switchman-dev 0.1.6 → 0.1.8

package/src/core/licence.js

@@ -0,0 +1,365 @@
+/**
+ * switchman licence module
+ * Handles Pro licence validation, credential storage, and caching.
+ *
+ * Credentials file: ~/.switchman/credentials.json
+ * Cache file:       ~/.switchman/licence-cache.json
+ *
+ * The CLI calls checkLicence() before any Pro-gated feature.
+ * It returns { valid, plan, email, cached } and never throws —
+ * if anything goes wrong it returns { valid: false }.
+ */
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+
+// ─── Config ───────────────────────────────────────────────────────────────────
+//
+// Defaults point at the hosted Switchman Pro backend.
+// Override with environment variables if self-hosting:
+//   SWITCHMAN_SUPABASE_URL=https://your-project.supabase.co
+//   SWITCHMAN_SUPABASE_ANON=your-anon-key
+
+const SUPABASE_URL  = process.env.SWITCHMAN_SUPABASE_URL
+  ?? 'https://afilbolhlkiingnsupgr.supabase.co';
+
+const SUPABASE_ANON = process.env.SWITCHMAN_SUPABASE_ANON
+  ?? 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFmaWxib2xobGtpaW5nbnN1cGdyIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzM1OTIzOTIsImV4cCI6MjA4OTE2ODM5Mn0.8TBfHfRB0vEyKPMWBd6i1DNwx1nS9UqprIAsJf35n88';
+const VALIDATE_URL      = `${SUPABASE_URL}/functions/v1/validate-licence`;
+const AUTH_URL          = `${SUPABASE_URL}/auth/v1`;
+const PRO_PAGE_URL      = 'https://switchman.dev/pro';
+
+const FREE_AGENT_LIMIT  = 3;
+const FREE_RETENTION_DAYS = 7;
+const PRO_RETENTION_DAYS = 90;
+const CACHE_TTL_MS      = 24 * 60 * 60 * 1000;   // 24 hours
+const OFFLINE_GRACE_MS  = 7 * 24 * 60 * 60 * 1000; // 7 days
+
+// ─── Paths ────────────────────────────────────────────────────────────────────
+
+function getSwitchmanConfigDir() {
+  return join(homedir(), '.switchman');
+}
+
+function getCredentialsPath() {
+  return join(getSwitchmanConfigDir(), 'credentials.json');
+}
+
+function getLicenceCachePath() {
+  return join(getSwitchmanConfigDir(), 'licence-cache.json');
+}
+
+function ensureConfigDir() {
+  const dir = getSwitchmanConfigDir();
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true, mode: 0o700 });
+}
+
+// ─── Credentials ─────────────────────────────────────────────────────────────
+
+export function readCredentials() {
+  try {
+    const path = getCredentialsPath();
+    if (!existsSync(path)) return null;
+    return JSON.parse(readFileSync(path, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+export function writeCredentials(creds) {
+  ensureConfigDir();
+  writeFileSync(getCredentialsPath(), JSON.stringify(creds, null, 2), { mode: 0o600 });
+}
+
+export function clearCredentials() {
+  try {
+    const path = getCredentialsPath();
+    if (existsSync(path)) {
+      writeFileSync(path, JSON.stringify({}), { mode: 0o600 });
+    }
+  } catch { /* no-op */ }
+}
+
+// ─── Cache ────────────────────────────────────────────────────────────────────
+
+function readLicenceCache() {
+  try {
+    const path = getLicenceCachePath();
+    if (!existsSync(path)) return null;
+    return JSON.parse(readFileSync(path, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeLicenceCache(result) {
+  try {
+    ensureConfigDir();
+    writeFileSync(getLicenceCachePath(), JSON.stringify({
+      ...result,
+      cached_at: Date.now(),
+    }, null, 2), { mode: 0o600 });
+  } catch { /* no-op */ }
+}
+
+function clearLicenceCache() {
+  try {
+    const path = getLicenceCachePath();
+    if (existsSync(path)) writeFileSync(path, '{}');
+  } catch { /* no-op */ }
+}
+
+// ─── Validation ──────────────────────────────────────────────────────────────
+
+/**
+ * Check whether the current user has a valid Pro licence.
+ * Returns { valid, plan, email, cached, offline }
+ * Never throws.
+ */
+export async function checkLicence() {
+  const creds = readCredentials();
+  if (!creds?.access_token) {
+    return { valid: false, reason: 'not_logged_in' };
+  }
+
+  // Check the 24-hour cache first
+  const cache = readLicenceCache();
+  if (cache?.valid && cache.cached_at) {
+    const age = Date.now() - cache.cached_at;
+    if (age < CACHE_TTL_MS) {
+      return { ...cache, cached: true, offline: false };
+    }
+  }
+
+  // Try live validation
+  try {
+    const res = await fetch(VALIDATE_URL, {
+      headers: {
+        'Authorization': `Bearer ${creds.access_token}`,
+        'apikey': SUPABASE_ANON,
+      },
+    });
+
+    if (!res.ok) {
+      // If token is expired, try to refresh
+      if (res.status === 401 && creds.refresh_token) {
+        const refreshed = await refreshToken(creds.refresh_token);
+        if (refreshed) {
+          return checkLicence(); // retry with new token
+        }
+      }
+      // Fall through to offline grace check
+      throw new Error(`HTTP ${res.status}`);
+    }
+
+    const data = await res.json();
+    const result = {
+      valid: data.valid === true,
+      plan: data.plan ?? null,
+      email: data.email ?? null,
+      current_period_end: data.current_period_end ?? null,
+      reason: data.valid ? null : (data.reason ?? 'no_licence'),
+    };
+
+    writeLicenceCache(result);
+    return { ...result, cached: false, offline: false };
+
+  } catch {
+    // Network error — fall back to offline grace period
+    if (cache?.valid && cache.cached_at) {
+      const age = Date.now() - cache.cached_at;
+      if (age < OFFLINE_GRACE_MS) {
+        return { ...cache, cached: true, offline: true };
+      }
+    }
+    return { valid: false, reason: 'offline', cached: false, offline: true };
+  }
+}
+
+export async function getRetentionDaysForCurrentPlan() {
+  const licence = await checkLicence();
+  return licence.valid ? PRO_RETENTION_DAYS : FREE_RETENTION_DAYS;
+}
+
+// ─── Token refresh ────────────────────────────────────────────────────────────
+
+async function refreshToken(refreshToken) {
+  try {
+    const res = await fetch(`${AUTH_URL}/token?grant_type=refresh_token`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'apikey': SUPABASE_ANON,
+      },
+      body: JSON.stringify({ refresh_token: refreshToken }),
+    });
+
+    if (!res.ok) return null;
+    const data = await res.json();
+
+    if (data.access_token) {
+      const creds = readCredentials() || {};
+      writeCredentials({
+        ...creds,
+        access_token: data.access_token,
+        refresh_token: data.refresh_token ?? refreshToken,
+        expires_at: Date.now() + (data.expires_in ?? 3600) * 1000,
+      });
+      clearLicenceCache();
+      return true;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// ─── GitHub Device Flow login ─────────────────────────────────────────────────
+
+/**
+ * Run the GitHub OAuth device flow via Supabase.
+ * Opens the browser, polls for the token, saves credentials.
+ * Returns { success, email } or { success: false, error }
+ */
+export async function loginWithGitHub() {
+  // Use Supabase's PKCE/implicit flow by opening the browser
+  // with a special device-style URL that redirects to a local callback
+  const { default: open } = await import('open');
+
+  // We use a simple approach: direct the user to the Pro page sign-in
+  // which sets the session, then we poll Supabase for the session
+  // using a one-time code approach via the CLI callback server
+
+  // Start a tiny local HTTP server to catch the OAuth callback
+  const { createServer } = await import('http');
+
+  return new Promise((resolve) => {
+    let server;
+    const timeout = setTimeout(() => {
+      server?.close();
+      resolve({ success: false, error: 'timeout' });
+    }, 5 * 60 * 1000); // 5 minute timeout
+
+    server = createServer(async (req, res) => {
+      const url = new URL(req.url, 'http://localhost:7429');
+
+      if (url.pathname === '/callback') {
+        const code = url.searchParams.get('code');
+        const error = url.searchParams.get('error');
+
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(`
+          <!DOCTYPE html>
+          <html>
+          <head><style>
+            body { background: #0b1020; color: #e6eef8; font-family: monospace;
+                   display: flex; align-items: center; justify-content: center;
+                   min-height: 100vh; margin: 0; }
+            .box { text-align: center; }
+            .ok { color: #4ade80; font-size: 48px; }
+            h2 { font-size: 24px; margin: 16px 0 8px; }
+            p { color: #5f7189; }
+          </style></head>
+          <body>
+            <div class="box">
+              <div class="ok">${error ? '✕' : '✓'}</div>
+              <h2>${error ? 'Sign in failed' : 'Signed in successfully'}</h2>
+              <p>${error ? 'You can close this tab.' : 'You can close this tab and return to your terminal.'}</p>
+            </div>
+          </body>
+          </html>
+        `);
+
+        clearTimeout(timeout);
+        server.close();
+
+        if (error || !code) {
+          resolve({ success: false, error: error || 'no_code' });
+          return;
+        }
+
+        // Exchange the code for a session via Supabase
+        try {
+          const tokenRes = await fetch(`${AUTH_URL}/token?grant_type=pkce`, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'apikey': SUPABASE_ANON,
+            },
+            body: JSON.stringify({ auth_code: code }),
+          });
+
+          if (!tokenRes.ok) {
+            // Try the standard exchange endpoint
+            const exchangeRes = await fetch(`${AUTH_URL}/token?grant_type=authorization_code`, {
+              method: 'POST',
+              headers: {
+                'Content-Type': 'application/json',
+                'apikey': SUPABASE_ANON,
+              },
+              body: JSON.stringify({ code }),
+            });
+
+            if (!exchangeRes.ok) {
+              resolve({ success: false, error: 'token_exchange_failed' });
+              return;
+            }
+
+            const session = await exchangeRes.json();
+            saveSession(session);
+            resolve({ success: true, email: session.user?.email });
+            return;
+          }
+
+          const session = await tokenRes.json();
+          saveSession(session);
+          resolve({ success: true, email: session.user?.email });
+        } catch (err) {
+          resolve({ success: false, error: err.message });
+        }
+      }
+    });
+
+    server.listen(7429, 'localhost', () => {
+      // Build the Supabase GitHub OAuth URL with our local callback
+      const params = new URLSearchParams({
+        provider: 'github',
+        redirect_to: 'http://localhost:7429/callback',
+        scopes: 'read:user user:email',
+      });
+
+      const loginUrl = `${AUTH_URL}/authorize?${params}`;
+      console.log('');
+      console.log('  Opening GitHub sign-in in your browser...');
+      console.log(`  If it doesn\'t open, visit: ${loginUrl}`);
+      console.log('');
+
+      open(loginUrl).catch(() => {
+        console.log(`  Could not open browser automatically.`);
+        console.log(`  Please visit: ${loginUrl}`);
+      });
+    });
+
+    server.on('error', (err) => {
+      clearTimeout(timeout);
+      resolve({ success: false, error: err.message });
+    });
+  });
+}
+
+function saveSession(session) {
+  if (!session?.access_token) return;
+  writeCredentials({
+    access_token: session.access_token,
+    refresh_token: session.refresh_token ?? null,
+    expires_at: Date.now() + (session.expires_in ?? 3600) * 1000,
+    email: session.user?.email ?? null,
+    user_id: session.user?.id ?? null,
+  });
+  clearLicenceCache();
+}
+
+// ─── Helpers for CLI commands ─────────────────────────────────────────────────
+
+export { FREE_AGENT_LIMIT, FREE_RETENTION_DAYS, PRO_PAGE_URL, PRO_RETENTION_DAYS };

package/src/core/mcp.js

@@ -1,6 +1,6 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
 import { homedir } from 'os';
-import { join } from 'path';
+import { dirname, join } from 'path';
 
 export function getSwitchmanMcpServers() {
   return {
@@ -26,7 +26,7 @@ function upsertMcpConfigFile(configPath) {
     const raw = readFileSync(configPath, 'utf8').trim();
     config = raw ? JSON.parse(raw) : {};
   } else {
-    mkdirSync(join(configPath, '..'), { recursive: true });
+    mkdirSync(dirname(configPath), { recursive: true });
   }
 
   const nextConfig = {
@@ -52,6 +52,45 @@ function upsertMcpConfigFile(configPath) {
   };
 }
 
+export function ensureProjectLocalMcpGitExcludes(repoRoot) {
+  const excludePath = join(repoRoot, '.git', 'info', 'exclude');
+  const requiredEntries = ['.mcp.json', '.cursor/mcp.json'];
+  let existing = '';
+
+  try {
+    if (existsSync(excludePath)) {
+      existing = readFileSync(excludePath, 'utf8');
+    } else {
+      mkdirSync(dirname(excludePath), { recursive: true });
+    }
+  } catch {
+    return {
+      path: excludePath,
+      changed: false,
+      managed: false,
+    };
+  }
+
+  const lines = existing.split('\n').map((line) => line.trim());
+  const missing = requiredEntries.filter((entry) => !lines.includes(entry));
+  if (missing.length === 0) {
+    return {
+      path: excludePath,
+      changed: false,
+      managed: true,
+    };
+  }
+
+  const prefix = existing.length > 0 && !existing.endsWith('\n') ? '\n' : '';
+  const next = `${existing}${prefix}${missing.join('\n')}\n`;
+  writeFileSync(excludePath, next);
+  return {
+    path: excludePath,
+    changed: true,
+    managed: true,
+  };
+}
+
 export function upsertCursorProjectMcpConfig(targetDir) {
   return upsertMcpConfigFile(join(targetDir, '.cursor', 'mcp.json'));
 }

package/src/core/merge-gate.js

@@ -189,15 +189,17 @@ function summarizeOverall(pairAnalyses, worktreeAnalyses, boundaryValidations, d
       summary: `AI merge gate blocked: ${blockedPairs.length} risky pair(s), ${blockedValidations.length} boundary validation issue(s), and ${blockedInvalidations.length} stale dependency issue(s) need resolution.`,
     };
   }
-  if (warnedPairs.length > 0 || riskyWorktrees.length > 0 || warnedValidations.length > 0 || warnedInvalidations.length > 0) {
+  if (warnedPairs.length > 0 || warnedValidations.length > 0 || warnedInvalidations.length > 0) {
     return {
       status: 'warn',
-      summary: `AI merge gate warns: ${warnedPairs.length} pair(s), ${riskyWorktrees.length} worktree(s), ${warnedValidations.length} boundary validation issue(s), or ${warnedInvalidations.length} stale dependency issue(s) need review.`,
+      summary: `AI merge gate warns: ${warnedPairs.length} pair(s), ${warnedValidations.length} boundary validation issue(s), or ${warnedInvalidations.length} stale dependency issue(s) need review.`,
     };
   }
   return {
     status: 'pass',
-    summary: 'AI merge gate passed: no elevated semantic merge risks detected.',
+    summary: riskyWorktrees.length > 0
+      ? `AI merge gate passed: no cross-worktree merge risks detected. ${riskyWorktrees.length} worktree(s) still have local risk signals worth reviewing if you are about to merge them.`
+      : 'AI merge gate passed: no elevated semantic merge risks detected.',
   };
 }
 
@@ -225,10 +227,24 @@ function evaluateDependencyInvalidations(db) {
   return listDependencyInvalidations(db, { status: 'stale' })
     .map((state) => {
       const affectedTask = getTask(db, state.affected_task_id);
-      const severity = affectedTask?.status === 'done' ? 'blocked' : 'warn';
+      const details = state.details || {};
+      const severity = details.severity || (affectedTask?.status === 'done' ? 'blocked' : 'warn');
       const staleArea = state.reason_type === 'subsystem_overlap'
         ? `subsystem:${state.subsystem_tag}`
+        : state.reason_type === 'semantic_contract_drift'
+          ? `contract:${(details.contract_names || []).join('|') || 'unknown'}`
+        : state.reason_type === 'semantic_object_overlap'
+          ? `object:${(details.object_names || []).join('|') || 'unknown'}`
+        : state.reason_type === 'shared_module_drift'
+          ? `module:${(details.module_paths || []).join('|') || 'unknown'}`
         : `${state.source_scope_pattern} ↔ ${state.affected_scope_pattern}`;
+      const summary = state.reason_type === 'semantic_contract_drift'
+        ? `${details.source_task_title || state.source_task_id} changed shared contract ${(details.contract_names || []).join(', ') || 'unknown'}`
+        : state.reason_type === 'semantic_object_overlap'
+          ? `${details.source_task_title || state.source_task_id} changed shared exported object ${(details.object_names || []).join(', ') || 'unknown'}`
+          : state.reason_type === 'shared_module_drift'
+            ? `${details.source_task_title || state.source_task_id} changed shared module ${(details.module_paths || []).join(', ') || 'unknown'} used by ${(details.dependent_files || []).join(', ') || state.affected_task_id}`
+          : `${affectedTask?.title || state.affected_task_id} is stale because ${details?.source_task_title || state.source_task_id} changed shared ${staleArea}`;
       return {
         source_lease_id: state.source_lease_id,
         source_task_id: state.source_task_id,
@@ -243,9 +259,10 @@ function evaluateDependencyInvalidations(db) {
         subsystem_tag: state.subsystem_tag,
         source_scope_pattern: state.source_scope_pattern,
         affected_scope_pattern: state.affected_scope_pattern,
-        summary: `${affectedTask?.title || state.affected_task_id} is stale because ${state.details?.source_task_title || state.source_task_id} changed shared ${staleArea}`,
+        summary,
         stale_area: staleArea,
         created_at: state.created_at,
+        details,
       };
     });
 }

package/src/core/outcome.js

@@ -20,60 +20,39 @@ function fileMatchesKeyword(filePath, keyword) {
   return normalizedKeyword.length >= 3 && normalizedPath.includes(normalizedKeyword);
 }
 
-function resolveExecution(db, { taskId = null, leaseId = null } = {}) {
-  if (leaseId) {
-    const execution = getLeaseExecutionContext(db, leaseId);
-    if (!execution?.task) {
-      return { task: null, taskSpec: null, worktree: null, leaseId };
-    }
-    return {
-      task: execution.task,
-      taskSpec: execution.task_spec,
-      worktree: execution.worktree,
-      leaseId: execution.lease?.id || leaseId,
-    };
-  }
-
-  if (!taskId) {
-    return { task: null, taskSpec: null, worktree: null, leaseId: null };
-  }
-
-  const task = getTask(db, taskId);
-  return {
-    task,
-    taskSpec: task ? getTaskSpec(db, taskId) : null,
-    worktree: task?.worktree ? getWorktree(db, task.worktree) : null,
-    leaseId: null,
-  };
-}
-
-export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = null } = {}) {
-  const execution = resolveExecution(db, { taskId, leaseId });
-  const task = execution.task;
-  const taskSpec = execution.taskSpec;
+export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = null }) {
+  const execution = leaseId ? getLeaseExecutionContext(db, leaseId) : null;
+  const task = execution?.task || (taskId ? getTask(db, taskId) : null);
+  const taskSpec = execution?.task_spec || (task ? getTaskSpec(db, task.id) : null);
+  const resolvedTaskId = task?.id || taskId || execution?.lease?.task_id || null;
+  const resolvedLeaseId = execution?.lease?.id || leaseId || null;
 
   if (!task || !task.worktree) {
     return {
       status: 'failed',
-      reason_code: taskId || leaseId ? 'task_not_assigned' : 'task_identity_required',
+      reason_code: 'task_not_assigned',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: [],
       findings: [taskId || leaseId ? 'task has no assigned worktree' : 'task outcome requires a taskId or leaseId'],
     };
   }
 
-  const worktree = execution.worktree;
+  const worktree = execution?.worktree || getWorktree(db, task.worktree);
   if (!worktree) {
     return {
       status: 'failed',
       reason_code: 'worktree_missing',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: [],
       findings: ['assigned worktree is not registered'],
     };
   }
 
   const changedFiles = getWorktreeChangedFiles(worktree.path, repoRoot);
-  const activeClaims = getActiveFileClaims(db)
-    .filter((claim) => claim.task_id === task.id && claim.worktree === task.worktree)
+  const activeClaims = (execution?.claims || getActiveFileClaims(db)
+    .filter((claim) => claim.task_id === task.id && claim.worktree === task.worktree))
     .map((claim) => claim.file_path);
   const changedOutsideClaims = changedFiles.filter((filePath) => !activeClaims.includes(filePath));
   const changedInsideClaims = changedFiles.filter((filePath) => activeClaims.includes(filePath));
@@ -91,6 +70,8 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
     return {
       status: 'needs_followup',
       reason_code: 'no_changes_detected',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       findings,
     };
@@ -101,6 +82,8 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
     return {
       status: 'needs_followup',
       reason_code: 'changes_outside_claims',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       findings,
     };
@@ -111,6 +94,8 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
     return {
       status: 'needs_followup',
       reason_code: 'changes_outside_task_scope',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       findings,
     };
@@ -129,6 +114,8 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
     return {
       status: 'needs_followup',
       reason_code: 'missing_expected_tests',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       findings,
     };
@@ -139,6 +126,8 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
     return {
       status: 'needs_followup',
       reason_code: 'missing_expected_docs',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       findings,
     };
@@ -149,6 +138,8 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
     return {
       status: 'needs_followup',
       reason_code: 'missing_expected_source_changes',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       findings,
     };
@@ -157,34 +148,42 @@ export function evaluateTaskOutcome(db, repoRoot, { taskId = null, leaseId = nul
   const matchedObjectiveKeywords = objectiveKeywords.filter((keyword) =>
     changedFiles.some((filePath) => fileMatchesKeyword(filePath, keyword)),
   );
-  const minimumKeywordMatches = Math.min(1, objectiveKeywords.length);
+  const minimumKeywordMatches = taskSpec?.task_type === 'governance'
+    ? (taskSpec?.risk_level === 'high'
+      ? Math.min(2, objectiveKeywords.length)
+      : Math.min(1, objectiveKeywords.length))
+    : Math.min(1, objectiveKeywords.length);
 
   if (objectiveKeywords.length > 0 && matchedObjectiveKeywords.length < minimumKeywordMatches) {
     findings.push(`changed files do not clearly satisfy task objective keywords: ${objectiveKeywords.join(', ')}`);
     return {
       status: 'needs_followup',
       reason_code: 'objective_not_evidenced',
+      lease_id: resolvedLeaseId,
+      task_id: resolvedTaskId,
       changed_files: changedFiles,
       task_id: task.id,
-      lease_id: execution.leaseId,
+      lease_id: execution.lease?.id,
       findings,
     };
   }
 
-  const result = {
+  const acceptedResult = {
     status: 'accepted',
     reason_code: null,
+    lease_id: resolvedLeaseId,
+    task_id: resolvedTaskId,
     changed_files: changedFiles,
     task_id: task.id,
-    lease_id: execution.leaseId,
+    lease_id: execution.lease?.id,
     task_spec: taskSpec,
     claimed_files: activeClaims,
     findings: changedInsideClaims.length > 0 ? ['changes stayed within claimed scope'] : [],
   };
-
-  if (execution.leaseId) {
-    touchBoundaryValidationState(db, execution.leaseId, 'task_outcome_accepted');
+  if (resolvedLeaseId) {
+    touchBoundaryValidationState(db, resolvedLeaseId, 'outcome:accepted', {
+      changed_files: changedFiles,
+    });
   }
-
-  return result;
+  return acceptedResult;
 }