npm - @growthub/cli - Versions diffs - 0.14.9 → 0.14.11 - Mend

@growthub/cli 0.14.9 → 0.14.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-contract-compliance.js ADDED Viewed

@@ -0,0 +1,168 @@
+/**
+ * Growthub Workspace Contract-Compliance V1 — governed-mutation predicate.
+ *
+ * Given a PROPOSED mutation and a role/SKILL contract, derive the set of proofs,
+ * ledgers, and review states that must be satisfied for the mutation to be
+ * legal — and which of those are already satisfied by the supplied evidence.
+ *
+ * This is a PURE PREDICATE over law artifacts the caller already holds (the
+ * contract rules + the evidence gathered from receipts/review state). It reads
+ * NO state itself, writes nothing, and exposes no secrets. It does not widen
+ * any mutation boundary — it only reports what the existing governed lanes
+ * require, the same rules the `governed-workspace-mutation` SKILL encodes:
+ *   - live workflow fields are never PATCHed directly — they need a draft, a
+ *     proving sandbox-run, then publish;
+ *   - dataModel / dashboard mutations need a preflight receipt;
+ *   - anything outside the PATCH allowlist is rejected by construction.
+ *
+ * Default contract (when none supplied) mirrors the shipped boundary so the
+ * predicate is useful out of the box; callers pass a stricter contract per role.
+ */
+const CONTRACT_COMPLIANCE_KIND = "growthub-workspace-contract-compliance-v1";
+const CONTRACT_COMPLIANCE_VERSION = 1;
+// The permanent PATCH allowlist — the floor every contract inherits.
+const DEFAULT_ALLOWED_FIELDS = ["dashboards", "widgetTypes", "canvas", "dataModel"];
+function safeString(value) {
+  if (value == null) return "";
+  return typeof value === "string" ? value : String(value);
+}
+function asArray(value) {
+  return Array.isArray(value) ? value : [];
+}
+function defaultContract() {
+  return {
+    role: "default",
+    allowedFields: DEFAULT_ALLOWED_FIELDS.slice(),
+    // Field groups that require a recorded preflight receipt before the write.
+    requiresReceiptFor: ["dataModel", "dashboards"],
+    // Field groups that require a human/super-admin review state.
+    requiresReviewFor: [],
+    // Live workflow changes must go draft → sandbox-run proof → publish.
+    liveWorkflowRequiresPublishProof: true
+  };
+}
+/**
+ * @param {object} mutation the proposed change.
+ *   `{ changedFields: string[], touchesLiveWorkflow?: boolean, lane?: string }`
+ * @param {object} [contract] role/SKILL contract (see `defaultContract`).
+ * @param {object} [evidence] proof already gathered.
+ *   `{ hasPreflightReceipt?: boolean, hasPublishProof?: boolean, reviewState?: string }`
+ * @returns {object} `{ kind, version, role, compliant, required[], satisfied[], missing[], violations[], nextAction, summary }`
+ */
+function deriveContractCompliance(mutation, contract, evidence = {}) {
+  const rules = { ...defaultContract(), ...(contract && typeof contract === "object" ? contract : {}) };
+  const role = safeString(rules.role) || "default";
+  const empty = (warning) => ({
+    kind: CONTRACT_COMPLIANCE_KIND,
+    version: CONTRACT_COMPLIANCE_VERSION,
+    role,
+    compliant: false,
+    required: [],
+    satisfied: [],
+    missing: [],
+    violations: warning ? [{ code: "invalid_input", message: warning }] : [],
+    nextAction: null,
+    summary: warning || "No compliance computed."
+  });
+  if (!mutation || typeof mutation !== "object") return empty("mutation missing or malformed");
+  const changedFields = asArray(mutation.changedFields).map(safeString).filter(Boolean);
+  const allowed = new Set(asArray(rules.allowedFields).map(safeString));
+  const required = [];
+  const satisfied = [];
+  const missing = [];
+  const violations = [];
+  // 1. Allowlist — disallowed fields are a hard violation (rejected by the route).
+  for (const field of changedFields) {
+    if (!allowed.has(field)) {
+      violations.push({
+        code: "field_not_allowed",
+        field,
+        message: `Field "${field}" is outside the PATCH allowlist (${Array.from(allowed).join(", ")}).`
+      });
+    }
+  }
+  // 2. Preflight receipt requirement.
+  const receiptGroups = new Set(asArray(rules.requiresReceiptFor).map(safeString));
+  if (changedFields.some((f) => receiptGroups.has(f))) {
+    const req = { code: "preflight_receipt", message: "A recorded patch-preflight receipt is required." };
+    required.push(req);
+    (evidence.hasPreflightReceipt ? satisfied : missing).push(req);
+  }
+  // 3. Review state requirement.
+  const reviewGroups = new Set(asArray(rules.requiresReviewFor).map(safeString));
+  if (changedFields.some((f) => reviewGroups.has(f))) {
+    const req = { code: "review_state", message: "A human/super-admin review state is required (e.g. approved)." };
+    required.push(req);
+    const reviewOk = ["approved", "accepted", "merged"].includes(safeString(evidence.reviewState).toLowerCase());
+    (reviewOk ? satisfied : missing).push(req);
+  }
+  // 4. Live workflow proof chain.
+  if (mutation.touchesLiveWorkflow && rules.liveWorkflowRequiresPublishProof) {
+    const req = { code: "publish_proof", message: "Live workflow change requires draft → sandbox-run proof → publish." };
+    required.push(req);
+    (evidence.hasPublishProof ? satisfied : missing).push(req);
+  }
+  const compliant = violations.length === 0 && missing.length === 0;
+  const nextAction = violations.length
+    ? `Remove disallowed field(s): ${violations.filter((v) => v.code === "field_not_allowed").map((v) => v.field).join(", ") || "see violations"}.`
+    : (missing[0]
+      ? missingNextAction(missing[0])
+      : (compliant ? "Compliant — proceed through the governed PATCH/publish lane." : null));
+  return {
+    kind: CONTRACT_COMPLIANCE_KIND,
+    version: CONTRACT_COMPLIANCE_VERSION,
+    role,
+    compliant,
+    required,
+    satisfied,
+    missing,
+    violations,
+    nextAction,
+    summary: summarizeCompliance(role, compliant, required, missing, violations)
+  };
+}
+function missingNextAction(req) {
+  switch (req.code) {
+    case "preflight_receipt": return "Run POST /api/workspace/patch/preflight and record the receipt before PATCH.";
+    case "review_state": return "Obtain an approved review state before applying.";
+    case "publish_proof": return "Save a draft, prove it with sandbox-run, then POST /api/workspace/workflow/publish.";
+    default: return `Satisfy: ${req.message}`;
+  }
+}
+function summarizeCompliance(role, compliant, required, missing, violations) {
+  if (violations.length) {
+    return `Non-compliant (${role}): ${violations.length} hard violation(s) — ${violations[0].message}`;
+  }
+  if (compliant) {
+    return required.length
+      ? `Compliant (${role}): all ${required.length} requirement(s) satisfied.`
+      : `Compliant (${role}): no governed requirements triggered.`;
+  }
+  return `Non-compliant (${role}): ${missing.length} of ${required.length} requirement(s) unmet.`;
+}
+export {
+  CONTRACT_COMPLIANCE_KIND,
+  CONTRACT_COMPLIANCE_VERSION,
+  DEFAULT_ALLOWED_FIELDS,
+  defaultContract,
+  deriveContractCompliance,
+  summarizeCompliance
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-data-model.js CHANGED Viewed

@@ -895,6 +895,27 @@ const OBJECT_TYPE_PRESETS = {
       "version",
       "runLocality",
       "schedulerRegistryId",
+      "schedulerProviderId",
+      "schedulerProductId",
+      "schedulerRegion",
+      "scheduleId",
+      "schedulerCron",
+      "schedulerTriggerInput",
+      "schedulerDestination",
+      "schedulerCallbackUrl",
+      "schedulerFailureCallbackUrl",
+      "schedulerInstalledAt",
+      "schedulerPaused",
+      "schedulerPausedAt",
+      "schedulerResumedAt",
+      "lastScheduledRunStatus",
+      "lastScheduledRunMessageId",
+      "lastScheduledRunAttemptedAt",
+      "lastScheduledRunSucceededAt",
+      "lastScheduledRunFailedAt",
+      "lastScheduledRunFailureReason",
+      "lastScheduledRunBodyPreview",
+      "lastScheduledRunRetries",
       "runtime",
       "adapter",
       "agentHost",

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-operator-auth.js ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Mutation access boundary — single hook for operator/admin authorization on
+ * high-impact governed workspace mutations (schedule install/uninstall, provider
+ * sync, product sync). These routes can spend provider credentials, create/delete
+ * remote infrastructure, and mutate workspace config, so they must sit behind the
+ * SAME boundary as any governed write.
+ *
+ * In the open-source starter kit this is intentionally a NO-OP: the kit is
+ * local/dev-only unless the host application wraps these routes. Hosted
+ * deployments (e.g. Agency Portal / private) replace this with a real check —
+ * session/role, the same middleware that guards `/api/workspace`, or an app-scope
+ * gate — WITHOUT changing any route: every mutation route calls this one function.
+ *
+ * Returns { ok: true } when allowed, or { ok: false, status, error } to reject.
+ */
+function requireWorkspaceOperator(_request) {
+  // Starter kit: no built-in auth. Host app is responsible for protecting these
+  // routes (reverse proxy, middleware, or platform auth). Set
+  // GROWTHUB_REQUIRE_OPERATOR_AUTH=true with no provider configured to hard-block
+  // mutations on an unprotected public deployment.
+  if (String(process.env.GROWTHUB_REQUIRE_OPERATOR_AUTH || "").trim() === "true") {
+    return {
+      ok: false,
+      status: 403,
+      error: "operator authorization required but no operator auth provider is configured for this deployment",
+    };
+  }
+  return { ok: true };
+}
+export { requireWorkspaceOperator };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-patch-impact.js ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * Growthub Workspace Patch-Impact V1 — the single, authoritative "what does this
+ * patch actually change?" deriver, shared by the preflight route and the CLI.
+ *
+ * A dataModel/dashboards PATCH REPLACES the whole array, so the patch body alone
+ * is never "what changed". This diffs the CURRENT config against the MERGED
+ * (post-patch) config and reports THREE classes of change, each with downstream
+ * impact:
+ *
+ *   - added / modified objects + dashboards → seeded on the MERGED graph
+ *     (their new dependents).
+ *   - REMOVED objects + dashboards → seeded on the CURRENT graph, because the
+ *     deleted node no longer exists in the merged graph; the surfaces that
+ *     depended on it are the blast radius of deleting it. Without this, deleting
+ *     a business surface would silently report no impact — the highest-risk
+ *     false confidence.
+ *
+ * Pure: composes `deriveStaleSurfaces` (which composes the blast-radius spine),
+ * no new traversal, no writes, no secrets.
+ */
+import { deriveStaleSurfaces } from "./workspace-stale-surfaces.js";
+const PATCH_IMPACT_KIND = "growthub-workspace-patch-impact-v1";
+const PATCH_IMPACT_VERSION = 1;
+function objectIndex(config) {
+  return new Map((config?.dataModel?.objects || []).map((o) => [o && o.id, JSON.stringify(o)]));
+}
+function dashboardIndex(config) {
+  return new Map((config?.dashboards || []).map((d) => [d && (d.id || d.name), JSON.stringify(d)]));
+}
+/**
+ * @param {object} currentGraph graph built from the CURRENT config (pre-patch)
+ * @param {object} mergedGraph  graph built from the MERGED config (post-patch)
+ * @param {object} currentConfig
+ * @param {object} mergedConfig
+ * @returns {object} `{ kind, version, scope, seeds[], total, byType, staleSurfaces[], removed[], summary, warnings }`
+ */
+function derivePatchImpact(currentGraph, mergedGraph, currentConfig, mergedConfig) {
+  const empty = (warning) => ({
+    kind: PATCH_IMPACT_KIND,
+    version: PATCH_IMPACT_VERSION,
+    scope: "changed-only",
+    seeds: [],
+    total: 0,
+    byType: {},
+    staleSurfaces: [],
+    removed: [],
+    summary: "No object or dashboard added, modified, or removed.",
+    warnings: warning ? [warning] : []
+  });
+  if (!mergedGraph || !Array.isArray(mergedGraph.nodes)) return empty("merged graph missing");
+  const curObjects = objectIndex(currentConfig);
+  const mergedObjects = objectIndex(mergedConfig);
+  const curDashboards = dashboardIndex(currentConfig);
+  const mergedDashboards = dashboardIndex(mergedConfig);
+  const changedObjectIds = new Set();
+  const removedObjectIds = new Set();
+  for (const [id, json] of mergedObjects) if (id && curObjects.get(id) !== json) changedObjectIds.add(id);
+  for (const [id] of curObjects) if (id && !mergedObjects.has(id)) removedObjectIds.add(id);
+  const changedDashboardIds = new Set();
+  const removedDashboardIds = new Set();
+  for (const [id, json] of mergedDashboards) if (id && curDashboards.get(id) !== json) changedDashboardIds.add(id);
+  for (const [id] of curDashboards) if (id && !mergedDashboards.has(id)) removedDashboardIds.add(id);
+  // ── added / modified: seed on the MERGED graph ──────────────────────────
+  const changedSeeds = [];
+  for (const node of mergedGraph.nodes) {
+    if (node.type === "dataModelObject" && (changedObjectIds.has(node.summary?.objectId) || changedObjectIds.has(node.metadataId))) {
+      changedSeeds.push(node.id);
+    } else if (node.type === "dashboard" && (changedDashboardIds.has(node.metadataId) || changedDashboardIds.has(node.label))) {
+      changedSeeds.push(node.id);
+    }
+  }
+  const changedStale = changedSeeds.length ? deriveStaleSurfaces(mergedGraph, { seedIds: changedSeeds }) : null;
+  // ── removed: seed on the CURRENT graph (the deleted node lived there) ────
+  const removed = [];
+  const currentNodes = (currentGraph && Array.isArray(currentGraph.nodes)) ? currentGraph.nodes : [];
+  for (const node of currentNodes) {
+    const isRemovedObject = node.type === "dataModelObject" && (removedObjectIds.has(node.summary?.objectId) || removedObjectIds.has(node.metadataId));
+    const isRemovedDashboard = node.type === "dashboard" && (removedDashboardIds.has(node.metadataId) || removedDashboardIds.has(node.label));
+    if (!isRemovedObject && !isRemovedDashboard) continue;
+    const downstream = deriveStaleSurfaces(currentGraph, { seedIds: [node.id] });
+    removed.push({
+      id: node.id,
+      type: node.type,
+      label: node.label,
+      metadataId: node.metadataId,
+      affectedTotal: downstream.total,
+      affected: downstream.staleSurfaces,
+      summary: `Removing "${node.label}" affects ${downstream.total} downstream surface(s) that depend on it.`
+    });
+  }
+  if (!changedStale && !removed.length) return empty();
+  return {
+    kind: PATCH_IMPACT_KIND,
+    version: PATCH_IMPACT_VERSION,
+    scope: "changed-only",
+    seeds: changedStale ? changedStale.seeds : [],
+    total: changedStale ? changedStale.total : 0,
+    byType: changedStale ? changedStale.byType : {},
+    staleSurfaces: changedStale ? changedStale.staleSurfaces : [],
+    removed,
+    summary: summarizePatchImpact(changedStale, removed),
+    warnings: removed.length ? [`${removed.length} object/dashboard removal(s) — review affected downstream before applying.`] : []
+  };
+}
+function summarizePatchImpact(changedStale, removed) {
+  const parts = [];
+  if (changedStale && changedStale.total) parts.push(`${changedStale.total} surface(s) stale from add/modify`);
+  if (removed.length) {
+    const affected = removed.reduce((sum, r) => sum + (r.affectedTotal || 0), 0);
+    parts.push(`${removed.length} removal(s) affecting ${affected} downstream surface(s)`);
+  }
+  return parts.length ? `Patch impact: ${parts.join("; ")}.` : "No downstream impact.";
+}
+export {
+  PATCH_IMPACT_KIND,
+  PATCH_IMPACT_VERSION,
+  derivePatchImpact,
+  summarizePatchImpact
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-provenance-lineage.js ADDED Viewed

@@ -0,0 +1,214 @@
+/**
+ * Growthub Workspace Provenance-Lineage V1 — bidirectional lineage deriver.
+ *
+ * The mirror twin of `deriveBlastRadius`. It exposes BOTH transitive directions
+ * over the SAME edge taxonomy, named to MATCH the graph's own helper contract
+ * (`findDependents` = incoming, `findDependencies` = outgoing) so an agent never
+ * mis-reads a consumer as a producer:
+ *
+ *   - dependents    — transitive INCOMING closure (generalises `findDependents`):
+ *                     the nodes that DEPEND ON this node — its consumers and the
+ *                     things impacted if it changes (e.g. a widget that binds an
+ *                     object is the object's dependent). "What depends on this?"
+ *   - dependencies  — transitive OUTGOING closure (generalises `findDependencies`):
+ *                     the nodes this one DEPENDS ON — what it is built from /
+ *                     reads (e.g. an object's source record). "What does this
+ *                     depend on?"
+ *
+ * `ancestors` / `descendants` are kept ONLY as backward-compatible aliases of
+ * `dependents` / `dependencies` respectively — they read intuitively for the
+ * run→artifact case but mislead for objects/widgets/dashboards, so prefer the
+ * canonical names. The `direction` option accepts `dependents` | `dependencies`
+ * | `both` (and the legacy `ancestors` | `descendants`).
+ *
+ * One bounded, cycle-safe, deterministic BFS — the same skeleton the spine uses.
+ * No new graph, no new edges, no mutation, no secrets. `selectRunLineage` is the
+ * flat single-run ancestor of this module.
+ */
+import { summarizeGraphNode } from "./workspace-metadata-graph.js";
+import { deriveBlastRadius } from "./workspace-metadata-impact.js";
+const PROVENANCE_KIND = "growthub-workspace-provenance-lineage-v1";
+const PROVENANCE_VERSION = 1;
+const DEFAULT_MAX_NODES = 500;
+function safeString(value) {
+  if (value == null) return "";
+  return typeof value === "string" ? value : String(value);
+}
+/**
+ * Build the OUTGOING adjacency index once: `Map<fromId, Array<{ to, relation }>>`.
+ * (The INCOMING/dependents direction is NOT re-implemented here — it reuses the
+ * shipped `deriveBlastRadius` reverse closure, the single source of truth for
+ * incoming-edge traversal.)
+ */
+function buildOutgoingIndex(graph) {
+  const adjacency = new Map();
+  const edges = Array.isArray(graph?.edges) ? graph.edges : [];
+  for (const edge of edges) {
+    if (!edge || edge.from == null || edge.to == null) continue;
+    const key = String(edge.from);
+    if (!adjacency.has(key)) adjacency.set(key, []);
+    adjacency.get(key).push({ to: String(edge.to), relation: edge.relation });
+  }
+  return adjacency;
+}
+/**
+ * Bounded, cycle-safe BFS from `originId` over a pre-built adjacency index.
+ * Mirrors the blast-radius walk: FIFO queue → shortest path first, each node
+ * visited once, honest truncation past `maxNodes`.
+ */
+function walk(adjacency, nodesById, originId, maxNodes) {
+  const visited = new Set([originId]);
+  const reached = [];
+  let truncated = false;
+  let maxDistanceReached = 0;
+  const queue = [{ id: originId, distance: 0 }];
+  while (queue.length) {
+    const current = queue.shift();
+    const neighbours = adjacency.get(current.id) || [];
+    for (const { to, relation } of neighbours) {
+      if (visited.has(to)) continue;
+      const node = nodesById.get(to);
+      if (!node) continue;
+      if (reached.length >= maxNodes) {
+        truncated = true;
+        continue;
+      }
+      visited.add(to);
+      const distance = current.distance + 1;
+      maxDistanceReached = Math.max(maxDistanceReached, distance);
+      reached.push({
+        id: node.id,
+        type: node.type,
+        label: node.label,
+        metadataId: node.metadataId,
+        distance,
+        viaRelation: relation
+      });
+      queue.push({ id: to, distance });
+    }
+  }
+  reached.sort((a, b) =>
+    a.distance - b.distance ||
+    a.type.localeCompare(b.type) ||
+    a.id.localeCompare(b.id)
+  );
+  return { reached, truncated, maxDistanceReached };
+}
+/**
+ * @param {object} graph a `buildWorkspaceMetadataGraph` envelope
+ * @param {string} originId the metadataId to trace lineage for
+ * @param {object} [options]
+ * @param {"dependents"|"dependencies"|"both"|"ancestors"|"descendants"} [options.direction="both"]
+ * @param {number} [options.maxNodes=500] hard cap PER direction
+ * @returns {object} `{ kind, version, origin, direction, dependents[], dependencies[],
+ *   ancestors[] (alias of dependents), descendants[] (alias of dependencies),
+ *   byType, truncated, summary, warnings }`
+ */
+function deriveProvenanceLineage(graph, originId, options = {}) {
+  const maxNodes = Number.isFinite(options.maxNodes) && options.maxNodes > 0
+    ? Math.floor(options.maxNodes)
+    : DEFAULT_MAX_NODES;
+  // Normalise the requested direction to the canonical names (legacy aliases
+  // ancestors→dependents, descendants→dependencies).
+  const requested = safeString(options.direction) || "both";
+  const direction = requested === "ancestors" ? "dependents"
+    : requested === "descendants" ? "dependencies"
+      : ["dependents", "dependencies", "both"].includes(requested) ? requested
+        : "both";
+  const empty = (warning) => ({
+    kind: PROVENANCE_KIND,
+    version: PROVENANCE_VERSION,
+    origin: null,
+    direction,
+    dependents: [],
+    dependencies: [],
+    ancestors: [],
+    descendants: [],
+    byType: { dependents: {}, dependencies: {} },
+    truncated: false,
+    summary: "No lineage computed.",
+    warnings: warning ? [warning] : []
+  });
+  if (!graph || typeof graph !== "object" || !Array.isArray(graph.nodes)) {
+    return empty("graph missing or malformed");
+  }
+  const id = safeString(originId).trim();
+  if (!id) return empty("originId missing");
+  const nodesById = new Map(graph.nodes.map((node) => [node.id, node]));
+  const originNode = nodesById.get(id);
+  if (!originNode) return empty(`origin "${id}" not found in graph`);
+  let dependents = [];
+  let dependencies = [];
+  let truncated = false;
+  if (direction === "dependents" || direction === "both") {
+    // Reuse the spine — `dependents` IS the transitive incoming (reverse) closure
+    // that deriveBlastRadius already computes. No second incoming BFS.
+    const blast = deriveBlastRadius(graph, id, { maxNodes });
+    dependents = blast.impacted;
+    truncated = truncated || blast.truncated;
+  }
+  if (direction === "dependencies" || direction === "both") {
+    const res = walk(buildOutgoingIndex(graph), nodesById, id, maxNodes);
+    dependencies = res.reached;
+    truncated = truncated || res.truncated;
+  }
+  const countByType = (entries) => {
+    const out = {};
+    for (const entry of entries) out[entry.type] = (out[entry.type] || 0) + 1;
+    return out;
+  };
+  return {
+    kind: PROVENANCE_KIND,
+    version: PROVENANCE_VERSION,
+    origin: summarizeGraphNode(originNode),
+    direction,
+    // Canonical names — match findDependents (incoming) / findDependencies (outgoing).
+    dependents,
+    dependencies,
+    // Backward-compatible aliases (deprecated; can mislead for non-run nodes).
+    ancestors: dependents,
+    descendants: dependencies,
+    byType: { dependents: countByType(dependents), dependencies: countByType(dependencies) },
+    truncated,
+    summary: summarizeLineage(originNode, dependents, dependencies, direction, truncated),
+    warnings: []
+  };
+}
+function summarizeLineage(originNode, dependents, dependencies, direction, truncated) {
+  const label = originNode?.label || originNode?.id || "node";
+  const tail = truncated ? " (truncated)" : "";
+  if (direction === "dependents") {
+    return dependents.length
+      ? `${dependents.length} node(s) depend on "${label}"${tail}.`
+      : `Nothing depends on "${label}".`;
+  }
+  if (direction === "dependencies") {
+    return dependencies.length
+      ? `"${label}" depends on ${dependencies.length} node(s)${tail}.`
+      : `"${label}" depends on nothing.`;
+  }
+  return `"${label}": ${dependents.length} dependent(s), ${dependencies.length} dependenc(ies)${tail}.`;
+}
+export {
+  PROVENANCE_KIND,
+  PROVENANCE_VERSION,
+  DEFAULT_MAX_NODES,
+  deriveProvenanceLineage,
+  summarizeLineage
+};