@kognai/orchestrator-core 0.2.0 → 0.2.2

package/dist/lib/acp.js

@@ -66,11 +66,25 @@ const REGISTRY = [
         max_model_tier: 'power',
     },
     {
+        // TICKET-346 Finding 8: the supervisor reviews code on the cloud tier (T2.5/
+        // haiku) but lacked llm_call_cloud, so every review tripped the ClawRouter
+        // spend-gate shadow-downgrade ("agent supervisor lacks llm_call_cloud — T2.5
+        // WOULD be downgraded"), slowing/degrading review quality. Supervisors are
+        // sovereign — their review tier must not be role-gated. Grant cloud routing.
         agent_id: 'supervisor', display_name: 'Supervisor', tier: 'T3',
-        capabilities: ['read_files', 'search_code', 'git_read', 'llm_call_local', 'db_query'],
+        capabilities: ['read_files', 'search_code', 'git_read', 'llm_call_local', 'llm_call_cloud', 'db_query'],
         denied: ['write_files', 'shell_exec', 'deploy', 'git_push'],
         scope: 'Sprint review, quality validation. Read-only analysis.',
-        max_model_tier: 'power',
+        max_model_tier: 'cloud',
+    },
+    {
+        // Second independent reviewer (haiku). Registered so it is GOVERNED by the
+        // spend-gate rather than silently passing through as an unknown agent_id.
+        agent_id: 'supervisor-2', display_name: 'Supervisor (2nd opinion)', tier: 'T3',
+        capabilities: ['read_files', 'search_code', 'git_read', 'llm_call_local', 'llm_call_cloud', 'db_query'],
+        denied: ['write_files', 'shell_exec', 'deploy', 'git_push'],
+        scope: 'Independent second-opinion review (haiku). Read-only analysis.',
+        max_model_tier: 'cloud',
     },
     {
         agent_id: 'devops', display_name: 'DevOps', tier: 'T4',

package/dist/lib/anthropic-direct.js

@@ -55,7 +55,7 @@ async function callAnthropic(opts) {
         throw new Error('ANTHROPIC_API_KEY not set');
     const body = JSON.stringify({
         model: opts.model,
-        max_tokens: opts.max_tokens ?? 800,
+        max_tokens: opts.max_tokens ?? 4096,
         temperature: opts.temperature ?? 0.4,
         system: opts.system,
         messages: [{ role: 'user', content: opts.user }],

package/dist/lib/cto-approval-gate.js

@@ -149,6 +149,33 @@ async function requestCTOApproval(proposal, projectRoot, product = 'kognai') {
             timestamp,
         };
     }
+    // TICKET-346: CEO-approved autonomous proposals are sanctioned work — the CEO
+    // approval IS the plan authorization (exactly as 'queue-prescribed' means "the
+    // queue IS the plan"). The dispatcher (dispatch-approved-proposals.ts) only
+    // authors these from reports/cto/approved-proposals.json AFTER CEO approval,
+    // so the plan-alignment LLM must not reject them for NOT_IN_PLAN. Without this
+    // the autonomous loop fought its own governance: dispatcher authored → CTO gate
+    // rejected → $0 output (the 2026-06-12 diagnostic). Capability + Police checks
+    // belong here but the established sanctioned-source pattern (human, queue-
+    // prescribed) bypasses them too; the CEO approval is the upstream safety gate.
+    if (proposal.source === 'cto-autonomous') {
+        logCTODecision({
+            approved: true,
+            sprint_id: proposal.sprint_id,
+            reason: 'CEO-approved autonomous proposal — approval is the plan authorization (TICKET-346).',
+            plan_reference: 'CEO_APPROVED_AUTONOMOUS',
+            cto_confidence: 100,
+            timestamp,
+        }, projectRoot, product);
+        return {
+            approved: true,
+            sprint_id: proposal.sprint_id,
+            reason: 'CEO-approved autonomous proposal — approval is the plan authorization (TICKET-346).',
+            plan_reference: 'CEO_APPROVED_AUTONOMOUS',
+            cto_confidence: 100,
+            timestamp,
+        };
+    }
     // Sprint 650: ACP pre-check — reject if agents lack required capabilities
     if (proposal.agent_capabilities && proposal.agent_capabilities.length > 0) {
         const violations = [];

package/dist/lib/cto-gate-types.d.ts

@@ -11,7 +11,7 @@ export interface SprintProposal {
     description: string;
     tasks: string[];
     estimated_complexity: string;
-    source: 'autonomous_loop' | 'human' | 'cto_backlog' | 'queue-prescribed' | 'auto-queue-empty' | 'queue-empty-autonomous';
+    source: 'autonomous_loop' | 'human' | 'cto_backlog' | 'queue-prescribed' | 'auto-queue-empty' | 'queue-empty-autonomous' | 'cto-autonomous';
     /** Sprint TICKET-005-RULE2: research | implementation phase gate */
     phase?: 'research' | 'implementation';
     /** ID of the research sprint that must be done before this implementation sprint can run */

package/dist/lib/engine-agents.d.ts

@@ -1,4 +1,4 @@
-import { type CitizenOwner } from './citizenship';
+import { type CitizenOwner, type CitizenRecord } from './citizenship';
 import type { AgentTask, ReviewResult, CTOProposal, CTOReport } from './orchestrate-engine';
 export declare class SupervisorAgent {
     private systemPrompt;
@@ -69,6 +69,13 @@ export interface SpawnGateResult {
      *  Voxight swarm's a Voxight citizen, etc. The running company is carried by
      *  the template-injected gate's requester_did, not hardcoded in the engine. */
     owner?: CitizenOwner;
+    /** TICKET-334b: the citizen the gate already minted through the template's
+     *  canonical issuer (Kognai → SAF.spawnCitizen — governance + owner-lineage +
+     *  ACP-at-birth). When present the engine adopts it verbatim and SKIPS its own
+     *  bare mintCitizen, so the engine path no longer loses the ACP seeding. When
+     *  absent (gate-less templates, or a gate that only governs) the engine falls
+     *  back to minting itself with the resolved owner. */
+    citizen?: CitizenRecord;
 }
 export type SpawnGate = (spec: AgentSpawnSpec) => SpawnGateResult;
 export declare class AgentCreator {

package/dist/lib/engine-agents.js

@@ -736,6 +736,7 @@ class AgentCreator {
         // anything on disk. Approval/rejection only; the citizenship logic below is
         // unchanged (its extraction is tracked separately as TICKET-226).
         let spawnOwner;
+        let gateCitizen;
         if (this.spawnGate) {
             const decision = this.spawnGate(spec);
             if (!decision.approved) {
@@ -753,6 +754,10 @@ class AgentCreator {
             // The gate (SAF) resolves the lineage from its requester_did — this is the
             // running company's context, plumbed in rather than hardcoded here.
             spawnOwner = decision.owner;
+            // TICKET-334b: when the gate minted through the canonical issuer
+            // (SAF.spawnCitizen — owner-lineage + ACP-at-birth), adopt that citizen
+            // and skip the bare mint below (which would skip ACP seeding).
+            gateCitizen = decision.citizen;
         }
         const agentDir = `./agents/${spec.name}`;
         (0, fs_1.mkdirSync)(agentDir, { recursive: true });
@@ -760,9 +765,11 @@ class AgentCreator {
         // citizen — not a bare agent. Mint citizenship (citizen_id + roll
         // number + Kōpus avatar + ACP baseline) BEFORE writing the agent
         // files so the citizen record can be referenced in the prompt.
-        // Owner-scoped when the gate supplied a lineage (e.g. invoica/voxight);
-        // legacy kognai-internal path otherwise (back-compat for gate-less templates).
-        const citizen = (0, citizenship_1.mintCitizen)(spec.name, {
+        // Prefer the citizen the gate already minted through the canonical issuer
+        // (carries ACP-at-birth); else mint here owner-scoped when the gate supplied
+        // a lineage (e.g. invoica/voxight), or via the legacy kognai-internal path
+        // for gate-less templates.
+        const citizen = gateCitizen ?? (0, citizenship_1.mintCitizen)(spec.name, {
             founding_agent: 'ceo',
             proposing_agent: 'cto',
             citizen_type: 'spawned',

package/dist/lib/engine-coding-agent.js

@@ -743,7 +743,8 @@ ${originalContent}
                 task_type: 'json_repair', tier_class: 'text', complexity: 'nano',
                 context_tokens: Math.ceil(repairPrompt.length / 4), constitutional_flag: false,
                 agent_id: 'json-repair',
-                payload: { prompt: repairPrompt, max_tokens: 2048 },
+                // TICKET-346 Finding 6: repair returns the WHOLE file; cap must hold it.
+                payload: { prompt: repairPrompt, max_tokens: parseInt(process.env.KOGNAI_DEBUG_REPAIR_MAX_TOKENS ?? process.env.KOGNAI_MAX_OUTPUT_TOKENS ?? '8192', 10) },
             });
             const fixed = result.content.trim();
             try {

package/dist/lib/engine-primitives.js

@@ -671,6 +671,13 @@ async function typecheckChangedFiles(filePaths) {
     }
     return { pass: true, errorCount: 0, firstError: `${projects.size} project(s) typechecked clean` };
 }
+// TICKET-346 Finding 6 (TICKET-336): the repair OUTPUT cap must be decoupled
+// from issue severity. tieredDebug returns the WHOLE fixed file, so a "minor"
+// fix to a 400-line file still needs room to emit all 400 lines. The old caps
+// (4096/2048/1024) truncated full-file repairs → [TRUNCATION] rejection → repair
+// exhausted (this killed scorer.ts in sprint-1665). Severity still selects the
+// MODEL tier (exec vs power); only the output ceiling is now uniform & generous.
+const DEBUG_REPAIR_MAX_TOKENS = parseInt(process.env.KOGNAI_DEBUG_REPAIR_MAX_TOKENS ?? process.env.KOGNAI_MAX_OUTPUT_TOKENS ?? '8192', 10);
 // B.11: Tiered debugger — routes debug effort by issue severity via ClawRouter v2.0
 async function tieredDebug(task, review, _systemPrompt) {
     const issueText = (review.issues || []).map(i => `[${i.severity}] ${i.file}: ${i.description}`).join('\n');
@@ -683,7 +690,7 @@ async function tieredDebug(task, review, _systemPrompt) {
                 task_type: 'debug_architectural', tier_class: 'text', complexity: 'exec',
                 context_tokens: Math.ceil((issueText.length + 800) / 4), constitutional_flag: false,
                 agent_id: 'tiered-debugger',
-                payload: { prompt: `Fix this code. Issues:\n${issueText}\n\nTask: ${task.context.substring(0, 800)}`, max_tokens: 4096 },
+                payload: { prompt: `Fix this code. Issues:\n${issueText}\n\nTask: ${task.context.substring(0, 800)}`, max_tokens: DEBUG_REPAIR_MAX_TOKENS },
             });
             return result.content || null;
         }
@@ -693,7 +700,7 @@ async function tieredDebug(task, review, _systemPrompt) {
                 task_type: 'debug_systemic', tier_class: 'text', complexity: 'power',
                 context_tokens: Math.ceil((issueText.length + 600) / 4), constitutional_flag: false,
                 agent_id: 'tiered-debugger',
-                payload: { prompt: `Fix these code issues:\n${issueText}\n\nTask: ${task.context.substring(0, 600)}`, max_tokens: 2048 },
+                payload: { prompt: `Fix these code issues:\n${issueText}\n\nTask: ${task.context.substring(0, 600)}`, max_tokens: DEBUG_REPAIR_MAX_TOKENS },
             });
             return result.content;
         }
@@ -703,7 +710,7 @@ async function tieredDebug(task, review, _systemPrompt) {
                 task_type: 'debug_minor', tier_class: 'text', complexity: 'power',
                 context_tokens: Math.ceil((issueText.length + 500) / 4), constitutional_flag: false,
                 agent_id: 'tiered-debugger',
-                payload: { prompt: `Fix these minor code issues:\n${issueText}\n\nTask: ${task.context.substring(0, 500)}`, max_tokens: 1024 },
+                payload: { prompt: `Fix these minor code issues:\n${issueText}\n\nTask: ${task.context.substring(0, 500)}`, max_tokens: DEBUG_REPAIR_MAX_TOKENS },
             });
             return result.content;
         }

package/dist/lib/sovereign-agent-factory.d.ts

@@ -119,12 +119,19 @@ export declare function deriveOwner(requester_did: string): CitizenOwner;
  *
  * Returns the governance decision plus the minted citizen (when approved). The
  * caller still writes citizen.yaml via renderCitizenYaml(citizen). The initial
- * ACP (`decision.initial_acp_score`) should be persisted to the score registry
- * by the caller/wiring step (see TICKET-335).
+ * ACP is seeded here at birth (writeInitialAcp) so the citizen has a routing
+ * profile from the moment it exists — this is the property the engine seam lost
+ * when it minted via bare mintCitizen (TICKET-334b).
+ *
+ * `founding_agent` / `proposing_agent` let a caller preserve its own attribution
+ * (e.g. the engine's CEO-founds / CTO-proposes lineage). When omitted, the
+ * proposing agent defaults to the requester DID.
  */
 export declare function spawnCitizen(req: SpawnRequest, opts?: {
     agent_name?: string;
     now?: Date;
+    founding_agent?: string;
+    proposing_agent?: string;
 }): {
     decision: SpawnDecision;
     citizen?: CitizenRecord;

package/dist/lib/sovereign-agent-factory.js

@@ -328,8 +328,13 @@ function deriveOwner(requester_did) {
  *
  * Returns the governance decision plus the minted citizen (when approved). The
  * caller still writes citizen.yaml via renderCitizenYaml(citizen). The initial
- * ACP (`decision.initial_acp_score`) should be persisted to the score registry
- * by the caller/wiring step (see TICKET-335).
+ * ACP is seeded here at birth (writeInitialAcp) so the citizen has a routing
+ * profile from the moment it exists — this is the property the engine seam lost
+ * when it minted via bare mintCitizen (TICKET-334b).
+ *
+ * `founding_agent` / `proposing_agent` let a caller preserve its own attribution
+ * (e.g. the engine's CEO-founds / CTO-proposes lineage). When omitted, the
+ * proposing agent defaults to the requester DID.
  */
 function spawnCitizen(req, opts = {}) {
     const decision = sovereignSpawn(req);
@@ -339,7 +344,8 @@ function spawnCitizen(req, opts = {}) {
     const citizen = (0, citizenship_1.mintCitizen)(opts.agent_name ?? req.requested_role, {
         owner,
         citizen_type: 'spawned',
-        proposing_agent: req.requester_did,
+        founding_agent: opts.founding_agent,
+        proposing_agent: opts.proposing_agent ?? req.requester_did,
         now: opts.now,
     });
     decision.citizen_did = citizen.agent_did;

package/dist/lib/sprint-runner-engine.d.ts

@@ -21,7 +21,7 @@
  */
 export interface SprintRunnerOpts {
     orchestratorScript: string;
-    postSprintHook?: () => void;
+    postSprintHook?: () => void | Promise<void>;
 }
 declare function runSprintCycle(opts: SprintRunnerOpts): Promise<void>;
 export { runSprintCycle };

package/dist/lib/sprint-runner-engine.js

@@ -1033,7 +1033,7 @@ async function runSprintCycle(opts) {
     // TICKET-201: post-sprint hook (e.g. dispatch-approved-proposals).
     // Supplied by the product entry so core stays product-agnostic.
     try {
-        opts.postSprintHook?.();
+        await opts.postSprintHook?.();
     }
     catch (e) {
         log(`WARN: post-sprint hook failed (non-fatal): ${(e?.message || String(e)).substring(0, 200)}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kognai/orchestrator-core",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "Kognai sovereign orchestrator — core engine (template-agnostic). Shared by all products (Kognai/coding, Voxight/market-intel, Invoica/fin-compliance); each supplies only its template. Replaces per-repo forks of orchestrate-agents-v2 / sprint-runner / lib.",
   "license": "MIT",
   "author": "SkinGem",