npm - smol-symphony - Versions diffs - 0.2.0 → 0.3.0 - Mend

smol-symphony 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (716) hide show

package/AGENTS.md +41 -22
package/DESIGN.md +494 -273
package/README.md +109 -57
package/SPEC.md +33 -24
package/WORKFLOW.minimal.yaml +34 -0
package/{WORKFLOW.template.md → WORKFLOW.template.yaml} +409 -256
package/WORKFLOW.yaml +487 -0
package/assets/skills/symphony-issues/SKILL.md +136 -0
package/assets/symphony-mise.system.toml +68 -0
package/dist/src/bin/symphony.js +30 -0
package/dist/src/bin/symphony.js.map +1 -0
package/dist/src/core/actions/context.js +109 -0
package/dist/src/core/actions/context.js.map +1 -0
package/dist/{actions/parsing.js → src/core/actions/parse.js} +33 -114
package/dist/src/core/actions/parse.js.map +1 -0
package/dist/src/core/actions/plan.js +197 -0
package/dist/src/core/actions/plan.js.map +1 -0
package/dist/src/core/actions/predicates.js +111 -0
package/dist/src/core/actions/predicates.js.map +1 -0
package/dist/src/core/actions/run-fold.js +248 -0
package/dist/src/core/actions/run-fold.js.map +1 -0
package/dist/src/core/actions/template.js +118 -0
package/dist/src/core/actions/template.js.map +1 -0
package/dist/src/core/cli/args.js +116 -0
package/dist/src/core/cli/args.js.map +1 -0
package/dist/src/core/coerce.js +75 -0
package/dist/src/core/coerce.js.map +1 -0
package/dist/src/core/credential/account-id.js +20 -0
package/dist/src/core/credential/account-id.js.map +1 -0
package/dist/src/core/credential/adapter-config.js +136 -0
package/dist/src/core/credential/adapter-config.js.map +1 -0
package/dist/src/core/credential/availability.js +98 -0
package/dist/src/core/credential/availability.js.map +1 -0
package/dist/src/core/credential/extract.js +228 -0
package/dist/src/core/credential/extract.js.map +1 -0
package/dist/src/core/credential/fake-creds.js +171 -0
package/dist/src/core/credential/fake-creds.js.map +1 -0
package/dist/src/core/credential/identity.js +125 -0
package/dist/src/core/credential/identity.js.map +1 -0
package/dist/src/core/credential/shape.js +230 -0
package/dist/src/core/credential/shape.js.map +1 -0
package/dist/src/core/credential/strings.js +15 -0
package/dist/src/core/credential/strings.js.map +1 -0
package/dist/src/core/doctor/checks.js +303 -0
package/dist/src/core/doctor/checks.js.map +1 -0
package/dist/src/core/git/result.js +107 -0
package/dist/src/core/git/result.js.map +1 -0
package/dist/src/core/http/decisions.js +225 -0
package/dist/src/core/http/decisions.js.map +1 -0
package/dist/{http.js → src/core/http/render.js} +472 -738
package/dist/src/core/http/render.js.map +1 -0
package/dist/{http-handlers.js → src/core/http/routes.js} +52 -87
package/dist/src/core/http/routes.js.map +1 -0
package/dist/src/core/http/views.js +181 -0
package/dist/src/core/http/views.js.map +1 -0
package/dist/src/core/image/managed-image.js +95 -0
package/dist/src/core/image/managed-image.js.map +1 -0
package/dist/src/core/issue/file.js +149 -0
package/dist/src/core/issue/file.js.map +1 -0
package/dist/src/core/issue/parse.js +210 -0
package/dist/src/core/issue/parse.js.map +1 -0
package/dist/src/core/mcp/dispatch.js +239 -0
package/dist/src/core/mcp/dispatch.js.map +1 -0
package/dist/src/core/mcp/post-move.js +92 -0
package/dist/src/core/mcp/post-move.js.map +1 -0
package/dist/src/core/mcp/protocol.js +293 -0
package/dist/src/core/mcp/protocol.js.map +1 -0
package/dist/src/core/mcp/url.js +162 -0
package/dist/src/core/mcp/url.js.map +1 -0
package/dist/src/core/path.js +63 -0
package/dist/src/core/path.js.map +1 -0
package/dist/src/core/reconcile/image-decide.js +48 -0
package/dist/src/core/reconcile/image-decide.js.map +1 -0
package/dist/src/core/reconcile/ledger.js +142 -0
package/dist/src/core/reconcile/ledger.js.map +1 -0
package/dist/src/core/reconcile/pr-classify.js +62 -0
package/dist/src/core/reconcile/pr-classify.js.map +1 -0
package/dist/{reconciler → src/core/reconcile}/pr-decide.js +25 -12
package/dist/src/core/reconcile/pr-decide.js.map +1 -0
package/dist/src/core/reconcile/pr-loop.js +161 -0
package/dist/src/core/reconcile/pr-loop.js.map +1 -0
package/dist/src/core/reconcile/pr-notes.js +35 -0
package/dist/src/core/reconcile/pr-notes.js.map +1 -0
package/dist/src/core/reconcile/vm-decide.js +70 -0
package/dist/src/core/reconcile/vm-decide.js.map +1 -0
package/dist/src/core/reconcile/vm-reap.js +207 -0
package/dist/src/core/reconcile/vm-reap.js.map +1 -0
package/dist/src/core/reconcile/workspace-decide.js +162 -0
package/dist/src/core/reconcile/workspace-decide.js.map +1 -0
package/dist/src/core/runlog/summary.js +231 -0
package/dist/src/core/runlog/summary.js.map +1 -0
package/dist/src/core/runner/dispatch-config.js +95 -0
package/dist/src/core/runner/dispatch-config.js.map +1 -0
package/dist/src/core/runner/injection.js +61 -0
package/dist/src/core/runner/injection.js.map +1 -0
package/dist/src/core/runner/mise.js +210 -0
package/dist/src/core/runner/mise.js.map +1 -0
package/dist/src/core/runner/prompt.js +720 -0
package/dist/src/core/runner/prompt.js.map +1 -0
package/dist/src/core/runner/turn.js +242 -0
package/dist/src/core/runner/turn.js.map +1 -0
package/dist/src/core/runner/vm-plan.js +390 -0
package/dist/src/core/runner/vm-plan.js.map +1 -0
package/dist/src/core/schedule/admission.js +123 -0
package/dist/src/core/schedule/admission.js.map +1 -0
package/dist/src/core/schedule/circuit-breaker.js +111 -0
package/dist/src/core/schedule/circuit-breaker.js.map +1 -0
package/dist/src/core/schedule/eligibility.js +83 -0
package/dist/src/core/schedule/eligibility.js.map +1 -0
package/dist/src/core/schedule/reconcile-issue.js +82 -0
package/dist/src/core/schedule/reconcile-issue.js.map +1 -0
package/dist/src/core/schedule/retry.js +96 -0
package/dist/src/core/schedule/retry.js.map +1 -0
package/dist/src/core/schedule/sleep-cycle.js +133 -0
package/dist/src/core/schedule/sleep-cycle.js.map +1 -0
package/dist/src/core/schedule/slots.js +124 -0
package/dist/src/core/schedule/slots.js.map +1 -0
package/dist/src/core/schedule/tick.js +553 -0
package/dist/src/core/schedule/tick.js.map +1 -0
package/dist/src/core/schedule/token-fold.js +181 -0
package/dist/src/core/schedule/token-fold.js.map +1 -0
package/dist/src/core/state-resolve.js +86 -0
package/dist/src/core/state-resolve.js.map +1 -0
package/dist/src/core/vm-guards.js +278 -0
package/dist/src/core/vm-guards.js.map +1 -0
package/dist/src/core/workflow/derive.js +107 -0
package/dist/src/core/workflow/derive.js.map +1 -0
package/dist/src/core/workflow/parse.js +687 -0
package/dist/src/core/workflow/parse.js.map +1 -0
package/dist/src/core/workflow/prompt-probe.js +78 -0
package/dist/src/core/workflow/prompt-probe.js.map +1 -0
package/dist/src/core/workflow/validate.js +189 -0
package/dist/src/core/workflow/validate.js.map +1 -0
package/dist/src/core/workspace-key.js +19 -0
package/dist/src/core/workspace-key.js.map +1 -0
package/dist/src/shell/actions-runner.js +356 -0
package/dist/src/shell/actions-runner.js.map +1 -0
package/dist/src/shell/adapter/adapter-registry.js +45 -0
package/dist/src/shell/adapter/adapter-registry.js.map +1 -0
package/dist/src/shell/adapter/clock-random.js +96 -0
package/dist/src/shell/adapter/clock-random.js.map +1 -0
package/dist/src/shell/adapter/gondolin-dispatch-helpers.js +158 -0
package/dist/src/shell/adapter/gondolin-dispatch-helpers.js.map +1 -0
package/dist/src/shell/adapter/gondolin-dispatch.js +385 -0
package/dist/src/shell/adapter/gondolin-dispatch.js.map +1 -0
package/dist/src/shell/adapter/gondolin-image-converter.js +233 -0
package/dist/src/shell/adapter/gondolin-image-converter.js.map +1 -0
package/dist/src/shell/adapter/gondolin-image-fetch.js +180 -0
package/dist/src/shell/adapter/gondolin-image-fetch.js.map +1 -0
package/dist/src/shell/adapter/launcher-asset.js +57 -0
package/dist/src/shell/adapter/launcher-asset.js.map +1 -0
package/dist/src/shell/adapter/mise-config-asset.js +65 -0
package/dist/src/shell/adapter/mise-config-asset.js.map +1 -0
package/dist/src/shell/adapter/workflow-loader.js +304 -0
package/dist/src/shell/adapter/workflow-loader.js.map +1 -0
package/dist/src/shell/cli/doctor.js +268 -0
package/dist/src/shell/cli/doctor.js.map +1 -0
package/dist/src/shell/effect-interpreter-families.js +314 -0
package/dist/src/shell/effect-interpreter-families.js.map +1 -0
package/dist/src/shell/effect-interpreter.js +29 -0
package/dist/src/shell/effect-interpreter.js.map +1 -0
package/dist/src/shell/interp/acp-frame.js +137 -0
package/dist/src/shell/interp/acp-frame.js.map +1 -0
package/dist/src/shell/interp/acp-ws-conn.js +320 -0
package/dist/src/shell/interp/acp-ws-conn.js.map +1 -0
package/dist/src/shell/interp/acp-ws-frames.js +159 -0
package/dist/src/shell/interp/acp-ws-frames.js.map +1 -0
package/dist/src/shell/interp/acp-ws.js +197 -0
package/dist/src/shell/interp/acp-ws.js.map +1 -0
package/dist/src/shell/interp/acp.js +319 -0
package/dist/src/shell/interp/acp.js.map +1 -0
package/dist/src/shell/interp/credential-defaults.js +128 -0
package/dist/src/shell/interp/credential-defaults.js.map +1 -0
package/dist/src/shell/interp/credential-hooks.js +149 -0
package/dist/src/shell/interp/credential-hooks.js.map +1 -0
package/dist/src/shell/interp/credential-registry.js +226 -0
package/dist/src/shell/interp/credential-registry.js.map +1 -0
package/dist/src/shell/interp/credential.js +103 -0
package/dist/src/shell/interp/credential.js.map +1 -0
package/dist/src/shell/interp/gh.js +163 -0
package/dist/src/shell/interp/gh.js.map +1 -0
package/dist/src/shell/interp/git.js +28 -0
package/dist/src/shell/interp/git.js.map +1 -0
package/dist/src/shell/interp/log.js +213 -0
package/dist/src/shell/interp/log.js.map +1 -0
package/dist/src/shell/interp/process.js +178 -0
package/dist/src/shell/interp/process.js.map +1 -0
package/dist/src/shell/interp/runlog.js +193 -0
package/dist/src/shell/interp/runlog.js.map +1 -0
package/dist/src/shell/interp/timer.js +64 -0
package/dist/src/shell/interp/timer.js.map +1 -0
package/dist/src/shell/interp/tracker-disk.js +99 -0
package/dist/src/shell/interp/tracker-disk.js.map +1 -0
package/dist/src/shell/interp/tracker-parse.js +71 -0
package/dist/src/shell/interp/tracker-parse.js.map +1 -0
package/dist/src/shell/interp/tracker-scan.js +238 -0
package/dist/src/shell/interp/tracker-scan.js.map +1 -0
package/dist/src/shell/interp/tracker-write.js +91 -0
package/dist/src/shell/interp/tracker-write.js.map +1 -0
package/dist/src/shell/interp/tracker.js +41 -0
package/dist/src/shell/interp/tracker.js.map +1 -0
package/dist/src/shell/interp/tty.js +48 -0
package/dist/src/shell/interp/tty.js.map +1 -0
package/dist/src/shell/interp/vm.js +199 -0
package/dist/src/shell/interp/vm.js.map +1 -0
package/dist/src/shell/interp/workspace.js +310 -0
package/dist/src/shell/interp/workspace.js.map +1 -0
package/dist/src/shell/main-acp.js +78 -0
package/dist/src/shell/main-acp.js.map +1 -0
package/dist/src/shell/main-adapters.js +222 -0
package/dist/src/shell/main-adapters.js.map +1 -0
package/dist/src/shell/main-credential.js +122 -0
package/dist/src/shell/main-credential.js.map +1 -0
package/dist/src/shell/main-doctor.js +22 -0
package/dist/src/shell/main-doctor.js.map +1 -0
package/dist/src/shell/main-entry.js +46 -0
package/dist/src/shell/main-entry.js.map +1 -0
package/dist/src/shell/main-http-csrf.js +45 -0
package/dist/src/shell/main-http-csrf.js.map +1 -0
package/dist/src/shell/main-http-handler.js +389 -0
package/dist/src/shell/main-http-handler.js.map +1 -0
package/dist/src/shell/main-http-mcp.js +122 -0
package/dist/src/shell/main-http-mcp.js.map +1 -0
package/dist/src/shell/main-http-views.js +253 -0
package/dist/src/shell/main-http-views.js.map +1 -0
package/dist/src/shell/main-http.js +76 -0
package/dist/src/shell/main-http.js.map +1 -0
package/dist/src/shell/main-loops.js +130 -0
package/dist/src/shell/main-loops.js.map +1 -0
package/dist/src/shell/main-mcp.js +129 -0
package/dist/src/shell/main-mcp.js.map +1 -0
package/dist/src/shell/main-orchestrator.js +120 -0
package/dist/src/shell/main-orchestrator.js.map +1 -0
package/dist/src/shell/main-preflight.js +43 -0
package/dist/src/shell/main-preflight.js.map +1 -0
package/dist/src/shell/main-reconcilers-helpers.js +244 -0
package/dist/src/shell/main-reconcilers-helpers.js.map +1 -0
package/dist/src/shell/main-reconcilers-pr.js +148 -0
package/dist/src/shell/main-reconcilers-pr.js.map +1 -0
package/dist/src/shell/main-reconcilers.js +225 -0
package/dist/src/shell/main-reconcilers.js.map +1 -0
package/dist/src/shell/main-runner.js +355 -0
package/dist/src/shell/main-runner.js.map +1 -0
package/dist/src/shell/main-scaffold.js +116 -0
package/dist/src/shell/main-scaffold.js.map +1 -0
package/dist/src/shell/main-shutdown.js +115 -0
package/dist/src/shell/main-shutdown.js.map +1 -0
package/dist/src/shell/main-startup.js +48 -0
package/dist/src/shell/main-startup.js.map +1 -0
package/dist/src/shell/main-substrates.js +43 -0
package/dist/src/shell/main-substrates.js.map +1 -0
package/dist/src/shell/main.js +385 -0
package/dist/src/shell/main.js.map +1 -0
package/dist/src/shell/orchestrator-feedback.js +69 -0
package/dist/src/shell/orchestrator-feedback.js.map +1 -0
package/dist/src/shell/orchestrator-image.js +167 -0
package/dist/src/shell/orchestrator-image.js.map +1 -0
package/dist/src/shell/orchestrator-loop.js +468 -0
package/dist/src/shell/orchestrator-loop.js.map +1 -0
package/dist/src/shell/orchestrator-reconcile.js +36 -0
package/dist/src/shell/orchestrator-reconcile.js.map +1 -0
package/dist/src/shell/reconciler-loop.js +228 -0
package/dist/src/shell/reconciler-loop.js.map +1 -0
package/dist/src/shell/runner-loop-turn.js +301 -0
package/dist/src/shell/runner-loop-turn.js.map +1 -0
package/dist/src/shell/runner-loop.js +338 -0
package/dist/src/shell/runner-loop.js.map +1 -0
package/dist/src/shell/server/http.js +208 -0
package/dist/src/shell/server/http.js.map +1 -0
package/dist/src/shell/server/mcp-runtime-effects.js +237 -0
package/dist/src/shell/server/mcp-runtime-effects.js.map +1 -0
package/dist/src/shell/server/mcp-runtime.js +99 -0
package/dist/src/shell/server/mcp-runtime.js.map +1 -0
package/dist/src/shell/workspace-key.js +14 -0
package/dist/src/shell/workspace-key.js.map +1 -0
package/dist/src/types/acp.js +8 -0
package/dist/src/types/acp.js.map +1 -0
package/dist/src/types/actions/plan.js +6 -0
package/dist/src/types/actions/plan.js.map +1 -0
package/dist/src/types/actions/predicates.js +6 -0
package/dist/src/types/actions/predicates.js.map +1 -0
package/dist/src/types/actions/run-fold.js +8 -0
package/dist/src/types/actions/run-fold.js.map +1 -0
package/dist/src/types/actions.js +7 -0
package/dist/src/types/actions.js.map +1 -0
package/dist/src/types/adapter/clock-random.js +4 -0
package/dist/src/types/adapter/clock-random.js.map +1 -0
package/dist/src/types/adapter/gondolin-image-converter.js +5 -0
package/dist/src/types/adapter/gondolin-image-converter.js.map +1 -0
package/dist/src/types/adapter/gondolin-image-fetch.js +5 -0
package/dist/src/types/adapter/gondolin-image-fetch.js.map +1 -0
package/dist/src/types/adapter/workflow-loader.js +4 -0
package/dist/src/types/adapter/workflow-loader.js.map +1 -0
package/dist/src/types/cli/args.js +8 -0
package/dist/src/types/cli/args.js.map +1 -0
package/dist/src/types/config.js +8 -0
package/dist/src/types/config.js.map +1 -0
package/dist/src/types/credential-interp.js +6 -0
package/dist/src/types/credential-interp.js.map +1 -0
package/dist/src/types/credentials.js +10 -0
package/dist/src/types/credentials.js.map +1 -0
package/dist/src/types/doctor.js +7 -0
package/dist/src/types/doctor.js.map +1 -0
package/dist/src/types/domain.js +7 -0
package/dist/src/types/domain.js.map +1 -0
package/dist/src/types/effect.js +15 -0
package/dist/src/types/effect.js.map +1 -0
package/dist/src/types/errors.js +39 -0
package/dist/src/types/errors.js.map +1 -0
package/dist/src/types/http/decisions.js +6 -0
package/dist/src/types/http/decisions.js.map +1 -0
package/dist/src/types/http/render.js +10 -0
package/dist/src/types/http/render.js.map +1 -0
package/dist/src/types/http/views.js +6 -0
package/dist/src/types/http/views.js.map +1 -0
package/dist/src/types/http.js +9 -0
package/dist/src/types/http.js.map +1 -0
package/dist/src/types/image/managed-image.js +7 -0
package/dist/src/types/image/managed-image.js.map +1 -0
package/dist/src/types/interp/effect-interpreter.js +8 -0
package/dist/src/types/interp/effect-interpreter.js.map +1 -0
package/dist/src/types/interp/tracker.js +7 -0
package/dist/src/types/interp/tracker.js.map +1 -0
package/dist/src/types/issue/file.js +6 -0
package/dist/src/types/issue/file.js.map +1 -0
package/dist/src/types/issue/parse.js +8 -0
package/dist/src/types/issue/parse.js.map +1 -0
package/dist/src/types/main-acp.js +13 -0
package/dist/src/types/main-acp.js.map +1 -0
package/dist/src/types/main-adapters.js +5 -0
package/dist/src/types/main-adapters.js.map +1 -0
package/dist/src/types/main-credential.js +21 -0
package/dist/src/types/main-credential.js.map +1 -0
package/dist/src/types/main-doctor.js +6 -0
package/dist/src/types/main-doctor.js.map +1 -0
package/dist/src/types/main-http-handler.js +12 -0
package/dist/src/types/main-http-handler.js.map +1 -0
package/dist/src/types/main-http.js +5 -0
package/dist/src/types/main-http.js.map +1 -0
package/dist/src/types/main-loops.js +5 -0
package/dist/src/types/main-loops.js.map +1 -0
package/dist/src/types/main-mcp.js +12 -0
package/dist/src/types/main-mcp.js.map +1 -0
package/dist/src/types/main-orchestrator.js +5 -0
package/dist/src/types/main-orchestrator.js.map +1 -0
package/dist/src/types/main-reconcilers.js +11 -0
package/dist/src/types/main-reconcilers.js.map +1 -0
package/dist/src/types/main-runner.js +13 -0
package/dist/src/types/main-runner.js.map +1 -0
package/dist/src/types/main-startup.js +5 -0
package/dist/src/types/main-startup.js.map +1 -0
package/dist/src/types/main-substrates.js +5 -0
package/dist/src/types/main-substrates.js.map +1 -0
package/dist/src/types/mcp/dispatch.js +4 -0
package/dist/src/types/mcp/dispatch.js.map +1 -0
package/dist/src/types/mcp/post-move.js +7 -0
package/dist/src/types/mcp/post-move.js.map +1 -0
package/dist/src/types/mcp.js +9 -0
package/dist/src/types/mcp.js.map +1 -0
package/dist/src/types/ports.js +12 -0
package/dist/src/types/ports.js.map +1 -0
package/dist/src/types/reconcile/image-decide.js +5 -0
package/dist/src/types/reconcile/image-decide.js.map +1 -0
package/dist/src/types/reconcile/ledger.js +7 -0
package/dist/src/types/reconcile/ledger.js.map +1 -0
package/dist/src/types/reconcile/pr-loop.js +8 -0
package/dist/src/types/reconcile/pr-loop.js.map +1 -0
package/dist/src/types/reconcile/vm-reap.js +8 -0
package/dist/src/types/reconcile/vm-reap.js.map +1 -0
package/dist/src/types/reconcile/workspace-decide.js +7 -0
package/dist/src/types/reconcile/workspace-decide.js.map +1 -0
package/dist/src/types/reconcile.js +9 -0
package/dist/src/types/reconcile.js.map +1 -0
package/dist/src/types/runlog.js +7 -0
package/dist/src/types/runlog.js.map +1 -0
package/dist/src/types/runner/actions-runner.js +12 -0
package/dist/src/types/runner/actions-runner.js.map +1 -0
package/dist/src/types/runner/gondolin-dispatch.js +5 -0
package/dist/src/types/runner/gondolin-dispatch.js.map +1 -0
package/dist/src/types/runner/injection.js +6 -0
package/dist/src/types/runner/injection.js.map +1 -0
package/dist/src/types/runner/runner-loop.js +5 -0
package/dist/src/types/runner/runner-loop.js.map +1 -0
package/dist/src/types/runner/turn.js +4 -0
package/dist/src/types/runner/turn.js.map +1 -0
package/dist/src/types/runner/vm-plan.js +4 -0
package/dist/src/types/runner/vm-plan.js.map +1 -0
package/dist/src/types/runtime.js +9 -0
package/dist/src/types/runtime.js.map +1 -0
package/dist/src/types/schedule/admission.js +7 -0
package/dist/src/types/schedule/admission.js.map +1 -0
package/dist/src/types/schedule/circuit-breaker.js +2 -0
package/dist/src/types/schedule/circuit-breaker.js.map +1 -0
package/dist/src/types/schedule/eligibility.js +9 -0
package/dist/src/types/schedule/eligibility.js.map +1 -0
package/dist/src/types/schedule/orchestrator-loop.js +10 -0
package/dist/src/types/schedule/orchestrator-loop.js.map +1 -0
package/dist/src/types/schedule/sleep-cycle.js +4 -0
package/dist/src/types/schedule/sleep-cycle.js.map +1 -0
package/dist/src/types/schedule/slots.js +8 -0
package/dist/src/types/schedule/slots.js.map +1 -0
package/dist/src/types/schedule/tick.js +9 -0
package/dist/src/types/schedule/tick.js.map +1 -0
package/dist/src/types/server/mcp-runtime.js +8 -0
package/dist/src/types/server/mcp-runtime.js.map +1 -0
package/dist/src/types/workflow/parse.js +4 -0
package/dist/src/types/workflow/parse.js.map +1 -0
package/dist/tests/core/account-id.test.js +35 -0
package/dist/tests/core/account-id.test.js.map +1 -0
package/dist/tests/core/actions-parse.test.js +176 -0
package/dist/tests/core/actions-parse.test.js.map +1 -0
package/dist/tests/core/adapter-config.test.js +133 -0
package/dist/tests/core/adapter-config.test.js.map +1 -0
package/dist/tests/core/admission.test.js +215 -0
package/dist/tests/core/admission.test.js.map +1 -0
package/dist/tests/core/args.test.js +132 -0
package/dist/tests/core/args.test.js.map +1 -0
package/dist/tests/core/availability.test.js +62 -0
package/dist/tests/core/availability.test.js.map +1 -0
package/dist/tests/core/checks.test.js +395 -0
package/dist/tests/core/checks.test.js.map +1 -0
package/dist/tests/core/circuit-breaker.test.js +172 -0
package/dist/tests/core/circuit-breaker.test.js.map +1 -0
package/dist/tests/core/coerce.test.js +87 -0
package/dist/tests/core/coerce.test.js.map +1 -0
package/dist/tests/core/context.test.js +228 -0
package/dist/tests/core/context.test.js.map +1 -0
package/dist/tests/core/decisions.test.js +310 -0
package/dist/tests/core/decisions.test.js.map +1 -0
package/dist/tests/core/derive.test.js +205 -0
package/dist/tests/core/derive.test.js.map +1 -0
package/dist/tests/core/dispatch-config.test.js +164 -0
package/dist/tests/core/dispatch-config.test.js.map +1 -0
package/dist/tests/core/dispatch.test.js +302 -0
package/dist/tests/core/dispatch.test.js.map +1 -0
package/dist/tests/core/eligibility.test.js +163 -0
package/dist/tests/core/eligibility.test.js.map +1 -0
package/dist/tests/core/extract.test.js +139 -0
package/dist/tests/core/extract.test.js.map +1 -0
package/dist/tests/core/fake-creds.test.js +134 -0
package/dist/tests/core/fake-creds.test.js.map +1 -0
package/dist/tests/core/file.test.js +197 -0
package/dist/tests/core/file.test.js.map +1 -0
package/dist/tests/core/git-result.test.js +113 -0
package/dist/tests/core/git-result.test.js.map +1 -0
package/dist/tests/core/identity.test.js +180 -0
package/dist/tests/core/identity.test.js.map +1 -0
package/dist/tests/core/image-decide.test.js +59 -0
package/dist/tests/core/image-decide.test.js.map +1 -0
package/dist/tests/core/injection.test.js +163 -0
package/dist/tests/core/injection.test.js.map +1 -0
package/dist/tests/core/ledger.test.js +218 -0
package/dist/tests/core/ledger.test.js.map +1 -0
package/dist/tests/core/managed-image.test.js +68 -0
package/dist/tests/core/managed-image.test.js.map +1 -0
package/dist/tests/core/mise.test.js +138 -0
package/dist/tests/core/mise.test.js.map +1 -0
package/dist/tests/core/parse.test.js +174 -0
package/dist/tests/core/parse.test.js.map +1 -0
package/dist/tests/core/path.test.js +50 -0
package/dist/tests/core/path.test.js.map +1 -0
package/dist/tests/core/plan.test.js +218 -0
package/dist/tests/core/plan.test.js.map +1 -0
package/dist/tests/core/post-move.test.js +162 -0
package/dist/tests/core/post-move.test.js.map +1 -0
package/dist/tests/core/pr-classify.test.js +117 -0
package/dist/tests/core/pr-classify.test.js.map +1 -0
package/dist/tests/core/pr-decide.test.js +298 -0
package/dist/tests/core/pr-decide.test.js.map +1 -0
package/dist/tests/core/pr-loop.test.js +301 -0
package/dist/tests/core/pr-loop.test.js.map +1 -0
package/dist/tests/core/pr-notes.test.js +165 -0
package/dist/tests/core/pr-notes.test.js.map +1 -0
package/dist/tests/core/predicates.test.js +154 -0
package/dist/tests/core/predicates.test.js.map +1 -0
package/dist/tests/core/prompt.test.js +189 -0
package/dist/tests/core/prompt.test.js.map +1 -0
package/dist/tests/core/protocol.test.js +195 -0
package/dist/tests/core/protocol.test.js.map +1 -0
package/dist/tests/core/reconcile-issue.test.js +116 -0
package/dist/tests/core/reconcile-issue.test.js.map +1 -0
package/dist/tests/core/render.test.js +549 -0
package/dist/tests/core/render.test.js.map +1 -0
package/dist/tests/core/retry.test.js +186 -0
package/dist/tests/core/retry.test.js.map +1 -0
package/dist/tests/core/routes.test.js +247 -0
package/dist/tests/core/routes.test.js.map +1 -0
package/dist/tests/core/run-fold.test.js +299 -0
package/dist/tests/core/run-fold.test.js.map +1 -0
package/dist/tests/core/shape.test.js +185 -0
package/dist/tests/core/shape.test.js.map +1 -0
package/dist/tests/core/sleep-cycle.test.js +150 -0
package/dist/tests/core/sleep-cycle.test.js.map +1 -0
package/dist/tests/core/slots.test.js +201 -0
package/dist/tests/core/slots.test.js.map +1 -0
package/dist/tests/core/state-resolve.test.js +80 -0
package/dist/tests/core/state-resolve.test.js.map +1 -0
package/dist/tests/core/summary.test.js +200 -0
package/dist/tests/core/summary.test.js.map +1 -0
package/dist/tests/core/template.test.js +116 -0
package/dist/tests/core/template.test.js.map +1 -0
package/dist/tests/core/tick.test.js +558 -0
package/dist/tests/core/tick.test.js.map +1 -0
package/dist/tests/core/token-fold.test.js +176 -0
package/dist/tests/core/token-fold.test.js.map +1 -0
package/dist/tests/core/turn.test.js +388 -0
package/dist/tests/core/turn.test.js.map +1 -0
package/dist/tests/core/url.test.js +118 -0
package/dist/tests/core/url.test.js.map +1 -0
package/dist/tests/core/validate.test.js +247 -0
package/dist/tests/core/validate.test.js.map +1 -0
package/dist/tests/core/views.test.js +252 -0
package/dist/tests/core/views.test.js.map +1 -0
package/dist/tests/core/vm-decide.test.js +110 -0
package/dist/tests/core/vm-decide.test.js.map +1 -0
package/dist/tests/core/vm-guards.test.js +153 -0
package/dist/tests/core/vm-guards.test.js.map +1 -0
package/dist/tests/core/vm-plan.test.js +332 -0
package/dist/tests/core/vm-plan.test.js.map +1 -0
package/dist/tests/core/vm-reap.test.js +196 -0
package/dist/tests/core/vm-reap.test.js.map +1 -0
package/dist/tests/core/workflow-parse.test.js +493 -0
package/dist/tests/core/workflow-parse.test.js.map +1 -0
package/dist/tests/core/workspace-decide.test.js +236 -0
package/dist/tests/core/workspace-decide.test.js.map +1 -0
package/dist/tests/helpers/fixtures.js +167 -0
package/dist/tests/helpers/fixtures.js.map +1 -0
package/dist/tests/shell/acp-substrate.test.js +101 -0
package/dist/tests/shell/acp-substrate.test.js.map +1 -0
package/dist/tests/shell/actions-runner-push.test.js +203 -0
package/dist/tests/shell/actions-runner-push.test.js.map +1 -0
package/dist/tests/shell/credential-hooks.test.js +36 -0
package/dist/tests/shell/credential-hooks.test.js.map +1 -0
package/dist/tests/shell/credential-registry.test.js +165 -0
package/dist/tests/shell/credential-registry.test.js.map +1 -0
package/dist/tests/shell/credential-substrate.test.js +179 -0
package/dist/tests/shell/credential-substrate.test.js.map +1 -0
package/dist/tests/shell/dockerfile-mise-pin.test.js +51 -0
package/dist/tests/shell/dockerfile-mise-pin.test.js.map +1 -0
package/dist/tests/shell/doctor.test.js +101 -0
package/dist/tests/shell/doctor.test.js.map +1 -0
package/dist/tests/shell/effect-vm-create.test.js +52 -0
package/dist/tests/shell/effect-vm-create.test.js.map +1 -0
package/dist/tests/shell/gh-port.test.js +63 -0
package/dist/tests/shell/gh-port.test.js.map +1 -0
package/dist/tests/shell/gondolin-dispatch-guard.test.js +144 -0
package/dist/tests/shell/gondolin-dispatch-guard.test.js.map +1 -0
package/dist/tests/shell/gondolin-dispatch-shquote.test.js +168 -0
package/dist/tests/shell/gondolin-dispatch-shquote.test.js.map +1 -0
package/dist/tests/shell/gondolin-image-converter.test.js +208 -0
package/dist/tests/shell/gondolin-image-converter.test.js.map +1 -0
package/dist/tests/shell/gondolin-image-fetch.test.js +93 -0
package/dist/tests/shell/gondolin-image-fetch.test.js.map +1 -0
package/dist/tests/shell/http-handler.test.js +608 -0
package/dist/tests/shell/http-handler.test.js.map +1 -0
package/dist/tests/shell/http-server.test.js +53 -0
package/dist/tests/shell/http-server.test.js.map +1 -0
package/dist/tests/shell/mcp-runtime.test.js +366 -0
package/dist/tests/shell/mcp-runtime.test.js.map +1 -0
package/dist/tests/shell/mise-config-asset.test.js +87 -0
package/dist/tests/shell/mise-config-asset.test.js.map +1 -0
package/dist/tests/shell/orchestrator-loop.test.js +583 -0
package/dist/tests/shell/orchestrator-loop.test.js.map +1 -0
package/dist/tests/shell/reconciler-passes.test.js +314 -0
package/dist/tests/shell/reconciler-passes.test.js.map +1 -0
package/dist/tests/shell/runner-loop-turn.test.js +97 -0
package/dist/tests/shell/runner-loop-turn.test.js.map +1 -0
package/dist/tests/shell/runner-slice.test.js +536 -0
package/dist/tests/shell/runner-slice.test.js.map +1 -0
package/dist/tests/shell/scaffold.test.js +65 -0
package/dist/tests/shell/scaffold.test.js.map +1 -0
package/dist/tests/shell/tick-config.test.js +83 -0
package/dist/tests/shell/tick-config.test.js.map +1 -0
package/dist/tests/shell/tracker-parse-dates.test.js +44 -0
package/dist/tests/shell/tracker-parse-dates.test.js.map +1 -0
package/dist/tests/shell/tracker-write-issue.test.js +154 -0
package/dist/tests/shell/tracker-write-issue.test.js.map +1 -0
package/dist/tests/shell/workflow-prompt-split.test.js +208 -0
package/dist/tests/shell/workflow-prompt-split.test.js.map +1 -0
package/dist/tests/shell/workspace-live-config.test.js +140 -0
package/dist/tests/shell/workspace-live-config.test.js.map +1 -0
package/package.json +21 -9
package/patches/@earendil-works+gondolin+0.12.0.patch +173 -0
package/prompts/Reflect.md +91 -0
package/prompts/Review.md +97 -0
package/prompts/Todo.md +96 -0
package/prompts/_footer.md +41 -0
package/prompts/_preamble.md +42 -0
package/prompts-minimal/Todo.md +26 -0
package/scripts/postinstall.mjs +63 -0
package/scripts/vm-agent.mjs +312 -90
package/WORKFLOW.md +0 -744
package/dist/acp-bridge.js +0 -324
package/dist/acp-bridge.js.map +0 -1
package/dist/actions/cache.js +0 -191
package/dist/actions/cache.js.map +0 -1
package/dist/actions/effects.js +0 -41
package/dist/actions/effects.js.map +0 -1
package/dist/actions/executor.js +0 -570
package/dist/actions/executor.js.map +0 -1
package/dist/actions/index.js +0 -13
package/dist/actions/index.js.map +0 -1
package/dist/actions/parsing.js.map +0 -1
package/dist/actions/predicate-env.js +0 -27
package/dist/actions/predicate-env.js.map +0 -1
package/dist/actions/predicates.js +0 -49
package/dist/actions/predicates.js.map +0 -1
package/dist/actions/templating.js +0 -66
package/dist/actions/templating.js.map +0 -1
package/dist/actions/types.js +0 -15
package/dist/actions/types.js.map +0 -1
package/dist/agent/acp.js +0 -473
package/dist/agent/acp.js.map +0 -1
package/dist/agent/adapter-names.js +0 -159
package/dist/agent/adapter-names.js.map +0 -1
package/dist/agent/adapters.js +0 -511
package/dist/agent/adapters.js.map +0 -1
package/dist/agent/credential-extractors.js +0 -342
package/dist/agent/credential-extractors.js.map +0 -1
package/dist/agent/credential-secrets.js +0 -628
package/dist/agent/credential-secrets.js.map +0 -1
package/dist/agent/credential-ticker.js +0 -57
package/dist/agent/credential-ticker.js.map +0 -1
package/dist/agent/gondolin-creds-staging.js +0 -356
package/dist/agent/gondolin-creds-staging.js.map +0 -1
package/dist/agent/gondolin-dispatch.js +0 -375
package/dist/agent/gondolin-dispatch.js.map +0 -1
package/dist/agent/gondolin.js +0 -124
package/dist/agent/gondolin.js.map +0 -1
package/dist/agent/runner-decisions.js +0 -134
package/dist/agent/runner-decisions.js.map +0 -1
package/dist/agent/runner.js +0 -1456
package/dist/agent/runner.js.map +0 -1
package/dist/agent/tool-call-summary.js +0 -102
package/dist/agent/tool-call-summary.js.map +0 -1
package/dist/agent/vm-acp-mapping.js +0 -73
package/dist/agent/vm-acp-mapping.js.map +0 -1
package/dist/agent/vm-guards.js +0 -262
package/dist/agent/vm-guards.js.map +0 -1
package/dist/agent/vm-port.js +0 -22
package/dist/agent/vm-port.js.map +0 -1
package/dist/agent/vm-process-registry.js +0 -79
package/dist/agent/vm-process-registry.js.map +0 -1
package/dist/bin/cli-args.js +0 -105
package/dist/bin/cli-args.js.map +0 -1
package/dist/bin/symphony.js +0 -794
package/dist/bin/symphony.js.map +0 -1
package/dist/errors.js +0 -15
package/dist/errors.js.map +0 -1
package/dist/http-disk.js +0 -135
package/dist/http-disk.js.map +0 -1
package/dist/http-handlers.js.map +0 -1
package/dist/http.js.map +0 -1
package/dist/issues.js +0 -178
package/dist/issues.js.map +0 -1
package/dist/logging.js +0 -203
package/dist/logging.js.map +0 -1
package/dist/mcp.js +0 -706
package/dist/mcp.js.map +0 -1
package/dist/memory.js +0 -85
package/dist/memory.js.map +0 -1
package/dist/orchestrator-decisions.js +0 -331
package/dist/orchestrator-decisions.js.map +0 -1
package/dist/orchestrator.js +0 -1569
package/dist/orchestrator.js.map +0 -1
package/dist/prompt.js +0 -65
package/dist/prompt.js.map +0 -1
package/dist/reconciler/cache.js +0 -65
package/dist/reconciler/cache.js.map +0 -1
package/dist/reconciler/index.js +0 -448
package/dist/reconciler/index.js.map +0 -1
package/dist/reconciler/ledger.js +0 -131
package/dist/reconciler/ledger.js.map +0 -1
package/dist/reconciler/pr-adapters.js +0 -174
package/dist/reconciler/pr-adapters.js.map +0 -1
package/dist/reconciler/pr-decide.js.map +0 -1
package/dist/reconciler/pr.js +0 -422
package/dist/reconciler/pr.js.map +0 -1
package/dist/reconciler/types.js +0 -12
package/dist/reconciler/types.js.map +0 -1
package/dist/reconciler/vm.js +0 -243
package/dist/reconciler/vm.js.map +0 -1
package/dist/reconciler/workspace-defaults.js +0 -83
package/dist/reconciler/workspace-defaults.js.map +0 -1
package/dist/reconciler/workspace.js +0 -272
package/dist/reconciler/workspace.js.map +0 -1
package/dist/runlog.js +0 -403
package/dist/runlog.js.map +0 -1
package/dist/scaffold.js +0 -165
package/dist/scaffold.js.map +0 -1
package/dist/trackers/local.js +0 -445
package/dist/trackers/local.js.map +0 -1
package/dist/trackers/types.js +0 -10
package/dist/trackers/types.js.map +0 -1
package/dist/types.js +0 -3
package/dist/types.js.map +0 -1
package/dist/util/clock.js +0 -12
package/dist/util/clock.js.map +0 -1
package/dist/util/crypto.js +0 -25
package/dist/util/crypto.js.map +0 -1
package/dist/util/frontmatter.js +0 -70
package/dist/util/frontmatter.js.map +0 -1
package/dist/util/fs-issues.js +0 -22
package/dist/util/fs-issues.js.map +0 -1
package/dist/util/process.js +0 -152
package/dist/util/process.js.map +0 -1
package/dist/util/workspace-key.js +0 -10
package/dist/util/workspace-key.js.map +0 -1
package/dist/workflow-loader.js +0 -147
package/dist/workflow-loader.js.map +0 -1
package/dist/workflow.js +0 -822
package/dist/workflow.js.map +0 -1
package/dist/workspace-types.js +0 -8
package/dist/workspace-types.js.map +0 -1
package/dist/workspace.js +0 -443
package/dist/workspace.js.map +0 -1

package/dist/src/core/schedule/token-fold.js ADDED Viewed

@@ -0,0 +1,181 @@
+// FCIS rewrite — pure token-usage / runtime-event / tool-call-lifecycle folds.
+//
+// Ported faithfully from the original orchestrator (`reportTokenUsage`,
+// `reportRuntimeEvent`, `reportTurnStarted`, the `detectStalls` in-flight guard)
+// and `src/agent/tool-call-summary.ts:toolCallLifecycle`. The original mutated
+// the live `RunningEntry` map and the aggregate `SessionTotals` in place; here
+// every fold is a pure, SYNCHRONOUS `(data) -> data` returning the next state
+// (and, for the token fold, the per-report delta so the shell can add it into
+// the aggregate SessionTotals). No clock, no randomness, no IO, no Effects —
+// these are in-memory state folds, not side effects. Imports are restricted to
+// src/types.
+//
+// Three responsibilities, one per concern in the original:
+//   1. foldTokenUsage  — absolute totals → session deltas (no double counting).
+//   2. foldRuntimeEvent — append into the recent_events ring + last_event/at.
+//   3. tool-call lifecycle — active-tool-call set updates + stall-reaper guard.
+// ─── 1. Token-usage delta accounting ─────────────────────────────────────────
+/**
+ * Cap on the recent-events ring buffer. The original kept the last 50 events
+ * (`if (e.recent_events.length > 50) e.recent_events.shift()`).
+ */
+export const RECENT_EVENTS_CAP = 50;
+/**
+ * §9.4 token accounting: prefer the adapter's ABSOLUTE running totals, but only
+ * add the per-report DELTA into the aggregate so re-reported totals are not
+ * double counted.
+ *
+ * Mirrors the original `reportTokenUsage`:
+ *   - `dX = max(0, usage.X - last_reported_X)` (clamped at 0 — a regression /
+ *     reset in the absolute counter never SUBTRACTS from the aggregate),
+ *   - the entry's visible totals become the new absolute values,
+ *   - the baselines advance to the new absolute values.
+ *
+ * Pure: takes the prior baselines + the new reading, returns the TokenDelta the
+ * shell folds. The shell adds `*_delta` into the aggregate SessionTotals (see
+ * `addDeltaToTotals`) and stores the new `last_reported_*` + absolute totals on
+ * the running entry.
+ */
+export function foldTokenUsage(prior, usage) {
+    const input_delta = Math.max(0, usage.input_tokens - prior.last_reported_input);
+    const output_delta = Math.max(0, usage.output_tokens - prior.last_reported_output);
+    const total_delta = Math.max(0, usage.total_tokens - prior.last_reported_total);
+    return {
+        input_delta,
+        output_delta,
+        total_delta,
+        last_reported_input: usage.input_tokens,
+        last_reported_output: usage.output_tokens,
+        last_reported_total: usage.total_tokens,
+    };
+}
+/**
+ * Add a TokenDelta into the aggregate SessionTotals (no double counting — the
+ * delta is already de-duplicated by `foldTokenUsage`). `seconds_running` is
+ * carried through unchanged; it is accrued elsewhere (on attempt exit). Returns
+ * a new SessionTotals; does not mutate the input.
+ */
+export function addDeltaToTotals(totals, delta) {
+    return {
+        input_tokens: totals.input_tokens + delta.input_delta,
+        output_tokens: totals.output_tokens + delta.output_delta,
+        total_tokens: totals.total_tokens + delta.total_delta,
+        seconds_running: totals.seconds_running,
+    };
+}
+/**
+ * Fold one RuntimeEvent into a running entry's event slice. Mirrors the
+ * original `reportRuntimeEvent` (minus the live tool-call-set mutation, which is
+ * a separate concern handled by `foldToolCall`): updates `last_event` /
+ * `last_event_at` / `last_message` and pushes onto the recent-events ring,
+ * trimming the OLDEST when it exceeds `RECENT_EVENTS_CAP`.
+ *
+ * Pure: returns a new RuntimeEventState (and a fresh `recent_events` array); the
+ * input is not mutated.
+ */
+export function foldRuntimeEvent(state, ev) {
+    const recent_events = [...state.recent_events, ev];
+    while (recent_events.length > RECENT_EVENTS_CAP)
+        recent_events.shift();
+    return {
+        last_event: ev.event,
+        last_event_at: ev.at,
+        last_message: ev.message,
+        recent_events,
+    };
+}
+// ─── 3. Active-tool-call lifecycle / stall-reaper suppression ─────────────────
+/**
+ * Map an ACP tool notification to its effect on the in-flight tool-call set.
+ * Ported verbatim from `src/agent/tool-call-summary.ts:toolCallLifecycle`.
+ *
+ * ACP `ToolCallStatus` is `pending | in_progress | completed | failed`;
+ * `completed` / `failed` are terminal. A `tool_call` STARTS a tool (in-flight)
+ * unless it already carries a terminal status. A `tool_call_update` acts ONLY on
+ * a known status: terminal → ended, pending / in_progress → in-flight; an
+ * omitted / null / unknown status is a content-or-title-only delta and must NOT
+ * mutate the set (returns `undefined` = "no change").
+ */
+export function toolCallLifecycle(event, status) {
+    const terminal = status === 'completed' || status === 'failed';
+    if (event === 'tool_call')
+        return { ended: terminal };
+    if (terminal)
+        return { ended: true };
+    if (status === 'pending' || status === 'in_progress')
+        return { ended: false };
+    return undefined;
+}
+/**
+ * Apply a tool-call lifecycle delta to the in-flight set. Mirrors the original
+ * `reportRuntimeEvent` tool branch: a non-terminal delta ADDS the id (in
+ * flight), a terminal delta DELETES it (ended). The set is modeled as a sorted,
+ * de-duplicated array of ids so core stays free of live `Set` handles and the
+ * result is deterministic. Pure: returns a new array; the input is not mutated.
+ *
+ * Pass `undefined` (the "no change" case from `toolCallLifecycle`) and the set
+ * is returned unchanged. An empty `id` is ignored (matches the original guard
+ * `if (ev.tool && ev.tool.id)`).
+ */
+export function applyToolDelta(active, delta) {
+    if (!delta || !delta.id)
+        return [...active];
+    if (delta.ended)
+        return active.filter((id) => id !== delta.id);
+    if (active.includes(delta.id))
+        return [...active];
+    return [...active, delta.id].sort();
+}
+/**
+ * Turn-boundary reset of the in-flight set. Mirrors the original
+ * `reportTurnStarted`, which `e.active_tool_calls.clear()`s at every turn
+ * boundary: the prior turn's `session/prompt` has resolved, so no tool call from
+ * it can still be in flight. Clearing here backstops a leaked terminal
+ * `tool_call_update` so a stale id can't mask a real mid-turn stall (RCA
+ * 2026-06-02). Pure: always returns an empty set.
+ */
+export function clearToolCallsAtTurnBoundary() {
+    return [];
+}
+/**
+ * Whether the no-activity stall reaper should be SUPPRESSED for a running entry.
+ * Mirrors the two `continue` guards in the original `detectStalls`:
+ *   - `steeringRequested` — the agent is intentionally paused while the human
+ *     composes a reply, which can legitimately exceed `stall_timeout_ms`.
+ *   - `activeToolCallCount > 0` — a long silent tool (e.g. `… | tail`) produces
+ *     no ACP frames for its whole duration, so the no-activity timer would reap a
+ *     legitimately-busy agent merely blocked on the tool.
+ *
+ * The hard `prompt_timeout_ms` cap (a separate concern) backstops a tool that
+ * genuinely hangs, and operator/terminal cancel still applies regardless.
+ */
+export function shouldSuppressStallReaper(args) {
+    return args.steeringRequested || args.activeToolCallCount > 0;
+}
+/**
+ * Whether a running entry has stalled: the no-activity reaper fires when the
+ * timeout is positive, the entry is NOT suppressed, and the elapsed time since
+ * the last reference point (`last_event_at` ?? `started_at`) exceeds the
+ * timeout. Mirrors the body of the original `detectStalls` loop.
+ *
+ * The clock is INJECTED as `nowMs` (core never reads the wall clock).
+ * `lastReferenceMs` is the parsed `last_event_at ?? started_at` epoch ms (the
+ * shell parses the ISO timestamp; core stays free of `Date.parse`). A
+ * non-finite `lastReferenceMs` is treated as "cannot decide" → not stalled
+ * (matches the original `Number.isFinite(elapsed)` guard). Returns the elapsed
+ * ms when stalled so the shell can format the terminate reason
+ * (`stalled after <elapsed>ms`), or `null` when not stalled.
+ */
+export function detectStall(args) {
+    if (args.stallTimeoutMs <= 0)
+        return { stalled: false };
+    if (shouldSuppressStallReaper(args))
+        return { stalled: false };
+    const elapsed = args.nowMs - args.lastReferenceMs;
+    if (!Number.isFinite(elapsed))
+        return { stalled: false };
+    if (elapsed > args.stallTimeoutMs)
+        return { stalled: true, elapsedMs: elapsed };
+    return { stalled: false };
+}
+//# sourceMappingURL=token-fold.js.map

package/dist/src/core/schedule/token-fold.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"token-fold.js","sourceRoot":"","sources":["../../../../src/core/schedule/token-fold.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,wEAAwE;AACxE,iFAAiF;AACjF,+EAA+E;AAC/E,+EAA+E;AAC/E,8EAA8E;AAC9E,8EAA8E;AAC9E,6EAA6E;AAC7E,+EAA+E;AAC/E,aAAa;AACb,EAAE;AACF,2DAA2D;AAC3D,gFAAgF;AAChF,8EAA8E;AAC9E,gFAAgF;AAKhF,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,EAAE,CAAC;AASpC;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,cAAc,CAAC,KAAqB,EAAE,KAAwB;IAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,mBAAmB,CAAC,CAAC;IAChF,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,aAAa,GAAG,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACnF,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,mBAAmB,CAAC,CAAC;IAChF,OAAO;QACL,WAAW;QACX,YAAY;QACZ,WAAW;QACX,mBAAmB,EAAE,KAAK,CAAC,YAAY;QACvC,oBAAoB,EAAE,KAAK,CAAC,aAAa;QACzC,mBAAmB,EAAE,KAAK,CAAC,YAAY;KACxC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAqB,EAAE,KAAiB;IACvE,OAAO;QACL,YAAY,EAAE,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC,WAAW;QACrD,aAAa,EAAE,MAAM,CAAC,aAAa,GAAG,KAAK,CAAC,YAAY;QACxD,YAAY,EAAE,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC,WAAW;QACrD,eAAe,EAAE,MAAM,CAAC,eAAe;KACxC,CAAC;AACJ,CAAC;AAYD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAwB,EAAE,EAAgB;IACzE,MAAM,aAAa,GAAG,CAAC,GAAG,KAAK,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,aAAa,CAAC,MAAM,GAAG,iBAAiB;QAAE,aAAa,CAAC,KAAK,EAAE,CAAC;IACvE,OAAO;QACL,UAAU,EAAE,EAAE,CAAC,KAAK;QACpB,aAAa,EAAE,EAAE,CAAC,EAAE;QACpB,YAAY,EAAE,EAAE,CAAC,OAAO;QACxB,aAAa;KACd,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAuC,EACvC,MAAc;IAEd,MAAM,QAAQ,GAAG,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,QAAQ,CAAC;IAC/D,IAAI,KAAK,KAAK,WAAW;QAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IACtD,IAAI,QAAQ;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACrC,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,aAAa;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC9E,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAC5B,MAAyB,EACzB,KAAiD;IAEjD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,EAAE;QAAE,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;IAC5C,IAAI,KAAK,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,KAAK,KAAK,CAAC,EAAE,CAAC,CAAC;IAC/D,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAAE,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,4BAA4B;IAC1C,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,yBAAyB,CAAC,IAGzC;IACC,OAAO,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,mBAAmB,GAAG,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,WAAW,CAAC,IAM3B;IACC,IAAI,IAAI,CAAC,cAAc,IAAI,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACxD,IAAI,yBAAyB,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC;IAClD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACzD,IAAI,OAAO,GAAG,IAAI,CAAC,cAAc;QAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IAChF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;AAC5B,CAAC"}

package/dist/src/core/state-resolve.js ADDED Viewed

@@ -0,0 +1,86 @@
+// FCIS rewrite — the ONE canonical case-insensitive declared-state-name resolver.
+//
+// Functional core: pure, synchronous (data) -> data. No IO, no clock, no
+// randomness, no node: imports. Imports ONLY from src/types.
+//
+// Collapses what used to be FIVE byte-equivalent copies of the same
+// case-insensitive declared-name lookup (the original spread it across
+// src/issues.ts, src/agent/runner.ts, and src/mcp.ts):
+//   - core/states.ts:resolveStateKey            (deleted — orphan module)
+//   - core/runner/dispatch-config.ts:resolveStateKey (re-points here)
+//   - core/mcp/url.ts:canonicalStateName        (re-points here)
+//   - core/mcp/dispatch.ts:canonicalStateName    (re-points to resolveDeclaredName)
+//   - core/schedule/eligibility.ts:canonicalStateKey (re-points here)
+//   - inlined in core/workflow/derive.ts:resolveActionsForState (re-points here)
+//
+// Resolution contract (ported verbatim from every copy): an exact own-property
+// match wins; failing that, a case-insensitive scan over the declared keys in
+// declaration order (first match wins). Matches the rest of symphony, where
+// eligibility, reconciliation, and the local-tracker directories all compare
+// lowercase, so a workflow that declares `Todo` and a tracker file living under
+// `todo/` still resolves correctly.
+/**
+ * Resolve `name` to its canonical declared form given the declared names in
+ * declaration order. Exact match wins; otherwise a case-insensitive scan
+ * (first match in declaration order). Returns null when no declared name
+ * matches.
+ *
+ * This is the shape-agnostic core: callers that hold a `Record<string,
+ * StateConfig>` use {@link resolveStateKey}; callers that hold a precomputed
+ * declared-name list (e.g. the MCP `McpStatesView.order`) call this directly.
+ */
+export function resolveDeclaredName(order, name) {
+    for (const declared of order) {
+        if (declared === name)
+            return declared;
+    }
+    const lower = name.toLowerCase();
+    for (const declared of order) {
+        if (declared.toLowerCase() === lower)
+            return declared;
+    }
+    return null;
+}
+/**
+ * Resolve a (possibly differently-cased) state name to its canonical declared
+ * key in `states`, or null when no state matches. Thin wrapper over
+ * {@link resolveDeclaredName} keyed by `Object.keys(states)` (which is the
+ * declaration order). An exact own-property hit short-circuits the scan.
+ */
+export function resolveStateKey(states, state) {
+    if (Object.prototype.hasOwnProperty.call(states, state))
+        return state;
+    const lower = state.toLowerCase();
+    for (const name of Object.keys(states)) {
+        if (name.toLowerCase() === lower)
+            return name;
+    }
+    return null;
+}
+/**
+ * Is moving `fromState -> toState` *in-flow* given the from-state's
+ * `allowed_transitions`? The ONE definition shared by the agent's hard gate
+ * (`decideTransition`, src/core/mcp/dispatch.ts — it rejects an off-flow move
+ * with `transition_not_allowed`) and the operator's soft warning
+ * (`decideMoveTransition`, src/core/http/decisions.ts — it merely flags
+ * `off_flow` and lets the move through). Factoring it here keeps the two from
+ * drifting (issue 126).
+ *
+ * A move is in-flow when ANY of:
+ *   - it is a self-transition (case-insensitive `from === to`) — always a no-op;
+ *   - the from-state's `allowed_transitions` is null/undefined — the open
+ *     default ("any declared state is reachable");
+ *   - the target is a member of a non-null `allowed_transitions` list
+ *     (case-insensitive).
+ * It is OFF-flow only when the list is non-null and does not include the target.
+ * An empty list (`[]`) therefore makes every non-self target off-flow.
+ */
+export function isInFlowTransition(allowedTransitions, fromState, toState) {
+    if (fromState.toLowerCase() === toState.toLowerCase())
+        return true;
+    if (allowedTransitions == null)
+        return true;
+    const wanted = toState.toLowerCase();
+    return allowedTransitions.some((s) => s.toLowerCase() === wanted);
+}
+//# sourceMappingURL=state-resolve.js.map

package/dist/src/core/state-resolve.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"state-resolve.js","sourceRoot":"","sources":["../../../src/core/state-resolve.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,EAAE;AACF,yEAAyE;AACzE,6DAA6D;AAC7D,EAAE;AACF,oEAAoE;AACpE,uEAAuE;AACvE,uDAAuD;AACvD,0EAA0E;AAC1E,sEAAsE;AACtE,iEAAiE;AACjE,oFAAoF;AACpF,sEAAsE;AACtE,iFAAiF;AACjF,EAAE;AACF,+EAA+E;AAC/E,8EAA8E;AAC9E,4EAA4E;AAC5E,6EAA6E;AAC7E,gFAAgF;AAChF,oCAAoC;AAIpC;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAwB,EAAE,IAAY;IACxE,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,IAAI,QAAQ,KAAK,IAAI;YAAE,OAAO,QAAQ,CAAC;IACzC,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,IAAI,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK;YAAE,OAAO,QAAQ,CAAC;IACxD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAmC,EACnC,KAAa;IAEb,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAClC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,WAAW,EAAE,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,kBAAkB,CAChC,kBAAwD,EACxD,SAAiB,EACjB,OAAe;IAEf,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,kBAAkB,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC;AACpE,CAAC"}

package/dist/src/core/vm-guards.js ADDED Viewed

@@ -0,0 +1,278 @@
+// FCIS rewrite — pure VM safety guards (the *teeth* of the host-only-refresh
+// invariant). These are the createVm-options-building checks the Gondolin
+// dispatch path runs so the guest is enforced-by-construction to hold only
+// placeholders: real refresh / durable tokens never leave the host.
+//
+// 100% PURE + SYNCHRONOUS. No IO, no node: imports, no clock/randomness. POSIX
+// path normalization is done LEXICALLY and inline (the original leaned on
+// `node:path` + an injected `fs.realpath`; core may import neither). The lexical
+// denylist check is *more conservative* than a symlink-resolving one — it cannot
+// be widened by a symlink that resolves out of a denied dir, and a non-existent
+// path can't be mounted anyway.
+//
+// The reference's `realpath` symlink-resolution (codex HIGH) is IO and lives in
+// the shell: the shell canonicalizes the mount source through `fs.realpathSync`
+// and passes BOTH the lexical and resolved forms through assertNoCredentialMounts.
+// This pure core does only the lexical check by design.
+import { CredentialMountError } from '../types/errors.js';
+import { joinPosix } from './path.js';
+// The synthetic guest↔host control-plane vocabulary lives canonically in
+// core/mcp/url.ts (the dedicated MCP/ACP URL module); only MCP_GUEST_BASE_URL is
+// used locally (by guestMcpBaseUrl below) — the rest is re-exported, see the
+// "ACP / MCP guest control-plane URL derivation" section at the bottom.
+import { MCP_GUEST_BASE_URL } from './mcp/url.js';
+// ---------------------------------------------------------------------------
+// Lexical POSIX path helpers. `joinPosix` is the canonical one from core/path.ts
+// (this module's old copy lacked the empty-base/absolute-rel handling that the
+// canonical adopts — behaviour-identical for every call here, which only ever
+// passes a non-empty base + a relative rel). `resolvePosix` (with `.`/`..`
+// collapse) stays local — it is a stronger, security-load-bearing canonicalizer.
+// ---------------------------------------------------------------------------
+const SEP = '/';
+/**
+ * Lexically resolve an absolute POSIX path, collapsing `.` / `..` and
+ * duplicate separators WITHOUT touching the filesystem. A relative input is
+ * resolved against `base` (default the POSIX root `/`), mirroring how the
+ * original relied on `path.resolve` to absolutize a relative mount source. We do
+ * not consult cwd (that would be ambient state); the shell passes absolute mount
+ * sources, and `base` is supplied explicitly for any relative input.
+ */
+function resolvePosix(input, base = SEP) {
+    // Normalize Windows-style separators defensively, then anchor.
+    const raw = input.replace(/\\/g, SEP);
+    const anchored = raw.startsWith(SEP) ? raw : joinPosix(base, raw);
+    const out = [];
+    for (const part of anchored.split(SEP)) {
+        if (part === '' || part === '.')
+            continue;
+        if (part === '..') {
+            if (out.length > 0)
+                out.pop();
+            continue;
+        }
+        out.push(part);
+    }
+    return SEP + out.join(SEP);
+}
+/**
+ * Lexically canonicalize a host path WITHOUT touching the filesystem: expand a
+ * leading `~` / `~/…` against `homeDir`, then lexically resolve (collapse
+ * `.`/`..`, make absolute). Mirrors the reference's `canonicalizeHostPath` but
+ * uses inline POSIX logic instead of `node:path` so it stays importable from the
+ * functional core. We deliberately do NOT `fs.realpath` — the path need not
+ * exist, and a symlink-following resolve is IO + a TOCTOU surface; the deny check
+ * is a prefix test on the lexical canonical form, which is strictly more
+ * conservative.
+ */
+export function canonicalizeHostPath(hostPath, homeDir) {
+    let p = hostPath;
+    if (p === '~') {
+        p = homeDir;
+    }
+    else if (p.startsWith('~/') || p.startsWith('~\\')) {
+        p = joinPosix(homeDir, p.slice(2));
+    }
+    return resolvePosix(p, resolvePosix(homeDir));
+}
+/**
+ * True when `child` is `parent` or lies beneath it. Compares canonical absolute
+ * paths with a trailing-separator guard so `/home/u/.codexible` does not count as
+ * under `/home/u/.codex`.
+ */
+function isUnder(child, parent) {
+    if (child === parent)
+        return true;
+    const withSep = parent.endsWith(SEP) ? parent : parent + SEP;
+    return child.startsWith(withSep);
+}
+// ---------------------------------------------------------------------------
+// Credential-mount denylist guard.
+// ---------------------------------------------------------------------------
+/**
+ * Built-in credential directories/files, `~`-relative. `~/.claude` and `~/.codex`
+ * hold the adapter OAuth credentials; `~/.config`, `~/.ssh`, and `~/.symphony/oauth`
+ * round out the denylist.
+ */
+const BUILTIN_CRED_RELATIVE = [
+    '.claude',
+    '.codex',
+    '.config',
+    '.ssh',
+    '.symphony/oauth',
+];
+/** Resolve the full denylist (built-ins + extras) to canonical absolute paths. */
+function resolveDenylist(homeDir, extra) {
+    const home = resolvePosix(homeDir);
+    const out = new Set();
+    for (const rel of BUILTIN_CRED_RELATIVE)
+        out.add(joinPosix(home, rel));
+    for (const e of extra)
+        out.add(canonicalizeHostPath(e, homeDir));
+    return [...out];
+}
+/** Throw if `candidate` is the home root or overlaps any denylist entry. */
+function assertCandidateAllowed(candidate, homeRoot, denylist) {
+    // The home root is always denied — mounting it exposes every credential dir at
+    // once, and a workspace legitimately lives *under* home so the root can't just
+    // go in the per-dir denylist.
+    if (candidate === homeRoot) {
+        throw new CredentialMountError(`refusing to mount the home directory root ${candidate} into a guest VM ` +
+            `(exposes every credential directory at once)`);
+    }
+    for (const denied of denylist) {
+        // Bidirectional overlap: reject if the mount is UNDER a credential dir, IS
+        // one, OR is an ANCESTOR that contains one (e.g. mounting `~/.symphony`
+        // exposes `~/.symphony/oauth`). Read-only sources are NOT exempt.
+        if (isUnder(candidate, denied) || isUnder(denied, candidate)) {
+            throw new CredentialMountError(`refusing to mount ${candidate} into a guest VM: it overlaps the credential ` +
+                `path ${denied} (mounting it, a parent of it, or a child of it all expose ` +
+                `the credential tree; read-only sources are NOT exempt)`);
+        }
+    }
+}
+/**
+ * HARD-FAIL if any mount's host path OVERLAPS a credential directory (the mount
+ * is under one, IS one, or is an ancestor that contains one) or is the home-dir
+ * root. Lexical-only (see module header). Read-only mounts are NOT exempt. Throws
+ * {@link CredentialMountError} on the first offender; returns void on success.
+ */
+export function assertNoCredentialMounts(mounts, opts) {
+    const homeRoot = resolvePosix(opts.homeDir);
+    const denylist = resolveDenylist(opts.homeDir, opts.extraDenylist ?? []);
+    for (const m of mounts) {
+        const candidate = canonicalizeHostPath(m.host, opts.homeDir);
+        assertCandidateAllowed(candidate, homeRoot, denylist);
+    }
+}
+// ---------------------------------------------------------------------------
+// assertContained — path-escape guard for workspace restore (critic gap).
+// ---------------------------------------------------------------------------
+/**
+ * HARD-FAIL if `target` escapes `root` after lexical normalization. The
+ * workspace-restore path materializes agent-named entries under a workspace root;
+ * an entry like `../../.ssh/authorized_keys` (or an absolute path) would write
+ * outside the sandbox. This guard rejects any `target` that does not resolve to
+ * `root` itself or a path strictly beneath it.
+ *
+ * `target` is resolved RELATIVE TO `root` (so a bare relative path is anchored at
+ * the workspace), but an absolute `target` resolves to itself and is rejected
+ * unless it already lies under `root`. Returns the canonical contained path on
+ * success; throws {@link CredentialMountError} on escape — reused as the typed
+ * sandbox-violation error (the closest existing boundary-violation class; no
+ * separate `PathEscapeError` exists in src/types).
+ */
+export function assertContained(root, target) {
+    const canonRoot = resolvePosix(root);
+    // An absolute target resolves to itself; a relative one anchors at the root.
+    const canonTarget = target.startsWith(SEP)
+        ? resolvePosix(target)
+        : resolvePosix(joinPosix(canonRoot, target));
+    if (!isUnder(canonTarget, canonRoot)) {
+        throw new CredentialMountError(`refusing to write ${canonTarget}: it escapes the workspace root ${canonRoot} ` +
+            `(path-traversal guard for workspace restore)`);
+    }
+    return canonTarget;
+}
+// ---------------------------------------------------------------------------
+// Credential env-var stripping.
+// ---------------------------------------------------------------------------
+/**
+ * Exact credential env-var names dropped regardless of the family-suffix rules.
+ * Covers each adapter's token var plus the GitHub durable-token vars.
+ */
+const NAMED_CREDENTIAL_VARS = new Set([
+    'ANTHROPIC_AUTH_TOKEN',
+    'ANTHROPIC_API_KEY',
+    'OPENAI_API_KEY',
+    'GITHUB_TOKEN',
+    'GH_TOKEN',
+]);
+/**
+ * Vendor name prefixes whose entire family is credential-bearing under the strict
+ * boot-env policy.
+ */
+const CREDENTIAL_NAME_PREFIXES = [
+    'ANTHROPIC_',
+    'OPENAI_',
+    'GITHUB_',
+    'GH_',
+];
+/** Secret-bearing name suffixes across any vendor (`*_API_KEY` / `*_TOKEN` / `*_SECRET`). */
+const CREDENTIAL_NAME_SUFFIXES = ['_API_KEY', '_TOKEN', '_SECRET'];
+/**
+ * True when a name is a *secret-bearing token* by the named-set or the
+ * `*_API_KEY`/`*_TOKEN`/`*_SECRET` suffix rule. Deliberately does NOT include the
+ * vendor *prefix* families — this is the strip applied to adapter-injected runtime
+ * env, which legitimately carries non-secret config like `ANTHROPIC_MODEL` /
+ * `OPENAI_BASE_URL`.
+ */
+export function isCredentialTokenName(name) {
+    const upper = name.toUpperCase();
+    if (NAMED_CREDENTIAL_VARS.has(upper))
+        return true;
+    for (const suffix of CREDENTIAL_NAME_SUFFIXES) {
+        if (upper.endsWith(suffix))
+            return true;
+    }
+    return false;
+}
+/**
+ * True when an env var name is credential-bearing under ANY rule: the named set,
+ * the vendor prefix families, or the secret suffix families. The strict boot-env policy.
+ */
+export function isCredentialEnvName(name) {
+    if (isCredentialTokenName(name))
+        return true;
+    const upper = name.toUpperCase();
+    for (const prefix of CREDENTIAL_NAME_PREFIXES) {
+        if (upper.startsWith(prefix))
+            return true;
+    }
+    return false;
+}
+function stripBy(env, drop) {
+    const out = {};
+    for (const [k, v] of Object.entries(env)) {
+        if (drop(k))
+            continue;
+        out[k] = v;
+    }
+    return out;
+}
+/**
+ * Return a copy of `env` with every credential-bearing var removed (the strict
+ * boot-env policy — named set + vendor prefix families + secret suffixes). Use
+ * for the operator-forwarded boot env.
+ */
+export function stripCredentialEnv(env) {
+    return stripBy(env, isCredentialEnvName);
+}
+/**
+ * Return a copy of `env` with only secret-bearing TOKENS removed (named set +
+ * secret suffixes), preserving non-secret vendor-prefixed config like
+ * `ANTHROPIC_MODEL` / `OPENAI_BASE_URL`. Defense-in-depth for the adapter runtime env.
+ */
+export function stripCredentialTokenVars(env) {
+    return stripBy(env, isCredentialTokenName);
+}
+// ---------------------------------------------------------------------------
+// ACP / MCP guest control-plane URL derivation.
+// ---------------------------------------------------------------------------
+//
+// The synthetic guest↔host control-plane vocabulary (the `symphony-mcp:7001`
+// tunnel constants + the ACP-URL / tcp.hosts derivations) lives canonically in
+// core/mcp/url.ts — the dedicated MCP/ACP URL module. It is re-exported here so
+// vm-guards importers keep their `vm-guards.js` specifier WITHOUT a second
+// source of truth: a single home for MCP_GUEST_PORT / MCP_SYNTHETIC_HOST means a
+// port changed in one place can't silently desync the `tcp.hosts` rewire from
+// the URLs it's supposed to back. `guestMcpBaseUrl` is vm-guards-only (no
+// equivalent in url.ts) and stays defined here.
+export { MCP_SYNTHETIC_HOST, MCP_GUEST_PORT, MCP_GUEST_BASE_URL, ACP_WS_PATH, ACP_WS_GUEST_URL, acpWsUrlFromExplicit, guestAcpWsUrl, buildMcpTcpHostEntry, } from './mcp/url.js';
+/**
+ * The guest MCP base URL: the synthetic-tunnel base unless an explicit host URL
+ * is configured (in which case the guest reaches the orchestrator directly).
+ */
+export function guestMcpBaseUrl(mcp) {
+    return mcp.explicit_host_url ?? MCP_GUEST_BASE_URL;
+}
+//# sourceMappingURL=vm-guards.js.map

package/dist/src/core/vm-guards.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"vm-guards.js","sourceRoot":"","sources":["../../../src/core/vm-guards.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,0EAA0E;AAC1E,2EAA2E;AAC3E,oEAAoE;AACpE,EAAE;AACF,+EAA+E;AAC/E,0EAA0E;AAC1E,iFAAiF;AACjF,iFAAiF;AACjF,gFAAgF;AAChF,gCAAgC;AAChC,EAAE;AACF,gFAAgF;AAChF,gFAAgF;AAChF,mFAAmF;AACnF,wDAAwD;AAGxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,yEAAyE;AACzE,iFAAiF;AACjF,6EAA6E;AAC7E,wEAAwE;AACxE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,8EAA8E;AAC9E,iFAAiF;AACjF,+EAA+E;AAC/E,8EAA8E;AAC9E,2EAA2E;AAC3E,iFAAiF;AACjF,8EAA8E;AAE9E,MAAM,GAAG,GAAG,GAAG,CAAC;AAEhB;;;;;;;GAOG;AACH,SAAS,YAAY,CAAC,KAAa,EAAE,OAAe,GAAG;IACrD,+DAA+D;IAC/D,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAClE,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,IAAI,IAAI,KAAK,EAAE,IAAI,IAAI,KAAK,GAAG;YAAE,SAAS;QAC1C,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;gBAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAAC,QAAgB,EAAE,OAAe;IACpE,IAAI,CAAC,GAAG,QAAQ,CAAC;IACjB,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QACd,CAAC,GAAG,OAAO,CAAC;IACd,CAAC;SAAM,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACrD,CAAC,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,YAAY,CAAC,CAAC,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;AAChD,CAAC;AAED;;;;GAIG;AACH,SAAS,OAAO,CAAC,KAAa,EAAE,MAAc;IAC5C,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,CAAC;IAC7D,OAAO,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;AACnC,CAAC;AAED,8EAA8E;AAC9E,mCAAmC;AACnC,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,qBAAqB,GAAsB;IAC/C,SAAS;IACT,QAAQ;IACR,SAAS;IACT,MAAM;IACN,iBAAiB;CAClB,CAAC;AAYF,kFAAkF;AAClF,SAAS,eAAe,CAAC,OAAe,EAAE,KAAwB;IAChE,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,qBAAqB;QAAE,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;IACvE,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC;AAClB,CAAC;AAED,4EAA4E;AAC5E,SAAS,sBAAsB,CAC7B,SAAiB,EACjB,QAAgB,EAChB,QAA2B;IAE3B,+EAA+E;IAC/E,+EAA+E;IAC/E,8BAA8B;IAC9B,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,MAAM,IAAI,oBAAoB,CAC5B,6CAA6C,SAAS,mBAAmB;YACvE,8CAA8C,CACjD,CAAC;IACJ,CAAC;IACD,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,2EAA2E;QAC3E,wEAAwE;QACxE,kEAAkE;QAClE,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,IAAI,oBAAoB,CAC5B,qBAAqB,SAAS,+CAA+C;gBAC3E,QAAQ,MAAM,6DAA6D;gBAC3E,wDAAwD,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CACtC,MAA0B,EAC1B,IAAiC;IAEjC,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC;IACzE,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,oBAAoB,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7D,sBAAsB,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACxD,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,0EAA0E;AAC1E,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,MAAc;IAC1D,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACrC,6EAA6E;IAC7E,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;QACxC,CAAC,CAAC,YAAY,CAAC,MAAM,CAAC;QACtB,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,oBAAoB,CAC5B,qBAAqB,WAAW,mCAAmC,SAAS,GAAG;YAC7E,8CAA8C,CACjD,CAAC;IACJ,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,sBAAsB;IACtB,mBAAmB;IACnB,gBAAgB;IAChB,cAAc;IACd,UAAU;CACX,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,wBAAwB,GAAsB;IAClD,YAAY;IACZ,SAAS;IACT,SAAS;IACT,KAAK;CACN,CAAC;AAEF,6FAA6F;AAC7F,MAAM,wBAAwB,GAAsB,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AAEtF;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,qBAAqB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,KAAK,MAAM,MAAM,IAAI,wBAAwB,EAAE,CAAC;QAC9C,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC1C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,IAAI,qBAAqB,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,KAAK,MAAM,MAAM,IAAI,wBAAwB,EAAE,CAAC;QAC9C,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,OAAO,CACd,GAA2B,EAC3B,IAA+B;IAE/B,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,IAAI,IAAI,CAAC,CAAC,CAAC;YAAE,SAAS;QACtB,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACb,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAA2B;IAC5D,OAAO,OAAO,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;AAC3C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,GAA2B;IAClE,OAAO,OAAO,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC;AAC7C,CAAC;AAED,8EAA8E;AAC9E,gDAAgD;AAChD,8EAA8E;AAC9E,EAAE;AACF,6EAA6E;AAC7E,+EAA+E;AAC/E,gFAAgF;AAChF,2EAA2E;AAC3E,iFAAiF;AACjF,8EAA8E;AAC9E,0EAA0E;AAC1E,gDAAgD;AAEhD,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,kBAAkB,EAClB,WAAW,EACX,gBAAgB,EAChB,oBAAoB,EACpB,aAAa,EACb,oBAAoB,GACrB,MAAM,cAAc,CAAC;AAEtB;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAyC;IACvE,OAAO,GAAG,CAAC,iBAAiB,IAAI,kBAAkB,CAAC;AACrD,CAAC"}