@chllming/wave-orchestration 0.9.0 → 0.9.2

package/scripts/wave-orchestrator/closure-engine.mjs

@@ -1,4 +1,5 @@
 import path from "node:path";
+import { appendCoordinationRecord } from "./coordination-store.mjs";
 import {
   parseStructuredSignalsFromLog,
   refreshWaveDashboardAgentStates,
@@ -14,8 +15,13 @@ import {
   readWaveIntegrationBarrier as readWaveIntegrationBarrierDefault,
   readWaveSecurityGate as readWaveSecurityGateDefault,
 } from "./gate-engine.mjs";
+import { applyLaunchResultToRun } from "./launcher-runtime.mjs";
 import { REPO_ROOT, toIsoTimestamp } from "./shared.mjs";
-import { isSecurityReviewAgent, resolveWaveRoleBindings } from "./role-helpers.mjs";
+import {
+  isSecurityReviewAgentForLane,
+  resolveAgentClosureRoleKeys,
+  resolveWaveRoleBindings,
+} from "./role-helpers.mjs";
 import { summarizeResolvedSkills } from "./skills.mjs";
 
 function failureResultFromGate(gate, fallbackLogPath) {
@@ -57,6 +63,64 @@ function recordClosureGateFailure({
   });
 }
 
+function isForwardableClosureGap(gate) {
+  return gate?.statusCode === "wave-proof-gap";
+}
+
+function forwardedClosureGapRecord({
+  stage,
+  wave,
+  lanePaths,
+  gate,
+  attempt,
+  targetAgentIds = [],
+}) {
+  return {
+    id: `wave-${wave.wave}-closure-gap-${stage.key}-${gate.agentId}-attempt-${attempt || 1}`,
+    kind: "blocker",
+    lane: lanePaths.lane,
+    wave: wave.wave,
+    agentId: gate.agentId,
+    status: "open",
+    priority: "high",
+    blocking: true,
+    blockerSeverity: "closure-critical",
+    summary: `${stage.label} reported a proof gap and was forwarded to later closure stages.`,
+    detail: gate.detail,
+    artifactRefs: gate.logPath ? [gate.logPath] : [],
+    targets: targetAgentIds.map((agentId) => `agent:${agentId}`),
+    attempt: attempt || 1,
+  };
+}
+
+function stageRequiresRun(stage, wave, lanePaths) {
+  switch (stage.key) {
+    case "integration":
+    case "documentation":
+    case "cont-qa":
+      return true;
+    case "cont-eval":
+      return Array.isArray(wave?.agents) && wave.agents.some((agent) => agent?.agentId === stage.agentId);
+    case "security-review":
+      return (
+        Array.isArray(wave?.agents) &&
+        wave.agents.some((agent) => isSecurityReviewAgentForLane(agent, lanePaths))
+      );
+    default:
+      return false;
+  }
+}
+
+function missingClosureRunGate(stage) {
+  return {
+    ok: false,
+    agentId: stage.agentId,
+    statusCode: "missing-closure-run",
+    detail: `${stage.label} is required for this wave but no matching closure run was provided.`,
+    logPath: null,
+  };
+}
+
 export async function runClosureSweepPhase({
   lanePaths,
   wave,
@@ -113,10 +177,24 @@ export async function runClosureSweepPhase({
       ? readWaveContQaGateFn
       : readWaveContQaGateDefault;
   const stagedRuns = planClosureStages({ lanePaths, wave, closureRuns });
+  const forwardedFailures = [];
   const { contQaAgentId, contEvalAgentId, integrationAgentId, documentationAgentId } =
     resolveWaveRoleBindings(wave, lanePaths);
-  for (const stage of stagedRuns) {
+  for (const [stageIndex, stage] of stagedRuns.entries()) {
     if (stage.runs.length === 0) {
+      if (stageRequiresRun(stage, wave, lanePaths)) {
+        const gate = missingClosureRunGate(stage);
+        recordClosureGateFailure({
+          wave,
+          lanePaths,
+          gate,
+          label: stage.label,
+          recordCombinedEvent,
+          appendCoordination,
+          actionRequested: stage.actionRequested,
+        });
+        return failureResultFromGate(gate, null);
+      }
       continue;
     }
     for (const runInfo of stage.runs) {
@@ -138,6 +216,7 @@ export async function runClosureSweepPhase({
         promptPath: runInfo.promptPath,
         logPath: runInfo.logPath,
         statusPath: runInfo.statusPath,
+        runtimePath: runInfo.runtimePath,
         messageBoardPath: runInfo.messageBoardPath,
         messageBoardSnapshot: runInfo.messageBoardSnapshot || "",
         sharedSummaryPath: runInfo.sharedSummaryPath,
@@ -157,19 +236,18 @@ export async function runClosureSweepPhase({
           attempt: dashboardState?.attempt || 1,
         },
       });
-      runInfo.lastLaunchAttempt = dashboardState?.attempt || null;
-      runInfo.lastPromptHash = launchResult?.promptHash || null;
-      runInfo.lastContext7 = launchResult?.context7 || null;
-      runInfo.lastExecutorId = launchResult?.executorId || runInfo.agent.executorResolved?.id || null;
-      runInfo.lastSkillProjection =
-        launchResult?.skills || summarizeResolvedSkills(runInfo.agent.skillsResolved);
+      applyLaunchResultToRun(runInfo, launchResult, {
+        attempt: dashboardState?.attempt || null,
+        fallbackExecutorId: runInfo.agent.executorResolved?.id || null,
+        fallbackSkills: summarizeResolvedSkills(runInfo.agent.skillsResolved),
+      });
       setWaveDashboardAgent(dashboardState, runInfo.agent.agentId, {
         state: "running",
         detail: `Closure sweep launched${launchResult?.context7?.mode ? ` (${launchResult.context7.mode})` : ""}`,
       });
       recordCombinedEvent({
         agentId: runInfo.agent.agentId,
-        message: `Closure sweep launched in tmux session ${runInfo.sessionName}`,
+        message: `Closure sweep launched via ${launchResult?.sessionBackend || "process"} backend`,
       });
       flushDashboards();
       const result = await waitForWaveCompletionFn(
@@ -228,6 +306,43 @@ export async function runClosureSweepPhase({
       contQaAgentId,
     });
     if (!gate.ok) {
+      if (isForwardableClosureGap(gate)) {
+        const targetAgentIds = stagedRuns
+          .slice(stageIndex + 1)
+          .flatMap((candidate) => candidate.runs.map((run) => run.agent.agentId))
+          .filter(Boolean);
+        forwardedFailures.push({
+          agentId: gate.agentId,
+          statusCode: gate.statusCode,
+          logPath: gate.logPath || (stage.runs[0]?.logPath ? path.relative(REPO_ROOT, stage.runs[0].logPath) : null),
+          detail: gate.detail,
+        });
+        appendCoordinationRecord(
+          coordinationLogPath,
+          forwardedClosureGapRecord({
+            stage,
+            wave,
+            lanePaths,
+            gate,
+            attempt: dashboardState?.attempt || 1,
+            targetAgentIds,
+          }),
+        );
+        recordCombinedEvent({
+          level: "warn",
+          agentId: gate.agentId,
+          message: `${stage.label} reported a proof gap; continuing later closure stages with the gap as input.`,
+        });
+        appendCoordination({
+          event: "closure_gap_forwarded",
+          waves: [wave.wave],
+          status: "blocked",
+          details: `agent=${gate.agentId}; reason=${gate.statusCode}; ${gate.detail}`,
+          actionRequested: `Lane ${lanePaths.lane} owners should resolve the forwarded closure proof gap after downstream closure evidence is collected.`,
+        });
+        refreshDerivedState?.(dashboardState?.attempt || 0);
+        continue;
+      }
       recordClosureGateFailure({
         wave,
         lanePaths,
@@ -243,18 +358,21 @@ export async function runClosureSweepPhase({
       );
     }
   }
-  return { failures: [], timedOut: false };
+  return { failures: forwardedFailures, timedOut: false };
 }
 
 export function planClosureStages({ lanePaths, wave, closureRuns }) {
+  const roleBindings = resolveWaveRoleBindings(wave, lanePaths);
   const { contQaAgentId, contEvalAgentId, integrationAgentId, documentationAgentId } =
-    resolveWaveRoleBindings(wave, lanePaths);
+    roleBindings;
+  const runHasRole = (run, roleKey) =>
+    resolveAgentClosureRoleKeys(run.agent, roleBindings, lanePaths).includes(roleKey);
   return [
     {
       key: "cont-eval",
       agentId: contEvalAgentId,
       label: "cont-EVAL gate",
-      runs: closureRuns.filter((run) => run.agent.agentId === contEvalAgentId),
+      runs: closureRuns.filter((run) => runHasRole(run, "cont-eval")),
       actionRequested:
         `Lane ${lanePaths.lane} owners should resolve cont-EVAL tuning gaps before integration closure.`,
     },
@@ -262,7 +380,7 @@ export function planClosureStages({ lanePaths, wave, closureRuns }) {
       key: "security-review",
       agentId: "security",
       label: "Security review",
-      runs: closureRuns.filter((run) => isSecurityReviewAgent(run.agent)),
+      runs: closureRuns.filter((run) => runHasRole(run, "security-review")),
       actionRequested:
         `Lane ${lanePaths.lane} owners should resolve blocked security findings or missing approvals before integration closure.`,
     },
@@ -270,7 +388,7 @@ export function planClosureStages({ lanePaths, wave, closureRuns }) {
       key: "integration",
       agentId: integrationAgentId,
       label: "Integration gate",
-      runs: closureRuns.filter((run) => run.agent.agentId === integrationAgentId),
+      runs: closureRuns.filter((run) => runHasRole(run, "integration")),
       actionRequested:
         `Lane ${lanePaths.lane} owners should resolve integration contradictions or blockers before documentation and cont-QA closure.`,
     },
@@ -278,7 +396,7 @@ export function planClosureStages({ lanePaths, wave, closureRuns }) {
       key: "documentation",
       agentId: documentationAgentId,
       label: "Documentation closure",
-      runs: closureRuns.filter((run) => run.agent.agentId === documentationAgentId),
+      runs: closureRuns.filter((run) => runHasRole(run, "documentation")),
       actionRequested:
         `Lane ${lanePaths.lane} owners should resolve the shared-plan or component-matrix closure state before cont-QA progression.`,
     },
@@ -286,7 +404,7 @@ export function planClosureStages({ lanePaths, wave, closureRuns }) {
       key: "cont-qa",
       agentId: contQaAgentId,
       label: "cont-QA gate",
-      runs: closureRuns.filter((run) => run.agent.agentId === contQaAgentId),
+      runs: closureRuns.filter((run) => runHasRole(run, "cont-qa")),
       actionRequested:
         `Lane ${lanePaths.lane} owners should resolve the cont-QA gate before wave progression.`,
     },
@@ -320,7 +438,10 @@ function evaluateClosureStage({
         benchmarkCatalogPath: lanePaths.laneProfile?.paths?.benchmarkCatalogPath,
       });
     case "security-review":
-      return readWaveSecurityGateFn(wave, closureRuns, { mode: "live" });
+      return readWaveSecurityGateFn(wave, closureRuns, {
+        mode: "live",
+        securityRolePromptPath: lanePaths?.securityRolePromptPath,
+      });
     case "integration":
       return readWaveIntegrationBarrierFn(
         wave,

package/scripts/wave-orchestrator/config.mjs

@@ -73,12 +73,22 @@ export const DEFAULT_CODEX_SANDBOX_MODE = "danger-full-access";
 export const CODEX_SANDBOX_MODES = ["read-only", "workspace-write", "danger-full-access"];
 export const DEFAULT_CLAUDE_COMMAND = "claude";
 export const DEFAULT_OPENCODE_COMMAND = "opencode";
-export const DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR = "WAVE_CONTROL_AUTH_TOKEN";
+export const DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR = "WAVE_API_TOKEN";
+export const LEGACY_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR = "WAVE_CONTROL_AUTH_TOKEN";
 export const DEFAULT_WAVE_CONTROL_ENDPOINT = "https://wave-control.up.railway.app/api/v1";
 export const DEFAULT_WAVE_CONTROL_REPORT_MODE = "metadata-only";
 export const DEFAULT_WAVE_CONTROL_REQUEST_TIMEOUT_MS = 5000;
 export const DEFAULT_WAVE_CONTROL_FLUSH_BATCH_SIZE = 25;
 export const DEFAULT_WAVE_CONTROL_MAX_PENDING_EVENTS = 1000;
+export const WAVE_CONTROL_RUNTIME_CREDENTIAL_PROVIDERS = ["anthropic", "openai"];
+export const EXTERNAL_PROVIDER_MODES = ["direct", "broker", "hybrid"];
+export const DEFAULT_CONTEXT7_API_KEY_ENV_VAR = "CONTEXT7_API_KEY";
+export const DEFAULT_CORRIDOR_API_TOKEN_ENV_VAR = "CORRIDOR_API_TOKEN";
+export const DEFAULT_CORRIDOR_API_KEY_FALLBACK_ENV_VAR = "CORRIDOR_API_KEY";
+export const DEFAULT_CORRIDOR_BASE_URL = "https://app.corridor.dev/api";
+export const DEFAULT_CORRIDOR_SEVERITY_THRESHOLD = "critical";
+export const DEFAULT_CORRIDOR_FINDING_STATES = ["open", "potential"];
+export const CORRIDOR_SEVERITY_LEVELS = ["low", "medium", "high", "critical"];
 export const DEFAULT_WAVE_CONTROL_SELECTED_ARTIFACT_KINDS = [
   "trace-run-metadata",
   "trace-quality",
@@ -295,6 +305,103 @@ function normalizeOptionalJsonObject(value, label) {
   throw new Error(`${label} must be a JSON object`);
 }
 
+function normalizeExternalProviderMode(value, label, fallback = "direct") {
+  const normalized = String(value || fallback)
+    .trim()
+    .toLowerCase();
+  if (!EXTERNAL_PROVIDER_MODES.includes(normalized)) {
+    throw new Error(`${label} must be one of: ${EXTERNAL_PROVIDER_MODES.join(", ")}`);
+  }
+  return normalized;
+}
+
+function normalizeCorridorSeverity(value, label, fallback = DEFAULT_CORRIDOR_SEVERITY_THRESHOLD) {
+  const normalized = String(value || fallback)
+    .trim()
+    .toLowerCase();
+  if (!CORRIDOR_SEVERITY_LEVELS.includes(normalized)) {
+    throw new Error(`${label} must be one of: ${CORRIDOR_SEVERITY_LEVELS.join(", ")}`);
+  }
+  return normalized;
+}
+
+function normalizeExternalProviders(rawExternalProviders = {}, label = "externalProviders") {
+  const externalProviders =
+    rawExternalProviders &&
+    typeof rawExternalProviders === "object" &&
+    !Array.isArray(rawExternalProviders)
+      ? rawExternalProviders
+      : {};
+  const context7 =
+    externalProviders.context7 &&
+    typeof externalProviders.context7 === "object" &&
+    !Array.isArray(externalProviders.context7)
+      ? externalProviders.context7
+      : {};
+  const corridor =
+    externalProviders.corridor &&
+    typeof externalProviders.corridor === "object" &&
+    !Array.isArray(externalProviders.corridor)
+      ? externalProviders.corridor
+      : {};
+  const context7Mode = normalizeExternalProviderMode(
+    context7.mode,
+    `${label}.context7.mode`,
+    "direct",
+  );
+  const corridorMode = normalizeExternalProviderMode(
+    corridor.mode,
+    `${label}.corridor.mode`,
+    "direct",
+  );
+  const normalized = {
+    context7: {
+      mode: context7Mode,
+      apiKeyEnvVar:
+        normalizeOptionalString(
+          context7.apiKeyEnvVar,
+          DEFAULT_CONTEXT7_API_KEY_ENV_VAR,
+        ) || DEFAULT_CONTEXT7_API_KEY_ENV_VAR,
+    },
+    corridor: {
+      enabled: normalizeOptionalBoolean(corridor.enabled, false),
+      mode: corridorMode,
+      baseUrl: normalizeOptionalString(corridor.baseUrl, DEFAULT_CORRIDOR_BASE_URL),
+      apiTokenEnvVar:
+        normalizeOptionalString(
+          corridor.apiTokenEnvVar,
+          DEFAULT_CORRIDOR_API_TOKEN_ENV_VAR,
+        ) || DEFAULT_CORRIDOR_API_TOKEN_ENV_VAR,
+      apiKeyFallbackEnvVar:
+        normalizeOptionalString(
+          corridor.apiKeyFallbackEnvVar,
+          DEFAULT_CORRIDOR_API_KEY_FALLBACK_ENV_VAR,
+        ) || DEFAULT_CORRIDOR_API_KEY_FALLBACK_ENV_VAR,
+      teamId: normalizeOptionalString(corridor.teamId, null),
+      projectId: normalizeOptionalString(corridor.projectId, null),
+      severityThreshold: normalizeCorridorSeverity(
+        corridor.severityThreshold,
+        `${label}.corridor.severityThreshold`,
+      ),
+      findingStates: normalizeOptionalStringArray(
+        corridor.findingStates,
+        DEFAULT_CORRIDOR_FINDING_STATES,
+      ),
+      requiredAtClosure: normalizeOptionalBoolean(corridor.requiredAtClosure, true),
+    },
+  };
+  if (
+    normalized.corridor.enabled &&
+    normalized.corridor.mode === "direct" &&
+    (!normalized.corridor.teamId || !normalized.corridor.projectId)
+  ) {
+    throw new Error(
+      `${label}.corridor.teamId and ${label}.corridor.projectId are required when corridor is enabled in direct mode`,
+    );
+  }
+  return normalized;
+}
+
 function normalizeExecutorBudget(rawBudget = {}, label = "budget") {
   const budget =
     rawBudget && typeof rawBudget === "object" && !Array.isArray(rawBudget) ? rawBudget : {};
@@ -578,6 +685,31 @@ function normalizeWaveControl(rawWaveControl = {}, label = "waveControl") {
     rawWaveControl && typeof rawWaveControl === "object" && !Array.isArray(rawWaveControl)
       ? rawWaveControl
       : {};
+  const credentials = Array.isArray(waveControl.credentials) ? waveControl.credentials : [];
+  const normalizedCredentials = [];
+  const seenCredentialEnvVars = new Set();
+  for (const [index, entry] of credentials.entries()) {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+      throw new Error(`${label}.credentials[${index}] must be an object with id and envVar.`);
+    }
+    const id = String(entry.id || "").trim().toLowerCase();
+    if (!/^[a-z0-9][a-z0-9._-]*$/.test(id)) {
+      throw new Error(
+        `${label}.credentials[${index}].id must match /^[a-z0-9][a-z0-9._-]*$/.`,
+      );
+    }
+    const envVar = String(entry.envVar || "").trim().toUpperCase();
+    if (!/^[A-Z_][A-Z0-9_]*$/.test(envVar)) {
+      throw new Error(
+        `${label}.credentials[${index}].envVar must match /^[A-Z_][A-Z0-9_]*$/.`,
+      );
+    }
+    if (seenCredentialEnvVars.has(envVar)) {
+      throw new Error(`${label}.credentials contains duplicate envVar mappings for ${envVar}.`);
+    }
+    seenCredentialEnvVars.add(envVar);
+    normalizedCredentials.push({ id, envVar });
+  }
   const reportMode = normalizeWaveControlReportMode(
     waveControl.reportMode,
     `${label}.reportMode`,
@@ -591,8 +723,36 @@ function normalizeWaveControl(rawWaveControl = {}, label = "waveControl") {
     workspaceId: normalizeOptionalString(waveControl.workspaceId, null),
     projectId: normalizeOptionalString(waveControl.projectId, null),
     authTokenEnvVar:
-      normalizeOptionalString(waveControl.authTokenEnvVar, DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR) ||
-      DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+      normalizeOptionalString(
+        waveControl.authTokenEnvVar,
+        DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+      ) || DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+    authTokenEnvVars: Array.from(
+      new Set(
+        normalizeOptionalStringArray(
+          waveControl.authTokenEnvVars,
+          [
+            normalizeOptionalString(
+              waveControl.authTokenEnvVar,
+              DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+            ) || DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+            LEGACY_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+          ],
+        ),
+      ),
+    ),
+    credentialProviders: normalizeOptionalStringArray(waveControl.credentialProviders, []).map(
+      (providerId, index) => {
+        const normalized = String(providerId || "").trim().toLowerCase();
+        if (!WAVE_CONTROL_RUNTIME_CREDENTIAL_PROVIDERS.includes(normalized)) {
+          throw new Error(
+            `${label}.credentialProviders[${index}] must be one of: ${WAVE_CONTROL_RUNTIME_CREDENTIAL_PROVIDERS.join(", ")}`,
+          );
+        }
+        return normalized;
+      },
+    ),
+    credentials: normalizedCredentials,
     reportMode,
     uploadArtifactKinds: normalizeOptionalStringArray(
       waveControl.uploadArtifactKinds,
@@ -1109,6 +1269,7 @@ export function loadWaveConfig(configPath = DEFAULT_WAVE_CONFIG_PATH) {
           capabilityRouting: rawProject.capabilityRouting || {},
           runtimePolicy: rawProject.runtimePolicy || {},
           waveControl: rawProject.waveControl || {},
+          externalProviders: rawProject.externalProviders || {},
           lanes: projectLanes,
           explicit: Boolean(rawProjects),
         },
@@ -1130,6 +1291,10 @@ export function loadWaveConfig(configPath = DEFAULT_WAVE_CONFIG_PATH) {
     capabilityRouting: normalizeCapabilityRouting(rawConfig.capabilityRouting),
     runtimePolicy: normalizeRuntimePolicy(rawConfig.runtimePolicy),
     waveControl: normalizeWaveControl(rawConfig.waveControl, "waveControl"),
+    externalProviders: normalizeExternalProviders(
+      rawConfig.externalProviders,
+      "externalProviders",
+    ),
     sharedPlanDocs,
     lanes: legacyLanes,
     projects,
@@ -1182,6 +1347,21 @@ export function resolveProjectProfile(config, projectInput = config.defaultProje
       ...config.runtimePolicy,
       ...(projectConfig.runtimePolicy || {}),
     }),
+    externalProviders: normalizeExternalProviders(
+      {
+        ...config.externalProviders,
+        ...(projectConfig.externalProviders || {}),
+        context7: {
+          ...(config.externalProviders?.context7 || {}),
+          ...(projectConfig.externalProviders?.context7 || {}),
+        },
+        corridor: {
+          ...(config.externalProviders?.corridor || {}),
+          ...(projectConfig.externalProviders?.corridor || {}),
+        },
+      },
+      `projects.${projectId}.externalProviders`,
+    ),
     waveControl: normalizeWaveControl(
       {
         ...config.waveControl,
@@ -1256,6 +1436,21 @@ export function resolveLaneProfile(config, laneInput = config.defaultLane, proje
     },
     `${lane}.waveControl`,
   );
+  const externalProviders = normalizeExternalProviders(
+    {
+      ...projectProfile.externalProviders,
+      ...(laneConfig.externalProviders || {}),
+      context7: {
+        ...(projectProfile.externalProviders?.context7 || {}),
+        ...(laneConfig.externalProviders?.context7 || {}),
+      },
+      corridor: {
+        ...(projectProfile.externalProviders?.corridor || {}),
+        ...(laneConfig.externalProviders?.corridor || {}),
+      },
+    },
+    `${lane}.externalProviders`,
+  );
   return {
     projectId: projectProfile.projectId,
     projectName: projectProfile.projectName,
@@ -1276,6 +1471,7 @@ export function resolveLaneProfile(config, laneInput = config.defaultLane, proje
     skills,
     capabilityRouting,
     runtimePolicy,
+    externalProviders,
     waveControl,
     paths: {
       terminalsPath: normalizeRepoRelativePath(