@h9-foundry/agentforge-cli 0.6.0 → 0.7.1

package/dist/index.js

@@ -1,11 +1,12 @@
-import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
+import { execFileSync } from "node:child_process";
 import yaml from "js-yaml";
 import { renderAuditBundleMarkdown } from "@h9-foundry/agentforge-audit";
 import { createWorkflowState, findWorkspaceRoot } from "@h9-foundry/agentforge-context-engine";
 import { createPolicyEngine, loadPolicyDocument, resolvePolicy } from "@h9-foundry/agentforge-policy-engine";
 import { runWorkflow } from "@h9-foundry/agentforge-runtime";
-import { agentforgeConfigSchema, auditBundleSchema, designArtifactSchema, designRequestSchema, implementationRequestSchema, planningArtifactSchema, planningRequestSchema, qaRequestSchema, workflowDefinitionSchema } from "@h9-foundry/agentforge-schemas";
+import { agentforgeConfigSchema, auditBundleSchema, designArtifactSchema, designRequestSchema, implementationRequestSchema, incidentRequestSchema, maintenanceRequestSchema, planningArtifactSchema, planningRequestSchema, qaRequestSchema, releaseRequestSchema, securityRequestSchema, workflowDefinitionSchema } from "@h9-foundry/agentforge-schemas";
 import { createBuiltinAdapters } from "./internal/builtin-adapters.js";
 import { createBuiltinAgentRegistry } from "./internal/builtin-agents.js";
 import { LocalPluginRegistry } from "./internal/local-plugin-registry.js";
@@ -181,7 +182,7 @@ nodes:
 `;
 const qaWorkflowTemplate = `version: 1
 name: qa-review
-description: Validate a bounded QA request and prepare it for later QA analysis stages.
+description: Validate a bounded QA request and synthesize a read-only QA report.
 trigger: manual
 catalog:
   domain: test
@@ -193,6 +194,118 @@ nodes:
     kind: deterministic
     agent: qa-intake
     outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: qa-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: qa
+    kind: reasoning
+    agent: qa-analyst
+    outputs_to: agentResults.qa
+  - id: report
+    kind: report
+    outputs_to: reports.final
+`;
+const securityWorkflowTemplate = `version: 1
+name: security-review
+description: Validate a bounded security request while preserving the default local security posture.
+trigger: manual
+catalog:
+  domain: security
+  supportLevel: official
+  maturity: mvp
+  trustScope: official-core-only
+nodes:
+  - id: intake
+    kind: deterministic
+    agent: security-intake
+    outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: security-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: security
+    kind: reasoning
+    agent: security-analyst
+    outputs_to: agentResults.security
+  - id: report
+    kind: report
+    outputs_to: reports.final
+`;
+const releaseWorkflowTemplate = `version: 1
+name: release-readiness
+description: Validate a bounded release-readiness request while keeping trusted publish automation separate.
+trigger: manual
+catalog:
+  domain: release
+  supportLevel: partial
+  maturity: mvp
+  trustScope: official-core-only
+nodes:
+  - id: intake
+    kind: deterministic
+    agent: release-intake
+    outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: release-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: release
+    kind: reasoning
+    agent: release-analyst
+    outputs_to: agentResults.release
+  - id: report
+    kind: report
+    outputs_to: reports.final
+`;
+const incidentWorkflowTemplate = `version: 1
+name: incident-handoff
+description: Validate staged incident evidence while keeping the default path local, read-only, and explicit.
+trigger: manual
+catalog:
+  domain: operate
+  supportLevel: partial
+  maturity: mvp
+  trustScope: official-core-only
+nodes:
+  - id: intake
+    kind: deterministic
+    agent: incident-intake
+    outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: incident-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: incident
+    kind: reasoning
+    agent: incident-analyst
+    outputs_to: agentResults.incident
+  - id: report
+    kind: report
+    outputs_to: reports.final
+`;
+const maintenanceWorkflowTemplate = `version: 1
+name: maintenance-triage
+description: Validate a bounded maintenance request while keeping the default path local, read-only, and routing-oriented.
+trigger: manual
+catalog:
+  domain: maintain
+  supportLevel: partial
+  maturity: mvp
+  trustScope: official-core-only
+nodes:
+  - id: intake
+    kind: deterministic
+    agent: maintenance-intake
+    outputs_to: agentResults.intake
+  - id: evidence
+    kind: deterministic
+    agent: maintenance-evidence-normalizer
+    outputs_to: agentResults.evidence
+  - id: maintenance
+    kind: reasoning
+    agent: maintenance-analyst
+    outputs_to: agentResults.maintenance
   - id: report
     kind: report
     outputs_to: reports.final
@@ -206,6 +319,136 @@ function isRecord(value) {
 function asArray(value) {
     return Array.isArray(value) ? value : [];
 }
+function runGit(root, args) {
+    try {
+        return execFileSync("git", args, { cwd: root, encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    }
+    catch {
+        return "";
+    }
+}
+function parseGitHubRepositoryUrl(value) {
+    const trimmed = value.trim();
+    const sshMatch = trimmed.match(/^git@([^:]+):([^/]+)\/([^/]+?)(?:\.git)?$/i);
+    if (sshMatch) {
+        return {
+            host: sshMatch[1].toLowerCase(),
+            owner: sshMatch[2],
+            repo: sshMatch[3]
+        };
+    }
+    const httpsMatch = trimmed.match(/^https?:\/\/([^/]+)\/([^/]+)\/([^/]+?)(?:\.git)?(?:\/)?$/i);
+    if (!httpsMatch) {
+        return undefined;
+    }
+    return {
+        host: httpsMatch[1].toLowerCase(),
+        owner: httpsMatch[2],
+        repo: httpsMatch[3]
+    };
+}
+function inferGitHubRepoContext(root) {
+    const packageJsonPath = join(root, "package.json");
+    if (existsSync(packageJsonPath)) {
+        const parsed = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+        if (isRecord(parsed)) {
+            const repository = parsed.repository;
+            if (typeof repository === "string") {
+                const context = parseGitHubRepositoryUrl(repository);
+                if (context) {
+                    return context;
+                }
+            }
+            if (isRecord(repository) && typeof repository.url === "string") {
+                const context = parseGitHubRepositoryUrl(repository.url);
+                if (context) {
+                    return context;
+                }
+            }
+        }
+    }
+    const remoteUrl = runGit(root, ["config", "--get", "remote.origin.url"]);
+    return remoteUrl ? parseGitHubRepositoryUrl(remoteUrl) : undefined;
+}
+function normalizeGitHubReference(rawValue, repoContext) {
+    const raw = rawValue.trim();
+    if (!raw) {
+        return undefined;
+    }
+    const fromParts = (context, kind, number) => ({
+        platform: "github",
+        host: context.host,
+        owner: context.owner,
+        repo: context.repo,
+        kind,
+        number,
+        canonical: kind === "issue"
+            ? `${context.owner}/${context.repo}#${number}`
+            : `${context.owner}/${context.repo}/pull/${number}`,
+        url: kind === "issue"
+            ? `https://${context.host}/${context.owner}/${context.repo}/issues/${number}`
+            : `https://${context.host}/${context.owner}/${context.repo}/pull/${number}`,
+        source: raw
+    });
+    const urlMatch = raw.match(/^https?:\/\/([^/]+)\/([^/]+)\/([^/]+)\/(issues|pull)\/(\d+)(?:\/)?$/i);
+    if (urlMatch) {
+        return fromParts({ host: urlMatch[1].toLowerCase(), owner: urlMatch[2], repo: urlMatch[3] }, urlMatch[4].toLowerCase() === "pull" ? "pull_request" : "issue", Number.parseInt(urlMatch[5], 10));
+    }
+    const repoIssueMatch = raw.match(/^([^/\s]+)\/([^#\s]+)#(\d+)$/);
+    if (repoIssueMatch) {
+        return fromParts({ host: repoContext?.host ?? "github.com", owner: repoIssueMatch[1], repo: repoIssueMatch[2] }, "issue", Number.parseInt(repoIssueMatch[3], 10));
+    }
+    const repoPullMatch = raw.match(/^([^/\s]+)\/([^/\s]+)\/pull\/(\d+)$/i);
+    if (repoPullMatch) {
+        return fromParts({ host: repoContext?.host ?? "github.com", owner: repoPullMatch[1], repo: repoPullMatch[2] }, "pull_request", Number.parseInt(repoPullMatch[3], 10));
+    }
+    const shortIssueMatch = raw.match(/^#(\d+)$/);
+    if (shortIssueMatch && repoContext) {
+        return fromParts(repoContext, "issue", Number.parseInt(shortIssueMatch[1], 10));
+    }
+    const shortPullMatch = raw.match(/^(?:PR|pr)\s*#(\d+)$/);
+    if (shortPullMatch && repoContext) {
+        return fromParts(repoContext, "pull_request", Number.parseInt(shortPullMatch[1], 10));
+    }
+    return undefined;
+}
+function normalizeGitHubReferences(rawValues, repoContext) {
+    const seen = new Set();
+    const normalized = [];
+    for (const rawValue of rawValues) {
+        const githubRef = normalizeGitHubReference(rawValue, repoContext);
+        if (!githubRef || seen.has(githubRef.canonical)) {
+            continue;
+        }
+        seen.add(githubRef.canonical);
+        normalized.push(githubRef);
+    }
+    return normalized;
+}
+export function mapWorkflowRunStatusToGitHubStatus(workflow, localRunStatus) {
+    if (localRunStatus === "success") {
+        return {
+            workflow,
+            localRunStatus,
+            githubStatus: "completed",
+            reason: "Successful local workflow runs map to completed GitHub handoff status."
+        };
+    }
+    if (localRunStatus === "partial") {
+        return {
+            workflow,
+            localRunStatus,
+            githubStatus: "blocked",
+            reason: "Partial local workflow runs map to blocked GitHub handoff status until follow-up work resolves them."
+        };
+    }
+    return {
+        workflow,
+        localRunStatus,
+        githubStatus: "failed",
+        reason: "Failed local workflow runs map to failed GitHub handoff status."
+    };
+}
 function ensureReadablePath(policyEngine, pathValue, purpose) {
     const decision = policyEngine.canReadPath(pathValue);
     if (!decision.allowed) {
@@ -229,9 +472,31 @@ function validatePlanningRequestCompleteness(request) {
     }
     return request;
 }
+function validateIncidentRequestCompleteness(request) {
+    const evidenceSignalCount = request.evidenceSources.length + request.releaseReportRefs.length;
+    if (evidenceSignalCount === 0) {
+        throw new Error("Incident request is underspecified. Add at least one of evidenceSources or releaseReportRefs.");
+    }
+    return request;
+}
+function validateMaintenanceRequestCompleteness(request) {
+    const supportingSignalCount = request.dependencyAlertRefs.length +
+        request.docsTaskRefs.length +
+        request.releaseReportRefs.length +
+        request.issueRefs.length;
+    if (supportingSignalCount === 0) {
+        throw new Error("Maintenance request is underspecified. Add at least one of dependencyAlertRefs, docsTaskRefs, releaseReportRefs, or issueRefs.");
+    }
+    return request;
+}
 function validateWorkflowLifecyclePosture(workflow, policyEngine) {
     const domain = workflow.catalog?.domain;
-    if (domain !== "plan" && domain !== "design" && domain !== "build") {
+    if (domain !== "plan" &&
+        domain !== "design" &&
+        domain !== "build" &&
+        domain !== "security" &&
+        domain !== "release" &&
+        domain !== "operate") {
         return;
     }
     if (policyEngine.snapshot.defaults.network !== "deny") {
@@ -265,6 +530,52 @@ function loadDesignBundleArtifact(root, designRecordRef) {
     }
     return designArtifactSchema.parse(designArtifact);
 }
+function ensureBundleContainsArtifactKind(root, bundleRef, artifactKind, purpose) {
+    const artifactKinds = loadLifecycleArtifactKinds(root, bundleRef);
+    if (!artifactKinds.includes(artifactKind)) {
+        throw new Error(`Referenced ${purpose} does not contain a ${artifactKind} artifact: ${bundleRef}`);
+    }
+}
+function validateReleaseRequestCompleteness(request) {
+    const evidenceSignalCount = request.qaReportRefs.length + request.securityReportRefs.length + request.evidenceSources.length;
+    if (evidenceSignalCount === 0) {
+        throw new Error("Release request is underspecified. Add at least one of qaReportRefs, securityReportRefs, or evidenceSources.");
+    }
+    return request;
+}
+function loadLifecycleArtifactKinds(root, bundleRef) {
+    const bundlePath = join(root, bundleRef);
+    if (!existsSync(bundlePath)) {
+        throw new Error(`Referenced bundle not found: ${bundleRef}`);
+    }
+    const bundle = auditBundleSchema.parse(JSON.parse(readFileSync(bundlePath, "utf8")));
+    return bundle.lifecycleArtifacts.map((artifact) => artifact.artifactKind);
+}
+function loadLifecycleArtifactSourceReferences(root, bundleRef) {
+    const bundlePath = join(root, bundleRef);
+    if (!existsSync(bundlePath)) {
+        throw new Error(`Referenced bundle not found: ${bundleRef}`);
+    }
+    const bundle = auditBundleSchema.parse(JSON.parse(readFileSync(bundlePath, "utf8")));
+    const repoContext = inferGitHubRepoContext(root);
+    const issueRefs = new Set();
+    const githubRefs = new Map();
+    for (const artifact of bundle.lifecycleArtifacts) {
+        for (const issueRef of artifact.source.issueRefs) {
+            issueRefs.add(issueRef);
+        }
+        for (const githubRef of artifact.source.githubRefs ?? []) {
+            githubRefs.set(githubRef.canonical, githubRef);
+        }
+        for (const githubRef of normalizeGitHubReferences(artifact.source.issueRefs, repoContext)) {
+            githubRefs.set(githubRef.canonical, githubRef);
+        }
+    }
+    return {
+        issueRefs: [...issueRefs],
+        githubRefs: [...githubRefs.values()]
+    };
+}
 function prepareWorkflowInputs(workflow, root, policyEngine) {
     const requestsDir = join(root, ".agentops", "requests");
     ensureDirectory(requestsDir);
@@ -272,8 +583,10 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         const requestPath = ".agentops/requests/planning.yaml";
         ensureReadablePath(policyEngine, requestPath, "planning request");
         const planningRequest = validatePlanningRequestCompleteness(readYamlFile(join(root, requestPath), planningRequestSchema, "planning request"));
+        const planningGithubRefs = normalizeGitHubReferences(planningRequest.issueRefs, inferGitHubRepoContext(root));
         return {
             planningRequest,
+            planningGithubRefs,
             requestFile: requestPath
         };
     }
@@ -306,11 +619,163 @@ function prepareWorkflowInputs(workflow, root, policyEngine) {
         ensureReadablePath(policyEngine, requestPath, "QA request");
         const qaRequest = readYamlFile(join(root, requestPath), qaRequestSchema, "QA request");
         ensureReadablePath(policyEngine, qaRequest.targetRef, "QA target reference");
+        if (!existsSync(join(root, qaRequest.targetRef))) {
+            throw new Error(`QA target reference not found: ${qaRequest.targetRef}`);
+        }
         for (const evidenceSource of qaRequest.evidenceSources) {
             ensureReadablePath(policyEngine, evidenceSource, "QA evidence source");
         }
+        const referencedSourceRefs = qaRequest.targetRef.endsWith("bundle.json")
+            ? loadLifecycleArtifactSourceReferences(root, qaRequest.targetRef)
+            : { issueRefs: [], githubRefs: [] };
         return {
             qaRequest: qaRequest,
+            qaIssueRefs: referencedSourceRefs.issueRefs,
+            qaGithubRefs: referencedSourceRefs.githubRefs,
+            requestFile: requestPath
+        };
+    }
+    if (workflow.name === "security-review") {
+        const requestPath = ".agentops/requests/security.yaml";
+        ensureReadablePath(policyEngine, requestPath, "security request");
+        const securityRequest = readYamlFile(join(root, requestPath), securityRequestSchema, "security request");
+        ensureReadablePath(policyEngine, securityRequest.targetRef, "security target reference");
+        if (!existsSync(join(root, securityRequest.targetRef))) {
+            throw new Error(`Security target reference not found: ${securityRequest.targetRef}`);
+        }
+        for (const evidenceSource of securityRequest.evidenceSources) {
+            ensureReadablePath(policyEngine, evidenceSource, "security evidence source");
+        }
+        const referencedArtifactKinds = securityRequest.targetRef.endsWith("bundle.json")
+            ? loadLifecycleArtifactKinds(root, securityRequest.targetRef)
+            : [];
+        const allowedSecurityTargets = new Set(["design-record", "implementation-proposal", "qa-report", "release-report"]);
+        if (securityRequest.targetRef.endsWith("bundle.json") && !referencedArtifactKinds.some((kind) => allowedSecurityTargets.has(kind))) {
+            throw new Error(`Referenced security bundle does not contain a supported lifecycle artifact: ${securityRequest.targetRef}`);
+        }
+        const referencedSourceRefs = securityRequest.targetRef.endsWith("bundle.json")
+            ? loadLifecycleArtifactSourceReferences(root, securityRequest.targetRef)
+            : { issueRefs: [], githubRefs: [] };
+        return {
+            securityRequest: securityRequest,
+            securityTargetArtifactKinds: referencedArtifactKinds,
+            securityIssueRefs: referencedSourceRefs.issueRefs,
+            securityGithubRefs: referencedSourceRefs.githubRefs,
+            requestFile: requestPath
+        };
+    }
+    if (workflow.name === "release-readiness") {
+        const requestPath = ".agentops/requests/release.yaml";
+        ensureReadablePath(policyEngine, requestPath, "release request");
+        const releaseRequest = validateReleaseRequestCompleteness(readYamlFile(join(root, requestPath), releaseRequestSchema, "release request"));
+        const releaseIssueRefs = new Set();
+        const releaseGithubRefMap = new Map();
+        for (const qaReportRef of releaseRequest.qaReportRefs) {
+            ensureReadablePath(policyEngine, qaReportRef, "QA report reference");
+            ensureBundleContainsArtifactKind(root, qaReportRef, "qa-report", "QA report reference");
+            const refs = loadLifecycleArtifactSourceReferences(root, qaReportRef);
+            for (const issueRef of refs.issueRefs) {
+                releaseIssueRefs.add(issueRef);
+            }
+            for (const githubRef of refs.githubRefs) {
+                releaseGithubRefMap.set(githubRef.canonical, githubRef);
+            }
+        }
+        for (const securityReportRef of releaseRequest.securityReportRefs) {
+            ensureReadablePath(policyEngine, securityReportRef, "security report reference");
+            ensureBundleContainsArtifactKind(root, securityReportRef, "security-report", "security report reference");
+            const refs = loadLifecycleArtifactSourceReferences(root, securityReportRef);
+            for (const issueRef of refs.issueRefs) {
+                releaseIssueRefs.add(issueRef);
+            }
+            for (const githubRef of refs.githubRefs) {
+                releaseGithubRefMap.set(githubRef.canonical, githubRef);
+            }
+        }
+        for (const evidenceSource of releaseRequest.evidenceSources) {
+            ensureReadablePath(policyEngine, evidenceSource, "release evidence source");
+            if (!existsSync(join(root, evidenceSource))) {
+                throw new Error(`Release evidence source not found: ${evidenceSource}`);
+            }
+        }
+        return {
+            releaseRequest: releaseRequest,
+            releaseIssueRefs: [...releaseIssueRefs],
+            releaseGithubRefs: [...releaseGithubRefMap.values()],
+            requestFile: requestPath
+        };
+    }
+    if (workflow.name === "incident-handoff") {
+        const requestPath = ".agentops/requests/incident.yaml";
+        ensureReadablePath(policyEngine, requestPath, "incident request");
+        const incidentRequest = validateIncidentRequestCompleteness(readYamlFile(join(root, requestPath), incidentRequestSchema, "incident request"));
+        const repoContext = inferGitHubRepoContext(root);
+        const incidentIssueRefs = new Set(incidentRequest.issueRefs);
+        const incidentGithubRefMap = new Map();
+        for (const githubRef of normalizeGitHubReferences(incidentRequest.issueRefs, repoContext)) {
+            incidentGithubRefMap.set(githubRef.canonical, githubRef);
+        }
+        for (const releaseReportRef of incidentRequest.releaseReportRefs) {
+            ensureReadablePath(policyEngine, releaseReportRef, "release report reference");
+            ensureBundleContainsArtifactKind(root, releaseReportRef, "release-report", "release report reference");
+            const refs = loadLifecycleArtifactSourceReferences(root, releaseReportRef);
+            for (const issueRef of refs.issueRefs) {
+                incidentIssueRefs.add(issueRef);
+            }
+            for (const githubRef of refs.githubRefs) {
+                incidentGithubRefMap.set(githubRef.canonical, githubRef);
+            }
+        }
+        for (const evidenceSource of incidentRequest.evidenceSources) {
+            ensureReadablePath(policyEngine, evidenceSource, "incident evidence source");
+            if (!existsSync(join(root, evidenceSource))) {
+                throw new Error(`Incident evidence source not found: ${evidenceSource}`);
+            }
+        }
+        return {
+            incidentRequest: incidentRequest,
+            incidentIssueRefs: [...incidentIssueRefs],
+            incidentGithubRefs: [...incidentGithubRefMap.values()],
+            requestFile: requestPath
+        };
+    }
+    if (workflow.name === "maintenance-triage") {
+        const requestPath = ".agentops/requests/maintenance.yaml";
+        ensureReadablePath(policyEngine, requestPath, "maintenance request");
+        const maintenanceRequest = validateMaintenanceRequestCompleteness(readYamlFile(join(root, requestPath), maintenanceRequestSchema, "maintenance request"));
+        const repoContext = inferGitHubRepoContext(root);
+        const maintenanceIssueRefs = new Set(maintenanceRequest.issueRefs);
+        const maintenanceGithubRefMap = new Map();
+        for (const githubRef of normalizeGitHubReferences(maintenanceRequest.issueRefs, repoContext)) {
+            maintenanceGithubRefMap.set(githubRef.canonical, githubRef);
+        }
+        for (const releaseReportRef of maintenanceRequest.releaseReportRefs) {
+            ensureReadablePath(policyEngine, releaseReportRef, "release report reference");
+            ensureBundleContainsArtifactKind(root, releaseReportRef, "release-report", "release report reference");
+            const refs = loadLifecycleArtifactSourceReferences(root, releaseReportRef);
+            for (const issueRef of refs.issueRefs) {
+                maintenanceIssueRefs.add(issueRef);
+            }
+            for (const githubRef of refs.githubRefs) {
+                maintenanceGithubRefMap.set(githubRef.canonical, githubRef);
+            }
+        }
+        for (const dependencyAlertRef of maintenanceRequest.dependencyAlertRefs) {
+            ensureReadablePath(policyEngine, dependencyAlertRef, "dependency alert reference");
+            if (!existsSync(join(root, dependencyAlertRef))) {
+                throw new Error(`Dependency alert reference not found: ${dependencyAlertRef}`);
+            }
+        }
+        for (const docsTaskRef of maintenanceRequest.docsTaskRefs) {
+            ensureReadablePath(policyEngine, docsTaskRef, "docs task reference");
+            if (!existsSync(join(root, docsTaskRef))) {
+                throw new Error(`Docs task reference not found: ${docsTaskRef}`);
+            }
+        }
+        return {
+            maintenanceRequest: maintenanceRequest,
+            maintenanceIssueRefs: [...maintenanceIssueRefs],
+            maintenanceGithubRefs: [...maintenanceGithubRefMap.values()],
             requestFile: requestPath
         };
     }
@@ -383,6 +848,51 @@ function normalizeAgentForgeConfigInput(value) {
         }
     };
 }
+function readLatestCompleteRunBundle(runsRoot) {
+    if (!existsSync(runsRoot)) {
+        return undefined;
+    }
+    const parseRunTimestampMs = (value) => {
+        if (typeof value !== "string" || value.length === 0) {
+            return undefined;
+        }
+        const parsedDate = Date.parse(value);
+        if (!Number.isNaN(parsedDate)) {
+            return parsedDate;
+        }
+        const timestampPrefix = Number.parseInt(value.split("-")[0] ?? "", 10);
+        return Number.isNaN(timestampPrefix) ? undefined : timestampPrefix;
+    };
+    const candidates = readdirSync(runsRoot)
+        .map((entry) => {
+        const bundlePath = join(runsRoot, entry, "bundle.json");
+        if (!existsSync(bundlePath)) {
+            return undefined;
+        }
+        const stats = statSync(bundlePath);
+        const bundle = JSON.parse(readFileSync(bundlePath, "utf8"));
+        const bundleRunId = typeof bundle.runId === "string" ? bundle.runId : entry;
+        const completedAtMs = parseRunTimestampMs(bundle.finishedAt) ??
+            parseRunTimestampMs(bundle.startedAt) ??
+            parseRunTimestampMs(bundleRunId) ??
+            parseRunTimestampMs(entry) ??
+            stats.mtimeMs;
+        return {
+            runDir: entry,
+            bundle,
+            bundleRunId,
+            completedAtMs
+        };
+    })
+        .filter((candidate) => Boolean(candidate))
+        .sort((left, right) => {
+        if (left.completedAtMs !== right.completedAtMs) {
+            return right.completedAtMs - left.completedAtMs;
+        }
+        return right.bundleRunId.localeCompare(left.bundleRunId);
+    });
+    return candidates[0] ? { runDir: candidates[0].runDir, bundle: candidates[0].bundle } : undefined;
+}
 function loadAgentForgeConfig(root) {
     const configPath = join(root, ".agentops", "agentops.yaml");
     if (!existsSync(configPath)) {
@@ -446,6 +956,22 @@ function ensureInitFiles(root) {
         {
             path: join(workflowsDir, "qa-review.yaml"),
             contents: qaWorkflowTemplate
+        },
+        {
+            path: join(workflowsDir, "security-review.yaml"),
+            contents: securityWorkflowTemplate
+        },
+        {
+            path: join(workflowsDir, "release-readiness.yaml"),
+            contents: releaseWorkflowTemplate
+        },
+        {
+            path: join(workflowsDir, "incident-handoff.yaml"),
+            contents: incidentWorkflowTemplate
+        },
+        {
+            path: join(workflowsDir, "maintenance-triage.yaml"),
+            contents: maintenanceWorkflowTemplate
         }
     ];
     for (const file of files) {
@@ -599,18 +1125,17 @@ export function explainLastRun(cwd = process.cwd()) {
     const root = findWorkspaceRoot(cwd);
     const config = loadAgentForgeConfig(root);
     const runsRoot = join(root, config.runtime.runsPath);
-    const entries = existsSync(runsRoot) ? readdirSync(runsRoot).sort() : [];
-    const latest = entries.at(-1);
+    const latest = readLatestCompleteRunBundle(runsRoot);
     if (!latest) {
-        throw new Error("No recorded runs found.");
+        throw new Error("No complete recorded runs found.");
     }
-    const bundle = JSON.parse(readFileSync(join(runsRoot, latest, "bundle.json"), "utf8"));
+    const bundle = latest.bundle;
     const findings = asArray(bundle.findings);
     const blockedPlugins = asArray(bundle.blockedPlugins);
     const lifecycleArtifacts = asArray(bundle.lifecycleArtifacts);
     const runEntries = asArray(bundle.entries);
     return {
-        runId: typeof bundle.runId === "string" ? bundle.runId : latest,
+        runId: typeof bundle.runId === "string" ? bundle.runId : latest.runDir,
         status: typeof bundle.status === "string" ? bundle.status : "unknown",
         findings: findings.length,
         blockedActions: runEntries.reduce((total, entry) => {
@@ -620,8 +1145,8 @@ export function explainLastRun(cwd = process.cwd()) {
             return total + asArray(entry.blockedActions).length;
         }, 0),
         blockedPlugins: blockedPlugins.length,
-        jsonPath: join(runsRoot, latest, "bundle.json"),
-        markdownPath: join(runsRoot, latest, "summary.md"),
+        jsonPath: join(runsRoot, latest.runDir, "bundle.json"),
+        markdownPath: join(runsRoot, latest.runDir, "summary.md"),
         artifactCount: lifecycleArtifacts.length,
         artifactKinds: lifecycleArtifacts
             .map((artifact) => (isRecord(artifact) && typeof artifact.artifactKind === "string" ? artifact.artifactKind : undefined))