@growthub/cli 0.14.9 → 0.14.10

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/metadata-graph/route.js

@@ -35,6 +35,11 @@ import { readWorkspaceConfig, readWorkspaceSourceRecords } from "@/lib/workspace
 import { buildWorkspaceMetadataStore } from "@/lib/workspace-metadata-store";
 import { buildWorkspaceMetadataGraph } from "@/lib/workspace-metadata-graph";
 import { selectStaleMetadataGroups } from "@/lib/workspace-metadata-selectors";
+import { deriveBlastRadius } from "@/lib/workspace-metadata-impact";
+import { deriveStaleSurfaces } from "@/lib/workspace-stale-surfaces";
+import { deriveWorkflowImpact } from "@/lib/workspace-workflow-impact";
+import { deriveProvenanceLineage } from "@/lib/workspace-provenance-lineage";
+import { deriveAppReadiness } from "@/lib/workspace-app-readiness";
 
 const ENVELOPE_KIND = "growthub-workspace-metadata-graph-v1";
 const ENVELOPE_VERSION = 1;
@@ -111,10 +116,17 @@ async function GET(request) {
   // Optional stale-group selector via query params.
   let staleGroups = [];
   let staleReasons = [];
+  // Parse all causal query params from one URL read.
+  let impactId = "";
+  let lineageId = "";
+  let lineageDirection = "both";
   try {
     const url = request && request.url ? new URL(request.url) : null;
     const staleKind = url ? (url.searchParams.get("staleKind") || "").trim() : "";
     const staleId = url ? (url.searchParams.get("staleId") || "").trim() : "";
+    impactId = url ? (url.searchParams.get("impactId") || "").trim() : "";
+    lineageId = url ? (url.searchParams.get("lineageId") || "").trim() : "";
+    lineageDirection = url ? (url.searchParams.get("lineageDirection") || "both").trim() : "both";
     if (staleKind && staleId) {
       const result = selectStaleMetadataGroups(metadataStore, { kind: staleKind, id: staleId });
       staleGroups = Array.isArray(result?.groups) ? result.groups : [];
@@ -124,6 +136,30 @@ async function GET(request) {
     warnings.push(`Failed to compute stale groups: ${error?.message || "unknown error"}`);
   }
 
+  // Causal derivations over the same read-only graph (Mutation → Law →
+  // Intelligence). All pure, all bounded, all secret-free. `staleSurfaces` is
+  // the unconditional freshness baseline (timestamps already in the graph);
+  // `impact` and `lineage` are computed on demand for one node.
+  let staleSurfaces = null;
+  let readiness = null;
+  let impact = null;
+  let lineage = null;
+  try {
+    staleSurfaces = deriveStaleSurfaces(graph);
+    readiness = deriveAppReadiness(graph);
+    if (impactId) {
+      impact = {
+        blastRadius: deriveBlastRadius(graph, impactId),
+        workflowImpact: deriveWorkflowImpact(graph, impactId)
+      };
+    }
+    if (lineageId) {
+      lineage = deriveProvenanceLineage(graph, lineageId, { direction: lineageDirection });
+    }
+  } catch (error) {
+    warnings.push(`Failed to compute causal derivations: ${error?.message || "unknown error"}`);
+  }
+
   return NextResponse.json({
     kind: ENVELOPE_KIND,
     version: ENVELOPE_VERSION,
@@ -163,6 +199,11 @@ async function GET(request) {
       groups: staleGroups,
       reasons: staleReasons
     },
+    // Causal intelligence layer — read-only derivations over `graph` above.
+    staleSurfaces,
+    readiness,
+    ...(impact ? { impact } : {}),
+    ...(lineage ? { lineage } : {}),
     warnings,
     selectors: {
       // Manifest of selectors the route honours. Only `selectStaleMetadataGroups`
@@ -170,7 +211,14 @@ async function GET(request) {
       // selectors are exposed as importable helpers for server-side consumers
       // and the read-only inspector; they are NOT toggled through query
       // params in V1.
-      httpEnabled: ["selectStaleMetadataGroups"],
+      httpEnabled: [
+        "selectStaleMetadataGroups",
+        "deriveStaleSurfaces",
+        "deriveBlastRadius",
+        "deriveWorkflowImpact",
+        "deriveProvenanceLineage",
+        "deriveAppReadiness"
+      ],
       helperOnly: [
         "selectWidgetRequiredFields",
         "selectWorkflowNodeInputSchema",

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/patch/preflight/route.js

@@ -35,6 +35,38 @@ import {
 } from "@/lib/workspace-patch-policy";
 import { evaluateAppScope, requireAppScope } from "@/lib/workspace-app-registry";
 import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { readWorkspaceSourceRecords } from "@/lib/workspace-config";
+import { buildWorkspaceMetadataStore } from "@/lib/workspace-metadata-store";
+import { buildWorkspaceMetadataGraph } from "@/lib/workspace-metadata-graph";
+import { derivePatchImpact } from "@/lib/workspace-patch-impact";
+
+/**
+ * Report the blast radius of a proposed patch BEFORE the write — the S1
+ * spine's intended preflight consumption. Builds the metadata graph from the
+ * MERGED config (what the workspace becomes if this patch lands), maps the
+ * patched dataModel objects / dashboards to their graph node ids, and runs the
+ * pure `deriveStaleSurfaces` seed path over them. Pure, additive, never
+ * throws — on any failure the preflight verdict is unaffected and `impact`
+ * is simply omitted.
+ */
+async function computePatchImpact(currentConfig, mergedConfig, patch) {
+  try {
+    if (!patch || typeof patch !== "object" || Array.isArray(patch)) return null;
+    let sourceRecords = {};
+    try { sourceRecords = (await readWorkspaceSourceRecords()) || {}; } catch { sourceRecords = {}; }
+    // Build BOTH graphs so the impact deriver can report not just added/modified
+    // (on the merged graph) but also REMOVED objects/dashboards (whose downstream
+    // lived in the current graph). One shared, unit-tested deriver does the diff.
+    const buildGraph = (cfg) => buildWorkspaceMetadataGraph(buildWorkspaceMetadataStore({ workspaceConfig: cfg || {}, workspaceSourceRecords: sourceRecords }));
+    const currentGraph = buildGraph(currentConfig);
+    const mergedGraph = buildGraph(mergedConfig);
+    const impact = derivePatchImpact(currentGraph, mergedGraph, currentConfig || {}, mergedConfig || {});
+    if (!impact.total && !impact.removed.length) return null;
+    return impact;
+  } catch {
+    return null;
+  }
+}
 
 async function POST(request) {
   let patch;
@@ -66,12 +98,14 @@ async function POST(request) {
   // PATCH about the merged result. Skipped when the body is not a plain
   // object (policy already reports that).
   let schema = { ok: true, errors: [] };
+  let mergedConfig = null;
   if (patch && typeof patch === "object" && !Array.isArray(patch)) {
     const sanitized = {};
     for (const key of WORKSPACE_PATCH_ALLOWED_FIELDS) {
       if (Object.prototype.hasOwnProperty.call(patch, key)) sanitized[key] = patch[key];
     }
     const merged = applyWorkspaceConfigPatch(currentConfig || {}, sanitized);
+    mergedConfig = merged;
     try {
       validateWorkspaceConfig({
         dashboards: merged.dashboards,
@@ -103,6 +137,9 @@ async function POST(request) {
     }
   }
 
+  // Blast radius of this patch BEFORE the write (additive; never blocks).
+  const impact = await computePatchImpact(currentConfig, mergedConfig, patch);
+
   const persistence = describePersistenceMode();
   const ok = policy.ok && schema.ok && (appScopeVerdict ? appScopeVerdict.allowed : true);
   const repairPlan = repairPlanForViolations(policy.violations);
@@ -140,6 +177,7 @@ async function POST(request) {
     schema,
     repairPlan,
     ...(appScopeVerdict ? { appScopeVerdict } : {}),
+    ...(impact ? { impact } : {}),
     ...(safeNextStep ? { safeNextStep } : {}),
     persistence: {
       mode: persistence.mode,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-graph-runner.js

@@ -62,6 +62,27 @@ function buildAuthHeaders(record, secretValue) {
   return { [headerName]: prefix ? `${prefix} ${secretValue}` : secretValue };
 }
 
+function executeFeatureSeedMock(url, { registryId, method, startedAt }) {
+  if (!String(url || "").startsWith("mock://growthub-feature-seed/")) return null;
+  return {
+    ok: true,
+    exitCode: 0,
+    durationMs: Date.now() - startedAt,
+    stdout: JSON.stringify({ ok: true, status: 200, data: [{ id: "rec-1", label: "Probe record", registryId }] }, null, 2),
+    stderr: "",
+    rawPayload: { ok: true, status: 200, data: [{ id: "rec-1", label: "Probe record", registryId }] },
+    httpStatus: 200,
+    adapterMeta: {
+      mode: "orchestration-graph",
+      registryId,
+      url,
+      httpStatus: 200,
+      method,
+      transport: "feature-seed-mock"
+    }
+  };
+}
+
 function findRegistryRecord(workspaceConfig, registryId) {
   const id = String(registryId || "").trim();
   if (!id) return null;
@@ -203,6 +224,12 @@ async function executeApiRegistryCall(workspaceConfig, nodeConfig, inputPayload,
     }
   }
 
+  const mockResult = executeFeatureSeedMock(url, { registryId, method, startedAt });
+  if (mockResult) {
+    clearTimeout(timer);
+    return mockResult;
+  }
+
   try {
     const response = await fetch(url, {
       method,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-app-readiness.js

@@ -0,0 +1,212 @@
+/**
+ * Growthub Workspace App-Readiness V1 — ship-readiness deriver.
+ *
+ * Composes the signals the workspace already records into ONE app-scoped
+ * eligibility verdict: `{ ready, blocking[], nextAction }`. Eligibility, not a
+ * flag — readiness is computed from the live state every call, never stored.
+ *
+ * Signal sources, all already present in the read-only metadata graph the
+ * Workspace Map builds:
+ *   - integration.status      — an unconnected integration blocks its dependents
+ *   - sandbox.authStatus      — an unauthenticated sandbox cannot run
+ *   - pipelineHealth.status / latestOk — an untested or failing pipeline blocks
+ *   - workflow.lifecycleStatus — a draft-only workflow is a soft (non-blocking)
+ *                                signal that proof is still pending
+ *
+ * Callers that hold richer signals (env-status, deploy check shape, swarm
+ * eligibility) may pass them via `options.extraBlockers` / `options.extraSignals`
+ * — they are merged in without changing the shape. Pure: no fetch, no fs, no
+ * writes, no secrets. Deterministic ordering so receipts/diffs stay clean.
+ */
+
+const APP_READINESS_KIND = "growthub-workspace-app-readiness-v1";
+const APP_READINESS_VERSION = 1;
+
+// Severity rank → lower sorts first (most urgent blocker becomes nextAction).
+const SEVERITY = { blocker: 0, warning: 1 };
+
+function safeString(value) {
+  if (value == null) return "";
+  return typeof value === "string" ? value : String(value);
+}
+
+function isConnected(status) {
+  const s = safeString(status).toLowerCase();
+  return s === "connected" || s === "ok" || s === "active" || s === "ready";
+}
+
+// Three-state auth: "authed" | "unauthed" | "unknown". Empty is UNKNOWN, never
+// silently "authed" — unknown auth must not pass as ready (review finding D).
+function authState(status) {
+  const s = safeString(status).toLowerCase();
+  if (["authed", "authenticated", "ok", "connected", "ready"].includes(s)) return "authed";
+  if (!s) return "unknown";
+  return "unauthed";
+}
+
+// A local / no-auth sandbox legitimately has no credential — an intentional
+// exception, not a silent default.
+function isNoAuthSandbox(summary) {
+  const locality = safeString(summary.runLocality).toLowerCase();
+  const adapter = safeString(summary.adapter).toLowerCase();
+  const provider = safeString(summary.authProvider).toLowerCase();
+  return locality === "local" || adapter.includes("local") || provider === "none" || provider === "local";
+}
+
+/**
+ * @param {object} graph a `buildWorkspaceMetadataGraph` envelope
+ * @param {object} [options]
+ * @param {string} [options.appId] restrict to nodes scoped to this app (when
+ *        node summaries carry `appId`/`appScope`); omit for workspace scope.
+ * @param {Array<{severity?:string,code:string,message:string,nextAction?:string}>} [options.extraBlockers]
+ * @param {object} [options.extraSignals] merged verbatim into `signals`.
+ * @returns {object} `{ kind, version, appId, ready, score, blocking[], warnings[], signals, nextAction, summary }`
+ */
+function deriveAppReadiness(graph, options = {}) {
+  const appId = safeString(options.appId).trim() || null;
+
+  const empty = (warning) => ({
+    kind: APP_READINESS_KIND,
+    version: APP_READINESS_VERSION,
+    appId,
+    ready: false,
+    score: 0,
+    blocking: [],
+    warnings: warning ? [warning] : [],
+    signals: {},
+    nextAction: null,
+    summary: "No readiness computed."
+  });
+
+  if (!graph || typeof graph !== "object" || !Array.isArray(graph.nodes)) {
+    return empty("graph missing or malformed");
+  }
+
+  const inScope = (node) => {
+    if (!appId) return true;
+    const scope = node.summary && (node.summary.appId || node.summary.appScope);
+    return safeString(scope) === appId;
+  };
+
+  const nodes = graph.nodes.filter(inScope);
+  const issues = [];
+  const counts = { integrations: 0, sandboxes: 0, pipelines: 0, workflows: 0 };
+
+  for (const node of nodes) {
+    const s = node.summary || {};
+    if (node.type === "integration") {
+      counts.integrations += 1;
+      if (!isConnected(s.status)) {
+        issues.push({
+          severity: "blocker",
+          code: "integration_not_connected",
+          subject: node.label || node.id,
+          message: `Integration "${node.label || node.id}" is ${safeString(s.status) || "not connected"}.`,
+          nextAction: `Connect integration "${node.label || node.id}" (test-source / auth), then re-check readiness.`
+        });
+      }
+    } else if (node.type === "sandbox") {
+      counts.sandboxes += 1;
+      const state = authState(s.authStatus);
+      const subject = node.label || node.id;
+      if (state === "authed" || isNoAuthSandbox(s)) {
+        // authed, or a deliberate local/no-auth sandbox — ready.
+      } else if (state === "unknown") {
+        issues.push({
+          severity: "warning",
+          code: "sandbox_auth_unknown",
+          subject,
+          message: `Sandbox "${subject}" has no auth status — cannot confirm it can run, and it is not marked local/no-auth.`,
+          nextAction: `Authenticate sandbox "${subject}", or mark it local/no-auth (runLocality: local) if it needs no credential.`
+        });
+      } else {
+        issues.push({
+          severity: "blocker",
+          code: "sandbox_unauthenticated",
+          subject,
+          message: `Sandbox "${subject}" auth status is ${safeString(s.authStatus)}.`,
+          nextAction: `Authenticate sandbox "${subject}" before running.`
+        });
+      }
+    } else if (node.type === "pipelineHealth") {
+      counts.pipelines += 1;
+      const status = safeString(s.status).toLowerCase();
+      if (status === "untested" || s.latestOk === false) {
+        issues.push({
+          severity: status === "untested" ? "warning" : "blocker",
+          code: status === "untested" ? "pipeline_untested" : "pipeline_failing",
+          subject: node.label || node.id,
+          message: `Pipeline "${node.label || node.id}" is ${status || "failing"}.`,
+          nextAction: status === "untested"
+            ? `Run "${node.label || node.id}" once to prove it (POST /api/workspace/sandbox-run).`
+            : `Investigate the last failing run of "${node.label || node.id}".`
+        });
+      }
+    } else if (node.type === "workflow") {
+      counts.workflows += 1;
+      if (safeString(s.lifecycleStatus).toLowerCase() === "draft") {
+        issues.push({
+          severity: "warning",
+          code: "workflow_draft_only",
+          subject: node.label || node.id,
+          message: `Workflow "${node.label || node.id}" is draft-only — durable proof pending.`,
+          nextAction: `Prove "${node.label || node.id}" with a sandbox run, then publish.`
+        });
+      }
+    }
+  }
+
+  for (const extra of Array.isArray(options.extraBlockers) ? options.extraBlockers : []) {
+    if (!extra || !extra.code) continue;
+    issues.push({
+      severity: extra.severity === "warning" ? "warning" : "blocker",
+      code: safeString(extra.code),
+      subject: safeString(extra.subject) || safeString(extra.code),
+      message: safeString(extra.message) || safeString(extra.code),
+      nextAction: extra.nextAction ? safeString(extra.nextAction) : null
+    });
+  }
+
+  issues.sort((a, b) =>
+    (SEVERITY[a.severity] ?? 9) - (SEVERITY[b.severity] ?? 9) ||
+    a.code.localeCompare(b.code) ||
+    a.subject.localeCompare(b.subject)
+  );
+
+  const blocking = issues.filter((i) => i.severity === "blocker");
+  const warnings = issues.filter((i) => i.severity === "warning");
+  const ready = blocking.length === 0;
+
+  // Score: 100 when ready and clean; each blocker −25, each warning −5, floored at 0.
+  const score = Math.max(0, 100 - blocking.length * 25 - warnings.length * 5);
+  const nextAction = (blocking[0]?.nextAction)
+    || (warnings[0]?.nextAction)
+    || (ready ? "Ready — promote/deploy through the governed lane." : null);
+
+  return {
+    kind: APP_READINESS_KIND,
+    version: APP_READINESS_VERSION,
+    appId,
+    ready,
+    score,
+    blocking,
+    warnings,
+    signals: { ...counts, ...(options.extraSignals && typeof options.extraSignals === "object" ? options.extraSignals : {}) },
+    nextAction,
+    summary: summarizeReadiness(appId, ready, blocking, warnings, score)
+  };
+}
+
+function summarizeReadiness(appId, ready, blocking, warnings, score) {
+  const scope = appId ? `App "${appId}"` : "Workspace";
+  if (ready && !warnings.length) return `${scope} is ready to ship (score ${score}).`;
+  if (ready) return `${scope} is ready (score ${score}) with ${warnings.length} warning(s).`;
+  return `${scope} is blocked (score ${score}): ${blocking.length} blocker(s), ${warnings.length} warning(s).`;
+}
+
+export {
+  APP_READINESS_KIND,
+  APP_READINESS_VERSION,
+  deriveAppReadiness,
+  summarizeReadiness
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-contract-compliance.js

@@ -0,0 +1,168 @@
+/**
+ * Growthub Workspace Contract-Compliance V1 — governed-mutation predicate.
+ *
+ * Given a PROPOSED mutation and a role/SKILL contract, derive the set of proofs,
+ * ledgers, and review states that must be satisfied for the mutation to be
+ * legal — and which of those are already satisfied by the supplied evidence.
+ *
+ * This is a PURE PREDICATE over law artifacts the caller already holds (the
+ * contract rules + the evidence gathered from receipts/review state). It reads
+ * NO state itself, writes nothing, and exposes no secrets. It does not widen
+ * any mutation boundary — it only reports what the existing governed lanes
+ * require, the same rules the `governed-workspace-mutation` SKILL encodes:
+ *   - live workflow fields are never PATCHed directly — they need a draft, a
+ *     proving sandbox-run, then publish;
+ *   - dataModel / dashboard mutations need a preflight receipt;
+ *   - anything outside the PATCH allowlist is rejected by construction.
+ *
+ * Default contract (when none supplied) mirrors the shipped boundary so the
+ * predicate is useful out of the box; callers pass a stricter contract per role.
+ */
+
+const CONTRACT_COMPLIANCE_KIND = "growthub-workspace-contract-compliance-v1";
+const CONTRACT_COMPLIANCE_VERSION = 1;
+
+// The permanent PATCH allowlist — the floor every contract inherits.
+const DEFAULT_ALLOWED_FIELDS = ["dashboards", "widgetTypes", "canvas", "dataModel"];
+
+function safeString(value) {
+  if (value == null) return "";
+  return typeof value === "string" ? value : String(value);
+}
+
+function asArray(value) {
+  return Array.isArray(value) ? value : [];
+}
+
+function defaultContract() {
+  return {
+    role: "default",
+    allowedFields: DEFAULT_ALLOWED_FIELDS.slice(),
+    // Field groups that require a recorded preflight receipt before the write.
+    requiresReceiptFor: ["dataModel", "dashboards"],
+    // Field groups that require a human/super-admin review state.
+    requiresReviewFor: [],
+    // Live workflow changes must go draft → sandbox-run proof → publish.
+    liveWorkflowRequiresPublishProof: true
+  };
+}
+
+/**
+ * @param {object} mutation the proposed change.
+ *   `{ changedFields: string[], touchesLiveWorkflow?: boolean, lane?: string }`
+ * @param {object} [contract] role/SKILL contract (see `defaultContract`).
+ * @param {object} [evidence] proof already gathered.
+ *   `{ hasPreflightReceipt?: boolean, hasPublishProof?: boolean, reviewState?: string }`
+ * @returns {object} `{ kind, version, role, compliant, required[], satisfied[], missing[], violations[], nextAction, summary }`
+ */
+function deriveContractCompliance(mutation, contract, evidence = {}) {
+  const rules = { ...defaultContract(), ...(contract && typeof contract === "object" ? contract : {}) };
+  const role = safeString(rules.role) || "default";
+
+  const empty = (warning) => ({
+    kind: CONTRACT_COMPLIANCE_KIND,
+    version: CONTRACT_COMPLIANCE_VERSION,
+    role,
+    compliant: false,
+    required: [],
+    satisfied: [],
+    missing: [],
+    violations: warning ? [{ code: "invalid_input", message: warning }] : [],
+    nextAction: null,
+    summary: warning || "No compliance computed."
+  });
+
+  if (!mutation || typeof mutation !== "object") return empty("mutation missing or malformed");
+
+  const changedFields = asArray(mutation.changedFields).map(safeString).filter(Boolean);
+  const allowed = new Set(asArray(rules.allowedFields).map(safeString));
+  const required = [];
+  const satisfied = [];
+  const missing = [];
+  const violations = [];
+
+  // 1. Allowlist — disallowed fields are a hard violation (rejected by the route).
+  for (const field of changedFields) {
+    if (!allowed.has(field)) {
+      violations.push({
+        code: "field_not_allowed",
+        field,
+        message: `Field "${field}" is outside the PATCH allowlist (${Array.from(allowed).join(", ")}).`
+      });
+    }
+  }
+
+  // 2. Preflight receipt requirement.
+  const receiptGroups = new Set(asArray(rules.requiresReceiptFor).map(safeString));
+  if (changedFields.some((f) => receiptGroups.has(f))) {
+    const req = { code: "preflight_receipt", message: "A recorded patch-preflight receipt is required." };
+    required.push(req);
+    (evidence.hasPreflightReceipt ? satisfied : missing).push(req);
+  }
+
+  // 3. Review state requirement.
+  const reviewGroups = new Set(asArray(rules.requiresReviewFor).map(safeString));
+  if (changedFields.some((f) => reviewGroups.has(f))) {
+    const req = { code: "review_state", message: "A human/super-admin review state is required (e.g. approved)." };
+    required.push(req);
+    const reviewOk = ["approved", "accepted", "merged"].includes(safeString(evidence.reviewState).toLowerCase());
+    (reviewOk ? satisfied : missing).push(req);
+  }
+
+  // 4. Live workflow proof chain.
+  if (mutation.touchesLiveWorkflow && rules.liveWorkflowRequiresPublishProof) {
+    const req = { code: "publish_proof", message: "Live workflow change requires draft → sandbox-run proof → publish." };
+    required.push(req);
+    (evidence.hasPublishProof ? satisfied : missing).push(req);
+  }
+
+  const compliant = violations.length === 0 && missing.length === 0;
+  const nextAction = violations.length
+    ? `Remove disallowed field(s): ${violations.filter((v) => v.code === "field_not_allowed").map((v) => v.field).join(", ") || "see violations"}.`
+    : (missing[0]
+      ? missingNextAction(missing[0])
+      : (compliant ? "Compliant — proceed through the governed PATCH/publish lane." : null));
+
+  return {
+    kind: CONTRACT_COMPLIANCE_KIND,
+    version: CONTRACT_COMPLIANCE_VERSION,
+    role,
+    compliant,
+    required,
+    satisfied,
+    missing,
+    violations,
+    nextAction,
+    summary: summarizeCompliance(role, compliant, required, missing, violations)
+  };
+}
+
+function missingNextAction(req) {
+  switch (req.code) {
+    case "preflight_receipt": return "Run POST /api/workspace/patch/preflight and record the receipt before PATCH.";
+    case "review_state": return "Obtain an approved review state before applying.";
+    case "publish_proof": return "Save a draft, prove it with sandbox-run, then POST /api/workspace/workflow/publish.";
+    default: return `Satisfy: ${req.message}`;
+  }
+}
+
+function summarizeCompliance(role, compliant, required, missing, violations) {
+  if (violations.length) {
+    return `Non-compliant (${role}): ${violations.length} hard violation(s) — ${violations[0].message}`;
+  }
+  if (compliant) {
+    return required.length
+      ? `Compliant (${role}): all ${required.length} requirement(s) satisfied.`
+      : `Compliant (${role}): no governed requirements triggered.`;
+  }
+  return `Non-compliant (${role}): ${missing.length} of ${required.length} requirement(s) unmet.`;
+}
+
+export {
+  CONTRACT_COMPLIANCE_KIND,
+  CONTRACT_COMPLIANCE_VERSION,
+  DEFAULT_ALLOWED_FIELDS,
+  defaultContract,
+  deriveContractCompliance,
+  summarizeCompliance
+};