@irisrun/agent 0.1.0 → 0.2.0

package/README.md

@@ -0,0 +1,35 @@
+# @irisrun/agent
+
+**The image toolchain that makes an agent a build artifact.** Parse an Agentfile,
+resolve + embed + pin every contract by hash, and emit a content-addressed,
+deterministic image — identical inputs produce an identical `imageDigest` — so a
+session resumes from exactly the definition it was born under. This is the
+library behind the `iris` CLI; host-side, zero external deps.
+
+## What it is
+
+`parseAgentfileYaml` / `parseAgentfileJson` + `validateAgentfile` turn an
+Agentfile into a checked model. `buildImage` resolves and pins each tool/bundle
+contract, embeds content by hash, validates the capability profile, and computes
+`imageDigest = sha256(canonicalize(image-minus-digest))` — the canonical image
+excludes its own self-referential digest, so the digest is reproducible
+(`computeImageDigest`, `canonicalImageOf`). `writeOciLayout` / `readOciLayout`
+serialize the image as a local, files-only OCI layout. `verifyImage` re-checks
+every content hash, re-resolves every contract, and recomputes the digest —
+throwing **loudly** on any drift, never silently. `latestRecord`,
+`governingDigest`, and `migrateDefinition` pin a session to its image digest and
+migrate a live session `from`→`to` at a turn boundary, with **zero** engine change.
+
+## Use it
+
+```sh
+iris build --file ./my-agent/agent.yaml --out ./image
+iris inspect ./image
+iris verify  ./image
+```
+
+See **[docs/Your first agent](../../docs/first-agent.md)** and
+**[docs/Architecture](../../docs/architecture.md)**.
+
+---
+Part of [Iris](../../README.md) — own, portable, verifiable state.

package/dist/agentfile.d.ts

@@ -27,7 +27,10 @@ export interface AgentfileModel {
         workspace?: string;
         network: string;
     };
+    secrets?: string[];
+    environment?: Record<string, string>;
 }
+export declare function isEnvName(s: string): boolean;
 /** Parse Agentfile JSON text into a validated model (throws loudly on bad JSON or shape). */
 export declare function parseAgentfileJson(text: string): AgentfileModel;
 /**
@@ -35,7 +38,7 @@ export declare function parseAgentfileJson(text: string): AgentfileModel;
  * (shape, required fields) and enforces the content-vs-contract split: a tool /
  * connection entry is REJECTED if it carries an inline-behavior field
  * (code/script/source) or a ref whose scheme is not mcp/grpc/subprocess
- * (ADR-0005 — no behavior in the manifest). Throws loudly; never coerces.
+ * (no behavior in the manifest). Throws loudly; never coerces.
  */
 export declare function validateAgentfile(raw: unknown): AgentfileModel;
 /** Content paths embedded by hash: instructions, skills, then sandbox.workspace (if any). */

package/dist/agentfile.js

@@ -1,5 +1,5 @@
 // A contract ref must use one of these schemes; anything else (incl. an inline
-// `code`/`script`/`source` field) is inlined behavior and is rejected (ADR-0005).
+// `code`/`script`/`source` field) is inlined behavior and is rejected.
 const CONTRACT_SCHEMES = ["mcp", "grpc", "subprocess"];
 const INLINE_BEHAVIOR_FIELDS = ["code", "script", "source"];
 // `requires` (the capability profile) is strict-when-present so the runtime
@@ -8,6 +8,14 @@ const INLINE_BEHAVIOR_FIELDS = ["code", "script", "source"];
 // boolean. (Initiative 20260620-agentfile-schema — these were untyped before.)
 const TOOL_LOCALITIES = ["in-process", "local", "remote"];
 const BOOLEAN_CAPS = ["long_running", "local_subprocess", "filesystem", "websockets"];
+// A POSIX-style environment-variable NAME: a letter/underscore then letters/
+// digits/underscores. Used for both `secrets` entries and `environment` keys here
+// AND re-exported (index.ts) so the CLI env resolver enforces the SAME shape —
+// authoring-time and runtime agree on what a valid name is.
+const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+export function isEnvName(s) {
+    return ENV_NAME_RE.test(s);
+}
 /** Parse Agentfile JSON text into a validated model (throws loudly on bad JSON or shape). */
 export function parseAgentfileJson(text) {
     let raw;
@@ -24,7 +32,7 @@ export function parseAgentfileJson(text) {
  * (shape, required fields) and enforces the content-vs-contract split: a tool /
  * connection entry is REJECTED if it carries an inline-behavior field
  * (code/script/source) or a ref whose scheme is not mcp/grpc/subprocess
- * (ADR-0005 — no behavior in the manifest). Throws loudly; never coerces.
+ * (no behavior in the manifest). Throws loudly; never coerces.
  */
 export function validateAgentfile(raw) {
     const o = asObject(raw, "Agentfile");
@@ -71,6 +79,17 @@ export function validateAgentfile(raw) {
             throw new Error("Agentfile: sandbox.workspace must be a string");
         sandboxOut.workspace = sandbox.workspace;
     }
+    // Env/secrets — OPTIONAL; validated strictly, OMITTED when absent (canonicalize
+    // throws on undefined AND omission keeps existing digests byte-identical).
+    const secretsOut = validateSecrets(o.secrets);
+    const environmentOut = validateEnvironment(o.environment);
+    if (secretsOut !== undefined && environmentOut !== undefined) {
+        for (const name of secretsOut) {
+            if (Object.prototype.hasOwnProperty.call(environmentOut, name)) {
+                throw new Error(`Agentfile: "${name}" is declared as both a secret and an environment literal — a name must be one or the other`);
+            }
+        }
+    }
     return {
         apiVersion: "iris/v1",
         kind: "Agent",
@@ -83,8 +102,58 @@ export function validateAgentfile(raw) {
         harness: harnessOut,
         requires: requires,
         sandbox: sandboxOut,
+        ...(secretsOut !== undefined ? { secrets: secretsOut } : {}),
+        ...(environmentOut !== undefined ? { environment: environmentOut } : {}),
     };
 }
+// Validate the OPTIONAL `secrets` (NAMES of required runtime secrets). Returns the
+// validated array, or undefined when absent (omitted from the model → digest-stable).
+// Order is author-significant and digest-affecting — NOT sorted.
+function validateSecrets(v) {
+    if (v === undefined)
+        return undefined;
+    if (!Array.isArray(v)) {
+        throw new Error('Agentfile: "secrets" must be an array of environment-variable names');
+    }
+    const seen = new Set();
+    for (const entry of v) {
+        if (typeof entry !== "string" || !isEnvName(entry)) {
+            throw new Error(`Agentfile: secrets[] entry ${JSON.stringify(entry)} is not a valid env-var name (a letter/underscore then letters/digits/underscores)`);
+        }
+        if (seen.has(entry)) {
+            throw new Error(`Agentfile: duplicate secret name "${entry}"`);
+        }
+        seen.add(entry);
+    }
+    return v;
+}
+// Validate the OPTIONAL `environment` (literal NON-secret config). Scalar values
+// (string/number/boolean) are coerced to strings HERE — env vars are inherently
+// strings, so JSON `"3"`, YAML `3`, and YAML `"3"` all produce the SAME model and
+// therefore the SAME imageDigest. null/object/array values are rejected loudly.
+// Returns the coerced map, or undefined when absent.
+function validateEnvironment(v) {
+    if (v === undefined)
+        return undefined;
+    const o = asObject(v, "environment");
+    const out = {};
+    for (const [key, val] of Object.entries(o)) {
+        if (!isEnvName(key)) {
+            throw new Error(`Agentfile: environment key ${JSON.stringify(key)} is not a valid env-var name (a letter/underscore then letters/digits/underscores)`);
+        }
+        if (typeof val === "string") {
+            out[key] = val;
+        }
+        else if (typeof val === "number" || typeof val === "boolean") {
+            out[key] = String(val);
+        }
+        else {
+            const kind = val === null ? "null" : Array.isArray(val) ? "array" : typeof val;
+            throw new Error(`Agentfile: environment.${key} must be a string (got ${kind})`);
+        }
+    }
+    return out;
+}
 // Strict-when-present validation of the capability profile (`requires`), so the
 // runtime agrees with the published JSON schema. Unknown keys are still ignored
 // (retained in the model) — only the KNOWN fields are type-checked when present.
@@ -119,7 +188,7 @@ function requireStringArray(o, key) {
     }
     return v;
 }
-// Validate a tools/connections array, rejecting inlined behavior (ADR-0005).
+// Validate a tools/connections array, rejecting inlined behavior.
 function requireRefArray(o, key) {
     const v = o[key];
     if (!Array.isArray(v)) {
@@ -129,7 +198,7 @@ function requireRefArray(o, key) {
         const e = asObject(entry, `${key}[${i}]`);
         for (const field of INLINE_BEHAVIOR_FIELDS) {
             if (field in e) {
-                throw new Error(`Agentfile: ${key}[${i}] carries inline behavior ("${field}") — tools are contracts referenced by digest, not inlined code (ADR-0005)`);
+                throw new Error(`Agentfile: ${key}[${i}] carries inline behavior ("${field}") — tools are contracts referenced by digest, not inlined code`);
             }
         }
         const ref = e.ref;

package/dist/bundle.js

@@ -1,9 +1,9 @@
-// Bundle resolution + digest (spec §4.2, ADR-0004) — the M6 strengthening of the
-// M4 tactic pin. A tactic BUNDLE (e.g. `@irisrun/bundle-coding`) is distributed like
+// Bundle resolution + digest — the strengthening of the
+// tactic pin. A tactic BUNDLE (e.g. `@irisrun/bundle-coding`) is distributed like
 // a tool contract: an Agentfile `harness.bundle` ref (e.g. "iris/coding@^1")
-// resolves — via an injected BundleResolver, mirroring the M4 RegistryResolver —
+// resolves — via an injected BundleResolver, mirroring the RegistryResolver —
 // to a concrete BundleDefinition, and the image pins `bundleDigest(def)` (a real
-// content digest over the BEHAVIOR SURFACE) instead of the M4 sha256Hex(id)
+// content digest over the BEHAVIOR SURFACE) instead of the sha256Hex(id)
 // placeholder. The digest is STABLE across a floating `location` (re-resolve by
 // stable ref, not by location — [[lrn-resolve-by-stable-ref-not-floating-location]])
 // yet detects any change to the behavior surface (id/version/seams/...).
@@ -13,7 +13,7 @@ import { canonicalize } from "@irisrun/core";
 // The behavior surface the digest is computed over: the full definition MINUS the
 // floating `location` (and any undefined fields, which canonicalize rejects). Two
 // definitions that differ only in `location` produce the SAME surface → the SAME
-// digest (the ADR-0004 float-impl property); any behavior-surface change differs.
+// digest (the float-impl property); any behavior-surface change differs.
 function behaviorSurface(def) {
     const surface = {};
     for (const [k, v] of Object.entries(def)) {

package/dist/image.d.ts

@@ -34,6 +34,8 @@ export interface ImageInspection {
         digest: string;
     }>;
     capabilities: CapabilityProfile;
+    secrets?: string[];
+    environment?: Record<string, string>;
 }
 /** Human-readable resolved intent of an image (what `iris inspect` prints). */
 export declare function inspectImage(image: AgentImage): ImageInspection;

package/dist/image.js

@@ -1,4 +1,4 @@
-// Image build (spec §3.5): resolve + pin → embed content by hash → compute the
+// Image build: resolve + pin → embed content by hash → compute the
 // content-addressed, deterministic imageDigest = sha256(canonicalize(canonical
 // image)). The canonical image EXCLUDES the self-referential imageDigest field;
 // content values are base64 STRINGS (canonicalize rejects Buffer/Uint8Array) and
@@ -60,7 +60,7 @@ export async function buildImage(model, opts) {
     if (model.harness.bundle !== undefined) {
         const id = model.harness.bundle;
         if (opts.resolveBundle !== undefined) {
-            // M6: resolve the bundle ref to a definition and pin its REAL content digest.
+            // Resolve the bundle ref to a definition and pin its REAL content digest.
             // The id stays the STABLE Agentfile ref (re-resolved by verify, location floats).
             const def = await opts.resolveBundle.resolve(id);
             if (def === null) {
@@ -69,7 +69,7 @@ export async function buildImage(model, opts) {
             tactics.bundle = { id, digest: bundleDigest(def) };
         }
         else {
-            // Back-compat (every M4 path): keep the sha256Hex(id) placeholder unchanged.
+            // Back-compat: keep the sha256Hex(id) placeholder unchanged.
             tactics.bundle = { id, digest: sha256Hex(id) };
         }
     }
@@ -100,9 +100,11 @@ export function inspectImage(image) {
         content: image.lock.content,
         tactics: image.lock.tactics,
         capabilities: image.lock.capabilities,
+        ...(image.agentfile.secrets !== undefined ? { secrets: image.agentfile.secrets } : {}),
+        ...(image.agentfile.environment !== undefined ? { environment: image.agentfile.environment } : {}),
     };
 }
-// --- OCI image layout (local, files-only — spec §3.5) -------------------------
+// --- OCI image layout (local, files-only) -------------------------
 // Real registry push/pull (+ cosign) is the manual smoke; this is the install-free
 // path. Shape: `oci-layout` + `index.json` + `blobs/sha256/<hex>`.
 const IRIS_IMAGE_MEDIA_TYPE = "application/vnd.iris.agent.image+json";

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export declare const PACKAGE = "@irisrun/agent";
-export { parseAgentfileJson, validateAgentfile, contentPaths, contractRefs, refScheme, } from "./agentfile.js";
+export { parseAgentfileJson, validateAgentfile, contentPaths, contractRefs, refScheme, isEnvName, } from "./agentfile.js";
 export type { AgentfileModel, CapabilityProfile, ToolRef, } from "./agentfile.js";
 export { parseAgentfileYaml, parseYamlValue } from "./yaml.js";
 export { AGENTFILE_SCHEMA, agentfileSchemaJson, checkAgainstSchema } from "./schema.js";

package/dist/index.js

@@ -1,6 +1,6 @@
 // @irisrun/agent — public surface (host-side; zero external deps).
 export const PACKAGE = "@irisrun/agent";
-export { parseAgentfileJson, validateAgentfile, contentPaths, contractRefs, refScheme, } from "./agentfile.js";
+export { parseAgentfileJson, validateAgentfile, contentPaths, contractRefs, refScheme, isEnvName, } from "./agentfile.js";
 export { parseAgentfileYaml, parseYamlValue } from "./yaml.js";
 export { AGENTFILE_SCHEMA, agentfileSchemaJson, checkAgainstSchema } from "./schema.js";
 export { makeLocalResolver, refBase } from "./resolver.js";

package/dist/lock.d.ts

@@ -31,7 +31,7 @@ export interface Lock {
  */
 export declare function resolveLockTools(refs: ToolRef[], resolver: RegistryResolver): Promise<LockTool[]>;
 /**
- * Validate the capability profile against the resolved tools (spec §3.3 step 4),
+ * Validate the capability profile against the resolved tools,
  * loudly (no silent inconsistency): a `remote` locality forbids subprocess tools,
  * and any subprocess tool requires `local_subprocess: true`.
  */

package/dist/lock.js

@@ -1,6 +1,6 @@
-// The lockfile (spec §3.4) — pins model + tools/connections (by contractDigest) +
+// The lockfile — pins model + tools/connections (by contractDigest) +
 // tactics + capabilities + the embedded content hashes. `imageDigest` is filled by
-// the image build (§3.5). This module owns the tool-resolution + pinning + the
+// the image build. This module owns the tool-resolution + pinning + the
 // capability validation; Task 4 completes content/model/tactics. Host-side.
 import { contractDigest } from "@irisrun/tools";
 /**
@@ -31,7 +31,7 @@ export async function resolveLockTools(refs, resolver) {
     return out;
 }
 /**
- * Validate the capability profile against the resolved tools (spec §3.3 step 4),
+ * Validate the capability profile against the resolved tools,
  * loudly (no silent inconsistency): a `remote` locality forbids subprocess tools,
  * and any subprocess tool requires `local_subprocess: true`.
  */

package/dist/pin.d.ts

@@ -22,7 +22,7 @@ export interface MigrateOptions {
 }
 /**
  * Migrate a LIVE session's pinned definition `from`→`to` at a turn boundary
- * (ADR-0004 hold-and-migrate). Appends an `upgraded {from,to,atTurn}` marker
+ * (hold-and-migrate). Appends an `upgraded {from,to,atTurn}` marker
  * stamped with `defDigest: to`; subsequent turns run with `defDigest = to`. Refuses
  * LOUDLY when the session has not started, is mid-turn, or its governing digest is
  * not `from`. `atTurn` = the boundary journal sequence (the engine emits no

package/dist/pin.js

@@ -1,4 +1,4 @@
-// Session pinning + definition migration (spec §3.7, ADR-0002/0004) — ZERO engine
+// Session pinning + definition migration — ZERO engine
 // change. A session pins the image digest as its governing `defDigest` (the engine
 // already stamps every record). Pinning/migration ride the EXISTING per-record
 // defDigest + the `upgraded` marker; this module uses only the StateStore port +
@@ -32,7 +32,7 @@ export async function governingDigest(store, sessionId) {
 const TURN_TERMINAL_MARKERS = new Set(["wait", "finish"]);
 /**
  * Migrate a LIVE session's pinned definition `from`→`to` at a turn boundary
- * (ADR-0004 hold-and-migrate). Appends an `upgraded {from,to,atTurn}` marker
+ * (hold-and-migrate). Appends an `upgraded {from,to,atTurn}` marker
  * stamped with `defDigest: to`; subsequent turns run with `defDigest = to`. Refuses
  * LOUDLY when the session has not started, is mid-turn, or its governing digest is
  * not `from`. `atTurn` = the boundary journal sequence (the engine emits no

package/dist/resolver.d.ts

@@ -7,6 +7,6 @@ export declare function refBase(ref: string): string;
 /**
  * A resolver over an in-memory `refBase → ToolContract` map (install-free). Both
  * `mcp://r/x@^2` and `mcp://r/x@^3` resolve via the shared base `mcp://r/x`,
- * modelling "pin the contract, float the implementation" (ADR-0004).
+ * modelling "pin the contract, float the implementation".
  */
 export declare function makeLocalResolver(map: Record<string, ToolContract>): RegistryResolver;

package/dist/resolver.js

@@ -7,7 +7,7 @@ export function refBase(ref) {
 /**
  * A resolver over an in-memory `refBase → ToolContract` map (install-free). Both
  * `mcp://r/x@^2` and `mcp://r/x@^3` resolve via the shared base `mcp://r/x`,
- * modelling "pin the contract, float the implementation" (ADR-0004).
+ * modelling "pin the contract, float the implementation".
  */
 export function makeLocalResolver(map) {
     return {

package/dist/schema.js

@@ -17,7 +17,7 @@ export const AGENTFILE_SCHEMA = {
     $schema: "https://json-schema.org/draft/2020-12/schema",
     $id: "https://iris.run/schema/agentfile/v1.json",
     title: "Iris Agentfile (iris/v1, kind Agent)",
-    description: "An Iris Agentfile: a declarative RECIPE that references content (embedded by hash) and tool/connection contracts (pinned by digest). It carries NO executable behavior (ADR-0005).",
+    description: "An Iris Agentfile: a declarative RECIPE that references content (embedded by hash) and tool/connection contracts (pinned by digest). It carries NO executable behavior.",
     type: "object",
     required: [
         "apiVersion",
@@ -66,6 +66,24 @@ export const AGENTFILE_SCHEMA = {
         harness: { $ref: "#/$defs/harness" },
         requires: { $ref: "#/$defs/capabilityProfile" },
         sandbox: { $ref: "#/$defs/sandbox" },
+        // Env/secrets (initiative 20260620-agentfile-env-secrets). `secrets` = NAMES
+        // of required runtime secrets (VALUES are supplied at run time, never in the
+        // manifest). `environment` = literal NON-secret config defaults.
+        // AGREEMENT-CORPUS FOOTGUN: the zero-dep checker can express only what is
+        // below — secrets is an array of pattern-valid strings, and environment is an
+        // object. It CANNOT express secrets uniqueness, secrets/environment overlap,
+        // environment KEY patterns, or environment VALUE typing. Those are runtime-only
+        // (validateAgentfile) and must NOT be added to the T3 agreement corpus — the
+        // schema accepts them, so a corpus entry would make the two surfaces disagree.
+        secrets: {
+            type: "array",
+            items: { type: "string", minLength: 1, pattern: "^[A-Za-z_][A-Za-z0-9_]*$" },
+            description: "Names of required runtime secrets — values are supplied at run time, never stored in the manifest/image.",
+        },
+        environment: {
+            type: "object",
+            description: "Literal NON-secret config defaults (string values). Object-ness is the shared constraint with the runtime; value coercion/typing is runtime-only.",
+        },
     },
     additionalProperties: true,
     $defs: {
@@ -79,7 +97,7 @@ export const AGENTFILE_SCHEMA = {
                     pattern: "^(mcp|grpc|subprocess)://",
                     description: "Contract ref. Scheme must be mcp, grpc, or subprocess.",
                 },
-                // ADR-0005: a tool/connection is a contract referenced by digest, never
+                // A tool/connection is a contract referenced by digest, never
                 // inlined code. A present code/script/source field validates against the
                 // boolean `false` subschema → rejected.
                 code: false,

package/dist/verify.js

@@ -1,4 +1,4 @@
-// Integrity verification (spec §3.6, ADR-0006 §4) — throws LOUDLY on any failure
+// Integrity verification — throws LOUDLY on any failure
 // (no silent corruption, [[lrn-no-silent-policy-widening]]). Checks, in order:
 // (1) every embedded content hash matches its bytes; (2) every tool contractDigest
 // is still resolvable + unchanged; (3) the recomputed imageDigest equals the
@@ -20,7 +20,7 @@ export async function verifyImage(image, opts) {
         }
     }
     // 2. every tool contract is still resolvable (BY ITS STABLE ref — not location,
-    //    which floats per ADR-0004) and its digest unchanged
+    //    which floats) and its digest unchanged
     for (const tool of image.lock.tools) {
         const contract = await opts.resolver.resolve(tool.ref);
         if (contract === null) {
@@ -37,11 +37,11 @@ export async function verifyImage(image, opts) {
     if (recomputed !== image.lock.imageDigest) {
         throw new Error(`verify: imageDigest mismatch — stored ${image.lock.imageDigest}, recomputed ${recomputed}`);
     }
-    // 4. (M6, NET-NEW) re-resolve the pinned tactic bundle by its STABLE id/ref (NOT
-    //    a floating location, ADR-0004), recompute bundleDigest, and assert it equals
+    // 4. (NET-NEW) re-resolve the pinned tactic bundle by its STABLE id/ref (NOT
+    //    a floating location), recompute bundleDigest, and assert it equals
     //    the pinned digest. This catches a CONTENT-tampered bundle whose pinned lock
     //    digest is left unchanged — invisible to the imageDigest check above. Skipped
-    //    entirely when no resolveBundle is injected (M4 back-compat).
+    //    entirely when no resolveBundle is injected (back-compat).
     if (opts.resolveBundle !== undefined) {
         const pinned = image.lock.tactics.bundle;
         if (pinned !== undefined) {

package/dist/yaml.js

@@ -125,8 +125,16 @@ function looksScalar(item) {
     return !/^[A-Za-z0-9_.-]+:\s/.test(item) && !/^[A-Za-z0-9_.-]+:$/.test(item);
 }
 function parseScalar(s, lineNo) {
+    // The ONLY supported flow collections are the EMPTY literals `[]` and `{}` — so a
+    // no-skills / no-connections agent (very common) is authorable in YAML, which the
+    // block `- ` / `key:` syntax cannot express. NON-empty flow stays rejected (no
+    // general flow support). Initiative 20260620-agentfile-env-secrets.
+    if (s === "[]")
+        return [];
+    if (s === "{}")
+        return {};
     if (s.startsWith("[") || s.startsWith("{")) {
-        throw new Error(`Agentfile YAML: flow collections ([..]/{..}) are unsupported (line ${lineNo})`);
+        throw new Error(`Agentfile YAML: non-empty flow collections ([..]/{..}) are unsupported — only the empty literals [] and {} (line ${lineNo})`);
     }
     if (s.startsWith("&") || s.startsWith("*")) {
         throw new Error(`Agentfile YAML: anchors/aliases (&/*) are unsupported (line ${lineNo})`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@irisrun/agent",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "type": "module",
   "description": "Iris agent image toolchain — Agentfile model + parsers, builder (resolve/embed/pin/validate), content-addressed inspectable image + OCI layout, lockfile, integrity verify, and session pinning + definition migration. Host-side, zero external deps.",
   "exports": {
@@ -11,8 +11,8 @@
     }
   },
   "dependencies": {
-    "@irisrun/core": "^0.1.0",
-    "@irisrun/tools": "^0.1.0"
+    "@irisrun/core": "^0.2.0",
+    "@irisrun/tools": "^0.2.0"
   },
   "license": "MIT",
   "engines": {