@claude-flow/cli 3.22.0 → 3.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/.claude/evolve-proof/generation-0.json +211 -0
  2. package/.claude/evolve-proof/real-generation-0.json +406 -0
  3. package/.claude/evolve-proof/real-generation-1.json +406 -0
  4. package/.claude/helpers/.helpers-version +1 -0
  5. package/.claude/helpers/helpers.manifest.json +2 -2
  6. package/.claude/helpers/hook-handler.cjs +0 -0
  7. package/.claude/helpers/intelligence.cjs +10 -0
  8. package/.claude/proven-config.manifest.json +37 -0
  9. package/.claude/proven-config.signed.json +41 -0
  10. package/.claude/proven-config.signed.rvf +0 -0
  11. package/dist/src/commands/memory-backup.d.ts +11 -0
  12. package/dist/src/commands/memory-backup.js +46 -0
  13. package/dist/src/commands/memory.js +2 -1
  14. package/dist/src/config/harness-feedback-applier.d.ts +50 -0
  15. package/dist/src/config/harness-feedback-applier.js +122 -0
  16. package/dist/src/config/proven-config-refresh.d.ts +39 -0
  17. package/dist/src/config/proven-config-refresh.js +154 -0
  18. package/dist/src/config/proven-config-rvfa.d.ts +23 -0
  19. package/dist/src/config/proven-config-rvfa.js +73 -0
  20. package/dist/src/config/proven-config.d.ts +86 -0
  21. package/dist/src/config/proven-config.js +176 -0
  22. package/dist/src/index.js +35 -0
  23. package/dist/src/mcp-tools/neural-tools.d.ts +10 -0
  24. package/dist/src/mcp-tools/neural-tools.js +107 -18
  25. package/dist/src/services/daemon-autostart.d.ts +17 -0
  26. package/dist/src/services/daemon-autostart.js +79 -0
  27. package/dist/src/services/evolve-proof.d.ts +247 -0
  28. package/dist/src/services/evolve-proof.js +341 -0
  29. package/dist/src/services/harness-benchmark.d.ts +68 -0
  30. package/dist/src/services/harness-benchmark.js +94 -0
  31. package/dist/src/services/harness-canary.d.ts +60 -0
  32. package/dist/src/services/harness-canary.js +69 -0
  33. package/dist/src/services/harness-corpus-harvester.d.ts +51 -0
  34. package/dist/src/services/harness-corpus-harvester.js +74 -0
  35. package/dist/src/services/harness-flywheel-generations.d.ts +111 -0
  36. package/dist/src/services/harness-flywheel-generations.js +354 -0
  37. package/dist/src/services/harness-flywheel-runtime.d.ts +25 -0
  38. package/dist/src/services/harness-flywheel-runtime.js +101 -0
  39. package/dist/src/services/harness-flywheel.d.ts +48 -0
  40. package/dist/src/services/harness-flywheel.js +207 -0
  41. package/dist/src/services/harness-hosts.d.ts +40 -0
  42. package/dist/src/services/harness-hosts.js +88 -0
  43. package/dist/src/services/harness-improvement-ledger.d.ts +63 -0
  44. package/dist/src/services/harness-improvement-ledger.js +101 -0
  45. package/dist/src/services/harness-loop.d.ts +53 -0
  46. package/dist/src/services/harness-loop.js +85 -0
  47. package/dist/src/services/harness-qualification.d.ts +66 -0
  48. package/dist/src/services/harness-qualification.js +143 -0
  49. package/dist/src/services/harness-replay.d.ts +37 -0
  50. package/dist/src/services/harness-replay.js +92 -0
  51. package/dist/src/services/harness-verify.d.ts +33 -0
  52. package/dist/src/services/harness-verify.js +26 -0
  53. package/dist/src/services/harness-worker.d.ts +23 -0
  54. package/dist/src/services/harness-worker.js +66 -0
  55. package/dist/src/services/memory-backup.d.ts +24 -0
  56. package/dist/src/services/memory-backup.js +94 -0
  57. package/dist/src/services/worker-daemon.d.ts +16 -1
  58. package/dist/src/services/worker-daemon.js +84 -0
  59. package/package.json +1 -1
@@ -0,0 +1,122 @@
1
+ /**
2
+ * Feedback applier — close the loop (ADR-176 phase 9).
3
+ *
4
+ * A proven champion adopted by the propagation channel (ADR-177,
5
+ * proven-config-refresh.ts writes `.claude/proven-config.json`) is inert until
6
+ * something *applies* it to what ruflo actually runs. This applier promotes the
7
+ * adopted champion to the ACTIVE harness policy that routing/agents consume —
8
+ * reversibly (keeps the previous pointer) and provenance-tagged (ADR-171), so
9
+ * it composes with the promote-gate discipline rather than bypassing it. It only
10
+ * ever sets a pointer to a proven, signed champion; it never invents config.
11
+ * Zero deps, $0.
12
+ */
13
+ import * as fs from 'fs';
14
+ import * as path from 'path';
15
+ export const ADOPTED_CONFIG_FILE = 'proven-config.json'; // written by proven-config-refresh (in .claude)
16
+ export const ACTIVE_POLICY_FILE = 'harness-active-policy.json'; // consumed by routing/agents (in .claude-flow)
17
+ function readJson(p) {
18
+ try {
19
+ return JSON.parse(fs.readFileSync(p, 'utf-8'));
20
+ }
21
+ catch {
22
+ return null;
23
+ }
24
+ }
25
+ /**
26
+ * Apply the adopted champion to the active harness policy. Idempotent (applying
27
+ * the same champion is a no-op), reversible (records the superseded champion),
28
+ * best-effort. `now` is injectable for tests.
29
+ */
30
+ export function applyChampion(cwd, opts = {}) {
31
+ try {
32
+ const claudeDir = path.join(cwd, '.claude');
33
+ const adopted = readJson(path.join(claudeDir, ADOPTED_CONFIG_FILE));
34
+ if (!adopted?.championId)
35
+ return { applied: false, reason: 'no adopted champion' };
36
+ const cfDir = path.join(cwd, '.claude-flow');
37
+ const activePath = path.join(cfDir, ACTIVE_POLICY_FILE);
38
+ const current = readJson(activePath);
39
+ if (current?.championId === adopted.championId && !current.rolledBack) {
40
+ return { applied: false, reason: 'already active' }; // idempotent
41
+ }
42
+ const active = {
43
+ championId: adopted.championId,
44
+ // A champion only reaches adoption if it cleared the promote-gate, so it is
45
+ // oracle/judge-backed; proxy can never be here (ADR-171). Default oracle.
46
+ provenanceTier: 'oracle:test-exec',
47
+ layer: adopted.manifest?.layer,
48
+ appliedAt: opts.now ?? Date.now(),
49
+ previous: current?.championId ?? adopted.previous ?? null,
50
+ params: adopted.manifest?.policy?.value,
51
+ };
52
+ fs.mkdirSync(cfDir, { recursive: true });
53
+ fs.writeFileSync(activePath, JSON.stringify(active, null, 2), 'utf-8');
54
+ return { applied: true, from: active.previous, to: active.championId };
55
+ }
56
+ catch (e) {
57
+ return { applied: false, reason: `error: ${e?.message ?? e}` };
58
+ }
59
+ }
60
+ /**
61
+ * Apply a champion directly by its config payload (local self-optimization,
62
+ * ADR-176 flywheel). Unlike applyChampion (which reads a propagated, signed,
63
+ * adopted record), this activates a LOCALLY-mined champion that just cleared the
64
+ * install's own measured gate — no signing, because nothing is propagated. Still
65
+ * reversible (records `previous`) and idempotent. Consumers read `params`.
66
+ */
67
+ export function applyChampionParams(cwd, opts) {
68
+ try {
69
+ const cfDir = path.join(cwd, '.claude-flow');
70
+ const activePath = path.join(cfDir, ACTIVE_POLICY_FILE);
71
+ const current = readJson(activePath);
72
+ if (current?.championId === opts.championId && !current.rolledBack)
73
+ return { applied: false, reason: 'already active' };
74
+ const active = {
75
+ championId: opts.championId,
76
+ provenanceTier: 'oracle:test-exec', // only a gate-cleared champion reaches here
77
+ layer: opts.layer,
78
+ appliedAt: opts.now ?? Date.now(),
79
+ previous: opts.previous ?? current?.championId ?? null,
80
+ params: opts.params,
81
+ };
82
+ fs.mkdirSync(cfDir, { recursive: true });
83
+ fs.writeFileSync(activePath, JSON.stringify(active, null, 2), 'utf-8');
84
+ return { applied: true, from: active.previous, to: active.championId };
85
+ }
86
+ catch (e) {
87
+ return { applied: false, reason: `error: ${e?.message ?? e}` };
88
+ }
89
+ }
90
+ /**
91
+ * Reverse the last apply: point the active policy back at its `previous`
92
+ * champion (reversibility, ADR-177 rollback pointer). No-op if there is no
93
+ * previous. The previous champion's policy is fetched by ref by consumers.
94
+ */
95
+ export function rollbackActivePolicy(cwd, opts = {}) {
96
+ try {
97
+ const activePath = path.join(cwd, '.claude-flow', ACTIVE_POLICY_FILE);
98
+ const current = readJson(activePath);
99
+ if (!current)
100
+ return { applied: false, reason: 'no active policy' };
101
+ if (!current.previous)
102
+ return { applied: false, reason: 'no previous to roll back to' };
103
+ const reverted = {
104
+ championId: current.previous,
105
+ provenanceTier: current.provenanceTier,
106
+ layer: current.layer,
107
+ appliedAt: opts.now ?? Date.now(),
108
+ previous: null,
109
+ rolledBack: true,
110
+ };
111
+ fs.writeFileSync(activePath, JSON.stringify(reverted, null, 2), 'utf-8');
112
+ return { applied: true, from: current.championId, to: reverted.championId };
113
+ }
114
+ catch (e) {
115
+ return { applied: false, reason: `error: ${e?.message ?? e}` };
116
+ }
117
+ }
118
+ /** The champion routing/agents should currently use, or null. */
119
+ export function activeChampion(cwd) {
120
+ return readJson(path.join(cwd, '.claude-flow', ACTIVE_POLICY_FILE));
121
+ }
122
+ //# sourceMappingURL=harness-feedback-applier.js.map
@@ -0,0 +1,39 @@
1
+ import { type InstallEnv, type SignedProvenConfig } from './proven-config.js';
2
+ export declare const PROVEN_CONFIG_STAMP = ".proven-config-version";
3
+ /** The signed champion manifest shipped in the package (metadata; the RVFA payload rides alongside). */
4
+ export declare const PROVEN_CONFIG_FILE = "proven-config.signed.json";
5
+ /** The RVFA-packaged champion (ADR-177 final phase). Preferred when present. */
6
+ export declare const PROVEN_CONFIG_RVFA_FILE = "proven-config.signed.rvf";
7
+ /** Where an adopted champion is recorded in the project (consumed by the feedback applier, ADR-176 phase 9). */
8
+ export declare const ADOPTED_CONFIG_FILE = "proven-config.json";
9
+ /**
10
+ * Read a shipped champion from either packaging. `.rvf` → unpack the RVFA
11
+ * envelope (integrity-checked); anything else → parse as signed JSON. Returns
12
+ * null (never throws) on any failure. The Ed25519 signature is still verified
13
+ * downstream by adoptSignedConfig — this only decodes the transport.
14
+ */
15
+ export declare function loadShippedChampion(srcPath: string): SignedProvenConfig | null;
16
+ /** Build the local environment the champion's constraints are checked against. */
17
+ export declare function currentInstallEnv(cwd?: string): InstallEnv;
18
+ export interface AdoptResult {
19
+ adopted: boolean;
20
+ from?: string;
21
+ to?: string;
22
+ reason?: string;
23
+ skipped?: string;
24
+ }
25
+ /**
26
+ * The testable adoption core: given a signed champion and the local env, adopt
27
+ * it into `cwd/.claude` iff it is newer than the stamp AND passes both gates.
28
+ * Fail-closed; never throws. `pubkeyPem` is injectable for tests.
29
+ */
30
+ export declare function adoptSignedConfig(cwd: string, signed: SignedProvenConfig, env: InstallEnv, opts?: {
31
+ pubkeyPem?: string;
32
+ }): AdoptResult;
33
+ /**
34
+ * On CLI startup: if the package ships a signed champion newer than the
35
+ * project's stamp, adopt it when authentic + suitable. Best-effort, never
36
+ * throws. No-op when no manifest ships or the project isn't initialized.
37
+ */
38
+ export declare function autoAdoptProvenConfigIfStale(cwd?: string): Promise<AdoptResult>;
39
+ //# sourceMappingURL=proven-config-refresh.d.ts.map
@@ -0,0 +1,154 @@
1
+ /**
2
+ * Proven-configuration propagation to existing installs (ADR-177).
3
+ *
4
+ * A SIBLING of the helper auto-refresh (ADR-174), deliberately independent so it
5
+ * never touches the hook-code channel that older CLIs verify:
6
+ * - its own stamp file (`.proven-config-version`, the adopted champion id),
7
+ * - its own trust root (RUFLO_CONFIG_PUBKEY),
8
+ * - additive-only: a project with no shipped manifest is a no-op.
9
+ *
10
+ * On a CLI command, if the package ships a signed champion newer than the
11
+ * project's stamp, it is adopted ONLY when both gates pass (ADR-177):
12
+ * authenticity (Ed25519) AND suitability (host/platform/compatibility/layer).
13
+ * A signed-but-unsuitable champion is a SAFE skip (not an error), which is also
14
+ * the backwards-compatibility version gate. Zero deps on the decision path.
15
+ */
16
+ import * as fs from 'fs';
17
+ import * as path from 'path';
18
+ import { fileURLToPath } from 'url';
19
+ import { createRequire } from 'module';
20
+ import { getInstalledCliVersion } from '../init/helper-refresh.js';
21
+ import { evaluateForAdoption } from './proven-config.js';
22
+ import { unpackProvenConfigRvfa } from './proven-config-rvfa.js';
23
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
24
+ export const PROVEN_CONFIG_STAMP = '.proven-config-version';
25
+ /** The signed champion manifest shipped in the package (metadata; the RVFA payload rides alongside). */
26
+ export const PROVEN_CONFIG_FILE = 'proven-config.signed.json';
27
+ /** The RVFA-packaged champion (ADR-177 final phase). Preferred when present. */
28
+ export const PROVEN_CONFIG_RVFA_FILE = 'proven-config.signed.rvf';
29
+ /** Where an adopted champion is recorded in the project (consumed by the feedback applier, ADR-176 phase 9). */
30
+ export const ADOPTED_CONFIG_FILE = 'proven-config.json';
31
+ /**
32
+ * Locate the package's shipped signed champion, if any. Null when none ships.
33
+ * The RVFA package is preferred over the raw JSON when both are present.
34
+ */
35
+ function findPackageProvenConfig() {
36
+ const dirs = [];
37
+ try {
38
+ const esmRequire = createRequire(import.meta.url);
39
+ const pkgRoot = path.dirname(esmRequire.resolve('@claude-flow/cli/package.json'));
40
+ dirs.push(path.join(pkgRoot, '.claude'));
41
+ }
42
+ catch { /* not resolvable */ }
43
+ dirs.push(path.resolve(__dirname, '..', '..', '..', '.claude'));
44
+ // RVFA form first (ruvnet-native envelope), then the raw signed JSON fallback.
45
+ for (const d of dirs) {
46
+ const rvf = path.join(d, PROVEN_CONFIG_RVFA_FILE);
47
+ if (fs.existsSync(rvf))
48
+ return rvf;
49
+ const json = path.join(d, PROVEN_CONFIG_FILE);
50
+ if (fs.existsSync(json))
51
+ return json;
52
+ }
53
+ return null;
54
+ }
55
+ /**
56
+ * Read a shipped champion from either packaging. `.rvf` → unpack the RVFA
57
+ * envelope (integrity-checked); anything else → parse as signed JSON. Returns
58
+ * null (never throws) on any failure. The Ed25519 signature is still verified
59
+ * downstream by adoptSignedConfig — this only decodes the transport.
60
+ */
61
+ export function loadShippedChampion(srcPath) {
62
+ try {
63
+ if (srcPath.endsWith('.rvf')) {
64
+ return unpackProvenConfigRvfa(fs.readFileSync(srcPath));
65
+ }
66
+ return JSON.parse(fs.readFileSync(srcPath, 'utf-8'));
67
+ }
68
+ catch {
69
+ return null;
70
+ }
71
+ }
72
+ /** Build the local environment the champion's constraints are checked against. */
73
+ export function currentInstallEnv(cwd = process.cwd()) {
74
+ const env = {
75
+ platform: process.platform,
76
+ versions: { ruflo: getInstalledCliVersion() },
77
+ };
78
+ // Layer, if the project declares one (ADR-176 hierarchy). Optional.
79
+ try {
80
+ const layerFile = path.join(cwd, '.claude', '.harness-layer');
81
+ if (fs.existsSync(layerFile))
82
+ env.layer = fs.readFileSync(layerFile, 'utf-8').trim();
83
+ }
84
+ catch { /* none */ }
85
+ return env;
86
+ }
87
+ /**
88
+ * The testable adoption core: given a signed champion and the local env, adopt
89
+ * it into `cwd/.claude` iff it is newer than the stamp AND passes both gates.
90
+ * Fail-closed; never throws. `pubkeyPem` is injectable for tests.
91
+ */
92
+ export function adoptSignedConfig(cwd, signed, env, opts = {}) {
93
+ try {
94
+ const claudeDir = path.join(cwd, '.claude');
95
+ if (!fs.existsSync(claudeDir))
96
+ return { adopted: false }; // not a ruflo project
97
+ const championId = signed.manifest?.policy?.ref;
98
+ if (!championId)
99
+ return { adopted: false, skipped: 'manifest missing policy.ref' };
100
+ let stamped = '';
101
+ try {
102
+ stamped = fs.readFileSync(path.join(claudeDir, PROVEN_CONFIG_STAMP), 'utf-8').trim();
103
+ }
104
+ catch { /* unstamped */ }
105
+ if (stamped === championId)
106
+ return { adopted: false }; // already current — fast path
107
+ const decision = evaluateForAdoption(signed, env, opts.pubkeyPem);
108
+ if (!decision.adopt) {
109
+ // A safe skip (unsuitable) or a refusal (bad signature). Do NOT advance the stamp.
110
+ return { adopted: false, skipped: decision.reason };
111
+ }
112
+ // Adopt: record the champion for the feedback applier + retain the previous (rollback pointer).
113
+ const record = {
114
+ adoptedAt: Date.now(),
115
+ championId,
116
+ manifest: decision.manifest,
117
+ previous: signed.manifest.rollback?.previousManifest ?? stamped ?? null,
118
+ };
119
+ try {
120
+ fs.writeFileSync(path.join(claudeDir, ADOPTED_CONFIG_FILE), JSON.stringify(record, null, 2), 'utf-8');
121
+ }
122
+ catch { /* */ }
123
+ try {
124
+ fs.writeFileSync(path.join(claudeDir, PROVEN_CONFIG_STAMP), championId, 'utf-8');
125
+ }
126
+ catch { /* */ }
127
+ return { adopted: true, from: stamped || '(none)', to: championId };
128
+ }
129
+ catch {
130
+ return { adopted: false };
131
+ }
132
+ }
133
+ /**
134
+ * On CLI startup: if the package ships a signed champion newer than the
135
+ * project's stamp, adopt it when authentic + suitable. Best-effort, never
136
+ * throws. No-op when no manifest ships or the project isn't initialized.
137
+ */
138
+ export async function autoAdoptProvenConfigIfStale(cwd = process.cwd()) {
139
+ try {
140
+ if (!fs.existsSync(path.join(cwd, '.claude')))
141
+ return { adopted: false };
142
+ const src = findPackageProvenConfig();
143
+ if (!src)
144
+ return { adopted: false }; // no champion ships → no-op (additive)
145
+ const signed = loadShippedChampion(src);
146
+ if (!signed)
147
+ return { adopted: false, skipped: 'unreadable manifest' };
148
+ return adoptSignedConfig(cwd, signed, currentInstallEnv(cwd));
149
+ }
150
+ catch {
151
+ return { adopted: false };
152
+ }
153
+ }
154
+ //# sourceMappingURL=proven-config-refresh.js.map
@@ -0,0 +1,23 @@
1
+ import type { SignedProvenConfig } from './proven-config.js';
2
+ /** The single RVFA section id that carries the signed manifest JSON. */
3
+ export declare const PROVEN_CONFIG_SECTION = "proven-config";
4
+ /** Header capability marker so a reader can tell this appliance apart. */
5
+ export declare const PROVEN_CONFIG_CAPABILITY = "proven-config";
6
+ /**
7
+ * Pack a signed proven-config manifest into an RVFA appliance binary.
8
+ *
9
+ * The whole SignedProvenConfig (manifest + signature + algorithm) becomes the
10
+ * payload, so the config-root signature travels inside the envelope. The RVFA
11
+ * layer contributes integrity (footer + section hash), not authenticity.
12
+ */
13
+ export declare function packProvenConfigRvfa(signed: SignedProvenConfig): Buffer;
14
+ /** True if `buf` looks like an RVFA container (starts with the RVFA magic). */
15
+ export declare function isProvenConfigRvfa(buf: Buffer): boolean;
16
+ /**
17
+ * Unpack + integrity-check an RVFA-packed champion. Returns the inner
18
+ * SignedProvenConfig, or null on ANY failure (bad magic, corrupt footer,
19
+ * missing section, malformed JSON). Fail-closed — does NOT verify the Ed25519
20
+ * signature; that stays with adoptSignedConfig (single config trust root).
21
+ */
22
+ export declare function unpackProvenConfigRvfa(buf: Buffer): SignedProvenConfig | null;
23
+ //# sourceMappingURL=proven-config-rvfa.d.ts.map
@@ -0,0 +1,73 @@
1
+ /**
2
+ * RVFA packaging for proven-configuration manifests (ADR-177, final phase).
3
+ *
4
+ * Keeps champion propagation inside the ruvnet RVFA ecosystem: the *already
5
+ * config-signed* SignedProvenConfig is carried as the sole section of a small
6
+ * RVFA appliance binary. This adds a ruvnet-native transport + tamper-evident
7
+ * envelope (RVFA's SHA256 footer + per-section hash) WITHOUT a second trust
8
+ * root — adoption still verifies the inner manifest's Ed25519 signature against
9
+ * RUFLO_CONFIG_PUBKEY (see adoptSignedConfig). Signed ≠ suitable is unchanged:
10
+ * unpack → verifyProvenConfig → isSuitable, fail-closed at every step.
11
+ *
12
+ * Pure Node (RvfaWriter/RvfaReader) — no LLM, no network, $0. Additive: a raw
13
+ * `.signed.json` champion still adopts exactly as before; the `.rvf` form is a
14
+ * second, optional packaging the same adopt path understands.
15
+ */
16
+ import { RvfaWriter, RvfaReader, RVFA_MAGIC } from '../appliance/rvfa-format.js';
17
+ /** The single RVFA section id that carries the signed manifest JSON. */
18
+ export const PROVEN_CONFIG_SECTION = 'proven-config';
19
+ /** Header capability marker so a reader can tell this appliance apart. */
20
+ export const PROVEN_CONFIG_CAPABILITY = 'proven-config';
21
+ /**
22
+ * Pack a signed proven-config manifest into an RVFA appliance binary.
23
+ *
24
+ * The whole SignedProvenConfig (manifest + signature + algorithm) becomes the
25
+ * payload, so the config-root signature travels inside the envelope. The RVFA
26
+ * layer contributes integrity (footer + section hash), not authenticity.
27
+ */
28
+ export function packProvenConfigRvfa(signed) {
29
+ const m = signed.manifest;
30
+ const writer = new RvfaWriter({
31
+ name: `proven-config:${m.policy?.ref ?? 'unknown'}`,
32
+ // Carry the compat floor for humans/tools; the real gate is isSuitable.
33
+ appVersion: m.compatibility?.ruflo ?? '0',
34
+ platform: m.platform?.[0] ?? 'any',
35
+ arch: 'any',
36
+ profile: 'offline',
37
+ capabilities: [PROVEN_CONFIG_CAPABILITY],
38
+ });
39
+ writer.addSection(PROVEN_CONFIG_SECTION, Buffer.from(JSON.stringify(signed), 'utf-8'), {
40
+ compression: 'gzip',
41
+ type: 'application/json',
42
+ });
43
+ return writer.build();
44
+ }
45
+ /** True if `buf` looks like an RVFA container (starts with the RVFA magic). */
46
+ export function isProvenConfigRvfa(buf) {
47
+ return buf.length >= RVFA_MAGIC.length && buf.subarray(0, RVFA_MAGIC.length).equals(RVFA_MAGIC);
48
+ }
49
+ /**
50
+ * Unpack + integrity-check an RVFA-packed champion. Returns the inner
51
+ * SignedProvenConfig, or null on ANY failure (bad magic, corrupt footer,
52
+ * missing section, malformed JSON). Fail-closed — does NOT verify the Ed25519
53
+ * signature; that stays with adoptSignedConfig (single config trust root).
54
+ */
55
+ export function unpackProvenConfigRvfa(buf) {
56
+ try {
57
+ if (!isProvenConfigRvfa(buf))
58
+ return null;
59
+ const reader = RvfaReader.fromBuffer(buf);
60
+ const integrity = reader.verify();
61
+ if (!integrity.valid)
62
+ return null; // tampered envelope → reject
63
+ const payload = reader.extractSection(PROVEN_CONFIG_SECTION);
64
+ const signed = JSON.parse(payload.toString('utf-8'));
65
+ if (!signed || signed.algorithm !== 'ed25519' || !signed.signature || !signed.manifest)
66
+ return null;
67
+ return signed;
68
+ }
69
+ catch {
70
+ return null;
71
+ }
72
+ }
73
+ //# sourceMappingURL=proven-config-rvfa.js.map
@@ -0,0 +1,86 @@
1
+ /** Ruflo config-signing PUBLIC key (safe to commit). Private half in GCP Secret Manager (ruflo-config-signing-key). */
2
+ export declare const RUFLO_CONFIG_PUBKEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA3zr3BLCFKyrjvjZg9BXxchXIuGYwYwq21FYCjTpQO6A=\n-----END PUBLIC KEY-----";
3
+ /** The receipt bundle (ADR-176) — reproducible proof-of-work summary. */
4
+ export interface ProvenConfigReceipt {
5
+ heldOutDelta?: number;
6
+ redblue?: 'PASS' | 'FAIL' | 'SKIPPED';
7
+ drift?: number;
8
+ canary?: {
9
+ rollbackRate?: number;
10
+ latencyP95?: number;
11
+ costPerTask?: number;
12
+ };
13
+ receiptCoverage?: number;
14
+ }
15
+ /** The constraint contract (ADR-177 §signed != suitable) + policy reference + receipt. */
16
+ export interface ProvenConfigManifest {
17
+ schema: string;
18
+ policy: {
19
+ ref: string;
20
+ value?: Record<string, unknown>;
21
+ };
22
+ host?: Record<string, string>;
23
+ platform?: string[];
24
+ compatibility?: Record<string, string>;
25
+ benchmark?: {
26
+ corpus: string;
27
+ corpusHash: string;
28
+ };
29
+ layer?: string;
30
+ receipt?: ProvenConfigReceipt;
31
+ rollback?: {
32
+ previousManifest?: string;
33
+ };
34
+ }
35
+ export interface SignedProvenConfig {
36
+ manifest: ProvenConfigManifest;
37
+ signature: string;
38
+ algorithm: 'ed25519';
39
+ }
40
+ /** The local environment a manifest's constraints are checked against. */
41
+ export interface InstallEnv {
42
+ platform: string;
43
+ hosts?: Record<string, string>;
44
+ versions?: Record<string, string>;
45
+ layer?: string;
46
+ }
47
+ export declare function sha256Hex(content: string | Buffer): string;
48
+ /**
49
+ * Deterministic canonical bytes — recursively sorted object keys so signer and
50
+ * verifier agree byte-for-byte regardless of insertion order.
51
+ */
52
+ export declare function canonicalManifestBytes(m: ProvenConfigManifest): Buffer;
53
+ /** Sign a manifest (publish-time; key from GCP via scripts). */
54
+ export declare function signProvenConfig(manifest: ProvenConfigManifest, privateKeyPem: string): SignedProvenConfig;
55
+ /**
56
+ * Verify a signed manifest against ruflo's config public key. Returns the
57
+ * manifest on success, or null on ANY failure (bad signature, malformed JSON,
58
+ * wrong algorithm, missing fields). Fail-closed.
59
+ */
60
+ export declare function verifyProvenConfig(signedJson: string | SignedProvenConfig, pubkeyPem?: string): ProvenConfigManifest | null;
61
+ /**
62
+ * Minimal semver-range satisfier for the compat contract. Supports `>=X`, `>X`,
63
+ * `<=X`, `<X`, `=X`, and a bare version `X` (treated as `>=X`). Deliberately
64
+ * small — the manifest contract only uses min-version bounds.
65
+ */
66
+ export declare function satisfiesRange(installed: string, range: string): boolean;
67
+ export interface SuitabilityResult {
68
+ suitable: boolean;
69
+ reason?: string;
70
+ }
71
+ /**
72
+ * Check a manifest's constraint contract against the local environment.
73
+ * Fail-closed: a missing/unsatisfiable constraint => not suitable (safe skip).
74
+ * A constraint the manifest doesn't declare is not required.
75
+ */
76
+ export declare function isSuitable(manifest: ProvenConfigManifest, env: InstallEnv): SuitabilityResult;
77
+ /**
78
+ * The combined adoption decision (ADR-177): a manifest is adoptable iff it is
79
+ * both authentic (signature verifies) AND suitable (constraints satisfied).
80
+ */
81
+ export declare function evaluateForAdoption(signedJson: string | SignedProvenConfig, env: InstallEnv, pubkeyPem?: string): {
82
+ adopt: boolean;
83
+ manifest?: ProvenConfigManifest;
84
+ reason: string;
85
+ };
86
+ //# sourceMappingURL=proven-config.d.ts.map
@@ -0,0 +1,176 @@
1
+ /**
2
+ * Proven Configuration Manifest (ADR-176 proof #3 + ADR-177 core).
3
+ *
4
+ * The signed, constraint-carrying artifact that the self-optimizing harness loop
5
+ * (ADR-176) emits and the propagation channel (ADR-177) ships to installs. Two
6
+ * independent gates decide adoption, and BOTH must pass (fail-closed):
7
+ *
8
+ * 1. Authenticity — Ed25519 signature over the canonical manifest bytes,
9
+ * verified against a baked public key. Proves it came from
10
+ * ruflo, unmodified. (native node:crypto, zero deps —
11
+ * same primitive as helper-signing.ts / rvfa-signing.ts.)
12
+ * 2. Suitability — the constraint contract (host/platform/compatibility/
13
+ * layer) checked against THIS install. A perfectly-signed
14
+ * manifest that doesn't fit the local environment is a safe
15
+ * NON-adoption, not an error. "signed != suitable."
16
+ *
17
+ * This is a DISTINCT Ed25519 trust root from helper-signing (ADR-177): the
18
+ * config channel gets its own key so rotating it never touches the hook-code
19
+ * channel that older CLIs verify.
20
+ */
21
+ import { createHash, verify as edVerify, sign as edSign } from 'crypto';
22
+ /** Ruflo config-signing PUBLIC key (safe to commit). Private half in GCP Secret Manager (ruflo-config-signing-key). */
23
+ export const RUFLO_CONFIG_PUBKEY = `-----BEGIN PUBLIC KEY-----
24
+ MCowBQYDK2VwAyEA3zr3BLCFKyrjvjZg9BXxchXIuGYwYwq21FYCjTpQO6A=
25
+ -----END PUBLIC KEY-----`;
26
+ export function sha256Hex(content) {
27
+ return createHash('sha256').update(content).digest('hex');
28
+ }
29
+ /**
30
+ * Deterministic canonical bytes — recursively sorted object keys so signer and
31
+ * verifier agree byte-for-byte regardless of insertion order.
32
+ */
33
+ export function canonicalManifestBytes(m) {
34
+ const canon = (v) => {
35
+ if (Array.isArray(v))
36
+ return v.map(canon);
37
+ if (v && typeof v === 'object') {
38
+ const out = {};
39
+ for (const k of Object.keys(v).sort())
40
+ out[k] = canon(v[k]);
41
+ return out;
42
+ }
43
+ return v;
44
+ };
45
+ return Buffer.from(JSON.stringify(canon(m)), 'utf-8');
46
+ }
47
+ /** Sign a manifest (publish-time; key from GCP via scripts). */
48
+ export function signProvenConfig(manifest, privateKeyPem) {
49
+ const signature = edSign(null, canonicalManifestBytes(manifest), privateKeyPem).toString('base64');
50
+ return { manifest, signature, algorithm: 'ed25519' };
51
+ }
52
+ /**
53
+ * Verify a signed manifest against ruflo's config public key. Returns the
54
+ * manifest on success, or null on ANY failure (bad signature, malformed JSON,
55
+ * wrong algorithm, missing fields). Fail-closed.
56
+ */
57
+ export function verifyProvenConfig(signedJson, pubkeyPem = RUFLO_CONFIG_PUBKEY) {
58
+ try {
59
+ const signed = typeof signedJson === 'string' ? JSON.parse(signedJson) : signedJson;
60
+ if (!signed || signed.algorithm !== 'ed25519' || !signed.signature || !signed.manifest)
61
+ return null;
62
+ if (!signed.manifest.schema || !signed.manifest.policy?.ref)
63
+ return null;
64
+ const ok = edVerify(null, canonicalManifestBytes(signed.manifest), pubkeyPem, Buffer.from(signed.signature, 'base64'));
65
+ return ok ? signed.manifest : null;
66
+ }
67
+ catch {
68
+ return null;
69
+ }
70
+ }
71
+ // ── Suitability gate ────────────────────────────────────────────────────────
72
+ /** Normalize platform aliases so process.platform matches manifest names. */
73
+ function platformMatches(installed, allowed) {
74
+ const norm = (p) => {
75
+ const l = p.toLowerCase();
76
+ if (l === 'darwin' || l === 'macos' || l === 'mac')
77
+ return 'macos';
78
+ if (l === 'win32' || l === 'windows')
79
+ return 'windows';
80
+ return l; // linux, etc.
81
+ };
82
+ const want = norm(installed);
83
+ return allowed.some(a => norm(a) === want);
84
+ }
85
+ function parseVer(v) {
86
+ // Tolerant: accepts X, X.Y, or X.Y.Z (a range like '>=1.9' has no patch).
87
+ const m = /(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
88
+ if (!m)
89
+ return [0, 0, 0];
90
+ return [Number(m[1] || 0), Number(m[2] || 0), Number(m[3] || 0)];
91
+ }
92
+ function cmpVer(a, b) {
93
+ const [a1, a2, a3] = parseVer(a);
94
+ const [b1, b2, b3] = parseVer(b);
95
+ return a1 - b1 || a2 - b2 || a3 - b3;
96
+ }
97
+ /**
98
+ * Minimal semver-range satisfier for the compat contract. Supports `>=X`, `>X`,
99
+ * `<=X`, `<X`, `=X`, and a bare version `X` (treated as `>=X`). Deliberately
100
+ * small — the manifest contract only uses min-version bounds.
101
+ */
102
+ export function satisfiesRange(installed, range) {
103
+ const r = range.trim();
104
+ const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(r);
105
+ if (!m)
106
+ return false;
107
+ const op = m[1] ?? '>=';
108
+ const target = m[2].trim();
109
+ const c = cmpVer(installed, target);
110
+ switch (op) {
111
+ case '>=': return c >= 0;
112
+ case '>': return c > 0;
113
+ case '<=': return c <= 0;
114
+ case '<': return c < 0;
115
+ case '=': return c === 0;
116
+ default: return false;
117
+ }
118
+ }
119
+ /**
120
+ * Check a manifest's constraint contract against the local environment.
121
+ * Fail-closed: a missing/unsatisfiable constraint => not suitable (safe skip).
122
+ * A constraint the manifest doesn't declare is not required.
123
+ */
124
+ export function isSuitable(manifest, env) {
125
+ // platform
126
+ if (manifest.platform && manifest.platform.length > 0) {
127
+ if (!platformMatches(env.platform, manifest.platform)) {
128
+ return { suitable: false, reason: `platform ${env.platform} not in [${manifest.platform.join(', ')}]` };
129
+ }
130
+ }
131
+ // host presence + version
132
+ if (manifest.host) {
133
+ for (const [name, range] of Object.entries(manifest.host)) {
134
+ const installed = env.hosts?.[name];
135
+ if (!installed)
136
+ return { suitable: false, reason: `required host '${name}' not present` };
137
+ if (!satisfiesRange(installed, range)) {
138
+ return { suitable: false, reason: `host '${name}' ${installed} does not satisfy ${range}` };
139
+ }
140
+ }
141
+ }
142
+ // package compatibility ranges (ruflo, metaharness, …)
143
+ if (manifest.compatibility) {
144
+ for (const [pkg, range] of Object.entries(manifest.compatibility)) {
145
+ const installed = env.versions?.[pkg];
146
+ if (!installed)
147
+ return { suitable: false, reason: `required package '${pkg}' version unknown` };
148
+ if (!satisfiesRange(installed, range)) {
149
+ return { suitable: false, reason: `${pkg} ${installed} does not satisfy ${range}` };
150
+ }
151
+ }
152
+ }
153
+ // hierarchy layer — an install only adopts a manifest for its own (or an ancestor) layer
154
+ if (manifest.layer && env.layer && manifest.layer !== env.layer) {
155
+ // allow ancestor layers: manifest 'framework/node-cli' is adoptable by env layer that startsWith it or vice-versa
156
+ const a = manifest.layer, b = env.layer;
157
+ if (!(b.startsWith(a) || a.startsWith(b))) {
158
+ return { suitable: false, reason: `layer '${a}' not applicable to install layer '${b}'` };
159
+ }
160
+ }
161
+ return { suitable: true };
162
+ }
163
+ /**
164
+ * The combined adoption decision (ADR-177): a manifest is adoptable iff it is
165
+ * both authentic (signature verifies) AND suitable (constraints satisfied).
166
+ */
167
+ export function evaluateForAdoption(signedJson, env, pubkeyPem = RUFLO_CONFIG_PUBKEY) {
168
+ const manifest = verifyProvenConfig(signedJson, pubkeyPem);
169
+ if (!manifest)
170
+ return { adopt: false, reason: 'signature invalid — refusing (authenticity gate)' };
171
+ const suit = isSuitable(manifest, env);
172
+ if (!suit.suitable)
173
+ return { adopt: false, manifest, reason: `not suitable — ${suit.reason} (safe skip)` };
174
+ return { adopt: true, manifest, reason: 'authentic + suitable' };
175
+ }
176
+ //# sourceMappingURL=proven-config.js.map