@kontourai/flow-agents 0.1.1

package/evals/integration/test_veritas_governance_adapter.sh

@@ -0,0 +1,235 @@
+#!/usr/bin/env bash
+# test_veritas_governance_adapter.sh - optional Veritas governance adapter coverage
+set -uo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$ROOT/evals/lib/node.sh"
+
+TMPDIR_EVAL="$(mktemp -d)"
+errors=0
+
+cleanup() {
+  rm -rf "$TMPDIR_EVAL"
+}
+trap cleanup EXIT
+
+_pass() { echo "  ✓ $1"; }
+_fail() { echo "  ✗ $1"; errors=$((errors + 1)); }
+
+ADAPTER="veritas-governance"
+VALIDATOR="validate-workflow-artifacts"
+REPO="$TMPDIR_EVAL/repo"
+ARTIFACT_DIR="$REPO/.flow-agents/veritas-fixture"
+mkdir -p "$ARTIFACT_DIR" "$TMPDIR_EVAL/bin" "$REPO/.veritas"
+FAKE_PASS="$ROOT/evals/fixtures/veritas-governance-adapter/fake-veritas-pass.sh"
+FAKE_UNCONFIGURED="$ROOT/evals/fixtures/veritas-governance-adapter/fake-veritas-unconfigured.sh"
+FAKE_SECRET_FAIL="$ROOT/evals/fixtures/veritas-governance-adapter/fake-veritas-secret-fail.sh"
+
+cat >"$ARTIFACT_DIR/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "veritas-fixture",
+  "status": "in_progress",
+  "phase": "execution",
+  "owner": "eval",
+  "created_at": "2026-06-01T00:00:00Z",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "source_request": "Fixture workflow for Veritas adapter.",
+  "artifact_paths": ["state.json", "acceptance.json", "handoff.json"],
+  "next_action": {
+    "status": "continue",
+    "summary": "Run Veritas governance adapter.",
+    "target_phase": "verification"
+  }
+}
+JSON
+
+cat >"$ARTIFACT_DIR/acceptance.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "veritas-fixture",
+  "source_request": "Fixture workflow for Veritas adapter.",
+  "criteria": [
+    {
+      "id": "veritas-fixture",
+      "description": "Veritas evidence is mapped by reference.",
+      "status": "pending",
+      "evidence_refs": [
+        {
+          "kind": "artifact",
+          "file": "evidence.json",
+          "summary": "Veritas evidence sidecar."
+        }
+      ]
+    }
+  ],
+  "goal_fit": {
+    "status": "pending",
+    "summary": "Fixture goal fit is pending.",
+    "open_gaps": []
+  }
+}
+JSON
+
+cat >"$ARTIFACT_DIR/handoff.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "veritas-fixture",
+  "summary": "Fixture handoff for Veritas adapter.",
+  "current_state_ref": "state.json",
+  "next_steps": ["Run adapter."],
+  "blockers": [],
+  "warnings": []
+}
+JSON
+
+PASS_ARTIFACT="$REPO/.veritas/readiness-pass.json"
+printf '{"status":"pass","producer":"fake-veritas"}\n' >"$PASS_ARTIFACT"
+VERITAS_ARGV_LOG="$TMPDIR_EVAL/pass-argv.log" VERITAS_EXPECT_ROOT="$REPO" \
+  flow_agents_node "$ADAPTER" evidence \
+    --artifact-dir "$ARTIFACT_DIR" \
+    --repo-root "$REPO" \
+    --veritas-root "$REPO" \
+    --veritas-bin "$FAKE_PASS" \
+    --veritas-artifact "$PASS_ARTIFACT" \
+    --max-age-seconds 300 >"$TMPDIR_EVAL/pass.out" 2>"$TMPDIR_EVAL/pass.err"
+pass_status=$?
+
+if [[ "$pass_status" -eq 0 ]] \
+  && rg -q '^readiness --check evidence --working-tree --root ' "$TMPDIR_EVAL/pass-argv.log" \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="pass") process.exit(1); const c=ev.checks[0]; if (c.kind!=="policy" || c.status!=="pass") process.exit(2); if (c.standard_refs[0].standard!=="veritas") process.exit(3); if (ev.external_evidence[0].standard!=="veritas") process.exit(4); if (JSON.stringify(ev).includes("veritas_rule")) process.exit(5);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "adapter invokes configurable Veritas command and maps passing evidence by reference"
+else
+  _fail "adapter pass case failed: $(cat "$TMPDIR_EVAL/pass.out" "$TMPDIR_EVAL/pass.err" 2>/dev/null)"
+fi
+
+if flow_agents_node "$VALIDATOR" --require-sidecars --skip-markdown-validation "$ARTIFACT_DIR" >"$TMPDIR_EVAL/validate-pass.out" 2>"$TMPDIR_EVAL/validate-pass.err"; then
+  _pass "adapter-produced evidence sidecar validates"
+else
+  _fail "adapter-produced evidence sidecar did not validate: $(cat "$TMPDIR_EVAL/validate-pass.out" "$TMPDIR_EVAL/validate-pass.err")"
+fi
+
+CUSTOM_EVIDENCE="$TMPDIR_EVAL/custom/evidence.json"
+VERITAS_ARGV_LOG="$TMPDIR_EVAL/relative-artifact-argv.log" \
+  flow_agents_node "$ADAPTER" evidence \
+    --artifact-dir "$ARTIFACT_DIR" \
+    --evidence-path "$CUSTOM_EVIDENCE" \
+    --repo-root "$REPO" \
+    --veritas-bin "$FAKE_PASS" \
+    --veritas-artifact ".veritas/readiness-pass.json" \
+    --max-age-seconds 300 >"$TMPDIR_EVAL/relative-artifact.out" 2>"$TMPDIR_EVAL/relative-artifact.err"
+relative_artifact_status=$?
+
+if [[ "$relative_artifact_status" -eq 0 ]] \
+  && node -e 'const fs=require("fs"); const path=require("path"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); const expected=path.resolve(process.argv[2], ".veritas/readiness-pass.json"); if (ev.verdict!=="pass") process.exit(1); if (ev.checks[0].artifact_refs[0].file!==expected) process.exit(2); if (ev.external_evidence[0].ref.file!==expected) process.exit(3);' "$CUSTOM_EVIDENCE" "$REPO"; then
+  _pass "relative native artifact resolves against non-default repo root and custom evidence path is honored"
+else
+  _fail "relative artifact/custom evidence case failed: $(cat "$TMPDIR_EVAL/relative-artifact.out" "$TMPDIR_EVAL/relative-artifact.err" 2>/dev/null)"
+fi
+
+if flow_agents_node "$ADAPTER" evidence \
+  --artifact-dir "$ARTIFACT_DIR" \
+  --repo-root "$REPO" \
+  --veritas-bin "$FAKE_UNCONFIGURED" \
+  --veritas-artifact "$REPO/.veritas/unconfigured.json" >"$TMPDIR_EVAL/fail.out" 2>"$TMPDIR_EVAL/fail.err" \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="not_verified") process.exit(1); if (ev.checks[0].status!=="not_verified") process.exit(2); if (!/exit status 78/.test(ev.checks[0].summary)) process.exit(3);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "nonzero/unconfigured Veritas records not_verified evidence"
+else
+  _fail "nonzero Veritas case failed: $(cat "$TMPDIR_EVAL/fail.out" "$TMPDIR_EVAL/fail.err" 2>/dev/null)"
+fi
+
+if flow_agents_node "$ADAPTER" evidence \
+  --artifact-dir "$ARTIFACT_DIR" \
+  --repo-root "$REPO" \
+  --veritas-bin "$FAKE_SECRET_FAIL" >"$TMPDIR_EVAL/secret-fail.out" 2>"$TMPDIR_EVAL/secret-fail.err" \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); const text=JSON.stringify(ev); if (ev.verdict!=="not_verified") process.exit(1); if (!/exit status 17/.test(ev.checks[0].summary)) process.exit(2); if (/fixture-token-redaction-sentinel|fixture-api-key-redaction-sentinel/.test(text)) process.exit(3); if (!text.includes("[REDACTED]")) process.exit(4); if (!/Output truncated/.test(ev.checks[0].summary)) process.exit(5); if (/detail line 40/.test(text)) process.exit(6);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "nonzero Veritas output is redacted and bounded before persistence"
+else
+  _fail "secret-bearing nonzero Veritas case failed: $(cat "$TMPDIR_EVAL/secret-fail.out" "$TMPDIR_EVAL/secret-fail.err" 2>/dev/null)"
+fi
+
+if flow_agents_node "$ADAPTER" evidence \
+  --artifact-dir "$ARTIFACT_DIR" \
+  --repo-root "$REPO" \
+  --veritas-bin "$TMPDIR_EVAL/bin/not-a-real-veritas" >"$TMPDIR_EVAL/missing-bin.out" 2>"$TMPDIR_EVAL/missing-bin.err" \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="not_verified") process.exit(1); if (!/Unable to run Veritas executable/.test(ev.checks[0].summary)) process.exit(2);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "missing executable records not_verified evidence"
+else
+  _fail "missing executable case failed: $(cat "$TMPDIR_EVAL/missing-bin.out" "$TMPDIR_EVAL/missing-bin.err" 2>/dev/null)"
+fi
+
+MISSING_ARTIFACT="$REPO/.veritas/missing.json"
+VERITAS_ARGV_LOG="$TMPDIR_EVAL/missing-artifact-argv.log" \
+  flow_agents_node "$ADAPTER" evidence \
+    --artifact-dir "$ARTIFACT_DIR" \
+    --repo-root "$REPO" \
+    --veritas-bin "$FAKE_PASS" \
+    --veritas-artifact "$MISSING_ARTIFACT" >"$TMPDIR_EVAL/missing-artifact.out" 2>"$TMPDIR_EVAL/missing-artifact.err"
+missing_artifact_status=$?
+
+if [[ "$missing_artifact_status" -eq 0 ]] \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="not_verified") process.exit(1); if (!/expected native artifact is missing/.test(ev.checks[0].summary)) process.exit(2);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "missing native artifact records not_verified evidence"
+else
+  _fail "missing native artifact case failed: $(cat "$TMPDIR_EVAL/missing-artifact.out" "$TMPDIR_EVAL/missing-artifact.err" 2>/dev/null)"
+fi
+
+UNREADABLE_ARTIFACT="$REPO/.veritas/unreadable.json"
+printf '{"status":"pass"}\n' >"$UNREADABLE_ARTIFACT"
+chmod 000 "$UNREADABLE_ARTIFACT"
+VERITAS_ARGV_LOG="$TMPDIR_EVAL/unreadable-argv.log" \
+  flow_agents_node "$ADAPTER" evidence \
+    --artifact-dir "$ARTIFACT_DIR" \
+    --repo-root "$REPO" \
+    --veritas-bin "$FAKE_PASS" \
+    --veritas-artifact "$UNREADABLE_ARTIFACT" >"$TMPDIR_EVAL/unreadable.out" 2>"$TMPDIR_EVAL/unreadable.err"
+unreadable_status=$?
+chmod 600 "$UNREADABLE_ARTIFACT"
+
+if [[ "$unreadable_status" -eq 0 ]] \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="not_verified") process.exit(1); if (!/unreadable/.test(ev.checks[0].summary)) process.exit(2);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "unreadable native artifact records not_verified evidence"
+else
+  _fail "unreadable native artifact case failed: $(cat "$TMPDIR_EVAL/unreadable.out" "$TMPDIR_EVAL/unreadable.err" 2>/dev/null)"
+fi
+
+STALE_ARTIFACT="$REPO/.veritas/stale.json"
+printf '{"status":"pass"}\n' >"$STALE_ARTIFACT"
+touch -t 202001010000 "$STALE_ARTIFACT"
+VERITAS_ARGV_LOG="$TMPDIR_EVAL/stale-argv.log" \
+  flow_agents_node "$ADAPTER" evidence \
+    --artifact-dir "$ARTIFACT_DIR" \
+    --repo-root "$REPO" \
+    --veritas-bin "$FAKE_PASS" \
+    --veritas-artifact "$STALE_ARTIFACT" \
+    --max-age-seconds 0 >"$TMPDIR_EVAL/stale.out" 2>"$TMPDIR_EVAL/stale.err"
+stale_status=$?
+
+if [[ "$stale_status" -eq 0 ]] \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="not_verified") process.exit(1); if (!/stale/.test(ev.checks[0].summary)) process.exit(2);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "stale native artifact records not_verified evidence"
+else
+  _fail "stale artifact case failed: $(cat "$TMPDIR_EVAL/stale.out" "$TMPDIR_EVAL/stale.err" 2>/dev/null)"
+fi
+
+if flow_agents_node "$ADAPTER" evidence --artifact-dir "$ARTIFACT_DIR" --skip >"$TMPDIR_EVAL/skip.out" 2>"$TMPDIR_EVAL/skip.err" \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="partial") process.exit(1); if (ev.checks[0].status!=="skip") process.exit(2);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "explicit skip records skip evidence"
+else
+  _fail "skip case failed: $(cat "$TMPDIR_EVAL/skip.out" "$TMPDIR_EVAL/skip.err" 2>/dev/null)"
+fi
+
+if flow_agents_node "$ADAPTER" evidence --artifact-dir "$ARTIFACT_DIR" --not-configured >"$TMPDIR_EVAL/not-configured.out" 2>"$TMPDIR_EVAL/not-configured.err" \
+  && node -e 'const fs=require("fs"); const ev=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); if (ev.verdict!=="not_verified") process.exit(1); if (ev.checks[0].status!=="not_verified") process.exit(2); if (!/not configured/.test(ev.checks[0].summary)) process.exit(3);' "$ARTIFACT_DIR/evidence.json"; then
+  _pass "no-config path records not_verified evidence"
+else
+  _fail "not-configured case failed: $(cat "$TMPDIR_EVAL/not-configured.out" "$TMPDIR_EVAL/not-configured.err" 2>/dev/null)"
+fi
+
+if [[ "$errors" -eq 0 ]]; then
+  echo "Veritas governance adapter integration eval passed."
+  exit 0
+fi
+
+echo "Veritas governance adapter integration eval failed with $errors error(s)." >&2
+exit 1

package/evals/integration/test_workflow_artifact_cleanup_audit.sh

@@ -0,0 +1,287 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+SCRIPT="workflow-artifact-cleanup-audit"
+TMPDIR_EVAL="$(mktemp -d)"
+ARTIFACT_ROOT="$TMPDIR_EVAL/flow-agents"
+trap 'rm -rf "$TMPDIR_EVAL"' EXIT
+
+source "$ROOT/evals/lib/node.sh"
+
+errors=0
+pass() { echo "  ✓ $1"; }
+fail() { echo "  ✗ $1"; errors=$((errors + 1)); }
+
+mkdir -p "$ARTIFACT_ROOT"/{active-wip,terminal-done,stale-verified,learning-followup,delivered-learning-followup,invalid-learning-route,invalid-sidecar,symlink-state,large-learning,missing-state-next-action,missing-learning-records,non-array-learning-records,changes,archive,.hidden}
+
+cat > "$ARTIFACT_ROOT/active-wip/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "active-wip",
+  "status": "in_progress",
+  "phase": "execution",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "continue", "summary": "keep working" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/terminal-done/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "terminal-done",
+  "status": "accepted",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "accepted" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/stale-verified/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "stale-verified",
+  "status": "verified",
+  "phase": "verification",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "ready for cleanup" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/learning-followup/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "learning-followup",
+  "status": "accepted",
+  "phase": "learning",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "accepted with learning" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/learning-followup/learning.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "learning-followup",
+  "status": "followup_required",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "records": [
+    {
+      "id": "learn-1",
+      "recorded_at": "2026-06-01T00:00:00Z",
+      "source_refs": ["verification"],
+      "outcome": "mixed",
+      "facts": ["Open follow-up remains."],
+      "interpretation": "Route this learning before cleanup.",
+      "routing": [
+        { "target": "doc", "action": "Document lifecycle command.", "status": "open" }
+      ]
+    }
+  ]
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/delivered-learning-followup/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "delivered-learning-followup",
+  "status": "delivered",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "delivered with unresolved learning" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/delivered-learning-followup/learning.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "delivered-learning-followup",
+  "status": "followup_required",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "records": [
+    {
+      "id": "learn-delivered",
+      "recorded_at": "2026-06-01T00:00:00Z",
+      "source_refs": ["release"],
+      "outcome": "mixed",
+      "facts": ["Delivered work still has an open learning route."],
+      "interpretation": "Open learning must win over terminal lifecycle shape.",
+      "routing": [
+        { "target": "skill", "action": "Update workflow guidance.", "status": "open" }
+      ]
+    }
+  ]
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/invalid-learning-route/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "invalid-learning-route",
+  "status": "accepted",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "accepted with malformed learning routing" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/invalid-learning-route/learning.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "invalid-learning-route",
+  "status": "learned",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "records": [
+    {
+      "id": "learn-invalid-route",
+      "recorded_at": "2026-06-01T00:00:00Z",
+      "source_refs": ["review"],
+      "outcome": "unknown",
+      "facts": ["A routing entry is missing required status."],
+      "interpretation": "Malformed learning routing must make the workflow invalid.",
+      "routing": [
+        { "target": "doc", "action": "Document missing status handling." }
+      ]
+    }
+  ]
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/missing-state-next-action/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "missing-state-next-action",
+  "status": "accepted",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z"
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/missing-learning-records/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "missing-learning-records",
+  "status": "accepted",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "accepted with malformed learning" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/missing-learning-records/learning.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "missing-learning-records",
+  "status": "learned",
+  "updated_at": "2026-06-01T00:00:00Z"
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/non-array-learning-records/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "non-array-learning-records",
+  "status": "accepted",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "accepted with malformed learning" }
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/non-array-learning-records/learning.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "non-array-learning-records",
+  "status": "learned",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "records": {}
+}
+JSON
+
+cat > "$ARTIFACT_ROOT/large-learning/state.json" <<'JSON'
+{
+  "schema_version": "1.0",
+  "task_slug": "large-learning",
+  "status": "accepted",
+  "phase": "done",
+  "updated_at": "2026-06-01T00:00:00Z",
+  "next_action": { "status": "done", "summary": "oversized learning sidecar" }
+}
+JSON
+
+printf '{ "schema_version": "1.0", "status": ' > "$ARTIFACT_ROOT/invalid-sidecar/state.json"
+ln -s "$ARTIFACT_ROOT/active-wip/state.json" "$ARTIFACT_ROOT/symlink-state/state.json"
+node -e 'const fs=require("fs"); fs.writeFileSync(process.argv[1], " ".repeat(1024 * 1024 + 1));' "$ARTIFACT_ROOT/large-learning/learning.json"
+find "$ARTIFACT_ROOT" -mindepth 1 -maxdepth 1 -type d | sort > "$TMPDIR_EVAL/before.txt"
+
+echo "=== Workflow Artifact Cleanup Audit ==="
+
+flow_agents_node "$SCRIPT" --artifact-root "$ARTIFACT_ROOT" > "$TMPDIR_EVAL/audit.txt"
+status=$?
+[[ "$status" -eq 0 ]] && pass "text audit exits successfully" || fail "text audit exits successfully"
+
+grep -q "Active WIP: 1" "$TMPDIR_EVAL/audit.txt" && pass "text separates active WIP bucket" || fail "text separates active WIP bucket"
+grep -q "Cleanup candidates: 1" "$TMPDIR_EVAL/audit.txt" && pass "text separates cleanup candidate bucket" || fail "text separates cleanup candidate bucket"
+grep -q "Active learning follow-ups: 2" "$TMPDIR_EVAL/audit.txt" && pass "text reports learning follow-up bucket" || fail "text reports learning follow-up bucket"
+grep -q "Invalid sidecars: 7" "$TMPDIR_EVAL/audit.txt" && pass "text reports invalid bucket" || fail "text reports invalid bucket"
+
+if grep -A3 "Active WIP: 1" "$TMPDIR_EVAL/audit.txt" | grep -q "stale-verified"; then
+  fail "verified done fixture is not active WIP"
+else
+  pass "verified done fixture is not active WIP"
+fi
+
+flow_agents_node "$SCRIPT" --artifact-root "$ARTIFACT_ROOT" --json > "$TMPDIR_EVAL/audit.json"
+status=$?
+[[ "$status" -eq 0 ]] && pass "json audit exits successfully" || fail "json audit exits successfully"
+
+json_query() {
+  node -e 'const fs=require("fs"); let cur=JSON.parse(fs.readFileSync(process.argv[1],"utf8")); for (const part of process.argv[2].split(".")) cur=Array.isArray(cur) ? cur[Number(part)] : cur[part]; console.log(cur);' "$1" "$2"
+}
+
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.active_wip.0.slug")" == "active-wip" ]] && pass "json classifies active fixture" || fail "json classifies active fixture"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.terminal_done.0.slug")" == "terminal-done" ]] && pass "json classifies terminal fixture" || fail "json classifies terminal fixture"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.cleanup_candidate.0.slug")" == "stale-verified" ]] && pass "json classifies stale verified cleanup fixture" || fail "json classifies stale verified cleanup fixture"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.active_learning_followup.0.slug")" == "delivered-learning-followup" ]] && pass "json keeps delivered done open learning active" || fail "json keeps delivered done open learning active"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.active_learning_followup.1.slug")" == "learning-followup" ]] && pass "json keeps open learning routing active" || fail "json keeps open learning routing active"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.0.slug")" == "invalid-learning-route" ]] && pass "json classifies malformed learning routing invalid" || fail "json classifies malformed learning routing invalid"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.0.reasons.0")" == "learning routing status is missing or invalid" ]] && pass "json reports missing learning routing status" || fail "json reports missing learning routing status"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.1.slug")" == "invalid-sidecar" ]] && pass "json classifies invalid sidecar fixture" || fail "json classifies invalid sidecar fixture"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.2.slug")" == "large-learning" ]] && pass "json classifies oversized learning sidecar invalid" || fail "json classifies oversized learning sidecar invalid"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.3.slug")" == "missing-learning-records" ]] && pass "json classifies missing learning records invalid" || fail "json classifies missing learning records invalid"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.3.reasons.0")" == "learning.records is missing or invalid" ]] && pass "json reports missing learning records" || fail "json reports missing learning records"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.4.slug")" == "missing-state-next-action" ]] && pass "json classifies missing state next_action invalid" || fail "json classifies missing state next_action invalid"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.4.reasons.0")" == "state.next_action is missing or invalid" ]] && pass "json reports missing state next_action" || fail "json reports missing state next_action"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.5.slug")" == "non-array-learning-records" ]] && pass "json classifies non-array learning records invalid" || fail "json classifies non-array learning records invalid"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.5.reasons.0")" == "learning.records is missing or invalid" ]] && pass "json reports non-array learning records" || fail "json reports non-array learning records"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.6.slug")" == "symlink-state" ]] && pass "json classifies symlink state sidecar invalid" || fail "json classifies symlink state sidecar invalid"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.invalid.6.reasons.0")" == "state.json must not be a symlink" ]] && pass "json reports symlink rejection without reading target" || fail "json reports symlink rejection without reading target"
+[[ "$(json_query "$TMPDIR_EVAL/audit.json" "buckets.cleanup_candidate.0.classification")" == "cleanup_candidate" ]] && pass "json includes stable classification field" || fail "json includes stable classification field"
+
+if flow_agents_node "$SCRIPT" --artifact-root "$TMPDIR_EVAL/missing-root" > "$TMPDIR_EVAL/missing-root.out" 2> "$TMPDIR_EVAL/missing-root.err"; then
+  fail "missing artifact root exits nonzero"
+else
+  pass "missing artifact root exits nonzero"
+fi
+grep -q "workflow-artifact-cleanup-audit:" "$TMPDIR_EVAL/missing-root.err" && pass "missing artifact root reports controlled error prefix" || fail "missing artifact root reports controlled error prefix"
+grep -Eq "ENOENT|no such file|cannot find" "$TMPDIR_EVAL/missing-root.err" && pass "missing artifact root reports missing path" || fail "missing artifact root reports missing path"
+grep -q "Error:" "$TMPDIR_EVAL/missing-root.err" && fail "missing artifact root does not print Node stack header" || pass "missing artifact root does not print Node stack header"
+
+flow_agents_node "$SCRIPT" --help > "$TMPDIR_EVAL/help.txt"
+if grep -Eq -- "--(apply|delete|archive)" "$TMPDIR_EVAL/help.txt"; then
+  fail "help does not advertise apply/delete/archive flags"
+else
+  pass "help does not advertise apply/delete/archive flags"
+fi
+
+find "$ARTIFACT_ROOT" -mindepth 1 -maxdepth 1 -type d | sort > "$TMPDIR_EVAL/after.txt"
+cmp -s "$TMPDIR_EVAL/before.txt" "$TMPDIR_EVAL/after.txt" && pass "audit leaves fixture directories in place" || fail "audit leaves fixture directories in place"
+[[ -f "$ARTIFACT_ROOT/stale-verified/state.json" ]] && pass "audit leaves fixture files in place" || fail "audit leaves fixture files in place"
+
+if [[ "$errors" -eq 0 ]]; then
+  echo "Workflow artifact cleanup audit checks passed"
+else
+  echo "Workflow artifact cleanup audit checks failed: $errors"
+fi
+
+exit "$errors"