@hongmaple0820/scale-engine 0.26.0 → 0.27.0

package/docs/CONTEXT_BUDGET.md

@@ -43,6 +43,40 @@ scale context pack \
   --json
 ```
 
+Build the unified AI OS runtime plan that embeds the context pack with memory, skill routing, adaptive workflow, and ROI:
+
+```bash
+scale ai-os plan \
+  --task-id TASK-123 \
+  --task "Review frontend route with browser evidence" \
+  --level L \
+  --files src/routes/upload.tsx \
+  --budget 8000 \
+  --json
+```
+
+The context pack now uses the baseline Context Compiler. Each candidate section is scored by category, task/file relevance, risk level, and budget fit. The JSON output includes compiler metadata so callers can explain why a section was loaded or omitted:
+
+```json
+{
+  "compiler": {
+    "strategy": "relevance-budget-v1",
+    "budget": 4000,
+    "totalCandidateTokens": 6200,
+    "estimatedTokenSavings": 2200,
+    "ranking": [
+      {
+        "id": "runtime-evidence",
+        "included": true,
+        "score": 292,
+        "matchedSignals": ["evidence", "high-risk-evidence"],
+        "reason": "Evidence is needed for completion and verification claims."
+      }
+    ]
+  }
+}
+```
+
 Evaluate progressive governance mode:
 
 ```bash
@@ -109,5 +143,13 @@ This is not a replacement for verification. It only decides which governance beh
 
 ## Governance ROI
 
-`scale governance roi` reports both benefit and overhead. Early ROI is estimated from context budget and risk signals. Later versions should replace estimates with measured eval data such as file reads saved, tool calls saved, fix iterations reduced, and human corrections avoided.
+`scale governance roi` reports both benefit and overhead. In v0.27.0, `scale ai-os plan` also attaches ROI modules for:
+
+- `context-budget`
+- `context-compiler`
+- `memory-provider-runtime`
+- `skill-routing-engine`
+- `progressive-governance`
+
+Early ROI is still estimated from context budget, compiler savings, recall count, skill evidence steps, and risk signals. Later versions should replace estimates with measured eval data such as file reads saved, tool calls saved, fix iterations reduced, and human corrections avoided.
 

package/docs/DEPENDENCY_AUDIT.md

@@ -28,6 +28,28 @@ scale dependency audit --changed-packages left-pad,@scope/tool --json
 
 The command exits non-zero when the active mode has blocking findings.
 
+## Verification Command Safety
+
+SCALE verification commands are security-sensitive because they are often run in CI.
+The core verification paths (`verify-task`, phase verification, workflow eval attempts, and gate commands) execute configured commands without shell expansion by default.
+
+Allowed by default:
+
+```bash
+npm run build
+npm test -- --runInBand
+node scripts/check.js --changed
+```
+
+Blocked by default:
+
+```bash
+npm test && curl https://example.com
+node scripts/check.js | tee out.txt
+```
+
+Shell metacharacters such as `&&`, `|`, `;`, `<`, `>`, backticks, and unquoted `$` are rejected before execution. Use package scripts or checked-in helper scripts for composed commands. `SCALE_ALLOW_SHELL_COMMANDS=1` re-enables shell execution only for trusted local runs and must not be enabled for untrusted PR or user-controlled CI inputs.
+
 ## G7 Integration
 
 `SecurityGate` now emits two first-class evidence sources:
@@ -82,8 +104,15 @@ The first implementation detects:
 - install lifecycle scripts
 - executable bin scripts
 - deprecated packages from lockfile metadata
+- built-in ownership/provenance watchlist matches
 - dynamic code execution: `eval`, `new Function`
 - shell execution patterns
 - suspicious network access patterns
 
+The built-in ownership/provenance watchlist currently blocks exact versions that were flagged by external package behavior analysis:
+
+- `content-type@2.0.0`
+- `type-is@2.1.0`
+- `type-js@2.1.0` (kept as a defensive alias for reports that use this package name)
+
 Future network-backed checks can add npm registry metadata and `npm audit --json` ingestion, but they should stay optional and evidence-backed.

package/docs/MEMORY_FABRIC.md

@@ -122,6 +122,7 @@ Commands:
 scale memory provider init
 scale memory provider status --json
 scale memory provider recall "OAuth callback Redis state" --json
+scale ai-os plan --task "Fix OAuth callback Redis state" --files src/auth/oauth.ts --json
 ```
 
 Provider rules:
@@ -130,5 +131,6 @@ Provider rules:
 - External providers are read-only by default. Writes require an explicit provider policy change.
 - `scale-local` remains the fallback provider through Memory Brain and only promotes reviewed, evidence-backed memory.
 - `memory pack` automatically includes a `provider-memory` section when provider recall returns relevant active memories.
+- `ai-os plan` includes both the provider recall summary and the Memory Fabric context pack, so agents can route memory before planning without pretending external memory is always available.
 
 This keeps agents flexible: they can ask the router for memory before planning, verification, review, or release, while SCALE still records which provider was used and why fallback was required.

package/docs/README.md

@@ -36,6 +36,7 @@
 | [CODE_INTELLIGENCE.md](CODE_INTELLIGENCE.md) | CodeGraph、Graphify 和显式 fallback 的代码智能与探索 ROI |
 | [WORKFLOW_EVAL.md](WORKFLOW_EVAL.md) | Workflow Eval、pass@k 指标、Failure Replay 和改进候选 |
 | [SKILL_RADAR.md](SKILL_RADAR.md) | Skill Radar、能力置信度、证据要求和供应链安全检查 |
+| [AI_ENGINEERING_OS_POSITIONING.md](AI_ENGINEERING_OS_POSITIONING.md) | Agent Governance Runtime / AI Engineering OS 方向，以及 `scale ai-os plan` 一体化 runtime plan |
 | [THIRD_PARTY_SKILLS.md](THIRD_PARTY_SKILLS.md) | 第三方 skill 致谢、授权边界、引用方式和 vendoring 策略 |
 | [EXTERNAL_REFERENCES.md](EXTERNAL_REFERENCES.md) | 外部项目、skills、MCP、CLI 和适配器引用的完整清单 |
 | [UPGRADE_MANAGEMENT.md](UPGRADE_MANAGEMENT.md) | SCALE CLI、governance pack、skills、MCP 和 CLI 工具的安全升级流程 |

package/docs/SKILL_RADAR.md

@@ -19,6 +19,7 @@ scale skill radar --task "Automate WPS desktop workflow with CUA" --json
 scale skill radar --task "Review release PR" --phase review --level L --output docs/worklog/tasks/release/skill-radar.md
 scale skill doctor --supply-chain
 scale skill doctor --supply-chain --json
+scale ai-os plan --task "Design upload UI and run browser E2E checks" --files src/pages/upload.tsx --json
 ```
 
 ## Safety Levels
@@ -73,6 +74,18 @@ Each recommendation carries required evidence. Examples:
 
 If evidence is missing, the final delivery should list the capability as unverified rather than claiming it was used successfully.
 
+## Skill Execution Plan
+
+In v0.27.0, `createSkillPlan` and `scale ai-os plan` return an `executionPlan`:
+
+- `strategy`: currently `intent-evidence-graph-v1`
+- `steps`: ordered skill, artifact, and verification actions
+- `reason`: why the step was selected from task intents
+- `evidenceRequired`: what proof must be recorded
+- `fallback`: what to do when the skill, MCP, CLI, or verification path is unavailable
+
+This turns skill routing from a recommendation list into an auditable execution graph. Required steps still need concrete evidence or an explicit skipped/fallback record; recommended steps may be skipped with a reason.
+
 ## Supply-Chain Doctor
 
 `scale skill doctor --supply-chain` reviews known skill sources and install commands for:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hongmaple0820/scale-engine",
-  "version": "0.26.0",
+  "version": "0.27.0",
   "description": "Executable AI agent governance with workflow gates, evidence, skill/tool orchestration, and traceable HTML artifacts",
   "repository": {
     "type": "git",
@@ -25,6 +25,7 @@
   "files": [
     "dist",
     "docs/README.md",
+    "docs/AI_ENGINEERING_OS_POSITIONING.md",
     "docs/CODE_INTELLIGENCE.md",
     "docs/CONTEXT_BUDGET.md",
     "docs/BACKGROUND_HUNTER.md",
@@ -61,17 +62,23 @@
     "serve": "node dist/api/http.js"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@modelcontextprotocol/sdk": "1.29.0",
     "better-sqlite3": "^11.10.0",
     "chokidar": "^3.6.0",
     "citty": "^0.1.6",
+    "content-type": "1.0.5",
     "execa": "^9.3.0",
     "hono": "^4.5.0",
     "js-yaml": "^4.1.0",
     "pino": "^9.3.0",
     "pino-pretty": "^11.2.0",
+    "type-is": "2.0.1",
     "zod": "^3.23.0"
   },
+  "overrides": {
+    "content-type": "1.0.5",
+    "type-is": "2.0.1"
+  },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.0",
     "@types/js-yaml": "^4.0.9",