@haaaiawd/second-nature 0.1.22 → 0.1.24

package/runtime/connectors/agent-network/agent-world/adapter.js

@@ -0,0 +1,58 @@
+export function createAgentWorldRunner(input) {
+    const { apiClient } = input;
+    return {
+        async run(plan, request) {
+            const started = Date.now();
+            try {
+                const apiKey = request.payload?.apiKey ?? "";
+                if (!apiKey) {
+                    return {
+                        platformId: request.platformId,
+                        channel: plan.channel,
+                        latencyMs: Date.now() - started,
+                        success: false,
+                        error: {
+                            code: "auth_failure",
+                            detail: "api_key_required_for_agent_world",
+                        },
+                    };
+                }
+                let result;
+                if (plan.intent === "feed.read") {
+                    result = await apiClient.readFeed(request.payload, String(apiKey));
+                }
+                else if (plan.intent === "work.discover") {
+                    result = await apiClient.discoverWork(request.payload, String(apiKey));
+                }
+                else if (plan.intent === "task.claim") {
+                    result = await apiClient.claimTask(request.payload, String(apiKey));
+                }
+                else {
+                    throw { code: "protocol_mismatch", detail: `unsupported agent-world intent: ${plan.intent}` };
+                }
+                return {
+                    platformId: request.platformId,
+                    channel: plan.channel,
+                    latencyMs: Date.now() - started,
+                    degraded: plan.channel === "skill",
+                    success: true,
+                    payload: {
+                        capability: request.intent,
+                        channel: plan.channel,
+                        data: result,
+                    },
+                };
+            }
+            catch (error) {
+                return {
+                    platformId: request.platformId,
+                    channel: plan.channel,
+                    latencyMs: Date.now() - started,
+                    degraded: plan.channel === "skill",
+                    success: false,
+                    error,
+                };
+            }
+        },
+    };
+}

package/runtime/connectors/agent-network/agent-world/index.d.ts

@@ -0,0 +1,2 @@
+export { agentWorldManifest } from "./manifest.js";
+export { createAgentWorldRunner, type AgentWorldApiClient } from "./adapter.js";

package/runtime/connectors/agent-network/agent-world/index.js

@@ -0,0 +1,2 @@
+export { agentWorldManifest } from "./manifest.js";
+export { createAgentWorldRunner } from "./adapter.js";

package/runtime/connectors/agent-network/agent-world/manifest.d.ts

@@ -0,0 +1,2 @@
+import type { ConnectorManifest } from "../../base/manifest.js";
+export declare const agentWorldManifest: ConnectorManifest;

package/runtime/connectors/agent-network/agent-world/manifest.js

@@ -0,0 +1,7 @@
+export const agentWorldManifest = {
+    platformId: "agent-world",
+    supportedCapabilities: ["feed.read", "work.discover", "task.claim"],
+    channelPriority: ["api_rest", "a2a", "skill"],
+    credentialTypes: ["api_key"],
+    degradedChannels: ["skill"],
+};

package/runtime/connectors/base/manifest.d.ts

@@ -38,6 +38,11 @@ declare const connectorManifestSchema: z.ZodObject<{
     }, z.core.$strip>>;
 }, z.core.$strip>;
 export type ConnectorManifest = z.infer<typeof connectorManifestSchema>;
+export interface ResolvedConnectorCapability {
+    platformId: string;
+    intent: CapabilityIntent;
+    source: "namespace" | "v5_explicit" | "unambiguous_default";
+}
 export declare class CapabilityContractRegistry {
     private readonly byPlatform;
     register(manifest: ConnectorManifest): void;
@@ -46,6 +51,14 @@ export declare class CapabilityContractRegistry {
     hasCapability(platformId: string, intent: CapabilityIntent): boolean;
     listCapabilities(platformId: string): CapabilityIntent[];
     listChannels(platformId: string): ChannelType[];
+    /**
+     * Resolve a capability string that may be namespaced (`platformId:capability`)
+     * or a bare v5 capability. Returns the platform + intent pair.
+     * If bare capability and no explicit platform is provided, only succeeds when
+     * exactly one registered platform supports it (unambiguous_default).
+     */
+    resolveCapability(intentWithNamespace: string, explicitPlatformId?: string): ResolvedConnectorCapability;
+    findPlatformsForIntent(intent: CapabilityIntent): string[];
 }
 /** T3.1.1 contract name for manifest-first registry. */
 export declare const ConnectorManifestRegistry: typeof CapabilityContractRegistry;

package/runtime/connectors/base/manifest.js

@@ -40,6 +40,53 @@ export class CapabilityContractRegistry {
     listChannels(platformId) {
         return [...this.loadManifest(platformId).channelPriority];
     }
+    /**
+     * Resolve a capability string that may be namespaced (`platformId:capability`)
+     * or a bare v5 capability. Returns the platform + intent pair.
+     * If bare capability and no explicit platform is provided, only succeeds when
+     * exactly one registered platform supports it (unambiguous_default).
+     */
+    resolveCapability(intentWithNamespace, explicitPlatformId) {
+        const colonIndex = intentWithNamespace.indexOf(":");
+        if (colonIndex >= 0) {
+            const platformId = intentWithNamespace.slice(0, colonIndex);
+            const intent = intentWithNamespace.slice(colonIndex + 1);
+            if (!CAPABILITY_INTENTS.includes(intent)) {
+                throw new Error(`capability_not_recognized:${intent}`);
+            }
+            if (!this.byPlatform.has(platformId)) {
+                throw new Error(`platform_not_found:${platformId}`);
+            }
+            return { platformId, intent, source: "namespace" };
+        }
+        const intent = intentWithNamespace;
+        if (!CAPABILITY_INTENTS.includes(intent)) {
+            throw new Error(`capability_not_recognized:${intent}`);
+        }
+        if (explicitPlatformId) {
+            if (!this.byPlatform.has(explicitPlatformId)) {
+                throw new Error(`platform_not_found:${explicitPlatformId}`);
+            }
+            return { platformId: explicitPlatformId, intent, source: "v5_explicit" };
+        }
+        const platforms = this.findPlatformsForIntent(intent);
+        if (platforms.length === 0) {
+            throw new Error(`no_platform_supports_capability:${intent}`);
+        }
+        if (platforms.length > 1) {
+            throw new Error(`ambiguous_capability:${intent}:${platforms.join(",")}`);
+        }
+        return { platformId: platforms[0], intent, source: "unambiguous_default" };
+    }
+    findPlatformsForIntent(intent) {
+        const result = [];
+        for (const [platformId, manifest] of this.byPlatform) {
+            if (manifest.supportedCapabilities.includes(intent)) {
+                result.push(platformId);
+            }
+        }
+        return result;
+    }
 }
 /** T3.1.1 contract name for manifest-first registry. */
 export const ConnectorManifestRegistry = CapabilityContractRegistry;

package/runtime/connectors/manifest/manifest-parser.d.ts

@@ -0,0 +1,16 @@
+import { type ConnectorManifestV6, type ConnectorManifestValidationError } from "./manifest-schema.js";
+export interface ParseManifestResult {
+    ok: true;
+    manifest: ConnectorManifestV6;
+}
+export interface ParseManifestFailure {
+    ok: false;
+    errors: string[];
+}
+export type ParseManifestOutput = ParseManifestResult | ParseManifestFailure;
+/**
+ * Safe YAML parse + zod validation for connector manifest v6.
+ * Uses JSON_SCHEMA to block custom YAML tags/object constructors.
+ */
+export declare function parseConnectorManifestV6(yamlText: string, path?: string): ParseManifestOutput;
+export declare function toValidationError(path: string, output: ParseManifestFailure): ConnectorManifestValidationError[];

package/runtime/connectors/manifest/manifest-parser.js

@@ -0,0 +1,35 @@
+import yaml from "js-yaml";
+import { connectorManifestV6Schema, } from "./manifest-schema.js";
+/**
+ * Safe YAML parse + zod validation for connector manifest v6.
+ * Uses JSON_SCHEMA to block custom YAML tags/object constructors.
+ */
+export function parseConnectorManifestV6(yamlText, path) {
+    let raw;
+    try {
+        raw = yaml.load(yamlText, { schema: yaml.JSON_SCHEMA });
+    }
+    catch (error) {
+        return {
+            ok: false,
+            errors: [
+                error instanceof Error ? `yaml_parse_error:${error.message}` : `yaml_parse_error:${String(error)}`,
+            ],
+        };
+    }
+    if (raw === null || typeof raw !== "object") {
+        return { ok: false, errors: ["yaml_parse_error:parsed_content_is_null_or_not_object"] };
+    }
+    const parsed = connectorManifestV6Schema.safeParse(raw);
+    if (!parsed.success) {
+        const errors = parsed.error.issues.map((issue) => {
+            const pathStr = issue.path.join(".");
+            return `schema_validation_error:${pathStr}:${issue.message}`;
+        });
+        return { ok: false, errors };
+    }
+    return { ok: true, manifest: parsed.data };
+}
+export function toValidationError(path, output) {
+    return output.errors.map((message) => ({ path, message }));
+}

package/runtime/connectors/manifest/manifest-schema.d.ts

@@ -0,0 +1,145 @@
+import { z } from "zod";
+export declare const connectorRunnerKindSchema: z.ZodEnum<{
+    skill: "skill";
+    browser: "browser";
+    declarative_http: "declarative_http";
+    declarative_a2a: "declarative_a2a";
+    declarative_mcp: "declarative_mcp";
+    cli_descriptor: "cli_descriptor";
+    custom_adapter: "custom_adapter";
+}>;
+export type ConnectorRunnerKind = z.infer<typeof connectorRunnerKindSchema>;
+export declare const connectorTrustStatusSchema: z.ZodEnum<{
+    blocked: "blocked";
+    declarative_trusted: "declarative_trusted";
+    custom_adapter_pending_trust: "custom_adapter_pending_trust";
+    trusted_custom_adapter: "trusted_custom_adapter";
+}>;
+export type ConnectorTrustStatus = z.infer<typeof connectorTrustStatusSchema>;
+export declare const capabilityDeclarationSchema: z.ZodObject<{
+    id: z.ZodString;
+    channel: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type ConnectorCapabilityDeclaration = z.infer<typeof capabilityDeclarationSchema>;
+export declare const runnerDeclarationSchema: z.ZodObject<{
+    kind: z.ZodEnum<{
+        skill: "skill";
+        browser: "browser";
+        declarative_http: "declarative_http";
+        declarative_a2a: "declarative_a2a";
+        declarative_mcp: "declarative_mcp";
+        cli_descriptor: "cli_descriptor";
+        custom_adapter: "custom_adapter";
+    }>;
+    entrypoint: z.ZodOptional<z.ZodString>;
+    config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+export type ConnectorRunnerDeclaration = z.infer<typeof runnerDeclarationSchema>;
+export declare const credentialRequirementSchema: z.ZodObject<{
+    type: z.ZodString;
+    required: z.ZodDefault<z.ZodBoolean>;
+    description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type CredentialRequirementDeclaration = z.infer<typeof credentialRequirementSchema>;
+export declare const sourceRefPolicySchema: z.ZodObject<{
+    minSourceRefs: z.ZodDefault<z.ZodNumber>;
+    rejectInlineSensitivePayload: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+export type SourceRefPolicyDeclaration = z.infer<typeof sourceRefPolicySchema>;
+export declare const trustDeclarationSchema: z.ZodObject<{
+    status: z.ZodOptional<z.ZodEnum<{
+        blocked: "blocked";
+        declarative_trusted: "declarative_trusted";
+        custom_adapter_pending_trust: "custom_adapter_pending_trust";
+        trusted_custom_adapter: "trusted_custom_adapter";
+    }>>;
+    override: z.ZodOptional<z.ZodBoolean>;
+    reason: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export type ConnectorTrustDeclaration = z.infer<typeof trustDeclarationSchema>;
+export declare const connectorManifestV6Schema: z.ZodObject<{
+    schemaVersion: z.ZodLiteral<"sn.connector.v1">;
+    platformId: z.ZodString;
+    displayName: z.ZodString;
+    family: z.ZodEnum<{
+        custom: "custom";
+        social_community: "social_community";
+        agent_network: "agent_network";
+        work_platform: "work_platform";
+    }>;
+    capabilities: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        channel: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    runner: z.ZodObject<{
+        kind: z.ZodEnum<{
+            skill: "skill";
+            browser: "browser";
+            declarative_http: "declarative_http";
+            declarative_a2a: "declarative_a2a";
+            declarative_mcp: "declarative_mcp";
+            cli_descriptor: "cli_descriptor";
+            custom_adapter: "custom_adapter";
+        }>;
+        entrypoint: z.ZodOptional<z.ZodString>;
+        config: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strip>;
+    credentials: z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        required: z.ZodDefault<z.ZodBoolean>;
+        description: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    sourceRefPolicy: z.ZodObject<{
+        minSourceRefs: z.ZodDefault<z.ZodNumber>;
+        rejectInlineSensitivePayload: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>;
+    trust: z.ZodOptional<z.ZodObject<{
+        status: z.ZodOptional<z.ZodEnum<{
+            blocked: "blocked";
+            declarative_trusted: "declarative_trusted";
+            custom_adapter_pending_trust: "custom_adapter_pending_trust";
+            trusted_custom_adapter: "trusted_custom_adapter";
+        }>>;
+        override: z.ZodOptional<z.ZodBoolean>;
+        reason: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type ConnectorManifestV6 = z.infer<typeof connectorManifestV6Schema>;
+export interface ConnectorConflict {
+    platformId: string;
+    existingSource: "built_in" | "workspace";
+    attemptedSource: "built_in" | "workspace";
+    reason: string;
+}
+export interface ConnectorManifestValidationError {
+    platformId?: string;
+    path: string;
+    message: string;
+}
+export interface ConnectorInventoryEntry {
+    platformId: string;
+    source: "built_in" | "workspace";
+    manifestPath?: string;
+    trustStatus: ConnectorTrustStatus;
+    executable: boolean;
+    capabilities: string[];
+    validationErrors: string[];
+    conflict?: ConnectorConflict;
+}
+export interface ConnectorReloadResult {
+    scanned: number;
+    registered: number;
+    skipped: number;
+    conflicts: ConnectorConflict[];
+    validationErrors: ConnectorManifestValidationError[];
+}
+export interface ConnectorRegistrySnapshot {
+    readonly entries: ReadonlyMap<string, ConnectorInventoryEntry>;
+    readonly builtInEntries: ReadonlyMap<string, ConnectorInventoryEntry>;
+    readonly dynamicEntries: ReadonlyMap<string, ConnectorInventoryEntry>;
+    readonly conflicts: readonly ConnectorConflict[];
+    readonly validationErrors: readonly ConnectorManifestValidationError[];
+    readonly createdAt: string;
+}

package/runtime/connectors/manifest/manifest-schema.js

@@ -0,0 +1,51 @@
+import { z } from "zod";
+export const connectorRunnerKindSchema = z.enum([
+    "declarative_http",
+    "declarative_a2a",
+    "declarative_mcp",
+    "cli_descriptor",
+    "custom_adapter",
+    "skill",
+    "browser",
+]);
+export const connectorTrustStatusSchema = z.enum([
+    "declarative_trusted",
+    "custom_adapter_pending_trust",
+    "trusted_custom_adapter",
+    "blocked",
+]);
+export const capabilityDeclarationSchema = z.object({
+    id: z.string().min(1),
+    channel: z.string().optional(),
+    description: z.string().optional(),
+});
+export const runnerDeclarationSchema = z.object({
+    kind: connectorRunnerKindSchema,
+    entrypoint: z.string().optional(),
+    config: z.record(z.string(), z.unknown()).optional(),
+});
+export const credentialRequirementSchema = z.object({
+    type: z.string().min(1),
+    required: z.boolean().default(true),
+    description: z.string().optional(),
+});
+export const sourceRefPolicySchema = z.object({
+    minSourceRefs: z.number().int().min(0).default(1),
+    rejectInlineSensitivePayload: z.boolean().optional(),
+});
+export const trustDeclarationSchema = z.object({
+    status: connectorTrustStatusSchema.optional(),
+    override: z.boolean().optional(),
+    reason: z.string().optional(),
+});
+export const connectorManifestV6Schema = z.object({
+    schemaVersion: z.literal("sn.connector.v1"),
+    platformId: z.string().min(1),
+    displayName: z.string().min(1),
+    family: z.enum(["social_community", "agent_network", "work_platform", "custom"]),
+    capabilities: z.array(capabilityDeclarationSchema).min(1),
+    runner: runnerDeclarationSchema,
+    credentials: z.array(credentialRequirementSchema),
+    sourceRefPolicy: sourceRefPolicySchema,
+    trust: trustDeclarationSchema.optional(),
+});

package/runtime/connectors/registry/dynamic-connector-registry.d.ts

@@ -0,0 +1,29 @@
+import { type ConnectorManifestV6, type ConnectorInventoryEntry, type ConnectorReloadResult, type ConnectorRegistrySnapshot } from "../manifest/manifest-schema.js";
+export interface RegistrySnapshotStore {
+    getActive(): ConnectorRegistrySnapshot;
+    swap(snapshot: ConnectorRegistrySnapshot): void;
+}
+export declare function createRegistrySnapshotStore(initial?: ConnectorRegistrySnapshot): RegistrySnapshotStore;
+export interface DynamicConnectorRegistryOptions {
+    builtInManifests?: ConnectorManifestV6[];
+    snapshotStore: RegistrySnapshotStore;
+}
+/**
+ * DynamicConnectorRegistry scans workspace manifests, validates, classifies trust,
+ * merges built-in entries, applies fail-closed conflict policy, and publishes
+ * immutable registry snapshots.
+ */
+export declare class DynamicConnectorRegistry {
+    private readonly builtInManifests;
+    private readonly snapshotStore;
+    constructor(options: DynamicConnectorRegistryOptions);
+    /**
+     * Reload connectors from workspace root.
+     * Scans `.second-nature/connectors/{platformId}/manifest.yaml`, validates,
+     * classifies trust, and atomically swaps the active registry snapshot.
+     */
+    reloadConnectors(workspaceRoot: string): ConnectorReloadResult;
+    getActiveRegistrySnapshot(): ConnectorRegistrySnapshot;
+    listConnectors(): ConnectorInventoryEntry[];
+    describeConnector(platformId: string): ConnectorInventoryEntry | undefined;
+}

package/runtime/connectors/registry/dynamic-connector-registry.js

@@ -0,0 +1,123 @@
+import path from "node:path";
+import { parseConnectorManifestV6, toValidationError } from "../manifest/manifest-parser.js";
+import { classifyTrust, isExecutable } from "./trust-policy.js";
+import { scanConnectorManifests } from "./manifest-scanner.js";
+export function createRegistrySnapshotStore(initial) {
+    let active = initial ??
+        buildSnapshot(new Map(), new Map(), [], [], new Date().toISOString());
+    return {
+        getActive() {
+            return active;
+        },
+        swap(snapshot) {
+            active = snapshot;
+        },
+    };
+}
+function buildSnapshot(builtIn, dynamic, conflicts, validationErrors, createdAt) {
+    const entries = new Map();
+    for (const [k, v] of builtIn)
+        entries.set(k, v);
+    for (const [k, v] of dynamic)
+        entries.set(k, v);
+    return Object.freeze({
+        entries,
+        builtInEntries: builtIn,
+        dynamicEntries: dynamic,
+        conflicts: Object.freeze([...conflicts]),
+        validationErrors: Object.freeze([...validationErrors]),
+        createdAt,
+    });
+}
+function manifestToInventoryEntry(manifest, source, manifestPath) {
+    const trustStatus = classifyTrust(manifest);
+    return {
+        platformId: manifest.platformId,
+        source,
+        manifestPath,
+        trustStatus,
+        executable: isExecutable(trustStatus),
+        capabilities: manifest.capabilities.map((c) => c.id),
+        validationErrors: [],
+    };
+}
+/**
+ * DynamicConnectorRegistry scans workspace manifests, validates, classifies trust,
+ * merges built-in entries, applies fail-closed conflict policy, and publishes
+ * immutable registry snapshots.
+ */
+export class DynamicConnectorRegistry {
+    builtInManifests;
+    snapshotStore;
+    constructor(options) {
+        this.builtInManifests = options.builtInManifests ?? [];
+        this.snapshotStore = options.snapshotStore;
+    }
+    /**
+     * Reload connectors from workspace root.
+     * Scans `.second-nature/connectors/{platformId}/manifest.yaml`, validates,
+     * classifies trust, and atomically swaps the active registry snapshot.
+     */
+    reloadConnectors(workspaceRoot) {
+        const scannedFiles = scanConnectorManifests(workspaceRoot);
+        const scanned = scannedFiles.length;
+        const builtInMap = new Map();
+        for (const manifest of this.builtInManifests) {
+            builtInMap.set(manifest.platformId, manifestToInventoryEntry(manifest, "built_in"));
+        }
+        const dynamicMap = new Map();
+        const conflicts = [];
+        const validationErrors = [];
+        let registered = 0;
+        let skipped = 0;
+        for (const file of scannedFiles) {
+            const parseResult = parseConnectorManifestV6(file.content, file.path);
+            if (!parseResult.ok) {
+                validationErrors.push(...toValidationError(file.path, parseResult));
+                skipped++;
+                continue;
+            }
+            const manifest = parseResult.manifest;
+            const manifestPath = path.relative(workspaceRoot, file.path);
+            // Duplicate platformId without override -> fail-closed
+            if (builtInMap.has(manifest.platformId) || dynamicMap.has(manifest.platformId)) {
+                const existing = builtInMap.get(manifest.platformId) ?? dynamicMap.get(manifest.platformId);
+                const allowOverride = manifest.trust?.override === true;
+                const isTrustedSource = existing.source === "built_in";
+                if (!allowOverride || isTrustedSource) {
+                    conflicts.push({
+                        platformId: manifest.platformId,
+                        existingSource: existing.source,
+                        attemptedSource: "workspace",
+                        reason: allowOverride
+                            ? "override_rejected_trusted_source"
+                            : "duplicate_platform_id_without_override",
+                    });
+                    skipped++;
+                    continue;
+                }
+            }
+            const entry = manifestToInventoryEntry(manifest, "workspace", manifestPath);
+            dynamicMap.set(manifest.platformId, entry);
+            registered++;
+        }
+        const snapshot = buildSnapshot(builtInMap, dynamicMap, conflicts, validationErrors, new Date().toISOString());
+        this.snapshotStore.swap(snapshot);
+        return {
+            scanned,
+            registered,
+            skipped,
+            conflicts,
+            validationErrors,
+        };
+    }
+    getActiveRegistrySnapshot() {
+        return this.snapshotStore.getActive();
+    }
+    listConnectors() {
+        return [...this.snapshotStore.getActive().entries.values()];
+    }
+    describeConnector(platformId) {
+        return this.snapshotStore.getActive().entries.get(platformId);
+    }
+}

package/runtime/connectors/registry/index.d.ts

@@ -0,0 +1,3 @@
+export { DynamicConnectorRegistry, createRegistrySnapshotStore, type RegistrySnapshotStore, type DynamicConnectorRegistryOptions, } from "./dynamic-connector-registry.js";
+export { scanConnectorManifests, type ManifestScanResult } from "./manifest-scanner.js";
+export { classifyTrust, isExecutable } from "./trust-policy.js";

package/runtime/connectors/registry/index.js

@@ -0,0 +1,3 @@
+export { DynamicConnectorRegistry, createRegistrySnapshotStore, } from "./dynamic-connector-registry.js";
+export { scanConnectorManifests } from "./manifest-scanner.js";
+export { classifyTrust, isExecutable } from "./trust-policy.js";

package/runtime/connectors/registry/manifest-scanner.d.ts

@@ -0,0 +1,9 @@
+export interface ManifestScanResult {
+    path: string;
+    content: string;
+}
+/**
+ * Enumerate `.second-nature/connectors/{platformId}/manifest.yaml` under workspace root.
+ * Does not execute any code; only reads file paths and contents.
+ */
+export declare function scanConnectorManifests(workspaceRoot: string): ManifestScanResult[];

package/runtime/connectors/registry/manifest-scanner.js

@@ -0,0 +1,29 @@
+import fs from "node:fs";
+import path from "node:path";
+/**
+ * Enumerate `.second-nature/connectors/{platformId}/manifest.yaml` under workspace root.
+ * Does not execute any code; only reads file paths and contents.
+ */
+export function scanConnectorManifests(workspaceRoot) {
+    const connectorsDir = path.join(workspaceRoot, ".second-nature", "connectors");
+    if (!fs.existsSync(connectorsDir)) {
+        return [];
+    }
+    const results = [];
+    const entries = fs.readdirSync(connectorsDir, { withFileTypes: true });
+    for (const entry of entries) {
+        if (!entry.isDirectory())
+            continue;
+        const manifestPath = path.join(connectorsDir, entry.name, "manifest.yaml");
+        if (!fs.existsSync(manifestPath))
+            continue;
+        try {
+            const content = fs.readFileSync(manifestPath, "utf-8");
+            results.push({ path: manifestPath, content });
+        }
+        catch {
+            // Skip unreadable files; validation layer will not see them
+        }
+    }
+    return results;
+}

package/runtime/connectors/registry/trust-policy.d.ts

@@ -0,0 +1,13 @@
+import { type ConnectorManifestV6, type ConnectorTrustStatus } from "../manifest/manifest-schema.js";
+/**
+ * Classify manifest runner into trust status per v6 trust decision tree.
+ * declarative_http/a2a/mcp -> declarative_trusted
+ * cli_descriptor -> declarative_trusted (P0 conditional; dry-run/read path优先)
+ * custom_adapter/skill/browser -> custom_adapter_pending_trust
+ * explicit blocked/trusted_custom_adapter in manifest.trust respected.
+ */
+export declare function classifyTrust(manifest: ConnectorManifestV6): ConnectorTrustStatus;
+/**
+ * Determine whether a connector entry is executable based on trust status.
+ */
+export declare function isExecutable(trustStatus: ConnectorTrustStatus): boolean;

package/runtime/connectors/registry/trust-policy.js

@@ -0,0 +1,37 @@
+/**
+ * Classify manifest runner into trust status per v6 trust decision tree.
+ * declarative_http/a2a/mcp -> declarative_trusted
+ * cli_descriptor -> declarative_trusted (P0 conditional; dry-run/read path优先)
+ * custom_adapter/skill/browser -> custom_adapter_pending_trust
+ * explicit blocked/trusted_custom_adapter in manifest.trust respected.
+ */
+export function classifyTrust(manifest) {
+    if (manifest.trust?.status === "blocked") {
+        return "blocked";
+    }
+    if (manifest.trust?.status === "trusted_custom_adapter") {
+        return "trusted_custom_adapter";
+    }
+    const kind = manifest.runner.kind;
+    switch (kind) {
+        case "declarative_http":
+        case "declarative_a2a":
+        case "declarative_mcp":
+        case "cli_descriptor":
+            return "declarative_trusted";
+        case "custom_adapter":
+        case "skill":
+        case "browser":
+            return "custom_adapter_pending_trust";
+        default: {
+            // Exhaustive check; unknown runner kind is blocked for safety
+            return "blocked";
+        }
+    }
+}
+/**
+ * Determine whether a connector entry is executable based on trust status.
+ */
+export function isExecutable(trustStatus) {
+    return trustStatus === "declarative_trusted" || trustStatus === "trusted_custom_adapter";
+}