npm - @kontourai/flow-agents - Versions diffs - 0.1.1 - Mend

@kontourai/flow-agents 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (418) hide show

package/.githooks/pre-push +11 -0
package/.github/workflows/ci.yml +210 -0
package/.github/workflows/docs-pages.yml +52 -0
package/.github/workflows/publish-npm.yml +104 -0
package/AGENTS.md +26 -0
package/CHANGELOG.md +66 -0
package/CODE_OF_CONDUCT.md +25 -0
package/CONTEXT.md +300 -0
package/CONTRIBUTING.md +44 -0
package/LICENSE +201 -0
package/README.md +129 -0
package/SECURITY.md +33 -0
package/agent-cards/dev.json +19 -0
package/agents/dev.json +127 -0
package/agents/tool-code-reviewer.json +61 -0
package/agents/tool-dependencies-updater.json +118 -0
package/agents/tool-explore-config.json +92 -0
package/agents/tool-explore-deps.json +92 -0
package/agents/tool-explore-entry.json +92 -0
package/agents/tool-explore-patterns.json +92 -0
package/agents/tool-explore-structure.json +92 -0
package/agents/tool-explore-tests.json +92 -0
package/agents/tool-planner.json +57 -0
package/agents/tool-playwright.json +145 -0
package/agents/tool-security-reviewer.json +56 -0
package/agents/tool-verifier.json +61 -0
package/agents/tool-worker.json +58 -0
package/build/src/cli/console-learning-projection.js +123 -0
package/build/src/cli/docs-preview.js +39 -0
package/build/src/cli/effective-backlog-settings.js +102 -0
package/build/src/cli/export-bookmarks.js +38 -0
package/build/src/cli/fixture-retirement-audit.js +140 -0
package/build/src/cli/flow-kit.js +138 -0
package/build/src/cli/import-bookmarks.js +50 -0
package/build/src/cli/init.js +239 -0
package/build/src/cli/instinct-cli.js +93 -0
package/build/src/cli/promote-workflow-artifact.js +63 -0
package/build/src/cli/publish-change-helper.js +154 -0
package/build/src/cli/pull-work-provider.js +469 -0
package/build/src/cli/runtime-adapter.js +23 -0
package/build/src/cli/telemetry-doctor.js +221 -0
package/build/src/cli/usage-feedback.js +443 -0
package/build/src/cli/validate-hook-influence.js +152 -0
package/build/src/cli/validate-source-tree.js +31 -0
package/build/src/cli/validate-workflow-artifacts.js +486 -0
package/build/src/cli/veritas-governance.js +262 -0
package/build/src/cli/workflow-artifact-cleanup-audit.js +272 -0
package/build/src/cli/workflow-sidecar.js +816 -0
package/build/src/cli.js +89 -0
package/build/src/flow-kit/validate.js +75 -0
package/build/src/lib/args.js +45 -0
package/build/src/lib/fs.js +62 -0
package/build/src/lib/workflow-learning-projection.js +334 -0
package/build/src/runtime-adapters.js +146 -0
package/build/src/tools/build-universal-bundles.js +397 -0
package/build/src/tools/common.js +56 -0
package/build/src/tools/filter-installed-packs.js +132 -0
package/build/src/tools/generate-context-map.js +198 -0
package/build/src/tools/validate-package.js +64 -0
package/build/src/tools/validate-source-tree.js +622 -0
package/console.telemetry.json +176 -0
package/context/base-rules.md +17 -0
package/context/code-review-standards.md +62 -0
package/context/coding-standards.md +42 -0
package/context/common/orchestrators.md +12 -0
package/context/common/subagents.md +28 -0
package/context/contracts/artifact-contract.md +182 -0
package/context/contracts/builder-kit-workflow-state-contract.md +319 -0
package/context/contracts/delivery-contract.md +69 -0
package/context/contracts/execution-contract.md +53 -0
package/context/contracts/governance-adapter-contract.md +67 -0
package/context/contracts/planning-contract.md +85 -0
package/context/contracts/review-contract.md +104 -0
package/context/contracts/sandbox-policy.md +52 -0
package/context/contracts/verification-contract.md +134 -0
package/context/contracts/work-item-contract.md +215 -0
package/context/deferred/demo-mode.md +33 -0
package/context/deferred/languages/go.md +31 -0
package/context/deferred/languages/python.md +31 -0
package/context/deferred/languages/typescript.md +34 -0
package/context/deferred/parallelization.md +35 -0
package/context/deferred/worktree-isolation.md +24 -0
package/context/development-workflow.md +50 -0
package/context/scripts/context-budget/budget-scan.sh +166 -0
package/context/scripts/detect-tools.sh +3 -0
package/context/scripts/discover-agents.sh +28 -0
package/context/scripts/git-status.sh +49 -0
package/context/scripts/hooks/config-protection.js +79 -0
package/context/scripts/hooks/desktop-notify.sh +39 -0
package/context/scripts/hooks/governance-audit.sh +135 -0
package/context/scripts/hooks/lib/audit-transport.sh +40 -0
package/context/scripts/hooks/lib/hook-flags.js +49 -0
package/context/scripts/hooks/lib/patterns.sh +57 -0
package/context/scripts/hooks/lib/resolve-formatter.js +80 -0
package/context/scripts/hooks/post-edit-accumulator.js +66 -0
package/context/scripts/hooks/pre-commit-quality.js +194 -0
package/context/scripts/hooks/quality-gate.js +93 -0
package/context/scripts/hooks/report-only-guard.js +21 -0
package/context/scripts/hooks/run-hook.js +136 -0
package/context/scripts/hooks/stop-format-typecheck.js +141 -0
package/context/scripts/hooks/stop-goal-fit.js +337 -0
package/context/scripts/hooks/workflow-steering.js +250 -0
package/context/scripts/telemetry/console-presets.sh +14 -0
package/context/scripts/telemetry/install-console-config.sh +214 -0
package/context/scripts/telemetry/lib/config.sh +85 -0
package/context/scripts/telemetry/lib/enrich.sh +115 -0
package/context/scripts/telemetry/lib/redact.sh +22 -0
package/context/scripts/telemetry/lib/session.sh +63 -0
package/context/scripts/telemetry/lib/transport.sh +183 -0
package/context/scripts/telemetry/lib/usage.sh +29 -0
package/context/scripts/telemetry/sync-agents.sh +173 -0
package/context/scripts/telemetry/telemetry.conf +23 -0
package/context/scripts/telemetry/telemetry.sh +387 -0
package/context/scripts/validate-package.sh +89 -0
package/context/settings/backlog-provider-settings.json +54 -0
package/context/templates/core/identity.md +26 -0
package/context/templates/core/user.md +15 -0
package/docs/_config.yml +15 -0
package/docs/_layouts/default.html +87 -0
package/docs/adr/0001-flow-agents-consumes-flow.md +77 -0
package/docs/adr/0002-flow-kits-as-extension-unit.md +13 -0
package/docs/adr/0003-flow-agents-coordinates-kits-and-adapters.md +13 -0
package/docs/adr/0004-gates-expect-surface-claims.md +15 -0
package/docs/adr/0005-kubernetes-inspired-resource-contracts.md +48 -0
package/docs/adr/0006-typescript-first-source-policy.md +98 -0
package/docs/agent-system-guidebook.md +391 -0
package/docs/agent-usage-feedback-loop.md +351 -0
package/docs/assets/favicon.svg +13 -0
package/docs/assets/og-image.png +0 -0
package/docs/assets/site.css +774 -0
package/docs/assets/site.js +139 -0
package/docs/configurable-workflow-routing.md +174 -0
package/docs/context-map.md +145 -0
package/docs/developer-architecture.md +145 -0
package/docs/developer-hook-setup.md +61 -0
package/docs/fixture-ownership.md +44 -0
package/docs/flow-kit-repository-contract.md +180 -0
package/docs/index.md +129 -0
package/docs/kontour-resource-contract.md +358 -0
package/docs/migrations.md +64 -0
package/docs/north-star.md +322 -0
package/docs/operating-layers.md +110 -0
package/docs/repository-structure.md +132 -0
package/docs/sandbox-policy.md +56 -0
package/docs/skills-map.md +203 -0
package/docs/standards-register.md +96 -0
package/docs/veritas-integration.md +165 -0
package/docs/work-item-adapters.md +72 -0
package/docs/workflow-artifact-lifecycle.md +141 -0
package/docs/workflow-eval-strategy.md +295 -0
package/docs/workflow-shared-contracts.md +51 -0
package/docs/workflow-usage-guide.md +443 -0
package/evals/ARCHITECTURE.md +143 -0
package/evals/CONVENTIONS.md +58 -0
package/evals/README.md +128 -0
package/evals/acceptance/run.sh +29 -0
package/evals/acceptance/test_claude_harness.sh +242 -0
package/evals/acceptance/test_codex_harness.sh +108 -0
package/evals/acceptance/test_kiro_harness.sh +128 -0
package/evals/cases/dev/404.html +97 -0
package/evals/cases/dev/code-review.yaml +44 -0
package/evals/cases/dev/dashboard.html +300 -0
package/evals/cases/dev/deliver.yaml +66 -0
package/evals/cases/dev/dependency-update.yaml +16 -0
package/evals/cases/dev/explore.yaml +20 -0
package/evals/cases/dev/index.html +370 -0
package/evals/cases/dev/package-lock.json +28 -0
package/evals/cases/dev/package.json +16 -0
package/evals/cases/dev/plan-work.yaml +20 -0
package/evals/cases/dev/promptfooconfig.yaml +666 -0
package/evals/cases/dev/search-first.yaml +20 -0
package/evals/cases/dev/tdd-workflow.yaml +48 -0
package/evals/cases/dev/verify-work.yaml +44 -0
package/evals/cases/dev/workflow.yaml +34 -0
package/evals/ci/run-baseline.sh +283 -0
package/evals/fixtures/backlog-provider-settings/global-default.json +44 -0
package/evals/fixtures/backlog-provider-settings/project-override.json +53 -0
package/evals/fixtures/builder-kit-workflow-state/baseline-freshness-resolution-hint.json +139 -0
package/evals/fixtures/builder-kit-workflow-state/direct-primitive-stop.json +59 -0
package/evals/fixtures/builder-kit-workflow-state/empty-board-route-shape.json +55 -0
package/evals/fixtures/builder-kit-workflow-state/happy-path.json +71 -0
package/evals/fixtures/builder-kit-workflow-state/mid-work-resume.json +80 -0
package/evals/fixtures/builder-kit-workflow-state/missing-prestep-recovery.json +65 -0
package/evals/fixtures/builder-kit-workflow-state/product-build-chaining.json +60 -0
package/evals/fixtures/builder-kit-workflow-state/stale-continuation-requires-new-probe.json +57 -0
package/evals/fixtures/console-learning-projection/artifacts/console-learning-correction/learning.json +50 -0
package/evals/fixtures/console-learning-projection/artifacts/console-learning-open-route/learning.json +41 -0
package/evals/fixtures/flow-kit-repository/invalid-absolute-path/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/invalid-asset-section/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-asset-section/kit.json +11 -0
package/evals/fixtures/flow-kit-repository/invalid-duplicate-flow/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-duplicate-flow/kit.json +9 -0
package/evals/fixtures/flow-kit-repository/invalid-id/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-id/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/invalid-malformed-json/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-flow/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-id/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-id/kit.json +7 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-schema-version/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-schema-version/kit.json +7 -0
package/evals/fixtures/flow-kit-repository/invalid-name/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-name/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/invalid-schema-version/flows/review.flow.json +6 -0
package/evals/fixtures/flow-kit-repository/invalid-schema-version/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/invalid-traversal/kit.json +8 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/adapters/example.json +3 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/assets/example.txt +1 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/docs/README.md +3 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/flows/runtime.flow.json +26 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/kit-evals/example.json +3 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/kit-skills/mixed/SKILL.md +3 -0
package/evals/fixtures/flow-kit-repository/mixed-runtime-kit/kit.json +44 -0
package/evals/fixtures/flow-kit-repository/valid-local-kit/docs/README.md +3 -0
package/evals/fixtures/flow-kit-repository/valid-local-kit/flows/review.flow.json +26 -0
package/evals/fixtures/flow-kit-repository/valid-local-kit/kit.json +20 -0
package/evals/fixtures/hook-influence/cases.json +336 -0
package/evals/fixtures/pull-work-provider/github-issues.json +170 -0
package/evals/fixtures/pull-work-wip-shepherding/global-wip-informs.json +43 -0
package/evals/fixtures/pull-work-wip-shepherding/personal-wip-blocks.json +42 -0
package/evals/fixtures/surface-trust/accepted-claim-trust-report.json +31 -0
package/evals/fixtures/surface-trust/artifact-absent.json +19 -0
package/evals/fixtures/surface-trust/integrity-mismatch-trust-report.json +32 -0
package/evals/fixtures/surface-trust/missing-authority-trust-report.json +27 -0
package/evals/fixtures/surface-trust/provider-absent.json +19 -0
package/evals/fixtures/surface-trust/rejected-claim-trust-report.json +30 -0
package/evals/fixtures/surface-trust/stale-claim-trust-snapshot.json +31 -0
package/evals/fixtures/usage-feedback/sample-full.jsonl +11 -0
package/evals/fixtures/usage-feedback/sample-outcomes.jsonl +1 -0
package/evals/fixtures/veritas-governance-adapter/fake-veritas-pass.sh +18 -0
package/evals/fixtures/veritas-governance-adapter/fake-veritas-secret-fail.sh +10 -0
package/evals/fixtures/veritas-governance-adapter/fake-veritas-unconfigured.sh +4 -0
package/evals/integration/test_bundle_install.sh +541 -0
package/evals/integration/test_console_learning_projection.sh +192 -0
package/evals/integration/test_context_map.sh +65 -0
package/evals/integration/test_effective_backlog_settings.sh +58 -0
package/evals/integration/test_fixture_retirement_audit.sh +58 -0
package/evals/integration/test_flow_agents_statusline.sh +93 -0
package/evals/integration/test_flow_kit_repository.sh +90 -0
package/evals/integration/test_goal_fit_hook.sh +482 -0
package/evals/integration/test_hook_category_behaviors.sh +190 -0
package/evals/integration/test_hook_influence_cases.sh +69 -0
package/evals/integration/test_local_flow_kit_install.sh +145 -0
package/evals/integration/test_publish_change_helper.sh +176 -0
package/evals/integration/test_pull_work_provider.sh +140 -0
package/evals/integration/test_runtime_adapter_activation.sh +106 -0
package/evals/integration/test_telemetry.sh +485 -0
package/evals/integration/test_telemetry_doctor.sh +193 -0
package/evals/integration/test_usage_feedback_dashboard.sh +169 -0
package/evals/integration/test_usage_feedback_global.sh +117 -0
package/evals/integration/test_usage_feedback_import.sh +227 -0
package/evals/integration/test_usage_feedback_outcomes.sh +165 -0
package/evals/integration/test_usage_feedback_report.sh +263 -0
package/evals/integration/test_veritas_governance_adapter.sh +235 -0
package/evals/integration/test_workflow_artifact_cleanup_audit.sh +287 -0
package/evals/integration/test_workflow_artifacts.sh +1247 -0
package/evals/integration/test_workflow_sidecar_writer.sh +2112 -0
package/evals/integration/test_workflow_steering_hook.sh +337 -0
package/evals/lib/assertions/delegated-to.js +40 -0
package/evals/lib/assertions/max-tool-calls.js +15 -0
package/evals/lib/assertions/no-write-tools.js +27 -0
package/evals/lib/assertions/pass-at-k.js +39 -0
package/evals/lib/assertions/telemetry-utils.js +105 -0
package/evals/lib/assertions/tool-called.js +39 -0
package/evals/lib/assertions/verify-after-fix.js +61 -0
package/evals/lib/claude-judge.sh +40 -0
package/evals/lib/claude-provider.sh +74 -0
package/evals/lib/codex-judge.sh +39 -0
package/evals/lib/codex-provider.sh +81 -0
package/evals/lib/eval-dev.sh +5 -0
package/evals/lib/eval-judge.sh +22 -0
package/evals/lib/eval-provider.sh +26 -0
package/evals/lib/eval-report.sh +73 -0
package/evals/lib/kiro-dev.sh +4 -0
package/evals/lib/kiro-judge.sh +17 -0
package/evals/lib/kiro-provider.sh +62 -0
package/evals/lib/node.sh +111 -0
package/evals/promptfooconfig.yaml +70 -0
package/evals/run.sh +309 -0
package/evals/static/test_evidence_refs.sh +141 -0
package/evals/static/test_package.sh +407 -0
package/evals/static/test_repo_hooks.sh +68 -0
package/evals/static/test_universal_bundles.sh +274 -0
package/evals/static/test_workflow_skills.sh +1207 -0
package/install.sh +64 -0
package/integrations/veritas/flow-agents.adapter.json +138 -0
package/integrations/veritas/flow-agents.authority-settings.json +26 -0
package/integrations/veritas/flow-agents.repo-standards.json +82 -0
package/kits/builder/flows/build.flow.json +218 -0
package/kits/builder/flows/shape.flow.json +127 -0
package/kits/builder/kit.json +19 -0
package/kits/catalog.json +11 -0
package/package.json +130 -0
package/packaging/README.md +60 -0
package/packaging/manifest.json +173 -0
package/packaging/packs.json +69 -0
package/powers/dependency-checker/POWER.md +20 -0
package/powers/dependency-checker/mcp.json +20 -0
package/powers/playwright/POWER.md +25 -0
package/powers/playwright/mcp.json +12 -0
package/prompts/code-audit.md +123 -0
package/prompts/kcommit.md +88 -0
package/schemas/backlog-provider-settings.schema.json +138 -0
package/schemas/workflow-acceptance.schema.json +216 -0
package/schemas/workflow-critique.schema.json +113 -0
package/schemas/workflow-evidence.schema.json +357 -0
package/schemas/workflow-handoff.schema.json +52 -0
package/schemas/workflow-learning.schema.json +223 -0
package/schemas/workflow-release.schema.json +172 -0
package/schemas/workflow-state.schema.json +80 -0
package/scripts/README.md +111 -0
package/scripts/build-universal-bundles.js +3 -0
package/scripts/check-content-boundary.cjs +99 -0
package/scripts/context-budget/budget-scan.sh +166 -0
package/scripts/detect-tools.sh +3 -0
package/scripts/discover-agents.sh +28 -0
package/scripts/effective-backlog-settings.js +2 -0
package/scripts/filter-installed-packs.js +2 -0
package/scripts/flow-kit.js +2 -0
package/scripts/generate-context-map.js +2 -0
package/scripts/git-status.sh +49 -0
package/scripts/hooks/claude-hook-adapter.js +174 -0
package/scripts/hooks/claude-telemetry-hook.js +115 -0
package/scripts/hooks/codex-hook-adapter.js +176 -0
package/scripts/hooks/codex-telemetry-hook.js +95 -0
package/scripts/hooks/config-protection.js +79 -0
package/scripts/hooks/desktop-notify.sh +39 -0
package/scripts/hooks/governance-audit.sh +135 -0
package/scripts/hooks/lib/audit-transport.sh +40 -0
package/scripts/hooks/lib/hook-flags.js +49 -0
package/scripts/hooks/lib/patterns.sh +57 -0
package/scripts/hooks/lib/resolve-formatter.js +80 -0
package/scripts/hooks/post-edit-accumulator.js +66 -0
package/scripts/hooks/pre-commit-quality.js +194 -0
package/scripts/hooks/quality-gate.js +93 -0
package/scripts/hooks/report-only-guard.js +21 -0
package/scripts/hooks/run-hook.js +136 -0
package/scripts/hooks/stop-format-typecheck.js +141 -0
package/scripts/hooks/stop-goal-fit.js +337 -0
package/scripts/hooks/workflow-steering.js +250 -0
package/scripts/install-codex-home.sh +106 -0
package/scripts/package.json +3 -0
package/scripts/promote-workflow-artifact.js +2 -0
package/scripts/publish-change-helper.js +2 -0
package/scripts/pull-work-provider.js +2 -0
package/scripts/setup-repo-hooks.sh +8 -0
package/scripts/statusline/flow-agents-statusline.js +157 -0
package/scripts/telemetry/console-presets.sh +14 -0
package/scripts/telemetry/install-console-config.sh +214 -0
package/scripts/telemetry/lib/config.sh +85 -0
package/scripts/telemetry/lib/enrich.sh +115 -0
package/scripts/telemetry/lib/redact.sh +22 -0
package/scripts/telemetry/lib/session.sh +63 -0
package/scripts/telemetry/lib/transport.sh +183 -0
package/scripts/telemetry/lib/usage.sh +29 -0
package/scripts/telemetry/sync-agents.sh +173 -0
package/scripts/telemetry/telemetry.conf +23 -0
package/scripts/telemetry/telemetry.sh +387 -0
package/scripts/usage-feedback.js +2 -0
package/scripts/validate-hook-influence-cases.js +2 -0
package/scripts/validate-package.sh +89 -0
package/scripts/validate-source-tree.js +9 -0
package/skills/agentic-engineering/SKILL.md +62 -0
package/skills/browser-test/SKILL.md +51 -0
package/skills/builder-shape/SKILL.md +76 -0
package/skills/context-budget/SKILL.md +40 -0
package/skills/deliver/SKILL.md +241 -0
package/skills/dependency-update/SKILL.md +68 -0
package/skills/design-probe/SKILL.md +107 -0
package/skills/eval-rebuild/SKILL.md +39 -0
package/skills/evidence-gate/SKILL.md +186 -0
package/skills/execute-plan/SKILL.md +110 -0
package/skills/explore/SKILL.md +137 -0
package/skills/feedback-loop/SKILL.md +87 -0
package/skills/fix-bug/SKILL.md +133 -0
package/skills/frontend-design/SKILL.md +80 -0
package/skills/github-cli/SKILL.md +63 -0
package/skills/idea-to-backlog/SKILL.md +267 -0
package/skills/knowledge-capture/SKILL.md +55 -0
package/skills/learning-review/SKILL.md +115 -0
package/skills/pickup-probe/SKILL.md +114 -0
package/skills/plan-work/SKILL.md +176 -0
package/skills/pull-work/SKILL.md +309 -0
package/skills/release-readiness/SKILL.md +121 -0
package/skills/review-work/SKILL.md +161 -0
package/skills/search-first/SKILL.md +66 -0
package/skills/tdd-workflow/SKILL.md +140 -0
package/skills/verify-work/SKILL.md +109 -0
package/src/cli/console-learning-projection.ts +140 -0
package/src/cli/effective-backlog-settings.ts +99 -0
package/src/cli/fixture-retirement-audit.ts +154 -0
package/src/cli/flow-kit.ts +139 -0
package/src/cli/init.ts +248 -0
package/src/cli/promote-workflow-artifact.ts +64 -0
package/src/cli/publish-change-helper.ts +143 -0
package/src/cli/pull-work-provider.ts +481 -0
package/src/cli/runtime-adapter.ts +24 -0
package/src/cli/telemetry-doctor.ts +243 -0
package/src/cli/usage-feedback.ts +418 -0
package/src/cli/validate-hook-influence.ts +119 -0
package/src/cli/validate-source-tree.ts +30 -0
package/src/cli/validate-workflow-artifacts.ts +411 -0
package/src/cli/veritas-governance.ts +322 -0
package/src/cli/workflow-artifact-cleanup-audit.ts +281 -0
package/src/cli/workflow-sidecar.ts +676 -0
package/src/cli.ts +95 -0
package/src/flow-kit/validate.ts +74 -0
package/src/lib/args.ts +43 -0
package/src/lib/fs.ts +62 -0
package/src/lib/workflow-learning-projection.ts +491 -0
package/src/runtime-adapters.ts +154 -0
package/src/tools/build-universal-bundles.ts +366 -0
package/src/tools/common.ts +61 -0
package/src/tools/filter-installed-packs.ts +129 -0
package/src/tools/generate-context-map.ts +199 -0
package/src/tools/validate-package.ts +57 -0
package/src/tools/validate-source-tree.ts +488 -0
package/tsconfig.json +19 -0
package/veritas.claims.json +6 -0

package/build/src/cli/workflow-sidecar.js ADDED Viewed

@@ -0,0 +1,816 @@
+#!/usr/bin/env node
+import * as fs from "node:fs";
+import * as path from "node:path";
+import { execFileSync } from "node:child_process";
+const statuses = new Set(["new", "planning", "planned", "in_progress", "blocked", "verifying", "verified", "needs_decision", "not_verified", "failed", "delivered", "accepted", "archived"]);
+const phases = ["idea", "backlog", "pickup", "planning", "execution", "verification", "goal_fit", "evidence", "release", "learning", "done"];
+const checkKinds = new Set(["build", "types", "lint", "test", "security", "diff", "browser", "runtime", "policy", "external"]);
+const checkStatuses = new Set(["pass", "fail", "not_verified", "skip"]);
+const verdicts = new Set(["pass", "partial", "fail", "not_verified"]);
+function now() { return new Date().toISOString().replace(/\.\d{3}Z$/, "Z"); }
+function read(file) { return fs.readFileSync(file, "utf8"); }
+function writeJson(file, payload) { fs.mkdirSync(path.dirname(file), { recursive: true }); fs.writeFileSync(file, `${JSON.stringify(payload, null, 2)}\n`); }
+function printJson(payload) { console.log(JSON.stringify(payload).replace(/":/g, '": ').replace(/,"/g, ', "')); }
+function loadJson(file, fallback = {}) { return fs.existsSync(file) ? JSON.parse(read(file)) : { ...fallback }; }
+function appendJsonl(file, payload) {
+    fs.mkdirSync(path.dirname(file), { recursive: true });
+    const line = JSON.stringify(payload, Object.keys(payload).sort()).replace(/":/g, '": ').replace(/,"/g, ', "');
+    fs.appendFileSync(file, `${line}\n`);
+}
+function die(message) { throw new Error(message); }
+function slugify(value, fallback) { return value.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "") || fallback; }
+function safeRepoIdentifier(value) {
+    const trimmed = value.trim().replace(/\.git$/, "");
+    if (!trimmed || trimmed.length > 120)
+        return "";
+    if (path.isAbsolute(trimmed) || trimmed.includes("\\") || /[\x00-\x1F\x7F]/.test(trimmed))
+        return "";
+    const parts = trimmed.split("/");
+    if (parts.length > 2 || parts.some((part) => !part || part === "." || part === ".."))
+        return "";
+    if (!parts.every((part) => /^[A-Za-z0-9_.-]+$/.test(part)))
+        return "";
+    return parts.join("/");
+}
+function parseRepoRemote(value) {
+    const trimmed = value.trim().replace(/\.git$/, "");
+    const ssh = /^git@[^:]+:(?<owner>[^/]+)\/(?<repo>[^/]+)$/.exec(trimmed);
+    if (ssh?.groups)
+        return safeRepoIdentifier(`${ssh.groups.owner}/${ssh.groups.repo}`);
+    try {
+        const url = new URL(trimmed);
+        if (!["https:", "http:", "ssh:", "git:"].includes(url.protocol))
+            return "";
+        const parts = url.pathname.split("/").filter(Boolean);
+        if (parts.length >= 2)
+            return safeRepoIdentifier(`${parts.at(-2)}/${parts.at(-1)}`);
+    }
+    catch {
+        // Non-URL remotes fall back to repository directory name below.
+    }
+    return "";
+}
+function repoIdentifier() {
+    const explicit = safeRepoIdentifier(process.env.FLOW_AGENTS_REPO ?? "");
+    if (explicit)
+        return explicit;
+    try {
+        const remote = execFileSync("git", ["config", "--get", "remote.origin.url"], { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] });
+        const parsed = parseRepoRemote(remote);
+        if (parsed)
+            return parsed;
+    }
+    catch {
+        // Keep sidecar writing independent of Git availability.
+    }
+    try {
+        const top = execFileSync("git", ["rev-parse", "--show-toplevel"], { encoding: "utf8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+        if (top)
+            return safeRepoIdentifier(path.basename(top)) || "workspace";
+    }
+    catch {
+        // Fall through to cwd basename for non-Git workspaces.
+    }
+    return safeRepoIdentifier(path.basename(process.cwd())) || "workspace";
+}
+function sidecarBase(slug) {
+    return { schema_version: "1.0", task_slug: slug, repo: repoIdentifier() };
+}
+function parseArgs(argv) {
+    const [command, ...rest] = argv;
+    const positional = [];
+    const opts = {};
+    const flags = new Set();
+    for (let i = 0; i < rest.length; i += 1) {
+        const arg = rest[i];
+        if (!arg.startsWith("--")) {
+            positional.push(arg);
+            continue;
+        }
+        const key = arg.slice(2);
+        const next = rest[i + 1];
+        if (!next || next.startsWith("--"))
+            flags.add(key);
+        else {
+            (opts[key] ??= []).push(next);
+            i += 1;
+        }
+    }
+    return { command: command ?? "", positional, opts, flags };
+}
+function opt(parsed, key, fallback = "") { return parsed.opts[key]?.at(-1) ?? fallback; }
+function opts(parsed, key) { return parsed.opts[key] ?? []; }
+function isUnderDir(dir, root) {
+    const resolvedRoot = fs.realpathSync(root);
+    const resolvedDir = fs.realpathSync(dir);
+    const relative = path.relative(resolvedRoot, resolvedDir);
+    return !!relative && !relative.startsWith("..") && !path.isAbsolute(relative);
+}
+function explicitArtifactRoot(p) {
+    const explicit = opt(p, "artifact-dir");
+    const configuredRoot = opt(p, "artifact-root");
+    if (!explicit)
+        return path.resolve(configuredRoot || ".flow-agents");
+    const dir = path.resolve(explicit);
+    if (!fs.existsSync(dir))
+        die(`artifact directory does not exist: ${dir}`);
+    if (fs.lstatSync(dir).isSymbolicLink())
+        die(`artifact directory must not be a symlink: ${dir}`);
+    if (configuredRoot) {
+        const root = path.resolve(configuredRoot);
+        if (!isUnderDir(dir, root))
+            die(`artifact directory must be under artifact root: ${dir} is outside ${root}`);
+        return root;
+    }
+    return path.dirname(dir);
+}
+function requireArtifactDirUnderRoot(dir, root) {
+    if (!dir || !fs.existsSync(dir))
+        die("artifact directory does not exist");
+    if (fs.lstatSync(dir).isSymbolicLink())
+        die(`artifact directory must not be a symlink: ${dir}`);
+    if (!isUnderDir(dir, root))
+        die(`artifact directory must be under artifact root: ${dir} is outside ${root}`);
+}
+function isPermissionDeniedLockError(error) {
+    return error.code === "EPERM" || error.code === "EACCES";
+}
+function lockAcquisitionFailureMessage(command, lockDir, error) {
+    const original = error.message || error.code || String(error);
+    if (!isPermissionDeniedLockError(error)) {
+        return `failed to acquire workflow sidecar lock for ${command}: ${lockDir}: ${original}`;
+    }
+    return [
+        `failed to acquire workflow sidecar lock for ${command}: ${lockDir}: ${original}`,
+        "Likely cause: local directory permissions, ownership, or sandbox restrictions prevented creating the lock directory.",
+        "Safe next step: fix permissions or ownership on the artifact directory, or rerun in an approved writable workspace.",
+        "If still blocked: manually write schema-valid sidecars and run workflow artifact validation rather than bypassing locks.",
+    ].join(" ");
+}
+async function withLock(dir, create, command, body) {
+    if (create)
+        fs.mkdirSync(dir, { recursive: true });
+    if (!fs.existsSync(dir))
+        return body();
+    const lockDir = path.join(dir, ".workflow-sidecar.lockdir");
+    const staleMs = Number(process.env.FLOW_AGENTS_WORKFLOW_SIDECAR_STALE_LOCK_MS ?? 5 * 60 * 1000);
+    const deadline = Date.now() + 30000;
+    while (true) {
+        try {
+            fs.mkdirSync(lockDir);
+            break;
+        }
+        catch (error) {
+            const lockError = error;
+            if (lockError.code !== "EEXIST") {
+                die(lockAcquisitionFailureMessage(command, lockDir, lockError));
+            }
+            try {
+                const stat = fs.statSync(lockDir);
+                if (staleMs > 0 && Date.now() - stat.mtimeMs > staleMs) {
+                    fs.rmSync(lockDir, { recursive: true, force: true });
+                    continue;
+                }
+            }
+            catch (error) {
+                if (error.code === "ENOENT")
+                    continue;
+                throw error;
+            }
+            if (Date.now() > deadline)
+                die(`timed out waiting for workflow sidecar lock for ${command}: ${dir}`);
+            await new Promise((resolve) => setTimeout(resolve, 20));
+        }
+    }
+    try {
+        const delay = process.env.FLOW_AGENTS_WORKFLOW_SIDECAR_LOCK_DELAY;
+        if (delay)
+            await new Promise((resolve) => setTimeout(resolve, Number(delay) * 1000));
+        return body();
+    }
+    finally {
+        fs.rmSync(lockDir, { recursive: true, force: true });
+    }
+}
+function section(text, heading) {
+    const match = new RegExp(`^(?<marks>##+)\\s+${heading.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*$`, "m").exec(text);
+    if (!match?.groups)
+        return "";
+    const start = match.index + match[0].length;
+    const rest = text.slice(start);
+    const next = new RegExp(`^#{2,${match.groups.marks.length}}\\s+`, "m").exec(rest);
+    return rest.slice(0, next?.index).trim();
+}
+function definitionAcceptanceLines(markdown) {
+    const out = [];
+    let active = false;
+    for (const raw of section(markdown, "Definition Of Done").split(/\r?\n/)) {
+        const line = raw.trim();
+        if (/^-\s+\*\*Acceptance criteria:\*\*/i.test(line)) {
+            active = true;
+            continue;
+        }
+        if (active && /^-\s+\*\*(Usefulness checks|Stop-short risks|Durable docs target|Scope|User outcome):\*\*/i.test(line))
+            break;
+        if (active && /^-\s+\[[ xX]\]/.test(line))
+            out.push(line);
+    }
+    return out;
+}
+function parseCriterion(line, index) {
+    let text = line.replace(/^-\s+\[[ xX]\]\s*/, "").trim();
+    const m = /\s+-\s+Evidence:\s*(.+)$/i.exec(text);
+    const evidence = m?.[1]?.trim().replace(/\.$/, "");
+    if (m)
+        text = text.slice(0, m.index).trim().replace(/\.$/, "");
+    const item = { id: slugify(text, `criterion-${index + 1}`), description: text, status: "pending" };
+    if (evidence)
+        item.evidence_refs = [evidenceRef("command", { excerpt: evidence })];
+    return item;
+}
+function artifactDirFrom(value) { return path.extname(value) ? path.dirname(value) : value; }
+function taskSlugFor(dir, explicit = "") { return explicit || path.basename(dir); }
+function relArtifacts(dir) { return fs.existsSync(dir) ? fs.readdirSync(dir).filter((n) => n.endsWith(".md") || n.endsWith(".json")).sort() : []; }
+function sessionDirFor(root, slug) {
+    if (!slug)
+        die("--task-slug is required");
+    if (path.isAbsolute(slug))
+        die("--task-slug must be a relative slug");
+    if (slug.includes(".."))
+        die("--task-slug must not contain '..'");
+    if (slug.includes("/") || slug.includes("\\") || path.basename(slug) !== slug)
+        die("--task-slug must not contain path separators");
+    const dir = path.resolve(root, slug);
+    const relative = path.relative(root, dir);
+    if (!relative || relative.startsWith("..") || path.isAbsolute(relative))
+        die("session directory must stay under artifact root");
+    return dir;
+}
+function validateAgentId(agent) {
+    if (!agent)
+        die("--agent-id is required");
+    if (path.isAbsolute(agent))
+        die("--agent-id must be a relative slug");
+    if (agent.includes(".."))
+        die("--agent-id must not contain '..'");
+    if (agent.includes("/") || agent.includes("\\") || path.basename(agent) !== agent)
+        die("--agent-id must not contain path separators");
+    if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(agent))
+        die("--agent-id must be a conservative slug");
+    return agent;
+}
+function writeCurrent(root, dir, timestamp, owner, source) {
+    writeJson(path.join(root, "current.json"), {
+        schema_version: "1.0",
+        active_slug: path.basename(dir),
+        artifact_dir: path.relative(root, dir) || ".",
+        updated_at: timestamp,
+        owner,
+        source,
+        active_agents: [],
+    });
+}
+function loadCurrent(root) {
+    const file = path.join(root, "current.json");
+    if (!fs.existsSync(file))
+        return null;
+    return JSON.parse(read(file));
+}
+function currentDir(root) {
+    const c = loadCurrent(root);
+    if (!c)
+        return null;
+    const dir = path.resolve(root, c.artifact_dir ?? c.active_slug ?? "");
+    return fs.existsSync(dir) ? dir : null;
+}
+function updateCurrentAgent(root, dir, agentId, status, timestamp) {
+    const cur = loadCurrent(root);
+    if (!cur || path.resolve(root, cur.artifact_dir ?? "") !== path.resolve(dir))
+        return;
+    const active = Array.isArray(cur.active_agents) ? cur.active_agents.filter((a) => a.agent_id !== agentId) : [];
+    if (status === "active" || status === "blocked")
+        active.push({ agent_id: agentId, status, updated_at: timestamp });
+    cur.active_agents = active;
+    cur.updated_at = timestamp;
+    writeJson(path.join(root, "current.json"), cur);
+}
+function initSidecars(dir, slug, sourceRequest, summary, nextAction, timestamp, markdown) {
+    const criteria = markdown ? definitionAcceptanceLines(markdown).map(parseCriterion) : [];
+    writeJson(path.join(dir, "state.json"), {
+        ...sidecarBase(slug), status: "planned", phase: "planning", created_at: timestamp, updated_at: timestamp,
+        artifact_paths: relArtifacts(dir),
+        next_action: { status: "continue", summary: nextAction || summary },
+    });
+    writeJson(path.join(dir, "acceptance.json"), {
+        ...sidecarBase(slug), source_request: sourceRequest,
+        criteria,
+        goal_fit: { status: "pending", summary: "Goal fit has not been verified yet." },
+    });
+    writeJson(path.join(dir, "handoff.json"), {
+        ...sidecarBase(slug), summary, current_state_ref: "state.json", next_steps: nextAction ? [nextAction] : [], blockers: [], warnings: [],
+    });
+}
+function ensureSession(p) {
+    const root = path.resolve(opt(p, "artifact-root", ".flow-agents"));
+    const slug = opt(p, "task-slug") || die("--task-slug is required");
+    const dir = sessionDirFor(root, slug);
+    fs.mkdirSync(dir, { recursive: true });
+    const timestamp = opt(p, "timestamp", now());
+    let md = fs.existsSync(path.join(dir, `${slug}--deliver.md`)) ? read(path.join(dir, `${slug}--deliver.md`)) : "";
+    if (!md) {
+        md = `# ${opt(p, "title", slug)}\n\nbranch: main\nworktree: main\ncreated: ${timestamp}\nstatus: planning\ntype: deliver\niteration: 1\n\n## Plan\n\n${opt(p, "summary", "")}\n\n## Definition Of Done\n\n- **User outcome:** ${opt(p, "summary", "Workflow session is durable.")}\n- **Scope:** Workflow session artifacts and sidecars.\n- **Acceptance criteria:**\n${opts(p, "criterion").map((c) => `  - [ ] ${c} - Evidence: pending.`).join("\n")}\n- **Usefulness checks:**\n  - [ ] User-facing workflow is documented or discoverable\n- **Stop-short risks:** Workflow artifacts could drift.\n- **Durable docs target:** not needed\n- **Sandbox mode:** local-edit\n\n## Execution Progress\n\n- [ ] Session initialized.\n\n## Verification Report\n\nBuild: [NOT_VERIFIED] Verification has not run yet.\n\n### Acceptance Criteria\n- [NOT_VERIFIED] Verification has not run yet - Evidence: pending workflow execution and checks.\n\n### Verdict: NOT_VERIFIED\n\n## Goal Fit Gate\n\n- [ ] Original user goal restated\n\n## Final Acceptance\n\n- [ ] CI/relevant checks passed or local equivalent recorded\n`;
+        fs.writeFileSync(path.join(dir, `${slug}--deliver.md`), md);
+    }
+    if (!fs.existsSync(path.join(dir, "state.json")) || !fs.existsSync(path.join(dir, "acceptance.json")) || !fs.existsSync(path.join(dir, "handoff.json"))) {
+        initSidecars(dir, slug, opt(p, "source-request"), opt(p, "summary"), opt(p, "next-action", "Continue."), timestamp, md);
+    }
+    writeCurrent(root, dir, timestamp, "workflow-sidecar", "ensure-session");
+    console.log(dir);
+    return 0;
+}
+function current(p) {
+    const root = path.resolve(opt(p, "artifact-root", ".flow-agents"));
+    const dir = currentDir(root);
+    if (!dir)
+        die("no current workflow session is recorded");
+    const format = opt(p, "format", "path");
+    console.log(format === "slug" ? path.basename(dir) : dir);
+    return 0;
+}
+function recordAgentEvent(p) {
+    const hasExplicitRoot = !!opt(p, "artifact-root");
+    const root = explicitArtifactRoot(p);
+    const explicit = opt(p, "artifact-dir");
+    const dir = explicit ? path.resolve(explicit) : currentDir(root);
+    if (!dir || !fs.existsSync(dir))
+        die("artifact directory does not exist");
+    if (explicit && fs.lstatSync(dir).isSymbolicLink())
+        die(`artifact directory must not be a symlink: ${dir}`);
+    if (hasExplicitRoot)
+        requireArtifactDirUnderRoot(dir, root);
+    const timestamp = opt(p, "timestamp", now());
+    const agent = validateAgentId(opt(p, "agent-id"));
+    const event = { timestamp, agent_id: agent, kind: opt(p, "kind", "note"), status: opt(p, "status", "info"), summary: opt(p, "summary"), ...(opt(p, "ref") ? { ref: opt(p, "ref") } : {}) };
+    appendJsonl(path.join(dir, "agents", agent, "events.jsonl"), event);
+    updateCurrentAgent(root, dir, agent, event.status, timestamp);
+    return 0;
+}
+function initPlan(p) {
+    const artifact = p.positional[0] || die("artifact path is required");
+    const dir = artifactDirFrom(artifact);
+    const slug = taskSlugFor(dir, opt(p, "task-slug"));
+    initSidecars(dir, slug, opt(p, "source-request"), opt(p, "summary"), opt(p, "next-action"), opt(p, "timestamp", now()), read(artifact));
+    return 0;
+}
+function parseJson(value, label) {
+    try {
+        const raw = JSON.parse(value);
+        if (!raw || typeof raw !== "object" || Array.isArray(raw))
+            throw new Error("object expected");
+        return raw;
+    }
+    catch {
+        die(`${label} must be valid JSON object`);
+    }
+}
+function evidenceRef(kind, fields) {
+    return { kind, ...fields };
+}
+function hasNonEmptyString(value) {
+    return typeof value === "string" && value.length > 0;
+}
+function hasPositiveInteger(value) {
+    return Number.isInteger(value) && Number(value) >= 1;
+}
+function validateEvidenceRef(ref, label) {
+    if (!["source", "command", "artifact", "provider", "external"].includes(ref.kind))
+        die(`${label} entry kind must be one of: source, command, artifact, provider, external`);
+    for (const key of Object.keys(ref))
+        if (!["kind", "url", "file", "line_start", "line_end", "excerpt", "summary"].includes(key))
+            die(`${label} entries contain unsupported field: ${key}`);
+    if (ref.url !== undefined && !hasNonEmptyString(ref.url))
+        die(`${label} entry url must be a non-empty string`);
+    if (ref.file !== undefined && !hasNonEmptyString(ref.file))
+        die(`${label} entry file must be a non-empty string`);
+    if (ref.excerpt !== undefined && !hasNonEmptyString(ref.excerpt))
+        die(`${label} entry excerpt must be a non-empty string`);
+    if (ref.summary !== undefined && !hasNonEmptyString(ref.summary))
+        die(`${label} entry summary must be a non-empty string`);
+    if (ref.line_start !== undefined && !hasPositiveInteger(ref.line_start))
+        die(`${label} entry line_start must be a positive integer`);
+    if (ref.line_end !== undefined && !hasPositiveInteger(ref.line_end))
+        die(`${label} entry line_end must be a positive integer`);
+    if (ref.kind === "source" && (!hasNonEmptyString(ref.file) || !hasPositiveInteger(ref.line_start) || !hasPositiveInteger(ref.line_end) || !hasNonEmptyString(ref.excerpt)))
+        die(`${label} source refs require file, line_start, line_end, and excerpt`);
+    if (ref.kind === "artifact" && (!hasNonEmptyString(ref.file) && !hasNonEmptyString(ref.url)))
+        die(`${label} artifact refs require file or url`);
+    if (ref.kind === "artifact" && (!hasNonEmptyString(ref.summary) && !hasNonEmptyString(ref.excerpt)))
+        die(`${label} artifact refs require summary or excerpt`);
+    if (ref.kind === "command" && (!hasNonEmptyString(ref.summary) && !hasNonEmptyString(ref.excerpt) && !hasNonEmptyString(ref.url)))
+        die(`${label} command refs require summary, excerpt, or url`);
+    if ((ref.kind === "provider" || ref.kind === "external") && !hasNonEmptyString(ref.url))
+        die(`${label} ${ref.kind} refs require url`);
+    return ref;
+}
+function normalizeEvidenceRefs(raw, label) {
+    if (!Array.isArray(raw))
+        die(`${label} must be an array`);
+    return raw.map((ref) => {
+        if (typeof ref === "string")
+            die(`${label} entries must be structured evidence reference objects; legacy string refs are not supported`);
+        if (!ref || typeof ref !== "object" || Array.isArray(ref))
+            die(`${label} entries must be objects`);
+        return validateEvidenceRef({ ...ref }, label);
+    });
+}
+function normalizeCheck(raw) {
+    const check = { ...raw };
+    if (!check.id || !check.kind || !check.status || !check.summary)
+        die("check requires id, kind, status, and summary");
+    if (!checkKinds.has(check.kind))
+        die("kind must be one of: build, types, lint, test, security, diff, browser, runtime, policy, external");
+    if (!checkStatuses.has(check.status))
+        die("status must be one of: pass, fail, not_verified, skip");
+    if (Array.isArray(check.standard_refs))
+        for (const ref of check.standard_refs)
+            if (!["junit", "sarif", "coverage", "veritas"].includes(ref.standard))
+                die("standard must be one of");
+    if (check.artifact_refs)
+        check.artifact_refs = normalizeEvidenceRefs(check.artifact_refs, "artifact_refs");
+    if (check.surface_trust_refs)
+        check.surface_trust_refs = normalizeSurfaceRefs(check.surface_trust_refs);
+    return check;
+}
+function normalizeSurfaceRefs(refs) {
+    if (!Array.isArray(refs))
+        die("surface_trust_refs must be an array");
+    return refs.map((ref) => {
+        const keys = JSON.stringify(ref).match(/"([^"]+)":/g) ?? [];
+        for (const key of keys.map((k) => k.slice(1, -2)))
+            if (key.toLowerCase().includes("veritas"))
+                die(`unsupported field in Surface trust ref: ${key}`);
+        const out = { ...ref };
+        if (!["TrustReport", "Trust Snapshot"].includes(out.artifact_kind))
+            die("artifact_kind must be one of");
+        const status = deriveSurfaceStatus(out);
+        if (out.status === "pass" && status !== "pass")
+            die("surface_trust_refs contradicts Surface trust facts");
+        return out;
+    });
+}
+function deriveSurfaceStatus(ref) {
+    if (ref.claim_status !== "accepted")
+        return "fail";
+    if (ref.freshness?.status !== "fresh")
+        return "not_verified";
+    if (!ref.authority || ref.authority.producer === "unknown")
+        return "fail";
+    if (ref.integrity?.status !== "matched")
+        return "fail";
+    return "pass";
+}
+function surfaceCheckFromArtifact(file, index) {
+    const raw = JSON.parse(read(file));
+    const lower = JSON.stringify(raw).toLowerCase();
+    let ref;
+    if (lower.includes("provider") && lower.includes("absent")) {
+        ref = { artifact_kind: "TrustReport", artifact_ref: file, gate_id: "provider.unavailable", claim_type: "surface.claim", claim_status: "unknown", subject: "builder-kit", freshness: { status: "unknown", summary: "No trust provider is configured" }, authority: { producer: "unknown", summary: "No trust provider is configured" }, integrity: { status: "unknown", summary: "Unknown" }, status: "not_verified", summary: "No trust provider is configured" };
+    }
+    else if (lower.includes("artifact") && lower.includes("absent")) {
+        ref = { artifact_kind: "TrustReport", artifact_ref: file, gate_id: "artifact.unavailable", claim_type: "surface.claim", claim_status: "unknown", subject: "builder-kit", freshness: { status: "unknown", summary: "Artifact not readable" }, authority: { producer: "unknown", summary: "Artifact not readable" }, integrity: { status: "unknown", summary: "Artifact not readable" }, status: "not_verified", summary: "artifact not readable" };
+    }
+    else {
+        const claimStatus = lower.includes("rejected") ? "rejected" : "accepted";
+        const freshness = lower.includes("stale") ? "stale" : "fresh";
+        const producer = lower.includes("missing-authority") ? "unknown" : "surface-local";
+        const integrity = lower.includes("mismatch") ? "mismatch" : "matched";
+        ref = { artifact_kind: file.includes("snapshot") ? "Trust Snapshot" : "TrustReport", artifact_ref: file, gate_id: "builder.surface.claim", claim_type: "surface.claim", claim_status: claimStatus, subject: "builder-kit", freshness: { status: freshness, summary: freshness === "fresh" ? "fresh" : "not currently verifiable" }, authority: { producer, summary: producer === "unknown" ? "missing authority" : "Local Surface trust producer." }, integrity: { status: integrity, summary: integrity === "matched" ? "matched" : "integrity mismatch" } };
+        ref.status = deriveSurfaceStatus(ref);
+        ref.summary = ref.status === "pass" ? "accepted" : ref.status === "not_verified" ? "not currently verifiable" : (claimStatus === "rejected" ? "rejected" : producer === "unknown" ? "missing authority" : "integrity mismatch");
+    }
+    return { id: `surface-trust-${index + 1}`, kind: "policy", status: ref.status, summary: ref.summary, surface_trust_refs: [ref] };
+}
+function updateAcceptance(dir, verdict) {
+    const file = path.join(dir, "acceptance.json");
+    if (!fs.existsSync(file))
+        return;
+    const data = loadJson(file);
+    const status = verdict === "pass" ? "pass" : verdict === "fail" ? "fail" : "not_verified";
+    if (Array.isArray(data.criteria))
+        data.criteria = data.criteria.map((c) => ({ ...c, status }));
+    data.goal_fit = { ...(data.goal_fit ?? {}), status, summary: verdict === "pass" ? "Evidence passed." : "Evidence requires follow-up." };
+    writeJson(file, data);
+}
+function validateAcceptanceEvidenceRefs(dir) {
+    const file = path.join(dir, "acceptance.json");
+    if (!fs.existsSync(file))
+        return;
+    const data = loadJson(file);
+    if (!Array.isArray(data.criteria))
+        return;
+    data.criteria.forEach((criterion, index) => {
+        if (criterion.evidence_refs !== undefined)
+            normalizeEvidenceRefs(criterion.evidence_refs, `acceptance.criteria[${index}].evidence_refs`);
+    });
+}
+function writeState(dir, slug, status, phase, timestamp, summary, next = "continue") {
+    writeJson(path.join(dir, "state.json"), { ...loadJson(path.join(dir, "state.json")), ...sidecarBase(slug), status, phase, updated_at: timestamp, artifact_paths: relArtifacts(dir), next_action: { status: next, summary } });
+}
+function recordEvidence(p) {
+    const dir = artifactDirFrom(p.positional[0] || die("artifact directory is required"));
+    const verdict = opt(p, "verdict") || die("--verdict is required");
+    if (!verdicts.has(verdict))
+        die("verdict must be one of: pass, partial, fail, not_verified");
+    const slug = taskSlugFor(dir, opt(p, "task-slug"));
+    const checks = [...opts(p, "check-json").map((v) => normalizeCheck(parseJson(v, "--check-json"))), ...opts(p, "surface-trust-json").map(surfaceCheckFromArtifact)];
+    if (!checks.length && opts(p, "surface-trust-json").length === 0)
+        die("record-evidence requires at least one --check-json or --surface-trust-json");
+    validateAcceptanceEvidenceRefs(dir);
+    const payload = { ...sidecarBase(slug), verdict, checks, not_verified_gaps: opts(p, "gap") };
+    writeJson(path.join(dir, "evidence.json"), payload);
+    updateAcceptance(dir, verdict);
+    const stateStatus = verdict === "pass" ? "verified" : verdict === "fail" ? "failed" : "not_verified";
+    writeState(dir, slug, stateStatus, "verification", opt(p, "timestamp", now()), "Evidence recorded.");
+    return 0;
+}
+function diagnostic(dir, code, summary) {
+    const payload = { timestamp: now(), code, summary };
+    appendJsonl(path.join(dir, "transition-diagnostics.jsonl"), payload);
+    die(`${code}: ${summary}`);
+}
+function advanceState(p) {
+    const dir = artifactDirFrom(p.positional[0] || die("artifact directory is required"));
+    const status = opt(p, "status");
+    const phase = opt(p, "phase");
+    const target = opt(p, "target-phase");
+    if (!statuses.has(status))
+        die(`status must be one of: ${[...statuses].join(", ")}`);
+    if (!phases.includes(phase))
+        die(`phase must be one of: ${phases.join(", ")}`);
+    if (target && !phases.includes(target))
+        die(`target phase must be one of: ${phases.join(", ")}`);
+    const prev = loadJson(path.join(dir, "state.json"));
+    if ((status === "archived" || status === "accepted") && prev.phase !== "learning")
+        diagnostic(dir, "terminal_jump_rejected", "Terminal workflow states require release and learning gates.");
+    const flow = opt(p, "flow-definition");
+    if (flow === "builder.build" && prev.phase === "verification" && phase === "execution") {
+        const reason = opt(p, "route-back-reason");
+        if (!reason)
+            diagnostic(dir, "route_back_reason_required", "Builder Kit route-back requires implementation_defect or equivalent reason.");
+        const file = path.join(dir, "transition-attempts.json");
+        const attempts = loadJson(file);
+        const key = `verification->execution:${reason}`;
+        const count = attempts[key]?.count ?? 0;
+        if (count >= 3)
+            diagnostic(dir, "route_back_attempts_exceeded", "Builder Kit route-back attempts exceeded.");
+        attempts[key] = { count: count + 1, reason, updated_at: opt(p, "timestamp", now()) };
+        writeJson(file, attempts);
+    }
+    const slug = taskSlugFor(dir, opt(p, "task-slug"));
+    const timestamp = opt(p, "timestamp", now());
+    writeState(dir, slug, status, phase, timestamp, opt(p, "summary"));
+    writeJson(path.join(dir, "handoff.json"), { ...loadJson(path.join(dir, "handoff.json")), ...sidecarBase(slug), summary: opt(p, "summary"), current_state_ref: "state.json", next_steps: [opt(p, "next-action")].filter(Boolean), blockers: [], warnings: [] });
+    return 0;
+}
+function normalizeFinding(raw) {
+    if (raw.file_refs !== undefined && !Array.isArray(raw.file_refs))
+        die("file_refs must be an array");
+    return raw;
+}
+function critiqueStatus(critiques, required) {
+    if (!required && critiques.length === 0)
+        return "not_required";
+    if (critiques.some((c) => c.verdict === "fail" || (Array.isArray(c.findings) && c.findings.some((f) => f.status === "open"))))
+        return "fail";
+    return "pass";
+}
+function recordCritique(p) {
+    const dir = artifactDirFrom(p.positional[0] || die("artifact directory is required"));
+    const slug = taskSlugFor(dir, opt(p, "task-slug"));
+    const existing = loadJson(path.join(dir, "critique.json"), { critiques: [] });
+    const critique = { id: opt(p, "id") || "review", reviewer: opt(p, "reviewer", "tool-code-reviewer"), reviewed_at: opt(p, "timestamp", now()), verdict: opt(p, "verdict", "pass"), summary: opt(p, "summary"), artifact_refs: opts(p, "artifact-ref"), findings: opts(p, "finding-json").map((v) => normalizeFinding(parseJson(v, "--finding-json"))) };
+    const critiques = [...(Array.isArray(existing.critiques) ? existing.critiques : []), critique];
+    if (critique.verdict === "pass" && critique.findings.some((f) => f.status === "open"))
+        die("required critique must pass");
+    writeJson(path.join(dir, "critique.json"), { ...sidecarBase(slug), status: critiqueStatus(critiques, true), required: true, updated_at: critique.reviewed_at, critiques });
+    return 0;
+}
+function frontmatter(text, key) {
+    if (!text.startsWith("---"))
+        return "";
+    const end = text.indexOf("\n---", 3);
+    if (end < 0)
+        return "";
+    return new RegExp(`^${key}:\\s*(.+)$`, "m").exec(text.slice(0, end))?.[1]?.trim() ?? "";
+}
+function importCritique(p) {
+    const dir = artifactDirFrom(p.positional[0] || die("artifact directory is required"));
+    const review = p.positional[1] || die("review artifact is required");
+    const text = read(review);
+    const role = frontmatter(text, "role");
+    if (!["review", "code-review"].includes(role))
+        die("review artifact must declare role");
+    const verdictRaw = (frontmatter(text, "verdict") || /###\s+Verdict:\s*([A-Z_]+)/i.exec(text)?.[1] || "PASS").toUpperCase();
+    const verdict = verdictRaw === "CHANGES_REQUESTED" || verdictRaw === "FAIL" ? "fail" : verdictRaw === "NOT_VERIFIED" ? "not_verified" : "pass";
+    const findings = [];
+    const re = /^####\s+\[(?<severity>[A-Z]+)\]\s+(?<target>.+?)\s+-\s+(?<title>.+)$/gm;
+    for (let m; (m = re.exec(text));) {
+        const title = m.groups?.title ?? "finding";
+        findings.push({ id: slugify(title, `finding-${findings.length + 1}`), severity: (m.groups?.severity ?? "info").toLowerCase(), status: opt(p, "finding-status", verdict === "pass" ? "fixed" : "open"), description: title, file_refs: [m.groups?.target ?? review] });
+    }
+    const parsed = { ...p, positional: [dir], opts: { ...p.opts, id: [slugify(path.basename(review).replace(/\.md$/, ""), "review")], reviewer: ["tool-code-reviewer"], verdict: [verdict], summary: [`Imported critique from ${path.basename(review)}`], "finding-json": findings.map((f) => JSON.stringify(f)) }, flags: p.flags };
+    const result = recordCritique(parsed);
+    if (verdict !== "pass")
+        die("required critique must pass");
+    return result;
+}
+function recordRelease(p) {
+    const dir = artifactDirFrom(p.positional[0] || die("artifact directory is required"));
+    const slug = taskSlugFor(dir, opt(p, "task-slug"));
+    const decision = opt(p, "decision");
+    if (!["merge", "release", "deploy", "hold", "rollback_required"].includes(decision))
+        die("decision must be one of: merge, release, deploy, hold, rollback_required");
+    const gates = opts(p, "gate-json").map((v) => parseJson(v, "--gate-json"));
+    if (["merge", "release", "deploy"].includes(decision) && !gates.some((g) => g.name === decision && g.status === "pass"))
+        die(`positive release decision requires ${decision} gate to pass`);
+    const payload = { ...sidecarBase(slug), decision: opt(p, "decision"), updated_at: opt(p, "timestamp", now()), scope: opt(p, "scope"), evidence_ref: opt(p, "evidence-ref"), gates: opts(p, "gate-json").map((v) => parseJson(v, "--gate-json")), rollback_plan: parseJson(opt(p, "rollback-json", '{"status":"not_required","summary":"Not required.","owner":"maintainer"}'), "--rollback-json"), observability_plan: parseJson(opt(p, "observability-json", '{"status":"not_required","summary":"Not required."}'), "--observability-json"), post_deploy_checks: opts(p, "post-deploy-json").map((v) => parseJson(v, "--post-deploy-json")), docs: parseJson(opt(p, "docs-json", '{"status":"not_needed","summary":"Not needed."}'), "--docs-json") };
+    const stateSummary = opt(p, "summary").trim() || `Release readiness recorded for ${decision}.`;
+    writeJson(path.join(dir, "release.json"), payload);
+    writeState(dir, slug, "delivered", "release", payload.updated_at, stateSummary);
+    return 0;
+}
+function validateLearningCorrection(record) {
+    const correction = record.correction;
+    if (correction === undefined)
+        return;
+    if (!correction || typeof correction !== "object" || Array.isArray(correction))
+        die("correction must be an object");
+    if (typeof correction.needed !== "boolean")
+        die("correction.needed must be boolean");
+    if (correction.needed === false) {
+        if (typeof correction.evidence !== "string" || correction.evidence.length === 0)
+            die("correction.evidence is required when correction.needed is false");
+        return;
+    }
+    for (const key of ["type", "recurrence_key", "intended_behavior", "observed_behavior", "gap"]) {
+        if (typeof correction[key] !== "string" || correction[key].length === 0)
+            die(`correction.${key} is required when correction.needed is true`);
+    }
+    if (!["workflow", "skill", "agent", "tooling", "test", "doc", "process", "product", "provider", "none"].includes(correction.type)) {
+        die("correction.type must be one of: workflow, skill, agent, tooling, test, doc, process, product, provider, none");
+    }
+    const prevention = correction.prevention;
+    if (prevention !== undefined)
+        validateLearningPrevention(prevention);
+    const hasPrevention = prevention !== undefined;
+    const hasNoChange = typeof correction.no_change_rationale === "string" && correction.no_change_rationale.length > 0;
+    if (!hasPrevention && !hasNoChange)
+        die("correction requires prevention route or no_change_rationale when correction.needed is true");
+}
+function validateLearningPrevention(prevention) {
+    if (!prevention || typeof prevention !== "object" || Array.isArray(prevention))
+        die("correction.prevention must be an object");
+    const value = prevention;
+    if (typeof value.target !== "string" || value.target.length === 0)
+        die("correction.prevention.target is required");
+    if (!["rule", "skill", "power", "agent", "eval", "doc", "backlog", "knowledge", "none"].includes(value.target))
+        die("correction.prevention.target must be one of: rule, skill, power, agent, eval, doc, backlog, knowledge, none");
+    if (typeof value.action !== "string" || value.action.length === 0)
+        die("correction.prevention.action is required");
+    if (typeof value.status !== "string" || value.status.length === 0)
+        die("correction.prevention.status is required");
+    if (!["open", "completed", "accepted", "deferred", "rejected"].includes(value.status))
+        die("correction.prevention.status must be one of: open, completed, accepted, deferred, rejected");
+}
+function normalizeLearning(raw, timestamp) {
+    if (!Array.isArray(raw.source_refs))
+        die("source_refs must be an array");
+    if (!Array.isArray(raw.facts))
+        die("facts must be an array");
+    if (!Array.isArray(raw.routing))
+        die("routing must be an array");
+    if (!["success", "failure", "mixed", "unknown"].includes(raw.outcome))
+        die("learning outcome must be one of: success, failure, mixed, unknown");
+    validateLearningCorrection(raw);
+    return { recorded_at: timestamp, ...raw };
+}
+function recordLearning(p) {
+    const dir = artifactDirFrom(p.positional[0] || die("artifact directory is required"));
+    const slug = taskSlugFor(dir, opt(p, "task-slug"));
+    const timestamp = opt(p, "timestamp", now());
+    const records = opts(p, "record-json").map((v) => normalizeLearning(parseJson(v, "--record-json"), timestamp));
+    const status = opt(p, "status", "learned");
+    if (status === "learned" && records.some((r) => r.routing.some((x) => x.status === "open")))
+        die("learning status learned cannot have open routing");
+    if (status === "learned" && records.some((r) => r.correction === undefined))
+        die("learning status learned requires every record to include correction.needed");
+    writeJson(path.join(dir, "learning.json"), { ...sidecarBase(slug), status, updated_at: timestamp, records });
+    writeState(dir, slug, "accepted", "learning", timestamp, opt(p, "summary"));
+    return 0;
+}
+function evidenceClean(dir) {
+    const e = loadJson(path.join(dir, "evidence.json"), {});
+    return e.verdict === "pass" && Array.isArray(e.checks) && e.checks.length > 0 && e.checks.every((c) => {
+        if (!(c.status === "pass" || c.status === "skip"))
+            return false;
+        return !Array.isArray(c.standard_refs) || c.standard_refs.every((r) => ["junit", "sarif", "coverage", "veritas"].includes(r.standard));
+    });
+}
+function critiqueClean(dir) {
+    const c = loadJson(path.join(dir, "critique.json"), {});
+    return c.status === "pass" && Array.isArray(c.critiques) && c.critiques.every((x) => x.verdict !== "fail" && (!Array.isArray(x.findings) || x.findings.every((f) => f.status !== "open" && (f.file_refs === undefined || Array.isArray(f.file_refs)))));
+}
+function assertExistingLearningValid(dir) {
+    const file = path.join(dir, "learning.json");
+    if (!fs.existsSync(file))
+        return;
+    const data = loadJson(file);
+    if (!Array.isArray(data.records))
+        die("learning records must be an array");
+    for (const record of data.records) {
+        if (!Array.isArray(record.source_refs))
+            die("source_refs must be an array");
+        if (!Array.isArray(record.facts))
+            die("facts must be an array");
+        if (!Array.isArray(record.routing))
+            die("routing must be an array");
+        validateLearningCorrection(record);
+        if (data.status === "learned" && record.correction === undefined)
+            die("learning status learned requires every record to include correction.needed");
+    }
+}
+function dogfoodPass(p) {
+    const root = path.resolve(opt(p, "artifact-root", ".flow-agents"));
+    const dir = path.resolve(opt(p, "artifact-dir") || currentDir(root) || "");
+    requireArtifactDirUnderRoot(dir, root);
+    assertExistingLearningValid(dir);
+    const verdict = opt(p, "verdict");
+    if (verdict === "pass") {
+        const checks = opts(p, "check-json").map((v) => normalizeCheck(parseJson(v, "--check-json")));
+        if (checks.some((c) => c.status !== "pass" && c.status !== "skip"))
+            die("clean evidence requires all non-skipped checks to pass");
+        if (fs.existsSync(path.join(dir, "evidence.json")) && !evidenceClean(dir))
+            die("cannot mark clean without passing evidence");
+        if (!fs.existsSync(path.join(dir, "evidence.json")) && checks.length === 0)
+            die("cannot mark clean without passing evidence");
+        if (p.flags.has("require-critique") || opt(p, "release-decision")) {
+            const newCritiqueVerdict = opt(p, "critique-verdict", "pass");
+            for (const value of opts(p, "finding-json"))
+                normalizeFinding(parseJson(value, "--finding-json"));
+            if (newCritiqueVerdict !== "pass")
+                die(opt(p, "release-decision") ? "requires clean critique" : "requires clean critique before recording pass evidence");
+            if (!opt(p, "critique-id") && !critiqueClean(dir))
+                die("requires passing critique");
+            if (fs.existsSync(path.join(dir, "critique.json")) && !critiqueClean(dir))
+                die(opt(p, "release-decision") ? "requires clean critique" : "requires clean critique before recording pass evidence");
+        }
+    }
+    const learningRecords = opts(p, "learning-record-json").map((v) => normalizeLearning(parseJson(v, "--learning-record-json"), opt(p, "timestamp", now())));
+    if (opt(p, "learning-status") === "learned" && learningRecords.some((r) => r.routing.some((x) => x.status === "open")))
+        die("learned status cannot have open learning routing");
+    if (opt(p, "learning-status") === "learned" && learningRecords.some((r) => r.correction === undefined))
+        die("learned status requires every learning record to include correction.needed");
+    if (opts(p, "check-json").length)
+        recordEvidence({ ...p, positional: [dir], opts: { ...p.opts, verdict: [verdict] }, flags: p.flags });
+    if (p.flags.has("require-critique") && opt(p, "critique-id"))
+        recordCritique({ ...p, positional: [dir], opts: { ...p.opts, id: [opt(p, "critique-id")], verdict: [opt(p, "critique-verdict", "pass")], summary: [opt(p, "critique-summary", opt(p, "summary"))] }, flags: p.flags });
+    if (learningRecords.length)
+        recordLearning({ ...p, positional: [dir], opts: { ...p.opts, status: [opt(p, "learning-status", "learned")], "record-json": opts(p, "learning-record-json"), summary: [opt(p, "learning-summary", opt(p, "summary"))] }, flags: p.flags });
+    if (opt(p, "release-decision")) {
+        recordRelease({ ...p, positional: [dir], opts: { ...p.opts, decision: [opt(p, "release-decision")], scope: [opt(p, "release-scope")], summary: [opt(p, "release-summary", opt(p, "summary"))], "gate-json": ['{"name":"merge","status":"pass","summary":"Dogfood release gate passed."}'], "evidence-ref": ["evidence.json"], "docs-json": [`{"status":"updated","summary":"Docs updated.","refs":["${opt(p, "release-doc-ref", "docs/workflow-usage-guide.md")}"]}`] }, flags: p.flags });
+        printJson({ release_decision: opt(p, "release-decision") });
+        return 0;
+    }
+    const stateStatus = verdict === "pass" ? "verified" : verdict === "fail" ? "failed" : "not_verified";
+    const handoff = loadJson(path.join(dir, "handoff.json"));
+    if (verdict === "fail") {
+        handoff.blockers = ["Required dogfood critique is not passing"];
+        writeJson(path.join(dir, "handoff.json"), handoff);
+    }
+    writeState(dir, taskSlugFor(dir, opt(p, "task-slug")), stateStatus, "verification", opt(p, "timestamp", now()), opt(p, "summary"), verdict === "pass" ? "continue" : "blocked");
+    printJson({ state_status: stateStatus });
+    return 0;
+}
+async function main() {
+    const p = parseArgs(process.argv.slice(2));
+    if (!p.command)
+        die("workflow-sidecar command is required");
+    const lockRoot = ["ensure-session", "current", "dogfood-pass"].includes(p.command) ? path.resolve(opt(p, "artifact-root", ".flow-agents")) : p.command === "record-agent-event" ? explicitArtifactRoot(p) : p.positional[0] ? artifactDirFrom(p.positional[0]) : "";
+    return withLock(lockRoot, ["ensure-session", "record-agent-event", "dogfood-pass"].includes(p.command), p.command, () => {
+        switch (p.command) {
+            case "ensure-session": return ensureSession(p);
+            case "current": return current(p);
+            case "record-agent-event": return recordAgentEvent(p);
+            case "init-plan": return initPlan(p);
+            case "record-evidence": return recordEvidence(p);
+            case "advance-state": return advanceState(p);
+            case "record-critique": return recordCritique(p);
+            case "import-critique": return importCritique(p);
+            case "record-release": return recordRelease(p);
+            case "record-learning": return recordLearning(p);
+            case "dogfood-pass": return dogfoodPass(p);
+            default: die(`unknown command: ${p.command}`);
+        }
+    });
+}
+main().then((code) => process.exit(code)).catch((error) => { console.error(error instanceof Error ? error.message : String(error)); process.exit(1); });