@chllming/wave-orchestration 0.9.1 → 0.9.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chllming/wave-orchestration",
-  "version": "0.9.1",
+  "version": "0.9.3",
   "license": "MIT",
   "description": "Generic wave-based multi-agent orchestration for repository work.",
   "repository": {

package/releases/manifest.json

@@ -2,22 +2,63 @@
   "schemaVersion": 1,
   "packageName": "@chllming/wave-orchestration",
   "releases": [
+    {
+      "version": "0.9.3",
+      "date": "2026-03-30",
+      "summary": "Gap-value wave-gate fix and first-time project setup UX improvements.",
+      "features": [
+        "WAVE_GATE_REGEX now accepts `gap` alongside `pass|concerns|blocked` for all five gate dimensions (architecture, integration, durability, live, docs), so agents reporting a documented gap no longer have their marker rejected entirely.",
+        "`validateContQaSummary` now treats `gap` dimension values as a conditional pass (`ok: true`, `statusCode: conditional-pass`) instead of a hard blocker, with detail text listing which dimensions have documented gaps.",
+        "The cont-QA coordination prompt now documents `gap` as a valid dimension value alongside `pass|concerns|blocked`.",
+        "First-time `wave launch` now auto-triggers `wave project setup` when no project profile exists, matching existing `wave draft` behavior. (Contributed by @justanothernate in #54)",
+        "`wave project setup` now shows descriptive help text before each prompt, explains all template and posture options inline, and adds whitespace between question groups for readability. (Contributed by @justanothernate in #54)",
+        "`PromptSession` gains a `describe(text)` method for writing contextual help to stderr during interactive setup flows.",
+        "`parseArgs` now passes the loaded config object through to `runLauncherCli`, avoiding a redundant `loadWaveConfig()` call.",
+        "Release docs, migration guidance, runtime-config and closure references, the manifest, and the tracked install-state fixtures now all point at the `0.9.3` surface.",
+        "Planner migration guidance and the `planner-agentic` bundle placeholder remain part of the shipped current-surface docs so adopted repos still have one aligned upgrade target."
+      ],
+      "manualSteps": [
+        "Run `pnpm exec wave doctor` and `pnpm exec wave launch --lane main --dry-run --no-dashboard` after upgrading so the repo validates against the `0.9.3` release surface.",
+        "Push the `v0.9.3` tag after the release commit so the GitHub publish workflow can publish the matching npm package version.",
+        "If your repo copied starter docs or runbooks, sync `README.md`, `docs/README.md`, `docs/plans/current-state.md`, `docs/plans/migration.md`, `docs/reference/coordination-and-closure.md`, `docs/reference/runtime-config/README.md`, and `docs/guides/recommendations-0.9.3.md` so local guidance matches the packaged release."
+      ],
+      "breaking": false
+    },
+    {
+      "version": "0.9.2",
+      "date": "2026-03-29",
+      "summary": "0.9.2 release cut for the documented Corridor and Wave Control surface, plus aligned publish artifacts.",
+      "features": [
+        "The packaged version now advances to `0.9.2` so the documented Corridor, Wave Control auth, and security surfaces can be tagged and published without colliding with the existing `0.9.1` npm release and git tag.",
+        "Release docs, migration guidance, runtime-config docs, coordination docs, Wave Control docs, package publishing docs, tracked install-state fixtures, and the release manifest now all point at the same `0.9.2` surface.",
+        "The shipped versioned operating guide is now `docs/guides/recommendations-0.9.2.md`, and starter install seeding plus install regression coverage now use that exact path.",
+        "Planner migration guidance and the `planner-agentic` bundle placeholder remain part of the shipped current-surface docs so adopted repos still have one aligned upgrade target."
+      ],
+      "manualSteps": [
+        "Run `pnpm exec wave doctor` and `pnpm exec wave launch --lane main --dry-run --no-dashboard` after upgrading so the repo validates against the `0.9.2` release surface.",
+        "Push the `v0.9.2` tag after the release commit so the GitHub publish workflow can publish the matching npm package version.",
+        "If your repo copied starter docs or runbooks, sync `README.md`, `docs/README.md`, `docs/plans/current-state.md`, `docs/plans/migration.md`, `docs/reference/coordination-and-closure.md`, `docs/reference/runtime-config/README.md`, `docs/reference/corridor.md`, `docs/reference/wave-control.md`, and `docs/guides/recommendations-0.9.2.md` so local guidance matches the packaged release."
+      ],
+      "breaking": false
+    },
     {
       "version": "0.9.1",
       "date": "2026-03-29",
-      "summary": "Detached process-backed agent execution, sandbox-safe supervisor hardening, lower memory pressure, and 0.9.1 release-surface alignment.",
+      "summary": "Detached process-backed agent execution, authenticated Wave Control, Corridor-backed security context, and 0.9.1 release-surface alignment.",
       "features": [
         "Live agent execution now uses detached process runners by default instead of per-agent tmux execution sessions, which reduces tmux churn and lowers memory use during wide orchestration bursts while keeping tmux as an optional dashboard projection layer.",
         "The sandbox-facing path is now `wave submit`, `wave supervise`, `wave status`, `wave wait`, and `wave attach`, with exact-context lookup, read-side launcher-status reconciliation, progress journaling, degraded-run handling, and log-follow attach behavior suited to LEAPclaw, OpenClaw, Nemoshell, and similar short-lived exec environments.",
         "Supervisor recovery now relies on run-owned terminal artifacts and finalized progress instead of lane-global completion history, preserving the correct remaining wave range and final active wave during multi-wave reruns and launcher-loss recovery.",
         "Ordinary runs, closure runs, and resident orchestrator runs now all preserve process-runtime metadata for timeout and cleanup, while process-backed resident orchestrators terminate cleanly and rate-limit retry detection stays scoped to the current attempt output.",
+        "Owned `wave-control` deployments now expose the shipped auth surface: Stack-backed browser access, Wave-managed approval states and provider grants, PATs, dedicated service tokens, encrypted per-user credential storage, runtime env leasing, and the separate `services/wave-control-web` frontend.",
+        "Corridor is now documented as a first-class security input with `direct`, `broker`, and `hybrid` runtime modes, normalized per-wave security artifacts, owned-path matching rules, and closure gating that can fail before integration on fetch failures or matched blocking findings.",
         "Planner migration guidance and the `planner-agentic` bundle placeholder remain part of the shipped current-surface docs so adopted repos still have one aligned upgrade target.",
-        "A dedicated setup guide now ships for sandboxed and containerized operation, including Nemoshell and Docker guidance, while README, migration docs, terminal-surface docs, runtime-config docs, coordination docs, and the renamed recommendations guide `docs/guides/recommendations-0.9.1.md` now describe the same sandbox-safe release surface."
+        "A dedicated setup guide now ships for sandboxed and containerized operation, and README, migration docs, terminal-surface docs, runtime-config docs, coordination docs, Wave Control docs, the new Corridor reference, and the renamed recommendations guide `docs/guides/recommendations-0.9.1.md` now describe the same current release surface."
       ],
       "manualSteps": [
         "Run `pnpm exec wave doctor` and `pnpm exec wave launch --lane main --dry-run --no-dashboard` after upgrading so the repo validates against the `0.9.1` release surface.",
         "If your repo runs Wave inside LEAPclaw, OpenClaw, Nemoshell, Docker, or another short-lived exec sandbox, move long-running orchestration to `wave supervise`, use `wave submit/status/wait/attach` from disposable clients, and set Codex sandbox defaults in `wave.config.json` instead of relying on per-command overrides.",
-        "If your repo copied starter docs or runbooks, sync `README.md`, `docs/README.md`, `docs/plans/current-state.md`, `docs/plans/migration.md`, `docs/reference/coordination-and-closure.md`, `docs/reference/runtime-config/README.md`, `docs/guides/sandboxed-environments.md`, `docs/guides/terminal-surfaces.md`, and `docs/guides/recommendations-0.9.1.md` so local guidance matches the packaged release."
+        "If your repo copied starter docs or runbooks, sync `README.md`, `docs/README.md`, `docs/plans/current-state.md`, `docs/plans/migration.md`, `docs/reference/coordination-and-closure.md`, `docs/reference/runtime-config/README.md`, `docs/reference/corridor.md`, `docs/reference/wave-control.md`, `docs/guides/sandboxed-environments.md`, `docs/guides/terminal-surfaces.md`, and `docs/guides/recommendations-0.9.1.md` so local guidance matches the packaged release."
       ],
       "breaking": false
     },

package/scripts/wave-cli-bootstrap.mjs

@@ -1,4 +1,13 @@
 import path from "node:path";
+import fs from "node:fs";
+
+const ALLOWLISTED_ENV_FILE_KEYS = new Set([
+  "CONTEXT7_API_KEY",
+  "CORRIDOR_API_TOKEN",
+  "CORRIDOR_API_KEY",
+  "WAVE_API_TOKEN",
+  "WAVE_CONTROL_AUTH_TOKEN",
+]);
 
 function stripRepoRootArg(argv) {
   const normalizedArgs = [];
@@ -22,6 +31,48 @@ function stripRepoRootArg(argv) {
   return normalizedArgs;
 }
 
+function parseEnvLine(line) {
+  const trimmed = String(line || "").trim();
+  if (!trimmed || trimmed.startsWith("#")) {
+    return null;
+  }
+  const exportPrefix = trimmed.startsWith("export ") ? trimmed.slice("export ".length).trim() : trimmed;
+  const equalsIndex = exportPrefix.indexOf("=");
+  if (equalsIndex <= 0) {
+    return null;
+  }
+  const key = exportPrefix.slice(0, equalsIndex).trim();
+  let value = exportPrefix.slice(equalsIndex + 1).trim();
+  if (!ALLOWLISTED_ENV_FILE_KEYS.has(key)) {
+    return null;
+  }
+  if (
+    (value.startsWith("\"") && value.endsWith("\"")) ||
+    (value.startsWith("'") && value.endsWith("'"))
+  ) {
+    value = value.slice(1, -1);
+  }
+  return { key, value };
+}
+
+function loadRepoLocalEnv() {
+  const repoRoot = path.resolve(process.env.WAVE_REPO_ROOT || process.cwd());
+  const envPath = path.join(repoRoot, ".env.local");
+  if (!fs.existsSync(envPath)) {
+    return;
+  }
+  const lines = fs.readFileSync(envPath, "utf8").split(/\r?\n/);
+  for (const line of lines) {
+    const entry = parseEnvLine(line);
+    if (!entry || process.env[entry.key]) {
+      continue;
+    }
+    process.env[entry.key] = entry.value;
+  }
+}
+
 export function bootstrapWaveArgs(argv) {
-  return stripRepoRootArg(Array.isArray(argv) ? argv : []);
+  const normalizedArgs = stripRepoRootArg(Array.isArray(argv) ? argv : []);
+  loadRepoLocalEnv();
+  return normalizedArgs;
 }

package/scripts/wave-orchestrator/agent-state.mjs

@@ -50,7 +50,7 @@ const WAVE_SECURITY_REGEX =
 const WAVE_DESIGN_REGEX =
   /^\[wave-design\]\s*state=(ready-for-implementation|needs-clarification|blocked)\s+decisions=(\d+)\s+assumptions=(\d+)\s+open_questions=(\d+)\s*(?:detail=(.*))?$/gim;
 const WAVE_GATE_REGEX =
-  /^\[wave-gate\]\s*architecture=(pass|concerns|blocked)\s+integration=(pass|concerns|blocked)\s+durability=(pass|concerns|blocked)\s+live=(pass|concerns|blocked)\s+docs=(pass|concerns|blocked)\s*(?:detail=(.*))?$/gim;
+  /^\[wave-gate\]\s*architecture=(pass|concerns|blocked|gap)\s+integration=(pass|concerns|blocked|gap)\s+durability=(pass|concerns|blocked|gap)\s+live=(pass|concerns|blocked|gap)\s+docs=(pass|concerns|blocked|gap)\s*(?:detail=(.*))?$/gim;
 const WAVE_GAP_REGEX =
   /^\[wave-gap\]\s*kind=(architecture|integration|durability|ops|docs)\s*(?:detail=(.*))?$/gim;
 const WAVE_COMPONENT_REGEX =
@@ -1268,17 +1268,34 @@ export function validateContQaSummary(agent, summary, options = {}) {
       detail: summary.verdict.detail || "Verdict read from cont-QA report.",
     };
   }
+  const hardBlockers = [];
+  const documentedGaps = [];
   for (const key of ["architecture", "integration", "durability", "live", "docs"]) {
-    if (summary.gate[key] !== "pass") {
-      return {
-        ok: false,
-        statusCode: `gate-${key}-${summary.gate[key]}`,
-        detail:
-          summary.gate.detail ||
-          `Final cont-QA gate did not pass ${key}; got ${summary.gate[key]}.`,
-      };
+    if (summary.gate[key] === "gap") {
+      documentedGaps.push(key);
+    } else if (summary.gate[key] !== "pass") {
+      hardBlockers.push(key);
     }
   }
+  if (hardBlockers.length > 0) {
+    const key = hardBlockers[0];
+    return {
+      ok: false,
+      statusCode: `gate-${key}-${summary.gate[key]}`,
+      detail:
+        summary.gate.detail ||
+        `Final cont-QA gate did not pass ${key}; got ${summary.gate[key]}.`,
+    };
+  }
+  if (documentedGaps.length > 0) {
+    return {
+      ok: true,
+      statusCode: "conditional-pass",
+      detail:
+        summary.gate.detail ||
+        `cont-QA gate passed with documented gaps in: ${documentedGaps.join(", ")}.`,
+    };
+  }
   return {
     ok: true,
     statusCode: "pass",

package/scripts/wave-orchestrator/config.mjs

@@ -73,12 +73,22 @@ export const DEFAULT_CODEX_SANDBOX_MODE = "danger-full-access";
 export const CODEX_SANDBOX_MODES = ["read-only", "workspace-write", "danger-full-access"];
 export const DEFAULT_CLAUDE_COMMAND = "claude";
 export const DEFAULT_OPENCODE_COMMAND = "opencode";
-export const DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR = "WAVE_CONTROL_AUTH_TOKEN";
+export const DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR = "WAVE_API_TOKEN";
+export const LEGACY_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR = "WAVE_CONTROL_AUTH_TOKEN";
 export const DEFAULT_WAVE_CONTROL_ENDPOINT = "https://wave-control.up.railway.app/api/v1";
 export const DEFAULT_WAVE_CONTROL_REPORT_MODE = "metadata-only";
 export const DEFAULT_WAVE_CONTROL_REQUEST_TIMEOUT_MS = 5000;
 export const DEFAULT_WAVE_CONTROL_FLUSH_BATCH_SIZE = 25;
 export const DEFAULT_WAVE_CONTROL_MAX_PENDING_EVENTS = 1000;
+export const WAVE_CONTROL_RUNTIME_CREDENTIAL_PROVIDERS = ["anthropic", "openai"];
+export const EXTERNAL_PROVIDER_MODES = ["direct", "broker", "hybrid"];
+export const DEFAULT_CONTEXT7_API_KEY_ENV_VAR = "CONTEXT7_API_KEY";
+export const DEFAULT_CORRIDOR_API_TOKEN_ENV_VAR = "CORRIDOR_API_TOKEN";
+export const DEFAULT_CORRIDOR_API_KEY_FALLBACK_ENV_VAR = "CORRIDOR_API_KEY";
+export const DEFAULT_CORRIDOR_BASE_URL = "https://app.corridor.dev/api";
+export const DEFAULT_CORRIDOR_SEVERITY_THRESHOLD = "critical";
+export const DEFAULT_CORRIDOR_FINDING_STATES = ["open", "potential"];
+export const CORRIDOR_SEVERITY_LEVELS = ["low", "medium", "high", "critical"];
 export const DEFAULT_WAVE_CONTROL_SELECTED_ARTIFACT_KINDS = [
   "trace-run-metadata",
   "trace-quality",
@@ -295,6 +305,103 @@ function normalizeOptionalJsonObject(value, label) {
   throw new Error(`${label} must be a JSON object`);
 }
 
+function normalizeExternalProviderMode(value, label, fallback = "direct") {
+  const normalized = String(value || fallback)
+    .trim()
+    .toLowerCase();
+  if (!EXTERNAL_PROVIDER_MODES.includes(normalized)) {
+    throw new Error(`${label} must be one of: ${EXTERNAL_PROVIDER_MODES.join(", ")}`);
+  }
+  return normalized;
+}
+
+function normalizeCorridorSeverity(value, label, fallback = DEFAULT_CORRIDOR_SEVERITY_THRESHOLD) {
+  const normalized = String(value || fallback)
+    .trim()
+    .toLowerCase();
+  if (!CORRIDOR_SEVERITY_LEVELS.includes(normalized)) {
+    throw new Error(`${label} must be one of: ${CORRIDOR_SEVERITY_LEVELS.join(", ")}`);
+  }
+  return normalized;
+}
+
+function normalizeExternalProviders(rawExternalProviders = {}, label = "externalProviders") {
+  const externalProviders =
+    rawExternalProviders &&
+    typeof rawExternalProviders === "object" &&
+    !Array.isArray(rawExternalProviders)
+      ? rawExternalProviders
+      : {};
+  const context7 =
+    externalProviders.context7 &&
+    typeof externalProviders.context7 === "object" &&
+    !Array.isArray(externalProviders.context7)
+      ? externalProviders.context7
+      : {};
+  const corridor =
+    externalProviders.corridor &&
+    typeof externalProviders.corridor === "object" &&
+    !Array.isArray(externalProviders.corridor)
+      ? externalProviders.corridor
+      : {};
+  const context7Mode = normalizeExternalProviderMode(
+    context7.mode,
+    `${label}.context7.mode`,
+    "direct",
+  );
+  const corridorMode = normalizeExternalProviderMode(
+    corridor.mode,
+    `${label}.corridor.mode`,
+    "direct",
+  );
+  const normalized = {
+    context7: {
+      mode: context7Mode,
+      apiKeyEnvVar:
+        normalizeOptionalString(
+          context7.apiKeyEnvVar,
+          DEFAULT_CONTEXT7_API_KEY_ENV_VAR,
+        ) || DEFAULT_CONTEXT7_API_KEY_ENV_VAR,
+    },
+    corridor: {
+      enabled: normalizeOptionalBoolean(corridor.enabled, false),
+      mode: corridorMode,
+      baseUrl: normalizeOptionalString(corridor.baseUrl, DEFAULT_CORRIDOR_BASE_URL),
+      apiTokenEnvVar:
+        normalizeOptionalString(
+          corridor.apiTokenEnvVar,
+          DEFAULT_CORRIDOR_API_TOKEN_ENV_VAR,
+        ) || DEFAULT_CORRIDOR_API_TOKEN_ENV_VAR,
+      apiKeyFallbackEnvVar:
+        normalizeOptionalString(
+          corridor.apiKeyFallbackEnvVar,
+          DEFAULT_CORRIDOR_API_KEY_FALLBACK_ENV_VAR,
+        ) || DEFAULT_CORRIDOR_API_KEY_FALLBACK_ENV_VAR,
+      teamId: normalizeOptionalString(corridor.teamId, null),
+      projectId: normalizeOptionalString(corridor.projectId, null),
+      severityThreshold: normalizeCorridorSeverity(
+        corridor.severityThreshold,
+        `${label}.corridor.severityThreshold`,
+      ),
+      findingStates: normalizeOptionalStringArray(
+        corridor.findingStates,
+        DEFAULT_CORRIDOR_FINDING_STATES,
+      ),
+      requiredAtClosure: normalizeOptionalBoolean(corridor.requiredAtClosure, true),
+    },
+  };
+  if (
+    normalized.corridor.enabled &&
+    normalized.corridor.mode === "direct" &&
+    (!normalized.corridor.teamId || !normalized.corridor.projectId)
+  ) {
+    throw new Error(
+      `${label}.corridor.teamId and ${label}.corridor.projectId are required when corridor is enabled in direct mode`,
+    );
+  }
+  return normalized;
+}
+
 function normalizeExecutorBudget(rawBudget = {}, label = "budget") {
   const budget =
     rawBudget && typeof rawBudget === "object" && !Array.isArray(rawBudget) ? rawBudget : {};
@@ -578,6 +685,31 @@ function normalizeWaveControl(rawWaveControl = {}, label = "waveControl") {
     rawWaveControl && typeof rawWaveControl === "object" && !Array.isArray(rawWaveControl)
       ? rawWaveControl
       : {};
+  const credentials = Array.isArray(waveControl.credentials) ? waveControl.credentials : [];
+  const normalizedCredentials = [];
+  const seenCredentialEnvVars = new Set();
+  for (const [index, entry] of credentials.entries()) {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+      throw new Error(`${label}.credentials[${index}] must be an object with id and envVar.`);
+    }
+    const id = String(entry.id || "").trim().toLowerCase();
+    if (!/^[a-z0-9][a-z0-9._-]*$/.test(id)) {
+      throw new Error(
+        `${label}.credentials[${index}].id must match /^[a-z0-9][a-z0-9._-]*$/.`,
+      );
+    }
+    const envVar = String(entry.envVar || "").trim().toUpperCase();
+    if (!/^[A-Z_][A-Z0-9_]*$/.test(envVar)) {
+      throw new Error(
+        `${label}.credentials[${index}].envVar must match /^[A-Z_][A-Z0-9_]*$/.`,
+      );
+    }
+    if (seenCredentialEnvVars.has(envVar)) {
+      throw new Error(`${label}.credentials contains duplicate envVar mappings for ${envVar}.`);
+    }
+    seenCredentialEnvVars.add(envVar);
+    normalizedCredentials.push({ id, envVar });
+  }
   const reportMode = normalizeWaveControlReportMode(
     waveControl.reportMode,
     `${label}.reportMode`,
@@ -591,8 +723,36 @@ function normalizeWaveControl(rawWaveControl = {}, label = "waveControl") {
     workspaceId: normalizeOptionalString(waveControl.workspaceId, null),
     projectId: normalizeOptionalString(waveControl.projectId, null),
     authTokenEnvVar:
-      normalizeOptionalString(waveControl.authTokenEnvVar, DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR) ||
-      DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+      normalizeOptionalString(
+        waveControl.authTokenEnvVar,
+        DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+      ) || DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+    authTokenEnvVars: Array.from(
+      new Set(
+        normalizeOptionalStringArray(
+          waveControl.authTokenEnvVars,
+          [
+            normalizeOptionalString(
+              waveControl.authTokenEnvVar,
+              DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+            ) || DEFAULT_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+            LEGACY_WAVE_CONTROL_AUTH_TOKEN_ENV_VAR,
+          ],
+        ),
+      ),
+    ),
+    credentialProviders: normalizeOptionalStringArray(waveControl.credentialProviders, []).map(
+      (providerId, index) => {
+        const normalized = String(providerId || "").trim().toLowerCase();
+        if (!WAVE_CONTROL_RUNTIME_CREDENTIAL_PROVIDERS.includes(normalized)) {
+          throw new Error(
+            `${label}.credentialProviders[${index}] must be one of: ${WAVE_CONTROL_RUNTIME_CREDENTIAL_PROVIDERS.join(", ")}`,
+          );
+        }
+        return normalized;
+      },
+    ),
+    credentials: normalizedCredentials,
     reportMode,
     uploadArtifactKinds: normalizeOptionalStringArray(
       waveControl.uploadArtifactKinds,
@@ -1109,6 +1269,7 @@ export function loadWaveConfig(configPath = DEFAULT_WAVE_CONFIG_PATH) {
           capabilityRouting: rawProject.capabilityRouting || {},
           runtimePolicy: rawProject.runtimePolicy || {},
           waveControl: rawProject.waveControl || {},
+          externalProviders: rawProject.externalProviders || {},
           lanes: projectLanes,
           explicit: Boolean(rawProjects),
         },
@@ -1130,6 +1291,10 @@ export function loadWaveConfig(configPath = DEFAULT_WAVE_CONFIG_PATH) {
     capabilityRouting: normalizeCapabilityRouting(rawConfig.capabilityRouting),
     runtimePolicy: normalizeRuntimePolicy(rawConfig.runtimePolicy),
     waveControl: normalizeWaveControl(rawConfig.waveControl, "waveControl"),
+    externalProviders: normalizeExternalProviders(
+      rawConfig.externalProviders,
+      "externalProviders",
+    ),
     sharedPlanDocs,
     lanes: legacyLanes,
     projects,
@@ -1182,6 +1347,21 @@ export function resolveProjectProfile(config, projectInput = config.defaultProje
       ...config.runtimePolicy,
       ...(projectConfig.runtimePolicy || {}),
     }),
+    externalProviders: normalizeExternalProviders(
+      {
+        ...config.externalProviders,
+        ...(projectConfig.externalProviders || {}),
+        context7: {
+          ...(config.externalProviders?.context7 || {}),
+          ...(projectConfig.externalProviders?.context7 || {}),
+        },
+        corridor: {
+          ...(config.externalProviders?.corridor || {}),
+          ...(projectConfig.externalProviders?.corridor || {}),
+        },
+      },
+      `projects.${projectId}.externalProviders`,
+    ),
     waveControl: normalizeWaveControl(
       {
         ...config.waveControl,
@@ -1256,6 +1436,21 @@ export function resolveLaneProfile(config, laneInput = config.defaultLane, proje
     },
     `${lane}.waveControl`,
   );
+  const externalProviders = normalizeExternalProviders(
+    {
+      ...projectProfile.externalProviders,
+      ...(laneConfig.externalProviders || {}),
+      context7: {
+        ...(projectProfile.externalProviders?.context7 || {}),
+        ...(laneConfig.externalProviders?.context7 || {}),
+      },
+      corridor: {
+        ...(projectProfile.externalProviders?.corridor || {}),
+        ...(laneConfig.externalProviders?.corridor || {}),
+      },
+    },
+    `${lane}.externalProviders`,
+  );
   return {
     projectId: projectProfile.projectId,
     projectName: projectProfile.projectName,
@@ -1276,6 +1471,7 @@ export function resolveLaneProfile(config, laneInput = config.defaultLane, proje
     skills,
     capabilityRouting,
     runtimePolicy,
+    externalProviders,
     waveControl,
     paths: {
       terminalsPath: normalizeRepoRelativePath(