terramend 0.2.0

package/dist/mcp/terraform/cost.d.ts

@@ -0,0 +1,55 @@
+import { type RunResult } from "#app/mcp/terraform/types";
+export interface CostBreakdown {
+    /** total estimated monthly cost, or null when no resources are priced. */
+    totalMonthlyCost: number | null;
+    currency: string;
+}
+/**
+ * Parse `infracost breakdown --format json`. The top-level `totalMonthlyCost`
+ * is a decimal string (absent / null when a project has no priced resources);
+ * `currency` defaults to USD. A missing/unparseable cost becomes null so the
+ * caller reports "unpriced" rather than a misleading $0.00.
+ */
+export declare function parseInfracostBreakdown(stdout: string): CostBreakdown;
+export interface ResourceCost {
+    name: string;
+    monthlyCost: number;
+}
+/**
+ * Parse the per-resource monthly costs from `infracost breakdown --format json`
+ * (`projects[].breakdown.resources[]`), so a cost increase can be attributed to
+ * the specific resources that drove it instead of just a total. Skips unpriced
+ * (null/zero) resources; returns them sorted most-expensive first. Pure.
+ */
+export declare function parseInfracostResources(stdout: string): ResourceCost[];
+export interface CostDelta {
+    currency: string;
+    baselineMonthly: number | null;
+    currentMonthly: number | null;
+    /** current − baseline, rounded to cents; null when either side is unknown. */
+    deltaMonthly: number | null;
+    direction: "increase" | "decrease" | "no-change" | "unknown";
+}
+/** Pure cost-delta computation: current (post-fix) vs the base-branch baseline. */
+export declare function computeCostDelta(baseline: CostBreakdown | null, current: CostBreakdown): CostDelta;
+export interface CostEscalation {
+    /** true when the monthly increase meets/exceeds the operator's threshold. */
+    escalate: boolean;
+    reason?: string;
+}
+/**
+ * §4.16-next — decide whether a cost increase is large enough to escalate the PR
+ * to human review (`needs-human`). Compares the monthly delta against the
+ * operator's `cost_increase_block_usd` threshold. No threshold set, an unknown
+ * delta, or a decrease/no-change ⇒ no escalation. Pure + deterministic so the
+ * decision is auditable, not a model judgement.
+ */
+export declare function classifyCostEscalation(deltaMonthly: number | null, thresholdUsd: number | undefined): CostEscalation;
+export declare function runInfracostBreakdown(scanCwd: string, key: string): RunResult;
+/**
+ * Cost of the base-branch version of the same Terraform, computed in a detached
+ * git worktree so the current (fixed) checkout is never disturbed. Best-effort:
+ * any failure (no base ref, worktree add fails, infracost errors) returns null
+ * and the caller falls back to reporting current cost only.
+ */
+export declare function infracostBaseline(cwd: string, key: string, tmpdir: string): CostBreakdown | null;

package/dist/mcp/terraform/currency.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Version currency (§P1 provider currency / M3 module upgrades).
+ *
+ * Answers one question the scanners can't: "is a NEWER version available?"
+ * tflint checks that versions are *pinned*; nothing we run checks that they're
+ * *current*. This module compares the workspace's pinned provider requirements
+ * and registry-module pins against the Terraform Registry's published versions.
+ *
+ * Deliberately NOT a scanner source: results are advisory intelligence the
+ * Remediate mode turns into `chore(deps)` upgrade PRs, not `Concern`s — the
+ * finding baseline stays scanner-owned (see docs/workplan/04-implementation-plan.md).
+ *
+ * Degrades green everywhere: a per-source lookup failure is reported on that
+ * row (`lookup: "error" | "not_found" | "unsupported_source"`), and only a
+ * fully-unreachable registry (every lookup failed) becomes a tool-level skip.
+ */
+export declare const DEFAULT_REGISTRY_BASE_URL = "https://registry.terraform.io";
+/**
+ * Convert ONE Terraform version constraint string (comma-separated comparators,
+ * AND semantics) into an npm semver range, or null when any comparator is
+ * unparseable. `~>` is Terraform's pessimistic operator: the RIGHTMOST given
+ * component may float (`~> 5.0` → `>=5.0.0 <6.0.0`, `~> 5.1.2` → `>=5.1.2 <5.2.0`,
+ * `~> 5` → `>=5.0.0 <6.0.0`). `!=` comparators have no single-range npm
+ * equivalent and are skipped — acceptable here because the result only ranks
+ * candidate versions, it never selects what gets installed.
+ */
+export declare function terraformConstraintToRange(constraint: string): string | null;
+export interface CurrencyVerdict {
+    /** newest stable version the registry publishes (null: nothing published). */
+    latest: string | null;
+    /** newest published version the written constraint admits (null: no
+     * constraint, unparseable constraint, or nothing satisfies). */
+    newestSatisfying: string | null;
+    /** true when the registry has a stable version the constraint does NOT admit
+     * — i.e. an upgrade PR is available. Always false without a constraint. */
+    outdated: boolean;
+    /** how many MAJORs the constraint's best version trails the latest by —
+     * >0 signals an interface-risk upgrade that must be `needs-human`. */
+    majorsBehind: number;
+}
+export declare function classifyCurrency(params: {
+    constraint: string | null;
+    available: string[];
+}): CurrencyVerdict;
+export type LookupStatus = "ok" | "not_found" | "error" | "unsupported_source";
+/** GET /v1/providers/{namespace}/{type}/versions — provider release list. */
+export declare function fetchProviderVersions(source: string, opts?: {
+    baseUrl?: string;
+}): Promise<{
+    status: LookupStatus;
+    versions: string[];
+}>;
+/** GET /v1/modules/{namespace}/{name}/{provider}/versions — registry-module
+ * release list (the response nests per-module records; the first is the
+ * requested module, the rest are dependency records we don't want). */
+export declare function fetchModuleVersions(sourceBase: string, opts?: {
+    baseUrl?: string;
+}): Promise<{
+    status: LookupStatus;
+    versions: string[];
+}>;
+export interface ProviderCurrencyRow {
+    name: string;
+    source: string;
+    constraint: string | null;
+    latest: string | null;
+    newest_satisfying: string | null;
+    outdated: boolean;
+    majors_behind: number;
+    lookup: LookupStatus;
+}
+export interface ModuleCurrencyRow {
+    name: string;
+    source: string;
+    version: string | null;
+    latest: string | null;
+    newest_satisfying: string | null;
+    outdated: boolean;
+    /** registry module with no `version` attribute — pin it (to `latest`). */
+    unpinned: boolean;
+    lookup: LookupStatus;
+    declared_in: string;
+}
+export interface CurrencyReport {
+    providers: ProviderCurrencyRow[];
+    modules: ModuleCurrencyRow[];
+    outdated_count: number;
+    unpinned_count: number;
+    lookups_attempted: number;
+    lookups_failed: number;
+}
+export declare function checkVersionCurrency(cwd: string, opts?: {
+    baseUrl?: string;
+}): Promise<CurrencyReport>;

package/dist/mcp/terraform/decisions.d.ts

@@ -0,0 +1,178 @@
+import type { CostDelta } from "#app/mcp/terraform/cost";
+import { type Autonomy, type BlastTier, type Concern, type ConcernGroup, type Severity } from "#app/mcp/terraform/types";
+/** group concerns by file into scoped units, sorted by max severity. */
+export declare function groupConcerns(concerns: Concern[]): ConcernGroup[];
+/**
+ * §3.11 — group concerns by RULE across files instead of by file. When a single
+ * rule fires in many files ("add `tags` to every resource", "enable encryption
+ * on every bucket"), fixing it as ONE coherent change is far better than N
+ * near-identical per-file PRs. Each group covers one `rule_id` and lists every
+ * `file` it spans; the branch key (`remediate/<id>`) is rule-derived and stable.
+ * Opt-in (scan `group_by: "rule"`) — by-file stays the default because it keeps
+ * each PR's blast radius smaller; by-rule suits sweeping, low-risk rules.
+ */
+export declare function groupConcernsByRule(concerns: Concern[]): ConcernGroup[];
+/**
+ * §3.9 — annotate each group with an autonomy decision. Works for BOTH grouping
+ * modes: it resolves a group's concerns by `concern_ids` membership (not by
+ * `file`, which is just a label for by-rule groups), so the severity/category
+ * policy applies identically. Blast radius isn't known until terraform_plan
+ * runs, so it can only escalate a group later (the plan tool + prompt apply the
+ * `high`-blast override); at scan time autonomy is severity/category-driven.
+ */
+export declare function annotateGroups(groups: ConcernGroup[], all: Concern[], threshold: Severity): ConcernGroup[];
+export interface BatchPlan {
+    /** group ids safe to combine into ONE low-risk PR (`remediate/batch-<hash>`). */
+    batchable: string[];
+    /** group ids that must each get their own PR (security / higher severity /
+     * needs-human / large blast). */
+    isolated: string[];
+    /** deterministic branch name for the batch (stable for the same member set). */
+    batch_branch: string | null;
+}
+/**
+ * §3.10 — split annotated groups into a single low-risk BATCH (merged into one
+ * easy-to-review PR) and the riskier groups that each stay ISOLATED in their own
+ * PR (so they can be reviewed/reverted independently). The batch branch name
+ * hashes the sorted member ids, so re-runs over the same set reuse the branch
+ * (idempotent). Returns `batch_branch: null` when fewer than two groups are
+ * batchable (one group is just a normal single-group PR, not a batch).
+ */
+export declare function planBatches(groups: ConcernGroup[]): BatchPlan;
+/**
+ * Resolve the canonical documentation URL for a concern's rule, for the PR's
+ * per-finding explanation. Prefers the scanner's own `remediation_hint` when it
+ * is already a URL (checkov guideline, tflint rule link, trivy reference).
+ * Otherwise derives the well-known page deterministically: a trivy `AVD-*` rule
+ * maps to its Aqua Vulnerability Database page. Returns null when no canonical
+ * URL is known (the agent then explains from `evidence` alone).
+ */
+export declare function ruleDocUrl(concern: Pick<Concern, "rule_id" | "remediation_hint">): string | null;
+/** distinct rule→doc-url map for a group, for the PR body's per-finding links. */
+export declare function docUrlsForGroup(g: ConcernGroup, all: Concern[]): Record<string, string>;
+export interface AutonomyDecision {
+    autonomy: Autonomy;
+    /** human-readable reasons a group was escalated (empty for `auto`). */
+    reasons: string[];
+}
+/**
+ * Decide whether a group of concerns can be auto-fixed and opened as a normal
+ * PR (`auto`), or must be flagged for human review (`needs-human`). Trivial
+ * findings (style/correctness, deprecated args, missing tags, formatting) open
+ * as normal; high-severity SECURITY findings escalate by default, as does a
+ * `high` blast radius regardless of finding severity (§2.6 overrides upward).
+ *
+ * `threshold` is the minimum severity at which a *security* concern escalates
+ * (default `high`, so critical/high security → human; medium/low → auto). The
+ * decision is deterministic and computed from the `Concern` model's existing
+ * `severity` + `category` — no model self-assessment.
+ */
+export declare function classifyAutonomy(concerns: Pick<Concern, "severity" | "category">[], threshold?: Severity, blastTier?: BlastTier): AutonomyDecision;
+export interface SuggestionDecision {
+    /** true ⇒ post a GitHub one-click `suggestion` instead of opening a full PR. */
+    suggest: boolean;
+    reason: string;
+}
+/**
+ * §5.18 — decide whether a fix is small/low-risk enough to post as a GitHub
+ * one-click **suggested change** (a ` ```suggestion ` block on the existing PR)
+ * rather than opening a whole `remediate/*` branch + PR. Much lower friction for
+ * trivial fixes. Only when ALL hold: there IS an existing PR context (a comment
+ * trigger on a PR); the group is `low`/`info` severity; the fix is a single hunk
+ * in a single file; and the blast radius (when known) is `low`. Anything bigger
+ * keeps full-PR mode.
+ */
+export declare function shouldSuggestInline(opts: {
+    hasPrContext: boolean;
+    severity: Severity;
+    fileCount: number;
+    hunkCount: number;
+    blastTier?: BlastTier | undefined;
+}): SuggestionDecision;
+export type Confidence = "high" | "medium" | "low";
+export interface ConfidenceSignals {
+    /** §1.1 — every targeted concern id was cleared by the re-scan. */
+    verified: boolean;
+    /** §1.4 — count of NEW concern ids the fix introduced (0 is good). */
+    regressionCount: number;
+    /** §1.3 — second plan matched the first. undefined when plan didn't run. */
+    idempotent?: boolean | undefined;
+    /** §2.6 — blast tier. undefined when plan didn't run. */
+    blastTier?: BlastTier | undefined;
+    /** §4.16 — cost direction. undefined when infracost didn't run. */
+    costDirection?: CostDelta["direction"] | undefined;
+}
+export interface ConfidenceResult {
+    level: Confidence;
+    reasons: string[];
+}
+/**
+ * Derive a fix's confidence DETERMINISTICALLY from the verification evidence
+ * already gathered — never a model self-assessment, which keeps it honest.
+ *
+ * - A fix that didn't verify (§1.1) or introduced a regression (§1.4) is `low`:
+ *   the proof failed, full stop.
+ * - Otherwise it starts `high` and is capped to `medium` by any weaker signal:
+ *   a non-deterministic plan (§1.3 `idempotent: false`), a `high` blast radius
+ *   (§2.6), a cost increase (§4.16), or a signal that was *skipped* (plan /
+ *   infracost didn't run, so we have less proof — `high` requires the full
+ *   stack). A skipped signal lowers confidence but does not, by itself, make a
+ *   verified, regression-free fix `low`.
+ */
+export declare function computeConfidence(signals: ConfidenceSignals): ConfidenceResult;
+export interface RefusalDecision {
+    /** true ⇒ this concern needs a human decision; prefer a structured non-fix
+     * (an issue) over guessing a fix that could break the stack. */
+    refuse: boolean;
+    reason?: string;
+}
+/**
+ * §29 — advisory check: would auto-fixing this concern require a judgement only
+ * a human can make? If so, the Remediate flow should post a STRUCTURED refusal
+ * (an issue describing the concern, why it won't auto-fix, and what a human
+ * should do) rather than guess a fix that could break the stack. Deterministic
+ * and conservative — it only flags the well-known human-decision classes.
+ */
+export declare function classifyRefusal(concern: Pick<Concern, "rule_id" | "evidence">): RefusalDecision;
+/**
+ * §29 — format a structured non-fix for a concern Terramend won't auto-fix. The
+ * output is a Markdown issue body: what's wrong, why it isn't auto-fixed, and
+ * the concrete next step for a human. Pure (string in → string out).
+ */
+export declare function buildRefusalReport(input: {
+    concern: Pick<Concern, "rule_id" | "evidence" | "location">;
+    whyNoAutoFix: string;
+    humanAction: string;
+}): string;
+export interface PreventiveControl {
+    /** the mechanism that stops this class of concern recurring. */
+    mechanism: string;
+    /** a copy-pasteable config/CI snippet. */
+    snippet: string;
+    note: string;
+}
+/**
+ * §21 — alongside the patch, suggest the guardrail that stops the concern
+ * RECURRING: a CI gate keyed on the producing scanner. Deterministic by source
+ * (the scanner is the right enforcement point), parameterised by the rule id.
+ * Returns null for sources with no natural preventive gate.
+ */
+export declare function preventiveControlFor(concern: Pick<Concern, "source" | "rule_id">): PreventiveControl | null;
+export interface LocationCluster {
+    file: string;
+    line: number | null;
+    /** the concern ids at this exact location (likely the same underlying defect). */
+    concern_ids: string[];
+    /** the distinct scanners that flagged this location. */
+    sources: string[];
+}
+/**
+ * §30 — surface concerns that DIFFERENT scanners flagged at the same `file:line`
+ * — almost always the same underlying defect (trivy ∩ checkov overlap heavily on
+ * e.g. S3 encryption). Reported so the agent writes ONE canonical fix + ONE
+ * explanation for the cluster rather than treating each as separate work. This
+ * is purely advisory: it NEVER removes a concern from the verification set (a
+ * missing id must still provably clear), so it can't drop a real finding. Only
+ * clusters spanning more than one scanner are returned.
+ */
+export declare function clusterByLocation(concerns: Concern[]): LocationCluster[];

package/dist/mcp/terraform/findings.d.ts

@@ -0,0 +1,75 @@
+import { type Concern } from "#app/mcp/terraform/types";
+/**
+ * Map a reviewer `findings.json` body into Concern[]. Drops `human_only`
+ * findings (out of scope — not auto-remediable). Paths are normalized to
+ * repo-relative POSIX (same as the scanners) so ids and grouping stay portable.
+ */
+export declare function parseReviewerFindings(json: string, cwd?: string): Concern[];
+interface SarifLocation {
+    physicalLocation?: {
+        artifactLocation?: {
+            uri?: string;
+        };
+        region?: {
+            startLine?: number;
+        };
+    };
+}
+interface SarifResult {
+    ruleId?: string;
+    level?: string;
+    message?: {
+        text?: string;
+    };
+    locations?: SarifLocation[];
+    properties?: {
+        "security-severity"?: string;
+    };
+}
+interface SarifRule {
+    id?: string;
+    helpUri?: string;
+    shortDescription?: {
+        text?: string;
+    };
+}
+interface SarifRun {
+    tool?: {
+        driver?: {
+            name?: string;
+            rules?: SarifRule[];
+        };
+    };
+    results?: SarifResult[];
+}
+interface SarifReport {
+    version?: string;
+    $schema?: string;
+    runs?: SarifRun[];
+}
+/** true when a parsed JSON object looks like a SARIF report (the standard
+ * scanner-output format) rather than a terraform-reviewer findings.json. */
+export declare function isSarif(parsed: unknown): boolean;
+/**
+ * Parse a SARIF 2.1.0 report (the standard scanner-output format Trivy /
+ * Checkov / tflint all emit) into Concern[]. The driver name picks the source so
+ * a finding from a scanner Terramend re-runs reproduces the SAME content id
+ * (✗→✓ verifiable); other tools collapse to `reviewer`. Rule docs come from the
+ * matching `tool.driver.rules[].helpUri`. Non-Terraform files are dropped.
+ */
+export declare function parseSarifFindings(json: string, cwd?: string): Concern[];
+/** dispatch a findings file to the right parser: SARIF (standard scanner
+ * output) or a terraform-reviewer findings.json. */
+export declare function parseFindingsFile(json: string, cwd?: string): Concern[];
+/**
+ * Emit a set of concerns as a SARIF 2.1.0 report for GitHub code-scanning (the
+ * inverse of `parseSarifFindings` — close the loop so a Terramend scan can
+ * populate the repo's Security tab via `github/codeql-action/upload-sarif`). One
+ * `run` with the `terramend` driver, a deduped `rules` array (each rule's
+ * `helpUri` from `ruleDocUrl`), and one `result` per concern carrying its
+ * `level`, `security-severity`, message, and `file:line`. Pure + deterministic
+ * (rules sorted, stable partialFingerprints from the content id) so re-emitting
+ * an unchanged scan yields a byte-identical report.
+ */
+export declare function buildSarifReport(concerns: Concern[]): SarifReport;
+export {};

package/dist/mcp/terraform/plan.d.ts

@@ -0,0 +1,157 @@
+import type { BlastTier } from "#app/mcp/terraform/types";
+export interface PlanSummary {
+    /** resources to add / change / destroy, from the plan's change_summary. */
+    add: number;
+    change: number;
+    destroy: number;
+    /** every resource with a real action (create/update/delete/replace) — the set
+     * that powers blast-radius (§2.6) and plan-stability (§1.3). */
+    changed: {
+        address: string;
+        action: string;
+    }[];
+    /** resources that would be deleted or replaced — the destructive set. */
+    destructive: {
+        address: string;
+        action: string;
+    }[];
+    hasDestroyOrReplace: boolean;
+    /** state-only moves (`moved {}` blocks / refactors): the new address and the
+     * address it came from. Moves don't mutate live infrastructure, so they are
+     * NOT in `changed` — they power the M2 modularization gate (`isPureMovePlan`). */
+    moved: {
+        address: string;
+        previousAddress: string | null;
+    }[];
+}
+export declare function parseTerraformPlanJson(stdout: string): PlanSummary;
+/**
+ * §M2 modularization gate — true when the plan is PURELY state moves: at least
+ * one `moved` entry and zero create/update/delete/replace. That proves a
+ * resources→module refactor preserved every resource address (via `moved {}`
+ * blocks) and is a no-op on live infrastructure — the condition under which a
+ * modularization PR may proceed without human escalation.
+ */
+export declare function isPureMovePlan(plan: {
+    add: number;
+    change: number;
+    destroy: number;
+    changed: {
+        address: string;
+    }[];
+    moved: {
+        address: string;
+    }[];
+}): boolean;
+/**
+ * Resource types that hold data/state — destroying or replacing one of these
+ * means data loss, not just recreation. A remediation that would delete or
+ * replace one is hard-blocked at push time unless the operator opts in via the
+ * `allow_replace` input. Not exhaustive: it covers the common managed
+ * datastores across AWS / Azure / GCP; extend as new ones come up.
+ */
+export declare const STATEFUL_RESOURCE_TYPES: ReadonlySet<string>;
+/**
+ * Extract the Terraform resource TYPE from a plan address, stripping any
+ * `module.<name>.` prefixes and an instance index/key suffix:
+ *   `module.db.aws_db_instance.main`               -> `aws_db_instance`
+ *   `aws_s3_bucket.data["prod"]`                   -> `aws_s3_bucket`
+ *   `module.a.module.b.google_storage_bucket.x[0]` -> `google_storage_bucket`
+ * Returns "" when the address has no parseable `type.name` pair.
+ */
+export declare function resourceTypeOf(address: string): string;
+export interface DestroyClassification {
+    /** destroy/replace of a data-bearing type — high-risk, blocked by default. */
+    stateful: {
+        address: string;
+        action: string;
+        type: string;
+    }[];
+    /** destroy/replace of a recreatable type — recorded, not blocked. */
+    ephemeral: {
+        address: string;
+        action: string;
+        type: string;
+    }[];
+}
+/** partition a plan's destructive set into stateful (blocked) vs ephemeral. */
+export declare function classifyDestructive(destructive: {
+    address: string;
+    action: string;
+}[]): DestroyClassification;
+export interface BlastRadius {
+    tier: BlastTier;
+    /** count of resources the plan would create/update/delete/replace. */
+    resourceCount: number;
+    /** distinct module addresses touched (root resources count as `root`). */
+    modules: string[];
+}
+/**
+ * Extract the module address from a resource address: the `module.X[.module.Y]`
+ * call path, or `root` for a top-level resource. Strips instance index/key from
+ * EVERY segment — a `count`/`for_each` MODULE carries its key on the module
+ * segment (`module.net[0]`), so all instances of one module collapse to one
+ * address (else a single-module fix would look cross-module). Removing keys
+ * first also tolerates a `.` inside a `for_each` string key.
+ *   `aws_s3_bucket.b`                  -> `root`
+ *   `module.db.aws_db_instance.main`   -> `module.db`
+ *   `module.net[0].aws_vpc.main`       -> `module.net`
+ *   `module.a.module.b.google_x.y[0]`  -> `module.a.module.b`
+ */
+export declare function moduleAddressOf(address: string): string;
+/**
+ * Score how much a fix touches, to route large changes through stricter review:
+ * 1–2 resources = `low`, 3–10 = `medium`, more than 10 OR spanning more than one
+ * module = `high`. A `high` blast radius should force human-in-the-loop
+ * regardless of finding severity (feeds §3.9). 0 changes is `low` (nothing to do).
+ */
+export declare function computeBlastRadius(changed: {
+    address: string;
+}[]): BlastRadius;
+export interface StabilityResult {
+    /** true when a second plan produced the identical change set. */
+    stable: boolean;
+    reason?: string;
+}
+/**
+ * Compare two consecutive plans for stability. Terramend never `apply`s (it only
+ * opens PRs), so a true "no perpetual diff after apply" cannot be proven here —
+ * but a fix whose plan is non-deterministic (e.g. `timestamp()`, `uuid()`, an
+ * unkeyed `random_*`, or a data source that varies run-to-run) yields a DIFFERENT
+ * plan on the second run, and that is a real perpetual-diff smell we can catch
+ * without applying. Stable ⇒ the two plans matched; unstable ⇒ report it.
+ */
+export declare function comparePlanStability(first: PlanSummary, second: PlanSummary): StabilityResult;
+export interface RootPlan {
+    /** display label for the root ("." for the top-level root). */
+    dir: string;
+    summary: PlanSummary;
+    stable: boolean;
+}
+export interface AggregatedPlan {
+    add: number;
+    change: number;
+    destroy: number;
+    changed: {
+        address: string;
+        action: string;
+    }[];
+    destructive: {
+        address: string;
+        action: string;
+    }[];
+    hasDestroyOrReplace: boolean;
+    idempotent: boolean;
+    moved: {
+        address: string;
+        previousAddress: string | null;
+    }[];
+}
+/**
+ * Aggregate per-root plan results into one view: SUM the add/change/destroy
+ * counts, UNION the changed + destructive sets (so blast-radius and the
+ * destroy-block see every root's effect), and treat the whole run as
+ * non-idempotent if ANY root's plan was unstable. Pure. Single-root input passes
+ * straight through (identical to the pre-multi-root behaviour).
+ */
+export declare function aggregatePlans(roots: RootPlan[]): AggregatedPlan;