wyrm-mcp 7.2.1 → 7.2.2

package/dist/wyrm-guard.js

@@ -1,425 +1,15 @@
 #!/usr/bin/env node
-/**
- * wyrm-guard — deterministic PreToolUse hook bin (v7 F2, T016; spec FR-2/G2).
- *
- * Harness-side negative learning: Claude Code pipes the PreToolUse payload for
- * Bash/Edit/Write(/MultiEdit/NotebookEdit) to this bin; the bin runs the SAME
- * deterministic failure_check the MCP tool runs (FailurePatterns.checkVerdict —
- * Article III: bm25/match-tier arithmetic, zero LLM calls, zero network)
- * against the LOCAL SQLite DB opened READ-ONLY, and answers on the Claude Code
- * hook contract:
- *
- *   BLOCK  — exit 2, the failure pattern on stderr (Claude Code feeds stderr
- *            back to the model and does not execute the tool call).
- *            The deterministic block rule — identity blocks, similarity warns:
- *              · an EXACT signature match (checkVerdict tier 'exact'), or
- *              · a TARGET-IDENTITY match: a stored failure whose scope+target
- *                normalize identical to the probed command / file path under
- *                normalizeIdentity — the FULL, UNCAPPED form of the signature
- *                normalization. Identity spans the whole command/path: the
- *                200-char signature cap is range-scan recall only, so two
- *                long actions differing only past it never alias into one
- *                block, and the lookup filters identity BEFORE its result
- *                cap, so same-prefix cousins can never crowd an
- *                identical-target row out. v7 F2 review fix: this tier runs
- *                as a DEDICATED signature-prefix lookup
- *                (FailurePatterns.targetIdentityMatches) — production rows
- *                always carry a non-empty description, so full-signature
- *                equality against this bin's empty-description probe could
- *                never fire, and a block never depends on FTS recall.
- *   WARN   — exit 0, hookSpecificOutput.additionalContext JSON on stdout
- *            (non-blocking context injection — the wyrm-push.py shape) for any
- *            other match.
- *   SILENT — exit 0, no output, when clean.
- *
- * Run/scope semantics (T014/T015): the caller's run identity comes from
- * WYRM_RUN_ID (the F2 fleet convention — the orchestrator exports it once for
- * the whole fleet) and is passed EXPLICITLY to checkVerdict, so same-run
- * quarantined failures bite instantly while runless callers only ever see the
- * project/global tiers. Project scoping: the payload `cwd` (or the edited
- * file's directory) is walked up against projects.path — unenrolled paths
- * still check the global (project-NULL) failures.
- *
- * Probe construction (recall under FTS5 implicit-AND, see query() in
- * failure-patterns.ts):
- *   · Bash  → scope 'command', probe target = the command string.
- *   · Files → scopes 'file' + 'edit', probe target = the BASENAME (a full path
- *     would AND-in every directory token and miss relpath-keyed rows); the
- *     identity rule then compares the stored target against the absolute,
- *     project-relative, and as-given path forms — equality on any blocks.
- *     The edit content signal is extracted/validated but NOT fed to the FTS
- *     probe: under implicit-AND it strictly narrows recall, and it can never
- *     produce an exact signature against recorder-authored descriptions.
- *
- * Budget (the wyrm-push.py ~200ms discipline): readonly open + fileMustExist,
- * busy_timeout=100ms (a locked DB fails open instead of hanging the harness),
- * a small fixed number of prepared statements per scope (the two checkVerdict
- * stages + one identity range-probe per identity candidate), no migrations,
- * no index work. Measured by bench/guard-budget.mjs (Article VIII).
- *
- * Analytics (v7 F2 review fix): a BLOCK files one failure_blocks row — the
- * prevented-repeat ROI counter behind `wyrm_stats view=failures` — via a
- * separate short-lived RW connection (busy_timeout=50ms). Strictly
- * best-effort and fail-open: the CHECK connection stays readonly, and any
- * ledger failure is swallowed without affecting the verdict. Blocks are rare
- * (they abort the tool call), so the extra write never touches the hot path.
- *
- * A broken guard must NEVER block the operator's harness: ANY internal error →
- * silent exit 0 (fail-open). Set WYRM_GUARD_DEBUG=1 to surface the swallowed
- * reason on stderr (still exit 0 — debug output never blocks).
- *
- * Operator escape hatch: WYRM_GUARD_MODE=warn (downgrade blocks to warns) |
- * off (disable entirely). Article I: fully offline, local DB only. Article
- * VII: read-only handle, every value a bound parameter (inside
- * FailurePatterns), stored text control-char-stripped + length-capped before
- * it is rendered into hook output.
- *
- * Install: scripts/hooks/install.sh wires the PreToolUse matchers
- * (`Bash` and `Edit|Write|MultiEdit|NotebookEdit`) into ~/.claude/settings.json.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later — dual-licensed; commercial terms: ghosts.lk@proton.me. See LICENSE.
- */
-import Database from 'better-sqlite3';
-import { readFileSync, realpathSync } from 'node:fs';
-import { homedir } from 'node:os';
-import { basename, dirname, isAbsolute, join, relative, resolve, sep } from 'node:path';
-import { fileURLToPath } from 'node:url';
-import { FailurePatterns, normalizeIdentity, } from './failure-patterns.js';
-import { LEGACY_ENVELOPE, runWithActor, sanitizeActorId } from './handlers/boundary.js';
-const SILENT = { exitCode: 0, stdout: '', stderr: '' };
-/** Tools whose signal is a file path (+ content). Mirrors wyrm-push.py. */
-const FILE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit', 'NotebookEdit']);
-/** How many warn-context matches to render at most. */
-const WARN_MATCH_CAP = 3;
-/** Max levels walked up when resolving cwd → projects.path. */
-const PROJECT_WALK_LEVELS = 10;
-// ── small helpers (all pure) ────────────────────────────────────────────────
-function asString(v) {
-    return typeof v === 'string' && v.length > 0 ? v : null;
-}
-/** Strip control chars + cap length before stored text reaches hook output. */
-function clean(s, max) {
-    if (!s)
-        return '';
-    // eslint-disable-next-line no-control-regex
-    return s.replace(/[\x00-\x1f\x7f]/g, ' ').replace(/\s+/g, ' ').trim().slice(0, max);
-}
-/** Extract the deterministic check signal from a PreToolUse payload, or null
- * when the payload is not ours to judge (wrong event/tool/shape → SILENT). */
-function extractSignal(payload) {
-    const event = payload['hook_event_name'];
-    if (event !== undefined && event !== 'PreToolUse')
-        return null;
-    const toolName = payload['tool_name'];
-    const input = payload['tool_input'];
-    if (typeof toolName !== 'string' || typeof input !== 'object' || input === null)
-        return null;
-    const toolInput = input;
-    const cwd = asString(payload['cwd']);
-    if (toolName === 'Bash') {
-        const command = asString(toolInput['command'])?.trim();
-        if (!command)
-            return null;
-        const capped = command.slice(0, 1000); // FTS probe + display stay bounded
-        return {
-            scopes: ['command'],
-            probeTarget: capped,
-            // Identity is the FULL command, uncapped: commands differing only past
-            // any cap are DIFFERENT actions, and the comparison cost is one linear
-            // normalize pass — the cap above bounds only the recall/display paths.
-            identity: [command],
-            display: clean(capped, 80),
-            startDir: cwd,
-            absPath: null,
-        };
-    }
-    if (FILE_TOOLS.has(toolName)) {
-        const filePath = asString(toolInput['file_path']) ?? asString(toolInput['notebook_path']);
-        if (!filePath)
-            return null;
-        // Content signal — extracted/shape-checked (see header for why it is not
-        // fed to the FTS probe).
-        const edits = toolInput['edits'];
-        const content = asString(toolInput['new_string'])
-            ?? asString(toolInput['content'])
-            ?? asString(toolInput['new_source'])
-            ?? (Array.isArray(edits)
-                ? edits.map((e) => asString(e?.['new_string']) ?? '').join(' ')
-                : '');
-        void content; // reserved for a future contains-pattern tier
-        const abs = isAbsolute(filePath)
-            ? resolve(filePath)
-            : cwd && isAbsolute(cwd) ? resolve(cwd, filePath) : null;
-        return {
-            scopes: ['file', 'edit'],
-            probeTarget: basename(filePath).slice(0, 200),
-            // identity candidates: as-given + absolute, RAW and uncapped (same
-            // full-identity rule as the Bash candidate — deep paths must not alias
-            // at a truncation boundary); the project-relative form is appended in
-            // runGuard once the project root is known.
-            identity: dedupe([filePath, ...(abs ? [abs] : [])]),
-            display: clean(filePath, 80),
-            startDir: abs ? dirname(abs) : cwd,
-            absPath: abs,
-        };
-    }
-    return null;
-}
-/** Dedupe identity candidates by their normalizeIdentity image (the form
- * every identity comparison uses), keeping the first raw spelling. */
-function dedupe(xs) {
-    const seen = new Set();
-    const out = [];
-    for (const x of xs) {
-        const key = normalizeIdentity(x);
-        if (key.length === 0 || seen.has(key))
-            continue;
-        seen.add(key);
-        out.push(x);
-    }
-    return out;
-}
-/** Walk up from startDir matching projects.path (indexed UNIQUE lookup per
- * level, ≤PROJECT_WALK_LEVELS). Unenrolled → null (global failures still apply). */
-function resolveProject(db, startDir) {
-    if (!startDir)
-        return { id: null, root: null };
-    const stmt = db.prepare('SELECT id FROM projects WHERE path = ?');
-    let p = resolve(startDir);
-    for (let i = 0; i < PROJECT_WALK_LEVELS; i++) {
-        const row = stmt.get(p);
-        if (row)
-            return { id: row.id, root: p };
-        const parent = dirname(p);
-        if (parent === p)
-            break;
-        p = parent;
-    }
-    return { id: null, root: null };
-}
-// ── rendering (plain ASCII — spec FR-3 renderer discipline) ─────────────────
-function attributionLine(m) {
-    if (m.recorded_by_agent === 'legacy' && m.run_id === null)
-        return '';
-    const run = m.run_id
-        ? ` (run ${clean(m.run_id, 32)}${m.quarantine_scope === 'run' ? ', run-quarantined' : ''})`
-        : '';
-    return `  recorded by: ${clean(m.recorded_by_agent, 64)}${run}\n`;
-}
-function renderBlock(m, reason, extra) {
-    const desc = m.description ? `  description: ${clean(m.description, 200)}\n` : '';
-    const why = m.why_failed ? `  failed because: ${clean(m.why_failed, 300)}\n` : '';
-    const reasonText = reason === 'exact'
-        ? 'this exact action is a recorded unresolved failure'
-        : 'this exact target previously failed and the failure is unresolved';
-    return (`wyrm-guard: BLOCKED — ${reasonText} (deterministic ${reason} match).\n` +
-        `  failure #${m.id} [${m.severity}/${m.scope}] seen ${m.occurrences}x, last ${clean(m.last_seen, 32)}\n` +
-        `  target: ${clean(m.target, 120)}\n` +
-        desc +
-        why +
-        attributionLine(m) +
-        'Do NOT retry the same action — pick a different approach. If the underlying\n' +
-        `issue is truly fixed, resolve the failure first (wyrm_failure_resolve id=${m.id})\n` +
-        'and then retry.\n' +
-        (extra > 0 ? `(+${extra} more recorded match${extra === 1 ? '' : 'es'} — wyrm_failure_list)\n` : ''));
-}
-function renderWarn(matches, display) {
-    const shown = matches.slice(0, WARN_MATCH_CAP);
-    const lines = shown.map((m) => {
-        const why = m.why_failed ?? m.description;
-        return `- #${m.id} [${m.severity}/${m.scope}] ${clean(m.target, 80)} ` +
-            `(seen ${m.occurrences}x, confidence ${m.confidence}): ${clean(why, 160)}`;
-    });
-    const extra = matches.length - shown.length;
-    return [
-        '<wyrm-memory>',
-        `wyrm-guard: ${matches.length} recorded unresolved failure(s) look similar to \`${display}\` — check before proceeding:`,
-        ...lines,
-        ...(extra > 0 ? [`(+${extra} more — wyrm_failure_list)`] : []),
-        'If one applies, do not repeat it — adjust the approach or resolve it first (wyrm_failure_resolve).',
-        '</wyrm-memory>',
-    ].join('\n');
-}
-function warnResult(matches, display) {
-    const body = {
-        hookSpecificOutput: {
-            hookEventName: 'PreToolUse',
-            additionalContext: renderWarn(matches, display),
-        },
-    };
-    return { exitCode: 0, stdout: JSON.stringify(body) + '\n', stderr: '' };
-}
-// ── the guard ───────────────────────────────────────────────────────────────
-/**
- * The whole guard as a pure-ish function of (stdin, env) — exported so tests
- * exercise every path in-process. NEVER throws: any internal error returns
- * SILENT (fail-open — a broken guard must never block the operator's harness).
- */
-export function runGuard(stdinText, env = process.env) {
-    let db = null;
-    try {
-        const mode = (env.WYRM_GUARD_MODE ?? 'block').toLowerCase();
-        if (mode === 'off')
-            return SILENT;
-        if (!stdinText || !stdinText.trim())
-            return SILENT;
-        const parsed = JSON.parse(stdinText);
-        if (typeof parsed !== 'object' || parsed === null)
-            return SILENT;
-        const signal = extractSignal(parsed);
-        if (!signal)
-            return SILENT;
-        const dbPath = env.WYRM_DB_PATH ?? join(homedir(), '.wyrm', 'wyrm.db');
-        db = new Database(dbPath, { readonly: true, fileMustExist: true });
-        db.pragma('busy_timeout = 100'); // a locked DB fails open, never hangs the harness
-        const { id: projectId, root } = resolveProject(db, signal.startDir);
-        // Project-relative identity candidate for file probes (recorders commonly
-        // key file failures by relpath). RAW like every identity candidate.
-        const identity = [...signal.identity];
-        if (root && signal.absPath && signal.absPath.startsWith(root + sep)) {
-            identity.push(relative(root, signal.absPath));
-        }
-        // The caller's run identity — explicit (deterministic in (stdin, env)),
-        // honoring the same WYRM_RUN_ID convention the ambient envelope uses.
-        const callerRunId = sanitizeActorId(env.WYRM_RUN_ID) ?? null;
-        const failures = new FailurePatterns(db);
-        const seen = new Set();
-        const matches = [];
-        const identityCandidates = dedupe(identity);
-        // (a) The checkVerdict stages: the exact-signature tier + FTS fuzzy
-        // recall for the WARN context. Runs first so a genuine full-signature
-        // match keeps its 'exact' classification.
-        for (const scope of signal.scopes) {
-            try {
-                const verdict = failures.checkVerdict(scope, signal.probeTarget, '', projectId, { callerRunId });
-                for (const m of verdict.matches) {
-                    if (!seen.has(m.id)) {
-                        seen.add(m.id);
-                        matches.push(m);
-                    }
-                }
-            }
-            catch {
-                // e.g. a probe that sanitizes to an empty FTS query — skip this scope
-            }
-        }
-        // (b) The deterministic TARGET-IDENTITY tier (v7 F2 review fix): a
-        // dedicated description-independent signature-prefix lookup per identity
-        // candidate — production rows (whose descriptions are never empty) block
-        // on it. Candidates go in RAW: identity equality runs over the FULL
-        // normalizeIdentity forms, and the lookup filters identity before its
-        // result cap — so neither the 200-char signature cap nor higher-ranked
-        // same-prefix cousins (colon-extended npm scripts, URLs, host:port) can
-        // alias or crowd out an identical-target row. Stage (a)'s FTS LIMIT 5
-        // can still be crowded, but it only feeds WARN context — a block never
-        // depends on FTS recall.
-        for (const scope of signal.scopes) {
-            for (const cand of identityCandidates) {
-                try {
-                    for (const row of failures.targetIdentityMatches(scope, cand, projectId, { callerRunId })) {
-                        if (!seen.has(row.id)) {
-                            seen.add(row.id);
-                            matches.push(failures.toVerdictMatch(row, 'target'));
-                        }
-                    }
-                }
-                catch {
-                    // identity probe failure is never fatal — the other stages still ran
-                }
-            }
-        }
-        if (matches.length === 0)
-            return SILENT;
-        // Fuzzy→target upgrade set: FULL normalized identity forms — same truth
-        // predicate as targetIdentityMatches, so a fuzzy-recalled row upgrades to
-        // a block only on whole-string identity, never on a shared capped prefix.
-        const identitySet = new Set(identityCandidates.map((c) => normalizeIdentity(c)));
-        const blockers = matches
-            .map((m) => ({
-            m,
-            reason: m.match === 'exact'
-                ? 'exact'
-                : m.match === 'target' || identitySet.has(normalizeIdentity(m.target))
-                    ? 'target' : null,
-        }))
-            .filter((x) => x.reason !== null)
-            // exact signature identity outranks target identity
-            .sort((a, b) => (a.reason === b.reason ? 0 : a.reason === 'exact' ? -1 : 1));
-        if (blockers.length > 0 && mode !== 'warn') {
-            const top = blockers[0];
-            // v7 F2 review fix: count the prevented repeat (the FR-2 ROI number).
-            // The check connection stays READONLY; the block row rides a separate
-            // short-lived RW connection — strictly best-effort and fail-open.
-            try {
-                const rw = new Database(dbPath, { fileMustExist: true });
-                try {
-                    rw.pragma('busy_timeout = 50'); // a contended ledger is dropped, never waited on
-                    const agentId = sanitizeActorId(env.WYRM_AGENT_ID);
-                    const envelope = agentId !== null || callerRunId !== null
-                        ? { agent_id: agentId, run_id: callerRunId, source: 'env' }
-                        : LEGACY_ENVELOPE;
-                    runWithActor(envelope, () => new FailurePatterns(rw).recordBlock({
-                        blocked: true,
-                        matches: [top.m],
-                        recorded_by_agent: top.m.recorded_by_agent,
-                        run_id: top.m.run_id,
-                        confidence: top.m.confidence,
-                    }, projectId));
-                }
-                finally {
-                    rw.close();
-                }
-            }
-            catch {
-                // fail-open: analytics must never affect the block verdict
-            }
-            return {
-                exitCode: 2,
-                stdout: '',
-                stderr: renderBlock(top.m, top.reason, matches.length - 1),
-            };
-        }
-        return warnResult(matches, signal.display);
-    }
-    catch (err) {
-        if (env.WYRM_GUARD_DEBUG === '1') {
-            const msg = err instanceof Error ? err.message : String(err);
-            return { exitCode: 0, stdout: '', stderr: `wyrm-guard: internal error (fail-open): ${clean(msg, 200)}\n` };
-        }
-        return SILENT;
-    }
-    finally {
-        try {
-            db?.close();
-        }
-        catch { /* readonly close failure is irrelevant */ }
-    }
-}
-// ── bin entry ───────────────────────────────────────────────────────────────
-// realpathSync so the npm bin symlink (wyrm-guard → dist/wyrm-guard.js) still
-// counts as "run directly"; importing this module (tests) never reads stdin.
-const __filename = fileURLToPath(import.meta.url);
-let isMain = false;
-try {
-    isMain = typeof process.argv[1] === 'string' && realpathSync(process.argv[1]) === __filename;
-}
-catch {
-    isMain = false;
-}
-if (isMain) {
-    let stdinText = '';
-    try {
-        stdinText = readFileSync(0, 'utf-8'); // fd 0 — blocks to EOF, like wyrm-push.py
-    }
-    catch {
-        stdinText = '';
-    }
-    const result = runGuard(stdinText);
-    if (result.stdout)
-        process.stdout.write(result.stdout);
-    if (result.stderr)
-        process.stderr.write(result.stderr);
-    process.exit(result.exitCode);
-}
-//# sourceMappingURL=wyrm-guard.js.map
+import S from"better-sqlite3";import{readFileSync as M,realpathSync as I}from"node:fs";import{homedir as L}from"node:os";import{basename as D,dirname as k,isAbsolute as P,join as W,relative as N,resolve as b,sep as O}from"node:path";import{fileURLToPath as j}from"node:url";import{FailurePatterns as R,normalizeIdentity as $}from"./failure-patterns.js";import{LEGACY_ENVELOPE as U,runWithActor as B,sanitizeActorId as T}from"./handlers/boundary.js";const _={exitCode:0,stdout:"",stderr:""},G=new Set(["Edit","Write","MultiEdit","NotebookEdit"]),Y=3,F=10;function p(e){return typeof e=="string"&&e.length>0?e:null}function a(e,t){return e?e.replace(/[\x00-\x1f\x7f]/g," ").replace(/\s+/g," ").trim().slice(0,t):""}function V(e){const t=e.hook_event_name;if(t!==void 0&&t!=="PreToolUse")return null;const o=e.tool_name,s=e.tool_input;if(typeof o!="string"||typeof s!="object"||s===null)return null;const n=s,r=p(e.cwd);if(o==="Bash"){const c=p(n.command)?.trim();if(!c)return null;const d=c.slice(0,1e3);return{scopes:["command"],probeTarget:d,identity:[c],display:a(d,80),startDir:r,absPath:null}}if(G.has(o)){const c=p(n.file_path)??p(n.notebook_path);if(!c)return null;const d=n.edits,g=p(n.new_string)??p(n.content)??p(n.new_source)??(Array.isArray(d)?d.map(h=>p(h?.new_string)??"").join(" "):""),f=P(c)?b(c):r&&P(r)?b(r,c):null;return{scopes:["file","edit"],probeTarget:D(c).slice(0,200),identity:A([c,...f?[f]:[]]),display:a(c,80),startDir:f?k(f):r,absPath:f}}return null}function A(e){const t=new Set,o=[];for(const s of e){const n=$(s);n.length===0||t.has(n)||(t.add(n),o.push(s))}return o}function H(e,t){if(!t)return{id:null,root:null};const o=e.prepare("SELECT id FROM projects WHERE path = ?");let s=b(t);for(let n=0;n<F;n++){const r=o.get(s);if(r)return{id:r.id,root:s};const c=k(s);if(c===s)break;s=c}return{id:null,root:null}}function J(e){if(e.recorded_by_agent==="legacy"&&e.run_id===null)return"";const t=e.run_id?` (run ${a(e.run_id,32)}${e.quarantine_scope==="run"?", run-quarantined":""})`:"";return`  recorded by: ${a(e.recorded_by_agent,64)}${t}
+`}function q(e,t,o){const s=e.description?`  description: ${a(e.description,200)}
+`:"",n=e.why_failed?`  failed because: ${a(e.why_failed,300)}
+`:"";return`wyrm-guard: BLOCKED \u2014 ${t==="exact"?"this exact action is a recorded unresolved failure":"this exact target previously failed and the failure is unresolved"} (deterministic ${t} match).
+  failure #${e.id} [${e.severity}/${e.scope}] seen ${e.occurrences}x, last ${a(e.last_seen,32)}
+  target: ${a(e.target,120)}
+`+s+n+J(e)+`Do NOT retry the same action \u2014 pick a different approach. If the underlying
+issue is truly fixed, resolve the failure first (wyrm_failure_resolve id=${e.id})
+and then retry.
+`+(o>0?`(+${o} more recorded match${o===1?"":"es"} \u2014 wyrm_failure_list)
+`:"")}function z(e,t){const o=e.slice(0,Y),s=o.map(r=>{const c=r.why_failed??r.description;return`- #${r.id} [${r.severity}/${r.scope}] ${a(r.target,80)} (seen ${r.occurrences}x, confidence ${r.confidence}): ${a(c,160)}`}),n=e.length-o.length;return["<wyrm-memory>",`wyrm-guard: ${e.length} recorded unresolved failure(s) look similar to \`${t}\` \u2014 check before proceeding:`,...s,...n>0?[`(+${n} more \u2014 wyrm_failure_list)`]:[],"If one applies, do not repeat it \u2014 adjust the approach or resolve it first (wyrm_failure_resolve).","</wyrm-memory>"].join(`
+`)}function K(e,t){const o={hookSpecificOutput:{hookEventName:"PreToolUse",additionalContext:z(e,t)}};return{exitCode:0,stdout:JSON.stringify(o)+`
+`,stderr:""}}function Q(e,t=process.env){let o=null;try{const s=(t.WYRM_GUARD_MODE??"block").toLowerCase();if(s==="off"||!e||!e.trim())return _;const n=JSON.parse(e);if(typeof n!="object"||n===null)return _;const r=V(n);if(!r)return _;const c=t.WYRM_DB_PATH??W(L(),".wyrm","wyrm.db");o=new S(c,{readonly:!0,fileMustExist:!0}),o.pragma("busy_timeout = 100");const{id:d,root:g}=H(o,r.startDir),f=[...r.identity];g&&r.absPath&&r.absPath.startsWith(g+O)&&f.push(N(g,r.absPath));const h=T(t.WYRM_RUN_ID)??null,w=new R(o),m=new Set,y=[],E=A(f);for(const i of r.scopes)try{const u=w.checkVerdict(i,r.probeTarget,"",d,{callerRunId:h});for(const l of u.matches)m.has(l.id)||(m.add(l.id),y.push(l))}catch{}for(const i of r.scopes)for(const u of E)try{for(const l of w.targetIdentityMatches(i,u,d,{callerRunId:h}))m.has(l.id)||(m.add(l.id),y.push(w.toVerdictMatch(l,"target")))}catch{}if(y.length===0)return _;const C=new Set(E.map(i=>$(i))),v=y.map(i=>({m:i,reason:i.match==="exact"?"exact":i.match==="target"||C.has($(i.target))?"target":null})).filter(i=>i.reason!==null).sort((i,u)=>i.reason===u.reason?0:i.reason==="exact"?-1:1);if(v.length>0&&s!=="warn"){const i=v[0];try{const u=new S(c,{fileMustExist:!0});try{u.pragma("busy_timeout = 50");const l=T(t.WYRM_AGENT_ID);B(l!==null||h!==null?{agent_id:l,run_id:h,source:"env"}:U,()=>new R(u).recordBlock({blocked:!0,matches:[i.m],recorded_by_agent:i.m.recorded_by_agent,run_id:i.m.run_id,confidence:i.m.confidence},d))}finally{u.close()}}catch{}return{exitCode:2,stdout:"",stderr:q(i.m,i.reason,y.length-1)}}return K(y,r.display)}catch(s){if(t.WYRM_GUARD_DEBUG==="1"){const n=s instanceof Error?s.message:String(s);return{exitCode:0,stdout:"",stderr:`wyrm-guard: internal error (fail-open): ${a(n,200)}
+`}}return _}finally{try{o?.close()}catch{}}}const X=j(import.meta.url);let x=!1;try{x=typeof process.argv[1]=="string"&&I(process.argv[1])===X}catch{x=!1}if(x){let e="";try{e=M(0,"utf-8")}catch{e=""}const t=Q(e);t.stdout&&process.stdout.write(t.stdout),t.stderr&&process.stderr.write(t.stderr),process.exit(t.exitCode)}export{Q as runGuard};

package/dist/wyrm-loop.js

@@ -1,62 +1,6 @@
 #!/usr/bin/env node
-/**
- * wyrm-loop — the autonomous scheduler.
- *
- * Long-lived daemon. Wakes up every N seconds, picks the highest-priority
- * active goal that hasn't hit its iteration cap, runs ONE OODA iteration
- * via AgentLoop, logs to agent_actions + goal_iterations, and goes back
- * to sleep. Stops a goal once it completes / blocks / errors.
- *
- * Usage:
- *   wyrm-loop                     # default 10-minute interval, loop forever
- *   wyrm-loop --interval 60       # 60-second interval
- *   wyrm-loop --once              # one iteration, then exit (cron-friendly)
- *   wyrm-loop --goal 42           # only this goal
- *   wyrm-loop --max-steps 3       # max iterations per goal per tick
- *   wyrm-loop --project /path     # scope to project
- *
- * Environment:
- *   WYRM_DB_PATH              path to wyrm.db (default ~/.wyrm/wyrm.db)
- *   WYRM_OLLAMA_URL           default http://localhost:11434
- *   OPENAI_API_KEY            optional fallback
- *   WYRM_LOOP_LOG             '1' to log every tick to stderr
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- */
-import { WyrmDB } from './database.js';
-import { Goals } from './goals.js';
-import { AgentLoop } from './agent-loop.js';
-import { OutboundMcpClient } from './mcp-client.js';
-function parseArgs(argv) {
-    const out = {
-        interval: 600,
-        once: false,
-        maxSteps: 3,
-        verbose: process.env.WYRM_LOOP_LOG === '1',
-    };
-    for (let i = 0; i < argv.length; i++) {
-        const a = argv[i];
-        if (a === '--interval')
-            out.interval = Math.max(10, parseInt(argv[++i], 10) || 600);
-        else if (a === '--once')
-            out.once = true;
-        else if (a === '--goal')
-            out.goalId = parseInt(argv[++i], 10);
-        else if (a === '--max-steps')
-            out.maxSteps = Math.max(1, Math.min(20, parseInt(argv[++i], 10) || 3));
-        else if (a === '--project')
-            out.projectPath = argv[++i];
-        else if (a === '--verbose' || a === '-v')
-            out.verbose = true;
-        else if (a === '--help' || a === '-h') {
-            console.log(USAGE);
-            process.exit(0);
-        }
-    }
-    return out;
-}
-const USAGE = `
-wyrm-loop — autonomous OODA scheduler
+import{WyrmDB as m}from"./database.js";import{Goals as f}from"./goals.js";import{AgentLoop as d}from"./agent-loop.js";import{OutboundMcpClient as h}from"./mcp-client.js";function g(e){const t={interval:600,once:!1,maxSteps:3,verbose:process.env.WYRM_LOOP_LOG==="1"};for(let s=0;s<e.length;s++){const o=e[s];o==="--interval"?t.interval=Math.max(10,parseInt(e[++s],10)||600):o==="--once"?t.once=!0:o==="--goal"?t.goalId=parseInt(e[++s],10):o==="--max-steps"?t.maxSteps=Math.max(1,Math.min(20,parseInt(e[++s],10)||3)):o==="--project"?t.projectPath=e[++s]:o==="--verbose"||o==="-v"?t.verbose=!0:(o==="--help"||o==="-h")&&(console.log(w),process.exit(0))}return t}const w=`
+wyrm-loop \u2014 autonomous OODA scheduler
 
   wyrm-loop [options]
 
@@ -68,95 +12,4 @@ Options
   --project PATH        Scope to a project root
   --verbose, -v         Log every tick to stderr
   --help, -h            Show this help
-`;
-function log(args, msg) {
-    if (args.verbose)
-        console.error(`[wyrm-loop ${new Date().toISOString()}] ${msg}`);
-}
-/** Run a single tick. Returns true if work was done, false on idle. */
-async function tick(args, db, goals, agent) {
-    let goalId = args.goalId;
-    if (!goalId) {
-        let projectId;
-        if (args.projectPath) {
-            const p = db.getProject(args.projectPath);
-            if (!p) {
-                log(args, `project '${args.projectPath}' not registered — idle`);
-                return false;
-            }
-            projectId = p.id;
-        }
-        const next = goals.nextToPursue(projectId);
-        if (!next) {
-            log(args, 'no active goals — idle');
-            return false;
-        }
-        goalId = next.id;
-    }
-    const goal = goals.get(goalId);
-    if (!goal || goal.status !== 'active') {
-        log(args, `goal #${goalId} not active — skipping`);
-        return false;
-    }
-    log(args, `pursuing goal #${goalId}: ${goal.title.slice(0, 80)}`);
-    const results = await agent.pursue(goalId, { max_steps: args.maxSteps });
-    if (results.length === 0) {
-        log(args, `goal #${goalId} returned no iterations`);
-        return false;
-    }
-    const last = results[results.length - 1];
-    log(args, `goal #${goalId} ran ${results.length} iteration(s); last outcome=${last.outcome} (${last.latency_ms}ms, model=${last.model}${last.degraded ? ' DEGRADED' : ''})`);
-    return true;
-}
-async function main() {
-    const args = parseArgs(process.argv.slice(2));
-    const db = new WyrmDB(process.env.WYRM_DB_PATH);
-    const goals = new Goals(db.getDatabase());
-    const mcp = new OutboundMcpClient(db.getDatabase());
-    // Minimal dispatcher for wyrm-loop — reads only, since this is the
-    // autonomous path and we want safe defaults. Goals can still call
-    // write tools via the standard MCP path (wyrm-mcp server), but loop
-    // ticks stick to a conservative subset.
-    const dispatcher = async () => {
-        return { ok: false, error: 'wyrm-loop does not enable internal tool dispatch in this build — use the wyrm-mcp server for full agent runs' };
-    };
-    const agent = new AgentLoop(db.getDatabase(), mcp, dispatcher);
-    let stopped = false;
-    const stop = () => {
-        if (stopped)
-            return;
-        stopped = true;
-        log(args, 'shutting down…');
-        mcp.shutdown().finally(() => {
-            try {
-                db.close();
-            }
-            catch { /* best-effort */ }
-            process.exit(0);
-        });
-    };
-    process.on('SIGINT', stop);
-    process.on('SIGTERM', stop);
-    if (args.verbose) {
-        console.error(`wyrm-loop starting · interval=${args.interval}s · once=${args.once} · max-steps=${args.maxSteps}`);
-    }
-    // Loop
-    while (!stopped) {
-        try {
-            await tick(args, db, goals, agent);
-        }
-        catch (err) {
-            console.error(`wyrm-loop tick error: ${err.message}`);
-        }
-        if (args.once) {
-            stop();
-            return;
-        }
-        await new Promise(r => { setTimeout(r, args.interval * 1000); });
-    }
-}
-main().catch(err => {
-    console.error(`wyrm-loop fatal: ${err.message}`);
-    process.exit(1);
-});
-//# sourceMappingURL=wyrm-loop.js.map
+`;function i(e,t){e.verbose&&console.error(`[wyrm-loop ${new Date().toISOString()}] ${t}`)}async function v(e,t,s,o){let r=e.goalId;if(!r){let l;if(e.projectPath){const u=t.getProject(e.projectPath);if(!u)return i(e,`project '${e.projectPath}' not registered \u2014 idle`),!1;l=u.id}const p=s.nextToPursue(l);if(!p)return i(e,"no active goals \u2014 idle"),!1;r=p.id}const c=s.get(r);if(!c||c.status!=="active")return i(e,`goal #${r} not active \u2014 skipping`),!1;i(e,`pursuing goal #${r}: ${c.title.slice(0,80)}`);const n=await o.pursue(r,{max_steps:e.maxSteps});if(n.length===0)return i(e,`goal #${r} returned no iterations`),!1;const a=n[n.length-1];return i(e,`goal #${r} ran ${n.length} iteration(s); last outcome=${a.outcome} (${a.latency_ms}ms, model=${a.model}${a.degraded?" DEGRADED":""})`),!0}async function x(){const e=g(process.argv.slice(2)),t=new m(process.env.WYRM_DB_PATH),s=new f(t.getDatabase()),o=new h(t.getDatabase()),r=async()=>({ok:!1,error:"wyrm-loop does not enable internal tool dispatch in this build \u2014 use the wyrm-mcp server for full agent runs"}),c=new d(t.getDatabase(),o,r);let n=!1;const a=()=>{n||(n=!0,i(e,"shutting down\u2026"),o.shutdown().finally(()=>{try{t.close()}catch{}process.exit(0)}))};for(process.on("SIGINT",a),process.on("SIGTERM",a),e.verbose&&console.error(`wyrm-loop starting \xB7 interval=${e.interval}s \xB7 once=${e.once} \xB7 max-steps=${e.maxSteps}`);!n;){try{await v(e,t,s,c)}catch(l){console.error(`wyrm-loop tick error: ${l.message}`)}if(e.once){a();return}await new Promise(l=>{setTimeout(l,e.interval*1e3)})}}x().catch(e=>{console.error(`wyrm-loop fatal: ${e.message}`),process.exit(1)});

package/dist/wyrm-manifest.json

@@ -1,6 +1,6 @@
 {
   "contract": "wyrm-cloud-memory-v1",
-  "version": "7.2.1",
+  "version": "7.2.2",
   "generatedBy": "scripts/gen-tool-manifest.mjs (from the dist/ registry modules — never hand-edited)",
   "tiers": {
     "core": [

package/dist/wyrm-statusline-daemon.js

@@ -1,12 +1,2 @@
 #!/usr/bin/env node
-/**
- * wyrm-statusline-daemon — long-lived process serving statusline queries.
- *
- * Auto-spawned by the wyrm-statusline binary on first call. Listens on
- * ~/.wyrm/statusline.sock. Idle-times-out after 5 minutes of no requests.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- */
-import { runDaemon } from './statusline.js';
-runDaemon();
-//# sourceMappingURL=wyrm-statusline-daemon.js.map
+import{runDaemon as m}from"./statusline.js";m();