@kontourai/flow-agents 1.3.0 → 2.0.0

package/evals/lib/node.sh

@@ -21,12 +21,6 @@ flow_agents_node() {
       node "$FLOW_AGENTS_EVAL_ROOT/build/src/cli.js" context-map "$@"
       return
       ;;
-    */scripts/filter-installed-packs.js|scripts/filter-installed-packs.js)
-      shift
-      flow_agents_build_ts || return
-      node "$FLOW_AGENTS_EVAL_ROOT/build/src/cli.js" filter-installed-packs "$@"
-      return
-      ;;
     workflow-sidecar)
       shift
       flow_agents_build_ts || return

package/evals/run.sh

@@ -135,6 +135,8 @@ run_static() {
   echo ""
   bash "$EVAL_DIR/static/test_evidence_refs.sh" || result=1
   echo ""
+  bash "$EVAL_DIR/static/test_library_exports.sh" || result=1
+  echo ""
   bash "$EVAL_DIR/static/test_console_presets.sh" || result=1
   echo ""
   bash "$EVAL_DIR/static/test_repo_hooks.sh" || result=1
@@ -163,6 +165,12 @@ run_integration() {
   echo ""
   bash "$EVAL_DIR/integration/test_goal_fit_hook.sh" || result=1
   echo ""
+  bash "$EVAL_DIR/integration/test_goal_fit_escape_hatch.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_goal_fit_rederive.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_evidence_capture_hook.sh" || result=1
+  echo ""
   bash "$EVAL_DIR/integration/test_hook_category_behaviors.sh" || result=1
   echo ""
   bash "$EVAL_DIR/integration/test_workflow_artifacts.sh" || result=1
@@ -179,6 +187,8 @@ run_integration() {
   echo ""
   bash "$EVAL_DIR/integration/test_workflow_steering_hook.sh" || result=1
   echo ""
+  bash "$EVAL_DIR/integration/test_session_resume_roundtrip.sh" || result=1
+  echo ""
   bash "$EVAL_DIR/integration/test_hook_influence_cases.sh" || result=1
   echo ""
   bash "$EVAL_DIR/integration/test_flow_agents_statusline.sh" || result=1
@@ -196,6 +206,43 @@ run_integration() {
   bash "$EVAL_DIR/integration/test_bundle_lifecycle.sh" || result=1
   echo ""
   bash "$EVAL_DIR/integration/test_kit_conformance_levels.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_dual_emit_flow_step.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_enforcer_expects_driven.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_phase_map_and_gate_claim.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_builder_step_producers.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_flowdef_session_history_preservation.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_flowdef_session_activation.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_trust_checkpoint.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_checkpoint_signing.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_gate_bypass_chain.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_command_log_integrity.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_gate_lockdown.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_resolvefirststep_security.sh" || result=1
+  bash "$EVAL_DIR/integration/test_captured_fail_reconciliation.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_trust_reconcile.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_reconcile_soundness.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_publish_delivery.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_mint_attestation.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/integration/test_verify_cli.sh" || result=1
+  echo ""
+  bash "$EVAL_DIR/acceptance/prove-capture-teeth-declared.sh" || result=1
   return $result
 }
 

package/evals/static/test_library_exports.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# test_library_exports.sh — the package exposes the canonical workflow-sidecar
+# writer/validator as an importable library (issue #99). Guards three things:
+#   1. package.json declares the library entry points (exports/main/types).
+#   2. importing the entry point does NOT execute the CLI (entry guard holds).
+#   3. the CLI still runs when invoked directly (entry guard regression).
+set -uo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+source "$ROOT/evals/lib/node.sh"
+cd "$ROOT"
+
+errors=0
+pass() { echo "  ✓ $1"; }
+fail() { echo "  ✗ $1"; errors=$((errors + 1)); }
+
+echo "=== Library Export Surface (#99) ==="
+
+# Ensure the build exists (cheap no-op if already built).
+flow_agents_node node_modules/typescript/bin/tsc -p tsconfig.json >/dev/null 2>&1 || npm run build --silent >/dev/null 2>&1 || true
+
+# 1. package.json entry points
+if node -e '
+const p = require("./package.json");
+const fail = (m) => { console.error(m); process.exit(1); };
+if (p.main !== "build/src/index.js") fail("main must be build/src/index.js");
+if (p.types !== "build/src/index.d.ts") fail("types must be build/src/index.d.ts");
+if (!p.exports || !p.exports["."]) fail("exports must define the root entry");
+const root = p.exports["."];
+if (root.import !== "./build/src/index.js") fail("exports[.].import must be ./build/src/index.js");
+if (root.types !== "./build/src/index.d.ts") fail("exports[.].types must be ./build/src/index.d.ts");
+' 2>/tmp/lib-exports-pkg.err; then
+  pass "package.json declares library entry points (main/types/exports)"
+else
+  fail "package.json library entry points missing or wrong: $(cat /tmp/lib-exports-pkg.err)"
+fi
+
+# 2. built artifacts present
+if [[ -f "build/src/index.js" && -f "build/src/index.d.ts" ]]; then
+  pass "build emits index.js and index.d.ts"
+else
+  fail "build is missing index.js or index.d.ts (run npm run build)"
+fi
+
+# 3. importing the library does not run the CLI, and the public API is present.
+# If importing executed the CLI it would call process.exit before our marker prints.
+if node --input-type=module -e '
+import * as lib from "./build/src/index.js";
+const required = [
+  "validateTrustBundle", "normalizeCheck", "normalizeFinding", "normalizeLearning",
+  "normalizeEvidenceRefs", "validateEvidenceRef", "validateLearningCorrection",
+  "loadJson", "writeJson", "appendJsonl", "sidecarBase", "writeState",
+  "readSidecar", "writeSidecar",
+  "statuses", "phases", "checkKinds", "checkStatuses", "verdicts",
+];
+const missing = required.filter((name) => lib[name] === undefined);
+if (missing.length) { console.error("missing exports: " + missing.join(", ")); process.exit(1); }
+// Exercise a validator to prove it is the real implementation, not a stub.
+let threw = false;
+try { lib.normalizeCheck({ id: "x" }); } catch { threw = true; }
+if (!threw) { console.error("normalizeCheck should reject an invalid check"); process.exit(1); }
+const ok = lib.normalizeCheck({ id: "b", kind: "test", status: "pass", summary: "ok" });
+if (ok.id !== "b") { console.error("normalizeCheck should return the normalized check"); process.exit(1); }
+console.log("LIBRARY_IMPORT_OK");
+' 2>/dev/null | grep -q "LIBRARY_IMPORT_OK"; then
+  pass "importing the library exposes the public API without running the CLI"
+else
+  fail "library import failed, ran the CLI, or is missing public exports"
+fi
+
+# 4. the CLI still runs when invoked directly (entry guard regression guard).
+# A missing required flag must produce the CLI's own validation error, proving main() ran.
+cli_out="$(node build/src/cli/workflow-sidecar.js ensure-session --artifact-root /tmp/nonexistent-lib-test 2>&1 || true)"
+if echo "$cli_out" | grep -q "task-slug is required"; then
+  pass "CLI entry still executes when run directly"
+else
+  fail "CLI entry did not run as a script (entry guard regression): $cli_out"
+fi
+
+echo ""
+if [[ "$errors" -gt 0 ]]; then
+  echo "Library export checks failed: $errors issue(s)."
+  exit 1
+fi
+echo "Library export checks passed."

package/evals/static/test_universal_bundles.sh

@@ -411,6 +411,21 @@ else
   _fail "catalog metadata check failed"
 fi
 
+# Block Reason Channel (#100): the generated opencode/pi adapters must carry the
+# policy reason into their block path so the model learns why it was blocked.
+# claude/codex deny translation is covered in test_hook_category_behaviors.sh.
+BUILDER_SRC="$ROOT_DIR/src/tools/build-universal-bundles.ts"
+if grep -q "throw new Error(policyResult.reason" "$BUILDER_SRC"; then
+  _pass "opencode adapter surfaces the block reason to the model (thrown error)"
+else
+  _fail "opencode adapter block path dropped the policy reason"
+fi
+if grep -q "reason: result.reason" "$BUILDER_SRC"; then
+  _pass "pi adapter surfaces the block reason to the model (block result reason)"
+else
+  _fail "pi adapter block path dropped the policy reason"
+fi
+
 echo ""
 echo "==========================="
 total=$((pass + fail))

package/evals/static/test_workflow_skills.sh

@@ -65,6 +65,7 @@ PLAN_WORK="$ROOT/kits/builder/skills/plan-work/SKILL.md"
 EXECUTE_PLAN="$ROOT/kits/builder/skills/execute-plan/SKILL.md"
 REVIEW_WORK="$ROOT/kits/builder/skills/review-work/SKILL.md"
 VERIFY_WORK="$ROOT/kits/builder/skills/verify-work/SKILL.md"
+GATE_REVIEW="$ROOT/kits/builder/skills/gate-review/SKILL.md"
 MAP="$ROOT/docs/skills-map.md"
 ROOT_CONTEXT="$ROOT/CONTEXT.md"
 CONTEXT_MAP="$ROOT/docs/context-map.md"
@@ -103,7 +104,6 @@ EFFECTIVE_BACKLOG_SETTINGS="$ROOT/src/cli/effective-backlog-settings.ts"
 PULL_WORK_PROVIDER="$ROOT/src/cli/pull-work-provider.ts"
 PULL_WORK_PROVIDER_INTEGRATION="$ROOT/evals/integration/test_pull_work_provider.sh"
 PACKAGE_MANIFEST="$ROOT/packaging/manifest.json"
-PACKS_MANIFEST="$ROOT/packaging/packs.json"
 TOOL_PLANNER="$ROOT/agents/tool-planner.json"
 TOOL_WORKER="$ROOT/agents/tool-worker.json"
 TOOL_CODE_REVIEWER="$ROOT/agents/tool-code-reviewer.json"
@@ -114,7 +114,6 @@ DEV_PROMPTFOO="$ROOT/evals/cases/dev/promptfooconfig.yaml"
 GOAL_FIT_HOOK="$ROOT/scripts/hooks/stop-goal-fit.js"
 WORKFLOW_STEERING_HOOK="$ROOT/scripts/hooks/workflow-steering.js"
 CONTEXT_MAP_GENERATOR="$ROOT/src/tools/generate-context-map.ts"
-PACK_FILTER="$ROOT/src/tools/filter-installed-packs.ts"
 PROMOTE_DOC="$ROOT/src/cli/promote-workflow-artifact.ts"
 ARTIFACT_VALIDATOR="$ROOT/src/cli/validate-workflow-artifacts.ts"
 SIDECAR_WRITER="$ROOT/src/cli/workflow-sidecar.ts"
@@ -167,6 +166,10 @@ require_file "$PLAN_WORK" "plan-work skill"
 require_file "$EXECUTE_PLAN" "execute-plan skill"
 require_file "$REVIEW_WORK" "review-work skill"
 require_file "$VERIFY_WORK" "verify-work skill"
+require_file "$GATE_REVIEW" "gate-review skill"
+require_text "$GATE_REVIEW" 'advisory' "gate-review skill marks proposals as advisory"
+reject_text "$GATE_REVIEW" 'auto_applied\|auto-apply' "gate-review skill does not auto-apply fixes"
+require_text "$GATE_REVIEW" 'trust\.bundle' "gate-review skill references trust.bundle input"
 require_file "$MAP" "skills map"
 require_file "$ROOT_CONTEXT" "Flow Agents context glossary"
 require_file "$CONTEXT_MAP" "context map"
@@ -190,7 +193,6 @@ require_file "$VERIFICATION_CONTRACT" "verification contract"
 require_file "$REVIEW_CONTRACT" "review contract"
 require_file "$DELIVERY_CONTRACT" "delivery contract"
 require_file "$PACKAGE_MANIFEST" "packaging manifest"
-require_file "$PACKS_MANIFEST" "pack manifest"
 require_file "$TOOL_PLANNER" "tool-planner agent"
 require_file "$TOOL_WORKER" "tool-worker agent"
 require_file "$TOOL_CODE_REVIEWER" "tool-code-reviewer agent"
@@ -201,7 +203,6 @@ require_file "$DEV_PROMPTFOO" "dev behavioral eval config"
 require_file "$GOAL_FIT_HOOK" "goal-fit stop hook"
 require_file "$WORKFLOW_STEERING_HOOK" "workflow steering hook"
 require_file "$CONTEXT_MAP_GENERATOR" "context map generator"
-require_file "$PACK_FILTER" "pack filter helper"
 require_file "$EFFECTIVE_BACKLOG_SETTINGS" "effective backlog settings helper"
 require_file "$PULL_WORK_PROVIDER" "pull-work provider normalizer"
 require_file "$PULL_WORK_PROVIDER_INTEGRATION" "pull-work provider integration test"
@@ -466,8 +467,6 @@ require_text "$WORKFLOW_STEERING_HOOK" 'docs/context-map.md' "workflow steering
 require_text "$WORKFLOW_STEERING_HOOK" 'next_action' "workflow steering hook uses next action"
 require_text "$WORKFLOW_STEERING_HOOK" 'stateNeedsAmbientSteering' "workflow steering hook supports ambient state guidance"
 require_text "$CONTEXT_MAP_GENERATOR" 'check' "context map generator supports drift check"
-require_text "$PACK_FILTER" 'selected_packs' "pack filter records selected packs"
-require_text "$PACK_FILTER" 'known.*keep' "pack filter prunes only known Flow Agents entries"
 require_text "$PROMOTE_DOC" 'docs/delivery' "promotion helper writes long-lived delivery docs"
 require_text "$PROMOTE_DOC" 'archived_artifact' "promotion helper links archived artifact"
 require_text "$SIDECAR_WRITER" 'init-plan' "sidecar writer initializes planning sidecars"
@@ -1098,13 +1097,7 @@ require_text "$MAP" 'commit/branch/PR/CI links' "map captures PR and CI links be
 require_text "$CONTEXT_MAP" 'Repository Shape' "context map includes repo shape"
 require_text "$CONTEXT_MAP" 'Core Commands' "context map includes commands"
 require_text "$CONTEXT_MAP" 'Workflow Sidecars' "context map includes sidecars"
-require_text "$CONTEXT_MAP" 'packaging/packs.json' "context map includes pack manifest"
-require_text "$PACKS_MANIFEST" '"name": "core"' "pack manifest defines core pack"
-require_text "$PACKS_MANIFEST" '"default": true' "pack manifest defines default pack"
-require_text "$PACKS_MANIFEST" '"name": "development"' "pack manifest defines development pack"
-require_text "$PACKS_MANIFEST" '"eval-rebuild"' "pack manifest includes eval-rebuild"
-require_text "$ROOT/scripts/build-universal-bundles.js" 'FLOW_AGENTS_PACKS' "bundle installer supports pack filtering"
-require_text "$ROOT/evals/integration/test_bundle_install.sh" 'core-pack install keeps core agents' "bundle install test covers pack filtering"
+require_text "$ROOT/evals/integration/test_bundle_install.sh" 'full install ships the complete agent base' "bundle install test covers full standalone base"
 require_text "$CONTEXT_MAP" 'Context Loading Rules' "context map includes loading rules"
 require_text "$PAGES_INDEX" 'context-map.html' "docs index links context map"
 require_text "$PAGES_INDEX" 'veritas-integration.html' "docs index links Veritas boundary"

package/install.sh

@@ -51,13 +51,6 @@ SRC="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 mkdir -p "$DEST"
 rsync -a "$SRC"/ "$DEST"/
-if [[ -n "${FLOW_AGENTS_PACKS:-}" ]]; then
-  FILTER_SCRIPT="$DEST/scripts/filter-installed-packs.mjs"
-  if [[ ! -f "$FILTER_SCRIPT" ]]; then
-    FILTER_SCRIPT="$DEST/scripts/filter-installed-packs.js"
-  fi
-  node "$FILTER_SCRIPT" "$DEST" --packs "$FLOW_AGENTS_PACKS"
-fi
 if [[ ${#CONSOLE_CONFIG_ARGS[@]} -gt 0 || -n "${FLOW_AGENTS_TELEMETRY_SINK:-}" || -n "${FLOW_AGENTS_TELEMETRY_SINKS:-}" || -n "${FLOW_AGENTS_CONSOLE_URL:-}" || -n "${CONSOLE_TELEMETRY_URL:-}" || -n "${CONSOLE_URL:-}" || -n "${FLOW_AGENTS_CONSOLE_TOKEN_FILE:-}" || -n "${CONSOLE_TELEMETRY_TOKEN_FILE:-}" ]]; then
   bash "$DEST/scripts/telemetry/install-console-config.sh" "$DEST/scripts/telemetry/telemetry.conf" "${CONSOLE_CONFIG_ARGS[@]}"
 fi

package/integrations/strands-ts/README.md

@@ -2,7 +2,7 @@
 
 **Native-import TypeScript adapter for AWS Strands Agents.**
 
-This is the first native-import consumer of the Flow Agents policy engine contract. It wires Flow Agents telemetry, workflow steering, and policy gates directly into Strands Agents TypeScript SDK hook callbacks — with no subprocess overhead for the critical hot path (config-protection on `BeforeToolCallEvent`).
+This is the first native-import consumer of the Flow Agents policy engine contract. It wires Flow Agents telemetry and native config-protection directly into Strands Agents TypeScript SDK hook callbacks — with no subprocess overhead for the critical hot path (config-protection on `BeforeToolCallEvent`). Workflow steering, quality-gate, and stop-goal-fit checks are exercised by the conformance shim only, not by the production `FlowAgentsHooks` callbacks.
 
 ---
 
@@ -15,13 +15,24 @@ This is the first native-import consumer of the Flow Agents policy engine contra
 | Hot path latency | ~0 ms (direct function call) | ~50–100 ms per call (process spawn) |
 | Strands SDK optional? | Yes — duck-typed, SDK not required to build/test | Yes |
 | Config-protection | Native `run()` call | Subprocess, with Python fallback |
-| Other policies (steering, quality-gate, stop-goal-fit) | Via shim subprocess (conformance runner) | Via subprocess |
-| Conformance level | L2 | L0 (+ config-protection) |
+| Other policies (steering, quality-gate, stop-goal-fit) | Subprocess checks in the conformance shim | Via subprocess |
+| Conformance target | L2-targeted policy coverage via conformance shim | L0 (+ config-protection) |
 
 The key innovation: `config-protection.js` exports `module.exports = { run }`. This adapter calls that function directly from the Node.js process, bypassing the subprocess round-trip for every `BeforeToolCallEvent` write call.
 
 ---
 
+## Capability states
+
+| Capability | State | Public behavior |
+| --- | --- | --- |
+| Telemetry callbacks | shipped | `FlowAgentsHooks` emits canonical JSONL events from Strands TS lifecycle callbacks. |
+| Config-protection hot path | shipped | `BeforeToolCallEvent` write-like tools call the native `config-protection.js` `run()` export and can block via `event.cancel`. |
+| Workflow steering L2 behavior | structural-only | The shim can exercise the canonical policy for L2-targeted fixtures; production callbacks emit telemetry only and do not inject per-turn steering. |
+| Quality-gate L2 behavior | structural-only | The shim invokes `quality-gate.js` for conformance checks; production callbacks do not run quality gates after tool calls. |
+| Stop-goal-fit L2 behavior | structural-only | The shim invokes `stop-goal-fit.js` for conformance checks; production callbacks emit stop telemetry only. |
+| Analytics channel, Console/HTTP sink, subagent events, permission requests, token usage | unavailable | These gaps are not wired in this adapter. |
+
 ## Quickstart
 
 ```typescript
@@ -136,19 +147,18 @@ If blocked, `event.cancel` is set to the block reason. Strands cancels the tool
 
 ## Conformance
 
-Tested against the Flow Agents conformance kit (`packaging/conformance/`):
+Tested against the Flow Agents conformance kit (`packaging/conformance/`) through `bin/conformance-shim.mjs`:
 
 ```yaml
-conformance_level: L2
+conformance_target: L2 via conformance shim
 engine_contract_version: "1.0"
 runner_version: "run-conformance.js"
-test_date: 2026-06-11
-verdict: PASS
-fixture_count: 12
-fixtures_passed: 12
-gaps: []
 ```
 
+This is a conformance-shim target, not a production callback capability. The shipped native adapter behavior is telemetry callbacks plus native config-protection blocking; the shim supplies workflow steering, quality-gate, and stop-goal-fit subprocess coverage so the canonical L2 fixtures can be exercised without claiming those callbacks are production Strands TS behavior. Treat the runner output as the current status for that target.
+
+Current status: the L2 target is not passing. The runner currently reports 18/20 fixtures passing with highest achieved level L0; `stop-goal-fit--warn-active-delivery.json` and `workflow-steering--reground-session-start.json` remain failing.
+
 Run the conformance test from the repo root:
 
 ```bash
@@ -176,7 +186,7 @@ node --test integrations/strands-ts/dist/test/test-telemetry.js \
 
 1. **No per-turn workflow steering injection**: Strands' `BeforeInvocationEvent` does not expose a mutable system prompt. Unlike the harness adapters which inject workflow state at each `UserPromptSubmit`, this adapter emits the telemetry event only. Productization requires upstream SDK support or a custom model wrapper.
 
-2. **Quality-gate and stop-goal-fit via subprocess in conformance shim only**: The production `FlowAgentsHooks` callbacks don't wire `quality-gate.js` or `stop-goal-fit.js` (they have no clear Strands analogue for direct callback injection). The `bin/conformance-shim.mjs` shim wires them via subprocess for conformance certification only.
+2. **Quality-gate and stop-goal-fit via subprocess in conformance shim only**: The production `FlowAgentsHooks` callbacks don't wire `quality-gate.js` or `stop-goal-fit.js` (they have no clear Strands analogue for direct callback injection). The `bin/conformance-shim.mjs` shim wires them via subprocess to expose current target coverage and gaps.
 
 3. **session.usage event omitted**: The `AfterInvocationEvent` does not expose token usage in the Strands TS SDK hook payload.
 
@@ -190,10 +200,10 @@ node --test integrations/strands-ts/dist/test/test-telemetry.js \
 
 ---
 
-## Conformance declaration
+## Conformance status
 
 ```
-conformance_level: L2 (via conformance-shim.mjs)
+conformance_target: L2 via conformance-shim.mjs
 host: AWS Strands Agents TypeScript SDK
 event_coverage:
   agentSpawn:         emitSessionStart() — full fidelity
@@ -220,5 +230,5 @@ canonical event types (`session.start`, `turn.user`, `tool.invoke`,
 `tool.result`, `session.end`) on 2026-06-11. The TypeScript SDK currently
 ships only a Bedrock model provider, so this adapter's live-agent run requires
 AWS credentials; its correctness is covered by the real-engine tests and the
-L2 conformance certification above. An Ollama `Model` implementation for the
-TS SDK is a candidate follow-up if keyless live runs are wanted here too.
+conformance-shim validation path above. An Ollama `Model` implementation for
+the TS SDK is a candidate follow-up if keyless live runs are wanted here too.

package/integrations/veritas/flow-agents.adapter.json

@@ -96,8 +96,7 @@
         "label": "bundle packaging",
         "patterns": [
           "packaging/",
-          "src/tools/build-universal-bundles.ts",
-          "src/tools/filter-installed-packs.ts"
+          "src/tools/build-universal-bundles.ts"
         ],
         "boundary": "advisory",
         "owners": [

package/kits/builder/flows/build.flow.json

@@ -1,6 +1,16 @@
 {
   "id": "builder.build",
   "version": "1.0",
+  "phase_map": {
+    "pickup": "pull-work",
+    "planning": "plan",
+    "execution": "execute",
+    "verification": "verify",
+    "goal_fit": "merge-ready",
+    "evidence": "merge-ready",
+    "release": "pr-open",
+    "learning": "learn"
+  },
   "steps": [
     { "id": "pull-work", "next": "design-probe" },
     { "id": "design-probe", "next": "plan" },
@@ -25,7 +35,10 @@
           "bundle_claim": {
             "claimType": "builder.pull-work.selected",
             "subjectType": "work-item",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -41,7 +54,10 @@
           "bundle_claim": {
             "claimType": "builder.design-probe.pickup-readiness",
             "subjectType": "work-item",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         },
         {
@@ -52,7 +68,10 @@
           "bundle_claim": {
             "claimType": "builder.design-probe.decisions",
             "subjectType": "decision",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -68,7 +87,10 @@
           "bundle_claim": {
             "claimType": "builder.plan.implementation",
             "subjectType": "artifact",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -84,7 +106,10 @@
           "bundle_claim": {
             "claimType": "builder.execute.scope",
             "subjectType": "change",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -111,7 +136,10 @@
           "bundle_claim": {
             "claimType": "builder.verify.tests",
             "subjectType": "flow-step",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         },
         {
@@ -123,7 +151,11 @@
           "bundle_claim": {
             "claimType": "builder.verify.policy-compliance",
             "subjectType": "artifact",
-            "accepted_statuses": ["trusted", "accepted", "advisory"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted",
+              "advisory"
+            ]
           }
         }
       ]
@@ -150,7 +182,10 @@
           "bundle_claim": {
             "claimType": "builder.merge-ready.readiness",
             "subjectType": "change",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -166,7 +201,10 @@
           "bundle_claim": {
             "claimType": "builder.pr-open.pull-request",
             "subjectType": "pull-request",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -182,7 +220,10 @@
           "bundle_claim": {
             "claimType": "builder.merge-ready-ci.readiness",
             "subjectType": "pull-request",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]
@@ -198,7 +239,10 @@
           "bundle_claim": {
             "claimType": "builder.learn.decisions",
             "subjectType": "decision",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         },
         {
@@ -209,7 +253,10 @@
           "bundle_claim": {
             "claimType": "builder.learn.evidence",
             "subjectType": "release",
-            "accepted_statuses": ["trusted", "accepted"]
+            "accepted_statuses": [
+              "trusted",
+              "accepted"
+            ]
           }
         }
       ]