@bradheitmann/odin-sentinel 0.4.5 → 0.4.6

package/protocol/topology.yaml

@@ -1,4 +1,4 @@
-version: 0.3.0
+version: 0.4.6
 default_topology:
   executive_office:
     team: A
@@ -18,39 +18,81 @@ default_topology:
   fresh_repo_default_pods: 1
   odin_mesh:
     bootstrap_identity_exchange: true
-    health_round_robin_minutes: 10
+    health_round_robin_seconds: 30
     aggregator: A/EXEC-ODIN
-surface_layout:
-  description: >-
-    Canonical CMUX surface layout rule for EXEC PM. Teams arrive as letters
-    (Team A is executive; Team B onward are development pods). Columns are
-    equal width. Surfaces stack vertically inside a column with at most two
-    surfaces per column. Team A always occupies column 0. When the team count
-    is odd and at least 3, column 0 holds only Team A (the "tall column").
-  rules:
-    max_surfaces_per_column: 2
-    column_widths: equal
-    exec_team_column: 0
-    tall_column_when_odd_team: A
-  custodianship:
-    sole_custodian: A/EXEC-PM
-    includes:
-      - cmux new-split
-      - cmux new-surface
-      - cmux move-surface
-      - cmux close-surface
-  pre_staffing_gate: >-
-    Before adding any agent beyond A/EXEC, EXEC PM must (1) call
-    odin.compute_surface_layout for teamCount=N+1, (2) execute the splits
-    required to reach that layout via cmux, (3) confirm each new surface
-    is empty and addressable via cmux list-pane-surfaces, and only then
-    (4) dispatch the spawn to the newly created surface.
-  reference_layouts:
-    teams_1: "[A]"
-    teams_2: "[A] [B]"
-    teams_3: "[A] [B/C]"
-    teams_4: "[A/D] [B/C]"
-    teams_5: "[A] [B/C] [D/E]"
-    teams_6: "[A/F] [B/C] [D/E]"
-    teams_7: "[A] [B/C] [D/E] [F/G]"
-    teams_8: "[A/H] [B/C] [D/E] [F/G]"
+  launch_phases:
+    - SURFACE_PROVISIONED
+    - OCCUPANT_READINESS
+    - OCCUPANT_LAUNCH
+    - BOOT_RECEIPT_VALIDATION
+    - TEAM_ACTIVATION
+    - ACTIVE_WATCH
+  readiness_gate:
+    minimum_mcp_version: 0.4.5
+    cmux_required_for_governed_team: true
+    occupant_launch_allowed_when:
+      - PASS
+      - WAIVED_BY_EXEC_PM
+      - SUBSTITUTION_APPROVED_BY_EXEC_PM
+    team_activation_allowed_states:
+      - BOOTSTRAPPED_IDLE
+      - ACTIVE_WATCH
+      - VACANT_ROLE_SLOT
+      - AGENT_SUBSTITUTION_REQUIRED
+    safe_auth_failure_outcomes:
+      - choose a different harness
+      - receive setup guidance without pasting secrets
+      - mark slot VACANT_ROLE_SLOT
+      - request EXEC PM-approved substitution
+  surface_layout:
+    description: >-
+      Canonical CMUX surface layout rule for EXEC PM. Governed team bootstrap
+      uses human_cmux_quad by default: one CMUX workspace with four panes/regions
+      (executive office, Team B pod, Team C pod, blockers/status/intake).
+      Legacy columns remain available for compatibility but tab-only layout is
+      degraded unless explicitly approved.
+    canonical_profile: human_cmux_quad
+    human_cmux_quad:
+      workspace_policy: A/EXEC-PM remains in the same CMUX workspace as all governed teams
+      quadrants:
+        A: executive office
+        B: Team B pod
+        C: Team C pod
+        D: blockers/status/intake or overflow
+      empty_role_slots_before_launch: true
+      reject_tab_only_unless_degraded_mode_approved: true
+      reject_split_workspace_without_routing_proof: true
+      no_cmux_governed_status: NOT_GOVERNED_NO_CMUX
+    legacy_columns:
+      description: >-
+        Teams arrive as letters (Team A is executive; Team B onward are
+        development pods). Columns are equal width. Surfaces stack vertically
+        inside a column with at most two surfaces per column. Team A always
+        occupies column 0.
+    rules:
+      max_surfaces_per_column: 2
+      column_widths: equal
+      exec_team_column: 0
+      tall_column_when_odd_team: A
+    custodianship:
+      sole_custodian: A/EXEC-PM
+      includes:
+        - cmux new-split
+        - cmux new-surface
+        - cmux move-surface
+        - cmux close-surface
+    pre_staffing_gate: >-
+      Before adding any agent beyond A/EXEC, EXEC PM must (1) call
+      odin.compute_surface_layout for teamCount=N+1, (2) execute the splits
+      required to reach that layout via cmux, (3) confirm each new surface
+      is empty and addressable via cmux list-pane-surfaces, and only then
+      (4) dispatch the spawn to the newly created surface.
+    reference_layouts:
+      teams_1: "[A]"
+      teams_2: "[A] [B]"
+      teams_3: "[A] [B/C]"
+      teams_4: "[A/D] [B/C]"
+      teams_5: "[A] [B/C] [D/E]"
+      teams_6: "[A/F] [B/C] [D/E]"
+      teams_7: "[A] [B/C] [D/E] [F/G]"
+      teams_8: "[A/H] [B/C] [D/E] [F/G]"

package/scripts/audit/public-surface.mjs

@@ -1,6 +1,22 @@
 import { execFileSync } from "node:child_process";
 import { readdirSync, readFileSync, statSync } from "node:fs";
 import { join } from "node:path";
+import { pathToFileURL } from "node:url";
+
+const PUBLIC_ROOTS = [
+  "README.md",
+  "AGENTS.md",
+  "CLAUDE.md",
+  "LICENSE",
+  "package.json",
+  "docs/",
+  "protocol/",
+  "templates/",
+  "plugins/",
+  "scripts/audit/"
+];
+
+const EXCLUDED_PREFIXES = [".git/", "dist/", "node_modules/", "project/" + "planning" + "/", "." + "edge-" + "agentic" + "/local/", "tests/"];
 
 function walk(dir) {
   return readdirSync(dir).flatMap((entry) => {
@@ -11,6 +27,11 @@ function walk(dir) {
   });
 }
 
+export function isPublicAuditFile(file) {
+  if (EXCLUDED_PREFIXES.some((prefix) => file.startsWith(prefix))) return false;
+  return PUBLIC_ROOTS.some((root) => file === root || file.startsWith(root));
+}
+
 function filesToAudit() {
   try {
     const tracked = execFileSync("git", ["ls-files"], {
@@ -25,17 +46,13 @@ function filesToAudit() {
     return `${tracked}\n${untracked}`
       .split("\n")
       .filter(Boolean)
-      .filter((file) => !file.startsWith("pnpm-lock.yaml"));
+      .filter((file) => file !== "pnpm-lock.yaml")
+      .filter(isPublicAuditFile);
   } catch {
-    return walk(".");
+    return walk(".").filter(isPublicAuditFile);
   }
 }
 
-const publicFiles = filesToAudit();
-
-// Install and protocol documentation legitimately references agent harness
-// config directories and tilde home paths. The path-style rules below skip
-// these files; the rest of the rules still apply.
 const BUNDLED_DOC = new Set([
   "README.md",
   "docs/guides/quickstart-prompts.md",
@@ -47,7 +64,9 @@ const forbidden = [
   { name: "macOS home path", pattern: new RegExp(`/${"Users"}/[A-Za-z0-9._-]+/`) },
   { name: "Linux home path", pattern: /\/home\/[A-Za-z0-9._-]+\// },
   { name: "tilde home path", pattern: /~\//, exemptFiles: BUNDLED_DOC },
-  { name: "local agent config path", pattern: new RegExp(`\\.${"codex"}|\\.${"claude"}|\\.${"agents"}`, "i"), exemptFiles: BUNDLED_DOC },
+  { name: "local agent config path", pattern: new RegExp(`\\.(?:${"codex"}|${"claude"}|${"agents"})(?:/|$)`, "i"), exemptFiles: BUNDLED_DOC },
+  { name: "local evidence path", pattern: new RegExp(`\\.${"edge-" + "agentic"}/local`, "i") },
+  { name: "private planning path", pattern: new RegExp(`project/${"planning"}/`, "i") },
   {
     name: "private project or account marker",
     pattern: new RegExp(
@@ -58,20 +77,29 @@ const forbidden = [
   { name: "secret-looking assignment", pattern: /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']+["']/i }
 ];
 
-const findings = [];
-
-for (const file of publicFiles) {
-  const text = readFileSync(file, "utf8");
-  for (const rule of forbidden) {
-    if (rule.exemptFiles?.has(file)) continue;
-    if (rule.pattern.test(text)) {
-      findings.push(`${file}: ${rule.name}`);
+export function auditPublicSurface(fileTextByPath) {
+  const findings = [];
+  for (const [file, text] of Object.entries(fileTextByPath)) {
+    if (!isPublicAuditFile(file)) continue;
+    for (const rule of forbidden) {
+      if (rule.exemptFiles?.has(file)) continue;
+      if (rule.pattern.test(text)) findings.push(`${file}: ${rule.name}`);
     }
   }
+  return findings;
 }
 
-if (findings.length > 0) {
-  throw new Error(`Public surface audit failed:\n${findings.join("\n")}`);
+export function main() {
+  const publicFiles = filesToAudit();
+  const findings = auditPublicSurface(Object.fromEntries(publicFiles.map((file) => [file, readFileSync(file, "utf8")])));
+
+  if (findings.length > 0) {
+    throw new Error(`Public surface audit failed:\n${findings.join("\n")}`);
+  }
+
+  console.log(`Public surface audit PASS: ${publicFiles.length} files checked`);
 }
 
-console.log(`Public surface audit PASS: ${publicFiles.length} files checked`);
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+  main();
+}

package/scripts/audit/verify-pack.mjs

@@ -1,21 +1,8 @@
 import { execFileSync } from "node:child_process";
+import { readFileSync } from "node:fs";
+import { pathToFileURL } from "node:url";
 
-const output = execFileSync("pnpm", ["pack", "--dry-run", "--json"], {
-  encoding: "utf8",
-  stdio: ["ignore", "pipe", "pipe"]
-});
-
-// pnpm 11 writes JSON directly to stdout (no preamble); pnpm <=10 prefixed
-// it with lifecycle logs. Handle both shapes: take from "\n{" if present, or
-// from the start if output already begins with "{".
-const newlineBrace = output.lastIndexOf("\n{");
-const jsonStart = newlineBrace !== -1 ? newlineBrace + 1 : (output.trimStart().startsWith("{") ? output.indexOf("{") : -1);
-if (jsonStart === -1) {
-  throw new Error("pnpm pack did not return JSON metadata");
-}
-
-const pack = JSON.parse(output.slice(jsonStart));
-const paths = new Set(pack.files.map((file) => file.path));
+export const MINIMUM_COMPATIBLE_CHILD_MCP_VERSION = "0.4.5";
 
 const requiredProtocolFiles = [
   "protocol/SCP.md",
@@ -29,7 +16,14 @@ const requiredProtocolFiles = [
   "protocol/bootstrap-skill.md"
 ];
 
-const requiredFiles = [
+const requiredTemplateFiles = [
+  "templates/dev-slice-template.md",
+  "templates/qa-slice-template.md",
+  "templates/pm-role-template.md",
+  "templates/team-manifest-template.yaml"
+];
+
+export const requiredPackageFiles = [
   "dist/src/bin/index.js",
   "dist/src/mcp/server.js",
   "dist/src/protocol/index.js",
@@ -46,28 +40,300 @@ const requiredFiles = [
   "docs/reference/distribution.md",
   "docs/reference/public-surface-audit.md",
   ...requiredProtocolFiles,
+  ...requiredTemplateFiles,
   "scripts/audit/public-surface.mjs",
   "scripts/audit/verify-pack.mjs",
+  "AGENTS.md",
+  "CLAUDE.md",
   "README.md",
   "LICENSE",
   "package.json"
 ];
 
-const missing = requiredFiles.filter((file) => !paths.has(file));
-if (missing.length > 0) {
-  throw new Error(`Package is missing required files: ${missing.join(", ")}`);
-}
-
-const staleFiles = [
+const staleBuildFiles = [
   "dist/src/index.js",
   "dist/src/server.js",
   "dist/src/protocol.js",
   "dist/src/protocol-repository.js",
   "dist/src/validators.js"
-].filter((file) => paths.has(file));
+];
+
+const protocolResourceVersionLockedFiles = new Set([
+  "protocol/SCP.md",
+  "protocol/closeout.yaml",
+  "protocol/delegation.yaml",
+  "protocol/model-profiles.yaml",
+  "protocol/roles.yaml",
+  "protocol/topology.yaml"
+]);
+
+const forbiddenPackagePrefixes = ["project/" + "planning" + "/", "." + "edge-" + "agentic" + "/local/"];
+const forbiddenPackagedContentRules = [
+  { name: "local evidence path", pattern: new RegExp(`\\.${"edge-" + "agentic"}/local`, "i") },
+  { name: "local ODIN audit path", pattern: /\.odin\/local\//i },
+  { name: "private planning path", pattern: new RegExp(`project/${"planning"}/`, "i") },
+  { name: "macOS home path", pattern: new RegExp(`/${"Users"}/[A-Za-z0-9._-]+/`) },
+  { name: "Linux home path", pattern: /\/home\/[A-Za-z0-9._-]+\// },
+  { name: "secret-looking assignment", pattern: /(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']+["']/i }
+];
+
+function asPathSet(paths) {
+  return new Set(Array.from(paths));
+}
+
+export function validatePackageMetadata(packageJson) {
+  const errors = [];
+  if (!packageJson.repository?.url) errors.push("package.json missing repository.url");
+  if (!packageJson.homepage) errors.push("package.json missing homepage");
+  if (!packageJson.bugs?.url) errors.push("package.json missing bugs.url");
+  if (!packageJson.license) errors.push("package.json missing license");
+  if (!packageJson.engines?.node) errors.push("package.json missing engines.node");
+  if (!Array.isArray(packageJson.files) || packageJson.files.length === 0) errors.push("package.json missing files allowlist");
+  for (const file of ["docs", "protocol", "templates", "AGENTS.md", "CLAUDE.md", "README.md", "LICENSE"]) {
+    if (!packageJson.files?.includes(file)) errors.push(`package.json files allowlist missing ${file}`);
+  }
+  if (packageJson.odin?.publicVersion !== packageJson.version) {
+    errors.push("package.json odin.publicVersion must match package version");
+  }
+  if (packageJson.odin?.minimumCompatibleChildMcpVersion !== MINIMUM_COMPATIBLE_CHILD_MCP_VERSION) {
+    errors.push("package.json odin.minimumCompatibleChildMcpVersion drifted");
+  }
+  for (const [name, version] of Object.entries(packageJson.dependencies ?? {})) {
+    if (typeof version !== "string" || /^[~^]/.test(version) || /[<>=*x|]/i.test(version)) {
+      errors.push(`package.json runtime dependency ${name} must be pinned exactly`);
+    }
+  }
+  return errors;
+}
+
+export function validatePackFileList(pathsInput) {
+  const paths = asPathSet(pathsInput);
+  const errors = [];
+  const missing = requiredPackageFiles.filter((file) => !paths.has(file));
+  if (missing.length > 0) errors.push(`Package is missing required files: ${missing.join(", ")}`);
+
+  const stale = staleBuildFiles.filter((file) => paths.has(file));
+  if (stale.length > 0) errors.push(`Package includes stale build files: ${stale.join(", ")}`);
+
+  const privatePaths = Array.from(paths).filter((file) => forbiddenPackagePrefixes.some((prefix) => file.startsWith(prefix)));
+  if (privatePaths.length > 0) errors.push(`Package includes private local paths: ${privatePaths.join(", ")}`);
 
-if (staleFiles.length > 0) {
-  throw new Error(`Package includes stale build files: ${staleFiles.join(", ")}`);
+  return errors;
 }
 
-console.log(`Package smoke PASS: ${pack.files.length} files included in ${pack.filename}`);
+export function validatePackFileContents(fileTextByPath) {
+  const findings = [];
+  for (const [file, text] of Object.entries(fileTextByPath)) {
+    for (const rule of forbiddenPackagedContentRules) {
+      if (rule.pattern.test(text)) findings.push(`${file}: ${rule.name}`);
+    }
+  }
+  return findings;
+}
+
+function isTextPackageFile(file) {
+  return /\.(js|mjs|cjs|ts|json|md|ya?ml|txt|html|css|sh)$/.test(file) || !file.includes(".");
+}
+
+function readPackFileTexts(paths) {
+  return Object.fromEntries(
+    paths
+      .filter(isTextPackageFile)
+      .flatMap((file) => {
+        try {
+          return [[file, readFileSync(file, "utf8")]];
+        } catch {
+          return [];
+        }
+      })
+  );
+}
+
+export function findStaleVersionReferences(fileTextByPath, currentVersion, minimumCompatibleVersion = MINIMUM_COMPATIBLE_CHILD_MCP_VERSION) {
+  const allowed = new Set([currentVersion, minimumCompatibleVersion]);
+  const findings = [];
+  const versionPattern = /\b\d+\.\d+\.\d+\b/g;
+  const relevantVersionLine = (line) => {
+    const lower = line.toLowerCase();
+    if (/\bnode\.?js\b/.test(lower) || /\bengines?\b/.test(lower)) return false;
+    if (/^version:\s*\d+\.\d+\.\d+\s*$/.test(line.trim())) return false;
+    return [
+      "odin-sentinel",
+      "serverinfo",
+      "package/server",
+      "public version",
+      "minimum compatible",
+      "compatible child mcp",
+      "mcp version",
+      "server version",
+      "expected version",
+      "stale mcp version",
+      "confirm >=",
+      "server "
+    ].some((marker) => lower.includes(marker));
+  };
+
+  for (const [file, text] of Object.entries(fileTextByPath)) {
+    for (const line of text.split("\n")) {
+      if (!relevantVersionLine(line)) continue;
+      const matches = line.match(versionPattern) ?? [];
+      for (const version of matches) {
+        if (!allowed.has(version)) findings.push(`${file}: stale version reference ${version}`);
+      }
+    }
+  }
+
+  return findings;
+}
+
+export function validatePublicProtocolSync({ scpText, bootstrapText, currentVersion, minimumCompatibleVersion = MINIMUM_COMPATIBLE_CHILD_MCP_VERSION }) {
+  const errors = [];
+  const requiredMarkers = [
+    `SCP_PUBLIC_VERSION: ${currentVersion}`,
+    `MIN_COMPATIBLE_CHILD_MCP: ${minimumCompatibleVersion}`
+  ];
+
+  for (const marker of requiredMarkers) {
+    if (!scpText.includes(marker)) errors.push(`protocol/SCP.md missing ${marker}`);
+    if (!bootstrapText.includes(marker)) errors.push(`protocol/bootstrap-skill.md missing ${marker}`);
+  }
+
+  return errors;
+}
+
+export function validatePluginSync({ pluginManifestText, pluginSkillText, pluginReadmeText, currentVersion, minimumCompatibleVersion = MINIMUM_COMPATIBLE_CHILD_MCP_VERSION }) {
+  const errors = [];
+  let manifest;
+  try {
+    manifest = JSON.parse(pluginManifestText);
+  } catch {
+    errors.push("Claude plugin manifest must be valid JSON");
+    manifest = {};
+  }
+
+  if (manifest.version !== currentVersion) {
+    errors.push(`Claude plugin manifest version ${manifest.version ?? "<missing>"} must match package version ${currentVersion}`);
+  }
+  const server = manifest.mcpServers?.["odin-sentinel"];
+  if (!server) {
+    errors.push("Claude plugin manifest missing odin-sentinel MCP server");
+  } else {
+    if (server.command !== "npx") errors.push("Claude plugin odin-sentinel server must use npx");
+    const args = Array.isArray(server.args) ? server.args : [];
+    for (const requiredArg of ["-y", "-p", "@bradheitmann/odin-sentinel", "odin-sentinel-mcp"]) {
+      if (!args.includes(requiredArg)) errors.push(`Claude plugin odin-sentinel args missing ${requiredArg}`);
+    }
+  }
+
+  for (const marker of [`SCP_PUBLIC_VERSION: ${currentVersion}`, `MIN_COMPATIBLE_CHILD_MCP: ${minimumCompatibleVersion}`]) {
+    if (!pluginSkillText.includes(marker)) errors.push(`Claude plugin skill missing ${marker}`);
+  }
+  if (!/23\s+`?odin\.\*`?\s+tools/i.test(pluginReadmeText)) {
+    errors.push("Claude plugin README must advertise 23 odin.* tools");
+  }
+
+  return errors;
+}
+
+export function validatePackagedProtocolVersions(fileTextByPath, currentVersion) {
+  const errors = [];
+  for (const [file, text] of Object.entries(fileTextByPath)) {
+    if (!protocolResourceVersionLockedFiles.has(file)) continue;
+    const firstVersion = text.match(/^(?:version|Version):\s*([0-9]+\.[0-9]+\.[0-9]+)\s*$/m);
+    if (firstVersion && firstVersion[1] !== currentVersion) {
+      errors.push(`${file}: protocol resource version ${firstVersion[1]} must match package version ${currentVersion}`);
+    }
+  }
+  return errors;
+}
+
+export function validateBootstrapReadiness(bootstrapText) {
+  const required = ["MCP server", "native skill", "full prompt fallback", "CMUX", "auth/account readiness", "local inference", "role compatibility"];
+  return required.filter((term) => !bootstrapText.toLowerCase().includes(term.toLowerCase())).map((term) => `protocol/bootstrap-skill.md missing readiness term: ${term}`);
+}
+
+export function validateTelemetryWording(costPrivacyText) {
+  const errors = [];
+  if (/does not .*telemetry/i.test(costPrivacyText) && !/optional|user-invoked|not automatic/i.test(costPrivacyText)) {
+    errors.push("Telemetry wording must explain optional/user-invoked behavior");
+  }
+  if (!/optional telemetry/i.test(costPrivacyText) || !/user-invoked/i.test(costPrivacyText)) {
+    errors.push("Cost/privacy docs must describe optional user-invoked telemetry");
+  }
+  return errors;
+}
+
+function readPublicVersionFiles() {
+  return Object.fromEntries([
+    "README.md",
+    "docs/guides/quick-start.md",
+    "docs/guides/quickstart-prompts.md",
+    "docs/reference/client-compatibility.md",
+    "docs/reference/distribution.md",
+    "docs/reference/public-surface-audit.md",
+    "protocol/SCP.md",
+    "protocol/bootstrap-skill.md",
+    "plugins/sentinel-coordination-protocol/.claude-plugin/plugin.json",
+    "plugins/sentinel-coordination-protocol/skills/sentinel-coordination-protocol/SKILL.md",
+    "plugins/sentinel-coordination-protocol/README.md"
+  ].map((file) => [file, readFileSync(file, "utf8")]));
+}
+
+function parsePackOutput(output) {
+  const newlineBrace = output.lastIndexOf("\n{");
+  const jsonStart = newlineBrace !== -1 ? newlineBrace + 1 : (output.trimStart().startsWith("{") ? output.indexOf("{") : -1);
+  if (jsonStart === -1) throw new Error("pnpm pack did not return JSON metadata");
+  return JSON.parse(output.slice(jsonStart));
+}
+
+export function runVerifyPack({ pack, packageJson, publicVersionFiles, costPrivacyText, packFileTextByPath }) {
+  const packPaths = pack.files.map((file) => file.path);
+  const packFileTexts = packFileTextByPath ?? readPackFileTexts(packPaths);
+  const errors = [
+    ...validatePackageMetadata(packageJson),
+    ...validatePackFileList(packPaths),
+    ...validatePackFileContents(packFileTexts),
+    ...validatePackagedProtocolVersions(packFileTexts, packageJson.version),
+    ...findStaleVersionReferences(publicVersionFiles, packageJson.version),
+    ...validatePublicProtocolSync({
+      scpText: publicVersionFiles["protocol/SCP.md"],
+      bootstrapText: publicVersionFiles["protocol/bootstrap-skill.md"],
+      currentVersion: packageJson.version
+    }),
+    ...validatePluginSync({
+      pluginManifestText: publicVersionFiles["plugins/sentinel-coordination-protocol/.claude-plugin/plugin.json"],
+      pluginSkillText: publicVersionFiles["plugins/sentinel-coordination-protocol/skills/sentinel-coordination-protocol/SKILL.md"],
+      pluginReadmeText: publicVersionFiles["plugins/sentinel-coordination-protocol/README.md"],
+      currentVersion: packageJson.version
+    }),
+    ...validateBootstrapReadiness(publicVersionFiles["protocol/bootstrap-skill.md"]),
+    ...validateTelemetryWording(costPrivacyText)
+  ];
+
+  if (errors.length > 0) throw new Error(`Package release sync failed:\n${errors.join("\n")}`);
+  return {
+    fileCount: pack.files.length,
+    filename: pack.filename,
+    version: packageJson.version,
+    minimumCompatibleChildMcpVersion: MINIMUM_COMPATIBLE_CHILD_MCP_VERSION
+  };
+}
+
+export function main() {
+  const output = execFileSync("pnpm", ["pack", "--dry-run", "--json"], {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  const pack = parsePackOutput(output);
+  const packageJson = JSON.parse(readFileSync("package.json", "utf8"));
+  const publicVersionFiles = readPublicVersionFiles();
+  const costPrivacyText = readFileSync("docs/reference/cost-and-privacy.md", "utf8");
+  const result = runVerifyPack({ pack, packageJson, publicVersionFiles, costPrivacyText });
+
+  console.log(`Package smoke PASS: ${result.fileCount} files included in ${result.filename}`);
+  console.log(`Release sync PASS: public version ${result.version}; minimum compatible child MCP ${result.minimumCompatibleChildMcpVersion}`);
+}
+
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href) {
+  main();
+}

package/templates/dev-slice-template.md

@@ -0,0 +1,56 @@
+# DEV Slice Template
+
+Use this as a public starter template. Replace every placeholder before launch.
+
+## Goal
+
+- Task: `<what to build or change>`
+- Owner: `<DEV role slot or agent>`
+- PM contact: `<PM role slot or human>`
+
+## Scope
+
+- Write-allowed files:
+  - `<path>`
+- Read-only context:
+  - `<path or doc>`
+- Out of scope:
+  - `<explicit non-goals>`
+
+## Requirements
+
+- Functional acceptance criteria:
+  - `<criterion 1>`
+  - `<criterion 2>`
+- User-defined criteria:
+  - `<project-specific criterion>`
+
+## Verification
+
+- Required commands:
+  - `<command>` -> expected `<result>`
+- Manual checks:
+  - `<check>`
+
+## DEV Report
+
+Return:
+
+- files changed
+- summary of implementation
+- verification commands and results
+- unmet criteria or blockers
+- risks for QA/integration
+
+## Boundaries
+
+DEV implements only the assigned scope and does not QA-accept its own work.
+
+## Minimal Filled Example
+
+- Task: `Update one README paragraph to clarify install steps`
+- Owner: `B/DEV-1`
+- Write-allowed files: `README.md`
+- Out of scope: `package code, release scripts, unrelated docs`
+- Required command: `pnpm test` -> expected `passes`
+- DEV report: `changed README.md; tests passed or blocker reported`