@chllming/wave-orchestration 0.9.0 → 0.9.2

package/scripts/wave-orchestrator/corridor.mjs

@@ -0,0 +1,363 @@
+import fs from "node:fs";
+import path from "node:path";
+import {
+  DEFAULT_CORRIDOR_BASE_URL,
+  DEFAULT_CORRIDOR_SEVERITY_THRESHOLD,
+  DEFAULT_WAVE_CONTROL_ENDPOINT,
+} from "./config.mjs";
+import { writeJsonAtomic, readJsonOrNull } from "./shared.mjs";
+import {
+  isDefaultWaveControlEndpoint,
+  readJsonResponse,
+  resolveWaveControlAuthToken,
+} from "./provider-runtime.mjs";
+import {
+  isContEvalImplementationOwningAgent,
+  isDesignAgent,
+  isSecurityReviewAgent,
+} from "./role-helpers.mjs";
+
+const SEVERITY_RANK = {
+  low: 1,
+  medium: 2,
+  high: 3,
+  critical: 4,
+};
+
+function normalizeOwnedPath(value) {
+  return String(value || "").trim().replaceAll("\\", "/").replace(/\/+$/, "");
+}
+
+function isRelevantOwnedPath(value) {
+  const normalized = normalizeOwnedPath(value);
+  if (!normalized || normalized.startsWith(".tmp/")) {
+    return false;
+  }
+  if (normalized.startsWith("docs/")) {
+    return false;
+  }
+  return !/\.(?:md|txt)$/i.test(normalized);
+}
+
+function matchesOwnedPath(findingPath, ownedPath) {
+  const normalizedFinding = normalizeOwnedPath(findingPath);
+  const normalizedOwned = normalizeOwnedPath(ownedPath);
+  if (!normalizedFinding || !normalizedOwned) {
+    return false;
+  }
+  return normalizedFinding === normalizedOwned || normalizedFinding.startsWith(`${normalizedOwned}/`);
+}
+
+function shouldIncludeImplementationOwnedPaths(agent, lanePaths = {}) {
+  if (!agent || isSecurityReviewAgent(agent) || isDesignAgent(agent)) {
+    return false;
+  }
+  if (agent.agentId === lanePaths.contQaAgentId || agent.agentId === lanePaths.documentationAgentId) {
+    return false;
+  }
+  if (agent.agentId === lanePaths.integrationAgentId) {
+    return false;
+  }
+  if (agent.agentId === lanePaths.contEvalAgentId) {
+    return isContEvalImplementationOwningAgent(agent, {
+      contEvalAgentId: lanePaths.contEvalAgentId,
+    });
+  }
+  return true;
+}
+
+export function waveCorridorContextPath(lanePaths, waveNumber) {
+  return path.join(lanePaths.securityDir, `wave-${waveNumber}-corridor.json`);
+}
+
+export function readWaveCorridorContext(lanePaths, waveNumber) {
+  return readJsonOrNull(waveCorridorContextPath(lanePaths, waveNumber));
+}
+
+function corridorArtifactBase({ lanePaths, wave, ownedPaths, providerMode, source }) {
+  return {
+    schemaVersion: 1,
+    wave,
+    lane: lanePaths.lane,
+    projectId: lanePaths.project,
+    providerMode,
+    source,
+    requiredAtClosure: lanePaths.externalProviders?.corridor?.requiredAtClosure !== false,
+    severityThreshold:
+      lanePaths.externalProviders?.corridor?.severityThreshold || DEFAULT_CORRIDOR_SEVERITY_THRESHOLD,
+    fetchedAt: new Date().toISOString(),
+    relevantOwnedPaths: ownedPaths,
+  };
+}
+
+function summarizeCorridorPayload(base, guardrails, findings) {
+  const thresholdRank = SEVERITY_RANK[String(base.severityThreshold || "critical").toLowerCase()] || 4;
+  const matchedFindings = (Array.isArray(findings) ? findings : [])
+    .map((finding) => {
+      const matchedOwnedPaths = base.relevantOwnedPaths.filter((ownedPath) =>
+        matchesOwnedPath(finding.affectedFile, ownedPath),
+      );
+      if (matchedOwnedPaths.length === 0) {
+        return null;
+      }
+      return {
+        id: finding.id || null,
+        title: finding.title || null,
+        affectedFile: finding.affectedFile || null,
+        cwe: finding.cwe || null,
+        severity: finding.severity || null,
+        state: finding.state || null,
+        createdAt: finding.createdAt || null,
+        matchedOwnedPaths,
+      };
+    })
+    .filter(Boolean);
+  const blockingFindings = matchedFindings.filter((finding) => {
+    const rank = SEVERITY_RANK[String(finding.severity || "").toLowerCase()] || 0;
+    return rank >= thresholdRank;
+  });
+  return {
+    ...base,
+    ok: true,
+    guardrails: Array.isArray(guardrails?.reports) ? guardrails.reports : [],
+    matchedFindings,
+    blockingFindings,
+    blocking: blockingFindings.length > 0,
+    error: null,
+  };
+}
+
+function failureCorridorPayload(base, error) {
+  return {
+    ...base,
+    ok: false,
+    guardrails: [],
+    matchedFindings: [],
+    blockingFindings: [],
+    blocking: base.requiredAtClosure === true,
+    error: error instanceof Error ? error.message : String(error),
+  };
+}
+
+async function requestCorridorJson(fetchImpl, url, token) {
+  const response = await fetchImpl(url, {
+    method: "GET",
+    headers: {
+      authorization: `Bearer ${token}`,
+      accept: "application/json",
+    },
+    signal: AbortSignal.timeout(10000),
+  });
+  if (!response.ok) {
+    const payload = await readJsonResponse(response, null);
+    throw new Error(
+      `Corridor request failed (${response.status}): ${payload?.error || payload?.message || response.statusText || "unknown error"}`,
+    );
+  }
+  return response.json();
+}
+
+async function listCorridorFindings(fetchImpl, baseUrl, projectId, token, findingStates) {
+  const findings = [];
+  const states = findingStates.size > 0 ? [...findingStates] : [null];
+  for (const state of states) {
+    let nextUrl = new URL(`${baseUrl}/projects/${projectId}/findings`);
+    if (state) {
+      nextUrl.searchParams.set("state", state);
+    }
+    let pages = 0;
+    while (nextUrl && pages < 10) {
+      const payload = await requestCorridorJson(fetchImpl, nextUrl, token);
+      if (Array.isArray(payload)) {
+        findings.push(...payload);
+        break;
+      }
+      const items = Array.isArray(payload?.items)
+        ? payload.items
+        : Array.isArray(payload?.findings)
+          ? payload.findings
+          : Array.isArray(payload?.data)
+            ? payload.data
+            : [];
+      findings.push(...items);
+      if (payload?.nextPageUrl) {
+        nextUrl = new URL(payload.nextPageUrl);
+      } else if (payload?.nextCursor) {
+        nextUrl = new URL(`${baseUrl}/projects/${projectId}/findings`);
+        if (state) {
+          nextUrl.searchParams.set("state", state);
+        }
+        nextUrl.searchParams.set("cursor", String(payload.nextCursor));
+      } else if (payload?.page && payload?.totalPages && Number(payload.page) < Number(payload.totalPages)) {
+        nextUrl = new URL(`${baseUrl}/projects/${projectId}/findings`);
+        if (state) {
+          nextUrl.searchParams.set("state", state);
+        }
+        nextUrl.searchParams.set("page", String(Number(payload.page) + 1));
+      } else {
+        nextUrl = null;
+      }
+      pages += 1;
+    }
+  }
+  return findings;
+}
+
+async function fetchCorridorDirect(fetchImpl, lanePaths, ownedPaths) {
+  const corridor = lanePaths.externalProviders?.corridor || {};
+  const token =
+    process.env[corridor.apiTokenEnvVar || "CORRIDOR_API_TOKEN"] ||
+    process.env[corridor.apiKeyFallbackEnvVar || "CORRIDOR_API_KEY"] ||
+    "";
+  if (!token) {
+    throw new Error(
+      `Corridor token is missing; set ${corridor.apiTokenEnvVar || "CORRIDOR_API_TOKEN"} or ${corridor.apiKeyFallbackEnvVar || "CORRIDOR_API_KEY"}.`,
+    );
+  }
+  const baseUrl = String(corridor.baseUrl || DEFAULT_CORRIDOR_BASE_URL).replace(/\/$/, "");
+  const findingStates = new Set((corridor.findingStates || []).map((state) => String(state).trim().toLowerCase()));
+  const [guardrails, findings] = await Promise.all([
+    requestCorridorJson(fetchImpl, `${baseUrl}/projects/${corridor.projectId}/reports`, token),
+    listCorridorFindings(fetchImpl, baseUrl, corridor.projectId, token, findingStates),
+  ]);
+  const filteredFindings = (Array.isArray(findings) ? findings : []).filter((finding) =>
+    findingStates.size === 0 || findingStates.has(String(finding.state || "").trim().toLowerCase()),
+  );
+  return summarizeCorridorPayload(
+    corridorArtifactBase({
+      lanePaths,
+      wave: null,
+      ownedPaths,
+      providerMode: "direct",
+      source: "corridor-api",
+    }),
+    guardrails,
+    filteredFindings,
+  );
+}
+
+async function fetchCorridorBroker(fetchImpl, lanePaths, waveNumber, ownedPaths) {
+  const waveControl = lanePaths.waveControl || {};
+  const endpoint = String(waveControl.endpoint || DEFAULT_WAVE_CONTROL_ENDPOINT).trim();
+  if (!endpoint || isDefaultWaveControlEndpoint(endpoint)) {
+    throw new Error("Corridor broker mode requires an owned Wave Control endpoint.");
+  }
+  const authToken = resolveWaveControlAuthToken(waveControl);
+  if (!authToken) {
+    throw new Error("WAVE_API_TOKEN is not set; Corridor broker mode is unavailable.");
+  }
+  const response = await fetchImpl(`${endpoint.replace(/\/$/, "")}/providers/corridor/context`, {
+    method: "POST",
+    headers: {
+      authorization: `Bearer ${authToken}`,
+      "content-type": "application/json",
+      accept: "application/json",
+    },
+    body: JSON.stringify({
+      projectId: lanePaths.project,
+      wave: waveNumber,
+      ownedPaths,
+      severityThreshold:
+        lanePaths.externalProviders?.corridor?.severityThreshold || DEFAULT_CORRIDOR_SEVERITY_THRESHOLD,
+      findingStates: lanePaths.externalProviders?.corridor?.findingStates || [],
+    }),
+  });
+  if (!response.ok) {
+    const payload = await readJsonResponse(response, null);
+    throw new Error(
+      `Corridor broker request failed (${response.status}): ${payload?.error || payload?.message || response.statusText || "unknown error"}`,
+    );
+  }
+  return response.json();
+}
+
+export async function materializeWaveCorridorContext(
+  lanePaths,
+  waveDefinition,
+  {
+    fetchImpl = globalThis.fetch,
+  } = {},
+) {
+  const corridor = lanePaths.externalProviders?.corridor || {};
+  const waveNumber = waveDefinition?.wave ?? 0;
+  const artifactPath = waveCorridorContextPath(lanePaths, waveNumber);
+  if (!corridor.enabled) {
+    return null;
+  }
+  const ownedPaths = (Array.isArray(waveDefinition?.agents) ? waveDefinition.agents : [])
+    .filter((agent) => shouldIncludeImplementationOwnedPaths(agent, lanePaths))
+    .flatMap((agent) => (Array.isArray(agent.ownedPaths) ? agent.ownedPaths : []))
+    .map(normalizeOwnedPath)
+    .filter(isRelevantOwnedPath);
+  const base = corridorArtifactBase({
+    lanePaths,
+    wave: waveNumber,
+    ownedPaths,
+    providerMode: corridor.mode || "direct",
+    source: null,
+  });
+  if (ownedPaths.length === 0) {
+    const payload = {
+      ...base,
+      ok: true,
+      guardrails: [],
+      matchedFindings: [],
+      blockingFindings: [],
+      blocking: false,
+      error: null,
+      detail: "No implementation-owned paths were eligible for Corridor matching in this wave.",
+    };
+    writeJsonAtomic(artifactPath, payload);
+    return payload;
+  }
+  try {
+    let payload;
+    if (corridor.mode === "broker") {
+      payload = await fetchCorridorBroker(fetchImpl, lanePaths, waveNumber, ownedPaths);
+    } else if (corridor.mode === "hybrid") {
+      try {
+        payload = await fetchCorridorBroker(fetchImpl, lanePaths, waveNumber, ownedPaths);
+      } catch {
+        payload = await fetchCorridorDirect(fetchImpl, lanePaths, ownedPaths);
+      }
+    } else {
+      payload = await fetchCorridorDirect(fetchImpl, lanePaths, ownedPaths);
+    }
+    const mergedPayload = {
+      ...base,
+      ...payload,
+      wave: waveNumber,
+      lane: lanePaths.lane,
+      projectId: lanePaths.project,
+      relevantOwnedPaths: ownedPaths,
+      requiredAtClosure: corridor.requiredAtClosure !== false,
+    };
+    writeJsonAtomic(artifactPath, mergedPayload);
+    return mergedPayload;
+  } catch (error) {
+    const payload = failureCorridorPayload(base, error);
+    writeJsonAtomic(artifactPath, payload);
+    return payload;
+  }
+}
+
+export function renderCorridorPromptContext(corridorContext) {
+  if (!corridorContext || corridorContext.ok !== true) {
+    if (corridorContext?.error) {
+      return `Corridor provider fetch failed: ${corridorContext.error}`;
+    }
+    return "";
+  }
+  const lines = [
+    `Corridor source: ${corridorContext.source || corridorContext.providerMode || "unknown"}`,
+    `Corridor blocking: ${corridorContext.blocking ? "yes" : "no"}`,
+    `Corridor threshold: ${corridorContext.severityThreshold || DEFAULT_CORRIDOR_SEVERITY_THRESHOLD}`,
+    `Corridor matched findings: ${(corridorContext.matchedFindings || []).length}`,
+  ];
+  for (const finding of (corridorContext.blockingFindings || []).slice(0, 5)) {
+    lines.push(
+      `- ${finding.severity || "unknown"} ${finding.affectedFile || "unknown-file"}: ${finding.title || "finding"}`
+    );
+  }
+  return lines.join("\n");
+}

package/scripts/wave-orchestrator/dashboard-renderer.mjs

@@ -1,4 +1,3 @@
-import { spawnSync } from "node:child_process";
 import fs from "node:fs";
 import path from "node:path";
 import { loadWaveConfig } from "./config.mjs";
@@ -14,6 +13,7 @@ import {
   formatAgeFromTimestamp,
   formatElapsed,
   pad,
+  readJsonOrNull,
   sleep,
   truncate,
 } from "./shared.mjs";
@@ -21,6 +21,10 @@ import {
   createCurrentWaveDashboardTerminalEntry,
   createGlobalDashboardTerminalEntry,
 } from "./terminals.mjs";
+import {
+  attachSession as attachTmuxSession,
+  hasSession as hasTmuxSession,
+} from "./tmux-adapter.mjs";
 
 const DASHBOARD_ATTACH_TARGETS = ["current", "global"];
 
@@ -78,30 +82,7 @@ export function parseDashboardArgs(argv) {
   return { help: false, options };
 }
 
-function tmuxSessionExists(socketName, sessionName) {
-  const result = spawnSync("tmux", ["-L", socketName, "has-session", "-t", sessionName], {
-    cwd: REPO_ROOT,
-    encoding: "utf8",
-    env: { ...process.env, TMUX: "" },
-  });
-  if (result.error) {
-    throw new Error(`tmux session lookup failed: ${result.error.message}`);
-  }
-  if (result.status === 0) {
-    return true;
-  }
-  const combined = `${String(result.stderr || "").toLowerCase()}\n${String(result.stdout || "").toLowerCase()}`;
-  if (
-    combined.includes("can't find session") ||
-    combined.includes("no server running") ||
-    combined.includes("error connecting")
-  ) {
-    return false;
-  }
-  throw new Error((result.stderr || result.stdout || "tmux has-session failed").trim());
-}
-
-function attachDashboardSession(project, lane, target) {
+async function attachDashboardSession(project, lane, target) {
   const config = loadWaveConfig();
   const lanePaths = buildLanePaths(lane, {
     config,
@@ -111,25 +92,112 @@ function attachDashboardSession(project, lane, target) {
     target === "global"
       ? createGlobalDashboardTerminalEntry(lanePaths, "current")
       : createCurrentWaveDashboardTerminalEntry(lanePaths);
-  if (!tmuxSessionExists(lanePaths.tmuxSocketName, entry.sessionName)) {
-    const dashboardsRel = path.relative(REPO_ROOT, path.dirname(lanePaths.globalDashboardPath));
-    throw new Error(
-      `No ${target} dashboard session is live for lane ${lanePaths.lane}. Launch a dashboarded run on that lane, then inspect ${dashboardsRel} if you need the last written dashboard state.`,
-    );
+  if (!await hasTmuxSession(lanePaths.tmuxSocketName, entry.sessionName, { allowMissingBinary: false })) {
+    const fallback = resolveDashboardAttachFallback(lanePaths, target);
+    if (fallback) {
+      return fallback;
+    }
+    throw new Error(buildMissingDashboardAttachError(lanePaths, target));
+  }
+  try {
+    await attachTmuxSession(lanePaths.tmuxSocketName, entry.sessionName);
+    return null;
+  } catch (error) {
+    if (error?.tmuxMissingSession) {
+      const fallback = resolveDashboardAttachFallback(lanePaths, target);
+      if (fallback) {
+        return fallback;
+      }
+      throw new Error(buildMissingDashboardAttachError(lanePaths, target));
+    }
+    throw error;
+  }
+}
+
+function buildMissingDashboardAttachError(lanePaths, target) {
+  const dashboardsRel = path.relative(REPO_ROOT, path.dirname(lanePaths.globalDashboardPath));
+  return `No ${target} dashboard session is live for lane ${lanePaths.lane}. Launch a dashboarded run on that lane, then inspect ${dashboardsRel} if you need the last written dashboard state.`;
+}
+
+function waveDashboardPathForNumber(lanePaths, waveNumber) {
+  if (!Number.isFinite(Number(waveNumber))) {
+    return null;
   }
-  const result = spawnSync("tmux", ["-L", lanePaths.tmuxSocketName, "attach", "-t", entry.sessionName], {
-    cwd: REPO_ROOT,
-    stdio: "inherit",
-    env: { ...process.env, TMUX: "" },
+  const candidate = path.join(lanePaths.dashboardsDir, `wave-${Number(waveNumber)}.json`);
+  return fs.existsSync(candidate) ? candidate : null;
+}
+
+function selectCurrentWaveFromGlobalDashboard(globalState) {
+  const waves = Array.isArray(globalState?.waves) ? globalState.waves : [];
+  const candidates = waves
+    .map((wave) => ({
+      waveNumber: Number.parseInt(String(wave?.wave ?? ""), 10),
+      status: String(wave?.status || "").trim().toLowerCase(),
+      updatedAt: Date.parse(
+        String(wave?.updatedAt || wave?.completedAt || wave?.startedAt || ""),
+      ),
+    }))
+    .filter((entry) => Number.isFinite(entry.waveNumber));
+  if (candidates.length === 0) {
+    return null;
+  }
+  candidates.sort((left, right) => {
+    const leftTerminal = TERMINAL_STATES.has(left.status);
+    const rightTerminal = TERMINAL_STATES.has(right.status);
+    if (leftTerminal !== rightTerminal) {
+      return leftTerminal ? 1 : -1;
+    }
+    const leftUpdatedAt = Number.isFinite(left.updatedAt) ? left.updatedAt : 0;
+    const rightUpdatedAt = Number.isFinite(right.updatedAt) ? right.updatedAt : 0;
+    if (leftUpdatedAt !== rightUpdatedAt) {
+      return rightUpdatedAt - leftUpdatedAt;
+    }
+    return right.waveNumber - left.waveNumber;
   });
-  if (result.error) {
-    throw new Error(`tmux attach failed: ${result.error.message}`);
+  return candidates[0].waveNumber;
+}
+
+export function resolveDashboardAttachFallback(lanePaths, target) {
+  if (target === "global") {
+    return fs.existsSync(lanePaths.globalDashboardPath)
+      ? { dashboardFile: lanePaths.globalDashboardPath }
+      : null;
   }
-  if (result.status !== 0) {
-    throw new Error(
-      `tmux attach exited ${result.status} for lane ${lanePaths.lane} ${target} dashboard session ${entry.sessionName}.`,
-    );
+  const globalState = readJsonOrNull(lanePaths.globalDashboardPath);
+  const preferredWaveNumber = selectCurrentWaveFromGlobalDashboard(globalState);
+  const preferredWavePath = waveDashboardPathForNumber(lanePaths, preferredWaveNumber);
+  if (preferredWavePath) {
+    return { dashboardFile: preferredWavePath };
   }
+  if (!fs.existsSync(lanePaths.dashboardsDir)) {
+    return fs.existsSync(lanePaths.globalDashboardPath)
+      ? { dashboardFile: lanePaths.globalDashboardPath }
+      : null;
+  }
+  const candidates = fs.readdirSync(lanePaths.dashboardsDir, { withFileTypes: true })
+    .filter((entry) => entry.isFile())
+    .map((entry) => ({
+      filePath: path.join(lanePaths.dashboardsDir, entry.name),
+      match: entry.name.match(/^wave-(\d+)\.json$/),
+    }))
+    .filter((entry) => entry.match)
+    .map((entry) => ({
+      dashboardFile: entry.filePath,
+      waveNumber: Number.parseInt(entry.match[1], 10),
+      mtimeMs: fs.statSync(entry.filePath).mtimeMs,
+    }))
+    .sort((left, right) => {
+      if (left.mtimeMs !== right.mtimeMs) {
+        return right.mtimeMs - left.mtimeMs;
+      }
+      return right.waveNumber - left.waveNumber;
+    });
+  if (candidates.length > 0) {
+    return { dashboardFile: candidates[0].dashboardFile };
+  }
+  return fs.existsSync(lanePaths.globalDashboardPath)
+    ? { dashboardFile: lanePaths.globalDashboardPath }
+    : null;
 }
 
 function readMessageBoardTail(messageBoardPath, maxLines = 24) {
@@ -460,7 +528,7 @@ Options:
   --dashboard-file <path>  Path to wave/global dashboard JSON
   --message-board <path>   Optional message board path override
   --attach <current|global>
-                          Attach to the stable tmux-backed dashboard session for the lane
+                          Attach to the stable dashboard session for the lane, or follow the last written dashboard file when no live session exists
   --watch                  Refresh continuously
   --refresh-ms <n>         Refresh interval in ms (default: ${DEFAULT_REFRESH_MS})
 `);
@@ -468,8 +536,12 @@ Options:
   }
 
   if (options.attach) {
-    attachDashboardSession(options.project, options.lane, options.attach);
-    return;
+    const fallback = await attachDashboardSession(options.project, options.lane, options.attach);
+    if (!fallback) {
+      return;
+    }
+    options.dashboardFile = fallback.dashboardFile;
+    options.watch = true;
   }
 
   let terminalStateReachedAt = null;

package/scripts/wave-orchestrator/derived-state-engine.mjs

@@ -26,7 +26,7 @@ import { deriveWaveLedger, readWaveLedger } from "./ledger.mjs";
 import { buildDocsQueue, readDocsQueue } from "./docs-queue.mjs";
 import { parseStructuredSignalsFromLog } from "./dashboard-state.mjs";
 import {
-  isSecurityReviewAgent,
+  isSecurityReviewAgentForLane,
   resolveSecurityReviewReportPath,
   isContEvalImplementationOwningAgent,
   resolveWaveRoleBindings,
@@ -47,6 +47,10 @@ import {
   describeContext7Libraries,
   loadContext7BundleIndex,
 } from "./context7.mjs";
+import {
+  readWaveCorridorContext,
+  waveCorridorContextPath,
+} from "./corridor.mjs";
 
 export function waveCoordinationLogPath(lanePaths, waveNumber) {
   return path.join(lanePaths.coordinationDir, `wave-${waveNumber}.jsonl`);
@@ -212,9 +216,12 @@ export function buildWaveSecuritySummary({
   wave,
   attempt,
   summariesByAgentId = {},
+  corridorSummary = null,
 }) {
   const createdAt = toIsoTimestamp();
-  const securityAgents = (wave.agents || []).filter((agent) => isSecurityReviewAgent(agent));
+  const securityAgents = (wave.agents || []).filter((agent) =>
+    isSecurityReviewAgentForLane(agent, lanePaths),
+  );
   if (securityAgents.length === 0) {
     return {
       wave: wave.wave,
@@ -273,7 +280,9 @@ export function buildWaveSecuritySummary({
   const totalFindings = agents.reduce((sum, entry) => sum + (entry.findings || 0), 0);
   const totalApprovals = agents.reduce((sum, entry) => sum + (entry.approvals || 0), 0);
   const detail =
-    overallState === "blocked"
+    corridorSummary?.blocking
+      ? `Corridor matched blocking findings for implementation-owned paths.`
+      : overallState === "blocked"
       ? `Security review blocked by ${blockedAgentIds.join(", ")}.`
       : overallState === "pending"
         ? `Security review output is incomplete for ${pendingAgentIds.join(", ")}.`
@@ -290,6 +299,17 @@ export function buildWaveSecuritySummary({
     concernAgentIds,
     blockedAgentIds,
     detail,
+    corridor: corridorSummary
+      ? {
+          ok: corridorSummary.ok === true,
+          providerMode: corridorSummary.providerMode || null,
+          source: corridorSummary.source || null,
+          blocking: corridorSummary.blocking === true,
+          blockingFindings: corridorSummary.blockingFindings || [],
+          matchedFindings: corridorSummary.matchedFindings || [],
+          error: corridorSummary.error || null,
+        }
+      : null,
     agents,
     createdAt,
     updatedAt: createdAt,
@@ -377,7 +397,7 @@ function buildIntegrationEvidence({
       isContEvalImplementationOwningAgent(agent, {
         contEvalAgentId: roleBindings.contEvalAgentId,
       });
-    if (isSecurityReviewAgent(agent)) {
+    if (isSecurityReviewAgentForLane(agent, lanePaths)) {
       continue;
     }
     if (agent.agentId === roleBindings.contEvalAgentId) {
@@ -490,6 +510,15 @@ function buildIntegrationEvidence({
       );
     }
   }
+  for (const finding of securitySummary?.corridor?.matchedFindings || []) {
+    securityFindingEntries.push(
+      summarizeGap(
+        "corridor",
+        `${finding.severity || "unknown"} ${finding.affectedFile || "unknown-file"}: ${finding.title || "finding"}`,
+        "Corridor matched a relevant finding.",
+      ),
+    );
+  }
 
   return {
     openClaims: uniqueStringEntries(openClaims),
@@ -506,6 +535,13 @@ function buildIntegrationEvidence({
     securityState: securitySummary?.overallState || "not-applicable",
     securityFindings: uniqueStringEntries(securityFindingEntries),
     securityApprovals: uniqueStringEntries(securityApprovalEntries),
+    corridorState: securitySummary?.corridor?.blocking
+      ? "blocked"
+      : securitySummary?.corridor?.ok === false
+        ? "error"
+        : securitySummary?.corridor
+          ? "clear"
+          : "not-configured",
   };
 }
 
@@ -681,6 +717,7 @@ export function buildWaveDerivedState({
     wave,
     attempt,
     summariesByAgentId,
+    corridorSummary: readWaveCorridorContext(lanePaths, wave.wave),
   });
   const integrationSummary = buildWaveIntegrationSummary({
     lanePaths,
@@ -710,6 +747,7 @@ export function buildWaveDerivedState({
     benchmarkCatalogPath: lanePaths.laneProfile?.paths?.benchmarkCatalogPath,
     capabilityAssignments,
     dependencySnapshot,
+    securityRolePromptPath: lanePaths.securityRolePromptPath,
   });
   const inboxDir = waveInboxDir(lanePaths, wave.wave);
   const sharedSummary = compileSharedSummary({
@@ -759,6 +797,8 @@ export function buildWaveDerivedState({
     dependencySnapshotMarkdownPath: waveDependencySnapshotMarkdownPath(lanePaths, wave.wave),
     securitySummary,
     securitySummaryPath: waveSecurityPath(lanePaths, wave.wave),
+    corridorSummary: readWaveCorridorContext(lanePaths, wave.wave),
+    corridorSummaryPath: waveCorridorContextPath(lanePaths, wave.wave),
     integrationSummary,
     integrationSummaryPath: waveIntegrationPath(lanePaths, wave.wave),
     integrationMarkdownPath: waveIntegrationMarkdownPath(lanePaths, wave.wave),