@chllming/wave-orchestration 0.9.1 → 0.9.2

package/scripts/wave-orchestrator/launcher-runtime.mjs

@@ -1,6 +1,11 @@
 import fs from "node:fs";
 import path from "node:path";
 import { buildExecutionPrompt } from "./coordination.mjs";
+import {
+  materializeWaveCorridorContext,
+  renderCorridorPromptContext,
+  waveCorridorContextPath,
+} from "./corridor.mjs";
 import {
   DEFAULT_AGENT_RATE_LIMIT_BASE_DELAY_SECONDS,
   DEFAULT_AGENT_RATE_LIMIT_MAX_DELAY_SECONDS,
@@ -15,7 +20,12 @@ import {
 import { readStatusCodeIfPresent } from "./dashboard-state.mjs";
 import { buildExecutorLaunchSpec } from "./executors.mjs";
 import { hashAgentPromptFingerprint, prefetchContext7ForSelection } from "./context7.mjs";
-import { isDesignAgent, resolveDesignReportPath, resolveWaveRoleBindings } from "./role-helpers.mjs";
+import {
+  isDesignAgent,
+  isSecurityReviewAgent,
+  resolveDesignReportPath,
+  resolveWaveRoleBindings,
+} from "./role-helpers.mjs";
 import {
   resolveAgentSkills,
   summarizeResolvedSkills,
@@ -30,6 +40,44 @@ import {
   spawnAgentProcessRunner,
   terminateAgentProcessRuntime,
 } from "./agent-process-runner.mjs";
+import {
+  requestWaveControlCredentialEnv,
+  requestWaveControlProviderEnv,
+} from "./provider-runtime.mjs";
+
+function redactPreviewEnv(env = {}, redactedKeys = []) {
+  const output = { ...(env || {}) };
+  for (const key of redactedKeys) {
+    if (Object.prototype.hasOwnProperty.call(output, key)) {
+      output[key] = "[redacted]";
+    }
+  }
+  return output;
+}
+
+function buildDryRunContext7Preview(selection) {
+  if (
+    !selection ||
+    selection.bundleId === "none" ||
+    !Array.isArray(selection.libraries) ||
+    selection.libraries.length === 0
+  ) {
+    return {
+      mode: "none",
+      selection,
+      promptText: "",
+      snippetHash: "",
+      warning: "",
+    };
+  }
+  return {
+    mode: "dry-run",
+    selection,
+    promptText: "",
+    snippetHash: "",
+    warning: "Context7 prefetch skipped during dry-run preview.",
+  };
+}
 
 export function refreshResolvedSkillsForRun(runInfo, waveDefinition, lanePaths) {
   runInfo.agent.skillsResolved = resolveAgentSkills(
@@ -141,13 +189,31 @@ export async function launchAgentSession(
     fs.rmSync(runtimePath, { force: true });
   }
 
-  const context7 = await prefetchContext7ForSelection(agent.context7Resolved, {
-    cacheDir: lanePaths.context7CacheDir,
-    disabled: !context7Enabled,
-  });
+  const resolvedWaveDefinition = waveDefinition || { deployEnvironments: [] };
+  const context7 = dryRun
+    ? buildDryRunContext7Preview(agent.context7Resolved || null)
+    : await prefetchContext7ForSelection(agent.context7Resolved, {
+        lanePaths,
+        cacheDir: lanePaths.context7CacheDir,
+        disabled: !context7Enabled,
+      });
+  const integrationAgentId =
+    waveDefinition?.integrationAgentId || lanePaths.integrationAgentId || "A8";
+  const shouldLoadCorridorContext =
+    lanePaths.externalProviders?.corridor?.enabled === true &&
+    (isSecurityReviewAgent(agent) || agent.agentId === integrationAgentId);
+  const corridorContext = !dryRun && shouldLoadCorridorContext
+    ? await materializeWaveCorridorContext(lanePaths, resolvedWaveDefinition)
+    : null;
+  const corridorContextPath = !dryRun && shouldLoadCorridorContext
+    ? waveCorridorContextPath(lanePaths, wave)
+    : null;
+  const corridorContextText =
+    dryRun && shouldLoadCorridorContext
+      ? "Corridor context omitted in dry-run preview."
+      : renderCorridorPromptContext(corridorContext);
   const overlayDir = path.join(lanePaths.executorOverlaysDir, `wave-${wave}`, agent.slug);
   ensureDirectory(overlayDir);
-  const resolvedWaveDefinition = waveDefinition || { deployEnvironments: [] };
   const skillsResolved =
     agent.skillsResolved ||
     resolveAgentSkills(agent, resolvedWaveDefinition, {
@@ -176,6 +242,8 @@ export async function launchAgentSession(
       inboxPath,
       inboxText,
       context7,
+      corridorContextPath,
+      corridorContextText,
       componentPromotions: resolvedWaveDefinition.componentPromotions,
       evalTargets: resolvedWaveDefinition.evalTargets,
       benchmarkCatalogPath: lanePaths.laneProfile?.paths?.benchmarkCatalogPath,
@@ -201,11 +269,45 @@ export async function launchAgentSession(
     overlayDir,
     skillProjection: agent.skillsResolved,
   });
+  const requestedCredentialProviders = Array.isArray(lanePaths.waveControl?.credentialProviders)
+    ? lanePaths.waveControl.credentialProviders
+    : [];
+  const requestedCredentials = Array.isArray(lanePaths.waveControl?.credentials)
+    ? lanePaths.waveControl.credentials
+    : [];
+  const leasedProviderEnv =
+    !dryRun && requestedCredentialProviders.length > 0
+      ? await requestWaveControlProviderEnv(fetch, lanePaths.waveControl, requestedCredentialProviders)
+      : {};
+  const leasedCredentialEnv =
+    !dryRun && requestedCredentials.length > 0
+      ? await requestWaveControlCredentialEnv(fetch, lanePaths.waveControl, requestedCredentials)
+      : {};
+  const overlappingLeasedEnvVars = Object.keys(leasedProviderEnv).filter((key) =>
+    Object.prototype.hasOwnProperty.call(leasedCredentialEnv, key),
+  );
+  if (overlappingLeasedEnvVars.length > 0) {
+    throw new Error(
+      `Wave Control leased duplicate environment variables: ${overlappingLeasedEnvVars.join(", ")}.`,
+    );
+  }
+  const leasedEnv = {
+    ...leasedProviderEnv,
+    ...leasedCredentialEnv,
+  };
+  if (Object.keys(leasedEnv).length > 0) {
+    launchSpec.env = {
+      ...(launchSpec.env || {}),
+      ...leasedEnv,
+    };
+  }
   const resolvedExecutorMode = launchSpec.executorId || agent.executorResolved?.id || "codex";
   writeJsonAtomic(path.join(overlayDir, "launch-preview.json"), {
     executorId: resolvedExecutorMode,
     command: launchSpec.command,
-    env: launchSpec.env || {},
+    env: redactPreviewEnv(launchSpec.env || {}, Object.keys(leasedEnv)),
+    credentialProviders: requestedCredentialProviders,
+    credentials: requestedCredentials,
     useRateLimitRetries: launchSpec.useRateLimitRetries === true,
     invocationLines: launchSpec.invocationLines,
     limits: launchSpec.limits || null,
@@ -215,6 +317,7 @@ export async function launchAgentSession(
     return {
       promptHash,
       context7,
+      corridorContext,
       executorId: resolvedExecutorMode,
       launchSpec,
       dryRun: true,
@@ -339,6 +442,7 @@ export async function launchAgentSession(
   return {
     promptHash,
     context7,
+    corridorContext,
     executorId: resolvedExecutorMode,
     skills: summarizeResolvedSkills(agent.skillsResolved),
     runtimePath,

package/scripts/wave-orchestrator/planner.mjs

@@ -2625,6 +2625,7 @@ async function runAgenticDraftFlow(options = {}) {
     request,
   });
   const plannerContext7Prefetch = await prefetchContext7ForSelection(plannerContext7Selection, {
+    lanePaths,
     cacheDir: lanePaths.context7CacheDir,
   });
   const promptText = buildPlannerPromptText({

package/scripts/wave-orchestrator/projection-writer.mjs

@@ -126,6 +126,8 @@ export function writeWaveAttemptTraceProjection({
     capabilityAssignments: derivedState.capabilityAssignments,
     dependencySnapshot: derivedState.dependencySnapshot,
     securitySummary: derivedState.securitySummary,
+    corridorSummary: derivedState.corridorSummary,
+    corridorSummaryPath: derivedState.corridorSummaryPath,
     integrationSummary: derivedState.integrationSummary,
     integrationMarkdownPath: derivedState.integrationMarkdownPath,
     proofRegistryPath: lanePaths.proofDir ? waveProofRegistryPath(lanePaths, wave.wave) : null,
@@ -191,6 +193,7 @@ export function writeWaveRelaunchProjection({
 }
 
 function renderWaveSecuritySummaryMarkdown(securitySummary) {
+  const corridor = securitySummary?.corridor || null;
   return [
     `# Wave ${securitySummary.wave} Security Summary`,
     "",
@@ -199,7 +202,18 @@ function renderWaveSecuritySummaryMarkdown(securitySummary) {
     `- Total findings: ${securitySummary.totalFindings || 0}`,
     `- Total approvals: ${securitySummary.totalApprovals || 0}`,
     `- Reviewers: ${(securitySummary.agents || []).length}`,
+    `- Corridor: ${corridor ? (corridor.ok ? (corridor.blocking ? "blocking" : "clear") : "fetch-failed") : "not-configured"}`,
     "",
+    ...(corridor
+      ? [
+          "## Corridor",
+          `- Source: ${corridor.source || corridor.providerMode || "unknown"}`,
+          `- Matched findings: ${(corridor.matchedFindings || []).length}`,
+          `- Blocking findings: ${(corridor.blockingFindings || []).length}`,
+          ...(corridor.error ? [`- Error: ${corridor.error}`] : []),
+          "",
+        ]
+      : []),
     "## Reviews",
     ...((securitySummary.agents || []).length > 0
       ? securitySummary.agents.map(
@@ -220,6 +234,7 @@ function renderIntegrationSection(title, items) {
 }
 
 function renderIntegrationSummaryMarkdown(integrationSummary) {
+  const corridor = integrationSummary?.corridor || null;
   return [
     `# Wave ${integrationSummary.wave} Integration Summary`,
     "",
@@ -239,6 +254,7 @@ function renderIntegrationSummaryMarkdown(integrationSummary) {
     `- Inbound dependencies: ${(integrationSummary.inboundDependencies || []).length}`,
     `- Outbound dependencies: ${(integrationSummary.outboundDependencies || []).length}`,
     `- Helper assignments: ${(integrationSummary.helperAssignments || []).length}`,
+    `- Corridor blocking findings: ${(corridor?.blockingFindings || []).length}`,
     "",
     ...renderIntegrationSection("## Open Claims", integrationSummary.openClaims),
     ...renderIntegrationSection("## Conflicting Claims", integrationSummary.conflictingClaims),
@@ -251,6 +267,13 @@ function renderIntegrationSummaryMarkdown(integrationSummary) {
     ...renderIntegrationSection("## Proof Gaps", integrationSummary.proofGaps),
     ...renderIntegrationSection("## Deploy Risks", integrationSummary.deployRisks),
     ...renderIntegrationSection("## Security Findings", integrationSummary.securityFindings),
+    ...renderIntegrationSection(
+      "## Corridor Findings",
+      corridor?.matchedFindings?.map(
+        (finding) =>
+          `${finding.severity || "unknown"} ${finding.affectedFile || "unknown-file"}: ${finding.title || "finding"}`,
+      ) || [],
+    ),
     ...renderIntegrationSection("## Security Approvals", integrationSummary.securityApprovals),
     ...renderIntegrationSection("## Inbound Dependencies", integrationSummary.inboundDependencies),
     ...renderIntegrationSection("## Outbound Dependencies", integrationSummary.outboundDependencies),

package/scripts/wave-orchestrator/provider-runtime.mjs

@@ -0,0 +1,104 @@
+import { DEFAULT_WAVE_CONTROL_ENDPOINT } from "./config.mjs";
+
+export function resolveEnvValue(envVars, env = process.env) {
+  for (const envVar of Array.isArray(envVars) ? envVars : [envVars]) {
+    const value = envVar ? String(env[envVar] || "").trim() : "";
+    if (value) {
+      return value;
+    }
+  }
+  return "";
+}
+
+export function resolveWaveControlAuthToken(waveControl = {}, env = process.env) {
+  const envVars = Array.isArray(waveControl?.authTokenEnvVars)
+    ? waveControl.authTokenEnvVars
+    : [waveControl?.authTokenEnvVar].filter(Boolean);
+  return resolveEnvValue(envVars, env);
+}
+
+export function isDefaultWaveControlEndpoint(endpoint) {
+  const normalized = String(endpoint || "").trim().replace(/\/+$/, "");
+  return normalized === String(DEFAULT_WAVE_CONTROL_ENDPOINT).trim().replace(/\/+$/, "");
+}
+
+export async function readJsonResponse(response, fallback = null) {
+  try {
+    return await response.json();
+  } catch {
+    return fallback;
+  }
+}
+
+export async function requestProvider(fetchImpl, url, options = {}) {
+  const response = await fetchImpl(url, options);
+  if (response.ok) {
+    return response;
+  }
+  const payload = await readJsonResponse(response, null);
+  throw new Error(
+    `${options.method || "GET"} ${url} failed (${response.status}): ${payload?.error || payload?.message || response.statusText || "unknown error"}`,
+  );
+}
+
+export async function requestWaveControlProviderEnv(fetchImpl, waveControl = {}, providers = []) {
+  const endpoint = String(waveControl.endpoint || DEFAULT_WAVE_CONTROL_ENDPOINT).trim();
+  if (!endpoint) {
+    throw new Error("Wave Control endpoint is not configured.");
+  }
+  if (isDefaultWaveControlEndpoint(endpoint)) {
+    throw new Error("Wave Control provider credential leasing requires an owned Wave Control deployment.");
+  }
+  const token = resolveWaveControlAuthToken(waveControl);
+  if (!token) {
+    throw new Error("WAVE_API_TOKEN is not set; Wave Control credential leasing is unavailable.");
+  }
+  const response = await requestProvider(
+    fetchImpl,
+    `${endpoint.replace(/\/$/, "")}/runtime/provider-env`,
+    {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${token}`,
+        "content-type": "application/json",
+        accept: "application/json",
+      },
+      body: JSON.stringify({ providers }),
+    },
+  );
+  const payload = await readJsonResponse(response, null);
+  return payload?.env && typeof payload.env === "object" && !Array.isArray(payload.env)
+    ? payload.env
+    : {};
+}
+
+export async function requestWaveControlCredentialEnv(fetchImpl, waveControl = {}, credentials = []) {
+  const endpoint = String(waveControl.endpoint || DEFAULT_WAVE_CONTROL_ENDPOINT).trim();
+  if (!endpoint) {
+    throw new Error("Wave Control endpoint is not configured.");
+  }
+  if (isDefaultWaveControlEndpoint(endpoint)) {
+    throw new Error("Wave Control credential leasing requires an owned Wave Control deployment.");
+  }
+  const token = resolveWaveControlAuthToken(waveControl);
+  if (!token) {
+    throw new Error("WAVE_API_TOKEN is not set; Wave Control credential leasing is unavailable.");
+  }
+  const response = await requestProvider(
+    fetchImpl,
+    `${endpoint.replace(/\/$/, "")}/runtime/credential-env`,
+    {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${token}`,
+        "content-type": "application/json",
+        accept: "application/json",
+      },
+      body: JSON.stringify({ credentials }),
+    },
+  );
+  const payload = await readJsonResponse(response, null);
+  return payload?.env && typeof payload.env === "object" && !Array.isArray(payload.env)
+    ? payload.env
+    : {};
+}

package/scripts/wave-orchestrator/shared.mjs

@@ -279,6 +279,7 @@ export function buildLanePaths(laneInput = DEFAULT_WAVE_LANE, options = {}) {
     executors: laneProfile.executors,
     skills: laneProfile.skills,
     capabilityRouting: laneProfile.capabilityRouting,
+    externalProviders: laneProfile.externalProviders,
     projectId: buildTelemetryProjectId(laneProfile.waveControl || { projectId }),
     projectRootDir: path.join(REPO_ROOT, laneProfile.projectRootDir || "."),
     runtimeVersion: readRuntimeVersion(),

package/scripts/wave-orchestrator/traces.mjs

@@ -798,6 +798,8 @@ export function writeTraceBundle({
   capabilityAssignments = [],
   dependencySnapshot = null,
   securitySummary = null,
+  corridorSummary = null,
+  corridorSummaryPath = null,
   integrationSummary,
   integrationMarkdownPath,
   proofRegistryPath = null,
@@ -860,6 +862,28 @@ export function writeTraceBundle({
     "json",
     true,
   );
+  const corridorArtifact =
+    corridorSummaryPath || corridorSummary
+      ? corridorSummaryPath
+        ? copyArtifactDescriptor(
+            dir,
+            corridorSummaryPath,
+            path.join(dir, "corridor.json"),
+            false,
+          )
+        : writeArtifactDescriptor(
+            dir,
+            path.join(dir, "corridor.json"),
+            corridorSummary || {},
+            "json",
+            false,
+          )
+      : {
+          path: "corridor.json",
+          required: false,
+          present: false,
+          sha256: null,
+        };
   const integrationArtifact = writeArtifactDescriptor(
     dir,
     path.join(dir, "integration.json"),
@@ -1023,6 +1047,7 @@ export function writeTraceBundle({
       capabilityAssignments: capabilityAssignmentsArtifact,
       dependencySnapshot: dependencySnapshotArtifact,
       security: securityArtifact,
+      corridor: corridorArtifact,
       integration: integrationArtifact,
       integrationMarkdown: integrationMarkdownArtifact,
       proofRegistry: proofRegistryArtifact,

package/scripts/wave-orchestrator/wave-control-client.mjs

@@ -154,6 +154,19 @@ function resolveWaveControlConfig(lanePaths, overrides = {}) {
   };
 }
 
+function resolveWaveControlAuthToken(config) {
+  const authVars = Array.isArray(config.authTokenEnvVars)
+    ? config.authTokenEnvVars
+    : [config.authTokenEnvVar].filter(Boolean);
+  for (const envVar of authVars) {
+    const value = envVar ? String(process.env[envVar] || "").trim() : "";
+    if (value) {
+      return value;
+    }
+  }
+  return "";
+}
+
 function buildWorkspaceId(lanePaths, config) {
   return normalizeText(config.workspaceId, buildWorkspaceTmuxToken(REPO_ROOT));
 }
@@ -505,7 +518,7 @@ export async function flushWaveControlQueue(lanePaths, options = {}) {
 
   try {
     const ingestUrl = resolveIngestUrl(config.endpoint);
-    const authToken = config.authTokenEnvVar ? process.env[config.authTokenEnvVar] || "" : "";
+    const authToken = resolveWaveControlAuthToken(config);
     await postBatch(
       ingestUrl,
       authToken,