@claude-flow/cli 3.23.0 → 3.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/.claude/evolve-proof/generation-0.json +211 -0
  2. package/.claude/evolve-proof/real-generation-0.json +406 -0
  3. package/.claude/evolve-proof/real-generation-1.json +406 -0
  4. package/.claude/helpers/.helpers-version +1 -1
  5. package/.claude/helpers/intelligence.cjs +10 -0
  6. package/.claude/proven-config.manifest.json +37 -0
  7. package/.claude/proven-config.signed.json +41 -0
  8. package/.claude/proven-config.signed.rvf +0 -0
  9. package/dist/src/config/harness-feedback-applier.d.ts +50 -0
  10. package/dist/src/config/harness-feedback-applier.js +122 -0
  11. package/dist/src/config/proven-config-refresh.d.ts +39 -0
  12. package/dist/src/config/proven-config-refresh.js +154 -0
  13. package/dist/src/config/proven-config-rvfa.d.ts +23 -0
  14. package/dist/src/config/proven-config-rvfa.js +73 -0
  15. package/dist/src/config/proven-config.d.ts +86 -0
  16. package/dist/src/config/proven-config.js +176 -0
  17. package/dist/src/index.js +35 -0
  18. package/dist/src/mcp-tools/neural-tools.d.ts +10 -0
  19. package/dist/src/mcp-tools/neural-tools.js +107 -18
  20. package/dist/src/services/daemon-autostart.d.ts +17 -0
  21. package/dist/src/services/daemon-autostart.js +79 -0
  22. package/dist/src/services/evolve-proof.d.ts +247 -0
  23. package/dist/src/services/evolve-proof.js +341 -0
  24. package/dist/src/services/harness-benchmark.d.ts +68 -0
  25. package/dist/src/services/harness-benchmark.js +94 -0
  26. package/dist/src/services/harness-canary.d.ts +60 -0
  27. package/dist/src/services/harness-canary.js +69 -0
  28. package/dist/src/services/harness-corpus-harvester.d.ts +51 -0
  29. package/dist/src/services/harness-corpus-harvester.js +74 -0
  30. package/dist/src/services/harness-flywheel-generations.d.ts +111 -0
  31. package/dist/src/services/harness-flywheel-generations.js +354 -0
  32. package/dist/src/services/harness-flywheel-runtime.d.ts +25 -0
  33. package/dist/src/services/harness-flywheel-runtime.js +101 -0
  34. package/dist/src/services/harness-flywheel.d.ts +48 -0
  35. package/dist/src/services/harness-flywheel.js +207 -0
  36. package/dist/src/services/harness-hosts.d.ts +40 -0
  37. package/dist/src/services/harness-hosts.js +88 -0
  38. package/dist/src/services/harness-improvement-ledger.d.ts +63 -0
  39. package/dist/src/services/harness-improvement-ledger.js +101 -0
  40. package/dist/src/services/harness-loop.d.ts +53 -0
  41. package/dist/src/services/harness-loop.js +85 -0
  42. package/dist/src/services/harness-qualification.d.ts +66 -0
  43. package/dist/src/services/harness-qualification.js +143 -0
  44. package/dist/src/services/harness-replay.d.ts +37 -0
  45. package/dist/src/services/harness-replay.js +92 -0
  46. package/dist/src/services/harness-verify.d.ts +33 -0
  47. package/dist/src/services/harness-verify.js +26 -0
  48. package/dist/src/services/harness-worker.d.ts +23 -0
  49. package/dist/src/services/harness-worker.js +66 -0
  50. package/dist/src/services/worker-daemon.d.ts +8 -1
  51. package/dist/src/services/worker-daemon.js +42 -0
  52. package/package.json +1 -1
@@ -0,0 +1,39 @@
1
+ import { type InstallEnv, type SignedProvenConfig } from './proven-config.js';
2
+ export declare const PROVEN_CONFIG_STAMP = ".proven-config-version";
3
+ /** The signed champion manifest shipped in the package (metadata; the RVFA payload rides alongside). */
4
+ export declare const PROVEN_CONFIG_FILE = "proven-config.signed.json";
5
+ /** The RVFA-packaged champion (ADR-177 final phase). Preferred when present. */
6
+ export declare const PROVEN_CONFIG_RVFA_FILE = "proven-config.signed.rvf";
7
+ /** Where an adopted champion is recorded in the project (consumed by the feedback applier, ADR-176 phase 9). */
8
+ export declare const ADOPTED_CONFIG_FILE = "proven-config.json";
9
+ /**
10
+ * Read a shipped champion from either packaging. `.rvf` → unpack the RVFA
11
+ * envelope (integrity-checked); anything else → parse as signed JSON. Returns
12
+ * null (never throws) on any failure. The Ed25519 signature is still verified
13
+ * downstream by adoptSignedConfig — this only decodes the transport.
14
+ */
15
+ export declare function loadShippedChampion(srcPath: string): SignedProvenConfig | null;
16
+ /** Build the local environment the champion's constraints are checked against. */
17
+ export declare function currentInstallEnv(cwd?: string): InstallEnv;
18
+ export interface AdoptResult {
19
+ adopted: boolean;
20
+ from?: string;
21
+ to?: string;
22
+ reason?: string;
23
+ skipped?: string;
24
+ }
25
+ /**
26
+ * The testable adoption core: given a signed champion and the local env, adopt
27
+ * it into `cwd/.claude` iff it is newer than the stamp AND passes both gates.
28
+ * Fail-closed; never throws. `pubkeyPem` is injectable for tests.
29
+ */
30
+ export declare function adoptSignedConfig(cwd: string, signed: SignedProvenConfig, env: InstallEnv, opts?: {
31
+ pubkeyPem?: string;
32
+ }): AdoptResult;
33
+ /**
34
+ * On CLI startup: if the package ships a signed champion newer than the
35
+ * project's stamp, adopt it when authentic + suitable. Best-effort, never
36
+ * throws. No-op when no manifest ships or the project isn't initialized.
37
+ */
38
+ export declare function autoAdoptProvenConfigIfStale(cwd?: string): Promise<AdoptResult>;
39
+ //# sourceMappingURL=proven-config-refresh.d.ts.map
@@ -0,0 +1,154 @@
1
+ /**
2
+ * Proven-configuration propagation to existing installs (ADR-177).
3
+ *
4
+ * A SIBLING of the helper auto-refresh (ADR-174), deliberately independent so it
5
+ * never touches the hook-code channel that older CLIs verify:
6
+ * - its own stamp file (`.proven-config-version`, the adopted champion id),
7
+ * - its own trust root (RUFLO_CONFIG_PUBKEY),
8
+ * - additive-only: a project with no shipped manifest is a no-op.
9
+ *
10
+ * On a CLI command, if the package ships a signed champion newer than the
11
+ * project's stamp, it is adopted ONLY when both gates pass (ADR-177):
12
+ * authenticity (Ed25519) AND suitability (host/platform/compatibility/layer).
13
+ * A signed-but-unsuitable champion is a SAFE skip (not an error), which is also
14
+ * the backwards-compatibility version gate. Zero deps on the decision path.
15
+ */
16
+ import * as fs from 'fs';
17
+ import * as path from 'path';
18
+ import { fileURLToPath } from 'url';
19
+ import { createRequire } from 'module';
20
+ import { getInstalledCliVersion } from '../init/helper-refresh.js';
21
+ import { evaluateForAdoption } from './proven-config.js';
22
+ import { unpackProvenConfigRvfa } from './proven-config-rvfa.js';
23
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
24
+ export const PROVEN_CONFIG_STAMP = '.proven-config-version';
25
+ /** The signed champion manifest shipped in the package (metadata; the RVFA payload rides alongside). */
26
+ export const PROVEN_CONFIG_FILE = 'proven-config.signed.json';
27
+ /** The RVFA-packaged champion (ADR-177 final phase). Preferred when present. */
28
+ export const PROVEN_CONFIG_RVFA_FILE = 'proven-config.signed.rvf';
29
+ /** Where an adopted champion is recorded in the project (consumed by the feedback applier, ADR-176 phase 9). */
30
+ export const ADOPTED_CONFIG_FILE = 'proven-config.json';
31
+ /**
32
+ * Locate the package's shipped signed champion, if any. Null when none ships.
33
+ * The RVFA package is preferred over the raw JSON when both are present.
34
+ */
35
+ function findPackageProvenConfig() {
36
+ const dirs = [];
37
+ try {
38
+ const esmRequire = createRequire(import.meta.url);
39
+ const pkgRoot = path.dirname(esmRequire.resolve('@claude-flow/cli/package.json'));
40
+ dirs.push(path.join(pkgRoot, '.claude'));
41
+ }
42
+ catch { /* not resolvable */ }
43
+ dirs.push(path.resolve(__dirname, '..', '..', '..', '.claude'));
44
+ // RVFA form first (ruvnet-native envelope), then the raw signed JSON fallback.
45
+ for (const d of dirs) {
46
+ const rvf = path.join(d, PROVEN_CONFIG_RVFA_FILE);
47
+ if (fs.existsSync(rvf))
48
+ return rvf;
49
+ const json = path.join(d, PROVEN_CONFIG_FILE);
50
+ if (fs.existsSync(json))
51
+ return json;
52
+ }
53
+ return null;
54
+ }
55
+ /**
56
+ * Read a shipped champion from either packaging. `.rvf` → unpack the RVFA
57
+ * envelope (integrity-checked); anything else → parse as signed JSON. Returns
58
+ * null (never throws) on any failure. The Ed25519 signature is still verified
59
+ * downstream by adoptSignedConfig — this only decodes the transport.
60
+ */
61
+ export function loadShippedChampion(srcPath) {
62
+ try {
63
+ if (srcPath.endsWith('.rvf')) {
64
+ return unpackProvenConfigRvfa(fs.readFileSync(srcPath));
65
+ }
66
+ return JSON.parse(fs.readFileSync(srcPath, 'utf-8'));
67
+ }
68
+ catch {
69
+ return null;
70
+ }
71
+ }
72
+ /** Build the local environment the champion's constraints are checked against. */
73
+ export function currentInstallEnv(cwd = process.cwd()) {
74
+ const env = {
75
+ platform: process.platform,
76
+ versions: { ruflo: getInstalledCliVersion() },
77
+ };
78
+ // Layer, if the project declares one (ADR-176 hierarchy). Optional.
79
+ try {
80
+ const layerFile = path.join(cwd, '.claude', '.harness-layer');
81
+ if (fs.existsSync(layerFile))
82
+ env.layer = fs.readFileSync(layerFile, 'utf-8').trim();
83
+ }
84
+ catch { /* none */ }
85
+ return env;
86
+ }
87
+ /**
88
+ * The testable adoption core: given a signed champion and the local env, adopt
89
+ * it into `cwd/.claude` iff it is newer than the stamp AND passes both gates.
90
+ * Fail-closed; never throws. `pubkeyPem` is injectable for tests.
91
+ */
92
+ export function adoptSignedConfig(cwd, signed, env, opts = {}) {
93
+ try {
94
+ const claudeDir = path.join(cwd, '.claude');
95
+ if (!fs.existsSync(claudeDir))
96
+ return { adopted: false }; // not a ruflo project
97
+ const championId = signed.manifest?.policy?.ref;
98
+ if (!championId)
99
+ return { adopted: false, skipped: 'manifest missing policy.ref' };
100
+ let stamped = '';
101
+ try {
102
+ stamped = fs.readFileSync(path.join(claudeDir, PROVEN_CONFIG_STAMP), 'utf-8').trim();
103
+ }
104
+ catch { /* unstamped */ }
105
+ if (stamped === championId)
106
+ return { adopted: false }; // already current — fast path
107
+ const decision = evaluateForAdoption(signed, env, opts.pubkeyPem);
108
+ if (!decision.adopt) {
109
+ // A safe skip (unsuitable) or a refusal (bad signature). Do NOT advance the stamp.
110
+ return { adopted: false, skipped: decision.reason };
111
+ }
112
+ // Adopt: record the champion for the feedback applier + retain the previous (rollback pointer).
113
+ const record = {
114
+ adoptedAt: Date.now(),
115
+ championId,
116
+ manifest: decision.manifest,
117
+ previous: signed.manifest.rollback?.previousManifest ?? stamped ?? null,
118
+ };
119
+ try {
120
+ fs.writeFileSync(path.join(claudeDir, ADOPTED_CONFIG_FILE), JSON.stringify(record, null, 2), 'utf-8');
121
+ }
122
+ catch { /* */ }
123
+ try {
124
+ fs.writeFileSync(path.join(claudeDir, PROVEN_CONFIG_STAMP), championId, 'utf-8');
125
+ }
126
+ catch { /* */ }
127
+ return { adopted: true, from: stamped || '(none)', to: championId };
128
+ }
129
+ catch {
130
+ return { adopted: false };
131
+ }
132
+ }
133
+ /**
134
+ * On CLI startup: if the package ships a signed champion newer than the
135
+ * project's stamp, adopt it when authentic + suitable. Best-effort, never
136
+ * throws. No-op when no manifest ships or the project isn't initialized.
137
+ */
138
+ export async function autoAdoptProvenConfigIfStale(cwd = process.cwd()) {
139
+ try {
140
+ if (!fs.existsSync(path.join(cwd, '.claude')))
141
+ return { adopted: false };
142
+ const src = findPackageProvenConfig();
143
+ if (!src)
144
+ return { adopted: false }; // no champion ships → no-op (additive)
145
+ const signed = loadShippedChampion(src);
146
+ if (!signed)
147
+ return { adopted: false, skipped: 'unreadable manifest' };
148
+ return adoptSignedConfig(cwd, signed, currentInstallEnv(cwd));
149
+ }
150
+ catch {
151
+ return { adopted: false };
152
+ }
153
+ }
154
+ //# sourceMappingURL=proven-config-refresh.js.map
@@ -0,0 +1,23 @@
1
+ import type { SignedProvenConfig } from './proven-config.js';
2
+ /** The single RVFA section id that carries the signed manifest JSON. */
3
+ export declare const PROVEN_CONFIG_SECTION = "proven-config";
4
+ /** Header capability marker so a reader can tell this appliance apart. */
5
+ export declare const PROVEN_CONFIG_CAPABILITY = "proven-config";
6
+ /**
7
+ * Pack a signed proven-config manifest into an RVFA appliance binary.
8
+ *
9
+ * The whole SignedProvenConfig (manifest + signature + algorithm) becomes the
10
+ * payload, so the config-root signature travels inside the envelope. The RVFA
11
+ * layer contributes integrity (footer + section hash), not authenticity.
12
+ */
13
+ export declare function packProvenConfigRvfa(signed: SignedProvenConfig): Buffer;
14
+ /** True if `buf` looks like an RVFA container (starts with the RVFA magic). */
15
+ export declare function isProvenConfigRvfa(buf: Buffer): boolean;
16
+ /**
17
+ * Unpack + integrity-check an RVFA-packed champion. Returns the inner
18
+ * SignedProvenConfig, or null on ANY failure (bad magic, corrupt footer,
19
+ * missing section, malformed JSON). Fail-closed — does NOT verify the Ed25519
20
+ * signature; that stays with adoptSignedConfig (single config trust root).
21
+ */
22
+ export declare function unpackProvenConfigRvfa(buf: Buffer): SignedProvenConfig | null;
23
+ //# sourceMappingURL=proven-config-rvfa.d.ts.map
@@ -0,0 +1,73 @@
1
+ /**
2
+ * RVFA packaging for proven-configuration manifests (ADR-177, final phase).
3
+ *
4
+ * Keeps champion propagation inside the ruvnet RVFA ecosystem: the *already
5
+ * config-signed* SignedProvenConfig is carried as the sole section of a small
6
+ * RVFA appliance binary. This adds a ruvnet-native transport + tamper-evident
7
+ * envelope (RVFA's SHA256 footer + per-section hash) WITHOUT a second trust
8
+ * root — adoption still verifies the inner manifest's Ed25519 signature against
9
+ * RUFLO_CONFIG_PUBKEY (see adoptSignedConfig). Signed ≠ suitable is unchanged:
10
+ * unpack → verifyProvenConfig → isSuitable, fail-closed at every step.
11
+ *
12
+ * Pure Node (RvfaWriter/RvfaReader) — no LLM, no network, $0. Additive: a raw
13
+ * `.signed.json` champion still adopts exactly as before; the `.rvf` form is a
14
+ * second, optional packaging the same adopt path understands.
15
+ */
16
+ import { RvfaWriter, RvfaReader, RVFA_MAGIC } from '../appliance/rvfa-format.js';
17
+ /** The single RVFA section id that carries the signed manifest JSON. */
18
+ export const PROVEN_CONFIG_SECTION = 'proven-config';
19
+ /** Header capability marker so a reader can tell this appliance apart. */
20
+ export const PROVEN_CONFIG_CAPABILITY = 'proven-config';
21
+ /**
22
+ * Pack a signed proven-config manifest into an RVFA appliance binary.
23
+ *
24
+ * The whole SignedProvenConfig (manifest + signature + algorithm) becomes the
25
+ * payload, so the config-root signature travels inside the envelope. The RVFA
26
+ * layer contributes integrity (footer + section hash), not authenticity.
27
+ */
28
+ export function packProvenConfigRvfa(signed) {
29
+ const m = signed.manifest;
30
+ const writer = new RvfaWriter({
31
+ name: `proven-config:${m.policy?.ref ?? 'unknown'}`,
32
+ // Carry the compat floor for humans/tools; the real gate is isSuitable.
33
+ appVersion: m.compatibility?.ruflo ?? '0',
34
+ platform: m.platform?.[0] ?? 'any',
35
+ arch: 'any',
36
+ profile: 'offline',
37
+ capabilities: [PROVEN_CONFIG_CAPABILITY],
38
+ });
39
+ writer.addSection(PROVEN_CONFIG_SECTION, Buffer.from(JSON.stringify(signed), 'utf-8'), {
40
+ compression: 'gzip',
41
+ type: 'application/json',
42
+ });
43
+ return writer.build();
44
+ }
45
+ /** True if `buf` looks like an RVFA container (starts with the RVFA magic). */
46
+ export function isProvenConfigRvfa(buf) {
47
+ return buf.length >= RVFA_MAGIC.length && buf.subarray(0, RVFA_MAGIC.length).equals(RVFA_MAGIC);
48
+ }
49
+ /**
50
+ * Unpack + integrity-check an RVFA-packed champion. Returns the inner
51
+ * SignedProvenConfig, or null on ANY failure (bad magic, corrupt footer,
52
+ * missing section, malformed JSON). Fail-closed — does NOT verify the Ed25519
53
+ * signature; that stays with adoptSignedConfig (single config trust root).
54
+ */
55
+ export function unpackProvenConfigRvfa(buf) {
56
+ try {
57
+ if (!isProvenConfigRvfa(buf))
58
+ return null;
59
+ const reader = RvfaReader.fromBuffer(buf);
60
+ const integrity = reader.verify();
61
+ if (!integrity.valid)
62
+ return null; // tampered envelope → reject
63
+ const payload = reader.extractSection(PROVEN_CONFIG_SECTION);
64
+ const signed = JSON.parse(payload.toString('utf-8'));
65
+ if (!signed || signed.algorithm !== 'ed25519' || !signed.signature || !signed.manifest)
66
+ return null;
67
+ return signed;
68
+ }
69
+ catch {
70
+ return null;
71
+ }
72
+ }
73
+ //# sourceMappingURL=proven-config-rvfa.js.map
@@ -0,0 +1,86 @@
1
+ /** Ruflo config-signing PUBLIC key (safe to commit). Private half in GCP Secret Manager (ruflo-config-signing-key). */
2
+ export declare const RUFLO_CONFIG_PUBKEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA3zr3BLCFKyrjvjZg9BXxchXIuGYwYwq21FYCjTpQO6A=\n-----END PUBLIC KEY-----";
3
+ /** The receipt bundle (ADR-176) — reproducible proof-of-work summary. */
4
+ export interface ProvenConfigReceipt {
5
+ heldOutDelta?: number;
6
+ redblue?: 'PASS' | 'FAIL' | 'SKIPPED';
7
+ drift?: number;
8
+ canary?: {
9
+ rollbackRate?: number;
10
+ latencyP95?: number;
11
+ costPerTask?: number;
12
+ };
13
+ receiptCoverage?: number;
14
+ }
15
+ /** The constraint contract (ADR-177 §signed != suitable) + policy reference + receipt. */
16
+ export interface ProvenConfigManifest {
17
+ schema: string;
18
+ policy: {
19
+ ref: string;
20
+ value?: Record<string, unknown>;
21
+ };
22
+ host?: Record<string, string>;
23
+ platform?: string[];
24
+ compatibility?: Record<string, string>;
25
+ benchmark?: {
26
+ corpus: string;
27
+ corpusHash: string;
28
+ };
29
+ layer?: string;
30
+ receipt?: ProvenConfigReceipt;
31
+ rollback?: {
32
+ previousManifest?: string;
33
+ };
34
+ }
35
+ export interface SignedProvenConfig {
36
+ manifest: ProvenConfigManifest;
37
+ signature: string;
38
+ algorithm: 'ed25519';
39
+ }
40
+ /** The local environment a manifest's constraints are checked against. */
41
+ export interface InstallEnv {
42
+ platform: string;
43
+ hosts?: Record<string, string>;
44
+ versions?: Record<string, string>;
45
+ layer?: string;
46
+ }
47
+ export declare function sha256Hex(content: string | Buffer): string;
48
+ /**
49
+ * Deterministic canonical bytes — recursively sorted object keys so signer and
50
+ * verifier agree byte-for-byte regardless of insertion order.
51
+ */
52
+ export declare function canonicalManifestBytes(m: ProvenConfigManifest): Buffer;
53
+ /** Sign a manifest (publish-time; key from GCP via scripts). */
54
+ export declare function signProvenConfig(manifest: ProvenConfigManifest, privateKeyPem: string): SignedProvenConfig;
55
+ /**
56
+ * Verify a signed manifest against ruflo's config public key. Returns the
57
+ * manifest on success, or null on ANY failure (bad signature, malformed JSON,
58
+ * wrong algorithm, missing fields). Fail-closed.
59
+ */
60
+ export declare function verifyProvenConfig(signedJson: string | SignedProvenConfig, pubkeyPem?: string): ProvenConfigManifest | null;
61
+ /**
62
+ * Minimal semver-range satisfier for the compat contract. Supports `>=X`, `>X`,
63
+ * `<=X`, `<X`, `=X`, and a bare version `X` (treated as `>=X`). Deliberately
64
+ * small — the manifest contract only uses min-version bounds.
65
+ */
66
+ export declare function satisfiesRange(installed: string, range: string): boolean;
67
+ export interface SuitabilityResult {
68
+ suitable: boolean;
69
+ reason?: string;
70
+ }
71
+ /**
72
+ * Check a manifest's constraint contract against the local environment.
73
+ * Fail-closed: a missing/unsatisfiable constraint => not suitable (safe skip).
74
+ * A constraint the manifest doesn't declare is not required.
75
+ */
76
+ export declare function isSuitable(manifest: ProvenConfigManifest, env: InstallEnv): SuitabilityResult;
77
+ /**
78
+ * The combined adoption decision (ADR-177): a manifest is adoptable iff it is
79
+ * both authentic (signature verifies) AND suitable (constraints satisfied).
80
+ */
81
+ export declare function evaluateForAdoption(signedJson: string | SignedProvenConfig, env: InstallEnv, pubkeyPem?: string): {
82
+ adopt: boolean;
83
+ manifest?: ProvenConfigManifest;
84
+ reason: string;
85
+ };
86
+ //# sourceMappingURL=proven-config.d.ts.map
@@ -0,0 +1,176 @@
1
+ /**
2
+ * Proven Configuration Manifest (ADR-176 proof #3 + ADR-177 core).
3
+ *
4
+ * The signed, constraint-carrying artifact that the self-optimizing harness loop
5
+ * (ADR-176) emits and the propagation channel (ADR-177) ships to installs. Two
6
+ * independent gates decide adoption, and BOTH must pass (fail-closed):
7
+ *
8
+ * 1. Authenticity — Ed25519 signature over the canonical manifest bytes,
9
+ * verified against a baked public key. Proves it came from
10
+ * ruflo, unmodified. (native node:crypto, zero deps —
11
+ * same primitive as helper-signing.ts / rvfa-signing.ts.)
12
+ * 2. Suitability — the constraint contract (host/platform/compatibility/
13
+ * layer) checked against THIS install. A perfectly-signed
14
+ * manifest that doesn't fit the local environment is a safe
15
+ * NON-adoption, not an error. "signed != suitable."
16
+ *
17
+ * This is a DISTINCT Ed25519 trust root from helper-signing (ADR-177): the
18
+ * config channel gets its own key so rotating it never touches the hook-code
19
+ * channel that older CLIs verify.
20
+ */
21
+ import { createHash, verify as edVerify, sign as edSign } from 'crypto';
22
+ /** Ruflo config-signing PUBLIC key (safe to commit). Private half in GCP Secret Manager (ruflo-config-signing-key). */
23
+ export const RUFLO_CONFIG_PUBKEY = `-----BEGIN PUBLIC KEY-----
24
+ MCowBQYDK2VwAyEA3zr3BLCFKyrjvjZg9BXxchXIuGYwYwq21FYCjTpQO6A=
25
+ -----END PUBLIC KEY-----`;
26
+ export function sha256Hex(content) {
27
+ return createHash('sha256').update(content).digest('hex');
28
+ }
29
+ /**
30
+ * Deterministic canonical bytes — recursively sorted object keys so signer and
31
+ * verifier agree byte-for-byte regardless of insertion order.
32
+ */
33
+ export function canonicalManifestBytes(m) {
34
+ const canon = (v) => {
35
+ if (Array.isArray(v))
36
+ return v.map(canon);
37
+ if (v && typeof v === 'object') {
38
+ const out = {};
39
+ for (const k of Object.keys(v).sort())
40
+ out[k] = canon(v[k]);
41
+ return out;
42
+ }
43
+ return v;
44
+ };
45
+ return Buffer.from(JSON.stringify(canon(m)), 'utf-8');
46
+ }
47
+ /** Sign a manifest (publish-time; key from GCP via scripts). */
48
+ export function signProvenConfig(manifest, privateKeyPem) {
49
+ const signature = edSign(null, canonicalManifestBytes(manifest), privateKeyPem).toString('base64');
50
+ return { manifest, signature, algorithm: 'ed25519' };
51
+ }
52
+ /**
53
+ * Verify a signed manifest against ruflo's config public key. Returns the
54
+ * manifest on success, or null on ANY failure (bad signature, malformed JSON,
55
+ * wrong algorithm, missing fields). Fail-closed.
56
+ */
57
+ export function verifyProvenConfig(signedJson, pubkeyPem = RUFLO_CONFIG_PUBKEY) {
58
+ try {
59
+ const signed = typeof signedJson === 'string' ? JSON.parse(signedJson) : signedJson;
60
+ if (!signed || signed.algorithm !== 'ed25519' || !signed.signature || !signed.manifest)
61
+ return null;
62
+ if (!signed.manifest.schema || !signed.manifest.policy?.ref)
63
+ return null;
64
+ const ok = edVerify(null, canonicalManifestBytes(signed.manifest), pubkeyPem, Buffer.from(signed.signature, 'base64'));
65
+ return ok ? signed.manifest : null;
66
+ }
67
+ catch {
68
+ return null;
69
+ }
70
+ }
71
+ // ── Suitability gate ────────────────────────────────────────────────────────
72
+ /** Normalize platform aliases so process.platform matches manifest names. */
73
+ function platformMatches(installed, allowed) {
74
+ const norm = (p) => {
75
+ const l = p.toLowerCase();
76
+ if (l === 'darwin' || l === 'macos' || l === 'mac')
77
+ return 'macos';
78
+ if (l === 'win32' || l === 'windows')
79
+ return 'windows';
80
+ return l; // linux, etc.
81
+ };
82
+ const want = norm(installed);
83
+ return allowed.some(a => norm(a) === want);
84
+ }
85
+ function parseVer(v) {
86
+ // Tolerant: accepts X, X.Y, or X.Y.Z (a range like '>=1.9' has no patch).
87
+ const m = /(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
88
+ if (!m)
89
+ return [0, 0, 0];
90
+ return [Number(m[1] || 0), Number(m[2] || 0), Number(m[3] || 0)];
91
+ }
92
+ function cmpVer(a, b) {
93
+ const [a1, a2, a3] = parseVer(a);
94
+ const [b1, b2, b3] = parseVer(b);
95
+ return a1 - b1 || a2 - b2 || a3 - b3;
96
+ }
97
+ /**
98
+ * Minimal semver-range satisfier for the compat contract. Supports `>=X`, `>X`,
99
+ * `<=X`, `<X`, `=X`, and a bare version `X` (treated as `>=X`). Deliberately
100
+ * small — the manifest contract only uses min-version bounds.
101
+ */
102
+ export function satisfiesRange(installed, range) {
103
+ const r = range.trim();
104
+ const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(r);
105
+ if (!m)
106
+ return false;
107
+ const op = m[1] ?? '>=';
108
+ const target = m[2].trim();
109
+ const c = cmpVer(installed, target);
110
+ switch (op) {
111
+ case '>=': return c >= 0;
112
+ case '>': return c > 0;
113
+ case '<=': return c <= 0;
114
+ case '<': return c < 0;
115
+ case '=': return c === 0;
116
+ default: return false;
117
+ }
118
+ }
119
+ /**
120
+ * Check a manifest's constraint contract against the local environment.
121
+ * Fail-closed: a missing/unsatisfiable constraint => not suitable (safe skip).
122
+ * A constraint the manifest doesn't declare is not required.
123
+ */
124
+ export function isSuitable(manifest, env) {
125
+ // platform
126
+ if (manifest.platform && manifest.platform.length > 0) {
127
+ if (!platformMatches(env.platform, manifest.platform)) {
128
+ return { suitable: false, reason: `platform ${env.platform} not in [${manifest.platform.join(', ')}]` };
129
+ }
130
+ }
131
+ // host presence + version
132
+ if (manifest.host) {
133
+ for (const [name, range] of Object.entries(manifest.host)) {
134
+ const installed = env.hosts?.[name];
135
+ if (!installed)
136
+ return { suitable: false, reason: `required host '${name}' not present` };
137
+ if (!satisfiesRange(installed, range)) {
138
+ return { suitable: false, reason: `host '${name}' ${installed} does not satisfy ${range}` };
139
+ }
140
+ }
141
+ }
142
+ // package compatibility ranges (ruflo, metaharness, …)
143
+ if (manifest.compatibility) {
144
+ for (const [pkg, range] of Object.entries(manifest.compatibility)) {
145
+ const installed = env.versions?.[pkg];
146
+ if (!installed)
147
+ return { suitable: false, reason: `required package '${pkg}' version unknown` };
148
+ if (!satisfiesRange(installed, range)) {
149
+ return { suitable: false, reason: `${pkg} ${installed} does not satisfy ${range}` };
150
+ }
151
+ }
152
+ }
153
+ // hierarchy layer — an install only adopts a manifest for its own (or an ancestor) layer
154
+ if (manifest.layer && env.layer && manifest.layer !== env.layer) {
155
+ // allow ancestor layers: manifest 'framework/node-cli' is adoptable by env layer that startsWith it or vice-versa
156
+ const a = manifest.layer, b = env.layer;
157
+ if (!(b.startsWith(a) || a.startsWith(b))) {
158
+ return { suitable: false, reason: `layer '${a}' not applicable to install layer '${b}'` };
159
+ }
160
+ }
161
+ return { suitable: true };
162
+ }
163
+ /**
164
+ * The combined adoption decision (ADR-177): a manifest is adoptable iff it is
165
+ * both authentic (signature verifies) AND suitable (constraints satisfied).
166
+ */
167
+ export function evaluateForAdoption(signedJson, env, pubkeyPem = RUFLO_CONFIG_PUBKEY) {
168
+ const manifest = verifyProvenConfig(signedJson, pubkeyPem);
169
+ if (!manifest)
170
+ return { adopt: false, reason: 'signature invalid — refusing (authenticity gate)' };
171
+ const suit = isSuitable(manifest, env);
172
+ if (!suit.suitable)
173
+ return { adopt: false, manifest, reason: `not suitable — ${suit.reason} (safe skip)` };
174
+ return { adopt: true, manifest, reason: 'authentic + suitable' };
175
+ }
176
+ //# sourceMappingURL=proven-config.js.map
package/dist/src/index.js CHANGED
@@ -133,6 +133,41 @@ export class CLI {
133
133
  }
134
134
  }
135
135
  catch { /* silent */ }
136
+ // ADR-177: adopt a signed proven-configuration champion if the package
137
+ // ships one newer than this project's stamp AND it is authentic +
138
+ // suitable for this environment. Sibling of the helper channel above —
139
+ // its own stamp + trust root; additive no-op when no champion ships.
140
+ try {
141
+ const { autoAdoptProvenConfigIfStale } = await import('./config/proven-config-refresh.js');
142
+ const a = await autoAdoptProvenConfigIfStale(process.cwd());
143
+ if (a.adopted && this.output.isVerbose()) {
144
+ this.output.printDebug(`Adopted proven config (${a.from} → ${a.to})`);
145
+ }
146
+ // Close the loop (ADR-176 phase 9): promote the adopted champion to the
147
+ // ACTIVE policy that consumers (neural_patterns retrieval, …) read. A
148
+ // no-op if nothing is adopted or it is already active; reversible.
149
+ const { applyChampion } = await import('./config/harness-feedback-applier.js');
150
+ const ap = applyChampion(process.cwd());
151
+ if (ap.applied && this.output.isVerbose()) {
152
+ this.output.printDebug(`Applied proven config to active policy (${ap.from ?? '(none)'} → ${ap.to})`);
153
+ }
154
+ }
155
+ catch { /* silent */ }
156
+ // Self-running daemon: ensure the background workers (distillation,
157
+ // backup, …) are actually firing without a manual `daemon start`.
158
+ // Single-instance (only spawns when none is alive; the spawned daemon
159
+ // re-checks its own lock), bounded (TTL/idle self-shutdown), opt-out via
160
+ // RUFLO_DAEMON_AUTOSTART=0. Skipped for `daemon` (no recursion). Detached
161
+ // + fire-and-forget, so it never blocks the command.
162
+ if (commandPath[0] !== 'daemon') {
163
+ try {
164
+ const { ensureDaemonRunning } = await import('./services/daemon-autostart.js');
165
+ const d = ensureDaemonRunning(process.cwd());
166
+ if (d.started && this.output.isVerbose())
167
+ this.output.printDebug('Started background daemon (auto)');
168
+ }
169
+ catch { /* silent */ }
170
+ }
136
171
  }
137
172
  // Handle lazy-loaded commands that weren't recognized by the parser
138
173
  // If commandPath is empty but positional has a command name, check if it's lazy-loadable
@@ -12,6 +12,16 @@
12
12
  * Note: For production neural features, use @claude-flow/neural module
13
13
  */
14
14
  import { type MCPTool } from './types.js';
15
+ /**
16
+ * ADR-176 flywheel: expose the stored patterns (id/name/content) so the
17
+ * self-optimizing loop can harvest a benchmark corpus from real usage. Additive,
18
+ * read-only, never throws.
19
+ */
20
+ export declare function getStorePatterns(): Array<{
21
+ id: string;
22
+ name: string;
23
+ content?: string;
24
+ }>;
15
25
  /**
16
26
  * Public helper: read-only stats about the neural store, for the unified
17
27
  * learning-stats aggregator. Returns total pattern count + per-type breakdown