@h9-foundry/agentforge-schemas 0.6.0 → 0.7.1

package/dist/index.js

@@ -15,13 +15,29 @@ export const lifecycleArtifactKindSchema = z.enum([
     "planning-brief",
     "design-record",
     "implementation-proposal",
+    "incident-brief",
+    "qa-report",
+    "security-report",
     "review-report",
     "release-report",
     "maintenance-report"
 ]);
-export const lifecycleDomainSchema = z.enum(["plan", "design", "build", "review", "release", "maintain"]);
+export const lifecycleDomainSchema = z.enum(["plan", "design", "build", "test", "security", "review", "release", "operate", "maintain"]);
 export const lifecycleArtifactSourceTypeSchema = z.enum(["workflow-run", "manual-input", "imported"]);
 export const lifecycleArtifactStatusSchema = z.enum(["draft", "complete", "superseded", "cancelled"]);
+export const githubReferenceKindSchema = z.enum(["issue", "pull_request"]);
+export const githubWorkflowStatusSchema = z.enum(["planned", "in_progress", "blocked", "completed", "failed"]);
+export const githubActionsRunStatusSchema = z.enum(["queued", "in_progress", "completed"]);
+export const githubActionsConclusionSchema = z.enum([
+    "success",
+    "failure",
+    "neutral",
+    "cancelled",
+    "skipped",
+    "timed_out",
+    "action_required",
+    "stale"
+]);
 export const catalogDomainSchema = z.enum([
     "foundation",
     "plan",
@@ -295,6 +311,13 @@ export const qaRequestSchema = z.object({
     constraints: z.array(z.string().min(1)).default([]),
     releaseContext: z.enum(["none", "candidate", "blocking"]).default("none")
 });
+export const securityRequestSchema = z.object({
+    targetRef: z.string().min(1),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    focusAreas: z.array(z.string().min(1)).default([]),
+    constraints: z.array(z.string().min(1)).default([]),
+    releaseContext: z.enum(["none", "candidate", "blocking"]).default("none")
+});
 export const normalizedValidationCommandSchema = z.object({
     command: z.string().min(1),
     source: z.enum(["request", "package-script", "workspace-script"]),
@@ -310,6 +333,96 @@ export const implementationInventorySchema = z.object({
     policySurfaces: z.array(z.string().min(1)).default([]),
     discoveredValidationCommands: z.array(normalizedValidationCommandSchema).default([])
 });
+export const githubActionsJobEvidenceSchema = z.object({
+    name: z.string().min(1),
+    status: githubActionsRunStatusSchema,
+    conclusion: githubActionsConclusionSchema.optional(),
+    htmlUrl: z.string().url().optional(),
+    startedAt: z.string().datetime().optional(),
+    completedAt: z.string().datetime().optional()
+});
+export const githubActionsCheckRunEvidenceSchema = z.object({
+    name: z.string().min(1),
+    status: githubActionsRunStatusSchema,
+    conclusion: githubActionsConclusionSchema.optional(),
+    detailsUrl: z.string().url().optional()
+});
+export const githubActionsEvidenceSchema = z.object({
+    sourcePath: z.string().min(1).optional(),
+    repository: z.string().min(1),
+    workflowName: z.string().min(1),
+    workflowRunId: z.number().int().positive(),
+    runAttempt: z.number().int().positive().default(1),
+    event: z.string().min(1).optional(),
+    headBranch: z.string().min(1).optional(),
+    headSha: z.string().min(1).optional(),
+    status: githubActionsRunStatusSchema,
+    conclusion: githubActionsConclusionSchema.optional(),
+    htmlUrl: z.string().url(),
+    jobs: z.array(githubActionsJobEvidenceSchema).default([]),
+    checkRuns: z.array(githubActionsCheckRunEvidenceSchema).default([])
+});
+export const githubActionsEvidenceNormalizationSchema = z.object({
+    evidence: z.array(githubActionsEvidenceSchema).default([]),
+    workflowNames: z.array(z.string().min(1)).default([]),
+    failingChecks: z.array(z.string().min(1)).default([]),
+    provenanceRefs: z.array(z.string().min(1)).default([])
+});
+export const qaEvidenceNormalizationSchema = z.object({
+    targetRef: z.string().min(1),
+    targetType: z.enum(["artifact-bundle", "validation-output", "local-reference"]),
+    referencedArtifactKinds: z.array(z.string().min(1)).default([]),
+    normalizedEvidenceSources: z.array(z.string().min(1)).default([]),
+    missingEvidenceSources: z.array(z.string().min(1)).default([]),
+    normalizedExecutedChecks: z.array(z.string().min(1)).default([]),
+    unrecognizedExecutedChecks: z.array(z.string().min(1)).default([]),
+    affectedPackages: z.array(z.string().min(1)).default([]),
+    allowedValidationCommands: z.array(normalizedValidationCommandSchema).default([]),
+    githubActions: githubActionsEvidenceNormalizationSchema.default({
+        evidence: [],
+        workflowNames: [],
+        failingChecks: [],
+        provenanceRefs: []
+    })
+});
+export const securityEvidenceNormalizationSchema = z.object({
+    targetRef: z.string().min(1),
+    targetType: z.enum(["artifact-bundle", "local-reference"]),
+    referencedArtifactKinds: z.array(z.string().min(1)).default([]),
+    normalizedEvidenceSources: z.array(z.string().min(1)).default([]),
+    missingEvidenceSources: z.array(z.string().min(1)).default([]),
+    normalizedFocusAreas: z.array(z.string().min(1)).default([]),
+    securitySignals: z.array(z.string().min(1)).default([]),
+    provenanceRefs: z.array(z.string().min(1)).default([]),
+    affectedPackages: z.array(z.string().min(1)).default([])
+});
+export const incidentEvidenceNormalizationSchema = z.object({
+    incidentSummary: z.string().min(1),
+    severityHint: z.enum(["unknown", "low", "medium", "high", "critical"]),
+    normalizedEvidenceSources: z.array(z.string().min(1)).default([]),
+    missingEvidenceSources: z.array(z.string().min(1)).default([]),
+    releaseReportRefs: z.array(z.string().min(1)).default([]),
+    timelineSummary: z.array(z.string().min(1)).default([]),
+    likelyImpactedAreas: z.array(z.string().min(1)).default([]),
+    followUpWorkflowRefs: z.array(z.string().min(1)).default([]),
+    provenanceRefs: z.array(z.string().min(1)).default([]),
+    redactionCategories: z.array(z.string().min(1)).default([]),
+    referencedArtifactKinds: z.array(z.string().min(1)).default([])
+});
+export const maintenanceEvidenceNormalizationSchema = z.object({
+    maintenanceGoal: z.string().min(1),
+    dependencyAlertRefs: z.array(z.string().min(1)).default([]),
+    docsTaskRefs: z.array(z.string().min(1)).default([]),
+    releaseReportRefs: z.array(z.string().min(1)).default([]),
+    normalizedEvidenceSources: z.array(z.string().min(1)).default([]),
+    missingEvidenceSources: z.array(z.string().min(1)).default([]),
+    referencedArtifactKinds: z.array(z.string().min(1)).default([]),
+    affectedPackagesOrDocs: z.array(z.string().min(1)).default([]),
+    maintenanceSignals: z.array(z.string().min(1)).default([]),
+    followUpWorkflowRefs: z.array(z.string().min(1)).default([]),
+    routingRecommendation: z.string().min(1),
+    provenanceRefs: z.array(z.string().min(1)).default([])
+});
 export const repoMetadataSchema = z.object({
     root: z.string().min(1),
     name: z.string().min(1),
@@ -384,11 +497,46 @@ export const lifecycleArtifactWorkflowReferenceSchema = z.object({
     name: z.string().min(1),
     displayName: z.string().min(1).optional()
 });
+export const githubReferenceSchema = z.object({
+    platform: z.literal("github"),
+    host: z.string().min(1).default("github.com"),
+    owner: z.string().min(1),
+    repo: z.string().min(1),
+    kind: githubReferenceKindSchema,
+    number: z.number().int().positive(),
+    canonical: z.string().min(1),
+    url: z.string().url(),
+    source: z.string().min(1)
+});
+export const githubWorkflowStatusMappingSchema = z.object({
+    workflow: z.string().min(1),
+    localRunStatus: runStatusSchema,
+    githubStatus: githubWorkflowStatusSchema,
+    reason: z.string().min(1)
+});
+export const githubHandoffArtifactKindSchema = z.enum(["planning-brief", "design-record", "incident-brief", "qa-report", "release-report"]);
+export const githubHandoffSectionSchema = z.object({
+    heading: z.string().min(1),
+    lines: z.array(z.string().min(1)).default([])
+});
+export const githubHandoffSummarySchema = z.object({
+    artifactKind: githubHandoffArtifactKindSchema,
+    workflow: z.string().min(1),
+    githubStatus: githubWorkflowStatusSchema,
+    title: z.string().min(1),
+    summary: z.string().min(1),
+    body: z.string().min(1),
+    issueRefs: z.array(githubReferenceSchema).default([]),
+    pullRequestRefs: z.array(githubReferenceSchema).default([]),
+    provenanceRefs: z.array(z.string().min(1)).default([]),
+    sections: z.array(githubHandoffSectionSchema).default([])
+});
 export const lifecycleArtifactSourceReferenceSchema = z.object({
     sourceType: lifecycleArtifactSourceTypeSchema,
     runId: z.string().min(1).optional(),
     inputRefs: z.array(z.string()).default([]),
-    issueRefs: z.array(z.string()).default([])
+    issueRefs: z.array(z.string()).default([]),
+    githubRefs: z.array(githubReferenceSchema).default([])
 });
 export const lifecycleArtifactRepoReferenceSchema = z.object({
     root: z.string().min(1),
@@ -460,6 +608,24 @@ export const reviewArtifactPayloadSchema = z.object({
     securityConcerns: z.array(z.string().min(1)).default([]),
     approvalRecommendations: z.array(z.string().min(1)).default([])
 });
+export const qaArtifactPayloadSchema = z.object({
+    targetRef: z.string().min(1),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    executedChecks: z.array(z.string().min(1)).default([]),
+    findings: z.array(findingSchema).default([]),
+    coverageGaps: z.array(z.string().min(1)).default([]),
+    recommendedNextChecks: z.array(z.string().min(1)).default([]),
+    releaseImpact: z.string().min(1)
+});
+export const securityArtifactPayloadSchema = z.object({
+    targetRef: z.string().min(1),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    findings: z.array(findingSchema).default([]),
+    severitySummary: z.string().min(1),
+    mitigations: z.array(z.string().min(1)).default([]),
+    releaseImpact: z.string().min(1),
+    followUpWork: z.array(z.string().min(1)).default([])
+});
 export const implementationArtifactPayloadSchema = z.object({
     designRecordRef: z.string().min(1),
     implementationGoal: z.string().min(1),
@@ -470,6 +636,14 @@ export const implementationArtifactPayloadSchema = z.object({
     risks: z.array(z.string().min(1)).default([]),
     openQuestions: z.array(z.string().min(1)).default([])
 });
+export const incidentArtifactPayloadSchema = z.object({
+    incidentSummary: z.string().min(1),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    timelineSummary: z.array(z.string().min(1)).default([]),
+    likelyImpactedAreas: z.array(z.string().min(1)).default([]),
+    followUpWorkflowRefs: z.array(z.string().min(1)).default([]),
+    openQuestions: z.array(z.string().min(1)).default([])
+});
 export const releaseVerificationCheckSchema = z.object({
     name: z.string().min(1),
     status: z.enum(["passed", "failed", "skipped"]),
@@ -479,11 +653,59 @@ export const releaseVersionTargetSchema = z.object({
     name: z.string().min(1),
     version: z.string().min(1)
 });
+export const releaseVersionResolutionSchema = z.object({
+    name: z.string().min(1),
+    targetVersion: z.string().min(1),
+    currentVersion: z.string().min(1).optional(),
+    status: z.enum(["matches-target", "pending-version-bump", "package-missing"])
+});
+export const releaseApprovalRecommendationSchema = z.object({
+    action: z.string().min(1),
+    classification: z.enum(["allow", "approval_required", "deny"]),
+    reason: z.string().min(1)
+});
+export const releaseRequestSchema = z.object({
+    releaseScope: z.string().min(1),
+    versionTargets: z.array(releaseVersionTargetSchema).min(1),
+    qaReportRefs: z.array(z.string().min(1)).default([]),
+    securityReportRefs: z.array(z.string().min(1)).default([]),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    constraints: z.array(z.string().min(1)).default([])
+});
+export const incidentRequestSchema = z.object({
+    incidentSummary: z.string().min(1),
+    severityHint: z.enum(["unknown", "low", "medium", "high", "critical"]).default("unknown"),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    releaseReportRefs: z.array(z.string().min(1)).default([]),
+    issueRefs: z.array(z.string().min(1)).default([]),
+    constraints: z.array(z.string().min(1)).default([])
+});
+export const maintenanceRequestSchema = z.object({
+    maintenanceGoal: z.string().min(1),
+    dependencyAlertRefs: z.array(z.string().min(1)).default([]),
+    docsTaskRefs: z.array(z.string().min(1)).default([]),
+    releaseReportRefs: z.array(z.string().min(1)).default([]),
+    issueRefs: z.array(z.string().min(1)).default([]),
+    constraints: z.array(z.string().min(1)).default([])
+});
+export const releaseEvidenceNormalizationSchema = z.object({
+    qaReportRefs: z.array(z.string().min(1)).default([]),
+    securityReportRefs: z.array(z.string().min(1)).default([]),
+    normalizedEvidenceSources: z.array(z.string().min(1)).default([]),
+    missingEvidenceSources: z.array(z.string().min(1)).default([]),
+    versionResolutions: z.array(releaseVersionResolutionSchema).default([]),
+    localReadinessChecks: z.array(releaseVerificationCheckSchema).default([]),
+    readinessStatus: z.enum(["ready", "blocked", "partial"]),
+    approvalRecommendations: z.array(releaseApprovalRecommendationSchema).default([]),
+    provenanceRefs: z.array(z.string().min(1)).default([])
+});
 export const releaseArtifactPayloadSchema = z.object({
     releaseScope: z.string().min(1),
     versionTargets: z.array(releaseVersionTargetSchema).min(1),
     readinessStatus: z.enum(["ready", "blocked", "partial"]),
     verificationChecks: z.array(releaseVerificationCheckSchema).default([]),
+    versionResolutions: z.array(releaseVersionResolutionSchema).default([]),
+    approvalRecommendations: z.array(releaseApprovalRecommendationSchema).default([]),
     publishingPlan: z.array(z.string().min(1)).default([]),
     trustStatus: z.string().min(1),
     publishedPackages: z.array(z.string().min(1)).default([]),
@@ -494,8 +716,13 @@ export const releaseArtifactPayloadSchema = z.object({
 });
 export const maintenanceArtifactPayloadSchema = z.object({
     maintenanceScope: z.string().min(1),
+    evidenceSources: z.array(z.string().min(1)).default([]),
+    affectedPackagesOrDocs: z.array(z.string().min(1)).default([]),
     currentFindings: z.array(z.string().min(1)).default([]),
     recommendedActions: z.array(z.string().min(1)).default([]),
+    routingRecommendation: z.string().min(1),
+    followUpWorkflowRefs: z.array(z.string().min(1)).default([]),
+    risks: z.array(z.string().min(1)).default([]),
     priorityAssessment: z.string().min(1),
     dependencyUpdates: z.array(z.string().min(1)).default([]),
     docsUpdates: z.array(z.string().min(1)).default([]),
@@ -517,6 +744,21 @@ export const implementationArtifactSchema = lifecycleArtifactEnvelopeSchema.exte
     lifecycleDomain: z.literal("build"),
     payload: implementationArtifactPayloadSchema
 });
+export const incidentArtifactSchema = lifecycleArtifactEnvelopeSchema.extend({
+    artifactKind: z.literal("incident-brief"),
+    lifecycleDomain: z.literal("operate"),
+    payload: incidentArtifactPayloadSchema
+});
+export const qaArtifactSchema = lifecycleArtifactEnvelopeSchema.extend({
+    artifactKind: z.literal("qa-report"),
+    lifecycleDomain: z.literal("test"),
+    payload: qaArtifactPayloadSchema
+});
+export const securityArtifactSchema = lifecycleArtifactEnvelopeSchema.extend({
+    artifactKind: z.literal("security-report"),
+    lifecycleDomain: z.literal("security"),
+    payload: securityArtifactPayloadSchema
+});
 export const reviewArtifactSchema = lifecycleArtifactEnvelopeSchema.extend({
     artifactKind: z.literal("review-report"),
     lifecycleDomain: z.literal("review"),
@@ -536,6 +778,9 @@ export const lifecycleArtifactSchema = z.discriminatedUnion("artifactKind", [
     planningArtifactSchema,
     designArtifactSchema,
     implementationArtifactSchema,
+    incidentArtifactSchema,
+    qaArtifactSchema,
+    securityArtifactSchema,
     reviewArtifactSchema,
     releaseArtifactSchema,
     maintenanceArtifactSchema
@@ -572,6 +817,14 @@ export const schemaRegistry = {
     auditComponent: auditComponentSchema,
     auditProvenance: auditProvenanceSchema,
     auditRedaction: auditRedactionSchema,
+    githubReference: githubReferenceSchema,
+    githubActionsJobEvidence: githubActionsJobEvidenceSchema,
+    githubActionsCheckRunEvidence: githubActionsCheckRunEvidenceSchema,
+    githubActionsEvidence: githubActionsEvidenceSchema,
+    githubActionsEvidenceNormalization: githubActionsEvidenceNormalizationSchema,
+    githubHandoffSection: githubHandoffSectionSchema,
+    githubHandoffSummary: githubHandoffSummarySchema,
+    githubWorkflowStatusMapping: githubWorkflowStatusMappingSchema,
     lifecycleArtifactWorkflowReference: lifecycleArtifactWorkflowReferenceSchema,
     lifecycleArtifactSourceReference: lifecycleArtifactSourceReferenceSchema,
     lifecycleArtifactRepoReference: lifecycleArtifactRepoReferenceSchema,
@@ -582,14 +835,23 @@ export const schemaRegistry = {
     designArtifactOption: designArtifactOptionSchema,
     designArtifactPayload: designArtifactPayloadSchema,
     implementationArtifactPayload: implementationArtifactPayloadSchema,
+    incidentArtifactPayload: incidentArtifactPayloadSchema,
+    qaArtifactPayload: qaArtifactPayloadSchema,
+    securityArtifactPayload: securityArtifactPayloadSchema,
     reviewArtifactPayload: reviewArtifactPayloadSchema,
     releaseVerificationCheck: releaseVerificationCheckSchema,
     releaseVersionTarget: releaseVersionTargetSchema,
+    releaseVersionResolution: releaseVersionResolutionSchema,
+    releaseApprovalRecommendation: releaseApprovalRecommendationSchema,
+    releaseEvidenceNormalization: releaseEvidenceNormalizationSchema,
     releaseArtifactPayload: releaseArtifactPayloadSchema,
     maintenanceArtifactPayload: maintenanceArtifactPayloadSchema,
     planningArtifact: planningArtifactSchema,
     designArtifact: designArtifactSchema,
     implementationArtifact: implementationArtifactSchema,
+    incidentArtifact: incidentArtifactSchema,
+    qaArtifact: qaArtifactSchema,
+    securityArtifact: securityArtifactSchema,
     reviewArtifact: reviewArtifactSchema,
     releaseArtifact: releaseArtifactSchema,
     maintenanceArtifact: maintenanceArtifactSchema,
@@ -602,8 +864,16 @@ export const schemaRegistry = {
     designRequest: designRequestSchema,
     implementationRequest: implementationRequestSchema,
     qaRequest: qaRequestSchema,
+    securityRequest: securityRequestSchema,
+    releaseRequest: releaseRequestSchema,
+    incidentRequest: incidentRequestSchema,
+    maintenanceRequest: maintenanceRequestSchema,
     normalizedValidationCommand: normalizedValidationCommandSchema,
     implementationInventory: implementationInventorySchema,
+    qaEvidenceNormalization: qaEvidenceNormalizationSchema,
+    securityEvidenceNormalization: securityEvidenceNormalizationSchema,
+    incidentEvidenceNormalization: incidentEvidenceNormalizationSchema,
+    maintenanceEvidenceNormalization: maintenanceEvidenceNormalizationSchema,
     policyDocument: policyDocumentSchema,
     effectivePolicySnapshot: effectivePolicySnapshotSchema,
     workflowDefinition: workflowDefinitionSchema,
@@ -626,7 +896,20 @@ const lifecycleArtifactFixtureBase = {
         sourceType: "workflow-run",
         runId: "run-123",
         inputRefs: ["docs/ROADMAP.md"],
-        issueRefs: ["#78"]
+        issueRefs: ["#78"],
+        githubRefs: [
+            {
+                platform: "github",
+                host: "github.com",
+                owner: "H9-Foundry",
+                repo: "AgentForge",
+                kind: "issue",
+                number: 78,
+                canonical: "H9-Foundry/AgentForge#78",
+                url: "https://github.com/H9-Foundry/AgentForge/issues/78",
+                source: "#78"
+            }
+        ]
     },
     status: "complete",
     generatedAt: "2026-03-17T12:00:00.000Z",
@@ -711,6 +994,79 @@ const implementationArtifactFixture = {
         openQuestions: ["Which validation commands should become allowlisted in the next slice?"]
     }
 };
+const incidentArtifactFixture = {
+    ...lifecycleArtifactFixtureBase,
+    artifactKind: "incident-brief",
+    lifecycleDomain: "operate",
+    summary: "Incident brief prepared for elevated 500s after the latest release candidate.",
+    payload: {
+        incidentSummary: "Customers saw elevated 500s after the latest release candidate.",
+        evidenceSources: [
+            ".agentops/evidence/incident-summary.md",
+            ".agentops/evidence/alerts.json",
+            ".agentops/runs/run-release/bundle.json"
+        ],
+        timelineSummary: [
+            "Severity hint: high.",
+            "Two staged evidence sources and one release-report reference were validated before reasoning."
+        ],
+        likelyImpactedAreas: ["release-readiness", "maintenance-triage", "packages/cli"],
+        followUpWorkflowRefs: ["maintenance-triage", "security-review"],
+        openQuestions: ["Which release candidate introduced the first reproducible 500 response?"]
+    }
+};
+const qaArtifactFixture = {
+    ...lifecycleArtifactFixtureBase,
+    artifactKind: "qa-report",
+    lifecycleDomain: "test",
+    summary: "QA report for the bounded implementation proposal handoff.",
+    payload: {
+        targetRef: ".agentops/runs/run-789/bundle.json",
+        evidenceSources: [".agentops/runs/run-789/summary.md"],
+        executedChecks: ["pnpm test"],
+        findings: [
+            {
+                id: "qa-finding-1",
+                title: "Coverage evidence still needs review",
+                summary: "The bounded QA handoff references validation output, but coverage evidence still needs interpretation.",
+                severity: "medium",
+                rationale: "The MVP QA workflow is read-only and request-driven, so it cannot infer full coverage status without normalized evidence.",
+                confidence: 0.82,
+                location: ".agentops/requests/qa.yaml",
+                tags: ["qa", "coverage"]
+            }
+        ],
+        coverageGaps: ["Coverage evidence was referenced but not normalized into a deterministic summary."],
+        recommendedNextChecks: ["Review the referenced validation output before promotion.", "Confirm release-risk expectations with the owning maintainer."],
+        releaseImpact: "candidate release requires QA follow-up before promotion."
+    }
+};
+const securityArtifactFixture = {
+    ...lifecycleArtifactFixtureBase,
+    artifactKind: "security-report",
+    lifecycleDomain: "security",
+    summary: "Security report for the bounded implementation proposal handoff.",
+    payload: {
+        targetRef: ".agentops/runs/run-790/bundle.json",
+        evidenceSources: [".agentops/runs/run-790/summary.md"],
+        findings: [
+            {
+                id: "security-finding-1",
+                title: "Dependency risk still needs bounded interpretation",
+                summary: "The security workflow synthesized a dependency-risk concern from validated references.",
+                severity: "medium",
+                rationale: "This slice emits a structured security report from validated evidence references before deterministic evidence normalization lands.",
+                confidence: 0.78,
+                location: ".agentops/requests/security.yaml",
+                tags: ["security", "dependency-risk"]
+            }
+        ],
+        severitySummary: "highest severity: medium; 1 synthesized security finding.",
+        mitigations: ["Review dependency-risk evidence before release promotion."],
+        releaseImpact: "candidate release requires explicit security review before promotion.",
+        followUpWork: ["Use deterministic security evidence normalization outputs before broader promotion."]
+    }
+};
 const reviewArtifactFixture = {
     ...lifecycleArtifactFixtureBase,
     artifactKind: "review-report",
@@ -744,8 +1100,28 @@ const releaseArtifactFixture = {
         versionTargets: [{ name: "@h9-foundry/agentforge-schemas", version: "0.4.1" }],
         readinessStatus: "ready",
         verificationChecks: [{ name: "release-verify", status: "passed" }],
+        versionResolutions: [
+            {
+                name: "@h9-foundry/agentforge-schemas",
+                targetVersion: "0.4.1",
+                currentVersion: "0.4.0",
+                status: "pending-version-bump"
+            }
+        ],
+        approvalRecommendations: [
+            {
+                action: "publish-packages",
+                classification: "approval_required",
+                reason: "Package publication remains outside the default read-only workflow path."
+            }
+        ],
         publishingPlan: ["Merge version PR", "Let GitHub Actions publish"],
-        trustStatus: "trusted-publishing-configured"
+        trustStatus: "trusted-publishing-configured",
+        publishedPackages: [],
+        tagRefs: [],
+        provenanceRefs: [".agentops/runs/run-321/bundle.json"],
+        rollbackNotes: ["Pause the release if the verification set changes before publish."],
+        externalDependencies: ["Trusted publishing remains configured in GitHub Actions."]
     }
 };
 const maintenanceArtifactFixture = {
@@ -755,8 +1131,20 @@ const maintenanceArtifactFixture = {
     summary: "Maintenance report for documentation and dependency hygiene.",
     payload: {
         maintenanceScope: "Docs and dependency hygiene",
+        evidenceSources: [
+            ".agentops/evidence/dependency-alerts.json",
+            ".agentops/evidence/docs-task.md",
+            ".agentops/runs/run-release/bundle.json"
+        ],
+        affectedPackagesOrDocs: ["docs/quickstart.md", "packages/cli"],
         currentFindings: ["README needs clearer first-run guidance"],
         recommendedActions: ["Rewrite quickstart", "Refresh sample repo docs"],
+        routingRecommendation: "implementation-proposal",
+        followUpWorkflowRefs: ["implementation-proposal", "release-readiness"],
+        risks: [
+            "Release-linked maintenance follow-up may drift if the latest release report is not revisited.",
+            "Docs debt can diverge from implemented behavior if maintenance triage is deferred."
+        ],
         priorityAssessment: "high",
         dependencyUpdates: ["vitest@4.1.0"],
         docsUpdates: ["docs/quickstart.md"],
@@ -795,12 +1183,117 @@ const qaRequestFixture = {
     constraints: ["Keep QA evidence collection read-only"],
     releaseContext: "candidate"
 };
+const securityRequestFixture = {
+    targetRef: ".agentops/runs/run-790/bundle.json",
+    evidenceSources: [".agentops/runs/run-790/summary.md"],
+    focusAreas: ["dependency-risk", "release-readiness"],
+    constraints: ["Keep security evidence collection read-only"],
+    releaseContext: "candidate"
+};
+const releaseRequestFixture = {
+    releaseScope: "Prepare the 0.7.0 candidate for maintainer review",
+    versionTargets: [{ name: "@h9-foundry/agentforge-cli", version: "0.7.0" }],
+    qaReportRefs: [".agentops/runs/run-789/bundle.json"],
+    securityReportRefs: [".agentops/runs/run-790/bundle.json"],
+    evidenceSources: [".agentops/runs/run-790/summary.md"],
+    constraints: ["Keep release readiness read-only by default"]
+};
+const incidentRequestFixture = {
+    incidentSummary: "Customers saw elevated 500s after the last release candidate.",
+    severityHint: "high",
+    evidenceSources: [".agentops/evidence/incident-summary.md", ".agentops/evidence/alerts.json"],
+    releaseReportRefs: [".agentops/runs/run-release/bundle.json"],
+    issueRefs: ["#144"],
+    constraints: ["Keep staged incident evidence read-only"]
+};
+const maintenanceRequestFixture = {
+    maintenanceGoal: "Triage dependency and docs hygiene follow-up after the latest release.",
+    dependencyAlertRefs: [".agentops/evidence/dependency-alerts.json"],
+    docsTaskRefs: [".agentops/evidence/docs-task.md"],
+    releaseReportRefs: [".agentops/runs/run-release/bundle.json"],
+    issueRefs: ["#145"],
+    constraints: ["Keep maintenance triage read-only"]
+};
 const normalizedValidationCommandFixture = {
     command: "pnpm test",
     source: "request",
     classification: "approval_required",
     reason: "Requested command matches a discovered allowlisted validation script."
 };
+const githubReferenceFixture = {
+    platform: "github",
+    host: "github.com",
+    owner: "H9-Foundry",
+    repo: "AgentForge",
+    kind: "issue",
+    number: 142,
+    canonical: "H9-Foundry/AgentForge#142",
+    url: "https://github.com/H9-Foundry/AgentForge/issues/142",
+    source: "#142"
+};
+const githubWorkflowStatusMappingFixture = {
+    workflow: "planning-discovery",
+    localRunStatus: "success",
+    githubStatus: "completed",
+    reason: "Successful local workflow runs map to completed GitHub handoff status."
+};
+const githubActionsEvidenceFixture = {
+    sourcePath: ".agentops/evidence/github-actions-ci.json",
+    repository: "H9-Foundry/AgentForge",
+    workflowName: "CI",
+    workflowRunId: 123456789,
+    runAttempt: 1,
+    event: "pull_request",
+    headBranch: "main",
+    headSha: "caf36447a49fc6e9fc308c34b98424958237aa1e",
+    status: "completed",
+    conclusion: "failure",
+    htmlUrl: "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789",
+    jobs: [
+        {
+            name: "test",
+            status: "completed",
+            conclusion: "success",
+            htmlUrl: "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789/job/1"
+        },
+        {
+            name: "lint",
+            status: "completed",
+            conclusion: "failure",
+            htmlUrl: "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789/job/2"
+        }
+    ],
+    checkRuns: [
+        {
+            name: "validate-public-packages",
+            status: "completed",
+            conclusion: "success",
+            detailsUrl: "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789/job/3"
+        }
+    ]
+};
+const githubHandoffSummaryFixture = {
+    artifactKind: "planning-brief",
+    workflow: "planning-discovery",
+    githubStatus: "completed",
+    title: "Planning handoff for H9-Foundry/AgentForge#78",
+    summary: "Planning brief scoped the next bounded workflow slice.",
+    body: [
+        "Planning handoff for `planning-discovery`.",
+        "",
+        "Summary:",
+        "- Planning brief scoped the next bounded workflow slice."
+    ].join("\n"),
+    issueRefs: [githubReferenceFixture],
+    pullRequestRefs: [],
+    provenanceRefs: [".agentops/runs/run-123/bundle.json", "docs/ROADMAP.md"],
+    sections: [
+        {
+            heading: "Summary",
+            lines: ["Planning brief scoped the next bounded workflow slice."]
+        }
+    ]
+};
 const implementationInventoryFixture = {
     requestedTargetPaths: ["packages/cli", "packages/runtime"],
     resolvedAffectedPaths: ["packages/cli/src/index.ts", "packages/runtime/src/index.ts"],
@@ -818,6 +1311,150 @@ const implementationInventoryFixture = {
         }
     ]
 };
+const qaEvidenceNormalizationFixture = {
+    targetRef: ".agentops/runs/run-789/bundle.json",
+    targetType: "artifact-bundle",
+    referencedArtifactKinds: ["implementation-proposal"],
+    normalizedEvidenceSources: [".agentops/runs/run-789/bundle.json", ".agentops/runs/run-789/summary.md"],
+    missingEvidenceSources: [],
+    normalizedExecutedChecks: ["pnpm test"],
+    unrecognizedExecutedChecks: [],
+    affectedPackages: ["packages/cli"],
+    allowedValidationCommands: [
+        normalizedValidationCommandFixture,
+        {
+            command: "pnpm build",
+            source: "package-script",
+            classification: "approval_required",
+            reason: "Discovered from a bounded repository script; execution would still require approval."
+        }
+    ],
+    githubActions: {
+        evidence: [githubActionsEvidenceFixture],
+        workflowNames: ["CI"],
+        failingChecks: ["CI / lint"],
+        provenanceRefs: [
+            ".agentops/evidence/github-actions-ci.json",
+            "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789",
+            "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789/job/1",
+            "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789/job/2",
+            "https://github.com/H9-Foundry/AgentForge/actions/runs/123456789/job/3"
+        ]
+    }
+};
+const securityEvidenceNormalizationFixture = {
+    targetRef: ".agentops/runs/run-790/bundle.json",
+    targetType: "artifact-bundle",
+    referencedArtifactKinds: ["implementation-proposal"],
+    normalizedEvidenceSources: [".agentops/runs/run-790/bundle.json", ".agentops/runs/run-790/summary.md"],
+    missingEvidenceSources: [],
+    normalizedFocusAreas: ["dependency-risk", "release-readiness"],
+    securitySignals: [
+        "Referenced artifact kinds: implementation-proposal",
+        "Affected packages inferred from bounded artifact payloads: packages/cli, packages/runtime"
+    ],
+    provenanceRefs: [
+        ".agentops/runs/run-790/bundle.json#implementation-proposal",
+        ".agentops/runs/run-790/summary.md"
+    ],
+    affectedPackages: ["packages/cli", "packages/runtime"]
+};
+const incidentEvidenceNormalizationFixture = {
+    incidentSummary: "Customers saw elevated 500s after the last release candidate.",
+    severityHint: "high",
+    normalizedEvidenceSources: [
+        ".agentops/evidence/incident-summary.md",
+        ".agentops/evidence/alerts.json",
+        ".agentops/runs/run-release/bundle.json"
+    ],
+    missingEvidenceSources: [],
+    releaseReportRefs: [".agentops/runs/run-release/bundle.json"],
+    timelineSummary: [
+        "Severity hint: high.",
+        "Normalized staged incident evidence and release-report references before reasoning.",
+        "Observed source .agentops/evidence/incident-summary.md during deterministic intake.",
+        "Observed source .agentops/evidence/alerts.json during deterministic intake.",
+        "Observed source .agentops/runs/run-release/bundle.json during deterministic intake."
+    ],
+    likelyImpactedAreas: ["release-readiness", "staged-operational-evidence", "security-follow-up"],
+    followUpWorkflowRefs: ["maintenance-triage", "release-readiness", "security-review"],
+    provenanceRefs: [
+        ".agentops/evidence/incident-summary.md",
+        ".agentops/evidence/alerts.json",
+        ".agentops/runs/run-release/bundle.json#release-report"
+    ],
+    redactionCategories: ["github-token", "api-key", "aws-key", "bearer-token", "password", "private-key", "operational-sensitive"],
+    referencedArtifactKinds: ["release-report"]
+};
+const maintenanceEvidenceNormalizationFixture = {
+    maintenanceGoal: "Triage dependency and docs hygiene follow-up after the latest release.",
+    dependencyAlertRefs: [".agentops/evidence/dependency-alerts.json"],
+    docsTaskRefs: [".agentops/evidence/docs-task.md"],
+    releaseReportRefs: [".agentops/runs/run-release/bundle.json"],
+    normalizedEvidenceSources: [
+        ".agentops/evidence/dependency-alerts.json",
+        ".agentops/evidence/docs-task.md",
+        ".agentops/runs/run-release/bundle.json"
+    ],
+    missingEvidenceSources: [],
+    referencedArtifactKinds: ["release-report"],
+    affectedPackagesOrDocs: ["docs/quickstart.md", "packages/cli"],
+    maintenanceSignals: [
+        "Observed source .agentops/evidence/dependency-alerts.json during deterministic intake.",
+        "Observed source .agentops/evidence/docs-task.md during deterministic intake.",
+        "Observed source .agentops/runs/run-release/bundle.json during deterministic intake.",
+        "Release report references contribute bounded maintenance follow-up context."
+    ],
+    followUpWorkflowRefs: ["implementation-proposal", "release-readiness"],
+    routingRecommendation: "implementation-proposal",
+    provenanceRefs: [
+        ".agentops/evidence/dependency-alerts.json",
+        ".agentops/evidence/docs-task.md",
+        ".agentops/runs/run-release/bundle.json#release-report"
+    ]
+};
+const releaseEvidenceNormalizationFixture = {
+    qaReportRefs: [".agentops/runs/run-789/bundle.json"],
+    securityReportRefs: [".agentops/runs/run-790/bundle.json"],
+    normalizedEvidenceSources: [
+        ".agentops/runs/run-789/bundle.json",
+        ".agentops/runs/run-790/bundle.json",
+        ".agentops/runs/run-790/summary.md"
+    ],
+    missingEvidenceSources: [],
+    versionResolutions: [
+        {
+            name: "@h9-foundry/agentforge-cli",
+            targetVersion: "0.7.0",
+            currentVersion: "0.6.0",
+            status: "pending-version-bump"
+        }
+    ],
+    localReadinessChecks: [
+        { name: "qa-report-refs", status: "passed", detail: "Using one validated QA report reference." },
+        { name: "security-report-refs", status: "passed", detail: "Using one validated security report reference." },
+        { name: "workspace-version-targets", status: "passed", detail: "Resolved one workspace version target." }
+    ],
+    readinessStatus: "ready",
+    approvalRecommendations: [
+        {
+            action: "publish-packages",
+            classification: "approval_required",
+            reason: "Package publication remains outside the default read-only workflow path."
+        },
+        {
+            action: "promote-release",
+            classification: "approval_required",
+            reason: "Promotion remains a release-significant side effect and requires explicit maintainer approval."
+        }
+    ],
+    provenanceRefs: [
+        ".agentops/runs/run-789/bundle.json",
+        ".agentops/runs/run-790/bundle.json",
+        ".agentops/runs/run-790/summary.md",
+        "packages/cli/package.json"
+    ]
+};
 export const schemaFixtures = {
     finding: {
         id: "finding-1",
@@ -924,12 +1561,28 @@ export const schemaFixtures = {
     },
     implementationRequest: implementationRequestFixture,
     qaRequest: qaRequestFixture,
+    securityRequest: securityRequestFixture,
+    releaseRequest: releaseRequestFixture,
+    incidentRequest: incidentRequestFixture,
+    maintenanceRequest: maintenanceRequestFixture,
+    githubReference: githubReferenceFixture,
+    githubActionsEvidence: githubActionsEvidenceFixture,
+    githubHandoffSummary: githubHandoffSummaryFixture,
+    githubWorkflowStatusMapping: githubWorkflowStatusMappingFixture,
     normalizedValidationCommand: normalizedValidationCommandFixture,
     implementationInventory: implementationInventoryFixture,
+    qaEvidenceNormalization: qaEvidenceNormalizationFixture,
+    securityEvidenceNormalization: securityEvidenceNormalizationFixture,
+    incidentEvidenceNormalization: incidentEvidenceNormalizationFixture,
+    maintenanceEvidenceNormalization: maintenanceEvidenceNormalizationFixture,
+    releaseEvidenceNormalization: releaseEvidenceNormalizationFixture,
     lifecycleArtifactEnvelope: planningArtifactFixture,
     planningArtifact: planningArtifactFixture,
     designArtifact: designArtifactFixture,
     implementationArtifact: implementationArtifactFixture,
+    incidentArtifact: incidentArtifactFixture,
+    qaArtifact: qaArtifactFixture,
+    securityArtifact: securityArtifactFixture,
     reviewArtifact: reviewArtifactFixture,
     releaseArtifact: releaseArtifactFixture,
     maintenanceArtifact: maintenanceArtifactFixture,