@jterrats/open-orchestra 1.0.14 → 1.0.16

package/docs/diagrams/deterministic-pipeline/README.md

@@ -0,0 +1,102 @@
+# Deterministic Diagram Pipeline
+
+Task: GH-462-DETERMINISTIC-DIAGRAM-PIPELINE
+Status: first implementation slice
+
+## Scope
+
+This slice introduces a local TypeScript pipeline for source-free semantic
+diagrams:
+
+1. `DiagramModel` captures semantic intent: nodes, groups, connectors, labels,
+   and Iconify icon references.
+2. `layoutDiagram()` produces deterministic geometry from model order and group
+   membership.
+3. `renderDiagramSvg()` emits a minimal SVG artifact from the model and layout.
+4. `validateDiagramArtifact()` checks text fit, canvas/container containment,
+   connector endpoints, connector-node overlaps, connector labels covering
+   other lines, and unnecessary bends where the path is already straight.
+5. `generateDeterministicDiagram()` ties model, layout, rendering, and
+   validation together for a single pass. It first validates the runtime
+   payload against the structured diagram schema and fails with field-level
+   errors before any layout or SVG rendering occurs.
+6. `runDeterministicDiagramPipeline()` adds bounded iteration. It renders the
+   first pass, applies deterministic text-fit repair when possible, regenerates
+   the artifact, and retains only the final artifact unless
+   `retainIterations=true` is requested for debug evidence.
+
+The current slice is intentionally API-level. CLI routing is still pending so
+this does not widen `command-routes*` or `tool-commands` ownership in the same
+change. Consumers can call `runDeterministicDiagramPipeline()` directly to get a
+stable final SVG plus optional retained iteration artifacts.
+
+## Structured Output Contracts
+
+Agents that generate deterministic artifacts must return structured JSON-like
+payloads, not prose instructions for renderers to interpret.
+
+Diagram payloads must satisfy `DiagramModel`:
+
+- `id`, `title`, and `direction` are required.
+- `direction` must be `right` or `down`.
+- `nodes` must be a non-empty array. Each node needs `id`, `kind`, and
+  `text.label`; `kind` must be one of `actor`, `system`, `service`, `database`,
+  `queue`, or `boundary`.
+- `connectors` must be an array. Each connector needs `id`, `from`, `to`, and
+  `kind`; `from` and `to` must reference known node ids; `kind` must be one of
+  `sync`, `async`, `data`, or `control`.
+- Optional `groups` define labeled containers. Unused groups are allowed so
+  generated drafts can keep future grouping intent, but duplicate group ids are
+  rejected.
+
+Report payloads use `ReportDocument` through `renderReportMarkdown()`:
+
+- `id`, `title`, `summary`, and a non-empty `sections` array are required.
+- Section `kind` must be one of `summary`, `findings`, `decisions`, `risks`,
+  `evidence`, or `nextSteps`.
+- Section items require `id` and `text`; optional severity must be one of
+  `info`, `low`, `medium`, `high`, or `critical`.
+
+Validation errors include JSON-path-like locations, for example
+`$.connectors[0].to: references unknown node "api-gateway"`. Agent prompts
+should pass those messages back to the generating role unchanged so the payload
+can be corrected without guessing which field failed.
+
+## Icon Policy
+
+Diagram nodes reference icons by semantic purpose and Iconify id. Rendering
+resolves the SVG body from an injected cache. Tests use the in-memory cache, so
+the pipeline does not require network access to prove deterministic rendering.
+
+Future slices can add a controlled cache warmer for Iconify sets. That command
+should pin source metadata, record cache evidence, and fail closed when icons are
+missing instead of fetching during tests.
+
+## Target Guidance
+
+- Use Mermaid for markdown-native semantic diagrams and fast syntax validation.
+- Use this deterministic SVG pipeline when a generated diagram needs stable
+  geometry, validation findings, and repeatable rendering without relying on LLM
+  absolute coordinates.
+- Use draw.io XML or Lucid when the acceptance target is editable,
+  pixel-sensitive recreation, manual stakeholder editing, or exact connector
+  anchors beyond this pipeline's current router.
+- Use LLM prompt generation for semantic drafting, copy, and model suggestions;
+  do not treat prompt-selected coordinates as the source of truth.
+
+## Artifact Retention
+
+Default generation keeps the final SVG artifact and reports how many internal
+iterations were discarded. Debug generation can request `retainIterations=true`
+to keep each intermediate artifact and its findings. This keeps normal
+deliverables clean while allowing QA or architecture review to inspect how the
+pipeline corrected text fit and regenerated the diagram.
+
+## Known Gaps
+
+- Connector routing is simple orthogonal routing, not a full obstacle-avoidance
+  solver.
+- Text measurement is deterministic approximation based on character and line
+  counts, not browser font metrics.
+- Iteration artifact retention is available through API, but not exposed through
+  CLI yet.

package/docs/e2e-test-batteries.md

@@ -36,11 +36,11 @@ entry points a user or CI runner actually executes.
 
 | Battery                        | Scope                                                                 | Command                                                               | Minimum Assertions                                                                                                                                                     | Evidence                                                     |
 | ------------------------------ | --------------------------------------------------------------------- | --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
-| Multi-squad runtime            | Parallel squad delegation with queue and threshold policy             | `node --test e2e/runtime-multi-squad.test.js`                         | independent sessions, non-blocking parent, queued sessions do not fall back to parent, completion order reconciles                                                     | JSON output, lifecycle events                                |
+| Multi-squad runtime            | Parallel squad delegation with queue and threshold policy             | `npm run test:e2e:runtime`                                            | independent sessions, non-blocking parent, queued sessions do not fall back to parent, completion order reconciles                                                     | JSON output, lifecycle events                                |
 | Acceptance evidence            | CLI, API, browser, and deferred integration evidence                  | `node --test e2e/acceptance-evidence.test.js`                         | evidence maps to named acceptance criteria, deferred external validation requires owner and rationale                                                                  | evidence artifacts                                           |
 | Recovery and repair            | Interrupted runs, stale locks, failed provider phases                 | `node --test e2e/recovery-cli.test.js` plus browser recovery coverage | recovery detects issue, repair requires confirmation, repaired state is observable                                                                                     | JSON output, before/after state                              |
 | Docs/site content source       | Site content generated from docs and manifest                         | `npm run site:build && npm run test:e2e -- --grep docs`               | docs render as human-friendly catalog, no markdown-only dead ends, search works                                                                                        | Playwright report                                            |
-| Security-sensitive operations  | File paths, shell execution, web writes, secrets, telemetry redaction | `node --test e2e/security-boundaries.test.js`                         | path traversal blocked, unsafe writes rejected, secret-like data redacted, no raw stack traces                                                                         | command/API evidence                                         |
+| Security-sensitive operations  | File paths, shell execution, web writes, secrets, telemetry redaction | `npm run test:e2e:security`                                           | path traversal blocked, unsafe writes rejected, secret-like data redacted, no raw stack traces                                                                         | command/API evidence                                         |
 | Ollama provider-backed runtime | Local OpenAI-compatible Ollama provider route in a `/tmp` workspace   | `npm run test:e2e:runtime:ollama`                                     | `model connect --provider ollama`, provider-backed developer phase, OpenAI-compatible request shape, provider provenance, no runtime subagent credentials in artifacts | stdout/stderr, JSON output, mock provider request, event log |
 
 ## P2 Extended Confidence Batteries
@@ -49,7 +49,7 @@ entry points a user or CI runner actually executes.
 | -------------------------- | ----------------------------------------------------- | ------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | ---------------------------- |
 | Tracker and GitHub sync    | Issue import/export and close readiness               | opt-in CI job with network credentials                        | labels, comments, close gate, release readiness, no secret exposure                       | sanitized logs               |
 | Sonar quality loop         | Local or remote Sonar import and release gate mapping | configured Sonar workflow or local compose job                | insights imported, release readiness reflects quality gate, unavailable token is explicit | artifact import report       |
-| Provider-backed delegation | OpenAI, Gemini, Ollama, Claude/Cursor runtime bridges | opt-in provider E2E                                           | budget checks, rate-limit/backpressure, lifecycle events, no direct API when disallowed   | redacted provider provenance |
+| Provider-backed delegation | OpenAI, Anthropic, Gemini, Ollama, fake/local provider-backed routes plus runtime-native separation | opt-in provider E2E plus focused wrapper/unit coverage | registry routing, explicit direct API policy, forbidden fallback, budget and scheduler blocks, redacted evidence, no silent runtime-native fallback | redacted provider provenance |
 | Package release dry run    | npm package contents and release check                | `npm pack --dry-run --json && orchestra release check --json` | generated/private state excluded, version/tag policy valid, release readiness complete    | package list, release report |
 
 ## Required `/tmp` Fixture Patterns

package/docs/evidence-compaction.md

@@ -0,0 +1,25 @@
+# Evidence Compaction
+
+Use evidence compaction when a task has enough evidence artifacts to make
+workflow context noisy.
+
+```sh
+orchestra evidence compact --task GH-471 --threshold 20
+```
+
+The command writes Markdown and JSON summaries under
+`.agent-workflow/evidence-summaries/`. Raw evidence files are not modified or
+deleted; summary artifacts keep links to every raw evidence artifact.
+
+Compaction groups evidence by task, role, type, and result. It preserves failed
+evidence, unresolved or residual risk lines, and acceptance criteria references
+found through exact criterion text or `AC-<number>` mentions.
+
+Task context rendering uses an in-memory evidence summary when the evidence
+count reaches the configured threshold. Override the default threshold with:
+
+```sh
+orchestra context --task GH-471 --evidence-summary-threshold 10
+```
+
+For process-wide defaults, set `ORCHESTRA_EVIDENCE_SUMMARY_THRESHOLD`.

package/docs/reports/context-pack-benchmark-gh-452.json

@@ -0,0 +1,119 @@
+{
+  "generatedAt": "2026-05-22T17:09:28.420Z",
+  "workspaceRoot": "/var/folders/bv/08sjh7yj717c8shc52b5_lh00000gn/T/orchestra-context-pack-bench-YyJ38r",
+  "fixture": {
+    "requestedFiles": 120,
+    "indexedFiles": 120,
+    "excludedFiles": 2,
+    "totalIndexedBytes": 132854
+  },
+  "query": "payment command security evidence",
+  "role": "developer",
+  "phase": "developer",
+  "budget": {
+    "targetChars": 6000,
+    "hardCapChars": 8000,
+    "usedChars": 2866,
+    "maxFiles": 12,
+    "maxSnippets": 24,
+    "perSnippetChars": 600,
+    "truncated": false
+  },
+  "reduction": {
+    "sourceBytes": 132854,
+    "packedChars": 2866,
+    "ratio": 0.0216,
+    "targetSatisfied": true,
+    "hardCapSatisfied": true
+  },
+  "selectedFiles": [
+    {
+      "path": "src/payments/payment-001.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-007.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-013.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-019.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-025.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-031.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-037.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-043.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-049.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-055.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-061.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    },
+    {
+      "path": "src/payments/payment-067.ts",
+      "score": 163,
+      "inclusionReason": "path matched query; basename matched query; symbol matched query; developer phase boost",
+      "snippetCount": 1
+    }
+  ],
+  "redactions": 12,
+  "omittedCount": 108,
+  "staleIndex": {
+    "detected": true,
+    "statusReason": "context index file changed: src/payments/payment-001.ts",
+    "packFailure": "context pack requires a fresh context index: context index file changed: src/payments/payment-001.ts"
+  },
+  "runtimeSpawnPackMetadata": {
+    "taskId": "GH-452",
+    "phase": "developer",
+    "role": "developer",
+    "jsonArtifact": ".agent-workflow/context-packs/gh-452-payment-command-security-evidence-1779469768399.json",
+    "markdownArtifact": ".agent-workflow/context-packs/gh-452-payment-command-security-evidence-1779469768399.md",
+    "contextPackArtifactPresent": true
+  },
+  "passed": true
+}

package/docs/reports/context-pack-benchmark-gh-452.md

@@ -0,0 +1,32 @@
+# Context Pack Benchmark Report
+
+- Task: GH-452
+- Result: passed
+- Indexed files: 120
+- Excluded files: 2
+- Source bytes: 132854
+- Packed chars: 2866
+- Reduction ratio: 0.0216
+- Redactions: 12
+- Stale index detected: true
+
+## Selected Files
+
+- src/payments/payment-001.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-007.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-013.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-019.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-025.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-031.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-037.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-043.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-049.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-055.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-061.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+- src/payments/payment-067.ts score=163 snippets=1: path matched query; basename matched query; symbol matched query; developer phase boost
+
+## Runtime Spawn Pack Metadata
+
+- JSON: .agent-workflow/context-packs/gh-452-payment-command-security-evidence-1779469768399.json
+- Markdown: .agent-workflow/context-packs/gh-452-payment-command-security-evidence-1779469768399.md
+- Context pack artifact present: true

package/docs/reports/gh-428-test-coverage-context-review-20260522.md

@@ -0,0 +1,75 @@
+# GH-428 Test Coverage And Context Review
+
+Date: 2026-05-22
+Task: GH-428-TEST-COVERAGE-CONTEXT-REVIEW
+Scope: CLI, web console/site, runtime workflow gates, and context-token performance.
+
+## Summary
+
+Architect and QA review found no release-blocking source test gap for the current implemented behavior. The current suite has broad unit/integration coverage, browser E2E coverage for the web console and site, runtime E2E coverage for init/target guidance and queue behavior, and context-pack coverage for bounded runtime delegation.
+
+The main remaining gaps are backlog improvements: full multi-squad E2E, workflow lifecycle CLI E2E as a standalone installed-user battery, security-boundary E2E, and stronger context budget telemetry over real-world repositories.
+
+## Evidence Reviewed
+
+- `npm run precommit`: passed. Remaining warnings are historical `workflow-runs.jsonl` references to archived/unknown tasks.
+- `npm run release:matrix`: passed and lists required release flows.
+- `npm run performance:bench`: passed with 250 tasks. `graph-plan` 118 ms, `health` 120 ms, web `/api/graph/plan` 119 ms.
+- `node --test test/context-index.test.js test/context-search.test.js test/context-pack.test.js test/runtime-scheduler.test.js test/runtime-adapters.test.js`: 80 passing.
+- GH-419 CI passed after push. GH-419 and prior GH-424 Sonar workflows failed at the quality-gate step after importing Orchestra evidence.
+
+## Coverage Matrix
+
+| Area | Current evidence | Gaps | Priority | Recommendation |
+| --- | --- | --- | --- | --- |
+| Source quality gate | `npm run precommit` covers lint, typecheck, secret scan, security audit, build, unit tests, workflow validation | Historical workflow-run warnings add noise | Medium | Create cleanup task for stale workflow-run references, not a release blocker |
+| CLI onboarding | `e2e/init-onboarding.test.js` covers `/tmp` workspaces, first-use flow, target guidance refresh, acceptance mapping | Installed-package journey is listed in matrix but should be mandatory in release checklist | Medium | Promote installed-package init to release-blocking before publish |
+| Runtime target guidance | `e2e/runtime-instruction-flow.test.js` and runtime adapter tests cover Codex, Claude, Cursor, VS Code/GitHub Copilot, Windsurf guidance contracts | Real Claude CLI validation remains user-environment dependent | Medium | Keep GH-439 for real Claude validation; add optional local smoke recipe |
+| Runtime delegation/queue | `e2e/runtime-manual-queue.test.js`, runtime scheduler tests, parent-action tests | Multi-squad E2E listed in docs but no standalone `e2e/runtime-multi-squad.test.js` file | High | Create E2E for async multi-squad, queue promotion, independent completion, and no parent blocking |
+| Workflow lifecycle CLI | Unit/integration workflow tests cover gates, resume, failback, no-go, handoffs | Release matrix references `e2e/workflow-lifecycle-cli.test.js`, but the file does not exist | High | Add standalone E2E for installed-user lifecycle: run, gate, request changes, failback, resume, release readiness |
+| Web console | `e2e/web-console.spec.js` covers task creation, dashboard, providers, recovery, evidence, lifecycle, accessibility, artifact canvas | Full visual regression and screenshot review are not release-blocking by default | Medium | Add snapshot/screenshots for high-risk UI states when frontend changes |
+| Public site | `e2e/project-site.spec.js` covers docs/site navigation and public docs behavior | Docs search/content freshness should be tied to generated docs manifest in CI | Medium | Add docs content freshness check before site build |
+| Acceptance evidence | `test/qa-coverage.test.js`, `test/cli-output-evidence.test.js`, automation evidence tests | E2E file listed as `e2e/acceptance-evidence.test.js` does not exist | Medium | Add cross-surface acceptance evidence E2E for CLI/API/browser/deferred validation |
+| Security boundaries | Unit tests cover web action security, secret scan, path handling | Release matrix lists `e2e/security-boundaries.test.js`, but the file does not exist | High | Add E2E for path traversal, unsafe writes, secret redaction, no raw stack traces |
+| Context-token performance | Context index/search/pack tests and `performance:bench` pass. Context packs are bounded and fail closed on stale indexes | No large-repo telemetry baseline checked into reports | Medium | Add benchmark fixture/report for large repo context pack size, redaction count, selected files, and token budget |
+| Sonar quality loop | Local/import contracts exist and release matrix includes Sonar | GH-419 and GH-424 Sonar workflows failed at the quality-gate step after importing Orchestra evidence | High | Treat Sonar workflow failure as operational quality-gate follow-up before release candidate promotion |
+
+## Architect Review
+
+The test architecture is layered correctly:
+
+- Unit and service tests cover domain contracts, workflow gates, runtime scheduler, context pack services, and evidence rules.
+- E2E tests run against isolated `/tmp` workspaces and validate stdout/stderr, generated files, events, and browser-visible state.
+- Runtime context work now has a bounded context index/search/pack path, reducing full-transcript and full-file context pressure.
+
+Architecture gaps are mostly orchestration-level:
+
+- The release matrix names some E2E batteries that are not implemented as standalone files yet.
+- Runtime/provider validation is intentionally mixed: deterministic source tests prove contracts, while real provider/Claude validation remains environment dependent.
+- Sonar is part of the quality loop, but failing CI Sonar should be made visible as a release readiness blocker or accepted operational risk.
+
+## QA Review
+
+QA coverage is sufficient for the current GH-419/GH-424/GH-451 implemented behavior based on precommit and focused suites.
+
+QA gaps to convert into backlog:
+
+- Multi-squad runtime E2E must prove multiple queued/active squads, parent remains conversational, completions reconcile independently, and queued work promotes after capacity frees.
+- Workflow lifecycle CLI E2E must prove phase handoffs, blocked transitions, return to owner, resume after correction, and release artifact content in a disposable workspace.
+- Security boundary E2E must prove path traversal, unsafe writes, stack trace leakage, and secret-like payload redaction across CLI/API surfaces.
+- Context performance evidence should include large-repo budgets, selected-file rationale, redaction counts, stale-index behavior, and token budget deltas.
+
+## Follow-Up Candidates
+
+1. High: Add standalone multi-squad runtime E2E battery: GH-455.
+2. High: Add standalone workflow lifecycle CLI E2E battery: GH-453.
+3. High: Add security-boundary E2E battery: GH-454.
+4. High: Make Sonar workflow failure visible in release readiness.
+5. Medium: Promote installed-package CLI init to release-blocking publish evidence.
+6. Medium: Add large-repo context-pack benchmark report: GH-452.
+7. Medium: Add docs/site content freshness check against generated docs manifest.
+8. Medium: Add cross-surface acceptance evidence E2E.
+
+## Release Assessment
+
+No source implementation was performed for GH-428. Current implemented behavior is not blocked by this review. The high-priority follow-ups should be scheduled as hardening work before the next broad release candidate, especially multi-squad E2E, workflow lifecycle CLI E2E, security-boundary E2E, and Sonar release visibility.

package/docs/rule-loading-strategy.md

@@ -0,0 +1,37 @@
+# Rule Loading Strategy
+
+Open Orchestra treats detailed delivery rules as neutral source material that can
+be rendered or referenced by each runtime. Cursor `.mdc` files are supported
+runtime outputs, but they are not the universal source of truth.
+
+## Source Model
+
+- Root files such as `AGENTS.md`, `CLAUDE.md`, and `ORCHESTRA.md` stay compact.
+- `src/rule-catalog.ts` owns rule metadata: id, title, canonical path, roles,
+  capabilities, triggers, and risk areas.
+- Detailed rule content lives under `rules/` using the format that best fits the
+  rule. Cursor-specific `.mdc` files remain valid rendered or legacy targets.
+- Runtime context manifests and quality contracts resolve rules by id instead of
+  hardcoding Cursor paths.
+
+## Runtime Behavior
+
+For a task or phase, Orchestra selects rules from:
+
+- active role and required roles;
+- capabilities needed by the work;
+- task title, goal, scope, paths, risks, and acceptance criteria;
+- phase-specific evidence and handoff requirements.
+
+The selected rules are injected as context references or excerpts for the active
+runtime. A runtime may render the same rule source differently: Codex receives
+compact markdown references, Claude can load markdown files, Cursor can receive
+`.mdc`, and VS Code-style integrations can consume structured JSON.
+
+## Semantic Code Rule
+
+Implementation roles should load `semantic-code` when writing or reviewing code,
+automation, scripts, tests, or architecture-sensitive refactors. The rule
+requires code to be readable by intent through domain naming, narrow types,
+focused helpers, and clear boundaries. Comments should explain why, trade-offs,
+or non-obvious constraints, not restate the code.