@bradheitmann/odin-sentinel 0.2.1

package/protocol/roles.yaml

@@ -0,0 +1,62 @@
+version: 0.2.1
+roles:
+  EXEC_PM:
+    title: EXEC PM
+    layer: executive
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Intent, priority, authorization, escalation, and claim framing.
+  EXEC_ODIN:
+    title: EXEC ODIN
+    layer: meta_control
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Governance health, polling, delivery proof, role boundaries, and closeout hygiene.
+  EXEC_ASST:
+    title: EXEC ASST
+    layer: executive_support
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Ledger, reminders, pane inventory, artifact index, and delivery checks.
+  EXEC_RSCH:
+    title: EXEC RSCH
+    layer: research
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Read-only strategy, alternatives, context recovery, and risk analysis.
+  EXEC_QA:
+    title: EXEC QA
+    layer: quality
+    may_implement_default: false
+    may_qa_accept_default: true
+    purpose: Independent adversarial audit of process, evidence, closure language, and drift.
+  TEAM_PM:
+    title: TEAM PM
+    layer: pod_control
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Pod task routing, worker activation, and reporting.
+  TEAM_ODIN:
+    title: TEAM ODIN
+    layer: meta_control
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Pod health monitoring, polling, blockers, freezes, and lateral ODIN mesh awareness.
+  DEV_WORKER:
+    title: DEV WORKER
+    layer: implementation
+    may_implement_default: true
+    may_qa_accept_default: false
+    purpose: Bounded implementation inside exact write scope with evidence.
+  QA_WORKER:
+    title: QA WORKER
+    layer: quality
+    may_implement_default: false
+    may_qa_accept_default: true
+    purpose: Independent verification of worker evidence and acceptance criteria.
+  SHADOW_REVIEWER:
+    title: SHADOW REVIEWER
+    layer: review
+    may_implement_default: false
+    may_qa_accept_default: false
+    purpose: Independent critique, risk surfacing, and second-pass review.

package/protocol/topology.yaml

@@ -0,0 +1,22 @@
+version: 0.2.1
+default_topology:
+  executive_office:
+    team: A
+    slots:
+      - A/EXEC-PM
+      - A/EXEC-ODIN
+      - A/EXEC-ASST
+      - A/EXEC-RSCH
+      - A/EXEC-QA
+  development_pod:
+    slots:
+      - "{TEAM}/TEAM-PM"
+      - "{TEAM}/ODIN"
+      - "{TEAM}/DEV-1"
+      - "{TEAM}/QA-1"
+      - "{TEAM}/SHADOW-1"
+  fresh_repo_default_pods: 1
+  odin_mesh:
+    bootstrap_identity_exchange: true
+    health_round_robin_minutes: 10
+    aggregator: A/EXEC-ODIN

package/scripts/audit/public-surface.mjs

@@ -0,0 +1,67 @@
+import { execFileSync } from "node:child_process";
+import { readdirSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+
+function walk(dir) {
+  return readdirSync(dir).flatMap((entry) => {
+    const path = join(dir, entry);
+    if ([".git", "dist", "node_modules"].includes(entry)) return [];
+    if (path === "pnpm-lock.yaml") return [];
+    return statSync(path).isDirectory() ? walk(path) : [path];
+  });
+}
+
+function filesToAudit() {
+  try {
+    const tracked = execFileSync("git", ["ls-files"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    const untracked = execFileSync("git", ["ls-files", "--others", "--exclude-standard"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+
+    return `${tracked}\n${untracked}`
+      .split("\n")
+      .filter(Boolean)
+      .filter((file) => !file.startsWith("pnpm-lock.yaml"));
+  } catch {
+    return walk(".");
+  }
+}
+
+const publicFiles = filesToAudit();
+
+const forbidden = [
+  { name: "macOS home path", pattern: new RegExp(`/${"Users"}/[A-Za-z0-9._-]+/`) },
+  { name: "Linux home path", pattern: /\/home\/[A-Za-z0-9._-]+\// },
+  { name: "tilde home path", pattern: /~\// },
+  { name: "local agent config path", pattern: new RegExp(`\\.${"codex"}|\\.${"claude"}|\\.${"agents"}`, "i") },
+  { name: "legacy extension terminology", pattern: new RegExp(`\\b${"sk" + "ill"}\\b|${"SK" + "ILL"}\\.md|export_${"sk" + "ill"}_snapshot`, "i") },
+  {
+    name: "private project or account marker",
+    pattern: new RegExp(
+      `\\b(edge-${"agentic"}|Edu${"gentic"}|${"OK" + "OA"}|open_${"protocols"})\\b`,
+      "i"
+    )
+  },
+  { name: "secret-looking assignment", pattern: /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']+["']/i }
+];
+
+const findings = [];
+
+for (const file of publicFiles) {
+  const text = readFileSync(file, "utf8");
+  for (const rule of forbidden) {
+    if (rule.pattern.test(text)) {
+      findings.push(`${file}: ${rule.name}`);
+    }
+  }
+}
+
+if (findings.length > 0) {
+  throw new Error(`Public surface audit failed:\n${findings.join("\n")}`);
+}
+
+console.log(`Public surface audit PASS: ${publicFiles.length} files checked`);

package/scripts/audit/verify-pack.mjs

@@ -0,0 +1,71 @@
+import { execFileSync } from "node:child_process";
+
+const output = execFileSync("pnpm", ["pack", "--dry-run", "--json"], {
+  encoding: "utf8",
+  stdio: ["ignore", "pipe", "pipe"]
+});
+
+// pnpm 11 writes JSON directly to stdout (no preamble); pnpm <=10 prefixed
+// it with lifecycle logs. Handle both shapes: take from "\n{" if present, or
+// from the start if output already begins with "{".
+const newlineBrace = output.lastIndexOf("\n{");
+const jsonStart = newlineBrace !== -1 ? newlineBrace + 1 : (output.trimStart().startsWith("{") ? output.indexOf("{") : -1);
+if (jsonStart === -1) {
+  throw new Error("pnpm pack did not return JSON metadata");
+}
+
+const pack = JSON.parse(output.slice(jsonStart));
+const paths = new Set(pack.files.map((file) => file.path));
+
+const requiredProtocolFiles = [
+  "protocol/SCP.md",
+  "protocol/roles.yaml",
+  "protocol/topology.yaml",
+  "protocol/model-profiles.yaml",
+  "protocol/closeout.yaml",
+  "protocol/delegation.yaml",
+  "protocol/receipts/boot-receipt.yaml",
+  "protocol/receipts/team-manifest.yaml"
+];
+
+const requiredFiles = [
+  "dist/src/bin/index.js",
+  "dist/src/mcp/server.js",
+  "dist/src/protocol/index.js",
+  "dist/src/protocol/service.js",
+  "dist/src/protocol/repository.js",
+  "dist/src/protocol/schemas.js",
+  "dist/src/protocol/validators.js",
+  "dist/src/protocol/version.js",
+  "docs/guides/quick-start.md",
+  "docs/guides/recommended-starter-team.md",
+  "docs/reference/client-compatibility.md",
+  "docs/reference/cost-and-privacy.md",
+  "docs/reference/distribution.md",
+  "docs/reference/public-surface-audit.md",
+  ...requiredProtocolFiles,
+  "scripts/audit/public-surface.mjs",
+  "scripts/audit/verify-pack.mjs",
+  "README.md",
+  "LICENSE",
+  "package.json"
+];
+
+const missing = requiredFiles.filter((file) => !paths.has(file));
+if (missing.length > 0) {
+  throw new Error(`Package is missing required files: ${missing.join(", ")}`);
+}
+
+const staleFiles = [
+  "dist/src/index.js",
+  "dist/src/server.js",
+  "dist/src/protocol.js",
+  "dist/src/protocol-repository.js",
+  "dist/src/validators.js"
+].filter((file) => paths.has(file));
+
+if (staleFiles.length > 0) {
+  throw new Error(`Package includes stale build files: ${staleFiles.join(", ")}`);
+}
+
+console.log(`Package smoke PASS: ${pack.files.length} files included in ${pack.filename}`);