@devtrack-solution/codesdd 1.2.3 → 1.2.4-rc3

package/dist/core/sdd/plugin-broker.d.ts

@@ -31,8 +31,8 @@ export declare const pluginInvocationEnvelopeSchema: z.ZodObject<{
         env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
         network: z.ZodEnum<{
             disabled: "disabled";
-            restricted: "restricted";
             enabled: "enabled";
+            restricted: "restricted";
         }>;
         process_spawn: z.ZodEnum<{
             forbidden: "forbidden";
@@ -56,6 +56,79 @@ export declare const pluginArtifactManifestEntrySchema: z.ZodObject<{
     checksum_before: z.ZodOptional<z.ZodString>;
     checksum_after: z.ZodOptional<z.ZodString>;
     content_type: z.ZodOptional<z.ZodString>;
+    artifact_kind: z.ZodOptional<z.ZodEnum<{
+        documentation: "documentation";
+        schema: "schema";
+        configuration: "configuration";
+        source: "source";
+        migration: "migration";
+        evidence: "evidence";
+        test: "test";
+        asset: "asset";
+        "package-metadata": "package-metadata";
+    }>>;
+    role: z.ZodOptional<z.ZodEnum<{
+        documentation: "documentation";
+        type: "type";
+        validator: "validator";
+        evidence: "evidence";
+        test: "test";
+        interface: "interface";
+        implementation: "implementation";
+        abstraction: "abstraction";
+        "business-object": "business-object";
+        "value-object": "value-object";
+        entity: "entity";
+        "repository-port": "repository-port";
+        "use-case": "use-case";
+        service: "service";
+        handler: "handler";
+        adapter: "adapter";
+        mapper: "mapper";
+        module: "module";
+        controller: "controller";
+        dto: "dto";
+        policy: "policy";
+        manifest: "manifest";
+        fixture: "fixture";
+    }>>;
+    layer: z.ZodOptional<z.ZodEnum<{
+        sdd: "sdd";
+        config: "config";
+        domain: "domain";
+        docs: "docs";
+        root: "root";
+        application: "application";
+        infrastructure: "infrastructure";
+        presentation: "presentation";
+        shared: "shared";
+        tests: "tests";
+        assets: "assets";
+    }>>;
+    language: z.ZodOptional<z.ZodEnum<{
+        shell: "shell";
+        other: "other";
+        typescript: "typescript";
+        javascript: "javascript";
+        python: "python";
+        java: "java";
+        go: "go";
+        rust: "rust";
+        csharp: "csharp";
+        php: "php";
+        ruby: "ruby";
+    }>>;
+    context: z.ZodOptional<z.ZodString>;
+    implementation: z.ZodOptional<z.ZodEnum<{
+        contract: "contract";
+        manual: "manual";
+        concrete: "concrete";
+        abstract: "abstract";
+        generated: "generated";
+    }>>;
+    decision_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    source_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
 }, z.core.$strip>;
 export declare const pluginArtifactManifestSchema: z.ZodObject<{
     schema_version: z.ZodLiteral<1>;
@@ -92,6 +165,79 @@ export declare const pluginArtifactManifestSchema: z.ZodObject<{
         checksum_before: z.ZodOptional<z.ZodString>;
         checksum_after: z.ZodOptional<z.ZodString>;
         content_type: z.ZodOptional<z.ZodString>;
+        artifact_kind: z.ZodOptional<z.ZodEnum<{
+            documentation: "documentation";
+            schema: "schema";
+            configuration: "configuration";
+            source: "source";
+            migration: "migration";
+            evidence: "evidence";
+            test: "test";
+            asset: "asset";
+            "package-metadata": "package-metadata";
+        }>>;
+        role: z.ZodOptional<z.ZodEnum<{
+            documentation: "documentation";
+            type: "type";
+            validator: "validator";
+            evidence: "evidence";
+            test: "test";
+            interface: "interface";
+            implementation: "implementation";
+            abstraction: "abstraction";
+            "business-object": "business-object";
+            "value-object": "value-object";
+            entity: "entity";
+            "repository-port": "repository-port";
+            "use-case": "use-case";
+            service: "service";
+            handler: "handler";
+            adapter: "adapter";
+            mapper: "mapper";
+            module: "module";
+            controller: "controller";
+            dto: "dto";
+            policy: "policy";
+            manifest: "manifest";
+            fixture: "fixture";
+        }>>;
+        layer: z.ZodOptional<z.ZodEnum<{
+            sdd: "sdd";
+            config: "config";
+            domain: "domain";
+            docs: "docs";
+            root: "root";
+            application: "application";
+            infrastructure: "infrastructure";
+            presentation: "presentation";
+            shared: "shared";
+            tests: "tests";
+            assets: "assets";
+        }>>;
+        language: z.ZodOptional<z.ZodEnum<{
+            shell: "shell";
+            other: "other";
+            typescript: "typescript";
+            javascript: "javascript";
+            python: "python";
+            java: "java";
+            go: "go";
+            rust: "rust";
+            csharp: "csharp";
+            php: "php";
+            ruby: "ruby";
+        }>>;
+        context: z.ZodOptional<z.ZodString>;
+        implementation: z.ZodOptional<z.ZodEnum<{
+            contract: "contract";
+            manual: "manual";
+            concrete: "concrete";
+            abstract: "abstract";
+            generated: "generated";
+        }>>;
+        decision_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        source_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
     }, z.core.$strip>>>;
     validation_evidence: z.ZodDefault<z.ZodArray<z.ZodObject<{
         command: z.ZodString;
@@ -185,8 +331,8 @@ export declare const pluginRuntimeInvocationEnvelopeSchema: z.ZodObject<{
         env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
         network: z.ZodEnum<{
             disabled: "disabled";
-            restricted: "restricted";
             enabled: "enabled";
+            restricted: "restricted";
         }>;
         process_spawn: z.ZodEnum<{
             forbidden: "forbidden";
@@ -345,8 +491,8 @@ export declare const pluginRuntimeInvocationPlanSchema: z.ZodObject<{
             env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
             network: z.ZodEnum<{
                 disabled: "disabled";
-                restricted: "restricted";
                 enabled: "enabled";
+                restricted: "restricted";
             }>;
             process_spawn: z.ZodEnum<{
                 forbidden: "forbidden";
@@ -445,6 +591,79 @@ export declare const pluginRuntimeInvocationPlanSchema: z.ZodObject<{
             checksum_before: z.ZodOptional<z.ZodString>;
             checksum_after: z.ZodOptional<z.ZodString>;
             content_type: z.ZodOptional<z.ZodString>;
+            artifact_kind: z.ZodOptional<z.ZodEnum<{
+                documentation: "documentation";
+                schema: "schema";
+                configuration: "configuration";
+                source: "source";
+                migration: "migration";
+                evidence: "evidence";
+                test: "test";
+                asset: "asset";
+                "package-metadata": "package-metadata";
+            }>>;
+            role: z.ZodOptional<z.ZodEnum<{
+                documentation: "documentation";
+                type: "type";
+                validator: "validator";
+                evidence: "evidence";
+                test: "test";
+                interface: "interface";
+                implementation: "implementation";
+                abstraction: "abstraction";
+                "business-object": "business-object";
+                "value-object": "value-object";
+                entity: "entity";
+                "repository-port": "repository-port";
+                "use-case": "use-case";
+                service: "service";
+                handler: "handler";
+                adapter: "adapter";
+                mapper: "mapper";
+                module: "module";
+                controller: "controller";
+                dto: "dto";
+                policy: "policy";
+                manifest: "manifest";
+                fixture: "fixture";
+            }>>;
+            layer: z.ZodOptional<z.ZodEnum<{
+                sdd: "sdd";
+                config: "config";
+                domain: "domain";
+                docs: "docs";
+                root: "root";
+                application: "application";
+                infrastructure: "infrastructure";
+                presentation: "presentation";
+                shared: "shared";
+                tests: "tests";
+                assets: "assets";
+            }>>;
+            language: z.ZodOptional<z.ZodEnum<{
+                shell: "shell";
+                other: "other";
+                typescript: "typescript";
+                javascript: "javascript";
+                python: "python";
+                java: "java";
+                go: "go";
+                rust: "rust";
+                csharp: "csharp";
+                php: "php";
+                ruby: "ruby";
+            }>>;
+            context: z.ZodOptional<z.ZodString>;
+            implementation: z.ZodOptional<z.ZodEnum<{
+                contract: "contract";
+                manual: "manual";
+                concrete: "concrete";
+                abstract: "abstract";
+                generated: "generated";
+            }>>;
+            decision_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            source_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
         }, z.core.$strip>>>;
         validation_evidence: z.ZodDefault<z.ZodArray<z.ZodObject<{
             command: z.ZodString;
@@ -526,8 +745,8 @@ export declare const pluginDryRunExecutionPlanSchema: z.ZodObject<{
             env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
             network: z.ZodEnum<{
                 disabled: "disabled";
-                restricted: "restricted";
                 enabled: "enabled";
+                restricted: "restricted";
             }>;
             process_spawn: z.ZodEnum<{
                 forbidden: "forbidden";

package/dist/core/sdd/plugin-broker.js

@@ -1,6 +1,7 @@
 import { z } from 'zod';
 import { pluginRegistryStateSchema, resolvePluginCapability, } from './plugin-registry.js';
 import { evaluatePluginTrustPolicy, pluginPolicyEvaluationSchema } from './plugin-policy.js';
+import { pluginArtifactKindSchema, pluginArtifactLayerSchema, pluginArtifactRoleSchema, pluginRuntimeLanguageSchema, } from './plugin-sdk-contract.js';
 const FEATURE_REF_PATTERN = /^FEAT-\d{4}$/;
 const OPERATION_ID_PATTERN = /^[a-z0-9][a-z0-9-]*$/;
 const jsonObjectSchema = z.record(z.string(), z.unknown());
@@ -51,6 +52,15 @@ export const pluginArtifactManifestEntrySchema = z.object({
     checksum_before: z.string().optional(),
     checksum_after: z.string().optional(),
     content_type: z.string().optional(),
+    artifact_kind: pluginArtifactKindSchema.optional(),
+    role: pluginArtifactRoleSchema.optional(),
+    layer: pluginArtifactLayerSchema.optional(),
+    language: pluginRuntimeLanguageSchema.optional(),
+    context: z.string().min(1).optional(),
+    implementation: z.enum(['concrete', 'abstract', 'contract', 'generated', 'manual']).optional(),
+    decision_refs: z.array(z.string().regex(/^(?:ADR|DEB|EPIC|FEAT|INS)-\d{4}$/)).optional(),
+    source_refs: z.array(z.string().min(1)).optional(),
+    tags: z.array(z.string().min(1)).optional(),
 });
 export const pluginArtifactManifestSchema = z.object({
     schema_version: z.literal(1),

package/dist/core/sdd/plugin-cli.d.ts

@@ -1,6 +1,7 @@
 import { type DevTrackApiScaffoldDryRunPlan } from './devtrack-api-appliance.js';
 import { type PluginRuntimeInvocationPlan } from './plugin-broker.js';
 import { type PluginManifest } from './plugin-manifest.js';
+import { type CodesddStorageBoundaryClassification } from './runtime-boundary-contract.js';
 type PluginInvocationMode = 'dry-run' | 'apply' | 'rollback';
 export interface PluginCliInspectResult {
     schema_version: 1;
@@ -39,6 +40,7 @@ export interface PluginCliPlanOptions {
     requested_env?: string[];
     network_domains?: string[];
     process_spawn_requested?: boolean;
+    project_root?: string;
     technology?: {
         language?: string;
         framework?: string;
@@ -88,6 +90,34 @@ export interface PluginCliWorkcellRunner {
     rollback: {
         supported: boolean;
     };
+    standalone: {
+        schema_version: 1;
+        status: 'ready' | 'blocked';
+        package_governance: {
+            status: 'passed' | 'blocked';
+            package_name?: string;
+            sdk_package?: string;
+            versioning?: string;
+            registry?: string;
+            issues: string[];
+        };
+        language_runtime: {
+            bridge?: string;
+            input_transport?: string;
+            output_transport?: string;
+            command?: string;
+        };
+        storage_boundary: {
+            status: 'passed' | 'blocked';
+            project_root: string;
+            classifications: CodesddStorageBoundaryClassification[];
+            findings: Array<{
+                path: string;
+                boundary: string;
+                message: string;
+            }>;
+        };
+    };
 }
 export interface DevTrackApiScaffoldDryRunCliOptions {
     feature_ref: string;

package/dist/core/sdd/plugin-cli.js

@@ -4,6 +4,8 @@ import { FeatureLintService } from './services/feature-lint.service.js';
 import { buildPluginRuntimeInvocationPlan, pluginRuntimeInvocationRequestSchema, } from './plugin-broker.js';
 import { loadPluginManifest } from './plugin-manifest.js';
 import { createPluginRegistryState } from './plugin-registry.js';
+import { validatePluginPackageGovernance } from './plugin-sdk-contract.js';
+import { classifyCodesddStoragePath, validateCodesddStoragePaths, } from './runtime-boundary-contract.js';
 export async function inspectPluginManifestFromFile(manifestPath) {
     const manifest = await loadPluginManifest(manifestPath);
     return buildInspectResult(manifest, manifestPath);
@@ -41,11 +43,20 @@ export async function planPluginInvocationFromFile(manifestPath, options) {
         process_spawn_requested: options.process_spawn_requested ?? false,
     });
     const plan = buildPluginRuntimeInvocationPlan(registry, request);
+    const projectRoot = path.resolve(options.project_root ?? process.cwd());
+    const plannedStoragePaths = [
+        ...(options.requested_write_scope ?? []),
+        ...(options.planned_writes ?? []),
+    ].map((entry) => path.resolve(projectRoot, entry));
+    const standalone = buildStandaloneRunnerPolicy(manifest, plan, {
+        projectRoot,
+        plannedStoragePaths,
+    });
     return {
         schema_version: 1,
         manifest_path: normalizeManifestPath(manifestPath),
         plan,
-        workcell_runner: buildWorkcellRunner(manifest, plan),
+        workcell_runner: buildWorkcellRunner(manifest, plan, standalone),
     };
 }
 export async function planDevTrackApiScaffoldDryRunFromFile(manifestPath, options) {
@@ -127,7 +138,7 @@ function buildInspectResult(manifest, manifestPath) {
         compression: manifest.compression,
     };
 }
-function buildWorkcellRunner(manifest, plan) {
+function buildWorkcellRunner(manifest, plan, standalone) {
     const capability = manifest.capabilities.find((entry) => entry.name === plan.request.capability);
     const envelope = plan.envelope;
     const executable = envelope?.command.executable ?? manifest.execution.command;
@@ -154,7 +165,7 @@ function buildWorkcellRunner(manifest, plan) {
         : null;
     return {
         schema_version: 1,
-        status: plan.status,
+        status: plan.status === 'ready' && standalone.status === 'blocked' ? 'blocked' : plan.status,
         parameterization: {
             owner: 'llm',
             source: 'runtime-plan-request',
@@ -186,8 +197,64 @@ function buildWorkcellRunner(manifest, plan) {
         rollback: {
             supported: capability?.supports_rollback ?? false,
         },
+        standalone,
+    };
+}
+function buildStandaloneRunnerPolicy(manifest, plan, options) {
+    const packageGovernance = evaluatePackageGovernance(manifest);
+    const storageValidation = validateCodesddStoragePaths(options.plannedStoragePaths, {
+        projectRoot: options.projectRoot,
+    });
+    const status = plan.status === 'ready' &&
+        packageGovernance.status === 'passed' &&
+        storageValidation.valid
+        ? 'ready'
+        : 'blocked';
+    return {
+        schema_version: 1,
+        status,
+        package_governance: packageGovernance,
+        language_runtime: {
+            bridge: manifest.language_runtime?.bridge,
+            input_transport: manifest.language_runtime?.input_transport,
+            output_transport: manifest.language_runtime?.output_transport,
+            command: manifest.language_runtime?.command ?? manifest.execution.command,
+        },
+        storage_boundary: {
+            status: storageValidation.valid ? 'passed' : 'blocked',
+            project_root: options.projectRoot,
+            classifications: storageValidation.classifications.length > 0
+                ? storageValidation.classifications
+                : [classifyCodesddStoragePath(options.projectRoot, { projectRoot: options.projectRoot })],
+            findings: storageValidation.findings,
+        },
     };
 }
+function evaluatePackageGovernance(manifest) {
+    if (!manifest.package_governance) {
+        return {
+            status: 'blocked',
+            issues: ['PACKAGE_GOVERNANCE_MISSING: standalone plugins must declare package_governance.'],
+        };
+    }
+    try {
+        const governance = validatePluginPackageGovernance(manifest.package_governance, `${manifest.id} package_governance`);
+        return {
+            status: 'passed',
+            package_name: governance.package_name,
+            sdk_package: governance.sdk_package,
+            versioning: governance.versioning,
+            registry: governance.registry,
+            issues: [],
+        };
+    }
+    catch (error) {
+        return {
+            status: 'blocked',
+            issues: [error instanceof Error ? error.message : String(error)],
+        };
+    }
+}
 function isCompressionExcluded(executable, excludes) {
     const baseName = path.basename(executable);
     return excludes.some((entry) => entry === executable || entry === baseName);

package/dist/core/sdd/plugin-evidence.d.ts

@@ -97,6 +97,79 @@ export declare const pluginEvidenceManifestSchema: z.ZodObject<{
             checksum_before: z.ZodOptional<z.ZodString>;
             checksum_after: z.ZodOptional<z.ZodString>;
             content_type: z.ZodOptional<z.ZodString>;
+            artifact_kind: z.ZodOptional<z.ZodEnum<{
+                documentation: "documentation";
+                schema: "schema";
+                configuration: "configuration";
+                source: "source";
+                migration: "migration";
+                evidence: "evidence";
+                test: "test";
+                asset: "asset";
+                "package-metadata": "package-metadata";
+            }>>;
+            role: z.ZodOptional<z.ZodEnum<{
+                documentation: "documentation";
+                type: "type";
+                validator: "validator";
+                evidence: "evidence";
+                test: "test";
+                interface: "interface";
+                implementation: "implementation";
+                abstraction: "abstraction";
+                "business-object": "business-object";
+                "value-object": "value-object";
+                entity: "entity";
+                "repository-port": "repository-port";
+                "use-case": "use-case";
+                service: "service";
+                handler: "handler";
+                adapter: "adapter";
+                mapper: "mapper";
+                module: "module";
+                controller: "controller";
+                dto: "dto";
+                policy: "policy";
+                manifest: "manifest";
+                fixture: "fixture";
+            }>>;
+            layer: z.ZodOptional<z.ZodEnum<{
+                sdd: "sdd";
+                config: "config";
+                domain: "domain";
+                docs: "docs";
+                root: "root";
+                application: "application";
+                infrastructure: "infrastructure";
+                presentation: "presentation";
+                shared: "shared";
+                tests: "tests";
+                assets: "assets";
+            }>>;
+            language: z.ZodOptional<z.ZodEnum<{
+                shell: "shell";
+                other: "other";
+                typescript: "typescript";
+                javascript: "javascript";
+                python: "python";
+                java: "java";
+                go: "go";
+                rust: "rust";
+                csharp: "csharp";
+                php: "php";
+                ruby: "ruby";
+            }>>;
+            context: z.ZodOptional<z.ZodString>;
+            implementation: z.ZodOptional<z.ZodEnum<{
+                contract: "contract";
+                manual: "manual";
+                concrete: "concrete";
+                abstract: "abstract";
+                generated: "generated";
+            }>>;
+            decision_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            source_refs: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
         }, z.core.$strip>>>;
         validation_evidence: z.ZodDefault<z.ZodArray<z.ZodObject<{
             command: z.ZodString;

package/dist/core/sdd/plugin-manifest.d.ts

@@ -57,6 +57,74 @@ export declare const pluginManifestSchema: z.ZodObject<{
         package_manager: z.ZodOptional<z.ZodString>;
         min_versions: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
     }, z.core.$strip>;
+    package_governance: z.ZodOptional<z.ZodObject<{
+        package_name: z.ZodString;
+        sdk_package: z.ZodDefault<z.ZodString>;
+        sdk_version: z.ZodDefault<z.ZodString>;
+        package_kind: z.ZodEnum<{
+            frontend: "frontend";
+            backend: "backend";
+            "full-stack": "full-stack";
+            generator: "generator";
+            validator: "validator";
+            evidence: "evidence";
+            "agent-adapter": "agent-adapter";
+            "policy-pack": "policy-pack";
+        }>;
+        versioning: z.ZodDefault<z.ZodLiteral<"semver">>;
+        registry: z.ZodDefault<z.ZodEnum<{
+            custom: "custom";
+            workspace: "workspace";
+            npm: "npm";
+            "private-npm": "private-npm";
+            "artifact-registry": "artifact-registry";
+        }>>;
+        keywords: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        internal_package: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    language_runtime: z.ZodOptional<z.ZodObject<{
+        language: z.ZodEnum<{
+            shell: "shell";
+            other: "other";
+            typescript: "typescript";
+            javascript: "javascript";
+            python: "python";
+            java: "java";
+            go: "go";
+            rust: "rust";
+            csharp: "csharp";
+            php: "php";
+            ruby: "ruby";
+        }>;
+        runtime: z.ZodString;
+        bridge: z.ZodEnum<{
+            "node-library": "node-library";
+            "stdio-json": "stdio-json";
+            "process-cli": "process-cli";
+            "http-local": "http-local";
+            container: "container";
+            wasm: "wasm";
+        }>;
+        input_transport: z.ZodEnum<{
+            "sdk-call": "sdk-call";
+            "stdin-json": "stdin-json";
+            "stdout-json": "stdout-json";
+            "file-envelope": "file-envelope";
+            "http-json": "http-json";
+        }>;
+        output_transport: z.ZodEnum<{
+            "sdk-call": "sdk-call";
+            "stdin-json": "stdin-json";
+            "stdout-json": "stdout-json";
+            "file-envelope": "file-envelope";
+            "http-json": "http-json";
+        }>;
+        command: z.ZodOptional<z.ZodString>;
+        args: z.ZodDefault<z.ZodArray<z.ZodString>>;
+        package_manager: z.ZodOptional<z.ZodString>;
+        min_versions: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+        env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>;
     capabilities: z.ZodArray<z.ZodObject<{
         name: z.ZodString;
         description: z.ZodString;
@@ -88,8 +156,8 @@ export declare const pluginManifestSchema: z.ZodObject<{
         env_allowlist: z.ZodDefault<z.ZodArray<z.ZodString>>;
         network: z.ZodDefault<z.ZodEnum<{
             disabled: "disabled";
-            restricted: "restricted";
             enabled: "enabled";
+            restricted: "restricted";
         }>>;
         process_spawn: z.ZodDefault<z.ZodEnum<{
             forbidden: "forbidden";

package/dist/core/sdd/plugin-manifest.js

@@ -2,6 +2,7 @@ import fs from 'node:fs/promises';
 import path from 'node:path';
 import { parse as parseYaml } from 'yaml';
 import { toJSONSchema, z } from 'zod';
+import { pluginPackageGovernanceSchema, pluginLanguageRuntimeSchema } from './plugin-sdk-contract.js';
 const JSON_SCHEMA_DRAFT = 'https://json-schema.org/draft/2020-12/schema';
 const PLUGIN_ID_PATTERN = /^codesdd-plugin-[a-z0-9][a-z0-9-]*$/;
 const SEMVER_PATTERN = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
@@ -74,6 +75,8 @@ export const pluginManifestSchema = z
         package_manager: z.string().optional(),
         min_versions: z.record(z.string(), z.string()).default({}),
     }),
+    package_governance: pluginPackageGovernanceSchema.optional(),
+    language_runtime: pluginLanguageRuntimeSchema.optional(),
     capabilities: z.array(pluginCapabilitySchema).min(1),
     execution: z.object({
         command: z.string().min(1),
@@ -120,6 +123,13 @@ export const pluginManifestSchema = z
     }),
 })
     .superRefine((manifest, context) => {
+    if (manifest.language_runtime && manifest.language_runtime.language !== manifest.technology.language) {
+        context.addIssue({
+            code: 'custom',
+            path: ['language_runtime', 'language'],
+            message: 'Language runtime language must match technology.language.',
+        });
+    }
     const duplicateCapabilityNames = findDuplicates(manifest.capabilities.map((capability) => capability.name));
     for (const duplicateName of duplicateCapabilityNames) {
         context.addIssue({

package/dist/core/sdd/plugin-policy-pack.d.ts

@@ -37,8 +37,8 @@ export declare const pluginPolicyPackSchema: z.ZodObject<{
         execution: z.ZodDefault<z.ZodObject<{
             network: z.ZodOptional<z.ZodEnum<{
                 disabled: "disabled";
-                restricted: "restricted";
                 enabled: "enabled";
+                restricted: "restricted";
             }>>;
             process_spawn: z.ZodOptional<z.ZodEnum<{
                 forbidden: "forbidden";