAAC;AAElD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,0BAA0B,QAAgB,CAAC;AAExD,iFAAiF;AACjF,MAAM,WAAW,qBAAqB;IACpC,mEAAmE;IACnE,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,mFAAmF;IACnF,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AA+CD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,qBAA0B,GAC/B,IAAI,CAeN"}

package/dist/bootstrap/artifact-retention.js

@@ -0,0 +1,117 @@
+/**
+ * artifact-retention — host-owned pruning of the per-tool artifact store.
+ *
+ * The host writes every scanner/baseline/catalog artifact through the
+ * `writeArtifact` seam into `<project>/.runtime/artifacts/<tool>/<runId>/<name>`
+ * (the substrate composes the `<runId>` segment; ADR-0090 Phase-0 decision 1).
+ * Unbounded, that store would grow one run-dir per invocation forever. This
+ * helper keeps the N most-recent run-dirs per tool and removes the rest.
+ *
+ * A separate, pure-IO testable unit (mirroring `atomic-artifact-write.ts` vs
+ * `artifact-seams.ts`): the write seam calls it after a successful artifact
+ * write, gated on the target living inside the artifact store. Every failure
+ * path is defensive — a prune problem must NEVER fail the run, so nothing here
+ * throws (the seam additionally wraps the call).
+ */
+import { readdirSync, rmSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+/**
+ * Default number of per-tool run-dirs retained when `cli.artifacts.keep` is not
+ * set in `opensip-cli.config.yml`. MUST match the Zod default declared on
+ * `cliConfigSchema.artifacts.keep` (in `@opensip-cli/config`); kept here as a
+ * literal because the config layer cannot import from the cli layer.
+ */
+export const DEFAULT_ARTIFACT_RETENTION_KEEP = 10;
+/**
+ * In-flight grace window (A12): a run-dir whose mtime is within this many ms of
+ * `now` is NEVER evicted, regardless of its rank past `keep`.
+ *
+ * A slow CONCURRENT same-tool run creates its dir at scan start and only appends
+ * to the report inside it — directory mtime is set at creation and report appends
+ * do NOT bump it — so under load that dir can rank below `keep` while the peer is
+ * still scanning. A naive rank-only prune would `rmSync` it mid-scan, faulting the
+ * peer with a spurious `artifactValid=false`. The window MUST be >= the scanner
+ * process budget (`DEFAULT_TIMEOUT_MS` = 300_000 ms in the substrate run loop): a
+ * run cannot legitimately be in flight longer than its timeout, so any dir older
+ * than this is guaranteed finished and safe to prune. Kept a literal (with a
+ * margin over the substrate timeout) because the cli layer must not import the
+ * substrate; the comment is the sync point.
+ */
+export const ARTIFACT_INFLIGHT_GRACE_MS = 6 * 60 * 1000;
+/**
+ * Order run-dirs newest-first by mtime, with a deterministic name tie-break
+ * (descending) so equal-mtime dirs prune in a stable order.
+ */
+function byMostRecent(a, b) {
+    if (a.mtimeMs !== b.mtimeMs)
+        return b.mtimeMs - a.mtimeMs;
+    if (a.name === b.name)
+        return 0;
+    return a.name < b.name ? 1 : -1;
+}
+/**
+ * List the immediate child directories of `<artifactsDir>/<tool>` as candidate
+ * per-run dirs, each stamped with its mtime. A missing dir (or a path that is a
+ * file, not a dir) yields `[]` — nothing to prune. Non-directory entries (a tool
+ * writing a file directly under `<tool>/`) are ignored.
+ */
+function listRunDirs(toolDir) {
+    let entries;
+    try {
+        entries = readdirSync(toolDir, { withFileTypes: true });
+    }
+    catch {
+        // @swallow-ok missing/!dir tool subdir → nothing to prune
+        return [];
+    }
+    return entries
+        .filter((entry) => entry.isDirectory())
+        .map((entry) => {
+        const full = join(toolDir, entry.name);
+        let mtimeMs = 0;
+        try {
+            mtimeMs = statSync(full).mtimeMs;
+        }
+        catch {
+            // @swallow-ok unreadable run dir sorts oldest (mtime 0) so it is pruned first
+            mtimeMs = 0;
+        }
+        return { name: entry.name, full, mtimeMs };
+    });
+}
+/**
+ * Prune `<artifactsDir>/<tool>` down to the `keep` most-recent run-dirs.
+ *
+ * Run-dirs are ordered newest-first by mtime (tie-broken by name, descending,
+ * for determinism); everything past the first `keep` is removed
+ * (`rmSync({ recursive: true, force: true })`). Defensive throughout:
+ *   - missing tool dir → no-op;
+ *   - `keep <= 0` (or non-finite) → treated as disabled, no-op;
+ *   - a failed removal is swallowed (best-effort) and never propagated.
+ *
+ * A12 in-flight safety: a dir is RANK-INDEPENDENTLY retained when it is the
+ * current run's own dir (`opts.currentRunId`) or its mtime is within
+ * {@link ARTIFACT_INFLIGHT_GRACE_MS} of `now` — a peer run that could still be
+ * scanning is never deleted out from under it, regardless of how it ranks.
+ */
+export function pruneArtifactRetention(tool, artifactsDir, keep, opts = {}) {
+    if (!Number.isFinite(keep) || keep <= 0)
+        return;
+    const now = opts.now ?? Date.now();
+    const toolDir = join(artifactsDir, tool);
+    const runDirs = listRunDirs(toolDir).sort(byMostRecent);
+    for (const stale of runDirs.slice(keep)) {
+        // A12: never evict a possibly-in-flight peer run even when it ranks past keep.
+        if (opts.currentRunId !== undefined && stale.name === opts.currentRunId)
+            continue;
+        if (now - stale.mtimeMs < ARTIFACT_INFLIGHT_GRACE_MS)
+            continue;
+        try {
+            rmSync(stale.full, { recursive: true, force: true });
+        }
+        catch {
+            // @swallow-ok best-effort prune; a removal failure must not fail the run
+        }
+    }
+}
+//# sourceMappingURL=artifact-retention.js.map

package/dist/bootstrap/artifact-retention.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact-retention.js","sourceRoot":"","sources":["../../src/bootstrap/artifact-retention.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAe,MAAM,SAAS,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC;;;;;GAKG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG,EAAE,CAAC;AAElD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAgBxD;;;GAGG;AACH,SAAS,YAAY,CAAC,CAAS,EAAE,CAAS;IACxC,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO;QAAE,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;IAC1D,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI;QAAE,OAAO,CAAC,CAAC;IAChC,OAAO,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,WAAW,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;QAC1D,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,OAAO;SACX,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;SACtC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACb,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,IAAI,CAAC;YACH,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,8EAA8E;YAC9E,OAAO,GAAG,CAAC,CAAC;QACd,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC7C,CAAC,CAAC,CAAC;AACP,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAAY,EACZ,YAAoB,EACpB,IAAY,EACZ,OAA8B,EAAE;IAEhC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;QAAE,OAAO;IAChD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACxD,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,+EAA+E;QAC/E,IAAI,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,YAAY;YAAE,SAAS;QAClF,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,GAAG,0BAA0B;YAAE,SAAS;QAC/D,IAAI,CAAC;YACH,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,yEAAyE;QAC3E,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/bootstrap/artifact-seams.d.ts

@@ -2,6 +2,26 @@
  * Host-owned general artifact write seam.
  */
 import { type Logger } from '@opensip-cli/core';
+/** Options for {@link createWriteArtifactSeam}. */
+export interface WriteArtifactSeamOptions {
+    /**
+     * Number of per-tool run-dirs to retain under `.runtime/artifacts/<tool>/`
+     * (`cli.artifacts.keep`). Undefined → {@link DEFAULT_ARTIFACT_RETENTION_KEEP}.
+     * The host prunes the store after each write whose target lives inside it.
+     */
+    readonly retentionKeep?: number;
+}
+/**
+ * Build the public `cli.ensureArtifactDir(artifactPath)` implementation
+ * (ADR-0091; External Tool Adapter A1/A7).
+ *
+ * Creates `dirname(artifactPath)` recursively at {@link ARTIFACT_DIR_MODE}. This
+ * is the HOST seam a tool calls BEFORE handing the path to an external scanner as
+ * its output target, so the per-run dir exists for a scanner that does a bare
+ * `open(path, 'w')`. Idempotent (`recursive: true`); a pre-existing dir keeps its
+ * mode (only freshly-created dirs get `0o700`, which is exactly the per-run dir).
+ */
+export declare function createEnsureArtifactDirSeam(logger?: Logger): (artifactPath: string) => Promise<void>;
 /** Build the public `cli.writeArtifact(path, bytes)` implementation. */
-export declare function createWriteArtifactSeam(logger?: Logger): (path: string, bytes: string) => Promise<void>;
+export declare function createWriteArtifactSeam(logger?: Logger, options?: WriteArtifactSeamOptions): (path: string, bytes: string) => Promise<void>;
 //# sourceMappingURL=artifact-seams.d.ts.map

package/dist/bootstrap/artifact-seams.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"artifact-seams.d.ts","sourceRoot":"","sources":["../../src/bootstrap/artifact-seams.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAML,KAAK,MAAM,EACZ,MAAM,mBAAmB,CAAC;AA2B3B,wEAAwE;AACxE,wBAAgB,uBAAuB,CACrC,MAAM,GAAE,MAAsB,GAC7B,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAwBhD"}
+{"version":3,"file":"artifact-seams.d.ts","sourceRoot":"","sources":["../../src/bootstrap/artifact-seams.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,OAAO,EAQL,KAAK,MAAM,EAEZ,MAAM,mBAAmB,CAAC;AAM3B,mDAAmD;AACnD,MAAM,WAAW,wBAAwB;IACvC;;;;OAIG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;CACjC;AAwED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,GAAE,MAAsB,GAC7B,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAczC;AAED,wEAAwE;AACxE,wBAAgB,uBAAuB,CACrC,MAAM,GAAE,MAAsB,EAC9B,OAAO,GAAE,wBAA6B,GACrC,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CA4BhD"}

package/dist/bootstrap/artifact-seams.js

@@ -1,11 +1,47 @@
 /**
  * Host-owned general artifact write seam.
  */
-import { statSync } from 'node:fs';
-import { basename, resolve } from 'node:path';
-import { ConfigurationError, currentScope, SystemError, ToolError, logger as defaultLogger, } from '@opensip-cli/core';
+import { mkdirSync, statSync } from 'node:fs';
+import { basename, dirname, relative, resolve, sep } from 'node:path';
+import { ConfigurationError, currentScope, isPathInside, resolveProjectPaths, SystemError, ToolError, logger as defaultLogger, } from '@opensip-cli/core';
+import { DEFAULT_ARTIFACT_RETENTION_KEEP, pruneArtifactRetention } from './artifact-retention.js';
 import { writeArtifactAtomically } from './atomic-artifact-write.js';
 import { resolveStateLockPolicy } from './state-lock-policy.js';
+/**
+ * After a successful artifact write, prune the per-tool run-dirs IFF the target
+ * lives inside the project's host-owned artifact store
+ * (`.runtime/artifacts/<tool>/<runId>/<name>`). Generic writes outside the store
+ * (e.g. a graph `--catalog-output` to an arbitrary path) skip pruning naturally.
+ *
+ * Fully defensive: a no-project run (no `projectContext`) skips; an unreadable
+ * store skips; ANY prune error is logged at debug and never thrown out of the
+ * write seam (a retention problem must not fail the run).
+ */
+function maybePruneArtifactStore(target, scope, retentionKeep, log) {
+    try {
+        const projectRoot = scope?.projectContext?.projectRoot;
+        if (projectRoot === undefined)
+            return; // project-less run: no store to prune
+        const { artifactsDir } = resolveProjectPaths(projectRoot);
+        if (!isPathInside(target, artifactsDir))
+            return; // not an artifact-store write
+        // The dir immediately under the store is the `<tool>` segment; the substrate
+        // composes `<tool>/<runId>/<name>` underneath it.
+        const tool = relative(artifactsDir, target).split(sep)[0];
+        if (tool === undefined || tool === '' || tool === '..')
+            return;
+        // A12: pass the current run id so its own dir is never pruned, and let the
+        // grace-window floor protect concurrent in-flight peers.
+        pruneArtifactRetention(tool, artifactsDir, retentionKeep, { currentRunId: scope?.runId });
+    }
+    catch (error) {
+        log.debug({
+            evt: 'state.artifact.retention.prune.skipped',
+            module: 'cli:artifact-seams',
+            error: error instanceof Error ? error.message : String(error),
+        });
+    }
+}
 /**
  * @throws {ConfigurationError} When the target already exists as a directory.
  * @throws {Error} When filesystem metadata cannot be read for another reason.
@@ -27,8 +63,41 @@ function assertWritableFileTarget(path) {
         throw error;
     }
 }
+/**
+ * Owner-only mode for the host-owned per-run artifact directory (A7).
+ *
+ * The dir holds a scanner's raw report, which can carry live secrets/matches.
+ * Creating it `0o700` means even a report file the scanner writes at its default
+ * umask (typically 0644) is not world-readable, because no other user can
+ * traverse the parent dir — closing the window between the scanner's first write
+ * and the host's `0o600` re-write through {@link createWriteArtifactSeam}.
+ */
+const ARTIFACT_DIR_MODE = 0o700;
+/**
+ * Build the public `cli.ensureArtifactDir(artifactPath)` implementation
+ * (ADR-0091; External Tool Adapter A1/A7).
+ *
+ * Creates `dirname(artifactPath)` recursively at {@link ARTIFACT_DIR_MODE}. This
+ * is the HOST seam a tool calls BEFORE handing the path to an external scanner as
+ * its output target, so the per-run dir exists for a scanner that does a bare
+ * `open(path, 'w')`. Idempotent (`recursive: true`); a pre-existing dir keeps its
+ * mode (only freshly-created dirs get `0o700`, which is exactly the per-run dir).
+ */
+export function createEnsureArtifactDirSeam(logger = defaultLogger) {
+    return (artifactPath) => Promise.resolve().then(() => {
+        const dir = dirname(resolve(artifactPath));
+        try {
+            mkdirSync(dir, { recursive: true, mode: ARTIFACT_DIR_MODE });
+        }
+        catch (error) {
+            throw new SystemError(`ensureArtifactDir failed for '${dir}': ${error instanceof Error ? error.message : String(error)}`, { code: 'SYSTEM.ARTIFACT_DIR_FAILED' });
+        }
+        logger.debug({ evt: 'state.artifact.dir.ensured', module: 'cli:artifact-seams', dir });
+    });
+}
 /** Build the public `cli.writeArtifact(path, bytes)` implementation. */
-export function createWriteArtifactSeam(logger = defaultLogger) {
+export function createWriteArtifactSeam(logger = defaultLogger, options = {}) {
+    const retentionKeep = options.retentionKeep ?? DEFAULT_ARTIFACT_RETENTION_KEEP;
     return (path, bytes) => Promise.resolve().then(() => {
         const target = resolve(path);
         const scope = currentScope();
@@ -48,6 +117,9 @@ export function createWriteArtifactSeam(logger = defaultLogger) {
                 throw error;
             throw new SystemError(`writeArtifact failed for '${target}': ${error instanceof Error ? error.message : String(error)}`, { code: 'SYSTEM.ARTIFACT_WRITE_FAILED' });
         }
+        // Retention runs AFTER the write succeeds and covers worker writes too (the
+        // worker RPC routes through this same host seam). Never fails the run.
+        maybePruneArtifactStore(target, scope, retentionKeep, scope?.logger ?? logger);
     });
 }
 //# sourceMappingURL=artifact-seams.js.map

package/dist/bootstrap/artifact-seams.js.map

@@ -1 +1 @@
-{"version":3,"file":"artifact-seams.js","sourceRoot":"","sources":["../../src/bootstrap/artifact-seams.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE9C,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,WAAW,EACX,SAAS,EACT,MAAM,IAAI,aAAa,GAExB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE;;;GAGG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,IAAI,kBAAkB,CAC1B,+DAA+D,IAAI,GAAG,EACtE;gBACE,IAAI,EAAE,4CAA4C;aACnD,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,kBAAkB;YAAE,MAAM,KAAK,CAAC;QACrD,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO;QAC/D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,uBAAuB,CACrC,SAAiB,aAAa;IAE9B,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CACrB,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;QAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,wBAAwB,CAAC,MAAM,CAAC,CAAC;YACjC,uBAAuB,CAAC,MAAM,EAAE,KAAK,EAAE;gBACrC,MAAM,EAAE,sBAAsB,EAAE;gBAChC,MAAM,EAAE,KAAK,EAAE,MAAM,IAAI,MAAM;gBAC/B,KAAK,EAAE,KAAK,EAAE,KAAK;gBACnB,WAAW,EACT,KAAK,EAAE,cAAc,EAAE,WAAW,KAAK,SAAS;oBAC9C,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBACzB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,CAAC,WAAW,CAAC;aACjD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,SAAS;gBAAE,MAAM,KAAK,CAAC;YAC5C,MAAM,IAAI,WAAW,CACnB,6BAA6B,MAAM,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACjG,EAAE,IAAI,EAAE,8BAA8B,EAAE,CACzC,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
+{"version":3,"file":"artifact-seams.js","sourceRoot":"","sources":["../../src/bootstrap/artifact-seams.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AAEtE,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACZ,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,MAAM,IAAI,aAAa,GAGxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,+BAA+B,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAClG,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAYhE;;;;;;;;;GASG;AACH,SAAS,uBAAuB,CAC9B,MAAc,EACd,KAA2B,EAC3B,aAAqB,EACrB,GAAW;IAEX,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,KAAK,EAAE,cAAc,EAAE,WAAW,CAAC;QACvD,IAAI,WAAW,KAAK,SAAS;YAAE,OAAO,CAAC,sCAAsC;QAC7E,MAAM,EAAE,YAAY,EAAE,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,YAAY,CAAC;YAAE,OAAO,CAAC,8BAA8B;QAC/E,6EAA6E;QAC7E,kDAAkD;QAClD,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,EAAE,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO;QAC/D,2EAA2E;QAC3E,yDAAyD;QACzD,sBAAsB,CAAC,IAAI,EAAE,YAAY,EAAE,aAAa,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5F,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,GAAG,CAAC,KAAK,CAAC;YACR,GAAG,EAAE,wCAAwC;YAC7C,MAAM,EAAE,oBAAoB;YAC5B,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC9D,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACvB,MAAM,IAAI,kBAAkB,CAC1B,+DAA+D,IAAI,GAAG,EACtE;gBACE,IAAI,EAAE,4CAA4C;aACnD,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,kBAAkB;YAAE,MAAM,KAAK,CAAC;QACrD,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO;QAC/D,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAEhC;;;;;;;;;GASG;AACH,MAAM,UAAU,2BAA2B,CACzC,SAAiB,aAAa;IAE9B,OAAO,CAAC,YAAY,EAAE,EAAE,CACtB,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;QAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC;QAC3C,IAAI,CAAC;YACH,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,WAAW,CACnB,iCAAiC,GAAG,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EAClG,EAAE,IAAI,EAAE,4BAA4B,EAAE,CACvC,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,4BAA4B,EAAE,MAAM,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;AACP,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,uBAAuB,CACrC,SAAiB,aAAa,EAC9B,UAAoC,EAAE;IAEtC,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,+BAA+B,CAAC;IAC/E,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CACrB,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE;QAC1B,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,wBAAwB,CAAC,MAAM,CAAC,CAAC;YACjC,uBAAuB,CAAC,MAAM,EAAE,KAAK,EAAE;gBACrC,MAAM,EAAE,sBAAsB,EAAE;gBAChC,MAAM,EAAE,KAAK,EAAE,MAAM,IAAI,MAAM;gBAC/B,KAAK,EAAE,KAAK,EAAE,KAAK;gBACnB,WAAW,EACT,KAAK,EAAE,cAAc,EAAE,WAAW,KAAK,SAAS;oBAC9C,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBACzB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,CAAC,WAAW,CAAC;aACjD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,SAAS;gBAAE,MAAM,KAAK,CAAC;YAC5C,MAAM,IAAI,WAAW,CACnB,6BAA6B,MAAM,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,EACjG,EAAE,IAAI,EAAE,8BAA8B,EAAE,CACzC,CAAC;QACJ,CAAC;QACD,4EAA4E;QAC5E,uEAAuE;QACvE,uBAAuB,CAAC,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,IAAI,MAAM,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/bootstrap/atomic-artifact-write.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"atomic-artifact-write.d.ts","sourceRoot":"","sources":["../../src/bootstrap/atomic-artifact-write.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,EAIL,KAAK,MAAM,EACX,KAAK,eAAe,EACrB,MAAM,mBAAmB,CAAC;AAI3B,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,oBAAoB,GACxB,IAAI,CAuDN"}
+{"version":3,"file":"atomic-artifact-write.d.ts","sourceRoot":"","sources":["../../src/bootstrap/atomic-artifact-write.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAaH,OAAO,EAIL,KAAK,MAAM,EACX,KAAK,eAAe,EACrB,MAAM,mBAAmB,CAAC;AAI3B,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,oBAAoB,GACxB,IAAI,CA4DN"}

package/dist/bootstrap/atomic-artifact-write.js

@@ -3,7 +3,7 @@
  *
  * Owns SARIF and baseline fingerprint JSON exports at the CLI composition root.
  */
-import { closeSync, mkdirSync, openSync, renameSync, unlinkSync, writeSync } from 'node:fs';
+import { chmodSync, closeSync, mkdirSync, openSync, renameSync, unlinkSync, writeSync, } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { currentScope, generateUUID, withFileLock, } from '@opensip-cli/core';
 import { createStateLockEventBridge } from './state-lock-policy.js';
@@ -26,7 +26,11 @@ export function writeArtifactAtomically(targetPath, bytes, ctx) {
         onEvent: createStateLockEventBridge(ctx.logger),
     }, () => {
         try {
-            const fd = openSync(tempPath, 'w');
+            // Owner-only read/write (0600). Artifacts can carry findings (and, for
+            // external scanners, redacted-but-sensitive context), so they are never
+            // group/world-readable. The open mode is umask-masked on some platforms,
+            // so we also chmod the rename target below (belt-and-suspenders).
+            const fd = openSync(tempPath, 'w', 0o600);
             try {
                 writeSync(fd, bytes);
             }
@@ -34,6 +38,7 @@ export function writeArtifactAtomically(targetPath, bytes, ctx) {
                 closeSync(fd);
             }
             renameSync(tempPath, targetPath);
+            chmodSync(targetPath, 0o600);
             ctx.logger.info({
                 evt: 'state.artifact.write.complete',
                 module: 'cli:atomic-artifact-write',

package/dist/bootstrap/atomic-artifact-write.js.map

@@ -1 +1 @@
-{"version":3,"file":"atomic-artifact-write.js","sourceRoot":"","sources":["../../src/bootstrap/atomic-artifact-write.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC5F,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,GAGb,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAUpE;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAkB,EAClB,KAAa,EACb,GAAyB;IAEzB,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,QAAQ,GAAG,GAAG,UAAU,gBAAgB,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,YAAY,EAAE,MAAM,CAAC,CAAC;IAErD,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,YAAY,CACV,QAAQ,EACR;QACE,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,gBAAgB;QAC3B,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,OAAO,EAAE,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC;KAChD,EACD,GAAG,EAAE;QACH,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACnC,IAAI,CAAC;gBACH,SAAS,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACvB,CAAC;oBAAS,CAAC;gBACT,SAAS,CAAC,EAAE,CAAC,CAAC;YAChB,CAAC;YACD,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YACjC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,GAAG,EAAE,+BAA+B;gBACpC,MAAM,EAAE,2BAA2B;gBACnC,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;YACH,yEAAyE;YACzE,yEAAyE;YACzE,YAAY,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,+BAA+B,EAAE;gBACrF,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,UAAU,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;YAAC,MAAM,CAAC;gBACP,iBAAiB;YACnB,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC;gBACf,GAAG,EAAE,4BAA4B;gBACjC,MAAM,EAAE,2BAA2B;gBACnC,KAAK,EAAE,OAAO;aACf,CAAC,CAAC;YACH,YAAY,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,4BAA4B,EAAE;gBACnF,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"atomic-artifact-write.js","sourceRoot":"","sources":["../../src/bootstrap/atomic-artifact-write.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,SAAS,EACT,SAAS,EACT,SAAS,EACT,QAAQ,EACR,UAAU,EACV,UAAU,EACV,SAAS,GACV,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,YAAY,GAGb,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAUpE;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAkB,EAClB,KAAa,EACb,GAAyB;IAEzB,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,QAAQ,GAAG,GAAG,UAAU,gBAAgB,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,YAAY,EAAE,MAAM,CAAC,CAAC;IAErD,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,YAAY,CACV,QAAQ,EACR;QACE,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,gBAAgB;QAC3B,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,OAAO,EAAE,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC;KAChD,EACD,GAAG,EAAE;QACH,IAAI,CAAC;YACH,uEAAuE;YACvE,wEAAwE;YACxE,yEAAyE;YACzE,kEAAkE;YAClE,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAC1C,IAAI,CAAC;gBACH,SAAS,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACvB,CAAC;oBAAS,CAAC;gBACT,SAAS,CAAC,EAAE,CAAC,CAAC;YAChB,CAAC;YACD,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;YACjC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;YAC7B,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;gBACd,GAAG,EAAE,+BAA+B;gBACpC,MAAM,EAAE,2BAA2B;gBACnC,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;YACH,yEAAyE;YACzE,yEAAyE;YACzE,YAAY,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,MAAM,EAAE,+BAA+B,EAAE;gBACrF,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC;gBACH,UAAU,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;YAAC,MAAM,CAAC;gBACP,iBAAiB;YACnB,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC;gBACf,GAAG,EAAE,4BAA4B;gBACjC,MAAM,EAAE,2BAA2B;gBACnC,KAAK,EAAE,OAAO;aACf,CAAC,CAAC;YACH,YAAY,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,4BAA4B,EAAE;gBACnF,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/bootstrap/bundled-tools.manifest.json

@@ -5,7 +5,8 @@
     "@opensip-cli/fitness",
     "@opensip-cli/simulation",
     "@opensip-cli/graph",
-    "@opensip-cli/yagni"
+    "@opensip-cli/yagni",
+    "@opensip-cli/mcp"
   ],
   "scaffoldingToolIds": ["fit", "sim"],
   "bundledCapabilityPacks": {

package/dist/bootstrap/dispatch-fork-core.d.ts

@@ -43,6 +43,19 @@ export declare function runWorkerSpec(args: {
     readonly cliScript?: string;
     readonly timeoutMs?: number;
 }): Promise<ToolCommandResult>;
-/** Build a structured supervisor-side dispatch error, logged with its failure class. */
-export declare function dispatchError(spec: ToolCommandWorkerSpec, message: string, failureClass: string, stderrTail?: string): ToolError;
+/**
+ * Build a structured supervisor-side dispatch error, logged with its failure
+ * class. `code` is the worker error's canonical exit-class `ToolErrorCode` (when
+ * the worker threw a typed `ToolError`); it preserves the typed exit code across
+ * the fork boundary, which flattens the prototype chain. Reconstruction order:
+ *
+ *   1. `config-invalid` → `ConfigurationError` (exit 2). The frozen config
+ *      contract — set for a thrown `ConfigurationError` (binary-not-found /
+ *      no-project / baseline-missing) AND for the deep-config-pass failure.
+ *   2. a recognized canonical `code` → that subclass (NotFound → 3, Network → 4,
+ *      Validation/Configuration → 2, PluginIncompatible → 5, Timeout → 1).
+ *   3. otherwise → `SystemError` (exit 1) — genuine worker/transport faults
+ *      (`spawn` / `exit_nonzero` / `rpc_flood` / `timeout` / `ipc_error`).
+ */
+export declare function dispatchError(spec: ToolCommandWorkerSpec, message: string, failureClass: string, stderrTail?: string, code?: string): ToolError;
 //# sourceMappingURL=dispatch-fork-core.d.ts.map

package/dist/bootstrap/dispatch-fork-core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dispatch-fork-core.d.ts","sourceRoot":"","sources":["../../src/bootstrap/dispatch-fork-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAOH,OAAO,EAOL,KAAK,SAAS,EACd,KAAK,cAAc,EAEpB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAEnE,OAAO,KAAK,EAGV,iBAAiB,EACjB,qBAAqB,EACtB,MAAM,kCAAkC,CAAC;AAE1C,4EAA4E;AAC5E,eAAO,MAAM,2BAA2B,SAAU,CAAC;AAEnD,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB,0BAA0B,CAAC;AAQzD,qFAAqF;AACrF,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,cAAc,GAAG,MAAM,CASpE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,GAAG,EAAE,eAAe,CAAC;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAoB7B;AAqKD,wFAAwF;AACxF,wBAAgB,aAAa,CAC3B,IAAI,EAAE,qBAAqB,EAC3B,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,UAAU,CAAC,EAAE,MAAM,GAClB,SAAS,CAqBX"}
+{"version":3,"file":"dispatch-fork-core.d.ts","sourceRoot":"","sources":["../../src/bootstrap/dispatch-fork-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAOH,OAAO,EAQL,KAAK,SAAS,EACd,KAAK,cAAc,EAEpB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAEnE,OAAO,KAAK,EAGV,iBAAiB,EACjB,qBAAqB,EACtB,MAAM,kCAAkC,CAAC;AAE1C,4EAA4E;AAC5E,eAAO,MAAM,2BAA2B,SAAU,CAAC;AAEnD,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB,0BAA0B,CAAC;AAQzD,qFAAqF;AACrF,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,cAAc,GAAG,MAAM,CASpE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE;IACxC,QAAQ,CAAC,IAAI,EAAE,qBAAqB,CAAC;IACrC,QAAQ,CAAC,GAAG,EAAE,eAAe,CAAC;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAoB7B;AAqKD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,qBAAqB,EAC3B,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,UAAU,CAAC,EAAE,MAAM,EACnB,IAAI,CAAC,EAAE,MAAM,GACZ,SAAS,CAyBX"}

package/dist/bootstrap/dispatch-fork-core.js

@@ -24,7 +24,7 @@
 import { mkdtempSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
-import { ConfigurationError, currentScope, currentTraceparent, forkAndSettle, getWorkerLimits, SystemError, } from '@opensip-cli/core';
+import { ConfigurationError, currentScope, currentTraceparent, forkAndSettle, getWorkerLimits, SystemError, toolErrorFromCanonicalCode, } from '@opensip-cli/core';
 import { buildExternalWorkerChildEnv } from './build-external-worker-child-env.js';
 import { BOOTSTRAP_MODULE } from './constants.js';
 import { handleHostRpc } from './dispatch-host-rpc-handler.js';
@@ -176,8 +176,21 @@ function specLabel(spec) {
     /* v8 ignore next -- defensive: a valid spec always carries a commandName OR a hook (the worker entry rejects one that has neither as bad-spec); the 'unknown' fallback is structurally unreachable. */
     return spec.commandName ?? spec.hook ?? 'unknown';
 }
-/** Build a structured supervisor-side dispatch error, logged with its failure class. */
-export function dispatchError(spec, message, failureClass, stderrTail) {
+/**
+ * Build a structured supervisor-side dispatch error, logged with its failure
+ * class. `code` is the worker error's canonical exit-class `ToolErrorCode` (when
+ * the worker threw a typed `ToolError`); it preserves the typed exit code across
+ * the fork boundary, which flattens the prototype chain. Reconstruction order:
+ *
+ *   1. `config-invalid` → `ConfigurationError` (exit 2). The frozen config
+ *      contract — set for a thrown `ConfigurationError` (binary-not-found /
+ *      no-project / baseline-missing) AND for the deep-config-pass failure.
+ *   2. a recognized canonical `code` → that subclass (NotFound → 3, Network → 4,
+ *      Validation/Configuration → 2, PluginIncompatible → 5, Timeout → 1).
+ *   3. otherwise → `SystemError` (exit 1) — genuine worker/transport faults
+ *      (`spawn` / `exit_nonzero` / `rpc_flood` / `timeout` / `ipc_error`).
+ */
+export function dispatchError(spec, message, failureClass, stderrTail, code) {
     const label = specLabel(spec);
     currentScope()?.logger.error({
         evt: 'cli.tool.dispatch_failed',
@@ -193,6 +206,11 @@ export function dispatchError(spec, message, failureClass, stderrTail) {
             stderrTail,
         });
     }
+    if (code !== undefined) {
+        const rebuilt = toolErrorFromCanonicalCode(code, message, { code, failureClass, stderrTail });
+        if (rebuilt !== undefined)
+            return rebuilt;
+    }
     return new SystemError(`external tool '${spec.toolId}' ${label} failed: ${message}`, {
         code: 'SYSTEM.DISPATCH.WORKER_FAILED',
         failureClass,
@@ -201,6 +219,6 @@ export function dispatchError(spec, message, failureClass, stderrTail) {
 }
 /** Convert a worker `error` IPC message into a logged, structured {@link ToolError}. */
 function workerErrorToToolError(spec, msg, stderrTail) {
-    return dispatchError(spec, msg.message, msg.failureClass ?? 'ipc_error', stderrTail);
+    return dispatchError(spec, msg.message, msg.failureClass ?? 'ipc_error', stderrTail, msg.code);
 }
 //# sourceMappingURL=dispatch-fork-core.js.map

package/dist/bootstrap/dispatch-fork-core.js.map

@@ -1 +1 @@
-{"version":3,"file":"dispatch-fork-core.js","sourceRoot":"","sources":["../../src/bootstrap/dispatch-fork-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,WAAW,GAIZ,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAU/D,4EAA4E;AAC5E,MAAM,CAAC,MAAM,2BAA2B,GAAG,OAAO,CAAC;AAEnD,+EAA+E;AAC/E,MAAM,CAAC,MAAM,iBAAiB,GAAG,uBAAuB,CAAC;AAQzD,qFAAqF;AACrF,MAAM,UAAU,iBAAiB,CAAC,UAA0B;IAC1D,MAAM,GAAG,GAAG,UAAU,CAAC,YAAY,CAAC;IACpC,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,WAAW,CACnB,kBAAkB,UAAU,CAAC,EAAE,iDAAiD,EAChF,EAAE,IAAI,EAAE,gCAAgC,EAAE,CAC3C,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAMnC;IACC,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IACxC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IAE3D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,2BAA2B,CAAC;IAEhE,IAAI,CAAC;QACH,OAAO,MAAM,YAAY,CAAC;YACxB,SAAS;YACT,QAAQ;YACR,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS;YACT,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAsBD,SAAS,YAAY,CAAC,EACpB,SAAS,EACT,QAAQ,EACR,GAAG,EACH,IAAI,EACJ,SAAS,EACT,GAAG,GACe;IAClB,OAAO,IAAI,OAAO,CAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxD,MAAM,KAAK,GAAG,YAAY,EAAE,EAAE,KAAK,CAAC;QACpC,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;QACzC,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,QAAQ,GAAG,CAAC,CAAC;QAEjB,MAAM,MAAM,GAAG,aAAa,CAC1B;YACE,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE,CAAC,iBAAiB,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC;YACjD,GAAG;YACH,SAAS;YACT,eAAe,EAAE,IAAI;YACrB,wBAAwB,EAAE,IAAI;YAC9B,aAAa,EAAE,CAAC,SAAS,EAAE,EAAE,CAC3B,2BAA2B,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;YAChE,SAAS,EAAE,CAAC,GAAY,EAAE,EAAE;gBAC1B,MAAM,KAAK,GAAG,GAA4B,CAAC;gBAC3C,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;oBAC9B,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACxB,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;wBACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBACvB,CAAC,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAClC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;wBACf,MAAM,CAAC,sBAAsB,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;oBACtE,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,cAAc,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,EAAE;gBACvC,MAAM,CACJ,aAAa,CACX,IAAI,EACJ,MAAM,KAAK,SAAS;oBAClB,CAAC,CAAC,kBAAkB,YAAY,EAAE;oBAClC,CAAC,CAAC,kBAAkB,YAAY,KAAK,MAAM,GAAG,EAChD,YAAY,EACZ,MAAM,CAAC,aAAa,EAAE,CACvB,CACF,CAAC;YACJ,CAAC;SACF,EACD,EAAE,KAAK,EAAE,CACV,CAAC;QAEF,MAAM,QAAQ,GAAG,CAAC,OAAuB,EAAQ,EAAE;YACjD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;YACvC,QAAQ,IAAI,CAAC,CAAC;YACd,IAAI,QAAQ,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;gBAC3B,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;oBACf,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,4CAA4C,EAAE,WAAW,CAAC,CAAC,CAAC;gBACzF,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,IAAI,WAAW,IAAI,YAAY,CAAC,gBAAgB,EAAE,CAAC;gBACjD,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;gBAC3B,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;oBACf,MAAM,CACJ,aAAa,CAAC,IAAI,EAAE,kDAAkD,EAAE,WAAW,CAAC,CACrF,CAAC;gBACJ,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,WAAW,IAAI,CAAC,CAAC;YACjB,KAAK,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC;iBAC7B,IAAI,CAAC,CAAC,KAAe,EAAE,EAAE;gBACxB,WAAW,IAAI,CAAC,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;oBAAE,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;YACnE,CAAC,CAAC;iBACD,KAAK,CAAC,GAAG,EAAE;gBACV,WAAW,IAAI,CAAC,CAAC;YACnB,CAAC,CAAC,CAAC;QACP,CAAC,CAAC;QAEF,imBAAimB;QACjmB,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YACtC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;gBACf,MAAM,CACJ,aAAa,CACX,IAAI,EACJ,iCAAiC,IAAI,CAAC,MAAM,0BAA0B,GAAG,CAAC,OAAO,KAAK;oBACpF,+BAA+B,EACjC,OAAO,CACR,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAmB,EAAE,EAAE;YAC9C,IAAI,MAAM,CAAC,SAAS,EAAE;gBAAE,OAAO;YAC/B,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;gBACf,MAAM,CACJ,aAAa,CACX,IAAI,EACJ,uBAAuB,IAAI,IAAI,MAAM,6BAA6B,EAClE,cAAc,EACd,MAAM,CAAC,aAAa,EAAE,CACvB,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,KAAmB,EAAE,KAAe,EAAE,IAA2B;IACrF,IAAI,CAAC,KAAK,CAAC,SAAS;QAAE,OAAO;IAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO;QACzB,gWAAgW;QAChW,YAAY,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC;YAC3B,GAAG,EAAE,qCAAqC;YAC1C,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,IAAI,SAAS;SACpD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,IAA2B;IAC5C,uMAAuM;IACvM,OAAO,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;AACpD,CAAC;AAED,wFAAwF;AACxF,MAAM,UAAU,aAAa,CAC3B,IAA2B,EAC3B,OAAe,EACf,YAAoB,EACpB,UAAmB;IAEnB,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9B,YAAY,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC;QAC3B,GAAG,EAAE,0BAA0B;QAC/B,MAAM,EAAE,gBAAgB;QACxB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,KAAK;QACd,YAAY;KACb,CAAC,CAAC;IACH,IAAI,YAAY,KAAK,gBAAgB,EAAE,CAAC;QACtC,OAAO,IAAI,kBAAkB,CAAC,OAAO,EAAE;YACrC,IAAI,EAAE,qBAAqB;YAC3B,YAAY;YACZ,UAAU;SACX,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,WAAW,CAAC,kBAAkB,IAAI,CAAC,MAAM,KAAK,KAAK,YAAY,OAAO,EAAE,EAAE;QACnF,IAAI,EAAE,+BAA+B;QACrC,YAAY;QACZ,UAAU;KACX,CAAC,CAAC;AACL,CAAC;AAED,wFAAwF;AACxF,SAAS,sBAAsB,CAC7B,IAA2B,EAC3B,GAAwB,EACxB,UAAmB;IAEnB,OAAO,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,YAAY,IAAI,WAAW,EAAE,UAAU,CAAC,CAAC;AACvF,CAAC"}
+{"version":3,"file":"dispatch-fork-core.js","sourceRoot":"","sources":["../../src/bootstrap/dispatch-fork-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EACL,kBAAkB,EAClB,YAAY,EACZ,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,WAAW,EACX,0BAA0B,GAI3B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,2BAA2B,EAAE,MAAM,sCAAsC,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAU/D,4EAA4E;AAC5E,MAAM,CAAC,MAAM,2BAA2B,GAAG,OAAO,CAAC;AAEnD,+EAA+E;AAC/E,MAAM,CAAC,MAAM,iBAAiB,GAAG,uBAAuB,CAAC;AAQzD,qFAAqF;AACrF,MAAM,UAAU,iBAAiB,CAAC,UAA0B;IAC1D,MAAM,GAAG,GAAG,UAAU,CAAC,YAAY,CAAC;IACpC,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,WAAW,CACnB,kBAAkB,UAAU,CAAC,EAAE,iDAAiD,EAChF,EAAE,IAAI,EAAE,gCAAgC,EAAE,CAC3C,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAMnC;IACC,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IACxC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;IAE3D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,2BAA2B,CAAC;IAEhE,IAAI,CAAC;QACH,OAAO,MAAM,YAAY,CAAC;YACxB,SAAS;YACT,QAAQ;YACR,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS;YACT,GAAG,EAAE,IAAI,CAAC,GAAG;SACd,CAAC,CAAC;IACL,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAsBD,SAAS,YAAY,CAAC,EACpB,SAAS,EACT,QAAQ,EACR,GAAG,EACH,IAAI,EACJ,SAAS,EACT,GAAG,GACe;IAClB,OAAO,IAAI,OAAO,CAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACxD,MAAM,KAAK,GAAG,YAAY,EAAE,EAAE,KAAK,CAAC;QACpC,MAAM,WAAW,GAAG,kBAAkB,EAAE,CAAC;QACzC,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,QAAQ,GAAG,CAAC,CAAC;QAEjB,MAAM,MAAM,GAAG,aAAa,CAC1B;YACE,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE,CAAC,iBAAiB,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC;YACjD,GAAG;YACH,SAAS;YACT,eAAe,EAAE,IAAI;YACrB,wBAAwB,EAAE,IAAI;YAC9B,aAAa,EAAE,CAAC,SAAS,EAAE,EAAE,CAC3B,2BAA2B,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;YAChE,SAAS,EAAE,CAAC,GAAY,EAAE,EAAE;gBAC1B,MAAM,KAAK,GAAG,GAA4B,CAAC;gBAC3C,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;oBAC9B,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBACxB,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;wBACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;oBACvB,CAAC,CAAC,CAAC;gBACL,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAClC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;wBACf,MAAM,CAAC,sBAAsB,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;oBACtE,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,cAAc,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,EAAE;gBACvC,MAAM,CACJ,aAAa,CACX,IAAI,EACJ,MAAM,KAAK,SAAS;oBAClB,CAAC,CAAC,kBAAkB,YAAY,EAAE;oBAClC,CAAC,CAAC,kBAAkB,YAAY,KAAK,MAAM,GAAG,EAChD,YAAY,EACZ,MAAM,CAAC,aAAa,EAAE,CACvB,CACF,CAAC;YACJ,CAAC;SACF,EACD,EAAE,KAAK,EAAE,CACV,CAAC;QAEF,MAAM,QAAQ,GAAG,CAAC,OAAuB,EAAQ,EAAE;YACjD,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;YACvC,QAAQ,IAAI,CAAC,CAAC;YACd,IAAI,QAAQ,GAAG,YAAY,CAAC,WAAW,EAAE,CAAC;gBACxC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;gBAC3B,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;oBACf,MAAM,CAAC,aAAa,CAAC,IAAI,EAAE,4CAA4C,EAAE,WAAW,CAAC,CAAC,CAAC;gBACzF,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,IAAI,WAAW,IAAI,YAAY,CAAC,gBAAgB,EAAE,CAAC;gBACjD,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;gBAC3B,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;oBACf,MAAM,CACJ,aAAa,CAAC,IAAI,EAAE,kDAAkD,EAAE,WAAW,CAAC,CACrF,CAAC;gBACJ,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,WAAW,IAAI,CAAC,CAAC;YACjB,KAAK,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC;iBAC7B,IAAI,CAAC,CAAC,KAAe,EAAE,EAAE;gBACxB,WAAW,IAAI,CAAC,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;oBAAE,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;YACnE,CAAC,CAAC;iBACD,KAAK,CAAC,GAAG,EAAE;gBACV,WAAW,IAAI,CAAC,CAAC;YACnB,CAAC,CAAC,CAAC;QACP,CAAC,CAAC;QAEF,imBAAimB;QACjmB,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YACtC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;gBACf,MAAM,CACJ,aAAa,CACX,IAAI,EACJ,iCAAiC,IAAI,CAAC,MAAM,0BAA0B,GAAG,CAAC,OAAO,KAAK;oBACpF,+BAA+B,EACjC,OAAO,CACR,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAmB,EAAE,EAAE;YAC9C,IAAI,MAAM,CAAC,SAAS,EAAE;gBAAE,OAAO;YAC/B,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE;gBACf,MAAM,CACJ,aAAa,CACX,IAAI,EACJ,uBAAuB,IAAI,IAAI,MAAM,6BAA6B,EAClE,cAAc,EACd,MAAM,CAAC,aAAa,EAAE,CACvB,CACF,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,KAAmB,EAAE,KAAe,EAAE,IAA2B;IACrF,IAAI,CAAC,KAAK,CAAC,SAAS;QAAE,OAAO;IAC7B,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE;QACxB,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO;QACzB,gWAAgW;QAChW,YAAY,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC;YAC3B,GAAG,EAAE,qCAAqC;YAC1C,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,IAAI,SAAS;SACpD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,IAA2B;IAC5C,uMAAuM;IACvM,OAAO,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;AACpD,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,aAAa,CAC3B,IAA2B,EAC3B,OAAe,EACf,YAAoB,EACpB,UAAmB,EACnB,IAAa;IAEb,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9B,YAAY,EAAE,EAAE,MAAM,CAAC,KAAK,CAAC;QAC3B,GAAG,EAAE,0BAA0B;QAC/B,MAAM,EAAE,gBAAgB;QACxB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,KAAK;QACd,YAAY;KACb,CAAC,CAAC;IACH,IAAI,YAAY,KAAK,gBAAgB,EAAE,CAAC;QACtC,OAAO,IAAI,kBAAkB,CAAC,OAAO,EAAE;YACrC,IAAI,EAAE,qBAAqB;YAC3B,YAAY;YACZ,UAAU;SACX,CAAC,CAAC;IACL,CAAC;IACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,0BAA0B,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;QAC9F,IAAI,OAAO,KAAK,SAAS;YAAE,OAAO,OAAO,CAAC;IAC5C,CAAC;IACD,OAAO,IAAI,WAAW,CAAC,kBAAkB,IAAI,CAAC,MAAM,KAAK,KAAK,YAAY,OAAO,EAAE,EAAE;QACnF,IAAI,EAAE,+BAA+B;QACrC,YAAY;QACZ,UAAU;KACX,CAAC,CAAC;AACL,CAAC;AAED,wFAAwF;AACxF,SAAS,sBAAsB,CAC7B,IAA2B,EAC3B,GAAwB,EACxB,UAAmB;IAEnB,OAAO,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,YAAY,IAAI,WAAW,EAAE,UAAU,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;AACjG,CAAC"}

package/dist/bootstrap/dispatch-host-rpc-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dispatch-host-rpc-handler.d.ts","sourceRoot":"","sources":["../../src/bootstrap/dispatch-host-rpc-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAIV,cAAc,EACd,QAAQ,EACT,MAAM,kCAAkC,CAAC;AAC1C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAiJxD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,cAAc,EACvB,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,QAAQ,CAAC,CAuBnB"}
+{"version":3,"file":"dispatch-host-rpc-handler.d.ts","sourceRoot":"","sources":["../../src/bootstrap/dispatch-host-rpc-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,KAAK,EAIV,cAAc,EACd,QAAQ,EACT,MAAM,kCAAkC,CAAC;AAC1C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAqJxD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,cAAc,EACvB,GAAG,EAAE,cAAc,GAClB,OAAO,CAAC,QAAQ,CAAC,CA4BnB"}

package/dist/bootstrap/dispatch-host-rpc-handler.js

@@ -15,6 +15,7 @@
  * reply (the worker shim re-throws it into the handler) — never an unhandled
  * host crash, never a silent no-op.
  */
+import { canonicalToolErrorCode, ToolError } from '@opensip-cli/core';
 /**
  * The closed set of seam names the host will dispatch. The IPC `request` crosses
  * a trust boundary (it arrives over the worker's IPC channel), so the host
@@ -26,6 +27,7 @@ const RECOGNIZED_SEAMS = new Set([
     'deliverSignals',
     'writeSarif',
     'writeArtifact',
+    'ensureArtifactDir',
     'saveBaseline',
     'compareBaseline',
     'exportBaselineSarif',
@@ -109,6 +111,9 @@ async function performHostRpc(request, ctx) {
         case 'writeArtifact': {
             return ctx.writeArtifact(request.path, request.bytes);
         }
+        case 'ensureArtifactDir': {
+            return ctx.ensureArtifactDir(request.path);
+        }
         case 'saveBaseline': {
             return ctx.saveBaseline(request.tool, request.envelope);
         }
@@ -171,6 +176,11 @@ export async function handleHostRpc(request, ctx) {
                     ? { code: error.code }
                     : {}),
                 ...(error instanceof Error && error.stack !== undefined ? { stack: error.stack } : {}),
+                // Carry the canonical exit-class code for a typed ToolError (e.g. a
+                // compareBaseline BASELINE_MISSING rejection → CONFIGURATION_ERROR) so the
+                // worker shim re-throws a TYPED error and the exit class survives the
+                // boundary instead of degrading to a plain Error → SystemError → exit 1.
+                ...(error instanceof ToolError ? { toolErrorCode: canonicalToolErrorCode(error) } : {}),
             },
         };
     }

package/dist/bootstrap/dispatch-host-rpc-handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"dispatch-host-rpc-handler.js","sourceRoot":"","sources":["../../src/bootstrap/dispatch-host-rpc-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAcH;;;;;;GAMG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAsB;IACpD,gBAAgB;IAChB,YAAY;IACZ,eAAe;IACf,cAAc;IACd,iBAAiB;IACjB,qBAAqB;IACrB,4BAA4B;IAC5B,eAAe;IACf,eAAe;IACf,kBAAkB;IAClB,gBAAgB;IAChB,iBAAiB;IACjB,aAAa;IACb,WAAW;CACoB,CAAC,CAAC;AAEnC;;;;;;;GAOG;AACH,SAAS,sBAAsB,CAAC,OAAuB;IACrD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,SAAS,CAAC,gCAAgC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,GAAmB,EAAE,KAAoB;IAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,KAAK,CAA8B,CAAC;IAClE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,wBAAwB,KAAK,+BAA+B,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,aAAa,CACpB,GAAmB,EACnB,KAAoB,EACpB,MAAc,EACd,IAAwB;IAExB,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IACxB,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,wBAAwB,KAAK,IAAI,MAAM,iCAAiC,CAAC,CAAC;IAChG,CAAC;IACD,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;AACrB,CAAC;AAED,iFAAiF;AACjF,SAAS,WAAW,CAAC,IAAwB;IAC3C,OAAO;QACL,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnE,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;QAC7D,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,cAAc,CAAC,OAAuB,EAAE,GAAmB;IACxE,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,OAAO,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACzE,CAAC;QACD,KAAK,YAAY,CAAC,CAAC,CAAC;YAClB,OAAO,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,OAAO,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,OAAO,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,qBAAqB,CAAC,CAAC,CAAC;YAC3B,OAAO,GAAG,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,4BAA4B,CAAC,CAAC,CAAC;YAClC,OAAO,GAAG,CAAC,0BAA0B,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACtD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACvE,CAAC;QACD,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,OAAO,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACzD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;QACD,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,OAAO,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,OAAO,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;QAC7B,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,OAAO,aAAa,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAuB,EACvB,GAAmB;IAEnB,IAAI,CAAC;QACH,yEAAyE;QACzE,4EAA4E;QAC5E,wEAAwE;QACxE,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACtE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC/D,GAAG,CAAE,KAA4B,CAAC,IAAI,KAAK,SAAS;oBACpD,OAAQ,KAA4B,CAAC,IAAI,KAAK,QAAQ;oBACpD,CAAC,CAAC,EAAE,IAAI,EAAG,KAA0B,CAAC,IAAI,EAAE;oBAC5C,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACvF;SACF,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"dispatch-host-rpc-handler.js","sourceRoot":"","sources":["../../src/bootstrap/dispatch-host-rpc-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,sBAAsB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AActE;;;;;;GAMG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAsB;IACpD,gBAAgB;IAChB,YAAY;IACZ,eAAe;IACf,mBAAmB;IACnB,cAAc;IACd,iBAAiB;IACjB,qBAAqB;IACrB,4BAA4B;IAC5B,eAAe;IACf,eAAe;IACf,kBAAkB;IAClB,gBAAgB;IAChB,iBAAiB;IACjB,aAAa;IACb,WAAW;CACoB,CAAC,CAAC;AAEnC;;;;;;;GAOG;AACH,SAAS,sBAAsB,CAAC,OAAuB;IACrD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,SAAS,CAAC,gCAAgC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,YAAY,CAAC,GAAmB,EAAE,KAAoB;IAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,KAAK,CAA8B,CAAC;IAClE,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,wBAAwB,KAAK,+BAA+B,CAAC,CAAC;IAChF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,aAAa,CACpB,GAAmB,EACnB,KAAoB,EACpB,MAAc,EACd,IAAwB;IAExB,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IACxB,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,wBAAwB,KAAK,IAAI,MAAM,iCAAiC,CAAC,CAAC;IAChG,CAAC;IACD,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;AACrB,CAAC;AAED,iFAAiF;AACjF,SAAS,WAAW,CAAC,IAAwB;IAC3C,OAAO;QACL,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnE,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;QAC7D,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,cAAc,CAAC,OAAuB,EAAE,GAAmB;IACxE,QAAQ,OAAO,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,OAAO,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACzE,CAAC;QACD,KAAK,YAAY,CAAC,CAAC,CAAC;YAClB,OAAO,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;QACD,KAAK,mBAAmB,CAAC,CAAC,CAAC;YACzB,OAAO,GAAG,CAAC,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7C,CAAC;QACD,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,OAAO,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,OAAO,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,qBAAqB,CAAC,CAAC,CAAC;YAC3B,OAAO,GAAG,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,4BAA4B,CAAC,CAAC,CAAC;YAClC,OAAO,GAAG,CAAC,0BAA0B,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACpE,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACtD,CAAC;QACD,KAAK,eAAe,CAAC,CAAC,CAAC;YACrB,OAAO,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACvE,CAAC;QACD,KAAK,kBAAkB,CAAC,CAAC,CAAC;YACxB,OAAO,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACzD,CAAC;QACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;YACtB,OAAO,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;QACD,KAAK,iBAAiB,CAAC,CAAC,CAAC;YACvB,OAAO,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,OAAO,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;QAC7B,CAAC;QACD,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,OAAO,aAAa,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAuB,EACvB,GAAmB;IAEnB,IAAI,CAAC;QACH,yEAAyE;QACzE,4EAA4E;QAC5E,wEAAwE;QACxE,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACtE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,EAAE,EAAE,KAAK;YACT,KAAK,EAAE;gBACL,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC/D,GAAG,CAAE,KAA4B,CAAC,IAAI,KAAK,SAAS;oBACpD,OAAQ,KAA4B,CAAC,IAAI,KAAK,QAAQ;oBACpD,CAAC,CAAC,EAAE,IAAI,EAAG,KAA0B,CAAC,IAAI,EAAE;oBAC5C,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtF,oEAAoE;gBACpE,2EAA2E;gBAC3E,sEAAsE;gBACtE,yEAAyE;gBACzE,GAAG,CAAC,KAAK,YAAY,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,sBAAsB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACxF;SACF,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/bootstrap/load-tool-capabilities.js

@@ -60,14 +60,16 @@ export async function loadOwningToolCapabilities(options) {
         const descriptor = domain.discovery;
         if (descriptor === undefined)
             continue;
-        const preferences = augmentBundledCapabilityPreferences(descriptor, resolveCapabilityPreferences(descriptor, pluginsConfig));
+        const configuredPreferences = resolveCapabilityPreferences(descriptor, pluginsConfig);
+        const explicitlyConfiguredPackages = new Set(configuredPreferences.packages);
+        const preferences = augmentBundledCapabilityPreferences(descriptor, configuredPreferences);
         await loadCapabilityDomain({
             registry,
             domainId: domain.id,
             projectDir,
             cliDir,
             preferences,
-            shouldLoadPackage: (pkg) => admitCapabilityPackage(descriptor, pkg),
+            shouldLoadPackage: (pkg) => admitCapabilityPackage(descriptor, pkg, explicitlyConfiguredPackages),
             onDiagnostic: (diagnostic) => {
                 currentScope()?.bootstrapDiagnostics.record(capabilityDiscoveryToCliDiagnostic(diagnostic, domain.id, {
                     toolId: owningTool.metadata.id,
@@ -79,14 +81,19 @@ export async function loadOwningToolCapabilities(options) {
     }
     return driven;
 }
-function admitCapabilityPackage(descriptor, pkg) {
+function admitCapabilityPackage(descriptor, pkg, explicitlyConfiguredPackages) {
     if (isBundledCapabilityPack(descriptor, pkg.name)) {
         return capabilityPackProvenancePassthrough(pkg, { admit: true });
     }
+    if (explicitlyConfiguredPackages.has(pkg.name)) {
+        return capabilityPackProvenancePassthrough(pkg, { admit: true });
+    }
     if (isCapabilityPackTrusted(pkg.name)) {
         return capabilityPackProvenancePassthrough(pkg, { admit: true });
     }
-    const reason = `set ${CAPABILITY_PACK_ALLOWLIST_ENV} to '${pkg.name}'`;
+    const configuredPackageKey = descriptor.configKeys.packages;
+    const configuredPackageHint = configuredPackageKey === undefined ? '' : ` or list it in plugins.${configuredPackageKey}`;
+    const reason = `set ${CAPABILITY_PACK_ALLOWLIST_ENV} to '${pkg.name}'${configuredPackageHint}`;
     logger.warn({
         evt: 'cli.capability.trust_denied',
         module: 'cli:capability',