@jterrats/open-orchestra 0.5.7 → 1.0.2

package/dist/workflow-services.js

@@ -1,9 +1,10 @@
 import { randomUUID } from "node:crypto";
 import path from "node:path";
+import { uniqueStrings } from "./collection-utils.js";
 import { FILES } from "./constants.js";
 import { removeUndefined } from "./command-utils.js";
-import { ensureDir, readJson, resolveWorkflowPath, updateJsonFile, writeJson, } from "./fs-utils.js";
-import { assertProviderAllowed, assertVendorFallbackAllowed, createModelProvider, defaultApiKeyFileEnv, defaultBaseUrlEnv, FakeModelProvider, InMemoryModelProviderRegistry, providerEnvFromCredentialConfig, summarizeConfiguredProviders, } from "./model-providers.js";
+import { ensureDir, exists, readJson, resolveWorkflowPath, updateJsonFile, writeJson, } from "./fs-utils.js";
+import { assertProviderAllowed, assertVendorFallbackAllowed, createModelProvider, defaultApiKeyEnv, defaultApiKeyFileEnv, defaultBaseUrlEnv, FakeModelProvider, InMemoryModelProviderRegistry, providerEnvFromCredentialConfig, summarizeConfiguredProviders, } from "./model-providers.js";
 import { appendEvent, loadWorkspace, readEvents, writeArtifact, } from "./workspace.js";
 import { validateReadiness } from "./validation.js";
 import { getWorkflowGate } from "./workflow-gates.js";
@@ -13,6 +14,7 @@ import { getTelemetryConsent } from "./telemetry.js";
 import { latestDelegationDecision } from "./delegation-decision.js";
 import { listAutonomousRuns } from "./autonomous-workflow.js";
 import { readEstimate } from "./benchmark.js";
+import { qaPlanReadinessBlocker } from "./qa-readiness.js";
 import { handoffFlowRequirements, recommendCollaborationFlow, } from "./collaboration-flows.js";
 import { queryMemory, recordMemoryEvent } from "./memory.js";
 import { applyContextBudget, DEFAULT_CONTEXT_TOKEN_BUDGET, } from "./context-budget.js";
@@ -20,137 +22,12 @@ import { selectWorkflowTemplates } from "./workflow-templates.js";
 import { findStoredApprovalForProposal } from "./workflow-approval-service.js";
 import { listWorkflowEventsByType } from "./workflow-event-query.js";
 import { aggregateUsage, aggregateUsageBy, budgetEstimateWarningsForBudgets, budgetViolations, emptyUsageBreakdown, projectUsageCost, } from "./workflow-budget-utils.js";
+import { listTasks as listWorkflowTasks, updateTask as updateWorkflowTask, } from "./workflow-task-service.js";
 import { SIZING_LABELS } from "./types.js";
+export { addTask, archiveTask, deleteTask, getWorkflowStatus, listTasks, updateTask, } from "./workflow-task-service.js";
 export { addEvidence, addPlaywrightEvidence, listEvidence, listReviews, recordReview, } from "./workflow-evidence-service.js";
 export { generatePlaywrightTestPlan, generatePullRequestSummary, getWorkflowSummary, } from "./workflow-summary-service.js";
-export { approveApproval, approveWorkflowGate, listApprovals, rejectApproval, showApproval, } from "./workflow-approval-service.js";
-export async function getWorkflowStatus(root = process.cwd()) {
-    const workspace = await loadWorkspace(root);
-    const config = await readJson(resolveWorkflowPath(root, FILES.config), {});
-    const counts = Object.create(null);
-    const blocked = [];
-    for (const task of workspace.tasks) {
-        counts[task.status] = (counts[task.status] ?? 0) + 1;
-        if (task.status === "blocked") {
-            blocked.push({
-                id: task.id,
-                title: task.title,
-                reason: task.blockedReason ?? "not specified",
-            });
-        }
-    }
-    return {
-        ...(config.mode ? { mode: config.mode } : {}),
-        tasks: {
-            total: workspace.tasks.length,
-            byStatus: counts,
-            blocked,
-        },
-        locks: {
-            total: workspace.locks.length,
-        },
-    };
-}
-export async function addTask(input, root = process.cwd()) {
-    const workspace = await loadWorkspace(root);
-    if (!workspace.roleIds.has(input.ownerRole)) {
-        throw new Error(`unknown owner role: ${input.ownerRole}`);
-    }
-    const now = new Date().toISOString();
-    const task = removeUndefined({
-        ...input,
-        status: "pending",
-        createdAt: now,
-        updatedAt: now,
-    });
-    await mutateTasks(workspace.base, (tasks) => {
-        if (tasks.some((candidate) => candidate.id === input.id)) {
-            throw new Error(`task already exists: ${input.id}`);
-        }
-        return [...tasks, task];
-    });
-    await appendEvent(root, {
-        type: "TASK_ASSIGNED",
-        taskId: input.id,
-        actor: "parent",
-        summary: `Task assigned to ${input.ownerRole}`,
-        metadata: { title: input.title, ownerRole: input.ownerRole },
-    });
-    return task;
-}
-export async function listTasks(root = process.cwd()) {
-    const workspace = await loadWorkspace(root);
-    return workspace.tasks;
-}
-export async function deleteTask(taskId, options = {}, root = process.cwd()) {
-    const workspace = await loadWorkspace(root);
-    let deleted;
-    await mutateTasks(workspace.base, (tasks) => {
-        const taskIndex = tasks.findIndex((task) => task.id === taskId);
-        if (taskIndex < 0) {
-            throw new Error(`unknown task: ${taskId}`);
-        }
-        const current = tasks[taskIndex];
-        if (!current) {
-            throw new Error(`unknown task: ${taskId}`);
-        }
-        assertTaskCanBeRemoved(current, tasks, options.force ?? false);
-        deleted = current;
-        return tasks.filter((task) => task.id !== taskId);
-    });
-    if (!deleted) {
-        throw new Error(`unknown task: ${taskId}`);
-    }
-    await appendEvent(root, {
-        type: "TASK_DELETED",
-        taskId,
-        actor: "parent",
-        summary: `Task deleted: ${taskId}`,
-        metadata: {
-            title: deleted.title,
-            status: deleted.status,
-            forced: Boolean(options.force),
-        },
-    });
-    return deleted;
-}
-export async function archiveTask(taskId, options = {}, root = process.cwd()) {
-    const workspace = await loadWorkspace(root);
-    let archived;
-    await mutateTasks(workspace.base, (tasks) => {
-        const taskIndex = tasks.findIndex((task) => task.id === taskId);
-        if (taskIndex < 0) {
-            throw new Error(`unknown task: ${taskId}`);
-        }
-        const current = tasks[taskIndex];
-        if (!current) {
-            throw new Error(`unknown task: ${taskId}`);
-        }
-        assertTaskCanBeRemoved(current, tasks, options.force ?? false);
-        archived = {
-            ...current,
-            status: "archived",
-            updatedAt: new Date().toISOString(),
-        };
-        const nextTasks = [...tasks];
-        nextTasks[taskIndex] = archived;
-        return nextTasks;
-    });
-    if (!archived) {
-        throw new Error(`unknown task: ${taskId}`);
-    }
-    await appendEvent(root, {
-        type: "TASK_ARCHIVED",
-        taskId,
-        actor: "parent",
-        summary: `Task archived: ${taskId}`,
-        metadata: {
-            title: archived.title,
-            forced: Boolean(options.force),
-        },
-    });
-    return archived;
-}
+export { approveApproval, approveWorkflowGate, listApprovals, recordWorkflowGateDecision, rejectApproval, showApproval, } from "./workflow-approval-service.js";
 export async function listRoles(root = process.cwd()) {
     const workspace = await loadWorkspace(root);
     return workspace.roles;
@@ -198,74 +75,6 @@ export async function validatePreRun(taskId, options = {}, root = process.cwd())
         bypassDecisionArtifact,
     });
 }
-export async function updateTask(input, root = process.cwd()) {
-    const workspace = await loadWorkspace(root);
-    if (input.ownerRole && !workspace.roleIds.has(input.ownerRole)) {
-        throw new Error(`unknown owner role: ${input.ownerRole}`);
-    }
-    let updated;
-    let changedFields = [];
-    await mutateTasks(workspace.base, (tasks) => {
-        const taskIndex = tasks.findIndex((task) => task.id === input.id);
-        if (taskIndex < 0) {
-            throw new Error(`unknown task: ${input.id}`);
-        }
-        const current = tasks[taskIndex];
-        if (!current) {
-            throw new Error(`unknown task: ${input.id}`);
-        }
-        const next = { ...current };
-        const changes = new Set();
-        applyTaskUpdate(next, current, input, changes);
-        changedFields = [...changes].sort();
-        updated = { ...next, updatedAt: new Date().toISOString() };
-        const nextTasks = [...tasks];
-        nextTasks[taskIndex] = updated;
-        return nextTasks;
-    });
-    if (!updated) {
-        throw new Error(`unknown task: ${input.id}`);
-    }
-    await appendEvent(root, {
-        type: "TASK_UPDATED",
-        taskId: input.id,
-        actor: "parent",
-        summary: `Task updated: ${input.id}`,
-        metadata: { status: updated.status, changedFields },
-    });
-    return updated;
-}
-function applyTaskUpdate(next, current, input, changedFields) {
-    setTaskField(next, current, "title", input.title, changedFields);
-    setTaskField(next, current, "ownerRole", input.ownerRole, changedFields);
-    setTaskField(next, current, "goal", input.goal, changedFields);
-    setTaskField(next, current, "scope", input.scope, changedFields);
-    setTaskField(next, current, "paths", input.paths, changedFields);
-    setTaskField(next, current, "testStrategy", input.testStrategy, changedFields);
-    setTaskField(next, current, "status", input.status, changedFields);
-    setTaskField(next, current, "blockedReason", input.blockedReason, changedFields);
-    setTaskField(next, current, "claimedAt", input.claimedAt, changedFields);
-    setTaskField(next, current, "doneAt", input.doneAt, changedFields);
-    appendTaskField(next, "acceptanceCriteria", input.acceptanceCriteria, changedFields);
-    appendTaskField(next, "assumptions", input.assumptions, changedFields);
-    appendTaskField(next, "risks", input.risks, changedFields);
-}
-function setTaskField(next, current, key, value, changedFields) {
-    if (value === undefined) {
-        return;
-    }
-    if (JSON.stringify(current[key]) !== JSON.stringify(value)) {
-        changedFields.add(String(key));
-    }
-    next[key] = value;
-}
-function appendTaskField(next, key, values, changedFields) {
-    if (!values || values.length === 0) {
-        return;
-    }
-    next[key] = [...(next[key] ?? []), ...values];
-    changedFields.add(key);
-}
 export async function checkTaskDependencies(taskId, root = process.cwd()) {
     const workspace = await loadWorkspace(root);
     const task = workspace.tasks.find((candidate) => candidate.id === taskId);
@@ -292,7 +101,7 @@ export async function checkTaskDependencies(taskId, root = process.cwd()) {
     };
 }
 export async function generateTaskGraphPlan(root = process.cwd()) {
-    const tasks = await listTasks(root);
+    const tasks = await listWorkflowTasks(root);
     const locks = await listLocks(root);
     const ready = [];
     const blocked = [];
@@ -314,6 +123,14 @@ export async function generateTaskGraphPlan(root = process.cwd()) {
         }
         const dependencies = await checkTaskDependencies(task.id, root);
         if (dependencies.isSatisfied) {
+            const qaBlocker = qaPlanReadinessBlocker(task);
+            if (qaBlocker) {
+                blocked.push({
+                    ...item,
+                    incomplete: [qaBlocker],
+                });
+                continue;
+            }
             const taskLocks = locksForTask(task, locks);
             if (taskLocks.length > 0) {
                 locked.push({
@@ -560,7 +377,7 @@ export async function createHandoff(input, root = process.cwd()) {
         metadata: { to: input.to, updateOwner: Boolean(input.updateOwner) },
     });
     if (input.updateOwner) {
-        await updateTask({ id: input.task, ownerRole: input.to }, root);
+        await updateWorkflowTask({ id: input.task, ownerRole: input.to }, root);
     }
     return { artifact, content };
 }
@@ -748,6 +565,8 @@ export async function executePlanWithFakeProvider(taskId, root = process.cwd(),
                 inputTokens: response.usage.inputTokens,
                 outputTokens: response.usage.outputTokens,
                 estimatedCostUsd: 0,
+                usageSource: "provider",
+                costSource: "free",
                 finishReason: response.finishReason,
             }, root);
             const artifact = await writeRunArtifact(root, taskId, step.id, [
@@ -1039,6 +858,146 @@ export async function getWorkflowConfig(root = process.cwd()) {
 export async function listConfiguredModelProviders(root = process.cwd()) {
     return summarizeConfiguredProviders(await getWorkflowConfig(root));
 }
+export async function listProviderRuntimeProfiles(root = process.cwd()) {
+    const config = await getWorkflowConfig(root);
+    const activeProfile = config.providers?.activeProfile;
+    return Object.entries(config.providers?.profiles ?? {})
+        .map(([name, profile]) => removeUndefined({
+        name,
+        active: name === activeProfile,
+        description: profile.description,
+        roles: Object.keys(profile.byRole ?? {}).sort(),
+        defaultProvider: profile.defaults?.provider,
+        defaultModel: profile.defaults?.model,
+        requiredEnv: profile.requiredEnv ?? [],
+    }))
+        .sort((a, b) => a.name.localeCompare(b.name));
+}
+export async function saveProviderRuntimeProfile(input, root = process.cwd()) {
+    const workspace = await loadWorkspace(root);
+    validateProfileName(input.name);
+    for (const role of input.roles) {
+        if (!workspace.roleIds.has(role)) {
+            throw new Error(`unknown role: ${role}`);
+        }
+    }
+    if (input.roles.length === 0) {
+        throw new Error("at least one role is required");
+    }
+    validateProfileRouting(input.routing);
+    const configPath = resolveWorkflowPath(root, FILES.config);
+    const config = await readJson(configPath, {});
+    const profile = removeUndefined({
+        description: input.description,
+        byRole: Object.fromEntries(input.roles.map((role) => [role, input.routing])),
+        requiredEnv: input.requiredEnv,
+    });
+    config.providers = {
+        defaults: config.providers?.defaults,
+        byRole: config.providers?.byRole ?? {},
+        profiles: {
+            ...(config.providers?.profiles ?? {}),
+            [input.name]: profile,
+        },
+        ...(input.activate ? { activeProfile: input.name } : {}),
+    };
+    await writeJson(configPath, config);
+    if (input.apply || input.activate) {
+        await applyProviderRuntimeProfile(input.name, root);
+    }
+    await appendEvent(root, {
+        type: "MODEL_PROFILE_SAVED",
+        actor: "parent",
+        summary: `Provider runtime profile saved: ${input.name}`,
+        metadata: {
+            profile: input.name,
+            roles: input.roles,
+            provider: input.routing.provider,
+            model: input.routing.model,
+        },
+    });
+    const summaries = await listProviderRuntimeProfiles(root);
+    return summaries.find((summary) => summary.name === input.name);
+}
+export async function applyProviderRuntimeProfile(name, root = process.cwd()) {
+    validateProfileName(name);
+    const workspace = await loadWorkspace(root);
+    const configPath = resolveWorkflowPath(root, FILES.config);
+    const config = await readJson(configPath, {});
+    const profile = config.providers?.profiles?.[name];
+    if (!profile) {
+        throw new Error(`unknown provider runtime profile: ${name}`);
+    }
+    for (const role of Object.keys(profile.byRole ?? {})) {
+        if (!workspace.roleIds.has(role)) {
+            throw new Error(`profile ${name} references unknown role: ${role}`);
+        }
+    }
+    for (const routing of Object.values(profile.byRole ?? {})) {
+        validateProfileRouting(routing);
+    }
+    if (profile.defaults) {
+        validateProfileRouting(profile.defaults);
+    }
+    config.providers = {
+        defaults: profile.defaults ?? config.providers.defaults,
+        byRole: {
+            ...(config.providers.byRole ?? {}),
+            ...(profile.byRole ?? {}),
+        },
+        profiles: config.providers.profiles ?? {},
+        activeProfile: name,
+    };
+    if (profile.budgets) {
+        config.budgets = profile.budgets;
+    }
+    if (profile.providerPolicy) {
+        config.providerPolicy = {
+            ...(config.providerPolicy ?? {}),
+            ...profile.providerPolicy,
+        };
+    }
+    await writeJson(configPath, config);
+    await appendEvent(root, {
+        type: "MODEL_PROFILE_APPLIED",
+        actor: "parent",
+        summary: `Provider runtime profile applied: ${name}`,
+        metadata: { profile: name, roles: Object.keys(profile.byRole ?? {}) },
+    });
+    const summaries = await listProviderRuntimeProfiles(root);
+    return summaries.find((summary) => summary.name === name);
+}
+export async function smokeProviderRuntimeProfile(name, root = process.cwd(), env = process.env) {
+    validateProfileName(name);
+    const config = await getWorkflowConfig(root);
+    const profile = config.providers?.profiles?.[name];
+    if (!profile) {
+        throw new Error(`unknown provider runtime profile: ${name}`);
+    }
+    const checks = [];
+    for (const envName of profile.requiredEnv ?? []) {
+        checks.push({
+            scope: `env:${envName}`,
+            provider: "environment",
+            model: "not-applicable",
+            status: env[envName]?.trim() ? "pass" : "fail",
+            detail: env[envName]?.trim()
+                ? "environment variable is configured"
+                : `missing required environment variable ${envName}`,
+        });
+    }
+    const routes = Object.entries(profile.byRole ?? {}).map(([role, routing]) => [`role:${role}`, routing]);
+    if (profile.defaults)
+        routes.unshift(["defaults", profile.defaults]);
+    for (const [scope, routing] of routes) {
+        checks.push(...(await smokeRouting(scope, routing, config, root, env)));
+    }
+    return {
+        profile: name,
+        passed: checks.every((check) => check.status === "pass"),
+        checks,
+    };
+}
 export async function completeWithProviderFallback(routing, prompt, { failingProviders = [], root = process.cwd(), taskId, role = "parent", jsonMode = false, providerMode = "fake", } = {}) {
     const registry = new InMemoryModelProviderRegistry();
     const config = await getWorkflowConfig(root);
@@ -1061,39 +1020,46 @@ export async function completeWithProviderFallback(routing, prompt, { failingPro
         if (providerMode === "real" && index > 0) {
             assertVendorFallbackAllowed(providerId, config.providerPolicy);
         }
-        try {
-            const provider = registry.get(providerId);
-            const response = await provider.complete({
-                model: routing.model,
-                jsonMode,
-                timeoutMs: routing.timeoutMs,
-                messages: [{ role: "user", content: prompt }],
-            });
-            if (index > 0) {
-                await appendEvent(root, removeUndefined({
-                    type: "MODEL_FALLBACK_USED",
-                    actor: role,
-                    taskId,
-                    summary: `Fallback provider used: ${providerId}`,
-                    metadata: { provider: providerId, failedProviders },
-                }));
+        let attempts = 0;
+        const maxAttempts = Math.max(1, 1 + routing.retries);
+        while (attempts < maxAttempts) {
+            attempts += 1;
+            try {
+                const provider = registry.get(providerId);
+                const response = await provider.complete({
+                    model: routing.model,
+                    jsonMode,
+                    timeoutMs: routing.timeoutMs,
+                    messages: [{ role: "user", content: prompt }],
+                });
+                if (index > 0) {
+                    await appendEvent(root, removeUndefined({
+                        type: "MODEL_FALLBACK_USED",
+                        actor: role,
+                        taskId,
+                        summary: `Fallback provider used: ${providerId}`,
+                        metadata: { provider: providerId, failedProviders },
+                    }));
+                }
+                return {
+                    provider: providerId,
+                    model: routing.model,
+                    response,
+                    fallbackUsed: index > 0,
+                    failedProviders,
+                };
             }
-            return {
-                provider: providerId,
-                model: routing.model,
-                response,
-                fallbackUsed: index > 0,
-                failedProviders,
-            };
-        }
-        catch (error) {
-            if (isProviderTimeoutError(error)) {
-                throw error;
+            catch (error) {
+                const failure = providerFailureFromError(providerId, error, attempts);
+                if (failure.code === "timeout") {
+                    throw error;
+                }
+                if (failure.retryable && attempts < maxAttempts) {
+                    continue;
+                }
+                failedProviders.push(failure);
+                break;
             }
-            failedProviders.push({
-                provider: providerId,
-                reason: sanitizeProviderError(error),
-            });
         }
     }
     throw new ProviderFallbackError(failedProviders);
@@ -1112,10 +1078,31 @@ export function providerFailuresFromError(error) {
 function providerFailureSummary(failures) {
     const providers = failures.map((failure) => failure.provider).join(", ");
     const details = failures
-        .map((failure) => `${failure.provider}: ${failure.reason}`)
+        .map((failure) => `${failure.provider}: ${failure.reason} (${failure.code}, attempts=${failure.attempts})`)
         .join("; ");
     return `all providers failed: ${providers}${details ? ` (${details})` : ""}`;
 }
+function providerFailureFromError(providerId, error, attempts) {
+    const code = providerFailureCode(error);
+    return {
+        provider: providerId,
+        code,
+        reason: sanitizeProviderError(error),
+        retryable: code === "provider_error",
+        attempts,
+    };
+}
+function providerFailureCode(error) {
+    const message = errorMessage(error).toLowerCase();
+    if (isProviderTimeoutError(error))
+        return "timeout";
+    if (/permission|denied|forbidden|unauthorized/.test(message)) {
+        return "permission_denied";
+    }
+    if (/policy|not allowed|blocked/.test(message))
+        return "policy_blocked";
+    return "provider_error";
+}
 function sanitizeProviderError(error) {
     const messages = [];
     if (error instanceof Error) {
@@ -1141,6 +1128,9 @@ function sanitizeProviderError(error) {
     }
     return redactProviderError(messages.filter(Boolean).join(": "));
 }
+function errorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}
 function isErrorCauseRecord(value) {
     return typeof value === "object" && value !== null;
 }
@@ -1171,6 +1161,10 @@ export async function setRoleModelProvider(role, routing, root = process.cwd())
             ...(config.providers.byRole ?? {}),
             [role]: routing,
         },
+        profiles: config.providers.profiles ?? {},
+        ...(config.providers.activeProfile
+            ? { activeProfile: config.providers.activeProfile }
+            : {}),
     };
     await writeJson(configPath, config);
     await appendEvent(root, {
@@ -1207,6 +1201,10 @@ export async function connectModelProvider(input, root = process.cwd()) {
     config.providers = {
         defaults: config.providers?.defaults ?? routing,
         byRole,
+        profiles: config.providers?.profiles ?? {},
+        ...(config.providers?.activeProfile
+            ? { activeProfile: config.providers.activeProfile }
+            : {}),
     };
     const credential = removeUndefined({
         apiKeyFile: input.apiKeyFile,
@@ -1227,7 +1225,7 @@ export async function connectModelProvider(input, root = process.cwd()) {
     if (input.allowDirectProviderApi) {
         config.providerPolicy = {
             ...(config.providerPolicy ?? {}),
-            allowedProviders: unique([
+            allowedProviders: uniqueStrings([
                 ...(config.providerPolicy?.allowedProviders ?? []),
                 input.provider,
             ]),
@@ -1239,6 +1237,9 @@ export async function connectModelProvider(input, root = process.cwd()) {
             delegation: {
                 mode: config.runtimePolicy?.delegation?.mode ?? "runtime-native",
                 allowDirectProviderApi: true,
+                ...(config.runtimePolicy?.delegation?.guardrails
+                    ? { guardrails: config.runtimePolicy.delegation.guardrails }
+                    : {}),
             },
         };
     }
@@ -1263,8 +1264,85 @@ export async function connectModelProvider(input, root = process.cwd()) {
         allowDirectProviderApi: input.allowDirectProviderApi,
     });
 }
-function unique(values) {
-    return [...new Set(values)];
+function validateProfileName(name) {
+    if (!/^[a-z0-9][a-z0-9._-]{1,62}$/i.test(name)) {
+        throw new Error("profile name must be 2-63 characters and contain only letters, numbers, dots, underscores, or dashes");
+    }
+}
+function validateProfileRouting(routing) {
+    if (!routing.provider?.trim()) {
+        throw new Error("profile routing requires provider");
+    }
+    if (!routing.model?.trim()) {
+        throw new Error("profile routing requires model");
+    }
+    if (new Set([routing.provider, ...(routing.fallbacks ?? [])]).size !==
+        [routing.provider, ...(routing.fallbacks ?? [])].length) {
+        throw new Error("profile routing fallback chain contains duplicates");
+    }
+}
+async function smokeRouting(scope, routing, config, root, env) {
+    const checks = [];
+    const providerIds = [routing.provider, ...(routing.fallbacks ?? [])];
+    for (const [index, providerId] of providerIds.entries()) {
+        const providerScope = index === 0 ? scope : `${scope}:fallback:${index}`;
+        const policyError = providerPolicySmokeError(providerId, config, index);
+        if (policyError) {
+            checks.push({
+                scope: providerScope,
+                provider: providerId,
+                model: routing.model,
+                status: "fail",
+                detail: policyError,
+            });
+            continue;
+        }
+        const credentialError = await providerCredentialSmokeError(providerId, config.providerCredentials?.byProvider?.[providerId], root, env);
+        checks.push({
+            scope: providerScope,
+            provider: providerId,
+            model: routing.model,
+            status: credentialError ? "fail" : "pass",
+            detail: credentialError ?? "provider configuration is present",
+        });
+    }
+    return checks;
+}
+function providerPolicySmokeError(providerId, config, fallbackIndex) {
+    try {
+        assertProviderAllowed(providerId, config.providerPolicy);
+        if (fallbackIndex > 0) {
+            assertVendorFallbackAllowed(providerId, config.providerPolicy);
+        }
+        return undefined;
+    }
+    catch (error) {
+        return error instanceof Error ? error.message : String(error);
+    }
+}
+async function providerCredentialSmokeError(providerId, credential, root, env) {
+    if (providerId === "none" ||
+        providerId === "fake" ||
+        providerId === "ollama") {
+        return undefined;
+    }
+    const apiKeyEnv = credential?.apiKeyEnv ?? defaultApiKeyEnv(providerId);
+    const apiKeyFileEnv = credential?.apiKeyFileEnv ?? defaultApiKeyFileEnv(providerId);
+    const effectiveEnv = providerEnvFromCredentialConfig(providerId, credential, env);
+    if (apiKeyEnv && effectiveEnv[apiKeyEnv]?.trim()) {
+        return undefined;
+    }
+    if (apiKeyFileEnv && effectiveEnv[apiKeyFileEnv]?.trim()) {
+        const keyFile = effectiveEnv[apiKeyFileEnv].trim();
+        if (!path.isAbsolute(keyFile)) {
+            return `${apiKeyFileEnv} must reference an absolute path`;
+        }
+        if (!(await exists(keyFile))) {
+            return `${apiKeyFileEnv} references an unreadable secret file`;
+        }
+        return undefined;
+    }
+    return `${apiKeyEnv ?? "provider API key"} or ${apiKeyFileEnv ?? "provider API key file"} is required`;
 }
 export async function recordModelProvenance(input, root = process.cwd()) {
     const workspace = await loadWorkspace(root);
@@ -1440,27 +1518,9 @@ async function writeBudgetEscalationProposal(root, taskId, proposal) {
     ].join("\n");
     return writeArtifact(root, "approvals", `${taskId}-budget-fallback.md`, content);
 }
-async function mutateTasks(base, update) {
-    return updateJsonFile(path.join(base, FILES.tasks), [], update);
-}
 async function mutateLocks(base, update) {
     return updateJsonFile(path.join(base, FILES.locks), [], update);
 }
-function assertTaskCanBeRemoved(task, tasks, isForced) {
-    if (!isForced &&
-        (task.status === "in_progress" || task.status === "blocked")) {
-        throw new Error(`task ${task.id} is ${task.status}; use --force to remove it`);
-    }
-    const dependent = tasks.find((candidate) => candidate.id !== task.id &&
-        !isTerminalTaskStatus(candidate.status) &&
-        candidate.dependencies.includes(task.id));
-    if (dependent) {
-        throw new Error(`task ${task.id} is a dependency of active task ${dependent.id}`);
-    }
-}
-function isTerminalTaskStatus(status) {
-    return ["done", "canceled", "rejected", "archived"].includes(status);
-}
 function flowRequirementLines(requirements) {
     return requirements.length > 0
         ? requirements.map((requirement) => `- ${requirement}`)