wholestack 0.4.0

package/dist/index.d.ts

@@ -0,0 +1,1394 @@
+import * as ai from 'ai';
+import { ToolSet, LanguageModel, ModelMessage } from 'ai';
+
+/**
+ * Two ways to drive the ZETA build pipeline:
+ *
+ *   http  — POST /api/zeta/build on a running Next app. Zero local toolchain,
+ *           but the engine must be up (and reachable).
+ *   local — spawn the SAME worker the route spawns
+ *           (scripts/zeta-build-worker.mts via `node --import tsx`), skipping
+ *           HTTP, Turbopack, and the docker sandbox entirely. No server needed,
+ *           but you must be inside the monorepo with tsx + build env present.
+ *
+ * Both speak the identical NDJSON event protocol, so we normalize once.
+ */
+interface BuildResult {
+    ok: boolean;
+    error?: string;
+    buildId?: unknown;
+    verdict?: "SHIP" | "NO_SHIP";
+    themeId?: unknown;
+    fileCount?: number;
+    spec?: string | null;
+    verifyErrors?: string[];
+    fileList?: (string | null | undefined)[];
+    /** True when the engine returned a preview only (no code) — needs membership. */
+    paywalled?: boolean;
+    /** Where to subscribe when paywalled. */
+    upgradeUrl?: string;
+}
+interface DeliverResult {
+    ok: boolean;
+    written?: number;
+    dir?: string;
+    error?: string;
+    paywalled?: boolean;
+    upgradeUrl?: string;
+}
+
+type TodoStatus = "pending" | "in_progress" | "completed";
+interface Todo {
+    content: string;
+    status: TodoStatus;
+}
+
+/**
+ * Permission modes — the safety dial:
+ *
+ *   default     — ask before every edit and shell command (with an "always"
+ *                 escape hatch per command and a "yes to all edits" toggle).
+ *   acceptEdits — file edits apply without asking; shell commands still gated.
+ *   plan        — read-only. Edits, writes, builds, and commands are refused so
+ *                 the agent researches and proposes a plan instead of acting.
+ *   yolo        — nothing is gated (the old `--yes`). For trusted, scripted runs.
+ */
+type PermissionMode = "default" | "acceptEdits" | "plan" | "yolo";
+declare const PERMISSION_MODES: PermissionMode[];
+declare function isPermissionMode(v: unknown): v is PermissionMode;
+interface ConfirmChoice {
+    key: string;
+    label: string;
+}
+/** Prompt the user to pick one of `choices`; resolves to the chosen `key`. */
+type ConfirmFn = (prompt: string, choices: ConfirmChoice[]) => Promise<string>;
+type Decision = "allow" | "deny";
+declare class Permissions {
+    mode: PermissionMode;
+    private readonly confirm?;
+    private alwaysCommands;
+    private acceptAllEdits;
+    constructor(mode: PermissionMode, confirm?: ConfirmFn | undefined);
+    isPlan(): boolean;
+    setMode(mode: PermissionMode): void;
+    /** Message a tool returns when an action is blocked by plan mode. */
+    planRefusal(): string;
+    /** Gate a file mutation. The caller has already rendered the diff. */
+    requestEdit(path: string): Promise<Decision>;
+    /** Gate a shell command. `display` is the command line shown to the user. */
+    requestCommand(display: string): Promise<Decision>;
+    /** Gate a heavier action (e.g. generate_app) — allowed unless plan mode. */
+    guardMutation(): Decision;
+}
+
+/**
+ * Edit checkpoints — the safety net under the agent's hands. Every file mutation
+ * (write_file / edit_file / multi_edit) snapshots the prior on-disk state before
+ * touching the file, grouped per tool call into one undoable checkpoint. `/undo`
+ * restores the previous state (re-creating or deleting files as needed) and pushes
+ * the just-undone state onto a redo stack; `/redo` replays it.
+ *
+ * In-memory, scoped to the running session — the point is fast, trustworthy
+ * rollback of agent edits while you work, not a durable VCS (that's git's job).
+ */
+interface FileSnap {
+    path: string;
+    /** Content before the change; null means the file did not exist. */
+    before: string | null;
+}
+interface Checkpoint {
+    id: number;
+    label: string;
+    at: number;
+    snaps: FileSnap[];
+}
+/** Outcome of an undo/redo, for the REPL to report. */
+interface RestoreResult {
+    ok: boolean;
+    label?: string;
+    restored?: string[];
+    deleted?: string[];
+    error?: string;
+}
+declare class CheckpointStore {
+    private undoStack;
+    private redoStack;
+    private seq;
+    /** Snaps accumulated for the in-flight tool call (multi_edit groups several). */
+    private pending;
+    /** Begin a new group; call before a mutating tool touches any file. */
+    begin(): void;
+    /** Record a file's pre-edit state once per path within the current group. */
+    capture(path: string, before: string | null): void;
+    /** Seal the group into an undoable checkpoint. A redo stack is invalidated by new edits. */
+    commit(label: string): void;
+    get canUndo(): boolean;
+    get canRedo(): boolean;
+    list(limit?: number): Checkpoint[];
+    /** Restore the most recent checkpoint; the displaced state becomes redoable. */
+    undo(): Promise<RestoreResult>;
+    /** Re-apply the most recently undone checkpoint. */
+    redo(): Promise<RestoreResult>;
+    /** Read the current on-disk state of each path so it can be re-applied later. */
+    private captureCurrent;
+    /** Write each snap's `before` back to disk (or delete when it was absent). */
+    private apply;
+}
+
+/**
+ * The agent's hands. Three families:
+ *
+ *   ZETA verbs   — generate_app / verify_contract — the reason this CLI exists.
+ *                  They drive the real engine, not a mock.
+ *   Code edits   — read / write / edit / grep / glob — a real coding agent's
+ *                  toolset, with diff previews and permission gates on writes.
+ *   Shell        — run_command — gated through the permission layer.
+ *
+ * Every tool keeps its side effects honest: failures come back as
+ * { ok:false, error } the model can read and react to, never a silent success.
+ */
+interface ToolContext {
+    /** Where file ops are rooted + sandboxed. */
+    cwd: string;
+    /** ZETA build engine base URL (the running Next app). */
+    zetaApiUrl: string;
+    /** How generate_app drives the pipeline: auto | local | http. */
+    buildMode: "auto" | "local" | "http";
+    /** The permission gate — diffs, command confirms, plan-mode refusals. */
+    permissions: Permissions;
+    /** Snapshots taken before each file mutation, for /undo + /redo. */
+    checkpoints?: CheckpointStore;
+}
+declare function buildTools(ctx: ToolContext): {
+    todo_write: ai.Tool<{
+        todos: {
+            status: "pending" | "in_progress" | "completed";
+            content: string;
+        }[];
+    }, {
+        ok: boolean;
+        remaining: number;
+        total: number;
+    }>;
+    todo_read: ai.Tool<{}, {
+        ok: boolean;
+        todos: Todo[];
+    }>;
+    generate_app: ai.Tool<{
+        idea: string;
+        scope: "full" | "static" | "component" | "page";
+        buildModel: "zeta-g1" | "zeta-g1-max";
+        install: boolean;
+        keep: boolean;
+    }, BuildResult | {
+        ok: boolean;
+        liveUrl: string | undefined;
+        buildId: string | undefined;
+        files: number | undefined;
+        loc: number | undefined;
+        verdict: string | undefined;
+        trust: number | undefined;
+        note: string;
+    } | {
+        delivered: DeliverResult;
+        ok: boolean;
+        error?: string;
+        buildId?: unknown;
+        verdict?: "SHIP" | "NO_SHIP";
+        themeId?: unknown;
+        fileCount?: number;
+        spec?: string | null;
+        verifyErrors?: string[];
+        fileList?: (string | null | undefined)[];
+        paywalled?: boolean;
+        upgradeUrl?: string;
+        liveUrl?: undefined;
+        files?: undefined;
+        loc?: undefined;
+        trust?: undefined;
+        note?: undefined;
+    }>;
+    verify_contract: ai.Tool<{
+        projectDir: string;
+        contract: string;
+        property?: "conservation" | "no-value-extraction" | "reentrancy-safety" | "asset-conservation" | "monotonic-supply" | "access-control" | "initialization-safety" | "pausability" | "supply-cap" | "allowance-correctness" | undefined;
+        certPath?: string | undefined;
+        address?: string | undefined;
+        rpc?: string | undefined;
+    }, {
+        ok: boolean;
+        error: string;
+        verified?: undefined;
+        property?: undefined;
+        exitCode?: undefined;
+        output?: undefined;
+    } | {
+        ok: boolean;
+        verified: boolean;
+        property: string;
+        exitCode: number;
+        output: string;
+        error?: undefined;
+    }>;
+    read_file: ai.Tool<{
+        path: string;
+        offset?: number | undefined;
+        limit?: number | undefined;
+    }, {
+        ok: boolean;
+        path: string;
+        content: string;
+        startLine?: undefined;
+        error?: undefined;
+    } | {
+        ok: boolean;
+        path: string;
+        content: string;
+        startLine: number;
+        error?: undefined;
+    } | {
+        ok: boolean;
+        error: string;
+        path?: undefined;
+        content?: undefined;
+        startLine?: undefined;
+    }>;
+    write_file: ai.Tool<{
+        path: string;
+        content: string;
+    }, {
+        ok: boolean;
+        declined: boolean;
+        error: string;
+        path?: undefined;
+        bytes?: undefined;
+    } | {
+        ok: boolean;
+        path: string;
+        bytes: number;
+        declined?: undefined;
+        error?: undefined;
+    } | {
+        ok: boolean;
+        error: string;
+        declined?: undefined;
+        path?: undefined;
+        bytes?: undefined;
+    }>;
+    edit_file: ai.Tool<{
+        path: string;
+        old_string: string;
+        new_string: string;
+        replace_all: boolean;
+    }, {
+        ok: boolean;
+        error: string;
+        declined?: undefined;
+        path?: undefined;
+        added?: undefined;
+        removed?: undefined;
+    } | {
+        ok: boolean;
+        declined: boolean;
+        error: string;
+        path?: undefined;
+        added?: undefined;
+        removed?: undefined;
+    } | {
+        ok: boolean;
+        path: string;
+        added: number;
+        removed: number;
+        error?: undefined;
+        declined?: undefined;
+    }>;
+    multi_edit: ai.Tool<{
+        edits: {
+            path: string;
+            old_string: string;
+            new_string: string;
+            replace_all: boolean;
+        }[];
+    }, {
+        ok: boolean;
+        error: string;
+        declined?: undefined;
+        files?: undefined;
+        added?: undefined;
+        removed?: undefined;
+    } | {
+        ok: boolean;
+        declined: boolean;
+        error: string;
+        files?: undefined;
+        added?: undefined;
+        removed?: undefined;
+    } | {
+        ok: boolean;
+        files: string[];
+        added: number;
+        removed: number;
+        error?: undefined;
+        declined?: undefined;
+    }>;
+    list_dir: ai.Tool<{
+        path: string;
+    }, {
+        ok: boolean;
+        path: string;
+        entries: {
+            name: string;
+            dir: boolean;
+        }[];
+        error?: undefined;
+    } | {
+        ok: boolean;
+        error: string;
+        path?: undefined;
+        entries?: undefined;
+    }>;
+    glob: ai.Tool<{
+        path: string;
+        pattern: string;
+    }, {
+        ok: boolean;
+        count: number;
+        files: string[];
+        error?: undefined;
+    } | {
+        ok: boolean;
+        error: string;
+        count?: undefined;
+        files?: undefined;
+    }>;
+    grep: ai.Tool<{
+        path: string;
+        pattern: string;
+        ignoreCase: boolean;
+        maxResults: number;
+        glob?: string | undefined;
+    }, {
+        ok: boolean;
+        count: number;
+        matches: {
+            file: string;
+            line: number;
+            text: string;
+        }[];
+        error?: undefined;
+    } | {
+        ok: boolean;
+        error: string;
+        count?: undefined;
+        matches?: undefined;
+    }>;
+    run_command: ai.Tool<{
+        args: string[];
+        command: string;
+    }, {
+        ok: boolean;
+        declined: boolean;
+        error: string;
+        exitCode?: undefined;
+        output?: undefined;
+    } | {
+        ok: boolean;
+        exitCode: number;
+        output: string;
+        declined?: undefined;
+        error?: undefined;
+    }>;
+    run_app: ai.Tool<{
+        dir: string;
+        timeoutSeconds: number;
+        script?: string | undefined;
+    }, {
+        ok: boolean;
+        error: string;
+        declined?: undefined;
+        url?: undefined;
+        serving?: undefined;
+        log?: undefined;
+    } | {
+        ok: boolean;
+        declined: boolean;
+        error: string;
+        url?: undefined;
+        serving?: undefined;
+        log?: undefined;
+    } | {
+        ok: boolean;
+        url: string | undefined;
+        serving: boolean;
+        log: string;
+        error?: undefined;
+        declined?: undefined;
+    } | {
+        ok: boolean;
+        error: string | undefined;
+        log: string;
+        declined?: undefined;
+        url?: undefined;
+        serving?: undefined;
+    }>;
+};
+
+/**
+ * Hooks — shell commands the user (or a plugin) wires to agent events, the
+ * familiar event-hook idea. A PreToolUse hook can BLOCK a tool call (a
+ * conscience/guardrail); PostToolUse and UserPromptSubmit hooks inject extra
+ * context. Each hook receives a JSON event on stdin and may answer with JSON or
+ * an exit code.
+ */
+type HookEvent = "PreToolUse" | "PostToolUse" | "UserPromptSubmit" | "Stop";
+interface HookDef {
+    /** Regex tested against the tool name (tool events only). */
+    matcher?: string;
+    command: string;
+    source?: string;
+}
+type HookSet = Partial<Record<HookEvent, HookDef[]>>;
+interface HookPayload {
+    toolName?: string;
+    toolInput?: unknown;
+    toolResult?: unknown;
+    prompt?: string;
+}
+interface HookOutcome {
+    /** Set on a PreToolUse block — the reason fed back to the model. */
+    block?: string;
+    /** Extra context strings to surface (PostToolUse / UserPromptSubmit). */
+    context: string[];
+}
+declare class HookRunner {
+    private readonly hooks;
+    private readonly cwd;
+    constructor(hooks: HookSet, cwd: string);
+    any(): boolean;
+    has(event: HookEvent): boolean;
+    run(event: HookEvent, payload: HookPayload): Promise<HookOutcome>;
+}
+/** Merge hook sets (later wins on nothing — they all concatenate). */
+declare function mergeHookSets(...sets: HookSet[]): HookSet;
+/** Load hooks.json from the global config dir and the project's .zeta-g/. */
+declare function loadHookFiles(cwd: string): HookSet;
+/**
+ * Wrap every tool's execute so PreToolUse hooks can block it and PostToolUse
+ * hooks can append context. No-op when there are no tool hooks.
+ */
+declare function applyHooks(tools: ToolSet, runner: HookRunner): ToolSet;
+
+/**
+ * Zeta-G's brain — one family, three tiers, all branded Zeta:
+ *
+ *   Zeta-G1.0 Lite — light & cheap
+ *   Zeta-G1.0      — the default
+ *   Zeta-G1.0 MAX  — the most capable
+ *
+ * The transport underneath is an implementation detail and never surfaced to
+ * the user — only the Zeta tier names are shown. (The ZETA build engine writes
+ * ISL on its own fast lane; that's separate from the conversational brain here.)
+ * We resolve lazily so the CLI boots even with no key; it errors the moment you
+ * actually ask it to think.
+ */
+type ModelKey = string;
+declare function resolveModelKey(raw: string | undefined): ModelKey;
+declare function modelLabel(key: ModelKey): string;
+declare function modelId(key: ModelKey): string;
+declare function modelContextWindow(key: ModelKey): number;
+declare function supportsThinking(key: ModelKey): boolean;
+declare function listModels(): {
+    key: ModelKey;
+    label: string;
+    thinking: boolean;
+}[];
+/**
+ * Provider-specific reasoning options. Every tier runs on Cerebras' OpenAI-
+ * compatible endpoint, which honors `reasoning_effort` (the @ai-sdk/openai
+ * provider maps `openai.reasoningEffort` → that body field). We keep effort
+ * "low" by default — the measured-safe setting that stops gpt-oss from starving
+ * its `content` budget — and only raise it to "high" when the user opts into
+ * thinking via --think / /think. Custom (OpenRouter) lanes get no override.
+ */
+declare function buildProviderOptions(key: ModelKey, thinkingOn: boolean): Record<string, unknown> | undefined;
+declare function resolveModel(key: ModelKey): LanguageModel;
+
+/**
+ * Token + cost accounting. The model reports usage after every turn; we keep a
+ * running total so `/cost` can answer "what has this session cost me?" honestly.
+ *
+ * Prices are approximate list rates ($ per 1M tokens). The fast Zeta-g1 lanes
+ * are billed on a flat plan, so we surface 0 rather than invent a per-token
+ * number. Costs are internal estimates only — the user never sees an upstream id.
+ */
+interface TokenUsage {
+    inputTokens?: number;
+    outputTokens?: number;
+    totalTokens?: number;
+    cachedInputTokens?: number;
+    reasoningTokens?: number;
+}
+declare function estimateCost(modelId: string, u: TokenUsage): number;
+/** Running totals across a session, keyed for a clean `/cost` readout. */
+declare class UsageMeter {
+    private input;
+    private output;
+    private cached;
+    private reasoning;
+    private turns;
+    private cost;
+    add(modelId: string, u: TokenUsage): void;
+    get totalTokens(): number;
+    get totalCost(): number;
+    snapshot(): {
+        input: number;
+        output: number;
+        cached: number;
+        reasoning: number;
+        total: number;
+        turns: number;
+        cost: number;
+    };
+}
+
+interface SessionMeta {
+    id: string;
+    cwd: string;
+    model: string;
+    startedAt: string;
+}
+interface SessionSummary extends SessionMeta {
+    preview: string;
+    turns: number;
+    updatedAt: number;
+}
+declare class Session {
+    readonly meta: SessionMeta;
+    private readonly path;
+    private constructor();
+    /** Start a fresh session and write its meta header. */
+    static create(cwd: string, model: string): Session;
+    /** Reopen an existing session and replay its messages. */
+    static resume(id: string): {
+        session: Session;
+        messages: ModelMessage[];
+    } | null;
+    /** The most recent session (optionally scoped to a working directory). */
+    static latestId(cwd?: string): string | null;
+    /** List sessions newest-first, with a preview of the first user message. */
+    static list(limit?: number, cwd?: string): SessionSummary[];
+    appendUser(text: string): void;
+    appendMessages(messages: ModelMessage[]): void;
+}
+
+/**
+ * SP-21 — Prompt / Policy Runtime: the shared contract.
+ *
+ * The single source of truth for the prompt-governance layer. Every module in
+ * src/prompts, src/policy, and src/security implements against THESE types so
+ * the pieces compose without interface drift.
+ *
+ * Core idea: a turn's context is split into isolated, authority-stamped
+ * CHANNELS. SYSTEM/DEVELOPER/USER carry instruction authority (descending);
+ * RETRIEVED/TOOL/MCP/WEB are UNTRUSTED data and can never issue instructions —
+ * "ignore previous instructions" buried in a tool result or a fetched page is
+ * neutralized and fenced as data before it ever reaches the provider.
+ */
+/** Authority tiers — higher binds harder; a lower tier NEVER overrides a higher one. */
+type Authority = "system" | "developer" | "user" | "untrusted";
+/** The isolated channels that make up a turn's context. */
+type ChannelKind = "system" | "developer" | "user" | "retrieved" | "tool" | "mcp" | "memory" | "web";
+interface Channel {
+    kind: ChannelKind;
+    authority: Authority;
+    /** Provenance for linting + display (tool name, url, file path, server key). */
+    source?: string;
+    content: string;
+    /** Untrusted channels are firewall-scanned and fenced as data, never as instructions. */
+    trusted: boolean;
+}
+declare function channelAuthority(kind: ChannelKind): Authority;
+declare function isUntrusted(kind: ChannelKind): boolean;
+/** Channels whose content is untrusted external input — derived from the one
+ *  source of truth (AUTHORITY_OF) so it can never drift from isUntrusted(). */
+declare const UNTRUSTED_CHANNELS: ChannelKind[];
+type FsAccess = "none" | "read" | "write";
+/** What a tool/plugin/MCP server is permitted to touch. */
+interface CapabilitySet {
+    fs: FsAccess;
+    network: boolean;
+    shell: boolean;
+    secrets: boolean;
+}
+interface CapabilityManifest {
+    /** Tool / plugin / MCP id this manifest governs (e.g. "edit_file", "mcp__github__*"). */
+    name: string;
+    capabilities: CapabilitySet;
+    /** Where it came from: "builtin" | "plugin:<name>" | "mcp:<server>" | "web". */
+    origin: string;
+}
+declare const NO_CAPS: CapabilitySet;
+/** True iff `have` covers everything in `need`. */
+declare function capsAllow(have: CapabilitySet, need: Partial<CapabilitySet>): boolean;
+type PolicyAction = "allow" | "warn" | "strip" | "block";
+interface PolicyDecision {
+    action: PolicyAction;
+    reason?: string;
+    /** Sanitized content when action is "strip" (or "allow" with redactions). */
+    sanitized?: string;
+}
+type Severity = "none" | "low" | "medium" | "high";
+declare function maxSeverity(a: Severity, b: Severity): Severity;
+declare function severityRank(s: Severity): number;
+interface Detection {
+    /** Stable rule id, e.g. "instruction-override". */
+    rule: string;
+    severity: Severity;
+    /** The offending snippet (bounded ≤200 chars). */
+    match: string;
+    note: string;
+}
+interface ScanResult {
+    detections: Detection[];
+    /** Max severity across all detections (or "none"). */
+    severity: Severity;
+}
+interface FirewallVerdict {
+    /** What the policy decided to do with this channel. */
+    action: PolicyAction;
+    scan: ScanResult;
+    /** Content after neutralization (instructions defanged, secrets redacted, fenced). */
+    safe: string;
+    source?: string;
+    kind?: ChannelKind;
+}
+/** A detector inspects untrusted text and returns any detections it finds. */
+type Detector = (text: string, ctx?: {
+    source?: string;
+    kind?: ChannelKind;
+}) => Detection[];
+
+interface AgentOptions {
+    model: LanguageModel;
+    modelKey: ModelKey;
+    ctx: ToolContext;
+    /** Web + MCP tools merged alongside the built-in toolset. */
+    extraTools?: ToolSet;
+    /** Hooks applied to the merged toolset + run on UserPromptSubmit. */
+    hooks?: HookRunner;
+    /** Project memory + plugin system text, appended to the system prompt. */
+    memoryText?: string;
+    thinking?: boolean;
+    maxSteps?: number;
+    contextWindow?: number;
+    session?: Session | null;
+    usage?: UsageMeter;
+    onUsage?: (u: TokenUsage) => void;
+}
+interface TurnResult {
+    aborted: boolean;
+    usage: TokenUsage | null;
+}
+declare class Agent {
+    private readonly opts;
+    private history;
+    private tools;
+    private thinking;
+    private modelKey;
+    private model;
+    private session;
+    private contextWindow;
+    /** Real input-token count the provider reported last turn (beats the char estimate). */
+    private lastInputTokens;
+    /** Output throughput of the last turn (tokens/sec, first token → stream end). */
+    lastTps: number;
+    /** SP-21 prompt/policy runtime: authority preamble + injection firewall + capability model. */
+    private readonly policy;
+    private readonly caps;
+    readonly usage: UsageMeter;
+    constructor(opts: AgentOptions);
+    get toolNames(): string[];
+    /** The declared capability manifests (for /caps + /doctor). */
+    capabilities(): CapabilityManifest[];
+    get thinkingOn(): boolean;
+    setThinking(on: boolean): void;
+    setModel(model: LanguageModel, key: ModelKey, contextWindow?: number): void;
+    setSession(session: Session | null): void;
+    reset(): void;
+    replaceHistory(messages: ModelMessage[]): void;
+    /** % of the model's context window the current history occupies. */
+    contextPct(): number;
+    private system;
+    /**
+     * Auto-compact when the history nears the context window. We budget against
+     * the MAX of the provider's last real input-token count and a char estimate
+     * that includes the system prompt (tool list, memory) — so tool/JSON-dense
+     * histories that the naive estimate under-counts still trigger in time.
+     */
+    private maybeCompact;
+    /** Force or auto compaction; prints a one-line note. Returns true if it ran. */
+    runCompaction(announce: boolean): Promise<boolean>;
+    /** Run one user turn end-to-end; streams to stdout, updates history. */
+    send(userInput: string, signal?: AbortSignal): Promise<TurnResult>;
+}
+
+interface MemorySource {
+    path: string;
+    bytes: number;
+    truncated: boolean;
+}
+interface ProjectMemory {
+    sources: MemorySource[];
+    text: string;
+}
+/**
+ * Collect memory files from the global config dir and every directory between
+ * the repo root and the cwd (root first, so cwd-local files win on conflict).
+ */
+declare function loadProjectMemory(cwd: string): Promise<ProjectMemory>;
+
+/**
+ * A slim MCP client — the extensibility layer. It reads the standard `.mcp.json`
+ * format (so a project's servers Just Work), connects to each,
+ * and exposes their tools to the agent namespaced `mcp__<server>__<tool>`.
+ *
+ * Fail-soft by design: a server that won't start is reported and skipped, never
+ * fatal. We support both stdio servers ({command,args,env}) and HTTP servers
+ * ({url,headers}). No tier policy here — a CLI on your own machine trusts the
+ * servers you configured.
+ */
+interface StdioServerConfig {
+    command: string;
+    args?: string[];
+    env?: Record<string, string>;
+}
+interface HttpServerConfig {
+    url: string;
+    headers?: Record<string, string>;
+}
+type ServerConfig = StdioServerConfig | HttpServerConfig;
+interface LoadedMcp {
+    tools: ToolSet;
+    mounted: {
+        key: string;
+        tools: number;
+    }[];
+    failed: {
+        key: string;
+        error: string;
+    }[];
+    close: () => Promise<void>;
+}
+interface LoadMcpOptions {
+    cwd: string;
+    /** Only mount these server keys (from --mcp). Empty/undefined → all configured. */
+    only?: string[];
+    /** Skip MCP entirely. */
+    disabled?: boolean;
+    /** Extra servers (e.g. contributed by plugins). File configs override these. */
+    extraServers?: Record<string, ServerConfig>;
+    connectTimeoutMs?: number;
+    /**
+     * Deferred mode (DEFAULT). Instead of binding every MCP tool's full JSON schema
+     * to the model on every turn — which can cost tens of thousands of tokens before
+     * the user types anything — expose just two tiny tools: `mcp_list_tools` (a
+     * compact catalog) and `mcp_call_tool` (the dispatcher). The model discovers and
+     * calls MCP tools on demand. Set `defer: false` to bind all schemas eagerly.
+     */
+    defer?: boolean;
+}
+declare function loadMcpTools(opts: LoadMcpOptions): Promise<LoadedMcp>;
+
+/**
+ * Slash commands — the in-session control surface. An extensible registry, not
+ * a hardcoded if/else: built-ins live here, plugins and ~/.zeta-g/commands/*.md
+ * register more. A command returns a CommandResult the REPL acts on, so the
+ * registry stays decoupled from the agent it drives.
+ */
+type CommandResult = {
+    type: "handled";
+} | {
+    type: "exit";
+} | {
+    type: "clear";
+} | {
+    type: "compact";
+} | {
+    type: "prompt";
+    text: string;
+} | {
+    type: "switchModel";
+    modelKey: ModelKey;
+} | {
+    type: "setMode";
+    mode: PermissionMode;
+} | {
+    type: "toggleThinking";
+    on: boolean;
+} | {
+    type: "resume";
+    sessionId: string;
+};
+interface CommandContext {
+    args: string;
+    cwd: string;
+    modelKey: ModelKey;
+    modelLabel: string;
+    thinkingOn: boolean;
+    permissions: Permissions;
+    usage: UsageMeter;
+    memory: ProjectMemory;
+    mcp: LoadedMcp;
+    toolNames: string[];
+    capabilities: CapabilityManifest[];
+    checkpoints: CheckpointStore;
+    commands: SlashCommand[];
+    print: (s?: string) => void;
+}
+interface SlashCommand {
+    name: string;
+    aliases?: string[];
+    summary: string;
+    hidden?: boolean;
+    /** Where it came from — "builtin", "custom", or a plugin name. */
+    source?: string;
+    run: (ctx: CommandContext) => Promise<CommandResult> | CommandResult;
+}
+/** Parse every *.md in `dir` into slash commands tagged with `source`. */
+declare function loadMdCommands(dir: string, source: string): SlashCommand[];
+declare class CommandRegistry {
+    private map;
+    private ordered;
+    constructor();
+    register(cmd: SlashCommand): void;
+    get(name: string): SlashCommand | undefined;
+    list(): SlashCommand[];
+    names(): string[];
+    /** Load *.md commands from ~/.zeta-g/commands and <cwd>/.zeta-g/commands. */
+    loadCustom(cwd: string): void;
+    dispatch(input: string, base: Omit<CommandContext, "args" | "commands">): Promise<CommandResult | null>;
+}
+
+interface LoadedPlugins {
+    plugins: {
+        name: string;
+        description?: string;
+        version?: string;
+        dir: string;
+    }[];
+    systemText: string;
+    commands: SlashCommand[];
+    mcpServers: Record<string, ServerConfig>;
+    hooks: HookSet;
+    failed: {
+        dir: string;
+        error: string;
+    }[];
+}
+declare function loadPlugins(cwd: string): LoadedPlugins;
+
+interface SearchHit {
+    title: string;
+    url: string;
+    snippet: string;
+}
+declare function buildWebTools(): {
+    web_fetch: ai.Tool<{
+        url: string;
+    }, {
+        ok: boolean;
+        error: string;
+        status?: undefined;
+        url?: undefined;
+        contentType?: undefined;
+        content?: undefined;
+        truncated?: undefined;
+    } | {
+        ok: boolean;
+        status: number;
+        url: string;
+        contentType: string;
+        content: string;
+        truncated: boolean;
+        error?: undefined;
+    }>;
+    web_search: ai.Tool<{
+        query: string;
+    }, {
+        ok: boolean;
+        note: string;
+        query?: undefined;
+        results?: undefined;
+        error?: undefined;
+    } | {
+        ok: boolean;
+        query: string;
+        results: SearchHit[];
+        note?: undefined;
+        error?: undefined;
+    } | {
+        ok: boolean;
+        error: string;
+        note?: undefined;
+        query?: undefined;
+        results?: undefined;
+    }>;
+};
+
+/** Rough token estimate — ~4 chars/token over the serialized messages. */
+declare function estimateTokens(messages: ModelMessage[]): number;
+interface CompactResult {
+    messages: ModelMessage[];
+    summary: string;
+    before: number;
+    after: number;
+    degraded: boolean;
+}
+interface CompactOptions {
+    /** How many trailing user turns to keep verbatim. */
+    keepUserTurns?: number;
+    /** Max chars of transcript fed to the summarizer. */
+    maxTranscript?: number;
+}
+/**
+ * Compact `messages`. Returns a new history: [summary, ack, ...recent turns].
+ * Falls back to a plain recency window (with `degraded: true`) if the model
+ * call to summarize fails — never silently claims success it didn't get.
+ */
+declare function compact(messages: ModelMessage[], model: LanguageModel, opts?: CompactOptions): Promise<CompactResult>;
+
+/**
+ * SP-21 — System-prompt REGISTRY: identity, role layering, and safety overlays.
+ *
+ * One deterministic place to keep the agent's system prompts. A prompt is
+ * assembled from three layers, in a fixed order so the same inputs always
+ * yield the same bytes:
+ *
+ *   1. a BASE system body (versioned per id — register a new version, the old
+ *      one stays reachable for replay/audit),
+ *   2. an optional ROLE layer (e.g. "coder" / "planner") that sharpens behavior,
+ *   3. zero or more SAFETY overlays appended last (the safety + verify reflexes),
+ *      so they read as the final, binding word.
+ *
+ * Nothing here reaches for wall-clock time or randomness: composition is a pure
+ * function of what was registered. The single source of truth for shared shapes
+ * lives in ./types.js — this module only adds the registry-specific structures.
+ */
+/** A behavior layer for a named role, layered on top of the base system body. */
+interface RoleLayer {
+    role: string;
+    body: string;
+}
+/** A safety rule appended after the base + role, so it reads as the last word. */
+interface SafetyOverlay {
+    id: string;
+    body: string;
+}
+/**
+ * The registry. Holds versioned system bodies, role layers, and safety
+ * overlays, and composes them deterministically. Registration order is
+ * preserved (insertion-ordered Maps) so "latest" and "all overlays" are stable.
+ */
+declare class PromptRegistry {
+    /** id → list of versions, in registration order (last = latest). */
+    private readonly systems;
+    /** role name → its layer body. */
+    private readonly roles;
+    /** overlay id → overlay, in registration order. */
+    private readonly safety;
+    /**
+     * Register a system body under `id`. If `version` is omitted, an auto label
+     * `v<N>` is assigned from the count already stored for that id. Re-registering
+     * the same explicit version replaces that revision in place (it keeps its
+     * original slot); a new version is appended and becomes the latest.
+     */
+    registerSystem(id: string, body: string, version?: string): void;
+    /**
+     * Fetch a system body. With no `version`, returns the latest (last
+     * registered). Throws if the id — or the requested version — is unknown.
+     */
+    getSystem(id: string, version?: string): string;
+    /** The versions stored for `id`, in registration order. Empty if unknown. */
+    versions(id: string): string[];
+    /** Register (or replace) the layer body for a role. */
+    registerRole(layer: RoleLayer): void;
+    /** The body for a role, or undefined if the role is unknown. */
+    getRole(role: string): string | undefined;
+    /** Register (or replace) a safety overlay by its id. */
+    registerOverlay(o: SafetyOverlay): void;
+    /** All registered safety overlays, in registration order. */
+    overlays(): SafetyOverlay[];
+    /**
+     * Compose a full system prompt: base body, then the role layer (when a known
+     * role is given), then the safety overlays — joined by a blank line.
+     *
+     * Overlay selection: if `overlayIds` is provided, those overlays are appended
+     * in the order listed (unknown ids are skipped); if omitted, ALL registered
+     * overlays are appended in registration order.
+     */
+    composeSystem(opts: {
+        id: string;
+        version?: string;
+        role?: string;
+        overlayIds?: string[];
+    }): string;
+}
+/**
+ * The default registry, seeded with Zeta-G's core identity, the safety and
+ * verify overlays, and the coder/planner roles. Importers get a ready-to-use
+ * registry; they can register additional versions, roles, or overlays on top.
+ */
+declare const DEFAULT_REGISTRY: PromptRegistry;
+
+/**
+ * Deterministic template rendering + token budgeting.
+ *
+ * Two small, pure jobs. First, {{key}} substitution that treats values as
+ * literal text — a value containing "$1" or "$&" must never be reinterpreted
+ * as a regex replacement pattern, so we substitute through a FUNCTION replacer.
+ * Second, fitting a turn's CHANNELS inside a token budget by trimming the
+ * lowest-authority content first: a SYSTEM channel is sacred and is never
+ * touched, untrusted data goes first, then user, then developer.
+ *
+ * Everything here is deterministic — no clock, no randomness — so the same
+ * inputs always produce the same prompt.
+ */
+
+/**
+ * Replace every {{key}} in `tpl` with `vars[key]`. The replacer is a function,
+ * so any "$" sequences inside a value stay literal rather than being treated as
+ * replacement patterns. Unknown keys: throw under `strict`, else collapse to "".
+ */
+declare function renderTemplate(tpl: string, vars: Record<string, string>, opts?: {
+    strict?: boolean;
+}): string;
+/** Cheap, provider-agnostic token estimate: ~4 chars per token. */
+declare function estimateTextTokens(text: string): number;
+interface BudgetInput {
+    channels: Channel[];
+    maxTokens: number;
+    /** Tokens to hold back for the response / scaffolding (default 0). */
+    reserve?: number;
+}
+interface BudgetResult {
+    channels: Channel[];
+    /** Per-kind tally of tokens removed by trimming. */
+    trimmed: {
+        kind: ChannelKind;
+        droppedTokens: number;
+    }[];
+    total: number;
+}
+/**
+ * Fit `channels` within (maxTokens - reserve) by truncating the lowest-priority
+ * channels first. Truncation keeps the HEAD of the content and appends a trim
+ * marker. Returns fresh channel objects, the per-kind dropped-token counts, and
+ * the final total estimate. Never trims a "system" channel.
+ */
+declare function budgetChannels(input: BudgetInput): BudgetResult;
+
+/**
+ * Prompt linting — catch "string soup" mistakes before a turn is sent.
+ *
+ * The channel model (see ./types.ts) keeps authority tiers separated, but it
+ * can't stop a caller from assembling a malformed prompt: an empty system
+ * message, a leaked API key pasted into a developer note, an untrusted tool
+ * result mislabeled as trusted, or a template that never got its variables
+ * filled in. These are cheap to detect and expensive to ship, so we surface
+ * them as plain findings the CLI can print (or refuse on) before the provider
+ * ever sees the text.
+ *
+ * Everything here is pure and deterministic — same channels in, same findings
+ * out, no clock and no randomness.
+ */
+
+/** How loudly a finding should be surfaced. Mirrors the firewall's tone, not its scale. */
+type LintSeverity = "error" | "warning" | "info";
+interface LintFinding {
+    /** Stable rule id, e.g. "empty-body" or "leaked-secret". */
+    rule: string;
+    severity: LintSeverity;
+    message: string;
+    /** Which channel kind the finding belongs to, when it came from a specific channel. */
+    channel?: ChannelKind;
+}
+/**
+ * Lint a single system- or developer-class body. These channels carry
+ * instruction authority, so mistakes here are the most damaging: an empty
+ * system prompt silently neuters the agent, and a secret pasted into one rides
+ * straight to the provider with full trust.
+ */
+declare function lintSystemText(body: string): LintFinding[];
+/**
+ * Lint a fully assembled prompt — the ordered list of channels for one turn.
+ * Checks the shape of the prompt as a whole (a system channel must exist, the
+ * trust labels must match each channel's kind) and folds in per-body linting
+ * for every instruction-bearing channel.
+ */
+declare function lintPrompt(channels: Channel[]): LintFinding[];
+
+/**
+ * The POLICY ENGINE — the layer that turns a firewall SCAN into an ACTION.
+ *
+ * A detector tells us *what* it saw; the policy decides *what to do about it*.
+ * Severity maps to one of four actions (allow / warn / strip / block) per a
+ * small, overridable config, so an operator can tighten or loosen the firewall
+ * without touching detection code. The engine also owns the AUTHORITY PREAMBLE:
+ * the SYSTEM-prompt block that teaches the model the prompt-authority tiers and
+ * the one inviolable rule — text inside fenced UNTRUSTED blocks is DATA, never
+ * an instruction. Pure and deterministic: same scan in, same decision out.
+ */
+
+/** How the firewall behaves: the per-severity action table plus two hard switches. */
+interface PolicyConfig {
+    /** Action to take for each injection severity the scanner reports. */
+    onInjection: Record<Severity, PolicyAction>;
+    /** Redact detected secrets/credentials before content reaches the provider. */
+    blockSecrets: boolean;
+    /** Neutralize exfiltration attempts (data-routed-outward) found in untrusted data. */
+    stripExfil: boolean;
+}
+/** The safe default: clean passes through, suspicion is stripped, blatant injection is blocked. */
+declare const DEFAULT_POLICY: PolicyConfig;
+/**
+ * Maps firewall severity to a policy action and frames the prompt-authority
+ * contract. Stateless aside from its merged config — construct once, reuse.
+ */
+declare class PolicyEngine {
+    readonly config: PolicyConfig;
+    constructor(config?: Partial<PolicyConfig>);
+    /**
+     * Decide what to do with a scanned channel. The action is read straight off
+     * the severity table; the reason summarizes the detections that drove it so
+     * the choice is legible in logs and to the user.
+     */
+    decideChannel(scan: ScanResult): PolicyDecision;
+    /**
+     * The SYSTEM-prompt block that establishes prompt authority and the
+     * untrusted-data rule. Prepended ahead of any external content so the model
+     * carries the contract into every turn.
+     */
+    authorityPreamble(): string;
+}
+
+/**
+ * SP-21 — The anti-prompt-injection FIREWALL.
+ *
+ * Untrusted channels (tool output, RAG hits, MCP results, fetched pages) are
+ * data, not instructions. This module is the chokepoint they pass through
+ * before reaching the provider: every detector runs over the text, the policy
+ * engine decides what to do, and whatever survives is fenced inside a clearly
+ * labelled DATA-ONLY block so the model treats it as content to reason ABOUT,
+ * never as commands to obey.
+ *
+ * Pure and deterministic: same text in, same verdict out. No clock, no random.
+ */
+
+declare class PromptFirewall {
+    private readonly detectors;
+    constructor(detectors?: Detector[]);
+    /**
+     * Run every detector over the (bounded) text and fold their findings into a
+     * single ScanResult. Severity starts at "none" and climbs via maxSeverity.
+     */
+    scan(text: string, ctx?: {
+        source?: string;
+        kind?: ChannelKind;
+    }): ScanResult;
+    /**
+     * Wrap content in the labelled DATA-ONLY fence. Credential material and the
+     * override imperative itself are ALWAYS scrubbed first via live regex over the
+     * body (redactSensitive) — not by string-matching a lossy clipped snippet — so
+     * collapsed-whitespace or oversized spans can't slip through. `opts` is kept
+     * for API compatibility; redaction is unconditional now.
+     */
+    neutralize(text: string, _scan: ScanResult, _opts?: {
+        redactSecrets?: boolean;
+    }): string;
+    /**
+     * The full pipeline for one untrusted channel: normalize (defang homoglyph /
+     * zero-width evasion), scan, ask the policy what to do, then produce the safe
+     * rendering. We scan AND forward the SAME normalized+bounded body, so nothing
+     * unscanned ever reaches the model.
+     *   block → withhold entirely (just a breadcrumb of what was dropped)
+     *   strip / warn / allow → fenced + redacted untrusted data
+     */
+    guard(channel: Channel, policy: PolicyEngine): FirewallVerdict;
+}
+/** Shared default firewall wired to the full detector suite. */
+declare const DEFAULT_FIREWALL: PromptFirewall;
+
+/**
+ * ChannelStack — the assembler that keeps prompt authority tiers isolated.
+ *
+ * You add content as typed channels; on render() the trusted channels
+ * (system/developer/user) are concatenated as authoritative instructions, while
+ * every UNTRUSTED channel (tool/mcp/web/retrieved/memory) is run through the
+ * firewall and emitted as fenced DATA — so "ignore previous instructions" inside
+ * a tool result or a fetched page can't seize control. Optionally budgeted so a
+ * giant retrieved blob can't blow the context window (system is never trimmed).
+ */
+declare class ChannelStack {
+    private list;
+    add(kind: ChannelKind, content: string, opts?: {
+        source?: string;
+    }): this;
+    /** Convenience for the untrusted families — always firewall-fenced on render. */
+    addUntrusted(kind: Extract<ChannelKind, "retrieved" | "tool" | "mcp" | "web" | "memory">, content: string, source?: string): this;
+    channels(): Channel[];
+    /**
+     * Render the stack into provider-ready text, with hard tier isolation:
+     *   · `system`     — system + developer channels (authoritative)
+     *   · `user`       — user channels (the human's literal input)
+     *   · `dataBlocks` — every untrusted channel, firewalled + fenced as data
+     * Returns the firewall verdicts so the caller can warn on detections.
+     */
+    render(opts: {
+        policy: PolicyEngine;
+        firewall: PromptFirewall;
+        budget?: number;
+    }): {
+        system: string;
+        user: string;
+        dataBlocks: string;
+        findings: FirewallVerdict[];
+    };
+}
+
+/**
+ * SP-21 — Capability security model.
+ *
+ * Every tool, plugin, and MCP server runs with the LEAST authority it needs:
+ * a small, declared set of { fs, network, shell, secrets } capabilities. This
+ * module is the single chokepoint where those grants are declared and checked.
+ *
+ * The flow: on registration a caller `declare`s a manifest (or asks
+ * `defaultManifestFor` to infer one from a known tool name); `check` resolves a
+ * requirement against it. Anything we don't recognise gets NO_CAPS — grant
+ * nothing until someone declares otherwise.
+ *
+ * STATUS: this layer is ADVISORY this pass — manifests are declared and shown
+ * (`/caps`), and runtime side-effects are still gated by the permission layer
+ * (shell/writes/commands) and the prompt firewall. `check()` is the hook a
+ * future sandbox (SP-24) calls to hard-enforce caps before a syscall; it is not
+ * yet on the execute path, so treat the manifest as a declared contract, not an
+ * enforced boundary.
+ */
+
+/** Infer a conservative capability set from a known tool name + its origin. */
+declare function defaultManifestFor(toolName: string, origin: string): CapabilityManifest;
+/**
+ * The central capability registry + gatekeeper. Manifests are declared once;
+ * every privileged action is checked against the resolved grant. Pure and
+ * deterministic — the only state is the declared manifest map.
+ */
+declare class CapabilityEnforcer {
+    private readonly manifests;
+    /** Register (or overwrite) the manifest governing a tool/plugin/MCP id. */
+    declare(manifest: CapabilityManifest): void;
+    /**
+     * Resolve the manifest for a name. Prefers an exact match; otherwise falls
+     * back to a declared wildcard ("mcp__github__*" governs "mcp__github__x").
+     * Returns undefined when nothing covers the name.
+     */
+    get(name: string): CapabilityManifest | undefined;
+    /**
+     * Decide whether `name` may exercise the requested capabilities. The grant
+     * is the resolved manifest, or NO_CAPS when nothing is declared — so an
+     * unknown tool is denied anything beyond the empty set.
+     */
+    check(name: string, need: Partial<CapabilitySet>): PolicyDecision;
+    /** All declared manifests, in declaration order. */
+    list(): CapabilityManifest[];
+}
+
+/**
+ * SP-21 — Prompt-injection DETECTORS.
+ *
+ * A detector reads a slice of UNTRUSTED text (a tool result, a fetched page, a
+ * RAG chunk) and reports anything that looks like it is trying to seize the
+ * conversation, smuggle secrets out, or hijack a tool. Detectors NEVER mutate
+ * the text — they only describe what they saw. The firewall layer decides what
+ * to do (warn / strip / block) with the verdicts these produce.
+ *
+ * Two house rules keep this file safe and predictable:
+ *   1. Every regex is LINEAR-TIME. No nested quantifiers over open text
+ *      (`(a+)+`, `(.*)*`), so a hostile input can never trigger ReDoS — the
+ *      worst case is a single linear pass. Where we'd want "anything", we use a
+ *      bounded character run (`[^\n]{0,80}`) instead of an unbounded `.*`.
+ *   2. Every reported `match` is clamped to ≤200 chars so a giant payload can't
+ *      blow up logs or the verdict it rides in.
+ *
+ * Pure and deterministic: no clock, no randomness, no I/O.
+ */
+
+/** The full battery, in the order the firewall runs them. */
+declare const ALL_DETECTORS: Detector[];
+
+declare function isUntrustedTool(name: string): boolean;
+interface FirewallToolOptions {
+    firewall: PromptFirewall;
+    policy: PolicyEngine;
+    /** Notified for every untrusted output processed (for terminal warnings). */
+    onFinding?: (verdict: FirewallVerdict, tool: string) => void;
+}
+declare function applyFirewall(tools: ToolSet, opts: FirewallToolOptions): ToolSet;
+
+/**
+ * Colored unified-diff rendering — the inline edit preview. We show the
+ * user exactly what an edit changes before it touches disk, so an approval is
+ * an informed one. Built on the `diff` package's line differ, then painted with
+ * our calm ANSI palette: green +, red -, dim context, with collapsed runs of
+ * unchanged lines so a one-line edit doesn't print the whole file.
+ */
+interface DiffStat {
+    added: number;
+    removed: number;
+}
+/** Count added / removed lines between two texts. */
+declare function diffStat(before: string, after: string): DiffStat;
+/** Print a colored diff for an edit (before → after) under a path header. */
+declare function renderEditDiff(path: string, before: string, after: string, opts?: {
+    context?: number;
+    maxLines?: number;
+}): void;
+/** Print a new-file preview (first N lines, all green). */
+declare function renderNewFileDiff(path: string, content: string, opts?: {
+    maxLines?: number;
+}): void;
+
+interface InputOptions {
+    /** Live list of slash-command names (without the leading /), for completion. */
+    commandNames: () => string[];
+    /** Called when the user asks to quit (empty line + Ctrl-C, or twice). */
+    onExit: () => void;
+}
+declare class InputController {
+    private readonly opts;
+    private rl;
+    constructor(opts: InputOptions);
+    /** Tab completion: /commands when the line starts with /, @paths otherwise. */
+    private complete;
+    /** Read one logical line, joining trailing-backslash continuations. */
+    readLine(promptStr: string): Promise<string>;
+    private saveHistory;
+    /**
+     * Ask a y/n/a-style question; resolves to the chosen choice key. Safe to call
+     * mid-turn: if an interrupt-watch is active (raw mode) we suspend it, ask in
+     * cooked mode, then re-arm — so ESC works before AND after a confirm, and the
+     * prompt itself reads a normal line.
+     */
+    confirm(question: string, choices: ConfirmChoice[]): Promise<string>;
+    private activeWatch;
+    private onKey?;
+    private startWatch;
+    private stopWatch;
+    /**
+     * Run `fn` with an AbortSignal that fires on ESC / Ctrl-C — a streaming turn
+     * can be interrupted cleanly without killing the process.
+     */
+    runInterruptible<T>(fn: (signal: AbortSignal) => Promise<T>): Promise<T>;
+    close(): void;
+}
+
+export { ALL_DETECTORS, Agent, type AgentOptions, type Authority, CapabilityEnforcer, type CapabilityManifest, type CapabilitySet, type Channel, type ChannelKind, ChannelStack, type CommandContext, CommandRegistry, type CommandResult, type ConfirmFn, DEFAULT_FIREWALL, DEFAULT_POLICY, DEFAULT_REGISTRY, type Detection, type Detector, type FirewallVerdict, type FsAccess, type HookEvent, HookRunner, type HookSet, InputController, type LintFinding, type LoadedMcp, type LoadedPlugins, type ModelKey, NO_CAPS, PERMISSION_MODES, type PermissionMode, Permissions, type PolicyAction, type PolicyConfig, type PolicyDecision, PolicyEngine, type ProjectMemory, PromptFirewall, PromptRegistry, type RoleLayer, type SafetyOverlay, type ScanResult, type ServerConfig, Session, type SessionMeta, type SessionSummary, type Severity, type SlashCommand, type TokenUsage, type ToolContext, type TurnResult, UNTRUSTED_CHANNELS, UsageMeter, applyFirewall, applyHooks, budgetChannels, buildProviderOptions, buildTools, buildWebTools, capsAllow, channelAuthority, compact, defaultManifestFor, diffStat, estimateCost, estimateTextTokens, estimateTokens, isPermissionMode, isUntrusted, isUntrustedTool, lintPrompt, lintSystemText, listModels, loadHookFiles, loadMcpTools, loadMdCommands, loadPlugins, loadProjectMemory, maxSeverity, mergeHookSets, modelContextWindow, modelId, modelLabel, renderEditDiff, renderNewFileDiff, renderTemplate, resolveModel, resolveModelKey, severityRank, supportsThinking };