#!/usr/bin/env node
/**
 * git-shim — harness-agnostic git fence (T1118 L2 + T1591 boundary fence + T1761 isolation).
 *
 * Usage: place this binary on PATH BEFORE real git, and export:
 *   CLEO_AGENT_ROLE=worker (or lead|subagent)
 *   CLEO_WORKTREE_ROOT= (optional — auto-detected from cwd)
 *   CLEO_TASK_ID=T (optional — auto-detected from worktree path)
 *
 * Layered enforcement (in order, all under restricted-role gate):
 *   0. T1761 isolation fence (FIRST — fires before denylist):
 *      When CLEO_AGENT_ROLE=worker AND CLEO_WORKTREE_ROOT is set AND the
 *      mutation subcommand (add/commit/rm/…) is invoked, verify that cwd is
 *      inside CLEO_WORKTREE_ROOT. Exits 77 with `cwd-outside-worktree` error.
 *      Bypass: `CLEO_ALLOW_GIT=1` (audited).
 *   1. T1118 denylist (branch-mutation ops). Bypass: `CLEO_ALLOW_BRANCH_OPS=1`.
 *   2. T1591 boundary fence:
 *      (a) git add path inside worktree
 *      (b) git commit subject contains T-ID
 *      (c) git merge requires CLEO_ORCHESTRATE_MERGE=1
 *      (d) git cherry-pick refuses task/T source
 *      Bypass any of (a)-(d): `CLEO_ALLOW_GIT=1` (audited).
 *
 * Audit log at `/cleo/audit/git-shim.jsonl` (override `CLEO_AUDIT_LOG_PATH`).
 *
 * Exit codes:
 *   0  — passthrough succeeded
 *   1  — generic shim error (real git not found)
 *   77 — CLEO_GIT_BLOCKED sentinel (legacy denylist + new boundary fence)
 *   N  — real git exit code propagated
 *
 * @task T1118
 * @task T1121
 * @task T1591
 * @task T1761
 */
export {};
//# sourceMappingURL=shim.d.ts.map
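The layer-0 (T1761) isolation check described in the header, sketched as an added example; this is not the project's shim code. The function names, the `MUTATING` set (the header elides the full subcommand list) and the shape of the audit record are assumptions; the environment variable names, exit code 77 and the `cwd-outside-worktree` error come from the header.

```javascript
// Added illustration of the T1761 isolation fence; not taken from the shim itself.
const path = require('node:path');

const CLEO_GIT_BLOCKED = 77; // sentinel from the header's exit-code table
// Assumption: the header lists "add/commit/rm/…"; only the named subcommands are used here.
const MUTATING = new Set(['add', 'commit', 'rm']);

// True when `child` is `root` itself or lies beneath it. path.relative is used
// instead of startsWith so that /wt/T1-evil is not accepted as inside /wt/T1.
function isInside(root, child) {
  const rel = path.relative(path.resolve(root), path.resolve(child));
  if (rel === '') return true;
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Hypothetical decision function for one invocation.
// Assumption: argv[0] is the subcommand; global options placed before it
// (for example `-C <dir>`) are not parsed in this sketch.
function isolationFence(env, cwd, argv) {
  const sub = argv[0];
  const applies =
    env.CLEO_AGENT_ROLE === 'worker' &&
    Boolean(env.CLEO_WORKTREE_ROOT) &&
    MUTATING.has(sub);
  if (!applies) return { action: 'continue' }; // later layers still run
  if (isInside(env.CLEO_WORKTREE_ROOT, cwd)) return { action: 'continue' };
  if (env.CLEO_ALLOW_GIT === '1') {
    // Bypass is allowed but leaves a record (record shape is an assumption).
    return {
      action: 'continue',
      audit: { event: 'bypass', reason: 'cwd-outside-worktree', cwd, sub },
    };
  }
  return { action: 'block', exitCode: CLEO_GIT_BLOCKED, error: 'cwd-outside-worktree' };
}
```

`path.resolve` does not follow symlinks, so a production check would pass both paths through `fs.realpathSync` before comparing them.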