@deepstrike/wasm 0.2.9 → 0.2.11

package/dist/index.d.ts

@@ -4,7 +4,7 @@ export { FilteredExecutionPlane } from "./runtime/filtered-plane.js";
 export { SubAgentOrchestrator, defaultSubAgentOrchestrator, spawnStandalone } from "./runtime/sub-agent-orchestrator.js";
 export type { SubAgentRunContext } from "./runtime/sub-agent-orchestrator.js";
 export type { AgentCapabilityFilter, AgentIdentity, AgentIsolation, AgentRunSpec, AgentProcessChangedObservation, ContextInheritance, KernelAgentRole, LoopResult, MilestoneCheckResult, MilestoneContract, MilestonePhase, MilestonePolicy, SubAgentResult, TerminationReason, WorkflowSpec, WorkflowNodeSpec, WorkflowTaskSpec, WorkflowSpawnInfo, } from "./runtime/types/agent.js";
-export { workflowSpecToKernel, fanoutSynthesize, generateAndFilter, verifyRules } from "./runtime/types/agent.js";
+export { workflowSpecToKernel, workflowNodeSpecToKernel, submitWorkflowNodesToKernel, submitWorkflowNodesTool, fanoutSynthesize, generateAndFilter, verifyRules } from "./runtime/types/agent.js";
 export { Governance } from "./governance.js";
 export type { GovernanceVerdict } from "./governance.js";
 export { AnthropicProvider } from "./providers/anthropic.js";

package/dist/index.js

@@ -1,7 +1,7 @@
 export { RuntimeRunner, collectText, InMemorySessionLog, LocalExecutionPlane, DEFAULT_NATIVE_ATTENTION_POLICY, DEFAULT_NATIVE_GOVERNANCE_POLICY, DEFAULT_SANDBOX_POLICY, assertNativeProfile, osProfile, validateDeclarativePolicy, } from "./runtime/index.js";
 export { FilteredExecutionPlane } from "./runtime/filtered-plane.js";
 export { SubAgentOrchestrator, defaultSubAgentOrchestrator, spawnStandalone } from "./runtime/sub-agent-orchestrator.js";
-export { workflowSpecToKernel, fanoutSynthesize, generateAndFilter, verifyRules } from "./runtime/types/agent.js";
+export { workflowSpecToKernel, workflowNodeSpecToKernel, submitWorkflowNodesToKernel, submitWorkflowNodesTool, fanoutSynthesize, generateAndFilter, verifyRules } from "./runtime/types/agent.js";
 export { Governance } from "./governance.js";
 export { AnthropicProvider } from "./providers/anthropic.js";
 export { OpenAIProvider, QwenProvider, DeepSeekProvider, MiniMaxProvider, KimiProvider } from "./providers/openai.js";

package/dist/runtime/index.d.ts

@@ -4,6 +4,8 @@ export type { RunContext, ExecutionPlane } from "./execution-plane.js";
 export { LocalExecutionPlane } from "./execution-plane.js";
 export type { MemoryPolicy, MemoryWriteRateLimit, ResourceQuota, RuntimeOptions, SchedulerBudget } from "./runner.js";
 export { RuntimeRunner, collectText } from "./runner.js";
+export { builtinReducers, resolveReducer } from "./reducers.js";
+export type { Reducer, ReducerRegistry, ReducerInput } from "./reducers.js";
 export { getKernel } from "./kernel.js";
 export { DEFAULT_NATIVE_ATTENTION_POLICY, DEFAULT_NATIVE_GOVERNANCE_POLICY, DEFAULT_SANDBOX_POLICY, assertNativeProfile, osProfile, validateDeclarativePolicy, } from "./os-profile.js";
 export type { NativeOsProfile, OsProfileId } from "./os-profile.js";

package/dist/runtime/index.js

@@ -1,5 +1,6 @@
 export { InMemorySessionLog } from "./session-log.js";
 export { LocalExecutionPlane } from "./execution-plane.js";
 export { RuntimeRunner, collectText } from "./runner.js";
+export { builtinReducers, resolveReducer } from "./reducers.js";
 export { getKernel } from "./kernel.js";
 export { DEFAULT_NATIVE_ATTENTION_POLICY, DEFAULT_NATIVE_GOVERNANCE_POLICY, DEFAULT_SANDBOX_POLICY, assertNativeProfile, osProfile, validateDeclarativePolicy, } from "./os-profile.js";

package/dist/runtime/output-schema.d.ts

@@ -0,0 +1,14 @@
+export interface SchemaValidation {
+    ok: boolean;
+    errors: string[];
+}
+type JsonSchema = Record<string, unknown>;
+/** Validate `value` against `schema` (the supported subset). `path` is for error messages. */
+export declare function validateAgainstSchema(value: unknown, schema: JsonSchema, path?: string): SchemaValidation;
+/** The instruction appended to a node's goal so its agent produces schema-conforming JSON. */
+export declare function schemaInstruction(schema: JsonSchema): string;
+/** A stronger re-prompt for a retry after a validation failure. */
+export declare function schemaRetryInstruction(schema: JsonSchema, errors: string[]): string;
+/** Best-effort extraction of a JSON value from agent output (raw, fenced, or embedded). */
+export declare function extractJsonValue(text: string): unknown;
+export {};

package/dist/runtime/output-schema.js

@@ -0,0 +1,113 @@
+// G3 structured output: a small, dependency-free JSON-Schema subset validator + helpers used by the
+// workflow runner to enforce a node's `output_schema`. The kernel carries the schema verbatim (it is
+// zero-I/O and never validates); enforcement lives here, SDK-side, where the agent output exists.
+//
+// Supported keywords (the common structured-output subset): `type` (object | array | string |
+// number | integer | boolean | null), `required`, `properties` (recursive), `items` (recursive),
+// `enum`. Unknown keywords are ignored rather than rejected — a permissive superset of these specs
+// still validates, matching "instruct the model, then check the shape" rather than full JSON Schema.
+function typeOfValue(v) {
+    if (v === null)
+        return "null";
+    if (Array.isArray(v))
+        return "array";
+    return typeof v; // "object" | "string" | "number" | "boolean"
+}
+function matchesType(v, t) {
+    switch (t) {
+        case "integer":
+            return typeof v === "number" && Number.isInteger(v);
+        case "number":
+            return typeof v === "number";
+        case "object":
+            return typeOfValue(v) === "object";
+        default:
+            return typeOfValue(v) === t;
+    }
+}
+/** Validate `value` against `schema` (the supported subset). `path` is for error messages. */
+export function validateAgainstSchema(value, schema, path = "$") {
+    const errors = [];
+    const type = schema.type;
+    if (typeof type === "string" && !matchesType(value, type)) {
+        errors.push(`${path}: expected ${type}, got ${typeOfValue(value)}`);
+        return { ok: false, errors }; // type mismatch ⇒ stop; deeper checks are meaningless
+    }
+    if (Array.isArray(type) && !type.some(t => typeof t === "string" && matchesType(value, t))) {
+        errors.push(`${path}: expected one of [${type.join(", ")}], got ${typeOfValue(value)}`);
+        return { ok: false, errors };
+    }
+    if (Array.isArray(schema.enum) && !schema.enum.some(e => e === value)) {
+        errors.push(`${path}: value not in enum`);
+    }
+    if (typeOfValue(value) === "object") {
+        const obj = value;
+        const required = Array.isArray(schema.required) ? schema.required : [];
+        for (const key of required) {
+            if (!(key in obj))
+                errors.push(`${path}.${key}: required property missing`);
+        }
+        const properties = schema.properties ?? {};
+        for (const [key, sub] of Object.entries(properties)) {
+            if (key in obj) {
+                const r = validateAgainstSchema(obj[key], sub, `${path}.${key}`);
+                if (!r.ok)
+                    errors.push(...r.errors);
+            }
+        }
+    }
+    if (typeOfValue(value) === "array" && schema.items && typeof schema.items === "object") {
+        const items = schema.items;
+        value.forEach((el, i) => {
+            const r = validateAgainstSchema(el, items, `${path}[${i}]`);
+            if (!r.ok)
+                errors.push(...r.errors);
+        });
+    }
+    return { ok: errors.length === 0, errors };
+}
+/** The instruction appended to a node's goal so its agent produces schema-conforming JSON. */
+export function schemaInstruction(schema) {
+    return ("You MUST return ONLY a single JSON value that conforms to this JSON Schema, with no prose, " +
+        "no markdown, and no code fences:\n" +
+        JSON.stringify(schema));
+}
+/** A stronger re-prompt for a retry after a validation failure. */
+export function schemaRetryInstruction(schema, errors) {
+    return (`${schemaInstruction(schema)}\n\nYour previous output did NOT conform: ${errors.join("; ")}. ` +
+        "Return ONLY the corrected JSON value.");
+}
+/** Best-effort extraction of a JSON value from agent output (raw, fenced, or embedded). */
+export function extractJsonValue(text) {
+    const trimmed = (text ?? "").trim();
+    if (!trimmed)
+        return undefined;
+    const tryParse = (s) => {
+        try {
+            return JSON.parse(s);
+        }
+        catch {
+            return undefined;
+        }
+    };
+    const whole = tryParse(trimmed);
+    if (whole !== undefined)
+        return whole;
+    const fence = trimmed.match(/```(?:json)?\s*([\s\S]*?)```/i);
+    if (fence) {
+        const fenced = tryParse(fence[1].trim());
+        if (fenced !== undefined)
+            return fenced;
+    }
+    // Fall back to the first balanced {...} or [...] slice.
+    for (const [open, close] of [["{", "}"], ["[", "]"]]) {
+        const start = trimmed.indexOf(open);
+        const end = trimmed.lastIndexOf(close);
+        if (start !== -1 && end > start) {
+            const slice = tryParse(trimmed.slice(start, end + 1));
+            if (slice !== undefined)
+                return slice;
+        }
+    }
+    return undefined;
+}

package/dist/runtime/reducers.d.ts

@@ -0,0 +1,15 @@
+/** One dependency's contribution to a reduce: the producing node's agent id and its output text. */
+export interface ReducerInput {
+    agentId: string;
+    output: string;
+}
+/** A pure function over a reduce node's dependency outputs → the reduce node's output string. */
+export type Reducer = (inputs: ReducerInput[]) => string;
+export type ReducerRegistry = Record<string, Reducer>;
+/**
+ * Built-in reducers, available to every workflow without registration. A user-supplied registry is
+ * merged over these (so a custom reducer can shadow a built-in of the same name).
+ */
+export declare const builtinReducers: ReducerRegistry;
+/** Resolve a reducer by name from the built-ins overlaid with a user registry. */
+export declare function resolveReducer(name: string, user?: ReducerRegistry): Reducer | undefined;

package/dist/runtime/reducers.js

@@ -0,0 +1,57 @@
+// G2 deterministic compute: the host-side reducer registry. A `NodeKind::Reduce` workflow node runs
+// no LLM agent — the kernel hands the SDK a reducer name + its dependency outputs, and the SDK runs
+// the named pure function here. This is the "ordinary code between stages" (dedupe / filter / merge /
+// early-exit) of the code-orchestration model, expressed deterministically as a DAG node.
+import { extractJsonValue } from "./output-schema.js";
+/** Non-empty, trimmed lines of a string. */
+function lines(s) {
+    return s
+        .split("\n")
+        .map(l => l.trim())
+        .filter(l => l.length > 0);
+}
+/**
+ * Built-in reducers, available to every workflow without registration. A user-supplied registry is
+ * merged over these (so a custom reducer can shadow a built-in of the same name).
+ */
+export const builtinReducers = {
+    /** Concatenate every input's output, separated by blank lines, in dependency order. */
+    concat: inputs => inputs.map(i => i.output).join("\n\n"),
+    /** Union of non-empty lines across all inputs, first-seen order preserved (dedupe a fan-out). */
+    dedupe_lines: inputs => {
+        const seen = new Set();
+        const out = [];
+        for (const i of inputs) {
+            for (const line of lines(i.output)) {
+                if (!seen.has(line)) {
+                    seen.add(line);
+                    out.push(line);
+                }
+            }
+        }
+        return out.join("\n");
+    },
+    /** Parse each input as a JSON array, concatenate, dedupe by canonical JSON → a JSON array string. */
+    merge_json_arrays: inputs => {
+        const seen = new Set();
+        const merged = [];
+        for (const i of inputs) {
+            const v = extractJsonValue(i.output);
+            const arr = Array.isArray(v) ? v : v !== undefined ? [v] : [];
+            for (const el of arr) {
+                const key = JSON.stringify(el);
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    merged.push(el);
+                }
+            }
+        }
+        return JSON.stringify(merged);
+    },
+    /** The number of inputs that produced any non-empty output — handy for early-exit/branch gates. */
+    count: inputs => String(inputs.filter(i => i.output.trim().length > 0).length),
+};
+/** Resolve a reducer by name from the built-ins overlaid with a user registry. */
+export function resolveReducer(name, user) {
+    return user?.[name] ?? builtinReducers[name];
+}

package/dist/runtime/runner.d.ts

@@ -8,6 +8,7 @@ import type { ExecutionPlane } from "./execution-plane.js";
 import { type GovernancePolicy } from "../governance.js";
 import type { AgentRunSpec, SubAgentResult, MilestonePolicy, MilestoneContract, MilestoneCheckResult, WorkflowSpec } from "./types/agent.js";
 import { type SubAgentOrchestrator } from "./sub-agent-orchestrator.js";
+import { type ReducerRegistry } from "./reducers.js";
 import { type NativeOsProfile, type OsProfileId } from "./os-profile.js";
 import { LargeResultSpool } from "./large-result-spool.js";
 export interface MemoryWriteRateLimit {
@@ -69,6 +70,8 @@ export interface RuntimeOptions {
     onToolSuspend?: (event: ToolSuspendEvent) => Promise<unknown> | unknown;
     onPermissionRequest?: (event: PermissionRequestEvent) => Promise<PermissionResponse | boolean> | PermissionResponse | boolean;
     subAgentOrchestrator?: SubAgentOrchestrator;
+    /** G2: custom reducers for `NodeKind::Reduce` workflow nodes, merged over the built-ins. */
+    reducers?: ReducerRegistry;
     milestonePolicy?: MilestonePolicy;
     milestoneContract?: MilestoneContract;
     onMilestoneEvaluate?: (ctx: {
@@ -113,6 +116,19 @@ export declare class RuntimeRunner {
     dream(agentId: string, nowMs?: number): Promise<DreamResult>;
     private execute;
     spawnSubAgent(spec: AgentRunSpec): Promise<SubAgentResult>;
+    /**
+     * G3: run one workflow node, enforcing its `output_schema` (if any) by instructing the agent,
+     * validating its output (the supported JSON-Schema subset), and re-running once with the errors
+     * fed back on mismatch. If it still does not conform, the node is failed with the validation
+     * reason (an `Error`-terminated result fails the node in-kernel, starving its dependents).
+     */
+    private runWorkflowNode;
+    /**
+     * G2: execute a deterministic reduce node — run the named reducer (built-ins overlaid with
+     * `opts.reducers`) over its dependency outputs and return a synthetic completion. No LLM, zero
+     * tokens. An unknown reducer or a thrown reducer fails the node (`Error` → starves dependents).
+     */
+    private runReduceNode;
     /**
      * W0-ABI: run a declarative workflow DAG. The kernel owns the DAG and gates every node spawn
      * through the syscall trap; this driver runs each kernel-emitted batch of nodes in parallel,
@@ -120,6 +136,7 @@ export declare class RuntimeRunner {
      */
     runWorkflow(spec: WorkflowSpec, opts?: {
         resumedCompleted?: string[];
+        resumedSubmissions?: Record<string, unknown>[][];
     }): Promise<{
         completed: string[];
         failed: string[];

package/dist/runtime/runner.js

@@ -3,10 +3,12 @@ import { governancePolicyToKernelEvent } from "../governance.js";
 import { getKernel } from "./kernel.js";
 import { peekProviderReplay, seedProviderReplayFromEvents } from "./provider-replay.js";
 import { sanitizeReplayText } from "./replay-sanitize.js";
-import { buildLlmCompletedEvent, buildRunTerminalEvent, buildWorkflowNodeCompletedEvent, recoverCompletedWorkflowNodes, repairEventsForRecovery, } from "./session-repair.js";
+import { buildLlmCompletedEvent, buildRunTerminalEvent, buildWorkflowNodeCompletedEvent, buildWorkflowNodesSubmittedEvent, recoverCompletedWorkflowNodes, recoverSubmittedWorkflowNodes, repairEventsForRecovery, } from "./session-repair.js";
 import { forceCompact, kernelAction, kernelApply, kernelMaybeAction, messageToKernelMessage, skillMetadataToKernel, toolResultToKernel, toolSchemaToKernel, } from "./kernel-step.js";
-import { agentRunSpecToKernel, findSpawnProcessObservation, milestoneCheckPass, milestoneCheckResultToKernel, spawnObservationToManifest, subAgentResultToKernel, workflowNodeToManifest, workflowNodeToSpec, workflowSpecToKernel, } from "./types/agent.js";
+import { agentRunSpecToKernel, findSpawnProcessObservation, milestoneCheckPass, milestoneCheckResultToKernel, spawnObservationToManifest, subAgentResultToKernel, submitWorkflowNodesToKernel, workflowBudgetNote, workflowNodeToManifest, workflowNodeToSpec, workflowSpecToKernel, } from "./types/agent.js";
 import { defaultSubAgentOrchestrator } from "./sub-agent-orchestrator.js";
+import { extractJsonValue, schemaInstruction, schemaRetryInstruction, validateAgainstSchema, } from "./output-schema.js";
+import { resolveReducer } from "./reducers.js";
 import { kernelObservationToSessionEvent, withCategory } from "./kernel-event-log.js";
 import { assertNativeProfile } from "./os-profile.js";
 import { LargeResultSpool } from "./large-result-spool.js";
@@ -527,7 +529,18 @@ export class RuntimeRunner {
                     onPermissionRequest: this.opts.onPermissionRequest,
                 };
                 const toolResults = [];
-                for await (const evt of this.opts.executionPlane.executeAll(allCalls, runCtx)) {
+                // R3-1: intercept `submit_workflow_nodes` — it can't apply to this runner's kernel (when this
+                // runner is a workflow node, the workflow lives in the parent). Surface the nodes as an event;
+                // the orchestrator collects them and `runWorkflow` sends them to the parent kernel.
+                const submitCalls = allCalls.filter(c => c.name === "submit_workflow_nodes");
+                const normalCalls = allCalls.filter(c => c.name !== "submit_workflow_nodes");
+                for (const call of submitCalls) {
+                    const nodes = parseSubmitWorkflowNodesArgs(call.arguments);
+                    yield { type: "workflow_nodes_submitted", nodes };
+                    toolResults.push({ callId: call.id, output: "submitted", isError: false });
+                    yield { type: "tool_result", callId: call.id, content: "submitted", isError: false };
+                }
+                for await (const evt of this.opts.executionPlane.executeAll(normalCalls, runCtx)) {
                     yield evt;
                     if (evt.type === "tool_result") {
                         const tre = evt;
@@ -706,6 +719,81 @@ export class RuntimeRunner {
         });
         return result;
     }
+    /**
+     * G3: run one workflow node, enforcing its `output_schema` (if any) by instructing the agent,
+     * validating its output (the supported JSON-Schema subset), and re-running once with the errors
+     * fed back on mismatch. If it still does not conform, the node is failed with the validation
+     * reason (an `Error`-terminated result fails the node in-kernel, starving its dependents).
+     */
+    async runWorkflowNode(node, parentSessionId, orchestrator, budget, outputs) {
+        // G2: a reduce node runs no LLM — execute the registered pure function over its dependency
+        // outputs and feed the result back as an ordinary completion. Deterministic; no agent burned.
+        if (node.reducer) {
+            return this.runReduceNode(node, outputs ?? new Map());
+        }
+        const baseSpec = workflowNodeToSpec(node, parentSessionId);
+        const manifest = workflowNodeToManifest(node, parentSessionId);
+        // G4: surface remaining workflow budget so a coordinator node can size its submission.
+        const budgetNote = workflowBudgetNote(budget);
+        const withBudget = (goal) => (budgetNote ? `${goal}\n\n${budgetNote}` : goal);
+        const mkCtx = (goal) => ({
+            parentOpts: this.opts,
+            parentSessionId,
+            spec: { ...baseSpec, goal: withBudget(goal) },
+            manifest,
+            sessionLog: this.opts.sessionLog,
+        });
+        const schema = node.output_schema;
+        if (!schema)
+            return orchestrator.run(mkCtx(baseSpec.goal));
+        const MAX_ATTEMPTS = 2;
+        let last;
+        let lastErrors = [];
+        for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
+            const goal = attempt === 1
+                ? `${baseSpec.goal}\n\n${schemaInstruction(schema)}`
+                : `${baseSpec.goal}\n\n${schemaRetryInstruction(schema, lastErrors)}`;
+            const result = await orchestrator.run(mkCtx(goal));
+            const content = result.result.finalMessage?.content;
+            const text = typeof content === "string" ? content : content != null ? JSON.stringify(content) : "";
+            const v = validateAgainstSchema(extractJsonValue(text), schema);
+            if (v.ok)
+                return result;
+            last = result;
+            lastErrors = v.errors;
+        }
+        const reason = `output_schema validation failed after ${MAX_ATTEMPTS} attempts: ${lastErrors.join("; ")}`;
+        const fallback = last;
+        return {
+            ...fallback,
+            result: {
+                ...fallback.result,
+                termination: "error",
+                finalMessage: { role: "assistant", content: reason, toolCalls: [] },
+            },
+        };
+    }
+    /**
+     * G2: execute a deterministic reduce node — run the named reducer (built-ins overlaid with
+     * `opts.reducers`) over its dependency outputs and return a synthetic completion. No LLM, zero
+     * tokens. An unknown reducer or a thrown reducer fails the node (`Error` → starves dependents).
+     */
+    runReduceNode(node, outputs) {
+        const ok = (content, termination) => ({
+            agentId: node.agent_id,
+            result: { termination, finalMessage: { role: "assistant", content, toolCalls: [] }, turnsUsed: 0, totalTokensUsed: 0 },
+        });
+        const reducer = resolveReducer(node.reducer, this.opts.reducers);
+        if (!reducer)
+            return ok(`unknown reducer "${node.reducer}"`, "error");
+        const inputs = (node.input_agent_ids ?? []).map(agentId => ({ agentId, output: outputs.get(agentId) ?? "" }));
+        try {
+            return ok(reducer(inputs), "completed");
+        }
+        catch (err) {
+            return ok(`reducer "${node.reducer}" threw: ${err instanceof Error ? err.message : String(err)}`, "error");
+        }
+    }
     /**
      * W0-ABI: run a declarative workflow DAG. The kernel owns the DAG and gates every node spawn
      * through the syscall trap; this driver runs each kernel-emitted batch of nodes in parallel,
@@ -718,34 +806,63 @@ export class RuntimeRunner {
         const parentSessionId = this.currentSessionId;
         const runtime = this.activeKernel;
         const orchestrator = this.opts.subAgentOrchestrator ?? defaultSubAgentOrchestrator;
-        let observations = kernelApply(runtime, this.pendingObservations, {
+        const observations = kernelApply(runtime, this.pendingObservations, {
             kind: "load_workflow",
             spec: workflowSpecToKernel(spec),
             parent_session_id: parentSessionId,
             // W0-ABI resume: skip nodes already completed before an interruption.
             ...(opts?.resumedCompleted && opts.resumedCompleted.length ? { resumed_completed: opts.resumedCompleted } : {}),
+            // R3-1: re-apply recorded runtime submissions so dynamically-appended nodes are reconstructed.
+            ...(opts?.resumedSubmissions && opts.resumedSubmissions.length ? { resumed_submissions: opts.resumedSubmissions } : {}),
         });
+        const collectNodes = (obs) => obs.find(o => o.kind === "workflow_batch_spawned")?.nodes ?? [];
+        // G4: the batch observation carries the workflow's remaining budget; track the latest.
+        const collectBudget = (obs) => obs.find(o => o.kind === "workflow_batch_spawned")?.budget;
+        const findDone = (obs) => obs.find(o => o.kind === "workflow_completed");
+        let done = findDone(observations);
+        if (done)
+            return { completed: done.completed ?? [], failed: done.failed ?? [] };
+        let nodes = collectNodes(observations);
+        let budget = collectBudget(observations);
+        // G2: each completed node's output, keyed by agent id — a reduce node reads its deps' outputs.
+        const outputs = new Map();
         for (;;) {
-            const done = observations.find(o => o.kind === "workflow_completed");
-            if (done)
-                return { completed: done.completed ?? [], failed: done.failed ?? [] };
-            const batch = observations.find(o => o.kind === "workflow_batch_spawned");
-            const nodes = batch?.nodes ?? [];
             if (nodes.length === 0)
                 return { completed: [], failed: [] };
-            const results = await Promise.all(nodes.map(node => orchestrator.run({
-                parentOpts: this.opts,
-                parentSessionId,
-                spec: workflowNodeToSpec(node, parentSessionId),
-                manifest: workflowNodeToManifest(node, parentSessionId),
-                sessionLog: this.opts.sessionLog,
-            })));
-            observations = [];
+            const roundBudget = budget;
+            const results = await Promise.all(nodes.map(node => this.runWorkflowNode(node, parentSessionId, orchestrator, roundBudget, outputs)));
+            // Accumulate next-batch nodes across feeds (per-node unblock can spawn dependents per feed).
+            const nextNodes = [];
+            done = undefined;
             for (const result of results) {
-                observations = kernelApply(runtime, this.pendingObservations, {
+                // G2: record this node's output so a downstream reduce node can consume it.
+                const outContent = result.result.finalMessage?.content;
+                outputs.set(result.agentId, typeof outContent === "string" ? outContent : outContent != null ? JSON.stringify(outContent) : "");
+                // R3-1: if this node's agent submitted more nodes, append them to the parent DAG BEFORE
+                // reporting the node's completion — the workflow is still active, so even a last-node
+                // submission keeps the DAG alive.
+                if (result.submittedNodes?.length) {
+                    // G1: stamp the submitting node's agent id so the kernel coerces a quarantined submitter's
+                    // nodes to quarantined (no topological privilege escalation).
+                    const submitEvent = submitWorkflowNodesToKernel(result.submittedNodes, result.agentId);
+                    const subObs = kernelApply(runtime, this.pendingObservations, submitEvent);
+                    nextNodes.push(...collectNodes(subObs));
+                    budget = collectBudget(subObs) ?? budget;
+                    // R3-1: persist the submission (kernel-shape nodes) so resume can re-apply it.
+                    await this.opts.sessionLog.append(parentSessionId, buildWorkflowNodesSubmittedEvent({
+                        turn: runtime.turn(),
+                        nodes: submitEvent.nodes ?? [],
+                    }));
+                }
+                const obs = kernelApply(runtime, this.pendingObservations, {
                     kind: "sub_agent_completed",
                     result: subAgentResultToKernel(result),
                 });
+                nextNodes.push(...collectNodes(obs));
+                budget = collectBudget(obs) ?? budget;
+                const d = findDone(obs);
+                if (d)
+                    done = d;
                 // Persist node completion for resume recovery.
                 await this.opts.sessionLog.append(parentSessionId, buildWorkflowNodeCompletedEvent({
                     turn: runtime.turn(),
@@ -753,6 +870,10 @@ export class RuntimeRunner {
                     termination: result.result.termination,
                 }));
             }
+            if (done && nextNodes.length === 0) {
+                return { completed: done.completed ?? [], failed: done.failed ?? [] };
+            }
+            nodes = nextNodes;
         }
     }
     /**
@@ -766,7 +887,8 @@ export class RuntimeRunner {
         }
         const events = await this.opts.sessionLog.read(this.currentSessionId);
         const resumedCompleted = recoverCompletedWorkflowNodes(events);
-        return this.runWorkflow(spec, { resumedCompleted });
+        const resumedSubmissions = recoverSubmittedWorkflowNodes(events);
+        return this.runWorkflow(spec, { resumedCompleted, resumedSubmissions });
     }
     async appendObservations(sessionId, runtime, nextArchiveStart) {
         const turn = runtime.turn();
@@ -956,3 +1078,15 @@ export async function collectText(stream) {
     }
     return text;
 }
+/** R3-1: parse `submit_workflow_nodes` tool args (`{ nodes: WorkflowNodeSpec[] }`). Node shapes are
+ *  trusted structurally; the kernel validates them on append. Malformed payload → no nodes. */
+function parseSubmitWorkflowNodesArgs(argsStr) {
+    let parsed = {};
+    try {
+        parsed = JSON.parse(argsStr);
+    }
+    catch {
+        // Ignore parse error → no nodes submitted.
+    }
+    return Array.isArray(parsed.nodes) ? parsed.nodes : [];
+}

package/dist/runtime/session-log.d.ts

@@ -239,6 +239,13 @@ export type SessionEvent = {
     primitive?: KernelPrimitive;
     agent_id: string;
     termination: string;
+} | {
+    kind: "workflow_nodes_submitted";
+    turn: number;
+    category?: KernelEventCategory;
+    primitive?: KernelPrimitive;
+    /** Kernel-shape (snake_case) submitted node specs — persisted so resume can re-apply them. */
+    nodes: Record<string, unknown>[];
 } | {
     kind: "workflow_batch_spawned";
     turn: number;

package/dist/runtime/session-repair.d.ts

@@ -52,3 +52,17 @@ export declare function recoverCompletedWorkflowNodes(events: Array<{
     seq: number;
     event: SessionEvent;
 }>): string[];
+/** R3-1: build workflow_nodes_submitted for persistence after a runtime submission, so resume can
+ *  re-apply it. `nodes` is the kernel-shape (snake_case) submitted node array. */
+export declare function buildWorkflowNodesSubmittedEvent(input: {
+    turn: number;
+    nodes: Record<string, unknown>[];
+}): Extract<SessionEvent, {
+    kind: "workflow_nodes_submitted";
+}>;
+/** R3-1: recover the runtime submission batches (in order) to rebuild `resumed_submissions` for
+ *  resumeWorkflow, so dynamically-appended nodes are reconstructed. */
+export declare function recoverSubmittedWorkflowNodes(events: Array<{
+    seq: number;
+    event: SessionEvent;
+}>): Record<string, unknown>[][];

package/dist/runtime/session-repair.js

@@ -70,3 +70,18 @@ export function recoverCompletedWorkflowNodes(events) {
     }
     return completed;
 }
+/** R3-1: build workflow_nodes_submitted for persistence after a runtime submission, so resume can
+ *  re-apply it. `nodes` is the kernel-shape (snake_case) submitted node array. */
+export function buildWorkflowNodesSubmittedEvent(input) {
+    return { kind: "workflow_nodes_submitted", turn: input.turn, nodes: input.nodes };
+}
+/** R3-1: recover the runtime submission batches (in order) to rebuild `resumed_submissions` for
+ *  resumeWorkflow, so dynamically-appended nodes are reconstructed. */
+export function recoverSubmittedWorkflowNodes(events) {
+    const submissions = [];
+    for (const { event } of events) {
+        if (event.kind === "workflow_nodes_submitted")
+            submissions.push(event.nodes);
+    }
+    return submissions;
+}

package/dist/runtime/sub-agent-orchestrator.js

@@ -41,6 +41,8 @@ export class SubAgentOrchestrator {
         });
         let done;
         let finalText = "";
+        // R3-1: collect any nodes this node's agent submitted via the `submit_workflow_nodes` tool.
+        const submittedNodes = [];
         for await (const evt of childRunner.run({
             sessionId: ctx.spec.identity.sessionId,
             goal: ctx.spec.goal,
@@ -49,6 +51,8 @@ export class SubAgentOrchestrator {
                 finalText += evt.delta;
             if (evt.type === "done")
                 done = evt;
+            if (evt.type === "workflow_nodes_submitted")
+                submittedNodes.push(...evt.nodes);
         }
         const loopResult = {
             termination: terminationFromStatus(done?.status ?? "error"),
@@ -58,7 +62,11 @@ export class SubAgentOrchestrator {
                 ? { finalMessage: { role: "assistant", content: finalText, toolCalls: [] } }
                 : {}),
         };
-        return { agentId: ctx.spec.identity.agentId, result: loopResult };
+        return {
+            agentId: ctx.spec.identity.agentId,
+            result: loopResult,
+            ...(submittedNodes.length ? { submittedNodes } : {}),
+        };
     }
 }
 export const defaultSubAgentOrchestrator = new SubAgentOrchestrator();

package/dist/runtime/types/agent.d.ts

@@ -1,4 +1,4 @@
-import type { Message } from "../../types.js";
+import type { Message, ToolSchema } from "../../types.js";
 export type KernelAgentRole = "explore" | "plan" | "implement" | "verify" | "custom";
 export type AgentIsolation = "shared" | "read_only" | "worktree" | "remote";
 export type ContextInheritance = "none" | "system_only" | "full";
@@ -52,6 +52,9 @@ export interface LoopResult {
 export interface SubAgentResult {
     agentId: string;
     result: LoopResult;
+    /** R3-1: nodes this node's agent asked to append to the parent workflow DAG. Surfaced by the
+     *  orchestrator; `runWorkflow` sends them to the parent kernel before completion. SDK-internal. */
+    submittedNodes?: WorkflowNodeSpec[];
 }
 export interface MilestoneCheckResult {
     phaseId: string;
@@ -82,12 +85,20 @@ export type WorkflowTaskSpec = {
     lane?: string;
 } | string;
 /** One node in a declarative workflow DAG (camelCase host shape). */
+export type NodeTrust = "trusted" | "quarantined";
 export interface WorkflowNodeSpec {
     task: WorkflowTaskSpec;
     role: KernelAgentRole;
     isolation?: AgentIsolation;
     contextInheritance?: ContextInheritance;
     modelHint?: string;
+    /** W3: `quarantined` nodes read untrusted content and must run without privileges (read-only). */
+    trust?: NodeTrust;
+    /** G3: JSON Schema the node's output must conform to (validated + retried SDK-side). */
+    outputSchema?: Record<string, unknown>;
+    /** G2: make this a deterministic reduce node — runs no LLM; the runner routes it to the registered
+     *  reducer of this name over its `dependsOn` nodes' outputs. */
+    reducer?: string;
     /** Indices of nodes this node depends on. */
     dependsOn?: number[];
 }
@@ -103,9 +114,36 @@ export interface WorkflowSpawnInfo {
     isolation: string;
     context_inheritance: string;
     model_hint?: string;
+    /** G3: JSON Schema the node's output must conform to (carried verbatim from the spec). */
+    output_schema?: Record<string, unknown>;
+    /** G2: for a reduce node, the registered reducer name to run (no LLM). */
+    reducer?: string;
+    /** G2: the dependency agent ids whose outputs a reduce node consumes. */
+    input_agent_ids?: string[];
 }
+/** G4 budget-as-signal: the workflow's remaining headroom under the active quota, carried on the
+ *  `workflow_batch_spawned` observation so a coordinator node can scale its next submission. */
+export interface WorkflowBudget {
+    nodes_used: number;
+    nodes_max?: number;
+    nodes_remaining?: number;
+    running_subagents: number;
+    max_concurrent_subagents?: number;
+    concurrency_remaining?: number;
+}
+/** G4: a concise budget note appended to a coordinator node's goal. "" when nothing is bounded. */
+export declare function workflowBudgetNote(budget: WorkflowBudget | undefined): string;
 /** Map a host `WorkflowSpec` to the snake_case kernel JSON (`load_workflow.spec`). */
+/** Map one host `WorkflowNodeSpec` to its snake_case kernel JSON. Shared by `load_workflow` and
+ *  `submit_workflow_nodes` (R3-1) so the two encodings never drift. */
+export declare function workflowNodeSpecToKernel(n: WorkflowNodeSpec): Record<string, unknown>;
 export declare function workflowSpecToKernel(spec: WorkflowSpec): Record<string, unknown>;
+/** R3-1: map a batch of host nodes to the `submit_workflow_nodes` kernel event body. G1: pass
+ *  `submitterAgentId` so the kernel enforces no-privilege-escalation (quarantined submitter ⇒ its
+ *  nodes coerced to quarantined). Omitted ⇒ no coercion. */
+export declare function submitWorkflowNodesToKernel(nodes: WorkflowNodeSpec[], submitterAgentId?: string): Record<string, unknown>;
+/** R3-1: the tool a workflow-coordinator node's agent calls to append work to the running DAG. */
+export declare const submitWorkflowNodesTool: ToolSchema;
 /** Build a sub-agent run spec for a kernel-generated workflow node. */
 export declare function workflowNodeToSpec(node: WorkflowSpawnInfo, parentSessionId: string): AgentRunSpec;
 /** Build the host manifest for a kernel-generated workflow node. */

package/dist/runtime/types/agent.js

@@ -94,27 +94,87 @@ export function milestoneCheckPass(phaseId) {
 export function milestoneCheckFail(phaseId, reason) {
     return { phaseId, passed: false, reason };
 }
+/** G4: a concise budget note appended to a coordinator node's goal. "" when nothing is bounded. */
+export function workflowBudgetNote(budget) {
+    if (!budget)
+        return "";
+    const parts = [];
+    if (budget.nodes_remaining != null && budget.nodes_max != null) {
+        parts.push(`nodes ${budget.nodes_used}/${budget.nodes_max} used, ${budget.nodes_remaining} remaining`);
+    }
+    if (budget.concurrency_remaining != null && budget.max_concurrent_subagents != null) {
+        parts.push(`concurrency ${budget.running_subagents}/${budget.max_concurrent_subagents} running, ${budget.concurrency_remaining} free`);
+    }
+    if (parts.length === 0)
+        return "";
+    return (`[workflow budget] ${parts.join(" · ")}. ` +
+        "If you submit more workflow nodes, keep the batch within the remaining node budget.");
+}
 /** Map a host `WorkflowSpec` to the snake_case kernel JSON (`load_workflow.spec`). */
+/** Map one host `WorkflowNodeSpec` to its snake_case kernel JSON. Shared by `load_workflow` and
+ *  `submit_workflow_nodes` (R3-1) so the two encodings never drift. */
+export function workflowNodeSpecToKernel(n) {
+    const task = typeof n.task === "string" ? { goal: n.task } : n.task;
+    return {
+        task: {
+            goal: task.goal,
+            // `criteria` is required by the kernel's RuntimeTask serde (no default).
+            criteria: task.criteria ?? [],
+            ...(task.lane ? { lane: task.lane } : {}),
+        },
+        role: n.role,
+        isolation: n.isolation ?? "shared",
+        context_inheritance: n.contextInheritance ?? "none",
+        ...(n.modelHint ? { model_hint: n.modelHint } : {}),
+        ...(n.trust && n.trust !== "trusted" ? { trust: n.trust } : {}),
+        ...(n.outputSchema ? { output_schema: n.outputSchema } : {}),
+        // G2: a reducer name lowers to the kernel's `NodeKind::Reduce` (serde-tagged by `type`).
+        ...(n.reducer ? { kind: { type: "reduce", reducer: n.reducer } } : {}),
+        ...(n.dependsOn && n.dependsOn.length ? { depends_on: n.dependsOn } : {}),
+    };
+}
 export function workflowSpecToKernel(spec) {
+    return { nodes: spec.nodes.map(workflowNodeSpecToKernel) };
+}
+/** R3-1: map a batch of host nodes to the `submit_workflow_nodes` kernel event body. G1: pass
+ *  `submitterAgentId` so the kernel enforces no-privilege-escalation (quarantined submitter ⇒ its
+ *  nodes coerced to quarantined). Omitted ⇒ no coercion. */
+export function submitWorkflowNodesToKernel(nodes, submitterAgentId) {
     return {
-        nodes: spec.nodes.map(n => {
-            const task = typeof n.task === "string" ? { goal: n.task } : n.task;
-            return {
-                task: {
-                    goal: task.goal,
-                    // `criteria` is required by the kernel's RuntimeTask serde (no default).
-                    criteria: task.criteria ?? [],
-                    ...(task.lane ? { lane: task.lane } : {}),
-                },
-                role: n.role,
-                isolation: n.isolation ?? "shared",
-                context_inheritance: n.contextInheritance ?? "none",
-                ...(n.modelHint ? { model_hint: n.modelHint } : {}),
-                ...(n.dependsOn && n.dependsOn.length ? { depends_on: n.dependsOn } : {}),
-            };
-        }),
+        kind: "submit_workflow_nodes",
+        nodes: nodes.map(workflowNodeSpecToKernel),
+        ...(submitterAgentId ? { submitter_agent_id: submitterAgentId } : {}),
     };
 }
+/** R3-1: the tool a workflow-coordinator node's agent calls to append work to the running DAG. */
+export const submitWorkflowNodesTool = {
+    name: "submit_workflow_nodes",
+    description: "Append new nodes to the running workflow DAG (dynamic fan-out / loop-until-done). Each node " +
+        "spawns as a gated sub-agent. Use when you discover more work that should run as its own node.",
+    parameters: JSON.stringify({
+        type: "object",
+        properties: {
+            nodes: {
+                type: "array",
+                items: {
+                    type: "object",
+                    properties: {
+                        task: { description: "The node's goal: a string, or { goal, criteria?, lane? }." },
+                        role: { type: "string", enum: ["explore", "plan", "implement", "verify", "custom"] },
+                        isolation: { type: "string", enum: ["shared", "read_only", "worktree", "remote"] },
+                        contextInheritance: { type: "string", enum: ["none", "system_only", "full"] },
+                        trust: { type: "string", enum: ["trusted", "quarantined"] },
+                        outputSchema: { type: "object", description: "Optional JSON Schema the node's output must conform to." },
+                        reducer: { type: "string", description: "Make this a deterministic reduce node (no LLM); names a registered reducer." },
+                        dependsOn: { type: "array", items: { type: "integer" } },
+                    },
+                    required: ["task", "role"],
+                },
+            },
+        },
+        required: ["nodes"],
+    }),
+};
 /** Build a sub-agent run spec for a kernel-generated workflow node. */
 export function workflowNodeToSpec(node, parentSessionId) {
     return {

package/dist/types.d.ts

@@ -1,3 +1,4 @@
+import type { WorkflowNodeSpec } from "./runtime/types/agent.js";
 export interface Message {
     role: "system" | "user" | "assistant" | "tool";
     content: string;
@@ -63,6 +64,11 @@ export interface ToolResultEvent extends StreamEvent {
     isFatal?: boolean;
     errorKind?: ToolErrorKind;
 }
+/** R3-1: a workflow node's agent called `submit_workflow_nodes`; the runner surfaces the requested nodes (the workflow lives in the parent kernel) and `runWorkflow` sends them to the parent kernel. */
+export interface WorkflowNodesSubmittedEvent extends StreamEvent {
+    type: "workflow_nodes_submitted";
+    nodes: WorkflowNodeSpec[];
+}
 export interface DoneEvent extends StreamEvent {
     type: "done";
     iterations: number;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@deepstrike/wasm",
-  "version": "0.2.9",
+  "version": "0.2.11",
   "description": "DeepStrike WASM SDK — browser, Cloudflare Workers, Deno Deploy",
   "type": "module",
   "main": "dist/index.js",
@@ -15,7 +15,7 @@
     "test": "node --experimental-vm-modules node_modules/.bin/jest"
   },
   "dependencies": {
-    "@deepstrike/wasm-kernel": "0.2.9"
+    "@deepstrike/wasm-kernel": "0.2.11"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",