@agentplate/cli 1.0.0

package/agents/verifier.md

@@ -0,0 +1,106 @@
+# Verifier Agent
+
+You are a **verifier** in the Agentplate delivery pipeline. Your job is to **prove the
+deployment actually works**: smoke-test the live URL and health endpoints the
+deployer produced, report a pass/fail backed by concrete evidence, and — on failure
+— optionally request a rollback. You are a **leaf node** — you never spawn other
+agents.
+
+The reusable HOW lives in this file. The per-task WHAT (your task ID, the target,
+environment, the deployment's URLs/`deploymentId`, your agent name, parent) comes
+from the overlay `CLAUDE.md` in your worktree. Read it first; it overrides anything
+generic here.
+
+## Core Discipline: Read-Only, But Networked
+
+You **never modify source files** — no edits, no writes to the repo, no commits,
+no config. Your output is a *verdict*, delivered as mail.
+
+What you *do* get is **network access**: you reach out to the deployed URL and
+probe it for real. Verification is empirical — you confirm the running deployment,
+not the plan or the config.
+
+The only things you may write are scratch notes under `/tmp` (never inside the
+repo).
+
+### Failure Mode (avoid this above all)
+
+- **FALSE_GREEN** — reporting `healthy` / `verify_done` without a real probe. This
+  is the one failure that defeats the whole pipeline: it lets a broken deploy look
+  shipped. **Never** assert health you did not observe. Every "ok" in your verdict
+  must be backed by an actual response (a status code, a body match, a latency).
+  If you could not reach the deployment, that is a **fail**, not an unknown-pass.
+
+## When to Act Immediately
+
+Begin the moment you are spawned.
+
+1. Read your overlay `CLAUDE.md` for the target, environment, and the
+   deployment's URLs and `deploymentId`.
+2. `agentplate mail check` for the deployer's `deploy_done` (with the live URLs) and
+   any specific checks your parent wants run.
+3. Probe the deployment.
+
+## How to Verify
+
+Drive verification through the engine; it invokes the target adapter's `verify()`
+(read-only, health/smoke checks) and returns a `VerifyResult` (`healthy`, a list
+of named `checks` with `ok` + `detail`, and the `probedUrl`).
+
+```bash
+agentplate verify --target <target> --env <environment>
+```
+
+Probe like you mean it:
+
+- **Hit the real URL.** Request the deployed endpoint(s); confirm an actual
+  `2xx`/expected status, not just DNS resolving.
+- **Check the health endpoint** if the app exposes one; confirm the body, not only
+  the code.
+- **Exercise a representative path** when the overlay names one (a critical route,
+  an API ping), so "healthy" means *serving*, not merely *listening*.
+- **Record the evidence** — status codes, body snippets, latencies — so each
+  check's `detail` shows *why* it passed or failed.
+
+## Optional: Request Rollback on Failure
+
+You do **not** roll back yourself — that is an outward-facing mutation, the
+deployer's gated job. If the deployment is unhealthy and your overlay/parent wants
+the environment restored, **request** a rollback via mail (include the
+`deploymentId` so the deployer can target it), then let the deployer execute it.
+
+## Communication Protocol
+
+You report to your parent via mail. Lead with the verdict, then the evidence.
+
+- **Progress** — `--type status` for interim notes during a longer probe sweep.
+- **Rollback request** — `--type escalation` when the deployment is unhealthy and
+  the environment should be rolled back; name the `deploymentId` and the failing
+  checks so the deployer can act.
+
+## Completion Protocol
+
+Your terminal mail is **`verify_done`** when the deployment is genuinely healthy or
+**`verify_failed`** when it is not — this is what the runner watches to close your
+session.
+
+**On a verified pass** (real probes, all green):
+
+```bash
+agentplate mail send --to <parent> \
+  --subject "Verify done: <taskId>" \
+  --body "Healthy. Probed https://app-staging.example.com → 200 (12ms); /health → 200 {\"status\":\"ok\"}; GET /api/ping → 200. All checks green." \
+  --type verify_done
+```
+
+**On a fail** (a probe failed, or the deployment was unreachable):
+
+```bash
+agentplate mail send --to <parent> \
+  --subject "Verify failed: <taskId>" \
+  --body "Unhealthy. https://app-staging.example.com → 502 on /; /health unreachable. Rollback requested (deploymentId sha256:abc123) — see escalation." \
+  --type verify_failed
+```
+
+Send exactly one terminal mail (`verify_done` **or** `verify_failed`), grounded in
+probes you actually ran, then stop. Never green a deployment you did not observe.

package/package.json

@@ -0,0 +1,64 @@
+{
+	"name": "@agentplate/cli",
+	"version": "1.0.0",
+	"publishConfig": {
+		"access": "public"
+	},
+	"description": "Self-improving multi-agent orchestration that takes you from build → CI/CD → deploy. Interactive setup wizard, pluggable AI providers, agent swarms in git worktrees.",
+	"type": "module",
+	"license": "MIT",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/agentplate/agentplate.git"
+	},
+	"homepage": "https://github.com/agentplate/agentplate",
+	"keywords": [
+		"ai",
+		"agents",
+		"orchestration",
+		"multi-agent",
+		"swarm",
+		"deploy",
+		"ci-cd",
+		"self-improving",
+		"cli",
+		"developer-tools"
+	],
+	"bin": {
+		"agentplate": "src/index.ts",
+		"ap": "src/index.ts"
+	},
+	"main": "src/index.ts",
+	"files": [
+		"src",
+		"agents",
+		"templates",
+		"ui/dist",
+		"LICENSE",
+		"CHANGELOG.md"
+	],
+	"engines": {
+		"bun": ">=1.0"
+	},
+	"scripts": {
+		"test": "bun test",
+		"lint": "biome check .",
+		"lint:fix": "biome check --write .",
+		"typecheck": "tsc --noEmit",
+		"check": "bun test && biome check . && tsc --noEmit",
+		"build:ui": "cd ui && bun install && bun run build",
+		"prepack": "bun run build:ui"
+	},
+	"dependencies": {
+		"@clack/prompts": "^0.11.0",
+		"chalk": "^5.6.2",
+		"commander": "^14.0.3",
+		"js-yaml": "^4.1.1"
+	},
+	"devDependencies": {
+		"@biomejs/biome": "2.3.15",
+		"@types/bun": "latest",
+		"@types/js-yaml": "^4.0.9",
+		"typescript": "^5.9.0"
+	}
+}

package/src/agents/guard-rules.ts

@@ -0,0 +1,55 @@
+/**
+ * Shared guard rules.
+ *
+ * Single source of truth for "what is a dangerous shell command" and similar
+ * safety constants. Used by skill safety scrubbing (Phase 3) and, later, by
+ * agent tool guards and deploy guards (Phase 4). Centralized so the definition
+ * of "dangerous" never drifts between subsystems.
+ */
+
+/**
+ * Regexes matching shell commands that must never appear in a distilled skill's
+ * snippets (destructive, networked-pipe-to-shell, privilege escalation, or
+ * outward-facing mutations that belong only to a gated deployer).
+ */
+export const DANGEROUS_BASH_PATTERNS: RegExp[] = [
+	/\brm\s+-rf?\b/i, // recursive force delete
+	/\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba)?sh\b/i, // curl … | sh
+	/\bsudo\b/i, // privilege escalation
+	/\bgit\s+push\b/i, // pushing from inside a skill
+	/\bgit\s+reset\s+--hard\b/i, // destructive reset
+	/\b(mkfs|dd)\b/i, // disk-level operations
+	/\bchmod\s+-R\s+0?777\b/i, // world-writable recursion
+	/:\(\)\s*\{\s*:\|:&\s*\}\s*;/, // fork bomb
+	/>\s*\/dev\/sd[a-z]/i, // writing to a raw disk
+	/\beval\b\s+["'`$]/i, // eval of dynamic input
+];
+
+/** Outward-facing deploy/apply verbs (reserved for the gated deployer, Phase 4). */
+export const DEPLOY_VERB_PATTERNS: RegExp[] = [
+	/\bterraform\s+apply\b/i,
+	/\bkubectl\s+apply\b/i,
+	/\bhelm\s+(install|upgrade)\b/i,
+	/\bdocker\s+push\b/i,
+	/\bvercel\b[^\n]*--prod\b/i,
+];
+
+/** Does the text contain a dangerous shell command? */
+export function hasDangerousCommand(text: string): boolean {
+	return DANGEROUS_BASH_PATTERNS.some((re) => re.test(text));
+}
+
+/** Return every dangerous pattern that matches (for reporting which line tripped). */
+export function findDangerousCommands(text: string): string[] {
+	const hits: string[] = [];
+	for (const re of DANGEROUS_BASH_PATTERNS) {
+		const m = text.match(re);
+		if (m) hits.push(m[0]);
+	}
+	return hits;
+}
+
+/** Does the text contain an outward-facing deploy/apply verb? */
+export function hasDeployVerb(text: string): boolean {
+	return DEPLOY_VERB_PATTERNS.some((re) => re.test(text));
+}

package/src/agents/identity.test.ts

@@ -0,0 +1,161 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { existsSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import yaml from "js-yaml";
+import { ConfigError } from "../errors.ts";
+import { type AgentIdentity, createIdentity, loadIdentity, updateIdentity } from "./identity.ts";
+
+// Real filesystem against a throwaway temp dir — no mocks. The module only
+// touches the fs + YAML, so a plain temp root (no git) is sufficient.
+let root: string;
+
+beforeEach(() => {
+	root = mkdtempSync(join(tmpdir(), "agentplate-identity-"));
+});
+
+afterEach(() => {
+	rmSync(root, { recursive: true, force: true });
+});
+
+/** Path where the module is expected to store an agent's CV. */
+function identityFile(name: string): string {
+	return join(root, ".agentplate", "agents", name, "identity.yaml");
+}
+
+describe("createIdentity", () => {
+	test("creates the directory and file with sane defaults", () => {
+		const id = createIdentity(root, "alice", "builder");
+
+		expect(id.name).toBe("alice");
+		expect(id.capability).toBe("builder");
+		expect(id.sessionsCompleted).toBe(0);
+		expect(id.expertiseDomains).toEqual([]);
+		expect(id.recentTasks).toEqual([]);
+		// created is an ISO-8601 string.
+		expect(new Date(id.created).toISOString()).toBe(id.created);
+		expect(existsSync(identityFile("alice"))).toBe(true);
+	});
+
+	test("is idempotent: returns existing identity without clobbering history", () => {
+		createIdentity(root, "bob", "scout");
+		updateIdentity(root, "bob", { taskId: "t-1", summary: "did a thing" });
+
+		// Re-create with a different capability — must NOT reset the CV.
+		const again = createIdentity(root, "bob", "reviewer");
+		expect(again.capability).toBe("scout"); // original preserved
+		expect(again.sessionsCompleted).toBe(1);
+		expect(again.recentTasks).toHaveLength(1);
+	});
+});
+
+describe("loadIdentity", () => {
+	test("returns null when no identity exists", () => {
+		expect(loadIdentity(root, "ghost")).toBeNull();
+	});
+
+	test("round-trips a created identity", () => {
+		const created = createIdentity(root, "carol", "lead");
+		const loaded = loadIdentity(root, "carol");
+		expect(loaded).not.toBeNull();
+		expect(loaded).toEqual(created);
+	});
+
+	test("treats an empty file as no identity", () => {
+		const path = identityFile("empty");
+		// Create the dir via a real identity first, then blank the file.
+		createIdentity(root, "empty", "builder");
+		writeFileSync(path, "", "utf8");
+		expect(loadIdentity(root, "empty")).toBeNull();
+	});
+
+	test("throws ConfigError on malformed YAML", () => {
+		const path = identityFile("broken");
+		createIdentity(root, "broken", "builder");
+		writeFileSync(path, "name: [unclosed\n", "utf8");
+		expect(() => loadIdentity(root, "broken")).toThrow(ConfigError);
+	});
+});
+
+describe("updateIdentity", () => {
+	test("increments sessionsCompleted on each update", () => {
+		createIdentity(root, "dave", "builder");
+
+		const first = updateIdentity(root, "dave", { domains: ["api"] });
+		expect(first.sessionsCompleted).toBe(1);
+
+		const second = updateIdentity(root, "dave", { domains: ["db"] });
+		expect(second.sessionsCompleted).toBe(2);
+
+		// Persisted, not just in-memory.
+		const reloaded = loadIdentity(root, "dave");
+		expect(reloaded?.sessionsCompleted).toBe(2);
+		expect(reloaded?.expertiseDomains).toEqual(["api", "db"]);
+	});
+
+	test("merges domains uniquely, preserving first-seen order", () => {
+		createIdentity(root, "erin", "builder");
+		updateIdentity(root, "erin", { domains: ["api", "db"] });
+		const out = updateIdentity(root, "erin", { domains: ["db", "ui", "api"] });
+		expect(out.expertiseDomains).toEqual(["api", "db", "ui"]);
+	});
+
+	test("appends a task only when taskId is provided", () => {
+		createIdentity(root, "frank", "builder");
+
+		// No taskId -> no task appended, but session still counts.
+		const noTask = updateIdentity(root, "frank", { domains: ["api"] });
+		expect(noTask.recentTasks).toHaveLength(0);
+		expect(noTask.sessionsCompleted).toBe(1);
+
+		const withTask = updateIdentity(root, "frank", {
+			taskId: "task-42",
+			summary: "implemented endpoint",
+		});
+		expect(withTask.recentTasks).toHaveLength(1);
+		const last = withTask.recentTasks.at(-1);
+		expect(last?.taskId).toBe("task-42");
+		expect(last?.summary).toBe("implemented endpoint");
+		const completedAt = last?.completedAt ?? "";
+		expect(new Date(completedAt).toISOString()).toBe(completedAt);
+	});
+
+	test("creates an identity on the fly if none exists", () => {
+		// No createIdentity call first.
+		const id = updateIdentity(root, "grace", { taskId: "t-1", summary: "s" });
+		expect(id.sessionsCompleted).toBe(1);
+		expect(id.recentTasks).toHaveLength(1);
+		expect(existsSync(identityFile("grace"))).toBe(true);
+	});
+
+	test("caps recentTasks at 20, keeping the newest (push 25, expect 20)", () => {
+		createIdentity(root, "heidi", "builder");
+
+		for (let i = 0; i < 25; i++) {
+			updateIdentity(root, "heidi", { taskId: `task-${i}`, summary: `summary ${i}` });
+		}
+
+		const loaded = loadIdentity(root, "heidi");
+		expect(loaded).not.toBeNull();
+		expect(loaded?.recentTasks).toHaveLength(20);
+		// Oldest five (task-0..task-4) dropped; newest is last.
+		expect(loaded?.recentTasks[0]?.taskId).toBe("task-5");
+		expect(loaded?.recentTasks.at(-1)?.taskId).toBe("task-24");
+		// 25 updates -> 25 sessions counted regardless of the cap.
+		expect(loaded?.sessionsCompleted).toBe(25);
+	});
+});
+
+describe("on-disk format", () => {
+	test("identity.yaml is valid YAML round-trippable by js-yaml", () => {
+		createIdentity(root, "ivan", "merger");
+		updateIdentity(root, "ivan", { taskId: "t-1", summary: "x", domains: ["api"] });
+
+		const text = readFileSync(identityFile("ivan"), "utf8");
+		const parsed = yaml.load(text) as AgentIdentity;
+		expect(parsed.name).toBe("ivan");
+		expect(parsed.capability).toBe("merger");
+		expect(parsed.expertiseDomains).toEqual(["api"]);
+		expect(parsed.recentTasks[0]?.taskId).toBe("t-1");
+	});
+});

package/src/agents/identity.ts

@@ -0,0 +1,229 @@
+/**
+ * Persistent agent identity (CV).
+ *
+ * Each agent accumulates a small "CV" across the sessions it runs: how many it
+ * has completed, which expertise domains it has touched, and a rolling list of
+ * its most recent tasks. This survives worktree cleanup because it is stored
+ * under the *main* project's `.agentplate/` tree (not inside the agent's throwaway
+ * worktree), so a long-lived named agent keeps its history run after run.
+ *
+ * Storage is one YAML file per agent at
+ * `<root>/.agentplate/agents/<agentName>/identity.yaml`. We use js-yaml (the same
+ * dependency and read/write style as `config.ts` and `secrets.ts`) rather than a
+ * hand-rolled serializer so the format stays human-editable and robust.
+ *
+ * Why local types: {@link AgentIdentity} is not part of the shared `types.ts`
+ * surface — it is an implementation detail of this module — so it is declared
+ * here to keep the cross-module type barrel lean.
+ */
+
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import yaml from "js-yaml";
+import { AGENTPLATE_DIR } from "../config.ts";
+import { ConfigError } from "../errors.ts";
+
+/** Filename of an agent's CV within its identity directory. */
+const IDENTITY_FILENAME = "identity.yaml";
+
+/**
+ * Maximum number of recent tasks retained on an identity. Older entries are
+ * dropped from the front so the file stays small; the newest task is last.
+ */
+const MAX_RECENT_TASKS = 20;
+
+/** One entry in an agent's rolling task history. */
+export interface RecentTask {
+	taskId: string;
+	summary: string;
+	/** ISO-8601 timestamp of when the task completed. */
+	completedAt: string;
+}
+
+/** A persistent agent CV. */
+export interface AgentIdentity {
+	/** Unique agent name (also the directory name under `.agentplate/agents/`). */
+	name: string;
+	/** The capability this agent was created for (e.g. "builder"). */
+	capability: string;
+	/** ISO-8601 timestamp of first creation. */
+	created: string;
+	/** Count of sessions this agent has completed. */
+	sessionsCompleted: number;
+	/** Distinct expertise domains the agent has worked in. */
+	expertiseDomains: string[];
+	/** Rolling history of the most recent tasks (newest last), capped at 20. */
+	recentTasks: RecentTask[];
+}
+
+/** Absolute path to an agent's identity directory under the project root. */
+function identityDir(root: string, name: string): string {
+	return join(root, AGENTPLATE_DIR, "agents", name);
+}
+
+/** Absolute path to an agent's `identity.yaml`. */
+function identityPath(root: string, name: string): string {
+	return join(identityDir(root, name), IDENTITY_FILENAME);
+}
+
+/**
+ * Coerce an unknown parsed YAML value into a normalized {@link AgentIdentity}.
+ *
+ * We do not trust the on-disk shape (it may be hand-edited or written by an
+ * older version), so every field is validated/defaulted defensively. Unknown or
+ * malformed entries are skipped rather than crashing a long-lived agent.
+ */
+function coerceIdentity(parsed: unknown, name: string): AgentIdentity {
+	if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+		throw new ConfigError(`Expected a mapping in identity file for agent "${name}"`);
+	}
+	const obj = parsed as Record<string, unknown>;
+
+	const expertiseDomains: string[] = [];
+	if (Array.isArray(obj.expertiseDomains)) {
+		for (const domain of obj.expertiseDomains) {
+			if (typeof domain === "string" && domain !== "") expertiseDomains.push(domain);
+		}
+	}
+
+	const recentTasks: RecentTask[] = [];
+	if (Array.isArray(obj.recentTasks)) {
+		for (const entry of obj.recentTasks) {
+			if (entry === null || typeof entry !== "object" || Array.isArray(entry)) continue;
+			const task = entry as Record<string, unknown>;
+			recentTasks.push({
+				taskId: typeof task.taskId === "string" ? task.taskId : "",
+				summary: typeof task.summary === "string" ? task.summary : "",
+				completedAt: typeof task.completedAt === "string" ? task.completedAt : "",
+			});
+		}
+	}
+
+	return {
+		// The on-disk name is advisory; the lookup key (`name`) is authoritative.
+		name: typeof obj.name === "string" && obj.name !== "" ? obj.name : name,
+		capability: typeof obj.capability === "string" ? obj.capability : "",
+		created: typeof obj.created === "string" ? obj.created : new Date().toISOString(),
+		sessionsCompleted:
+			typeof obj.sessionsCompleted === "number" && Number.isFinite(obj.sessionsCompleted)
+				? obj.sessionsCompleted
+				: 0,
+		expertiseDomains,
+		recentTasks,
+	};
+}
+
+/** Serialize an identity to YAML and write it atomically-ish to disk. */
+function writeIdentity(root: string, identity: AgentIdentity): void {
+	const path = identityPath(root, identity.name);
+	mkdirSync(dirname(path), { recursive: true });
+	const header =
+		"# Agentplate agent identity (CV). Survives worktree cleanup.\n" +
+		"# Managed by src/agents/identity.ts — safe to read, edit with care.\n";
+	writeFileSync(path, header + yaml.dump(identity, { indent: 2, sortKeys: false }), "utf8");
+}
+
+/**
+ * Create an agent identity, or return the existing one if already present.
+ *
+ * Creating is idempotent: if the identity file already exists it is loaded and
+ * returned unchanged (so the agent's accumulated history is never clobbered by a
+ * re-spawn). Only the first call writes a fresh CV.
+ */
+export function createIdentity(root: string, name: string, capability: string): AgentIdentity {
+	const existing = loadIdentity(root, name);
+	if (existing !== null) return existing;
+
+	const identity: AgentIdentity = {
+		name,
+		capability,
+		created: new Date().toISOString(),
+		sessionsCompleted: 0,
+		expertiseDomains: [],
+		recentTasks: [],
+	};
+	writeIdentity(root, identity);
+	return identity;
+}
+
+/**
+ * Load an agent's identity, or `null` if it has none yet.
+ *
+ * @throws ConfigError if the file exists but contains invalid YAML or a
+ * non-mapping top level.
+ */
+export function loadIdentity(root: string, name: string): AgentIdentity | null {
+	const path = identityPath(root, name);
+	if (!existsSync(path)) return null;
+
+	let parsed: unknown;
+	try {
+		parsed = yaml.load(readFileSync(path, "utf8"));
+	} catch (error) {
+		throw new ConfigError(`Invalid YAML in ${path}: ${(error as Error).message}`);
+	}
+	// An empty file parses to null/undefined — treat it as "no identity".
+	if (parsed === null || parsed === undefined) return null;
+	return coerceIdentity(parsed, name);
+}
+
+/** Fields accepted by {@link updateIdentity}. */
+export interface IdentityPatch {
+	/** Task id to append to recent history (also required to record a task). */
+	taskId?: string;
+	/** Human-readable summary of the completed task. */
+	summary?: string;
+	/** Expertise domains to merge into the CV (deduplicated). */
+	domains?: string[];
+}
+
+/**
+ * Apply a patch to an agent's identity and persist it.
+ *
+ * Semantics (each is independent):
+ * - `sessionsCompleted` is always incremented by one (an update marks the end of
+ *   a session of work).
+ * - `domains` are merged into `expertiseDomains`, preserving first-seen order and
+ *   keeping each domain unique.
+ * - A task is appended to `recentTasks` **only if `taskId` is provided**; the
+ *   list is then capped at {@link MAX_RECENT_TASKS}, dropping the oldest entries.
+ *   `completedAt` is stamped now (ISO-8601).
+ *
+ * If the agent has no identity yet, one is created on the fly (with an empty
+ * capability) so callers never have to pre-create before recording.
+ *
+ * @throws ConfigError if an existing identity file is unreadable/invalid.
+ */
+export function updateIdentity(root: string, name: string, patch: IdentityPatch): AgentIdentity {
+	const identity = loadIdentity(root, name) ?? createIdentity(root, name, "");
+
+	// A patch represents one completed session of work.
+	identity.sessionsCompleted += 1;
+
+	// Merge domains, preserving order and uniqueness.
+	if (patch.domains !== undefined && patch.domains.length > 0) {
+		const seen = new Set(identity.expertiseDomains);
+		for (const domain of patch.domains) {
+			if (domain !== "" && !seen.has(domain)) {
+				seen.add(domain);
+				identity.expertiseDomains.push(domain);
+			}
+		}
+	}
+
+	// Append a task only when a taskId is given (summary is optional).
+	if (patch.taskId !== undefined) {
+		identity.recentTasks.push({
+			taskId: patch.taskId,
+			summary: patch.summary ?? "",
+			completedAt: new Date().toISOString(),
+		});
+		if (identity.recentTasks.length > MAX_RECENT_TASKS) {
+			// Drop oldest from the front; keep the newest MAX_RECENT_TASKS.
+			identity.recentTasks = identity.recentTasks.slice(-MAX_RECENT_TASKS);
+		}
+	}
+
+	writeIdentity(root, identity);
+	return identity;
+}