@aperant/framework 0.8.1 → 0.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (308) hide show
  1. package/CHANGELOG.md +443 -1
  2. package/agents/apt-planner.md +39 -7
  3. package/dist/cli/commands/adr.mjs +1 -1
  4. package/dist/cli/commands/audit-branch-current.d.mts +25 -0
  5. package/dist/cli/commands/audit-branch-current.d.mts.map +1 -0
  6. package/dist/cli/commands/audit-branch-current.mjs +252 -0
  7. package/dist/cli/commands/audit-branch-current.mjs.map +1 -0
  8. package/dist/cli/commands/audit.d.mts.map +1 -1
  9. package/dist/cli/commands/audit.mjs +13 -2
  10. package/dist/cli/commands/audit.mjs.map +1 -1
  11. package/dist/cli/commands/check-version.d.mts.map +1 -1
  12. package/dist/cli/commands/check-version.mjs +19 -1
  13. package/dist/cli/commands/check-version.mjs.map +1 -1
  14. package/dist/cli/commands/context.mjs +3 -3
  15. package/dist/cli/commands/context.mjs.map +1 -1
  16. package/dist/cli/commands/coverage-check.d.mts.map +1 -1
  17. package/dist/cli/commands/coverage-check.mjs +74 -7
  18. package/dist/cli/commands/coverage-check.mjs.map +1 -1
  19. package/dist/cli/commands/detect-runtime.d.mts +6 -0
  20. package/dist/cli/commands/detect-runtime.d.mts.map +1 -0
  21. package/dist/cli/commands/detect-runtime.mjs +142 -0
  22. package/dist/cli/commands/detect-runtime.mjs.map +1 -0
  23. package/dist/cli/commands/driver-doctor.d.mts +29 -0
  24. package/dist/cli/commands/driver-doctor.d.mts.map +1 -0
  25. package/dist/cli/commands/driver-doctor.mjs +291 -0
  26. package/dist/cli/commands/driver-doctor.mjs.map +1 -0
  27. package/dist/cli/commands/gate.mjs +14 -0
  28. package/dist/cli/commands/gate.mjs.map +1 -1
  29. package/dist/cli/commands/init.d.mts.map +1 -1
  30. package/dist/cli/commands/init.mjs +9 -6
  31. package/dist/cli/commands/init.mjs.map +1 -1
  32. package/dist/cli/commands/install-from-source.d.mts +2 -0
  33. package/dist/cli/commands/install-from-source.d.mts.map +1 -0
  34. package/dist/cli/commands/install-from-source.mjs +2 -0
  35. package/dist/cli/commands/install-from-source.mjs.map +1 -0
  36. package/dist/cli/commands/modes.mjs +1 -1
  37. package/dist/cli/commands/route.d.mts.map +1 -1
  38. package/dist/cli/commands/route.mjs +38 -1
  39. package/dist/cli/commands/route.mjs.map +1 -1
  40. package/dist/cli/commands/triage.mjs +1 -1
  41. package/dist/cli/config/load.d.mts.map +1 -1
  42. package/dist/cli/config/load.mjs +9 -3
  43. package/dist/cli/config/load.mjs.map +1 -1
  44. package/dist/cli/coordination/auto-emit-artifact-ready.mjs +1 -1
  45. package/dist/cli/coordination/event-schema.d.mts.map +1 -1
  46. package/dist/cli/coordination/event-schema.mjs +18 -0
  47. package/dist/cli/coordination/event-schema.mjs.map +1 -1
  48. package/dist/cli/coverage-check/user-outcomes.d.mts +84 -0
  49. package/dist/cli/coverage-check/user-outcomes.d.mts.map +1 -0
  50. package/dist/cli/coverage-check/user-outcomes.mjs +265 -0
  51. package/dist/cli/coverage-check/user-outcomes.mjs.map +1 -0
  52. package/dist/cli/dispatch.d.mts.map +1 -1
  53. package/dist/cli/dispatch.mjs +18 -1
  54. package/dist/cli/dispatch.mjs.map +1 -1
  55. package/dist/cli/gate/context.d.mts +1 -0
  56. package/dist/cli/gate/context.d.mts.map +1 -1
  57. package/dist/cli/gate/context.mjs +14 -1
  58. package/dist/cli/gate/context.mjs.map +1 -1
  59. package/dist/cli/gate/gates/consistency-check.d.mts +1 -0
  60. package/dist/cli/gate/gates/consistency-check.d.mts.map +1 -1
  61. package/dist/cli/gate/gates/consistency-check.mjs +1 -0
  62. package/dist/cli/gate/gates/consistency-check.mjs.map +1 -1
  63. package/dist/cli/gate/gates/review-clean.d.mts +1 -0
  64. package/dist/cli/gate/gates/review-clean.d.mts.map +1 -1
  65. package/dist/cli/gate/gates/review-clean.mjs +1 -0
  66. package/dist/cli/gate/gates/review-clean.mjs.map +1 -1
  67. package/dist/cli/gate/gates/verify-approved.d.mts +1 -0
  68. package/dist/cli/gate/gates/verify-approved.d.mts.map +1 -1
  69. package/dist/cli/gate/gates/verify-approved.mjs +1 -0
  70. package/dist/cli/gate/gates/verify-approved.mjs.map +1 -1
  71. package/dist/cli/gate/registry.d.mts.map +1 -1
  72. package/dist/cli/gate/registry.mjs +9 -1
  73. package/dist/cli/gate/registry.mjs.map +1 -1
  74. package/dist/cli/host/detect.mjs +1 -1
  75. package/dist/cli/host/detect.mjs.map +1 -1
  76. package/dist/cli/install/find-workspace-framework-version.d.mts +16 -0
  77. package/dist/cli/install/find-workspace-framework-version.d.mts.map +1 -0
  78. package/dist/cli/install/find-workspace-framework-version.mjs +85 -0
  79. package/dist/cli/install/find-workspace-framework-version.mjs.map +1 -0
  80. package/dist/cli/install/install-from-source.d.mts +10 -0
  81. package/dist/cli/install/install-from-source.d.mts.map +1 -0
  82. package/dist/cli/install/install-from-source.mjs +271 -0
  83. package/dist/cli/install/install-from-source.mjs.map +1 -0
  84. package/dist/cli/install/install-kernel.d.mts.map +1 -1
  85. package/dist/cli/install/install-kernel.mjs +24 -0
  86. package/dist/cli/install/install-kernel.mjs.map +1 -1
  87. package/dist/cli/install/legacy-paths.d.mts +33 -11
  88. package/dist/cli/install/legacy-paths.d.mts.map +1 -1
  89. package/dist/cli/install/legacy-paths.mjs +163 -39
  90. package/dist/cli/install/legacy-paths.mjs.map +1 -1
  91. package/dist/cli/install/runtime-detect.mjs +1 -1
  92. package/dist/cli/install/runtime-detect.mjs.map +1 -1
  93. package/dist/cli/install/runtime-migrate.d.mts +34 -14
  94. package/dist/cli/install/runtime-migrate.d.mts.map +1 -1
  95. package/dist/cli/install/runtime-migrate.mjs +63 -30
  96. package/dist/cli/install/runtime-migrate.mjs.map +1 -1
  97. package/dist/cli/install/transforms/codex.d.mts.map +1 -1
  98. package/dist/cli/install/transforms/codex.mjs +28 -17
  99. package/dist/cli/install/transforms/codex.mjs.map +1 -1
  100. package/dist/cli/skill-author/contract.mjs +2 -2
  101. package/dist/cli/skill-author/contract.mjs.map +1 -1
  102. package/dist/cli/verify-proof/audit.d.mts +34 -0
  103. package/dist/cli/verify-proof/audit.d.mts.map +1 -0
  104. package/dist/cli/verify-proof/audit.mjs +53 -0
  105. package/dist/cli/verify-proof/audit.mjs.map +1 -0
  106. package/dist/cli/verify-proof/exec.d.mts +20 -0
  107. package/dist/cli/verify-proof/exec.d.mts.map +1 -0
  108. package/dist/cli/verify-proof/exec.mjs +74 -0
  109. package/dist/cli/verify-proof/exec.mjs.map +1 -0
  110. package/dist/cli/verify-proof/idl/index.d.mts +2 -0
  111. package/dist/cli/verify-proof/idl/index.d.mts.map +1 -0
  112. package/dist/cli/verify-proof/idl/index.mjs +13 -0
  113. package/dist/cli/verify-proof/idl/index.mjs.map +1 -0
  114. package/dist/cli/verify-proof/idl/types.d.ts +10 -0
  115. package/dist/cli/verify-proof/idl/types.d.ts.map +1 -0
  116. package/dist/cli/verify-proof/idl/types.js +10 -0
  117. package/dist/cli/verify-proof/idl/types.js.map +1 -0
  118. package/dist/cli/verify-proof/manifest-validator.d.mts +19 -0
  119. package/dist/cli/verify-proof/manifest-validator.d.mts.map +1 -0
  120. package/dist/cli/verify-proof/manifest-validator.mjs +182 -0
  121. package/dist/cli/verify-proof/manifest-validator.mjs.map +1 -0
  122. package/dist/cli/verify-proof/resolver.d.mts +105 -0
  123. package/dist/cli/verify-proof/resolver.d.mts.map +1 -0
  124. package/dist/cli/verify-proof/resolver.mjs +320 -0
  125. package/dist/cli/verify-proof/resolver.mjs.map +1 -0
  126. package/dist/cli/verify-proof/runtime-detect.d.mts +30 -0
  127. package/dist/cli/verify-proof/runtime-detect.d.mts.map +1 -0
  128. package/dist/cli/verify-proof/runtime-detect.mjs +209 -0
  129. package/dist/cli/verify-proof/runtime-detect.mjs.map +1 -0
  130. package/dist/cli/verify-proof/trust.d.mts +70 -0
  131. package/dist/cli/verify-proof/trust.d.mts.map +1 -0
  132. package/dist/cli/verify-proof/trust.mjs +174 -0
  133. package/dist/cli/verify-proof/trust.mjs.map +1 -0
  134. package/dist/driver-sdk/conformance.d.ts +41 -0
  135. package/dist/driver-sdk/conformance.d.ts.map +1 -0
  136. package/dist/driver-sdk/conformance.js +123 -0
  137. package/dist/driver-sdk/conformance.js.map +1 -0
  138. package/dist/driver-sdk/errors.d.ts +75 -0
  139. package/dist/driver-sdk/errors.d.ts.map +1 -0
  140. package/dist/driver-sdk/errors.js +80 -0
  141. package/dist/driver-sdk/errors.js.map +1 -0
  142. package/dist/driver-sdk/idl.d.ts +221 -0
  143. package/dist/driver-sdk/idl.d.ts.map +1 -0
  144. package/dist/driver-sdk/idl.js +140 -0
  145. package/dist/driver-sdk/idl.js.map +1 -0
  146. package/dist/driver-sdk/index.d.ts +28 -0
  147. package/dist/driver-sdk/index.d.ts.map +1 -0
  148. package/dist/driver-sdk/index.js +28 -0
  149. package/dist/driver-sdk/index.js.map +1 -0
  150. package/dist/driver-sdk/manifest.d.ts +93 -0
  151. package/dist/driver-sdk/manifest.d.ts.map +1 -0
  152. package/dist/driver-sdk/manifest.js +12 -0
  153. package/dist/driver-sdk/manifest.js.map +1 -0
  154. package/dist/driver-sdk/retry.d.ts +33 -0
  155. package/dist/driver-sdk/retry.d.ts.map +1 -0
  156. package/dist/driver-sdk/retry.js +50 -0
  157. package/dist/driver-sdk/retry.js.map +1 -0
  158. package/dist/plugin/.claude-plugin/plugin.json +4 -1
  159. package/dist/plugin/agents/apt-planner.md +39 -7
  160. package/dist/plugin/skills/apt/SKILL.md +75 -6
  161. package/dist/plugin/skills/apt-caveman/SKILL.md +64 -0
  162. package/dist/plugin/skills/apt-debug/SKILL.md +36 -4
  163. package/dist/plugin/skills/apt-debug/appendices/diagnose-discipline.md +2 -11
  164. package/dist/plugin/skills/apt-discuss/SKILL.md +4 -4
  165. package/dist/plugin/skills/apt-discuss/appendices/grill-discipline.md +2 -11
  166. package/dist/plugin/skills/apt-discuss/appendices/zoom-out-helper.md +0 -8
  167. package/dist/plugin/skills/apt-execute/SKILL.md +27 -4
  168. package/dist/plugin/skills/apt-execute/appendices/tdd-mode.md +2 -10
  169. package/dist/plugin/skills/apt-fan-out/SKILL.md +36 -1
  170. package/dist/plugin/skills/apt-handoff/SKILL.md +228 -0
  171. package/dist/plugin/skills/apt-improve/DEEPENING.md +0 -8
  172. package/dist/plugin/skills/apt-improve/INTERFACE-DESIGN.md +0 -8
  173. package/dist/plugin/skills/apt-improve/LANGUAGE.md +0 -8
  174. package/dist/plugin/skills/apt-improve/SKILL.md +4 -4
  175. package/dist/plugin/skills/apt-plan/SKILL.md +73 -5
  176. package/dist/plugin/skills/apt-plan/adapters/conductor.md +1 -1
  177. package/dist/plugin/skills/apt-pr-review/SKILL.md +1 -1
  178. package/dist/plugin/skills/apt-prototype/LOGIC.md +0 -8
  179. package/dist/plugin/skills/apt-prototype/SKILL.md +4 -4
  180. package/dist/plugin/skills/apt-prototype/UI.md +0 -8
  181. package/dist/plugin/skills/apt-quick/SKILL.md +31 -1
  182. package/dist/plugin/skills/apt-research/SKILL.md +526 -0
  183. package/dist/plugin/skills/apt-research/appendices/budget-loop.md +397 -0
  184. package/dist/plugin/skills/apt-research/appendices/claim-graph-schema.md +206 -0
  185. package/dist/plugin/skills/apt-research/appendices/domain-tools.md +236 -0
  186. package/dist/plugin/skills/apt-resume/SKILL.md +54 -31
  187. package/dist/plugin/skills/apt-run/SKILL.md +114 -16
  188. package/dist/plugin/skills/apt-setup/SKILL.md +97 -8
  189. package/dist/plugin/skills/apt-ship/SKILL.md +165 -9
  190. package/dist/plugin/skills/apt-spar/SKILL.md +84 -23
  191. package/dist/plugin/skills/apt-triage/AGENT-BRIEF.md +0 -8
  192. package/dist/plugin/skills/apt-triage/OUT-OF-SCOPE.md +0 -7
  193. package/dist/plugin/skills/apt-triage/SKILL.md +2 -2
  194. package/dist/plugin/skills/apt-update/SKILL.md +74 -17
  195. package/dist/plugin/skills/apt-verify-proof/SKILL.md +87 -1
  196. package/dist/plugin/skills/apt-zoom-out/SKILL.md +3 -3
  197. package/dist/schemas/quick-task.d.ts +17 -17
  198. package/dist/schemas/quick-task.d.ts.map +1 -1
  199. package/dist/schemas/quick-task.js +2 -2
  200. package/dist/schemas/quick-task.js.map +1 -1
  201. package/dist/types/config.d.ts +33 -0
  202. package/dist/types/config.d.ts.map +1 -1
  203. package/dist/types/state.d.ts +1 -1
  204. package/dist/types/state.d.ts.map +1 -1
  205. package/dist/types/task-record.d.ts +1 -1
  206. package/dist/types/task-record.d.ts.map +1 -1
  207. package/drivers/.gitkeep +0 -0
  208. package/drivers/api/README.md +40 -0
  209. package/drivers/api/driver.mjs +59 -0
  210. package/drivers/api/manifest.json +26 -0
  211. package/drivers/browser/README.md +105 -0
  212. package/drivers/browser/driver.mjs +134 -0
  213. package/drivers/browser/manifest.json +35 -0
  214. package/drivers/cli/README.md +44 -0
  215. package/drivers/cli/driver.mjs +62 -0
  216. package/drivers/cli/manifest.json +28 -0
  217. package/drivers/electron/README.md +64 -0
  218. package/drivers/electron/driver.mjs +87 -0
  219. package/drivers/electron/manifest.json +37 -0
  220. package/package.json +138 -133
  221. package/prompts/planner.md +1 -1
  222. package/prompts/spec_writer.md +1 -1
  223. package/skills/apt/SKILL.md +75 -6
  224. package/skills/apt-caveman/SKILL.md +64 -0
  225. package/skills/apt-debug/SKILL.md +36 -4
  226. package/skills/apt-debug/appendices/diagnose-discipline.md +2 -11
  227. package/skills/apt-discuss/SKILL.md +4 -4
  228. package/skills/apt-discuss/appendices/grill-discipline.md +2 -11
  229. package/skills/apt-discuss/appendices/zoom-out-helper.md +0 -8
  230. package/skills/apt-execute/SKILL.md +27 -4
  231. package/skills/apt-execute/appendices/tdd-mode.md +2 -10
  232. package/skills/apt-fan-out/SKILL.md +36 -1
  233. package/skills/apt-handoff/SKILL.md +228 -0
  234. package/skills/apt-improve/DEEPENING.md +0 -8
  235. package/skills/apt-improve/INTERFACE-DESIGN.md +0 -8
  236. package/skills/apt-improve/LANGUAGE.md +0 -8
  237. package/skills/apt-improve/SKILL.md +4 -4
  238. package/skills/apt-plan/SKILL.md +73 -5
  239. package/skills/apt-plan/adapters/conductor.md +1 -1
  240. package/skills/apt-planner.md +17 -1
  241. package/skills/apt-pr-review/SKILL.md +1 -1
  242. package/skills/apt-prototype/LOGIC.md +0 -8
  243. package/skills/apt-prototype/SKILL.md +4 -4
  244. package/skills/apt-prototype/UI.md +0 -8
  245. package/skills/apt-quick/SKILL.md +31 -1
  246. package/skills/apt-research/SKILL.md +526 -0
  247. package/skills/apt-research/appendices/budget-loop.md +397 -0
  248. package/skills/apt-research/appendices/claim-graph-schema.md +206 -0
  249. package/skills/apt-research/appendices/domain-tools.md +236 -0
  250. package/skills/apt-resume/SKILL.md +54 -31
  251. package/skills/apt-run/SKILL.md +114 -16
  252. package/skills/apt-setup/SKILL.md +97 -8
  253. package/skills/apt-ship/SKILL.md +165 -9
  254. package/skills/apt-spar/SKILL.md +84 -23
  255. package/skills/apt-triage/AGENT-BRIEF.md +0 -8
  256. package/skills/apt-triage/OUT-OF-SCOPE.md +0 -7
  257. package/skills/apt-triage/SKILL.md +2 -2
  258. package/skills/apt-update/SKILL.md +74 -17
  259. package/skills/apt-verify-proof/SKILL.md +87 -1
  260. package/skills/apt-zoom-out/SKILL.md +3 -3
  261. package/src/cli/commands/adr.mjs +1 -1
  262. package/src/cli/commands/audit-branch-current.mjs +250 -0
  263. package/src/cli/commands/audit.mjs +13 -2
  264. package/src/cli/commands/check-version.mjs +20 -1
  265. package/src/cli/commands/context.mjs +3 -3
  266. package/src/cli/commands/coverage-check.mjs +126 -44
  267. package/src/cli/commands/detect-runtime.mjs +143 -0
  268. package/src/cli/commands/driver-doctor.mjs +294 -0
  269. package/src/cli/commands/gate.mjs +15 -0
  270. package/src/cli/commands/init.mjs +9 -6
  271. package/src/cli/commands/install-from-source.mjs +1 -0
  272. package/src/cli/commands/modes.mjs +1 -1
  273. package/src/cli/commands/route.mjs +42 -1
  274. package/src/cli/commands/triage.mjs +1 -1
  275. package/src/cli/config/load.mjs +9 -3
  276. package/src/cli/coordination/auto-emit-artifact-ready.mjs +1 -1
  277. package/src/cli/coordination/event-schema.mjs +19 -0
  278. package/src/cli/coverage-check/user-outcomes.mjs +273 -0
  279. package/src/cli/dispatch.mjs +17 -1
  280. package/src/cli/gate/context.mjs +20 -1
  281. package/src/cli/gate/gates/consistency-check.mjs +1 -0
  282. package/src/cli/gate/gates/review-clean.mjs +1 -0
  283. package/src/cli/gate/gates/verify-approved.mjs +1 -0
  284. package/src/cli/gate/registry.mjs +11 -1
  285. package/src/cli/host/detect.mjs +1 -1
  286. package/src/cli/install/find-workspace-framework-version.mjs +88 -0
  287. package/src/cli/install/install-from-source.mjs +276 -0
  288. package/src/cli/install/install-kernel.mjs +24 -0
  289. package/src/cli/install/legacy-paths.mjs +164 -39
  290. package/src/cli/install/runtime-detect.mjs +1 -1
  291. package/src/cli/install/runtime-migrate.mjs +63 -30
  292. package/src/cli/install/transforms/codex.mjs +26 -17
  293. package/src/cli/skill-author/contract.mjs +2 -2
  294. package/src/cli/verify-proof/.gitkeep +0 -0
  295. package/src/cli/verify-proof/audit.mjs +55 -0
  296. package/src/cli/verify-proof/exec.mjs +74 -0
  297. package/src/cli/verify-proof/idl/index.mjs +23 -0
  298. package/src/cli/verify-proof/idl/types.ts +42 -0
  299. package/src/cli/verify-proof/manifest-schema.json +212 -0
  300. package/src/cli/verify-proof/manifest-validator.mjs +184 -0
  301. package/src/cli/verify-proof/resolver.mjs +330 -0
  302. package/src/cli/verify-proof/runtime-detect.mjs +211 -0
  303. package/src/cli/verify-proof/trust.mjs +187 -0
  304. package/templates/adr-format.md +0 -8
  305. package/templates/aperant-claude-md-appendix.md +1 -1
  306. package/templates/context-format.md +1 -9
  307. package/templates/proof-verification.md +51 -8
  308. package/workflows/verify-proof.md +130 -19
@@ -31,8 +31,8 @@ This skill moves a task through a 5-state machine. The state machine
31
31
  runs identically regardless of backend (local-only / github-issues /
32
32
  app-inbox); only the mirror destination changes.
33
33
 
34
- **Pocock adoption attribution.** State machine + AGENT-BRIEF.md +
35
- OUT-OF-SCOPE.md sub-files ported from Matt Pocock's MIT-licensed
34
+ **Aperant adoption attribution.** State machine + AGENT-BRIEF.md +
35
+ OUT-OF-SCOPE.md sub-files ported from
36
36
  `triage` skill. Aperant-specific extensions:
37
37
 
38
38
  - Backend abstraction (configured at `apt:setup` Batch 8 — task_tracking.backend)
@@ -49,13 +49,14 @@ The cache file is at `~/.cache/aperant/apt-update-check.json`. It contains `runt
49
49
  node .aperant/deps/node_modules/@aperant/framework/bin/apt-tools.mjs check-version . --json
50
50
  ```
51
51
 
52
- Parse the JSON. From 0.6.7 the envelope merges the SessionStart worker's cache (when fresh — written within the last hour to `~/.cache/aperant/apt-update-check.json`). Capture:
52
+ Parse the JSON. From 0.6.7 the envelope merges the SessionStart worker's cache (when fresh — written within the last hour to `~/.cache/aperant/apt-update-check.json`). From 0.8.3 it also carries the workspace-aware `framework.workspace_version` field (Bundle A). Capture:
53
53
 
54
54
  - `framework.installed_version` — what's currently on disk
55
55
  - `framework.latest_version` — what npm reports as the latest published version (MAY BE `null` when the worker cache is stale / missing / wrong schema)
56
+ - `framework.workspace_version` — set when a workspace `packages/framework/package.json` (with `name === "@aperant/framework"`) is found above the project root; null otherwise. When non-null AND ahead of `installed_version`, the workspace is the source of truth for self-host contributors (auto-detect, no `--from-source` required).
56
57
  - `runtimes[]` — list of installed runtime ids + per-runtime `stale_files` count
57
58
  - `stale_files_total` — drift tally across runtimes
58
- - `update_available` — true when worker cache is fresh AND `installed_version < latest_version`
59
+ - `update_available` — true when worker cache is fresh AND `installed_version < latest_version`, OR when `workspace_version > installed_version` (Bundle A — fires regardless of npm cache state)
59
60
  - `dev_install_ahead` — true when local kernel is ahead of published (typical local dev)
60
61
  - `not_published` — true when npm returned 404 (package not yet on registry)
61
62
  - `lookup_error` — non-null when npm view failed for any non-404 reason (timeout, ENETDOWN, etc.)
@@ -64,11 +65,20 @@ The envelope is **single-shape** — every field above is always present. When t
64
65
 
65
66
  If `runtimes[]` is empty, tell the user they haven't installed Aperant into any runtime yet and suggest `apt-tools init . --claude` (or their preferred runtime). Stop.
66
67
 
67
- ## 1.5. Bump the local kernel from npm when newer is available
68
+ ## 1.5. Workspace-aware bump auto-detect dev-host self-host (Bundle A)
68
69
 
69
- The Aperant kernel lives at `.aperant/deps/node_modules/@aperant/framework/`. `apt-tools init` re-installs runtime files at THE LOCAL KERNEL'S VERSION — so a stale kernel means `/apt:update` re-stamps manifests at the OLD version even when npm has a newer release. Bump the kernel BEFORE invoking init.
70
+ The Aperant kernel lives at `.aperant/deps/node_modules/@aperant/framework/`. `apt-tools init` re-installs runtime files at THE LOCAL KERNEL'S VERSION — so a stale kernel means `/apt:update` re-stamps manifests at the OLD version. Bump the kernel BEFORE invoking init.
70
71
 
71
- First, resolve `latest_version` when the envelope had `null` (stale cache).
72
+ **FIRST**, branch on `framework.workspace_version` from step 1's envelope (Bundle A — automatic on every `/apt:update` run, no flag required):
73
+
74
+ - When `workspace_version` is non-null AND ahead of `installed_version` — the user is an Aperant contributor self-hosting the framework, and a same-PR change bumped `packages/framework/package.json:version`. The workspace is the source of truth (NOT npm). Proceed to §1.7's workspace-pack mechanism. Skip §1.6 (npm view).
75
+ - When `workspace_version` is null OR equal to `installed_version` — no workspace package, OR workspace + kernel already match. Fall through to §1.6 (npm bump path).
76
+
77
+ This auto-detection replaces the previous "user must remember `--from-source`" footgun. The `--from-source` flag is still honored as an explicit override (§1.7) for: (a) testing pre-publish bumps even when auto-detect didn't fire, (b) forcing the workspace path when a stale `latest_version > workspace_version`.
78
+
79
+ ## 1.6. Bump the local kernel from npm when newer is available
80
+
81
+ When §1.5 fell through (no workspace-ahead signal), resolve `latest_version` from npm. First, resolve `latest_version` when the envelope had `null` (stale cache).
72
82
 
73
83
  **Timeout enforcement (ID-04):** The `npm view` call must complete within 10 s — never block the user longer than the SessionStart worker would. Use npm's `--fetch-timeout` flag as the primary mechanism (universally portable across all npm versions); it sets the HTTP fetch timeout in milliseconds:
74
84
 
@@ -90,17 +100,47 @@ npm install --prefix .aperant/deps @aperant/framework@<latest_version> --no-save
90
100
 
91
101
  On `npm 404` (`E404` in stderr) treat it as `not_published` and skip the kernel bump (proceed to step 3). On any other npm failure, surface the npm stderr verbatim and STOP — do NOT proceed to init with a half-installed kernel.
92
102
 
93
- ## 1.6. Self-host case — bump from local workspace (FRAMEWORK-BUG-017)
103
+ ## 1.7. Self-host case — bump from local workspace (FRAMEWORK-BUG-017)
104
+
105
+ Fires when EITHER §1.5's workspace-ahead auto-detect signaled it, OR the user invoked `/apt:update --from-source` as an explicit override, OR the route envelope's `update_check.reason` mentions `workspace source ahead of installed kernel`. The source of truth is the local `packages/framework/` workspace — NOT npm. This is the Aperant-contributor self-host case: a same-PR framework fix bumps the workspace `packages/framework/package.json:version` but the kernel under `.aperant/deps/node_modules/@aperant/framework/` still reflects the previous version. §1.6's `npm view` would fetch the published version (still the OLD one), so we skip it.
106
+
107
+ The reliable bump mechanism is the `apt-tools install-from-source` subcommand (Bundle D), which packs the framework AND every `workspace:*` dep (transitively) into a single `npm install --prefix` invocation. Handles the same-PR unpublished-pair case (e.g. `framework@0.8.3` + `driver-sdk@0.2.0` both at `workspace:*`, both unpublished) without `EUNSUPPORTEDPROTOCOL`.
108
+
109
+ ```bash
110
+ node .aperant/deps/node_modules/@aperant/framework/bin/apt-tools.mjs install-from-source . --json
111
+ ```
112
+
113
+ Parse the returned envelope:
114
+
115
+ ```json
116
+ {
117
+ "status": "ok",
118
+ "command": "install-from-source",
119
+ "tarballs": ["/tmp/aperant-driver-sdk-0.2.0.tgz", "/tmp/aperant-framework-0.8.3.tgz"],
120
+ "kernel_path": "/path/to/project/.aperant/deps/node_modules/@aperant/framework/bin/apt-tools.mjs"
121
+ }
122
+ ```
123
+
124
+ Capture `tarballs[]` count and `kernel_path` for the Scenario A summary line (the kernel-version slot reads from `kernel_path`'s parent `package.json` rather than a static `{latest_version}` format string when this branch fired).
125
+
126
+ On `status: 'error'`, the envelope carries an `error` field with the underlying failure (e.g. `pnpm pack ... exited with N`, `no @aperant/framework workspace found`, etc.). Surface it verbatim and STOP — do NOT proceed to init with a half-installed kernel.
127
+
128
+ If `--from-source` was passed but `install-from-source` returns `no @aperant/framework workspace found`, surface a one-line error (`⚠ --from-source: no workspace package.json found — falling back to npm`) and proceed with the standard §1.6 npm path.
129
+
130
+ Then proceed to step 3 to re-install the runtime files at the new kernel version. Skip step 4 (cache clear) — the cache is keyed on `latest_version` from npm, and a `--from-source` bump never wrote to it, so there's nothing to invalidate.
94
131
 
95
- When the user invokes `/apt:update --from-source` OR the route envelope's `update_check.reason` mentions `workspace source ahead of installed kernel`, the source of truth is the local `packages/framework/` workspace — NOT npm. This is the Aperant-contributor self-host case: a same-PR framework fix bumps the workspace `packages/framework/package.json:version` but the kernel under `.aperant/deps/node_modules/@aperant/framework/` still reflects the previous version. Step 1.5's `npm view` would fetch the published version (still the OLD one), so we must skip it.
132
+ ### What `install-from-source` does under the hood
96
133
 
97
- The reliable bump mechanism mirrors what `runKernelInstall` does today`pnpm pack` produces a versioned tarball, then `npm install --prefix` consumes it. Symlinking is fragile across re-installs and `pnpm install --filter` doesn't relocate the published artifact into `.aperant/deps`.
134
+ The `apt-tools install-from-source` helper materializes the workspace chain end-to-end. This is the equivalent manual recipe useful for debugging or for users who want to understand the mechanism. **Prefer the one-line invocation above** unless you have a reason to do it by hand:
98
135
 
99
- Walk up from the project root looking for a sibling `packages/framework/package.json`. When found AND its `name === "@aperant/framework"`:
136
+ Do NOT substitute `npm pack` it leaves `workspace:*` literal in the tarball's package.json and breaks `npm install --prefix` with `EUNSUPPORTEDPROTOCOL`. Only `pnpm pack` resolves workspace protocols.
100
137
 
101
138
  ```bash
102
- # 1. Pack the workspace source into a versioned tarball.
139
+ # 0. Ensure the dep closure is materialized the `...` suffix installs transitive workspace deps.
103
140
  cd <workspace-root>
141
+ pnpm install --filter @aperant/framework... --frozen-lockfile=false
142
+
143
+ # 1. Pack the workspace source into a versioned tarball.
104
144
  pnpm --filter @aperant/framework pack --pack-destination /tmp
105
145
 
106
146
  # 2. Install the tarball into the project's kernel root.
@@ -108,19 +148,16 @@ cd <project-root>
108
148
  npm install --prefix .aperant/deps /tmp/aperant-framework-<version>.tgz --no-save --no-package-lock --no-audit --no-fund
109
149
  ```
110
150
 
111
- Replace `<version>` with the workspace `package.json:version` you just read. The tarball name follows npm's `pack` convention (`@aperant/framework@X.Y.Z` `aperant-framework-X.Y.Z.tgz`).
112
-
113
- If `--from-source` was passed but no `packages/framework/package.json` is found anywhere above the project root, surface a one-line error (`⚠ --from-source: no workspace package.json found — falling back to npm`) and proceed with the standard step 1.5 npm path.
114
-
115
- Then proceed to step 3 to re-install the runtime files at the new kernel version. Skip step 4 (cache clear) — the cache is keyed on `latest_version` from npm, and a `--from-source` bump never wrote to it, so there's nothing to invalidate.
151
+ The manual recipe DOES NOT handle workspace:* deps transitively — for a same-PR pair (framework + driver-sdk both at `workspace:*`), you would need to pnpm-pack each dep separately and pass every tarball to the single `npm install --prefix` call. The `apt-tools install-from-source` subcommand walks `dependencies` + `peerDependencies` automatically.
116
152
 
117
153
  ## 2. Classify the update scenario
118
154
 
119
155
  Pick ONE of three scenarios based on what you parsed in step 1:
120
156
 
121
- - **A. Version bump available** — `installed_version !== latest_version` (regardless of drift). Users see this most often. Step 1.5 bumped the kernel; step 3 re-stamps manifests at the new version.
122
- - **B. Drift only** — `installed_version === latest_version` but `stale_files_total > 0`. User hand-edited an installed file or something was partially overwritten. Step 1.5 was a no-op; step 3 still needs `--force-runtimes` to re-stamp.
157
+ - **A. Version bump available** — `latest_version != null && installed_version !== latest_version` (regardless of drift). Users see this most often. Step 1.5 (workspace) or 1.6 (npm) bumped the kernel; step 3 re-stamps manifests at the new version. **Important:** the `latest_version != null` guard prevents this scenario from firing when npm-latest is unknown (cache stale, package not published, network down — see Scenario E for that case).
158
+ - **B. Drift only** — `installed_version === latest_version` but `stale_files_total > 0`. User hand-edited an installed file or something was partially overwritten. Steps 1.5 / 1.6 were no-ops; step 3 still needs `--force-runtimes` to re-stamp.
123
159
  - **C. Nothing to do** — `installed_version === latest_version` AND `stale_files_total === 0`. Still re-run init with `--force-runtimes` to refresh manifests + cache, but tell the user plainly that no version change happened.
160
+ - **E. No version info available** — `latest_version === null` (cache stale OR package not published OR network down) AND `stale_files_total === 0`. Step 1.5 was a no-op (no workspace-ahead signal), step 1.6 found no usable npm version. Step 3 still re-stamps runtime files for safety, but the skill does NOT claim a version bump happened.
124
161
 
125
162
  ## 3. Re-install the currently-installed runtimes
126
163
 
@@ -169,6 +206,7 @@ Use the format in `<output_format>` below, tailored to the scenario from step 2.
169
206
  {install_root_basename} {file_count} files refreshed
170
207
  {install_root_basename} {file_count} files refreshed
171
208
  .aperant/deps/ kernel v{latest_version}
209
+ Migrated: legacy .codex/agents/* swept ({removed_count} files removed)
172
210
 
173
211
  Next: restart Claude Code / Codex to activate the refreshed skills.
174
212
  ```
@@ -194,6 +232,7 @@ Example:
194
232
 
195
233
  {install_root_basename} {file_count} files ({stale_count} refreshed)
196
234
  {install_root_basename} {file_count} files
235
+ Migrated: legacy .codex/agents/* swept ({removed_count} files removed)
197
236
 
198
237
  Statusline chip cleared.
199
238
  ```
@@ -205,10 +244,28 @@ Example:
205
244
 
206
245
  {install_root_basename} {file_count} files
207
246
  {install_root_basename} {file_count} files
247
+ Migrated: legacy .codex/agents/* swept ({removed_count} files removed)
208
248
 
209
249
  No changes applied. Statusline cache cleared.
210
250
  ```
211
251
 
252
+ ## Scenario E — no version info available
253
+
254
+ ```
255
+ ⚠ Aperant version info unavailable — refreshed runtime files only
256
+
257
+ Reason: {lookup_error || 'cache stale / not published'}
258
+ {install_root_basename} {file_count} files
259
+ {install_root_basename} {file_count} files
260
+ Migrated: legacy .codex/agents/* swept ({removed_count} files removed)
261
+
262
+ Run /apt:update again later to bump the kernel when npm view becomes reachable.
263
+ ```
264
+
265
+ Scenario E fires when `latest_version === null` AND `stale_files_total === 0`. Step 1.5 (workspace-aware) was a no-op (no workspace-ahead signal); step 1.6 (npm view) returned null (cache stale, not published, or network down). The runtime refresh in step 3 still happens — the skill just does NOT claim a bump occurred.
266
+
267
+ **`Migrated:` slot — conditional render.** The `Migrated:` line in Scenarios A / B / C / E fires ONLY when `init.legacy_cleanup?.ran === true && init.legacy_cleanup.rmdirs.some(p => p.includes('.codex'))`. When no migration happened, OMIT the line entirely (do NOT render an empty placeholder). The label reports the legacy Codex topology sweep (v0.7/v0.8 `.codex/agents/` + `.codex/commands/` misdirect → v0.8.2+ canonical `.agents/skills/<folder>/SKILL.md`) so users understand what changed under `.codex/` on disk.
268
+
212
269
  ## Scenario D — kernel install failed
213
270
 
214
271
  If init's `kernel.status !== "installed"`, append a warning ABOVE the summary:
@@ -40,9 +40,95 @@ an action, evidence, and a verdict. No hallucinated passes.
40
40
  - For code review — use `/apt:review`
41
41
  - If no UI/visual changes were made — `/apt:verify` is faster
42
42
 
43
+ ## Driver Architecture
44
+
45
+ `/apt:verify-proof` is **runtime-agnostic** — the workflow refers to IDL
46
+ verbs (`driver.click`, `driver.screenshot`, `driver.navigate`, ...) and
47
+ NEVER to concrete MCP tool names (per ID-01). The driver layer at
48
+ `packages/framework/drivers/<id>/` maps verbs to transports.
49
+
50
+ ### Auto-detect
51
+
52
+ The resolver auto-selects the highest-scoring driver per ID-02
53
+ (capability_coverage > compatibility > stability > priority > locality).
54
+ Preview the selection before running verify-proof:
55
+
56
+ ```bash
57
+ apt-tools detect-runtime .
58
+ # → { runtime: {is_electron, is_nextjs, ...}, selected_driver_id: "..." }
59
+ ```
60
+
61
+ v0.8.6 — the runtime detector now walks `apps/*/package.json` by
62
+ default and OR-merges each child's capabilities into the root. The
63
+ canonical Aperant monorepo (Electron at `apps/desktop`, Next.js at
64
+ `apps/web`) now reports `is_electron: true` AND `is_nextjs: true`
65
+ without any config override.
66
+
67
+ ### Per-outcome dispatch (v0.8.6+)
68
+
69
+ When the spec ships `## User Outcomes` (the verify-proof input
70
+ contract — see CLAUDE.md), the workflow runner imports
71
+ `resolveDriversForOutcomes()` from the resolver module and picks a
72
+ driver PER OUTCOME SURFACE instead of a single per-run driver pick.
73
+
74
+ ```js
75
+ import { resolveDriversForOutcomes } from '.aperant/deps/node_modules/@aperant/framework/src/cli/verify-proof/resolver.mjs'
76
+
77
+ const entries = resolveDriversForOutcomes({
78
+ drivers, runtime,
79
+ outcomes: parsed.outcomes, // from parseUserOutcomes(spec)
80
+ })
81
+ // → [{outcome_id: "O1", surface: "electron", driver: {...}}, ...]
82
+ // For [electron+web] outcomes, two entries share the same outcome_id.
83
+ ```
84
+
85
+ The legacy `apt-tools detect-runtime` still answers the per-run
86
+ "which driver would be picked?" question for the override preview.
87
+ For the per-outcome dispatch (the new contract), import
88
+ `resolveDriversForOutcomes` directly.
89
+
90
+ ### Override
91
+
92
+ Force a specific driver chain in `.aperant/config.json`:
93
+
94
+ ```json
95
+ { "verification": { "runtimes": ["electron", "cli"] } }
96
+ ```
97
+
98
+ v0.8.6 — `verification.monorepo_globs` is the new opt-out for the
99
+ monorepo walk. The walk now runs by default — adopters whose
100
+ monorepo lives at a non-canonical prefix
101
+ (`packages/apps/*`, `services/*`) override via
102
+ `verification.monorepo_globs: ["packages/apps/*"]`; set to `[]` to
103
+ disable the walk entirely (root-only behaviour, backwards compat).
104
+ The `verification.runtimes[]` override stays the final escape hatch
105
+ and is now usually unnecessary because the walk runs by default.
106
+
107
+ ### Bundled drivers (4)
108
+
109
+ - **browser** (priority=100, ga) — Next.js / vanilla web frontends.
110
+ - **electron** (priority=90, ga) — Electron desktop apps.
111
+ - **cli** (priority=60, ga) — headless CI, output-shape assertions.
112
+ - **api** (priority=50, ga) — HTTP / JSON-API regression tests.
113
+
114
+ ### Driver authors
115
+
116
+ Third-party driver authors should run `apt-tools driver doctor .` before
117
+ publishing to validate manifest schema + IDL conformance:
118
+
119
+ ```bash
120
+ apt-tools driver doctor .
121
+ # → { drivers: [{driverId, manifest_valid, idl_conformant, ...}], summary: {...} }
122
+ ```
123
+
124
+ IDL types, error taxonomy, and conformance kit live inside the framework
125
+ itself under `packages/framework/src/driver-sdk/` — see that directory's
126
+ public-api-lock test for the surface contract.
127
+
43
128
  ## Execution
44
129
 
45
- Execute the verify-proof workflow end-to-end:
130
+ Execute the verify-proof workflow end-to-end using IDL verbs (the driver
131
+ maps verbs to its transport — MCP server, local command, HTTP):
46
132
 
47
133
  <execution_context>
48
134
  @packages/framework/workflows/verify-proof.md
@@ -26,8 +26,8 @@ Tiny skill. High signal. The user named an area; you produce a one-page
26
26
  orientation so they (or a future agent) can plan or edit without
27
27
  re-learning the codebase from scratch.
28
28
 
29
- **Pocock adoption note.** This skill descends from Matt Pocock's `zoom-out`
30
- discipline. Aperant's router is dynamic and LLM-driven, so unlike Pocock's
29
+ **Aperant adoption note.** This skill descends from 's `zoom-out`
30
+ discipline. Aperant's router is dynamic and LLM-driven, so unlike 's
31
31
  upstream this skill is **router-invocable** (no `disable-model-invocation:
32
32
  true` flag). The work-intent — "give me a broader picture of X" — is
33
33
  genuine and the router resolves natural-language triggers without forcing
@@ -37,7 +37,7 @@ the user to remember the verb name.
37
37
 
38
38
  - Dropped into a new module / package / area of the monorepo
39
39
  - About to plan a feature that crosses an unfamiliar boundary
40
- - The codebase has CONTEXT.md (Pocock glossary) and you want to load it
40
+ - The codebase has CONTEXT.md (Aperant glossary) and you want to load it
41
41
  alongside the structural map
42
42
 
43
43
  ## When Not to Use
@@ -1,5 +1,5 @@
1
1
  /**
2
- * commands/adr.mjs — `apt-tools adr write` (Pocock adoption ST-6, AC5).
2
+ * commands/adr.mjs — `apt-tools adr write`.
3
3
  *
4
4
  * Writes an ADR under `docs/adr/NNNN-slug.md` ONLY when all three Nygard
5
5
  * gates pass: hard-to-reverse AND surprising-without-context AND
@@ -0,0 +1,250 @@
1
+ /**
2
+ * commands/audit-branch-current.mjs — pre-PR rebase gate envelope for apt:ship §0.7.
3
+ *
4
+ * Pure read-only branch-drift audit. Given a base ref (default `main`), reports
5
+ * how many commits HEAD is ahead/behind `origin/<base>`, captures the current
6
+ * `origin/<base>` tip SHA (the lease target for any subsequent
7
+ * `--force-with-lease=refs/heads/<branch>:<sha>` push), and probes whether a
8
+ * trial merge against the remote tip would conflict.
9
+ *
10
+ * Single network call: `git fetch origin <base>`. Fetch failure is recovered
11
+ * as `audit_warning: 'fetch-failed'` — the envelope still returns, just with
12
+ * stale counts. No `git rebase`, no `git push`, no `git reset` — the SKILL.md
13
+ * prose owns history rewrites.
14
+ *
15
+ * Envelope:
16
+ *
17
+ * {
18
+ * status: 'ok',
19
+ * command: 'audit-branch-current',
20
+ * projectDir: string,
21
+ * base: string,
22
+ * ahead: number, // commits HEAD has over origin/<base>
23
+ * behind: number, // commits origin/<base> has over HEAD
24
+ * remote_tip_sha: string | null, // origin/<base> after fetch
25
+ * mergeable: boolean | null, // null when probe unavailable
26
+ * conflicts_preview?: string[], // populated only when mergeable=false
27
+ * audit_warning?: string // 'fetch-failed' | 'git-version-too-old' | ...
28
+ * }
29
+ *
30
+ * Spec cross-ref: .aperant/tasks/apt-ship-pre-pr-rebase-gate-audit-branch_21-05-26/spec.md
31
+ *
32
+ * @internal
33
+ */
34
+
35
+ import { execFileSync } from 'node:child_process'
36
+ import { resolve } from 'node:path'
37
+ import { err, ok } from '../util/result.mjs'
38
+
39
+ /**
40
+ * Try-execute a git command, returning {ok, stdout, stderr, code}. Never throws.
41
+ *
42
+ * @param {string} cwd
43
+ * @param {string[]} args
44
+ */
45
+ function gitTry(cwd, args) {
46
+ try {
47
+ const stdout = execFileSync('git', args, {
48
+ cwd,
49
+ encoding: 'utf-8',
50
+ stdio: ['ignore', 'pipe', 'pipe'],
51
+ })
52
+ return { ok: true, stdout, stderr: '', code: 0 }
53
+ } catch (e) {
54
+ // execFileSync throws an error whose `stdout`, `stderr`, and `status`
55
+ // properties carry the captured output and exit code.
56
+ return {
57
+ ok: false,
58
+ stdout: typeof e?.stdout === 'string' ? e.stdout : (e?.stdout?.toString() ?? ''),
59
+ stderr: typeof e?.stderr === 'string' ? e.stderr : (e?.stderr?.toString() ?? ''),
60
+ code: typeof e?.status === 'number' ? e.status : 1,
61
+ }
62
+ }
63
+ }
64
+
65
+ /**
66
+ * Parse `--base <ref>` (or `--base=<ref>`) from extraArgs. Defaults to 'main'.
67
+ *
68
+ * @param {string[]} extraArgs
69
+ * @returns {string}
70
+ */
71
+ function parseBaseFlag(extraArgs) {
72
+ for (let i = 0; i < extraArgs.length; i++) {
73
+ const a = extraArgs[i]
74
+ if (a === '--base' && i + 1 < extraArgs.length) return extraArgs[i + 1]
75
+ if (a.startsWith('--base=')) return a.slice('--base='.length)
76
+ }
77
+ return 'main'
78
+ }
79
+
80
+ /**
81
+ * Parse `git merge-tree --write-tree --no-messages HEAD origin/<base>` output
82
+ * for conflict file paths. Modern (git ≥ 2.38) merge-tree emits, on conflict:
83
+ *
84
+ * <tree-OID>
85
+ * <conflict report lines, each "<mode> <stage> <oid>\t<path>" for stage > 0>
86
+ * (NUL separator)
87
+ * <textual conflict messages>
88
+ *
89
+ * Older variants emit a `+<<<<<<< ... +======= ... +>>>>>>>` diff per file.
90
+ * For correctness we use the stable form: extract file paths from the conflict
91
+ * report. The report includes the SAME path multiple times (once per non-zero
92
+ * stage), so we de-dupe.
93
+ *
94
+ * @param {string} stdout
95
+ * @returns {string[]}
96
+ */
97
+ function parseConflictPaths(stdout) {
98
+ const paths = new Set()
99
+ for (const rawLine of stdout.split('\n')) {
100
+ const line = rawLine.replace(/\0/g, '')
101
+ if (!line.trim()) continue
102
+ // Match "<mode> <oid> <stage>\t<path>" — git merge-tree --write-tree
103
+ // emits conflict report lines as "<mode> <oid> <stage>\t<path>".
104
+ // Stage 0 means no conflict, so we only surface stage ≥ 1.
105
+ const m = line.match(/^(\d{6})\s+([0-9a-f]{4,40})\s+(\d)\t(.+)$/)
106
+ if (m) {
107
+ const stage = Number.parseInt(m[3], 10)
108
+ if (stage >= 1) paths.add(m[4])
109
+ continue
110
+ }
111
+ // Fallback (older git): the textual report block prefixes paths with
112
+ // "CONFLICT (content): Merge conflict in <path>".
113
+ const c = line.match(/Merge conflict in (.+)$/)
114
+ if (c) paths.add(c[1].trim())
115
+ }
116
+ return Array.from(paths).sort()
117
+ }
118
+
119
+ /**
120
+ * Detect "git too old" from merge-tree stderr. Pre-2.38 git rejects
121
+ * `--write-tree` outright; older still rejects merge-tree's modern arg
122
+ * shape entirely. We treat any non-zero-with-no-output as "version too old"
123
+ * — callers are expected to fall back gracefully.
124
+ *
125
+ * @param {string} stderr
126
+ * @returns {boolean}
127
+ */
128
+ function isGitVersionTooOld(stderr) {
129
+ return /unknown option|did you mean|usage: git merge-tree/i.test(stderr)
130
+ }
131
+
132
+ /**
133
+ * @param {string} projectDir
134
+ * @param {string[]} extraArgs
135
+ */
136
+ export function auditBranchCurrent(projectDir, extraArgs = []) {
137
+ if (!projectDir) {
138
+ return err('Usage: apt-tools audit branch-current <project-dir> [--base <ref>]')
139
+ }
140
+ const targetDir = resolve(projectDir)
141
+ const base = parseBaseFlag(extraArgs)
142
+
143
+ /** @type {string | undefined} */
144
+ let auditWarning
145
+ /** @type {string[]} */
146
+ const warnings = []
147
+
148
+ // 1. Fetch origin <base>. Tolerate failure (offline, no remote, etc.).
149
+ const fetch = gitTry(targetDir, ['fetch', 'origin', base])
150
+ if (!fetch.ok) {
151
+ auditWarning = 'fetch-failed'
152
+ warnings.push(fetch.stderr.trim().split('\n').slice(0, 3).join(' | '))
153
+ }
154
+
155
+ // 2. Resolve origin/<base> tip.
156
+ let remoteTipSha = null
157
+ const tip = gitTry(targetDir, ['rev-parse', `origin/${base}`])
158
+ if (tip.ok) {
159
+ remoteTipSha = tip.stdout.trim()
160
+ } else {
161
+ // No origin/<base> ref at all — emit an envelope with null counts so the
162
+ // caller can recognise the gap. The SKILL.md prose treats null counts as
163
+ // "audit unavailable, STOP with a clear message" rather than proceeding.
164
+ return ok({
165
+ status: 'ok',
166
+ command: 'audit-branch-current',
167
+ projectDir: targetDir,
168
+ base,
169
+ ahead: null,
170
+ behind: null,
171
+ remote_tip_sha: null,
172
+ mergeable: null,
173
+ audit_warning: auditWarning ?? 'no-remote-base-ref',
174
+ warnings,
175
+ })
176
+ }
177
+
178
+ // 3. Counts.
179
+ let ahead = 0
180
+ let behind = 0
181
+ const aheadOut = gitTry(targetDir, ['rev-list', '--count', `origin/${base}..HEAD`])
182
+ const behindOut = gitTry(targetDir, ['rev-list', '--count', `HEAD..origin/${base}`])
183
+ if (aheadOut.ok) ahead = Number.parseInt(aheadOut.stdout.trim(), 10) || 0
184
+ if (behindOut.ok) behind = Number.parseInt(behindOut.stdout.trim(), 10) || 0
185
+
186
+ // 4. Mergeability.
187
+ // - When behind === 0, the branch is current or strictly ahead — no
188
+ // remote changes to integrate, mergeable = true by definition.
189
+ // - When behind > 0 AND ahead === 0, the branch is strictly fast-forward
190
+ // behind — a clean fast-forward rebase is always mergeable.
191
+ // - When diverged (behind > 0 AND ahead > 0), probe via git merge-tree.
192
+ let mergeable
193
+ /** @type {string[] | undefined} */
194
+ let conflictsPreview
195
+ if (behind === 0) {
196
+ mergeable = true
197
+ } else if (behind > 0 && ahead === 0) {
198
+ mergeable = true
199
+ } else {
200
+ // Diverged. Run modern merge-tree trial.
201
+ const probe = gitTry(targetDir, [
202
+ 'merge-tree',
203
+ '--write-tree',
204
+ '--no-messages',
205
+ 'HEAD',
206
+ `origin/${base}`,
207
+ ])
208
+ if (probe.ok) {
209
+ mergeable = true
210
+ } else if (probe.code === 1) {
211
+ // Documented merge-tree exit-code semantics: 0 clean, 1 conflict,
212
+ // other = invocation error.
213
+ mergeable = false
214
+ conflictsPreview = parseConflictPaths(probe.stdout)
215
+ } else if (isGitVersionTooOld(probe.stderr)) {
216
+ mergeable = null
217
+ auditWarning = auditWarning ?? 'git-version-too-old'
218
+ warnings.push(`git merge-tree --write-tree unsupported: ${probe.stderr.trim().slice(0, 200)}`)
219
+ } else {
220
+ // Unknown probe failure — treat as unknown rather than asserting
221
+ // clean.
222
+ mergeable = null
223
+ auditWarning = auditWarning ?? 'merge-tree-probe-failed'
224
+ warnings.push(
225
+ `git merge-tree probe failed (code ${probe.code}): ${probe.stderr.trim().slice(0, 200)}`,
226
+ )
227
+ }
228
+ }
229
+
230
+ const envelope = {
231
+ status: 'ok',
232
+ command: 'audit-branch-current',
233
+ projectDir: targetDir,
234
+ base,
235
+ ahead,
236
+ behind,
237
+ remote_tip_sha: remoteTipSha,
238
+ mergeable,
239
+ }
240
+ if (conflictsPreview && conflictsPreview.length > 0) {
241
+ envelope.conflicts_preview = conflictsPreview
242
+ }
243
+ if (auditWarning) envelope.audit_warning = auditWarning
244
+ if (warnings.length > 0) envelope.warnings = warnings
245
+ return ok(envelope)
246
+ }
247
+
248
+ // Test-only export for unit-level parser coverage (not part of the public CLI
249
+ // contract).
250
+ export { parseConflictPaths as __parseConflictPathsForTests }
@@ -28,6 +28,14 @@
28
28
  * committable bucket is non-empty after staging (CI-friendly gate).
29
29
  * Default: report-only, exits 0 regardless.
30
30
  *
31
+ * apt-tools audit branch-current <project-dir> [--base <ref>]
32
+ * Pre-PR rebase gate envelope for apt:ship §0.7. Pure read-only:
33
+ * `git fetch origin <base>`, captures origin/<base> tip SHA, counts
34
+ * ahead/behind, and (when diverged) probes mergeability with
35
+ * `git merge-tree --write-tree`. Returns {ahead, behind,
36
+ * remote_tip_sha, mergeable, conflicts_preview?}. Never mutates
37
+ * HEAD, the index, the worktree, or any remote ref.
38
+ *
31
39
  * Single source of truth: buildPolicyIgnoreMatcher in share-policy.mjs is
32
40
  * the ONLY matcher anywhere in the CLI. If you add a new taxonomy class or
33
41
  * toggle, update share-policy and this command follows automatically.
@@ -46,6 +54,7 @@ import { selfStageCommittableWrites } from '../artifacts/self-stage.mjs'
46
54
  import { buildPolicyIgnoreMatcher, resolveSharePolicy } from '../config/share-policy.mjs'
47
55
  import { detectPublicRemote } from '../git/remote.mjs'
48
56
  import { err, exitWith, ok } from '../util/result.mjs'
57
+ import { auditBranchCurrent } from './audit-branch-current.mjs'
49
58
 
50
59
  /**
51
60
  * Dispatch an `audit <subcommand>` call.
@@ -59,7 +68,7 @@ import { err, exitWith, ok } from '../util/result.mjs'
59
68
  export function cmdAudit(subcommand, projectDir, extraArgs = []) {
60
69
  if (!subcommand) {
61
70
  return err(
62
- 'Usage: apt-tools audit <privacy|visibility-signals|pending-artifacts> <project-dir> [flags]',
71
+ 'Usage: apt-tools audit <privacy|visibility-signals|pending-artifacts|branch-current> <project-dir> [flags]',
63
72
  )
64
73
  }
65
74
  if (!projectDir) {
@@ -73,9 +82,11 @@ export function cmdAudit(subcommand, projectDir, extraArgs = []) {
73
82
  return auditVisibilitySignals(targetDir)
74
83
  case 'pending-artifacts':
75
84
  return auditPendingArtifacts(targetDir, extraArgs)
85
+ case 'branch-current':
86
+ return auditBranchCurrent(targetDir, extraArgs)
76
87
  default:
77
88
  return err(
78
- `Unknown audit subcommand: ${subcommand}. Expected 'privacy', 'visibility-signals', or 'pending-artifacts'.`,
89
+ `Unknown audit subcommand: ${subcommand}. Expected 'privacy', 'visibility-signals', 'pending-artifacts', or 'branch-current'.`,
79
90
  )
80
91
  }
81
92
  }
@@ -29,7 +29,13 @@
29
29
  * // `framework_version` field (read from package.json, never from
30
30
  * // the cache).
31
31
  * framework: {
32
- * latest_version: '0.6.7' | null
32
+ * latest_version: '0.6.7' | null,
33
+ * // Bundle A (0.8.3) — additive nullable field. Set when a workspace
34
+ * // `packages/framework/package.json` is found above the project root
35
+ * // and its `name === '@aperant/framework'`. When workspace_version
36
+ * // is ahead of the running kernel, `update_available` flips true
37
+ * // regardless of cache state (workspace wins on self-host).
38
+ * workspace_version: '0.8.3' | null
33
39
  * },
34
40
  * update_available: false,
35
41
  * dev_install_ahead: false,
@@ -48,11 +54,13 @@
48
54
  import { existsSync, readFileSync } from 'node:fs'
49
55
  import { dirname, join, resolve } from 'node:path'
50
56
  import { fileURLToPath } from 'node:url'
57
+ import { findWorkspaceFrameworkVersion } from '../install/find-workspace-framework-version.mjs'
51
58
  import { readManifest } from '../install/manifest.mjs'
52
59
  import { detectInstalledRuntimes } from '../install/runtime-detect.mjs'
53
60
  import { readFreshUpdateCache } from '../install/update-chips.mjs'
54
61
  import { inspectManifestFiles } from '../install/version-header.mjs'
55
62
  import { err, ok } from '../util/result.mjs'
63
+ import { compareVersions } from '../util/semver.mjs'
56
64
 
57
65
  const __filename = fileURLToPath(import.meta.url)
58
66
  const __dirname = dirname(__filename)
@@ -167,6 +175,16 @@ export function cmdCheckVersion(projectDir) {
167
175
  if (typeof c.lookup_error === 'string') lookupError = c.lookup_error
168
176
  }
169
177
 
178
+ // Bundle A — additive `framework.workspace_version` field. When the
179
+ // workspace package.json is ahead of the running kernel, flip
180
+ // `update_available` true regardless of cache state (the workspace is
181
+ // the source of truth on self-host). schema_version stays at 1 (D-01).
182
+ const workspace = findWorkspaceFrameworkVersion(targetDir)
183
+ const workspaceVersion = workspace?.source_version ?? null
184
+ if (workspaceVersion && compareVersions(workspaceVersion, frameworkVersion) > 0) {
185
+ updateAvailable = true
186
+ }
187
+
170
188
  return ok({
171
189
  status,
172
190
  command: 'check-version',
@@ -178,6 +196,7 @@ export function cmdCheckVersion(projectDir) {
178
196
  // file-header schema comment.
179
197
  framework: {
180
198
  latest_version: latestVersion,
199
+ workspace_version: workspaceVersion,
181
200
  },
182
201
  update_available: updateAvailable,
183
202
  dev_install_ahead: devInstallAhead,