@besales/ops-framework 0.1.0

package/bin/run-verify.mjs

@@ -0,0 +1,627 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import {
+  appendOrchestrationLog,
+  getFlag,
+  normalizeMarkdownBody,
+  parseCliArgs,
+  readAgentsConfig,
+  readPrompt,
+  readTaskFile,
+  repoRoot,
+  resolveConfigValue,
+  resolveTaskDir,
+  sha256,
+  validateExecutionEvidenceForPlan,
+  writeTaskFile,
+} from './lib/check-context-utils.mjs';
+import {
+  resolveExternalCliProvider,
+  runExternalCliChecker,
+} from './providers/external-cli-checker.mjs';
+import {
+  buildContextModeSequence,
+  buildVerifierLlmInputPack,
+  isContextInsufficientResult,
+  resolveLlmContextMode,
+  summarizePackForConsole,
+} from './lib/llm-input-pack-utils.mjs';
+import { recordLlmInputUsage } from './lib/task-manifest-utils.mjs';
+
+function main() {
+  runMain().catch((error) => {
+    console.error(`Error: ${error.message}`);
+    process.exit(1);
+  });
+}
+
+async function runMain() {
+  const args = parseCliArgs(process.argv.slice(2));
+  const taskArg = args.positional[0];
+  if (!taskArg) {
+    throw new Error('Usage: node ops/agent-pipeline/bin/run-verify.mjs <TASK-id-or-task-path> [--verifier-provider codex-cli] [--verifier-model gpt-5.5]');
+  }
+
+  const taskDir = resolveTaskDir(taskArg);
+  const taskId = path.basename(taskDir);
+  const verifierConfig = resolveVerifierConfig(args);
+  const planSha = hashTaskMarkdown(taskDir, 'plan.md');
+  const executionSha = hashTaskMarkdown(taskDir, 'execution.md');
+  const taskManifest = readOptionalJson(taskDir, 'task-manifest.json');
+  const initialContextMode = resolveLlmContextMode({
+    requestedMode: getFlag(args, 'context-mode') || getFlag(args, 'llm-context-mode'),
+    riskTriggers: taskManifest?.context?.riskTriggers || [],
+  });
+  const evidenceIssues = validateExecutionEvidenceForPlan({
+    planContent: readTaskFile(taskDir, 'plan.md'),
+    executionContent: readTaskFile(taskDir, 'execution.md'),
+  });
+
+  if (evidenceIssues.length > 0) {
+    writeDeterministicEvidenceReturn({
+      taskDir,
+      taskId,
+      verifierConfig,
+      planSha,
+      executionSha,
+      evidenceIssues,
+    });
+    console.log(`Verifier preflight blocked ${taskId}: return_to_execute`);
+    console.log(`- evidenceIssues: ${evidenceIssues.length}`);
+    return;
+  }
+
+  if (verifierConfig.mode === 'internal_supervisor') {
+    writeInternalSupervisorVerify({
+      taskDir,
+      taskId,
+      verifierConfig,
+      planSha,
+      executionSha,
+    });
+    console.log(`Internal supervisor Verify artifact written for ${taskId}: pass_with_notes`);
+    return;
+  }
+
+  let output = null;
+  let verifyResultJson = null;
+  let verifyMarkdown = '';
+  let verifierRunId = null;
+  let finalPack = null;
+  let rerunCount = 0;
+  const llmInputAttempts = [];
+
+  for (const contextMode of buildContextModeSequence(initialContextMode)) {
+    verifierRunId = [
+      'external-cli',
+      verifierConfig.provider,
+      verifierConfig.model,
+      contextMode,
+      new Date().toISOString().replace(/[:.]/g, '-'),
+    ].join(':');
+    const promptPayload = buildVerifierPrompt({
+      taskDir,
+      taskId,
+      verifierConfig,
+      verifierRunId,
+      planSha,
+      executionSha,
+      contextMode,
+    });
+    finalPack = promptPayload.pack;
+    console.log(`Verifier LLM input for ${taskId}`);
+    for (const line of summarizePackForConsole(promptPayload.pack)) {
+      console.log(line);
+    }
+    if (promptPayload.pack.meta.overCap && contextMode !== 'strict') {
+      llmInputAttempts.push(buildAttemptRecord(promptPayload.pack.meta, 'skipped_over_cap'));
+      appendOrchestrationLog(taskDir, `verifier LLM input exceeded ${contextMode} cap; rerunning pack builder with expanded context`);
+      continue;
+    }
+    if (promptPayload.pack.meta.overCap) {
+      llmInputAttempts.push(buildAttemptRecord(promptPayload.pack.meta, 'over_cap_blocked'));
+      writeVerifierFailure({
+        taskDir,
+        taskId,
+        verifierConfig,
+        verifierRunId,
+        planSha,
+        executionSha,
+        failureReason: 'context_overflow',
+        message: `Strict LLM input pack exceeds cap: estimatedTokens=${promptPayload.pack.meta.estimatedTokens}, capTokens=${promptPayload.pack.meta.capTokens}`,
+        rawOutput: null,
+      });
+      recordLlmInputUsage({
+        taskDir,
+        stage: 'verify',
+        packMeta: promptPayload.pack.meta,
+        attempts: llmInputAttempts,
+        rerunCount,
+      });
+      console.log(`Verifier blocked for ${taskId}: strict context pack over cap`);
+      return;
+    }
+
+    try {
+      output = await runExternalCliChecker({
+        providerName: verifierConfig.provider,
+        providerConfig: verifierConfig.providerConfig,
+        model: verifierConfig.model,
+        reasoningEffort: verifierConfig.reasoningEffort,
+        prompt: promptPayload.prompt,
+        cwd: repoRoot,
+      });
+    } catch (error) {
+      writeVerifierFailure({
+        taskDir,
+        taskId,
+        verifierConfig,
+        verifierRunId,
+        planSha,
+        executionSha,
+        failureReason: error.failureReason || 'unknown',
+        message: error.message,
+        rawOutput: error.rawOutput || null,
+      });
+      llmInputAttempts.push(buildAttemptRecord(promptPayload.pack.meta, `provider_failed:${error.failureReason || 'unknown'}`));
+      recordLlmInputUsage({
+        taskDir,
+        stage: 'verify',
+        packMeta: promptPayload.pack.meta,
+        attempts: llmInputAttempts,
+        rerunCount,
+      });
+      throw error;
+    }
+
+    verifyMarkdown = String(output.verifyMarkdown || '').trim();
+    verifyResultJson = normalizeVerifyResult({
+      taskId,
+      verifierConfig,
+      verifierRunId,
+      planSha,
+      executionSha,
+      value: output.verifyResultJson,
+    });
+    if (!isContextInsufficientResult(verifyResultJson) || contextMode === 'strict') {
+      llmInputAttempts.push(buildAttemptRecord(promptPayload.pack.meta, verifyResultJson?.verdict || 'completed'));
+      break;
+    }
+    llmInputAttempts.push(buildAttemptRecord(promptPayload.pack.meta, 'context_insufficient'));
+    rerunCount += 1;
+    appendOrchestrationLog(taskDir, `verifier returned context_insufficient in ${contextMode}; rerunning with expanded context`);
+  }
+
+  if (!verifyMarkdown) {
+    throw new Error('Verifier output missing verifyMarkdown.');
+  }
+
+  writeTaskFile(taskDir, 'verify.md', verifyMarkdown);
+  writeTaskFile(taskDir, 'verify.result.json', JSON.stringify(verifyResultJson, null, 2));
+  if (finalPack) {
+    recordLlmInputUsage({
+      taskDir,
+      stage: 'verify',
+      packMeta: finalPack.meta,
+      attempts: llmInputAttempts,
+      rerunCount,
+    });
+  }
+  appendOrchestrationLog(taskDir, `external CLI verifier completed via ${verifierConfig.provider}; verdict=${verifyResultJson.verdict}; runId=${verifierRunId}`);
+  console.log(`Verifier run completed for ${taskId}: ${verifyResultJson.verdict}`);
+  console.log(`- verifierRunId: ${verifierRunId}`);
+  if (finalPack) {
+    console.log(`- finalLlmInputMode: ${finalPack.meta.mode}`);
+    console.log(`- finalEstimatedInputTokens: ${finalPack.meta.estimatedTokens}`);
+  }
+}
+
+function buildAttemptRecord(packMeta, outcome) {
+  return {
+    mode: packMeta.mode,
+    estimatedTokens: packMeta.estimatedTokens,
+    bytes: packMeta.bytes,
+    capTokens: packMeta.capTokens,
+    overCap: packMeta.overCap,
+    outcome,
+  };
+}
+
+function writeDeterministicEvidenceReturn({
+  taskDir,
+  taskId,
+  verifierConfig,
+  planSha,
+  executionSha,
+  evidenceIssues,
+}) {
+  const verifierRunId = `deterministic-preverify:${new Date().toISOString().replace(/[:.]/g, '-')}`;
+  const findings = evidenceIssues.map((issue, index) => ({
+    id: `V-${String(index + 1).padStart(3, '0')}`,
+    severity: 'blocking',
+    claimCategory: issue.category,
+    affectedArtifacts: ['plan.md', 'execution.md'],
+    claim: issue.message,
+    evidenceRefs: [
+      {
+        type: 'artifact',
+        ref: 'deterministic pre-verify evidence gate',
+      },
+    ],
+    expectedCorrection: expectedCorrectionForEvidenceIssue(issue),
+  }));
+  const verifyMarkdown = [
+    '# Verify',
+    '',
+    '## Verdict',
+    '',
+    '`FAIL` / `return_to_execute`',
+    '',
+    '## Deterministic Pre-Verify Gate',
+    '',
+    'External/internal verifier was not invoked because mandatory execution evidence is missing.',
+    '',
+    '## Findings',
+    '',
+    '| ID | Severity | Category | Claim | Expected correction |',
+    '| --- | --- | --- | --- | --- |',
+    ...findings.map((finding) => `| ${finding.id} | ${finding.severity} | ${finding.claimCategory} | ${escapeTableCell(finding.claim)} | ${escapeTableCell(finding.expectedCorrection)} |`),
+    '',
+    '## Recommended next step',
+    '',
+    'Return to Execute, record the missing evidence, then rerun Verify.',
+  ].join('\n');
+  const result = {
+    schemaVersion: 1,
+    taskId,
+    planSha,
+    executionSha,
+    verificationMode: verifierConfig.mode,
+    verifierProvider: 'deterministic-preverify',
+    verifierModel: 'none',
+    verifierRunId,
+    verdict: 'return_to_execute',
+    failureReason: null,
+    readyForRetrospective: false,
+    counts: {
+      blockingFindings: findings.length,
+      nonBlockingFindings: 0,
+      questions: 0,
+    },
+    findings,
+  };
+
+  writeTaskFile(taskDir, 'verify.md', verifyMarkdown);
+  writeTaskFile(taskDir, 'verify.result.json', JSON.stringify(result, null, 2));
+  appendOrchestrationLog(taskDir, `deterministic pre-verify evidence gate returned return_to_execute; findings=${findings.length}; configuredMode=${verifierConfig.mode}`);
+}
+
+function escapeTableCell(value) {
+  return String(value).replace(/\|/g, '\\|').replace(/\n/g, ' ').trim();
+}
+
+function expectedCorrectionForEvidenceIssue(issue) {
+  if (issue.category === 'ui_verification_gap') {
+    return 'Record UI Acceptance Evidence for each planned UI scenario with scenario id, result, observed visible state and screenshot/payload/rendered/API fallback evidence.';
+  }
+  if (issue.message.includes('Production Rollout')) {
+    return 'Record Production Rollout Evidence with rollout impact, env/deploy facts, rollback path and post-deploy logs/metrics/smoke evidence.';
+  }
+  if (issue.message.includes('Source Sync / Provider')) {
+    return 'Record Source Sync / Provider Evidence with scope/window, idempotency, retry/pagination/rate-limit, raw-record and coverage/parity evidence.';
+  }
+  if (issue.message.includes('Optimization Review')) {
+    return 'Record Optimization Review Evidence with hot-path review, anti-pattern findings, timing/rows/benchmark/EXPLAIN evidence or explicit deferred findings before Verify.';
+  }
+  return 'Record Complexity / Performance Evidence with timing, row-count, EXPLAIN, N+1 or hot-path review evidence before Verify.';
+}
+
+function resolveVerifierConfig(args) {
+  const config = readAgentsConfig();
+  const mode = normalizeVerifierMode(
+    getFlag(args, 'verify-mode')
+      || getFlag(args, 'verification-mode')
+      || process.env.VERIFICATION_MODE
+      || process.env.VERIFIER_MODE
+      || resolveConfigValue(config.verifier?.mode)
+      || 'external_cli',
+  );
+  const provider = getFlag(args, 'verifier-provider')
+    || process.env.VERIFIER_PROVIDER
+    || resolveConfigValue(config.verifier?.provider)
+    || 'codex-cli';
+  const providerDefaults = config.checkerProviders?.[provider] || {};
+  const model = getFlag(args, 'verifier-model')
+    || process.env.VERIFIER_MODEL
+    || resolveConfigValue(providerDefaults.model)
+    || resolveConfigValue(config.verifier?.model)
+    || (provider === 'claude-cli' || provider === 'cloud-cli' ? 'claude-opus-4-7' : 'gpt-5.5');
+  const reasoningEffort = getFlag(args, 'verifier-reasoning-effort')
+    || process.env.VERIFIER_REASONING_EFFORT
+    || resolveConfigValue(providerDefaults.reasoningEffort)
+    || resolveConfigValue(config.verifier?.reasoningEffort)
+    || 'medium';
+
+  return {
+    mode,
+    provider,
+    model,
+    reasoningEffort,
+    providerConfig: resolveExternalCliProvider(provider, config),
+  };
+}
+
+function normalizeVerifierMode(value) {
+  if (value === 'external' || value === 'external_cli' || value === 'independent') {
+    return 'external_cli';
+  }
+
+  if (value === 'internal' || value === 'internal_supervisor' || value === 'off' || value === 'none' || value === 'no_external') {
+    return 'internal_supervisor';
+  }
+
+  throw new Error(`Invalid verifier mode: ${value}. Use external_cli or internal_supervisor.`);
+}
+
+function writeInternalSupervisorVerify({
+  taskDir,
+  taskId,
+  verifierConfig,
+  planSha,
+  executionSha,
+}) {
+  const verifierRunId = `internal-supervisor:${new Date().toISOString().replace(/[:.]/g, '-')}`;
+  const status = readTaskFile(taskDir, 'status.md');
+  const execution = readTaskFile(taskDir, 'execution.md');
+  const verifyMarkdown = [
+    '# Verify',
+    '',
+    '## verdict',
+    '',
+    '`PASS_WITH_NOTES`',
+    '',
+    'Internal Supervisor Verify was selected. No external CLI/model verifier was invoked.',
+    '',
+    '## verification mode',
+    '',
+    '- `verificationMode`: `internal_supervisor`',
+    '- `verifierProvider`: `supervisor`',
+    '- External independent verifier: skipped by configured cost-saving mode.',
+    '',
+    '## evidence reviewed',
+    '',
+    '- `plan.md` hash matched the recorded verify input.',
+    '- `execution.md` hash matched the recorded verify input.',
+    '- Supervisor reviewed the current execution ledger and status artifact.',
+    '',
+    '## residual risks',
+    '',
+    '- This is not an independent fresh-context verifier run.',
+    '- Use `--verify-mode external_cli` for production-readiness, R4/R5, material migrations/backfills, destructive/security/financial work, broad ambiguous refactors or explicit human request.',
+    '',
+    '## latest status excerpt',
+    '',
+    '```md',
+    status.trim().slice(0, 2000),
+    '```',
+    '',
+    '## execution evidence excerpt',
+    '',
+    '```md',
+    execution.trim().slice(-4000),
+    '```',
+  ].join('\n');
+  const result = {
+    schemaVersion: 1,
+    taskId,
+    planSha,
+    executionSha,
+    verificationMode: 'internal_supervisor',
+    verifierProvider: 'supervisor',
+    verifierModel: 'none',
+    verifierRunId,
+    verdict: 'pass_with_notes',
+    failureReason: null,
+    readyForRetrospective: true,
+    counts: {
+      blockingFindings: 0,
+      nonBlockingFindings: 1,
+      questions: 0,
+    },
+    findings: [
+      {
+        id: 'V-001',
+        severity: 'non_blocking',
+        claimCategory: 'insufficient_evidence',
+        affectedArtifacts: ['verify.md', 'verify.result.json'],
+        claim: 'Verify used internal supervisor mode, so no independent fresh-context verifier reviewed this execution.',
+        evidenceRefs: [
+          {
+            type: 'config',
+            ref: `verifier.mode=${verifierConfig.mode}`,
+          },
+        ],
+        expectedCorrection: 'Run `corepack yarn agent:run-verify <TASK> --verify-mode external_cli` if the task risk or human decision requires independent verification.',
+      },
+    ],
+  };
+
+  writeTaskFile(taskDir, 'verify.md', verifyMarkdown);
+  writeTaskFile(taskDir, 'verify.result.json', JSON.stringify(result, null, 2));
+  appendOrchestrationLog(taskDir, `internal supervisor verifier completed; verdict=${result.verdict}; runId=${verifierRunId}`);
+}
+
+function buildVerifierPrompt({
+  taskDir,
+  taskId,
+  verifierConfig,
+  verifierRunId,
+  planSha,
+  executionSha,
+  contextMode,
+}) {
+  const verifierPrompt = readPrompt('verifier.md');
+  const pack = buildVerifierLlmInputPack({
+    taskDir,
+    taskId,
+    planSha,
+    executionSha,
+    verifier: {
+      provider: verifierConfig.provider,
+      model: verifierConfig.model,
+      reasoningEffort: verifierConfig.reasoningEffort,
+      runId: verifierRunId,
+    },
+    mode: contextMode,
+  });
+
+  const prompt = [
+    verifierPrompt,
+    '',
+    'Fresh-context enforcement:',
+    '- You are an external isolated CLI Verifier invocation.',
+    '- You do not inherit this chat, Executor reasoning, Planner reasoning or prior Verifier reasoning.',
+    '- Treat execution.md as claims to verify against plan.md, task artifacts and repository state.',
+    '- Read repository files as needed, but do not mutate any files.',
+    '- If you compare planSha/executionSha with local files, use `corepack yarn agent:hash-task-artifacts <TASK-id>` or equivalent normalizeMarkdownBody semantics; raw `shasum` over markdown files is not equivalent.',
+    '',
+    'Return exactly one JSON object, with no markdown wrapper:',
+    '{',
+    '  "verifyMarkdown": "full markdown for verify.md",',
+    '  "verifyResultJson": { ... object matching verify.result.json contract ... }',
+    '}',
+    '',
+    'Required verifyResultJson fields:',
+    '- schemaVersion: 1',
+    `- taskId: ${taskId}`,
+    `- planSha: ${planSha}`,
+    `- executionSha: ${executionSha}`,
+    '- verificationMode: external_cli',
+    `- verifierProvider: ${verifierConfig.provider}`,
+    `- verifierModel: ${verifierConfig.model}`,
+    `- verifierRunId: ${verifierRunId}`,
+    '- verdict: pass | pass_with_notes | return_to_execute | return_to_plan | human_arbitration_required | context_insufficient | verifier_failed',
+    '- failureReason: null unless verdict=verifier_failed',
+    '- readyForRetrospective: true only for pass/pass_with_notes',
+    '- counts matching findings[]',
+    '- findings[] with V-001, V-002 IDs and severity blocking | non_blocking | question',
+    '',
+    '<task_input_json>',
+    JSON.stringify(pack.input, null, 2),
+    '</task_input_json>',
+  ].join('\n');
+  return {
+    prompt,
+    pack,
+  };
+}
+
+function normalizeVerifyResult({
+  taskId,
+  verifierConfig,
+  verifierRunId,
+  planSha,
+  executionSha,
+  value,
+}) {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    throw new Error('Verifier output missing verifyResultJson object.');
+  }
+  return {
+    ...value,
+    schemaVersion: 1,
+    taskId,
+    planSha,
+    executionSha,
+    verificationMode: 'external_cli',
+    verifierProvider: verifierConfig.provider,
+    verifierModel: verifierConfig.model,
+    verifierRunId,
+  };
+}
+
+function writeVerifierFailure({
+  taskDir,
+  taskId,
+  verifierConfig,
+  verifierRunId,
+  planSha,
+  executionSha,
+  failureReason,
+  message,
+  rawOutput,
+}) {
+  const verifyMarkdown = [
+    '# Verify',
+    '',
+    '## Verdict',
+    '',
+    '`VERIFIER_FAILED`',
+    '',
+    `External CLI verifier failed before producing a valid result: ${message}`,
+    '',
+    '## Findings',
+    '',
+    '| ID | Severity | Category | Claim | Expected correction |',
+    '| --- | --- | --- | --- | --- |',
+    `| V-001 | blocking | verifier_failure | External verifier failed with ${failureReason}. | Fix provider/config/output and rerun external verifier. |`,
+  ].join('\n');
+  const result = {
+    schemaVersion: 1,
+    taskId,
+    planSha,
+    executionSha,
+    verificationMode: 'external_cli',
+    verifierProvider: verifierConfig.provider,
+    verifierModel: verifierConfig.model,
+    verifierRunId,
+    verdict: 'verifier_failed',
+    failureReason,
+    readyForRetrospective: false,
+    counts: {
+      blockingFindings: 1,
+      nonBlockingFindings: 0,
+      questions: 0,
+    },
+    findings: [
+      {
+        id: 'V-001',
+        severity: 'blocking',
+        claimCategory: 'verifier_failure',
+        affectedArtifacts: ['verify.result.json'],
+        claim: `External verifier failed: ${message}`,
+        evidenceRefs: rawOutput ? [{ type: 'external_output', ref: rawOutput.slice(0, 1000) }] : [],
+        expectedCorrection: 'Fix provider/config/output and rerun external verifier.',
+      },
+    ],
+  };
+  writeTaskFile(taskDir, 'verify.md', verifyMarkdown);
+  writeTaskFile(taskDir, 'verify.result.json', JSON.stringify(result, null, 2));
+  appendOrchestrationLog(taskDir, `external CLI verifier failed via ${verifierConfig.provider}; failureReason=${failureReason}; runId=${verifierRunId}`);
+}
+
+function hashTaskMarkdown(taskDir, fileName) {
+  return sha256(normalizeMarkdownBody(readRequiredTaskFile(taskDir, fileName)));
+}
+
+function readRequiredTaskFile(taskDir, fileName) {
+  const filePath = path.join(taskDir, fileName);
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`Missing required task artifact: ${fileName}`);
+  }
+  return fs.readFileSync(filePath, 'utf8');
+}
+
+function readOptionalJson(taskDir, fileName) {
+  const filePath = path.join(taskDir, fileName);
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+main();

package/bin/self-lint.mjs

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __filename = fileURLToPath(import.meta.url);
+const packageRoot = path.resolve(path.dirname(__filename), '..');
+const fix = process.argv.includes('--fix');
+const issues = [];
+const textExtensions = new Set(['.json', '.md', '.mjs', '.ts', '.yaml', '.yml']);
+const ignoredDirs = new Set(['node_modules', '.git', '.yarn']);
+const openWorkMarkerPattern = new RegExp(`\\b(${['TO', 'DO'].join('')}|${['FIX', 'ME'].join('')})\\b`);
+const localAbsolutePathPattern = new RegExp(`/${'Users'}/|/${'Applications'}/`);
+const projectSpecificPattern = new RegExp([
+  String.raw`\b${['apps', 'panel'].join('/')}\b`,
+  ['Leak', 'Engine'].join(''),
+  ['Delivery', 'Os'].join(''),
+  ['Personal', 'Blog'].join(''),
+].join('|'));
+
+for (const filePath of walk(packageRoot)) {
+  const relativePath = path.relative(packageRoot, filePath);
+  if (path.basename(filePath) === '.DS_Store') {
+    issues.push(`${relativePath}: remove .DS_Store from package files`);
+    continue;
+  }
+  if (!textExtensions.has(path.extname(filePath))) {
+    continue;
+  }
+  checkTextFile(filePath, relativePath);
+}
+
+if (issues.length > 0) {
+  console.error(`ops-framework lint failed (${issues.length} issue${issues.length === 1 ? '' : 's'}):`);
+  for (const issue of issues) {
+    console.error(`- ${issue}`);
+  }
+  process.exit(1);
+}
+
+console.log(`ops-framework lint ${fix ? 'fixed and ' : ''}passed`);
+
+function checkTextFile(filePath, relativePath) {
+  const original = fs.readFileSync(filePath, 'utf8');
+  let content = original;
+
+  if (openWorkMarkerPattern.test(content)) {
+    issues.push(`${relativePath}: contains open-work marker`);
+  }
+  if (localAbsolutePathPattern.test(content)) {
+    issues.push(`${relativePath}: contains local absolute path`);
+  }
+  if (projectSpecificPattern.test(content)) {
+    issues.push(`${relativePath}: contains project-specific path or name`);
+  }
+  if (/[ \t]+$/m.test(content)) {
+    issues.push(`${relativePath}: contains trailing whitespace`);
+    if (fix) {
+      content = content.replace(/[ \t]+$/gm, '');
+    }
+  }
+  if (content && !content.endsWith('\n')) {
+    issues.push(`${relativePath}: missing final newline`);
+    if (fix) {
+      content = `${content}\n`;
+    }
+  }
+
+  if (fix && content !== original) {
+    fs.writeFileSync(filePath, content);
+  }
+}
+
+function* walk(dir) {
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    if (ignoredDirs.has(entry.name)) {
+      continue;
+    }
+    const filePath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      yield* walk(filePath);
+      continue;
+    }
+    if (entry.isFile()) {
+      yield filePath;
+    }
+  }
+}