npm - voratiq - Versions diffs - 0.1.0-beta.22 → 0.1.0-beta.24 - Mend

voratiq 0.1.0-beta.22 → 0.1.0-beta.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

package/README.md +1 -1
package/dist/agents/runtime/harness.js +10 -1
package/dist/agents/runtime/launcher.d.ts +2 -0
package/dist/agents/runtime/launcher.js +2 -1
package/dist/agents/runtime/operator-access.d.ts +68 -0
package/dist/agents/runtime/operator-access.js +95 -0
package/dist/agents/runtime/policy.d.ts +2 -1
package/dist/agents/runtime/policy.js +16 -42
package/dist/agents/runtime/registry.d.ts +4 -0
package/dist/agents/runtime/registry.js +132 -0
package/dist/auth/providers/utils.js +1 -1
package/dist/bin.js +2 -71
package/dist/cli/auto.js +3 -16
package/dist/cli/contract.d.ts +2 -32
package/dist/cli/contract.js +0 -54
package/dist/cli/list.js +2 -1
package/dist/cli/message.js +16 -11
package/dist/cli/operator-envelope.d.ts +8 -8
package/dist/cli/operator-envelope.js +34 -24
package/dist/cli/option-parsers.d.ts +2 -0
package/dist/cli/option-parsers.js +7 -0
package/dist/cli/output.d.ts +1 -5
package/dist/cli/reduce.js +5 -13
package/dist/cli/run.js +3 -12
package/dist/cli/spec.js +4 -10
package/dist/cli/verify.js +8 -18
package/dist/commands/apply/command.js +7 -1
package/dist/commands/auto/command.js +0 -3
package/dist/commands/auto/validation.js +3 -1
package/dist/commands/doctor/agents.js +3 -1
package/dist/commands/doctor/command.js +2 -1
package/dist/commands/doctor/environment.js +3 -1
package/dist/commands/doctor/fix.js +3 -1
package/dist/commands/doctor/reconcile.js +3 -1
package/dist/commands/fetch.d.ts +0 -1
package/dist/commands/fetch.js +1 -5
package/dist/commands/interactive/lifecycle.js +22 -0
package/dist/commands/list/command.js +34 -16
package/dist/commands/list/normalization.d.ts +2 -7
package/dist/commands/list/normalization.js +11 -16
package/dist/commands/list/records.d.ts +9 -0
package/dist/commands/list/records.js +6 -0
package/dist/commands/message/command.d.ts +0 -1
package/dist/commands/message/command.js +42 -43
package/dist/commands/message/lifecycle.d.ts +2 -0
package/dist/commands/message/lifecycle.js +141 -36
package/dist/commands/reduce/command.js +115 -62
package/dist/commands/reduce/lifecycle.d.ts +16 -0
package/dist/commands/reduce/lifecycle.js +219 -0
package/dist/commands/reduce/targets.js +8 -11
package/dist/commands/run/command.js +115 -25
package/dist/commands/run/lifecycle.d.ts +4 -1
package/dist/commands/run/lifecycle.js +183 -84
package/dist/commands/run/record-init.js +6 -1
package/dist/commands/shared/resolve-stage-competitors.js +2 -1
package/dist/commands/shared/teardown-registry.d.ts +12 -0
package/dist/commands/shared/teardown-registry.js +35 -0
package/dist/commands/spec/command.js +155 -225
package/dist/commands/spec/lifecycle.d.ts +16 -0
package/dist/commands/spec/lifecycle.js +205 -0
package/dist/commands/verify/command.js +40 -26
package/dist/commands/verify/lifecycle.d.ts +2 -0
package/dist/commands/verify/lifecycle.js +167 -45
package/dist/commands/verify/targets.js +4 -7
package/dist/competition/shared/prompt-helpers.d.ts +7 -3
package/dist/competition/shared/prompt-helpers.js +41 -8
package/dist/competition/shared/sandbox-policy.d.ts +13 -3
package/dist/competition/shared/sandbox-policy.js +215 -4
package/dist/competition/shared/teardown.d.ts +19 -0
package/dist/competition/shared/teardown.js +66 -4
package/dist/configs/agents/defaults.js +13 -44
package/dist/configs/agents/loader.js +1 -1
package/dist/configs/environment/loader.js +2 -1
package/dist/configs/orchestration/loader.js +2 -1
package/dist/configs/sandbox/loader.js +2 -1
package/dist/configs/settings/loader.js +1 -1
package/dist/configs/verification/loader.js +2 -1
package/dist/domain/interactive/model/types.d.ts +2 -0
package/dist/domain/interactive/model/types.js +16 -1
package/dist/domain/interactive/persistence/adapter.js +25 -5
package/dist/domain/interactive/prompt.d.ts +1 -1
package/dist/domain/interactive/prompt.js +1 -1
package/dist/domain/interactive/session-env.d.ts +10 -0
package/dist/domain/interactive/session-env.js +25 -0
package/dist/domain/message/competition/adapter.js +14 -10
package/dist/domain/message/competition/prompt.js +3 -2
package/dist/domain/message/model/mutators.js +11 -6
package/dist/domain/message/model/types.d.ts +0 -1
package/dist/domain/message/model/types.js +0 -1
package/dist/domain/reduce/competition/adapter.d.ts +2 -0
package/dist/domain/reduce/competition/adapter.js +25 -17
package/dist/domain/reduce/competition/prompt.d.ts +1 -1
package/dist/domain/reduce/competition/prompt.js +4 -3
package/dist/domain/run/competition/agent-preparation.js +18 -10
package/dist/domain/run/competition/agents/artifacts.js +27 -5
package/dist/domain/run/competition/agents/lifecycle.js +13 -3
package/dist/domain/run/competition/agents/preparation.js +2 -0
package/dist/domain/run/competition/agents/types.d.ts +1 -0
package/dist/domain/run/competition/agents/workspace.js +2 -1
package/dist/domain/run/competition/prompt.d.ts +1 -0
package/dist/domain/run/competition/prompt.js +4 -3
package/dist/domain/run/competition/reports.js +2 -1
package/dist/domain/run/model/enhanced.d.ts +1 -2
package/dist/domain/run/model/enhanced.js +2 -4
package/dist/domain/run/model/mutators.js +11 -9
package/dist/domain/run/model/types.d.ts +8 -10
package/dist/domain/run/model/types.js +5 -4
package/dist/domain/run/persistence/adapter.d.ts +0 -1
package/dist/domain/run/persistence/adapter.js +2 -2
package/dist/domain/spec/competition/adapter.d.ts +2 -0
package/dist/domain/spec/competition/adapter.js +23 -20
package/dist/domain/spec/competition/prompt.js +3 -2
package/dist/domain/spec/model/mutators.d.ts +20 -0
package/dist/domain/spec/model/mutators.js +151 -0
package/dist/domain/spec/persistence/adapter.d.ts +1 -0
package/dist/domain/spec/persistence/adapter.js +7 -2
package/dist/domain/verify/competition/adapter.d.ts +1 -1
package/dist/domain/verify/competition/adapter.js +24 -25
package/dist/domain/verify/competition/blinding.d.ts +4 -0
package/dist/domain/verify/competition/blinding.js +7 -0
package/dist/domain/verify/competition/programmatic.js +2 -1
package/dist/domain/verify/competition/prompt.js +22 -3
package/dist/domain/verify/competition/shared-layout.js +1 -1
package/dist/interactive/providers/launch.d.ts +2 -0
package/dist/interactive/providers/launch.js +19 -2
package/dist/interactive/substrate.js +12 -2
package/dist/mcp/server.d.ts +3 -2
package/dist/mcp/server.js +311 -70
package/dist/policy/auto.d.ts +0 -1
package/dist/policy/auto.js +3 -14
package/dist/preflight/index.js +2 -1
package/dist/render/transcripts/apply.js +2 -1
package/dist/render/transcripts/message.d.ts +1 -4
package/dist/render/transcripts/message.js +10 -54
package/dist/render/transcripts/reduce.d.ts +1 -4
package/dist/render/transcripts/reduce.js +10 -54
package/dist/render/transcripts/run.d.ts +4 -6
package/dist/render/transcripts/run.js +8 -45
package/dist/render/transcripts/spec.d.ts +1 -4
package/dist/render/transcripts/spec.js +10 -54
package/dist/render/transcripts/stage-progress.d.ts +1 -1
package/dist/render/transcripts/verify.d.ts +1 -4
package/dist/render/transcripts/verify.js +10 -54
package/dist/render/utils/cli-writer.d.ts +4 -0
package/dist/render/utils/progressive-render.d.ts +3 -0
package/dist/render/utils/progressive-render.js +44 -0
package/dist/render/utils/transcript-shell.js +3 -3
package/dist/status/colors.js +0 -1
package/dist/status/index.d.ts +1 -2
package/dist/status/index.js +0 -1
package/dist/utils/diff.d.ts +2 -0
package/dist/utils/diff.js +1 -0
package/dist/utils/git.d.ts +6 -0
package/dist/utils/git.js +15 -0
package/dist/utils/slug.d.ts +0 -1
package/dist/utils/slug.js +0 -4
package/dist/utils/swarm-session-ack.d.ts +9 -0
package/dist/utils/swarm-session-ack.js +17 -0
package/dist/workspace/agents.js +1 -0
package/dist/workspace/artifact-paths.d.ts +55 -0
package/dist/workspace/artifact-paths.js +106 -0
package/dist/workspace/chat/artifacts.js +1 -1
package/dist/workspace/chat/native-usage.js +1 -1
package/dist/workspace/chat/sources.d.ts +2 -5
package/dist/workspace/chat/sources.js +4 -4
package/dist/workspace/cleanup.d.ts +8 -0
package/dist/workspace/cleanup.js +28 -0
package/dist/workspace/constants.d.ts +47 -0
package/dist/workspace/constants.js +47 -0
package/dist/workspace/dependencies.d.ts +11 -0
package/dist/workspace/dependencies.js +150 -13
package/dist/workspace/layout.js +3 -1
package/dist/workspace/managed-state.js +2 -1
package/dist/workspace/path-formatters.d.ts +9 -0
package/dist/workspace/path-formatters.js +46 -0
package/dist/workspace/path-resolvers.d.ts +1 -0
package/dist/workspace/path-resolvers.js +5 -0
package/dist/workspace/session-paths.d.ts +16 -0
package/dist/workspace/session-paths.js +59 -0
package/dist/workspace/setup.js +2 -1
package/package.json +2 -1
package/dist/cli/prune.d.ts +0 -18
package/dist/cli/prune.js +0 -99
package/dist/commands/prune/command.d.ts +0 -3
package/dist/commands/prune/command.js +0 -388
package/dist/commands/prune/errors.d.ts +0 -17
package/dist/commands/prune/errors.js +0 -33
package/dist/commands/prune/types.d.ts +0 -63
package/dist/competition/shared/prune.d.ts +0 -1
package/dist/competition/shared/prune.js +0 -4
package/dist/render/transcripts/prune.d.ts +0 -21
package/dist/render/transcripts/prune.js +0 -97
package/dist/workspace/prune.d.ts +0 -8
package/dist/workspace/prune.js +0 -29
package/dist/workspace/structure.d.ts +0 -144
package/dist/workspace/structure.js +0 -320
/package/dist/{commands/prune/types.js → render/utils/cli-writer.js} +0 -0

package/README.md CHANGED Viewed

@@ -15,7 +15,7 @@ npm install -g voratiq
 - Node 20+
 - git
-- 1+ AI coding agent (Claude [>=2.1.63](https://github.com/anthropics/claude-code?tab=readme-ov-file#get-started), Codex [>=0.107.0](https://github.com/openai/codex?tab=readme-ov-file#quickstart), or Gemini [>=0.31.0](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quick-install))
+- 1+ AI coding agent (Claude [>=2.1.111](https://github.com/anthropics/claude-code?tab=readme-ov-file#get-started), Codex [>=0.122.0](https://github.com/openai/codex?tab=readme-ov-file#quickstart), or Gemini [>=0.31.0](https://github.com/google-gemini/gemini-cli?tab=readme-ov-file#quick-install))
 - macOS: `ripgrep`
 - Linux (Debian/Ubuntu): `bubblewrap`, `socat`, `ripgrep`

package/dist/agents/runtime/harness.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { captureAgentChatArtifacts } from "./chat.js";
 import { AgentRuntimeError, AgentRuntimeProcessError, AgentRuntimeSandboxError, } from "./errors.js";
 import { configureSandboxSettings, runAgentProcess } from "./launcher.js";
 import { writeAgentManifest } from "./manifest.js";
-import { registerStagedAuthContext, teardownRegisteredAuthContext, } from "./registry.js";
+import { registerSessionProcess, registerStagedAuthContext, teardownRegisteredAuthContext, unregisterSessionProcess, } from "./registry.js";
 import { DEFAULT_DENIAL_BACKOFF } from "./sandbox.js";
 export async function runSandboxedAgent(input) {
     const { root, agent, prompt, environment, paths, sandboxStageId = "run", sessionId, sandboxProviderId, sandboxPolicyOverrides, extraWriteProtectedPaths, extraReadProtectedPaths, captureChat = true, teardownAuthOnExit = true, onWatchdogTrigger, } = input;
@@ -25,6 +25,7 @@ export async function runSandboxedAgent(input) {
         prompt,
     });
     let authContext;
+    let spawnedProcess;
     try {
         const staged = await stageAgentAuth({
             agent,
@@ -71,6 +72,10 @@ export async function runSandboxedAgent(input) {
             providerId,
             denialBackoff,
             onWatchdogTrigger,
+            onSpawnedProcess: (child) => {
+                spawnedProcess = child;
+                registerSessionProcess(sessionId, child);
+            },
         });
         const chat = captureChat
             ? await captureAgentChatArtifacts({
@@ -96,6 +101,10 @@ export async function runSandboxedAgent(input) {
         throw new AgentRuntimeProcessError(error instanceof Error ? error.message : toErrorMessage(error));
     }
     finally {
+        if (spawnedProcess &&
+            (spawnedProcess.exitCode !== null || spawnedProcess.signalCode !== null)) {
+            unregisterSessionProcess(sessionId, spawnedProcess);
+        }
         await rm(promptPath, { force: true }).catch(() => { });
         if (teardownAuthOnExit || !sessionId) {
             await teardownRegisteredAuthContext(sessionId ?? "runtime", authContext).catch(() => { });

package/dist/agents/runtime/launcher.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import type { ChildProcess } from "node:child_process";
 import type { DenialBackoffConfig } from "../../configs/sandbox/types.js";
 import type { WatchdogMetadata } from "../../domain/run/model/types.js";
 import type { SandboxStageId } from "./policy.js";
@@ -16,6 +17,7 @@ export interface AgentProcessOptions {
     providerId?: string;
     /** Callback fired immediately when watchdog triggers, before process exits. */
     onWatchdogTrigger?: (trigger: WatchdogTrigger, reason: string, failFast?: SandboxFailFastInfo) => void;
+    onSpawnedProcess?: (child: ChildProcess) => void;
 }
 export interface AgentProcessResult {
     exitCode: number;

package/dist/agents/runtime/launcher.js CHANGED Viewed

@@ -50,7 +50,7 @@ async function defaultResolveRunInvocation(context) {
     return { command, args };
 }
 export async function runAgentProcess(options) {
-    const { runtimeManifestPath, agentRoot, stdoutPath, stderrPath, sandboxSettingsPath, denialBackoff, resolveRunInvocation, providerId = "", onWatchdogTrigger, } = options;
+    const { runtimeManifestPath, agentRoot, stdoutPath, stderrPath, sandboxSettingsPath, denialBackoff, resolveRunInvocation, providerId = "", onWatchdogTrigger, onSpawnedProcess, } = options;
     const stdoutStream = createWriteStream(stdoutPath, { flags: "w" });
     const stderrStream = createWriteStream(stderrPath, { flags: "w" });
     const shimEntryPath = resolveShimEntryPath();
@@ -87,6 +87,7 @@ export async function runAgentProcess(options) {
             stderr: { writable: stderrStream },
             detached: true,
             onSpawn: (child) => {
+                onSpawnedProcess?.(child);
                 watchdogController = createWatchdog(child, stderrStream, {
                     providerId,
                     onWatchdogTrigger,

package/dist/agents/runtime/operator-access.d.ts ADDED Viewed

@@ -0,0 +1,68 @@
+export declare const SANDBOX_STAGE_IDS: readonly ["spec", "run", "reduce", "verify", "message"];
+export type SandboxStageId = (typeof SANDBOX_STAGE_IDS)[number];
+export type SandboxGitAccessLevel = "deny-read" | "deny-read-write";
+export type SandboxReadRoot = "repo-root" | "workspace-root";
+export type SandboxWriteRoot = "workspace-root";
+export type OperatorAccessProtectedOperatorDirKey = "spec-dir" | "run-dir" | "reduce-dir" | "verify-dir" | "message-dir";
+export type OperatorAccessProtectedMetadataPathKey = "run-index" | "run-history-lock";
+export type ReadonlyWorkspaceMountKey = "context" | "inputs" | "reference_repo";
+export interface OperatorAccessProfile {
+    readonly readRoot: SandboxReadRoot;
+    readonly writeRoot: SandboxWriteRoot;
+    readonly gitAccess: SandboxGitAccessLevel;
+    readonly protectedOperatorDirs: readonly OperatorAccessProtectedOperatorDirKey[];
+    readonly protectedMetadataPaths: readonly OperatorAccessProtectedMetadataPathKey[];
+    readonly restrictRepositoryReads: boolean;
+    readonly readonlyWorkspaceMounts: readonly ReadonlyWorkspaceMountKey[];
+}
+export declare const OPERATOR_ACCESS_PROFILES: {
+    readonly spec: {
+        readonly readRoot: "repo-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["run-dir", "reduce-dir", "verify-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: false;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+    readonly run: {
+        readonly readRoot: "workspace-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read-write";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "reduce-dir", "verify-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly ["run-index", "run-history-lock"];
+        readonly restrictRepositoryReads: true;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+    readonly reduce: {
+        readonly readRoot: "workspace-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "run-dir", "verify-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: true;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+    readonly verify: {
+        readonly readRoot: "workspace-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "run-dir", "reduce-dir", "message-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: true;
+        readonly readonlyWorkspaceMounts: readonly ["context", "inputs", "reference_repo"];
+    };
+    readonly message: {
+        readonly readRoot: "repo-root";
+        readonly writeRoot: "workspace-root";
+        readonly gitAccess: "deny-read";
+        readonly protectedOperatorDirs: readonly ["spec-dir", "run-dir", "reduce-dir", "verify-dir"];
+        readonly protectedMetadataPaths: readonly [];
+        readonly restrictRepositoryReads: false;
+        readonly readonlyWorkspaceMounts: readonly [];
+    };
+};
+export declare function getOperatorAccessProfile(stageId: SandboxStageId): OperatorAccessProfile;
+export declare function resolveProtectedOperatorDir(root: string, key: OperatorAccessProtectedOperatorDirKey): string;
+export declare function resolveProtectedMetadataPath(root: string, key: OperatorAccessProtectedMetadataPathKey): string;
+export declare function resolveRepositoryGitPath(root: string): string;

package/dist/agents/runtime/operator-access.js ADDED Viewed

@@ -0,0 +1,95 @@
+import { resolve as resolveAbsolute } from "node:path";
+import { VORATIQ_HISTORY_LOCK_FILENAME, VORATIQ_MESSAGE_DIR, VORATIQ_REDUCTION_DIR, VORATIQ_RUN_DIR, VORATIQ_RUN_FILE, VORATIQ_SPEC_DIR, VORATIQ_VERIFICATION_DIR, } from "../../workspace/constants.js";
+import { resolveWorkspacePath } from "../../workspace/path-resolvers.js";
+export const SANDBOX_STAGE_IDS = [
+    "spec",
+    "run",
+    "reduce",
+    "verify",
+    "message",
+];
+export const OPERATOR_ACCESS_PROFILES = {
+    spec: {
+        readRoot: "repo-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: [
+            "run-dir",
+            "reduce-dir",
+            "verify-dir",
+            "message-dir",
+        ],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: false,
+        readonlyWorkspaceMounts: [],
+    },
+    run: {
+        readRoot: "workspace-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read-write",
+        protectedOperatorDirs: [
+            "spec-dir",
+            "reduce-dir",
+            "verify-dir",
+            "message-dir",
+        ],
+        protectedMetadataPaths: ["run-index", "run-history-lock"],
+        restrictRepositoryReads: true,
+        readonlyWorkspaceMounts: [],
+    },
+    reduce: {
+        readRoot: "workspace-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: ["spec-dir", "run-dir", "verify-dir", "message-dir"],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: true,
+        readonlyWorkspaceMounts: [],
+    },
+    verify: {
+        readRoot: "workspace-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: ["spec-dir", "run-dir", "reduce-dir", "message-dir"],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: true,
+        readonlyWorkspaceMounts: ["context", "inputs", "reference_repo"],
+    },
+    message: {
+        readRoot: "repo-root",
+        writeRoot: "workspace-root",
+        gitAccess: "deny-read",
+        protectedOperatorDirs: ["spec-dir", "run-dir", "reduce-dir", "verify-dir"],
+        protectedMetadataPaths: [],
+        restrictRepositoryReads: false,
+        readonlyWorkspaceMounts: [],
+    },
+};
+export function getOperatorAccessProfile(stageId) {
+    return OPERATOR_ACCESS_PROFILES[stageId];
+}
+export function resolveProtectedOperatorDir(root, key) {
+    switch (key) {
+        case "spec-dir":
+            return resolveWorkspacePath(root, VORATIQ_SPEC_DIR);
+        case "run-dir":
+            return resolveWorkspacePath(root, VORATIQ_RUN_DIR);
+        case "reduce-dir":
+            return resolveWorkspacePath(root, VORATIQ_REDUCTION_DIR);
+        case "verify-dir":
+            return resolveWorkspacePath(root, VORATIQ_VERIFICATION_DIR);
+        case "message-dir":
+            return resolveWorkspacePath(root, VORATIQ_MESSAGE_DIR);
+    }
+}
+export function resolveProtectedMetadataPath(root, key) {
+    switch (key) {
+        case "run-index":
+            return resolveWorkspacePath(root, VORATIQ_RUN_FILE);
+        case "run-history-lock":
+            return resolveWorkspacePath(root, VORATIQ_RUN_DIR, VORATIQ_HISTORY_LOCK_FILENAME);
+    }
+}
+export function resolveRepositoryGitPath(root) {
+    return resolveAbsolute(root, ".git");
+}

package/dist/agents/runtime/policy.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { SandboxFilesystemConfig, SandboxNetworkConfig } from "../../configs/sandbox/types.js";
+import { type SandboxStageId } from "./operator-access.js";
 import type { SandboxPolicyOverrides } from "./types.js";
-export type SandboxStageId = "spec" | "run" | "reduce" | "verify" | "message";
+export type { SandboxStageId } from "./operator-access.js";
 export interface BuildSandboxPolicyInput {
     stageId: SandboxStageId;
     root: string;

package/dist/agents/runtime/policy.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import { isAbsolute, relative, resolve as resolveAbsolute } from "node:path";
-import { resolveWorkspacePath, VORATIQ_AGENTS_FILE, VORATIQ_ENVIRONMENT_FILE, VORATIQ_HISTORY_LOCK_FILENAME, VORATIQ_ORCHESTRATION_FILE, VORATIQ_REDUCTION_DIR, VORATIQ_RUN_DIR, VORATIQ_RUN_FILE, VORATIQ_SANDBOX_FILE, VORATIQ_SPEC_DIR, VORATIQ_VERIFICATION_DIR, } from "../../workspace/structure.js";
+import { VORATIQ_AGENTS_FILE, VORATIQ_ENVIRONMENT_FILE, VORATIQ_ORCHESTRATION_FILE, VORATIQ_SANDBOX_FILE, } from "../../workspace/constants.js";
+import { resolveWorkspacePath } from "../../workspace/path-resolvers.js";
+import { getOperatorAccessProfile, resolveProtectedMetadataPath, resolveProtectedOperatorDir, resolveRepositoryGitPath, } from "./operator-access.js";
 export function buildSandboxPolicy(input) {
     const { stageId, root, workspacePath, sandboxHomePath, sandboxSettingsPath, runtimePath, artifactsPath, repoRootPath, providerFilesystem, providerNetwork, policyOverrides, stageDenyWritePaths = [], stageDenyReadPaths = [], } = input;
     const baseline = buildBaselineFilesystemPolicy({
@@ -115,55 +117,27 @@ function buildBaselineFilesystemPolicy(options) {
         resolveWorkspacePath(root, VORATIQ_ORCHESTRATION_FILE),
         resolveWorkspacePath(root, VORATIQ_SANDBOX_FILE),
     ];
-    const stageRoots = resolveStageRoots(stageId, root);
+    const stagePaths = resolveStageProtectedPaths(stageId, root);
     // Default deny rules stay symmetric; read-only divergences are explicit.
-    const symmetricDeny = [...commonSensitivePaths, ...stageRoots.symmetric];
+    const symmetricDeny = [...commonSensitivePaths, ...stagePaths.symmetric];
     return {
         allowWrite: [],
-        denyRead: [...symmetricDeny, ...stageRoots.readOnly],
+        denyRead: [...symmetricDeny, ...stagePaths.readOnly],
         denyWrite: [...symmetricDeny],
     };
 }
-function resolveStageRoots(stageId, root) {
-    if (stageId === "run") {
-        return {
-            symmetric: [
-                resolveAbsolute(root, ".git"),
-                resolveWorkspacePath(root, VORATIQ_RUN_FILE),
-                resolveWorkspacePath(root, VORATIQ_RUN_DIR, VORATIQ_HISTORY_LOCK_FILENAME),
-                resolveWorkspacePath(root, VORATIQ_VERIFICATION_DIR),
-            ],
-            readOnly: [],
-        };
-    }
-    if (stageId === "spec") {
-        return {
-            symmetric: [
-                resolveWorkspacePath(root, VORATIQ_RUN_DIR),
-                resolveWorkspacePath(root, VORATIQ_VERIFICATION_DIR),
-                resolveWorkspacePath(root, VORATIQ_REDUCTION_DIR),
-            ],
-            readOnly: [],
-        };
-    }
-    if (stageId === "verify") {
-        return {
-            symmetric: [
-                resolveWorkspacePath(root, VORATIQ_RUN_DIR),
-                resolveWorkspacePath(root, VORATIQ_SPEC_DIR),
-                resolveWorkspacePath(root, VORATIQ_REDUCTION_DIR),
-            ],
-            // Verification agents should never inspect repository metadata during
-            // blinded review.
-            readOnly: [resolveAbsolute(root, ".git")],
-        };
+function resolveStageProtectedPaths(stageId, root) {
+    const profile = getOperatorAccessProfile(stageId);
+    const symmetric = [
+        ...profile.protectedOperatorDirs.map((key) => resolveProtectedOperatorDir(root, key)),
+        ...profile.protectedMetadataPaths.map((key) => resolveProtectedMetadataPath(root, key)),
+    ];
+    if (profile.gitAccess === "deny-read-write") {
+        symmetric.unshift(resolveRepositoryGitPath(root));
     }
     return {
-        symmetric: [
-            resolveWorkspacePath(root, VORATIQ_RUN_DIR),
-            resolveWorkspacePath(root, VORATIQ_SPEC_DIR),
-        ],
-        readOnly: [resolveAbsolute(root, ".git")],
+        symmetric,
+        readOnly: profile.gitAccess === "deny-read" ? [resolveRepositoryGitPath(root)] : [],
     };
 }
 function resolveFilesystemOverrides(overrides, workspacePath) {

package/dist/agents/runtime/registry.d.ts CHANGED Viewed

@@ -1,4 +1,8 @@
+import type { ChildProcess } from "node:child_process";
 import type { StagedAuthContext } from "./auth.js";
 export declare function registerStagedAuthContext(sessionId: string, context: StagedAuthContext): void;
 export declare function teardownRegisteredAuthContext(sessionId: string, context: StagedAuthContext | undefined): Promise<void>;
 export declare function teardownSessionAuth(sessionId: string | undefined): Promise<void>;
+export declare function registerSessionProcess(sessionId: string | undefined, child: ChildProcess | undefined): void;
+export declare function unregisterSessionProcess(sessionId: string | undefined, child: ChildProcess | undefined): void;
+export declare function terminateSessionProcesses(sessionId: string | undefined): Promise<void>;

package/dist/agents/runtime/registry.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import { teardownAuthContext } from "./auth.js";
 const registry = new Map();
+const processRegistry = new Map();
+const PROCESS_EXIT_WAIT_MS = 2_000;
 export function registerStagedAuthContext(sessionId, context) {
     const existing = registry.get(sessionId);
     if (existing) {
@@ -42,6 +44,48 @@ export async function teardownSessionAuth(sessionId) {
         throw new AggregateError(failures, `Failed to teardown ${failures.length} auth contexts for session ${sessionId}`);
     }
 }
+export function registerSessionProcess(sessionId, child) {
+    if (!sessionId || !child || child.pid === undefined) {
+        return;
+    }
+    const existing = processRegistry.get(sessionId);
+    if (existing) {
+        existing.add(child);
+        return;
+    }
+    processRegistry.set(sessionId, new Set([child]));
+}
+export function unregisterSessionProcess(sessionId, child) {
+    if (!sessionId || !child) {
+        return;
+    }
+    removeProcess(sessionId, child);
+}
+export async function terminateSessionProcesses(sessionId) {
+    if (!sessionId) {
+        return;
+    }
+    const children = processRegistry.get(sessionId);
+    if (!children || children.size === 0) {
+        processRegistry.delete(sessionId);
+        return;
+    }
+    const failures = [];
+    await Promise.all([...children].map(async (child) => {
+        try {
+            await terminateRegisteredProcess(sessionId, child);
+        }
+        catch (error) {
+            failures.push(error instanceof Error ? error : new Error(String(error)));
+        }
+    }));
+    if (failures.length === 1) {
+        throw failures[0];
+    }
+    if (failures.length > 1) {
+        throw new AggregateError(failures, `Failed to terminate ${failures.length} session processes for ${sessionId}`);
+    }
+}
 function removeContext(sessionId, context) {
     const contexts = registry.get(sessionId);
     if (!contexts) {
@@ -52,3 +96,91 @@ function removeContext(sessionId, context) {
         registry.delete(sessionId);
     }
 }
+function removeProcess(sessionId, child) {
+    const children = processRegistry.get(sessionId);
+    if (!children) {
+        return;
+    }
+    children.delete(child);
+    if (children.size === 0) {
+        processRegistry.delete(sessionId);
+    }
+}
+async function terminateRegisteredProcess(sessionId, child) {
+    if (hasExited(child) || child.pid === undefined) {
+        removeProcess(sessionId, child);
+        return;
+    }
+    if (tryTerminateProcessGroup(child.pid, "SIGTERM")) {
+        const exitedOnTerm = await waitForProcessExit(child, PROCESS_EXIT_WAIT_MS);
+        if (exitedOnTerm) {
+            removeProcess(sessionId, child);
+            return;
+        }
+    }
+    else {
+        removeProcess(sessionId, child);
+        return;
+    }
+    if (tryTerminateProcessGroup(child.pid, "SIGKILL")) {
+        const exitedOnKill = await waitForProcessExit(child, PROCESS_EXIT_WAIT_MS);
+        if (exitedOnKill) {
+            removeProcess(sessionId, child);
+            return;
+        }
+    }
+    else {
+        removeProcess(sessionId, child);
+        return;
+    }
+    throw new Error(`Detached agent process ${child.pid} did not exit after SIGTERM and SIGKILL.`);
+}
+function hasExited(child) {
+    return child.exitCode !== null || child.signalCode !== null;
+}
+function tryTerminateProcessGroup(pid, signal) {
+    try {
+        process.kill(-pid, signal);
+        return true;
+    }
+    catch {
+        try {
+            process.kill(pid, signal);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+async function waitForProcessExit(child, timeoutMs) {
+    if (hasExited(child)) {
+        return true;
+    }
+    if (typeof child.once !== "function") {
+        return false;
+    }
+    return await new Promise((resolve) => {
+        let settled = false;
+        const finish = (exited) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            if (typeof child.removeListener === "function") {
+                child.removeListener("exit", handleExit);
+                child.removeListener("close", handleExit);
+            }
+            clearTimeout(timer);
+            resolve(exited);
+        };
+        const handleExit = () => {
+            finish(true);
+        };
+        const timer = setTimeout(() => {
+            finish(hasExited(child));
+        }, timeoutMs);
+        child.once("exit", handleExit);
+        child.once("close", handleExit);
+    });
+}

package/dist/auth/providers/utils.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { constants as fsConstants } from "node:fs";
 import { access, chmod, copyFile, mkdir, rm, stat, writeFile, } from "node:fs/promises";
 import { isAbsolute, resolve as resolveNative } from "node:path";
 import { isMissing } from "../../utils/fs.js";
-import { SANDBOX_DIRNAME } from "../../workspace/structure.js";
+import { SANDBOX_DIRNAME } from "../../workspace/constants.js";
 const STAGED_FILE_MODE = 0o600;
 export function resolveProviderHome(runtime, envVar, defaultSubdir) {
     const configured = runtime.env[envVar]?.trim();

package/dist/bin.js CHANGED Viewed

@@ -108,73 +108,9 @@ async function flushPendingHistory() {
         console.warn(`[voratiq] Failed to flush interactive history buffers: ${error.message}`);
     }
 }
-async function terminateActiveRunSafe(status, context) {
-    try {
-        const { terminateActiveRun } = await import("./commands/run/lifecycle.js");
-        await terminateActiveRun(status);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown run after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
-async function terminateActiveVerificationSafe(status, context) {
-    try {
-        const { terminateActiveVerification } = await import("./commands/verify/lifecycle.js");
-        await terminateActiveVerification(status);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown verification after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
-async function terminateActiveInteractiveSafe(status, context) {
-    try {
-        const { terminateActiveInteractive } = await import("./commands/interactive/lifecycle.js");
-        await terminateActiveInteractive(status, context);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown interactive session after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
-async function terminateActiveMessageSafe(status, context) {
-    try {
-        const { terminateActiveMessage } = await import("./commands/message/lifecycle.js");
-        await terminateActiveMessage(status);
-        return null;
-    }
-    catch (error) {
-        const { toErrorMessage } = await import("./utils/errors.js");
-        const normalizedError = error instanceof Error ? error : new Error(toErrorMessage(error));
-        console.error(`[voratiq] Failed to teardown message after ${context}: ${toErrorMessage(error)}`);
-        return normalizedError;
-    }
-}
 async function terminateActiveSessionsSafe(status, context) {
-    const runError = await terminateActiveRunSafe(status, context);
-    const verificationError = await terminateActiveVerificationSafe(status, context);
-    const interactiveError = await terminateActiveInteractiveSafe(status, context);
-    const messageError = await terminateActiveMessageSafe(status, context);
-    const errors = [
-        runError,
-        verificationError,
-        interactiveError,
-        messageError,
-    ].filter((error) => error instanceof Error);
-    if (errors.length > 1) {
-        return new AggregateError(errors, `Failed to teardown active sessions after ${context}`);
-    }
-    return errors[0] ?? null;
+    const { terminateRegisteredActiveSessions } = await import("./commands/shared/teardown-registry.js");
+    return await terminateRegisteredActiveSessions(status, context);
 }
 function renderRootLauncherGitGuidance(options) {
     const lines = [];
@@ -359,7 +295,6 @@ async function registerCommands(program, argv) {
         "auto",
         "apply",
         "list",
-        "prune",
         "doctor",
         "mcp",
     ]);
@@ -378,7 +313,6 @@ async function registerCommands(program, argv) {
         program.addCommand((await import("./cli/auto.js")).createAutoCommand());
         program.addCommand((await import("./cli/apply.js")).createApplyCommand());
         program.addCommand((await import("./cli/list.js")).createListCommand());
-        program.addCommand((await import("./cli/prune.js")).createPruneCommand());
         program.addCommand((await import("./cli/doctor.js")).createDoctorCommand());
         program.addCommand((await import("./cli/mcp.js")).createMcpCommand());
         return;
@@ -408,9 +342,6 @@ async function registerCommands(program, argv) {
         case "list":
             program.addCommand((await import("./cli/list.js")).createListCommand());
             break;
-        case "prune":
-            program.addCommand((await import("./cli/prune.js")).createPruneCommand());
-            break;
         case "doctor":
             program.addCommand((await import("./cli/doctor.js")).createDoctorCommand());
             break;

package/dist/cli/auto.js CHANGED Viewed

@@ -9,22 +9,13 @@ import { renderWorkspaceAutoInitializedNotice } from "../render/transcripts/shar
 import { renderCliError } from "../render/utils/errors.js";
 import { HintedError } from "../utils/errors.js";
 import { formatAlertMessage } from "../utils/output.js";
-import { parsePositiveInteger } from "../utils/validators.js";
 import { runApplyCommand } from "./apply.js";
 import { toCliError } from "./errors.js";
+import { collectRepeatedStringOption, parseMaxParallelOption, } from "./option-parsers.js";
 import { beginChainedCommandOutput, writeCommandOutput } from "./output.js";
 import { runRunCommand } from "./run.js";
 import { runSpecCommand } from "./spec.js";
 import { runVerifyCommand } from "./verify.js";
-function parseMaxParallelOption(value) {
-    return parsePositiveInteger(value, "Expected positive integer after --max-parallel", "--max-parallel must be greater than 0");
-}
-function collectRunAgentOption(value, previous) {
-    return [...previous, value];
-}
-function collectVerifyAgentOption(value, previous) {
-    return [...previous, value];
-}
 function replayAutoCommandEvent(event) {
     if (event.kind === "body") {
         writeCommandOutput({
@@ -45,10 +36,6 @@ function replayAutoCommandEvent(event) {
         writeCommandOutput({ body: renderCliError(toCliError(event.error)) });
         return;
     }
-    const warningBody = formatAlertMessage("Action required", "yellow", event.detail);
-    writeCommandOutput({
-        body: event.separateWithDivider ? `---\n\n${warningBody}` : warningBody,
-    });
 }
 async function persistAutoOutcome(options) {
     const { runId, outcome } = options;
@@ -207,10 +194,10 @@ export function createAutoCommand() {
         .option("--description <text>", "Generate a spec, then run and verify it")
         .addOption(new Option("--run-agent <agent-id>", "Set run-stage agents directly (repeatable; order preserved)")
         .default([], "")
-        .argParser(collectRunAgentOption))
+        .argParser(collectRepeatedStringOption))
         .addOption(new Option("--verify-agent <agent-id>", "Set verify-stage agents directly (repeatable)")
         .default([], "")
-        .argParser(collectVerifyAgentOption))
+        .argParser(collectRepeatedStringOption))
         .option("--profile <name>", 'Orchestration profile (default: "default")')
         .option("--max-parallel <count>", "Max concurrent agents/verifiers", parseMaxParallelOption)
         .option("--branch", "Create or checkout a branch named after the spec")