@kontourai/flow-agents 1.4.0 → 2.0.0

package/.github/CODEOWNERS

@@ -0,0 +1,29 @@
+# Code owners for security-critical paths — the anti-gaming trust gate, its
+# enforcement hooks, and the CI anchor. Changes here can weaken the gate, so they
+# require owner review.
+#
+# IMPORTANT: this file only takes effect once branch protection on `main` enables
+# "Require a pull request before merging" + "Require review from Code Owners".
+# Today main requires status checks + enforce_admins but NOT reviews — enabling
+# code-owner review is the remaining server-side step to close the
+# "agent weakens CI / the gate" residual (adversarial review Residual #1).
+
+# CI definition + the anchor (an agent must not silently weaken enforcement)
+/.github/                       @briananderson1222
+/evals/ci/                      @briananderson1222
+/scripts/ci/                    @briananderson1222
+
+# The verification config the CI anchor depends on — an agent must not redefine
+# trust-reconcile-verify to a fake/laundered command or rewire the lane runner
+# without owner review (convergence red-team finding).
+/package.json                   @briananderson1222
+/evals/run.sh                   @briananderson1222
+
+# The anti-gaming gate + its enforcement hooks
+/scripts/hooks/stop-goal-fit.js     @briananderson1222
+/scripts/hooks/config-protection.js @briananderson1222
+/scripts/hooks/evidence-capture.js  @briananderson1222
+
+# FlowDefinition resolution + the trust producer/checkpoint/signing the gate depends on
+/src/lib/flow-resolver.ts       @briananderson1222
+/src/cli/workflow-sidecar.ts    @briananderson1222

package/.github/actions/trust-verify/action.yml

@@ -0,0 +1,145 @@
+# trust-verify/action.yml — Reusable composite action: Flow Agents trust anchor.
+#
+# INTENDED AS A REQUIRED STATUS CHECK. Add this job to your workflow, then add
+# "Trust Verify" as a required, no-bypass status check in GitHub branch protection.
+# Once required, no PR can merge past it — the external CI anchor is armed.
+#
+# What it does:
+#   1. Re-runs your canonical verify command FRESH in a clean CI environment that
+#      the agent does not control (build + tests + lint — whatever you declare).
+#   2. If a delivery/trust.bundle is present, RECONCILES the agent's claimed-pass
+#      commands against CI's own fresh results. Any divergence (claimed pass + CI
+#      fail, laundered command, claim with no evidence, checkpoint-only bundle)
+#      fails the job with a clear diagnostic.
+#   3. Optionally mints a signed in-toto attestation over CI's own fresh results
+#      (requires id-token: write in the calling job).
+#
+# Inputs:
+#   verify-command    [required]  Your comprehensive verify command (build + tests +
+#                                 lint). What the agent ran locally should match what
+#                                 this reruns in CI.
+#   bundle            [optional]  Path to the delivered trust.bundle (default:
+#                                 delivery/trust.bundle). Auto-discovered if present.
+#   fail-on-divergence [optional] Fail the job on any divergence (default: true).
+#                                 Set to false for observability-only mode.
+#   sign              [optional]  Mint a signed in-toto attestation after a clean
+#                                 reconcile (default: false). Requires id-token: write.
+#   node-version      [optional]  Node.js version (default: 24).
+#
+# Usage in a downstream repo:
+#
+#   jobs:
+#     trust-verify:
+#       name: Trust Verify
+#       runs-on: ubuntu-latest
+#       permissions:
+#         contents: read
+#         id-token: write   # only needed when sign: true
+#       steps:
+#         - uses: actions/checkout@<sha>
+#         - uses: kontourai/flow-agents/.github/actions/trust-verify@<sha>
+#           with:
+#             verify-command: "npm run build && npm test && npm run lint"
+#
+# Then in GitHub branch protection → "Require status checks":
+#   Add "Trust Verify" as a required check with no bypass option.
+#
+# The agent publishes delivery/trust.bundle during the deliver skill. When that file
+# is present in the PR's checkout, this action reconciles per-command claimed passes
+# against fresh CI truth. When absent, only the fresh verify is enforced (fail-open
+# on bundle absence; fail-closed on divergence when the bundle is present).
+#
+# See docs/trust-anchor-adoption.md for the full adoption guide.
+
+name: "Flow Agents Trust Verify"
+description: >
+  Re-runs canonical verification fresh and reconciles a delivered trust.bundle's
+  claimed passes against CI results. Intended as a required status check.
+
+inputs:
+  verify-command:
+    description: >
+      Canonical verify command (build + tests + lint). Comma-separated commands
+      are each run in sequence. Fail-closed if not provided and no
+      trust-reconcile-verify script is in package.json.
+    required: true
+  bundle:
+    description: >
+      Path to the delivered trust.bundle (relative to workspace root).
+      Auto-discovers delivery/trust.bundle if this input is not set.
+    required: false
+    default: "delivery/trust.bundle"
+  fail-on-divergence:
+    description: >
+      Fail the job when divergence is detected (default: true). Set to false for
+      observability-only mode (the step still reports divergence but does not
+      fail the job).
+    required: false
+    default: "true"
+  sign:
+    description: >
+      Mint a signed in-toto attestation after a clean reconcile (default: false).
+      Requires id-token: write permission in the calling job. The attestation is
+      uploaded as a workflow artifact named trust-attestation.
+    required: false
+    default: "false"
+  node-version:
+    description: "Node.js version to use."
+    required: false
+    default: "24"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Set up Node.js
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    # Resolve the bundle path: use the input value if the file exists, otherwise
+    # pass an empty string (trust-reconcile.js auto-discovers or operates fail-open).
+    - name: Trust verify
+      id: trust-verify
+      shell: bash
+      env:
+        VERIFY_COMMAND: ${{ inputs.verify-command }}
+        BUNDLE_INPUT: ${{ inputs.bundle }}
+        FAIL_ON_DIVERGENCE: ${{ inputs.fail-on-divergence }}
+      run: |
+        # Resolve bundle path: use the input if the file exists, empty otherwise.
+        if [ -n "$BUNDLE_INPUT" ] && [ -f "$BUNDLE_INPUT" ]; then
+          BUNDLE_ARG="--bundle $BUNDLE_INPUT"
+        else
+          BUNDLE_ARG=""
+        fi
+
+        node "${{ github.action_path }}/../../scripts/ci/trust-reconcile.js" \
+          --commands "$VERIFY_COMMAND" \
+          --repo-root "${{ github.workspace }}" \
+          $BUNDLE_ARG || {
+          code=$?
+          if [ "$FAIL_ON_DIVERGENCE" = "true" ]; then
+            exit $code
+          fi
+          echo "[trust-verify] divergence detected (fail-on-divergence=false — continuing)"
+        }
+
+    # Phase 2 (optional): mint a signed in-toto attestation over CI's own fresh results.
+    # Only runs when sign=true and the trust-verify step passed.
+    # Requires id-token: write in the calling job for Sigstore keyless signing.
+    - name: Mint attestation
+      if: inputs.sign == 'true' && steps.trust-verify.outcome == 'success'
+      shell: bash
+      run: node "${{ github.action_path }}/../../scripts/ci/mint-attestation.js"
+
+    - name: Upload attestation
+      if: inputs.sign == 'true' && steps.trust-verify.outcome == 'success'
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      with:
+        name: trust-attestation
+        path: |
+          trust.attestation.sig.json
+          trust.attestation.intoto.json
+          trust.attestation.status.json
+        if-no-files-found: ignore
+        retention-days: 30

package/.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Install Node dependencies
         run: npm ci
@@ -96,7 +96,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Install Node dependencies
         run: npm ci
@@ -157,7 +157,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Install Node dependencies
         run: npm ci
@@ -250,6 +250,13 @@ jobs:
         continue-on-error: true
         run: bash evals/ci/run-baseline.sh --check pull-work-provider-integration
 
+      # The anti-gaming + trust regression suite runs in this REQUIRED lane so that
+      # weakening the gate / CI anchor / their protections (or removing a regression
+      # test) is caught and cannot merge. Convergence red-team (Round 5/7) closure.
+      - name: Anti-gaming and trust suite
+        continue-on-error: true
+        run: bash evals/ci/run-baseline.sh --check anti-gaming-and-trust-suite
+
       - name: Finalize CI evidence
         if: always()
         run: bash evals/ci/run-baseline.sh --finalize
@@ -278,7 +285,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Install Node dependencies
         run: npm ci

package/.github/workflows/kit-gates-demo.yml

@@ -42,7 +42,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Install Flow CLI
         # Mirrors the FLOW_CLI_ROOT install pattern used in ci.yml.
@@ -108,7 +108,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
 
       - name: Install Flow CLI
         run: |

package/.github/workflows/publish-npm.yml

@@ -6,6 +6,14 @@ on:
       - "v*"
   workflow_dispatch:
 
+# Serialize publish runs so a duplicate trigger (the release tag push and a
+# workflow_dispatch firing within seconds of each other) cannot race: the second
+# run waits for the first to finish, then the "Check Published Version" step sees
+# the version already on npm and skips — instead of E403'ing on a double publish.
+concurrency:
+  group: publish-npm
+  cancel-in-progress: false
+
 permissions:
   contents: read
 
@@ -21,7 +29,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "22"
+          node-version: "24"
           cache: npm
 
       - name: Install dependencies
@@ -101,4 +109,4 @@ jobs:
 
       - name: Publish public package
         if: steps.published.outputs.published != 'true'
-        run: npm publish --access public
+        run: npm publish --access public --provenance

package/.github/workflows/release-please.yml

@@ -21,7 +21,7 @@ jobs:
       # author, so CI runs unassisted. See kontourai/flow-agents#38.
       - name: Mint app token
         id: app-token
-        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           app-id: ${{ vars.RELEASE_APP_ID }}
           private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

package/.github/workflows/trust-reconcile.yml

@@ -0,0 +1,113 @@
+# trust-reconcile.yml — CI trust anchor: Phase 1 (external anti-gaming anchor) +
+#                       Phase 2 (signed attestation over CI's own fresh results).
+#
+# Phase 1: re-runs canonical verification FRESH in a clean CI environment that
+# the agent does not control, then reconciles a delivered checkpoint/bundle's
+# claimed passes against CI reality. Any divergence (claimed pass + CI fail,
+# claimed pass + laundering operator, claimed pass + command CI never ran,
+# checkpoint-only bundle, claim with no evidence) fails the job with a clear
+# diagnostic message.
+#
+# Canonical verify command: npm run trust-reconcile-verify
+#   = npm run build && npm run eval:static
+#   (integration + the anti-gaming regression suite run in ci.yml's required
+#    "Runtime and Kit" lane, not here — see evals/ci/antigaming-suite.sh)
+#   This is the REAL verification this repo runs (build + static evals + integration
+#   evals), not a compile-only check. The script is declared in package.json so
+#   trust-reconcile.js auto-discovers it without needing TRUST_RECONCILE_COMMANDS.
+#
+# Phase 2 (additive): after the reconcile step PASSES, mint a signed in-toto
+# attestation over CI's own fresh results using Sigstore keyless signing
+# (Fulcio + Rekor). The attestation is uploaded as a workflow artifact.
+# Gated: the mint step only runs when the reconcile step passes (the job stays
+# red when reconcile fails — Phase 1 behavior unchanged).
+#
+# Design: NEVER trusts agent-produced artifacts as a truth source. The bundle is
+# read only to DETECT DIVERGENCE — CI's fresh run is the only authoritative result.
+# The agent cannot self-declare success here: it cannot modify the CI environment,
+# pre-disable this job, or post-forge results after the check runs.
+#
+# THIS JOB IS INTENDED TO BE A REQUIRED STATUS CHECK (branch protection).
+# Enabling it as required is a server-side GitHub branch-protection configuration
+# step — it is not wired here by code. Once required, no PR can merge past it.
+#
+# Additive — NOT a gate-hook change. Does not modify scripts/hooks/*, kits/knowledge,
+# or continue-work. Mirrors the structure of .github/workflows/ci.yml.
+
+name: Trust Reconcile
+
+on:
+  pull_request:
+  push:
+    branches: ["main"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: trust-reconcile-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trust-reconcile:
+    name: Trust Reconcile
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Phase 2: id-token: write is required for Sigstore keyless signing (Fulcio OIDC).
+    # Mirrors the pattern in .github/workflows/publish-npm.yml.
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: "24"
+
+      - name: Install Node dependencies
+        run: npm ci
+
+      - name: Install shell tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq ripgrep
+
+      - name: Trust reconcile
+        id: trust-reconcile
+        run: node scripts/ci/trust-reconcile.js
+        # Canonical verify: auto-discovered from package.json scripts["trust-reconcile-verify"]
+        #   = npm run build && npm run eval:static
+#   (integration + the anti-gaming regression suite run in ci.yml's required
+#    "Runtime and Kit" lane, not here — see evals/ci/antigaming-suite.sh)
+        # This runs the REAL verification (build + static + integration evals), NOT a
+        # compile-only check. Override via TRUST_RECONCILE_COMMANDS or --commands if needed.
+        # Bundle auto-discovery: if delivery/trust.bundle or delivery/trust.checkpoint.json
+        # exists in the checkout, CI reconciles per-command claimed passes against fresh
+        # results automatically. When absent, only the fresh verify is enforced (fail-open).
+        # Phase 2: on success, writes ci-trust-reconcile-results.json to RUNNER_TEMP
+        # for mint-attestation.js to consume.
+
+      # Phase 2: Mint signed attestation over CI's own fresh results.
+      # Runs only when the trust-reconcile step passes (default step condition:
+      # previous steps must succeed). The job stays red if reconcile fails.
+      - name: Mint attestation
+        run: node scripts/ci/mint-attestation.js
+        # Sigstore keyless signing uses the OIDC token from id-token: write (above).
+        # Locally (no OIDC): signStatementWithSigstore returns null → writes unsigned
+        # in-toto statement → exits 0 (fail-open). The job does not crash.
+
+      - name: Upload attestation
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: trust-attestation
+          path: |
+            trust.attestation.sig.json
+            trust.attestation.intoto.json
+            trust.attestation.status.json
+          if-no-files-found: ignore
+          retention-days: 30

package/AGENTS.md

@@ -9,11 +9,24 @@ This bundle was generated from the canonical source in this repo. Treat the repo
 - **Evidence hygiene:** issue/PR permalinks must pin a real commit SHA (`git rev-parse`, never typed by hand); claims about behavior need command/test evidence.
 - `.flow-agents/` runtime artifacts stay untracked; durable records belong in docs/, issues, or tracked source.
 
+### Operating discipline (working agreements)
+
+Confirmed agreements for developing this repo — the *kit-discipline* bucket of ADR 0013, seeded here by hand (encoded by us, shipped uniform; the kit does not self-evolve on user machines). Keep this list short and principle-level; let stale entries be pruned.
+
+- **Consume, never fork — survey before building.** Before adding any concept/command/schema, check what already exists (exported `@kontourai/*` types, ADRs, skills/commands) *and what's in flight* (open PRs, branches, `git worktree list`). Many agents run here in parallel; work is often already built or being built (ADR 0008/0010).
+- **Coordinate shared-area changes; surface, don't brute-force.** When a change touches code another agent is actively in (e.g. `workflow-sidecar.ts`, the gate), prefer an additive change and flag the overlap on the issue; build on the latest `origin/main` in an isolated `git worktree`. **The working tree is shared across agents — clean up only the worktrees *you* created (match your own path prefix); never `git worktree remove` "all non-main" worktrees, which destroys another agent's uncommitted state** (branches/commits survive, but in-progress working-dir changes do not).
+- **A "flake" or a silent success is a real bug — root-cause it, never re-run past it.** Flakiness is usually a real race or fail-open; an operation that can pass without doing its job, or drop data silently, *is* the bug.
+- **Prove it; don't design on assumption.** Gate changes on the suite (`prove-capture-teeth`, conformance L2, `test_workflow_sidecar_writer`, `tsc`) before merge; verify load-bearing assumptions with a quick experiment, not reasoning alone.
+- **Name the primitive, not the use-case.** Center the general mechanism (e.g. a *liveness policy*); the use-case is a label, the primitive is the abstraction.
+- **Merge mechanics:** strict protection + a fast `main` makes CLI merges racy — `update-branch` for a clean window, then merge; never `--no-verify`; `pre-push` validation needs `node_modules/.bin` on `PATH`; keep dev + CI Node in sync via `.tool-versions`. **During a fast-`main` *burst*, do not reflexively `update-branch`** — each one resets CI to pending and you lose the race; let the *current* CI settle, then `--admin`-merge a **verified, isolated, conflict-free** PR (admin bypasses only the up-to-date requirement, never a check — use only when the change cannot conflict with the newer `main`).
+- **Delegate the next increment via fresh-context handoff (`continue-work`).** A multi-slice item's next slice is best run in a *fresh* context that inherits the durable system, not this session's history (ADR 0013): spawn an agent (or a new session) pointed at the issue + these operating agreements + the precedent PRs. Prompt size scales with **novelty** — a precedented, mechanical slice needs only the minimal template (task + entry artifact + precedent); novel work (a new skill, a subtle composition) needs the subtlety spelled out. **Parallelize the *implementation*** of independent slices; **serialize only the *merge*** where they share a file (e.g. a kit's flow-runner).
+
 ## Shared Conventions
 
 - `skills/`, `context/`, `powers/`, `prompts/`, `scripts/`, and `evals/` were copied from the canonical source.
 - Cross-session task artifacts should live under `.flow-agents`.
 - Kiro-only hook wiring was stripped from exported non-Kiro agents to keep the package portable.
+- **Gate awareness:** `context/gate-awareness.md` — the three active gates (goal-fit/Stop, evidence-capture, reground), why a block is the system working, and how to diagnose a suspected missed block.
 
 ## Exported Agents
 

package/CHANGELOG.md

@@ -1,5 +1,100 @@
 # Changelog
 
+## [2.0.0](https://github.com/kontourai/flow-agents/compare/v1.4.0...v2.0.0) (2026-06-27)
+
+
+### ⚠ BREAKING CHANGES
+
+* **liveness:** rename coord→liveness + lifecycle-driven liveness claims (ADR 0012) ([#154](https://github.com/kontourai/flow-agents/issues/154))
+
+### Features
+
+* activate FlowDefinition-driven sessions + fix carry-forward history loss (ADR 0016 Abstraction A, Step 0+1) ([#208](https://github.com/kontourai/flow-agents/issues/208)) ([7e0120f](https://github.com/kontourai/flow-agents/commit/7e0120fd60779186dbe87db5cad313d479ff4ef8))
+* **builder:** add continue-work skill for fresh-context slice handoff ([#190](https://github.com/kontourai/flow-agents/issues/190)) ([8353fef](https://github.com/kontourai/flow-agents/commit/8353fef09967f813304c39f111b31861f4ca6fd0))
+* **builder:** phase_map + advance-state active-step + record-gate-claim mechanism (ADR 0016 Abstraction A, P-d increment 1) ([#206](https://github.com/kontourai/flow-agents/issues/206)) ([9c67730](https://github.com/kontourai/flow-agents/commit/9c677309e6716485f1d2df4e15071379b8dc28fe))
+* **builder:** wire 6 step producers via record-gate-claim + flip required:true + fix --expectation targeting (ADR 0016 Abstraction A, P-d increment 2) ([#207](https://github.com/kontourai/flow-agents/issues/207)) ([4cf6e52](https://github.com/kontourai/flow-agents/commit/4cf6e524f97b7ea4dd739e9de83aedcfb07ba055))
+* **ci:** CI mints a signed attestation over its own verification results (CI anchor Phase 2) ([#224](https://github.com/kontourai/flow-agents/issues/224)) ([017505b](https://github.com/kontourai/flow-agents/commit/017505b9f7d2200eacf2dd681182dc968d61dc23))
+* **ci:** publish session bundle to delivery/ at delivery — feed the trust-reconcile anchor (Phase 1b) ([#223](https://github.com/kontourai/flow-agents/issues/223)) ([d9476d8](https://github.com/kontourai/flow-agents/commit/d9476d847310d348c20f53ba824756a30a1b23b0))
+* **ci:** trust-reconcile job — the external anti-gaming anchor (CI anchor Phase 1) ([#222](https://github.com/kontourai/flow-agents/issues/222)) ([1678866](https://github.com/kontourai/flow-agents/commit/1678866f6c967117bb09e15b9546c89462b392f3))
+* **context:** add gate-awareness self-critique doc + AGENTS.md reference ([#118](https://github.com/kontourai/flow-agents/issues/118)) ([#123](https://github.com/kontourai/flow-agents/issues/123)) ([45e3841](https://github.com/kontourai/flow-agents/commit/45e38410a8c9276713675531d25d4870f99b1be8))
+* **coord:** agent coordination as liveness claims — claim/heartbeat/release/status (ADR 0012) ([#150](https://github.com/kontourai/flow-agents/issues/150)) ([ed248ed](https://github.com/kontourai/flow-agents/commit/ed248edbe39a39ac7403ffdce316d4c19fda25b0))
+* **core:** FlowDefinition-driven claim production — shared flow-resolver + producer dual-emit (ADR 0016 Abstraction A, P-a/P-b) ([#204](https://github.com/kontourai/flow-agents/issues/204)) ([5368017](https://github.com/kontourai/flow-agents/commit/536801781d8bb2d2e00754539d16efa050cb2d42))
+* **core:** gate enforces on the active FlowDefinition's expects[] (ADR 0016 Abstraction A, P-c) ([#205](https://github.com/kontourai/flow-agents/issues/205)) ([dd0dab2](https://github.com/kontourai/flow-agents/commit/dd0dab20d513e26ce57354137e9931bdd15c0633))
+* **gate-review:** deterministic gate-calibration via canonical Surface InquiryRecord ([#119](https://github.com/kontourai/flow-agents/issues/119)) ([#132](https://github.com/kontourai/flow-agents/issues/132)) ([d5ec073](https://github.com/kontourai/flow-agents/commit/d5ec073bcd3c0ba3075993453db0f932cf381686))
+* **goal-fit:** re-derive trust.bundle claim status at the gate (ADR 0010 Phase 2 hardening) ([#136](https://github.com/kontourai/flow-agents/issues/136)) ([face2cb](https://github.com/kontourai/flow-agents/commit/face2cb5f2bcacd65c70dc22da72e0585874cde3))
+* **hooks:** capture-first evidence determinism for command checks ([#115](https://github.com/kontourai/flow-agents/issues/115)) ([a5bd12f](https://github.com/kontourai/flow-agents/commit/a5bd12f0ad7629b79043356dae3e34acd22aabd0))
+* **hooks:** goal-fit teeth + active-goal reground (block false-completion, survive compaction) ([#113](https://github.com/kontourai/flow-agents/issues/113)) ([40ba70b](https://github.com/kontourai/flow-agents/commit/40ba70bdf351d885965ae2e70861e07745547237))
+* **install:** extend merge-aware install to codex — preserve user hooks.json ([#117](https://github.com/kontourai/flow-agents/issues/117)) ([#158](https://github.com/kontourai/flow-agents/issues/158)) ([212f097](https://github.com/kontourai/flow-agents/commit/212f097de0ec266d5d6ea6e016a3123c3f39d465))
+* **install:** merge opencode.json + uniform version stamp across all runtimes ([#117](https://github.com/kontourai/flow-agents/issues/117)) ([#159](https://github.com/kontourai/flow-agents/issues/159)) ([bab6f68](https://github.com/kontourai/flow-agents/commit/bab6f684c0c5bdc36588d4b25f6e595333e76939))
+* **install:** merge-aware global installs — opencode/codex --global + codex-home (closes [#117](https://github.com/kontourai/flow-agents/issues/117) deferred gaps) ([#188](https://github.com/kontourai/flow-agents/issues/188)) ([a133b39](https://github.com/kontourai/flow-agents/commit/a133b39a77bd108ccc39b879086e74d4f93ed435))
+* **install:** merge-aware install for claude-code — preserve user config + version stamp + --global ([#117](https://github.com/kontourai/flow-agents/issues/117)) ([#157](https://github.com/kontourai/flow-agents/issues/157)) ([01d03c0](https://github.com/kontourai/flow-agents/commit/01d03c006d41fd9b2579675637bc3a07f64d0624))
+* **knowledge:** add glossary-sync and detect-contradictions hygiene flows ([#106](https://github.com/kontourai/flow-agents/issues/106)) ([#197](https://github.com/kontourai/flow-agents/issues/197)) ([6c34c38](https://github.com/kontourai/flow-agents/commit/6c34c38560120ea61c47a6c52946c6273e28f69a))
+* **knowledge:** add hygiene-review orchestrator over the four hygiene flows ([#106](https://github.com/kontourai/flow-agents/issues/106)) ([#199](https://github.com/kontourai/flow-agents/issues/199)) ([34ecf37](https://github.com/kontourai/flow-agents/commit/34ecf37bf6cf125ac368800c1ba5aada53d37c82))
+* **knowledge:** add knowledge.audit-freshness hygiene flow ([#106](https://github.com/kontourai/flow-agents/issues/106)) ([#189](https://github.com/kontourai/flow-agents/issues/189)) ([33f7ebb](https://github.com/kontourai/flow-agents/commit/33f7ebb2ebacce007ab690ea0f802b5476dc8385))
+* **knowledge:** add knowledge.canonicalize-category hygiene flow ([#106](https://github.com/kontourai/flow-agents/issues/106)) ([#193](https://github.com/kontourai/flow-agents/issues/193)) ([e5a02ce](https://github.com/kontourai/flow-agents/commit/e5a02ceb703f51387623260df95c7a262709b633))
+* **knowledge:** add store reindex() — rebuild graph index from records (recovery, [#106](https://github.com/kontourai/flow-agents/issues/106)) ([#185](https://github.com/kontourai/flow-agents/issues/185)) ([377bf59](https://github.com/kontourai/flow-agents/commit/377bf59802d29e6fce0dae0bfc793cd5f4e493dc))
+* per-run trust checkpoint — terminal seal + freshness drift on resume (consume surface checkpointFromReport/diffFreshness) ([#210](https://github.com/kontourai/flow-agents/issues/210)) ([04a6e63](https://github.com/kontourai/flow-agents/commit/04a6e6344ff1e921b8f0c4bd8b93ddd753e61adb))
+* productize the trust anchor — `flow-agents verify` CLI + reusable composite Action + adoption docs (CI anchor Phase 3) ([#231](https://github.com/kontourai/flow-agents/issues/231)) ([305515f](https://github.com/kontourai/flow-agents/commit/305515f2594fafc3815b847024c1d91a9a7db1fe))
+* remove legacy packs layer entirely (no backwards compatibility) ([#121](https://github.com/kontourai/flow-agents/issues/121)) ([a7325b5](https://github.com/kontourai/flow-agents/commit/a7325b5447de1e91524a1118ab44a497ab462be8))
+* **resume:** liveness-aware + claim-aware RESUME block on SessionStart ([#153](https://github.com/kontourai/flow-agents/issues/153), first slice) ([#184](https://github.com/kontourai/flow-agents/issues/184)) ([71155bd](https://github.com/kontourai/flow-agents/commit/71155bd01f6b5cb8c20cd7b9e75567f2e9dae9aa))
+* retire the -legacy dual-emit shadow — FlowDefinition-driven sessions are declared-only (ADR 0016, P-d) ([#209](https://github.com/kontourai/flow-agents/issues/209)) ([d9073de](https://github.com/kontourai/flow-agents/commit/d9073decd73de3cc436669c9d8fab8070e515373))
+* sign the terminal checkpoint at release — in-toto/DSSE attestation (consume surface Sigstore, the real external integrity anchor) ([#211](https://github.com/kontourai/flow-agents/issues/211)) ([df8df2f](https://github.com/kontourai/flow-agents/commit/df8df2f1a6bfdc8494fb064414975c48600b5627))
+* tamper-evident command-log.jsonl via hash-chain — the gate detects an altered/removed capture entry (B2) ([#212](https://github.com/kontourai/flow-agents/issues/212)) ([ff9b058](https://github.com/kontourai/flow-agents/commit/ff9b05867370775f918377d1a9a647cc867fd18c))
+* **trust-bundle:** maximal enrichment + gate enforces on the canonical bundle (ADR 0010 Ph1+2 core) ([#133](https://github.com/kontourai/flow-agents/issues/133)) ([fa4115e](https://github.com/kontourai/flow-agents/commit/fa4115eb84fde743db60e066de745a0811360ac4))
+* **trust-mcp:** opt-in trust-mcp command to wire Surface's MCP for trust surfacing ([#137](https://github.com/kontourai/flow-agents/issues/137)) ([#141](https://github.com/kontourai/flow-agents/issues/141)) ([b7beb43](https://github.com/kontourai/flow-agents/commit/b7beb4335afcc2bdd6fd0abd278dd4023c08a63b))
+* **trust-panel:** render-trust-panel — project the bundle to a standalone Surface Trust Panel (ADR 0010 Phase 3 local) ([#135](https://github.com/kontourai/flow-agents/issues/135)) ([e1b3c35](https://github.com/kontourai/flow-agents/commit/e1b3c357156c2b5b631e5ad68cda378b73a5aab5))
+* **trust-panel:** render-trust-panel also emits trust-report.json (universal Surface input) ([#140](https://github.com/kontourai/flow-agents/issues/140)) ([c430634](https://github.com/kontourai/flow-agents/commit/c4306341a42948db3604b0b4b14d6f930301a4e5))
+* **validate:** guard against duplicate ADR numbers in validate-source-tree ([#191](https://github.com/kontourai/flow-agents/issues/191)) ([d0592eb](https://github.com/kontourai/flow-agents/commit/d0592eb09f1206c7c77a3836dfba18935a19f2f3))
+* **workflow-sidecar:** claim-lookup tool — status + failing evidence + how-to-verify + why ([#162](https://github.com/kontourai/flow-agents/issues/162)) ([#173](https://github.com/kontourai/flow-agents/issues/173)) ([4b72cba](https://github.com/kontourai/flow-agents/commit/4b72cbace5cb3007ddad593e947e03cb173e4df3))
+* **workflow-sidecar:** deterministic session slug from work-item ref ([#161](https://github.com/kontourai/flow-agents/issues/161)) ([#165](https://github.com/kontourai/flow-agents/issues/165)) ([e69fa26](https://github.com/kontourai/flow-agents/commit/e69fa26fcb8b63f1f216d8f31ac43622decd808d))
+* **workflow-sidecar:** dual-write workflow trust state as local Hachure trust.bundle (ADR 0010 Phase 1) ([#126](https://github.com/kontourai/flow-agents/issues/126)) ([#130](https://github.com/kontourai/flow-agents/issues/130)) ([a9b8fd6](https://github.com/kontourai/flow-agents/commit/a9b8fd6061d05a3d73321108c942769c005bff11))
+
+
+### Fixes
+
+* **goal-fit:** re-derive-tamper block fires independent of backstop + protect it in CI ([#196](https://github.com/kontourai/flow-agents/issues/196)) ([9d13212](https://github.com/kontourai/flow-agents/commit/9d13212bb9b72c979d7c1de0aa64299aeb483d53))
+* **knowledge:** auto-close spent proposal artifact on retire apply ([#106](https://github.com/kontourai/flow-agents/issues/106)) ([#186](https://github.com/kontourai/flow-agents/issues/186)) ([9835c06](https://github.com/kontourai/flow-agents/commit/9835c066a61ad99c6addda07a5387aa5e606165b))
+* **security:** captureCrossReference now sees declared-type claims — declared-type false-completions BLOCK (adversarial review Finding 1, CRITICAL) ([#214](https://github.com/kontourai/flow-agents/issues/214)) ([0d1d4de](https://github.com/kontourai/flow-agents/commit/0d1d4def66164bb2f584074796338d594c951cff))
+* **security:** captured-FAIL reconciliation — close the namespace-agnostic false-completion bypass (Round 2 red-team CRITICAL) + fix [#216](https://github.com/kontourai/flow-agents/issues/216) over-block ([#218](https://github.com/kontourai/flow-agents/issues/218)) ([e9bf229](https://github.com/kontourai/flow-agents/commit/e9bf229ee3380282cb60db3645e7969f6129929c))
+* **security:** checkpoint signature now signs the on-disk bytes — attestation moved to a companion file (adversarial review HIGH/A02) ([#213](https://github.com/kontourai/flow-agents/issues/213)) ([b27fd14](https://github.com/kontourai/flow-agents/commit/b27fd1478549f867409f7053e2a9044ba337fb85))
+* **security:** CI anchor verifies the REAL deliverable, not just compilation (Round 5 soundness) ([#226](https://github.com/kontourai/flow-agents/issues/226)) ([1117624](https://github.com/kontourai/flow-agents/commit/111762482272658e56bbbf8d4f51d5af6ea4e647))
+* **security:** close the full gate-bypass chain — path-traversal sanitization + empty-gateExpects union (adversarial review HIGH/A01/A04) ([#215](https://github.com/kontourai/flow-agents/issues/215)) ([2554656](https://github.com/kontourai/flow-agents/commit/2554656551c01e9b63b2acc98b83c862a1b29d59))
+* **security:** lock down gate bypass surfaces — config protection, MAX_BLOCKS hard-block guard, fail-closed (adversarial review Findings 2 + fail-opens) ([#216](https://github.com/kontourai/flow-agents/issues/216)) ([370ebc5](https://github.com/kontourai/flow-agents/commit/370ebc5edfdc80a53a2c4154b0767e9be4221b6f))
+* **security:** protect state.json + trust.bundle from agent Write/Edit; best-effort flag node -e/sed -i/python -c profile writes (Round 4 audit) ([#220](https://github.com/kontourai/flow-agents/issues/220)) ([ef68054](https://github.com/kontourai/flow-agents/commit/ef680545d5c351dca3a4abf4d21c95eb7e44576e))
+* **security:** resolveFirstStep traversal + tee multi-file evasion (Round 2 audit MEDIUM/LOW) ([#217](https://github.com/kontourai/flow-agents/issues/217)) ([ac1f3cd](https://github.com/kontourai/flow-agents/commit/ac1f3cdc99b90e16a593dc5380eda5cc469af98a))
+* **security:** robust laundering detection (any ||) + delivery/ bundle protection (Round 5) ([#227](https://github.com/kontourai/flow-agents/issues/227)) ([d09bebe](https://github.com/kontourai/flow-agents/commit/d09bebe14e30779b193e225f4ecc2ff98e0ca00c))
+* **security:** run the anti-gaming suite in a REQUIRED CI lane + screen the canonical verify + own the verify config (Round 7) ([#228](https://github.com/kontourai/flow-agents/issues/228)) ([0d68ab1](https://github.com/kontourai/flow-agents/commit/0d68ab13caffd8f703f552e56a03a6c5499d1d51))
+* **security:** status-independent false-completion check + drop Case B over-block + flag exit-code laundering (Round 4) ([#219](https://github.com/kontourai/flow-agents/issues/219)) ([ef53339](https://github.com/kontourai/flow-agents/commit/ef53339ef6ad5e92275f8753ee59d73628020142))
+* untrack accidental node_modules symlink + harden .gitignore ([#181](https://github.com/kontourai/flow-agents/issues/181) fallout) ([#182](https://github.com/kontourai/flow-agents/issues/182)) ([9042ff6](https://github.com/kontourai/flow-agents/commit/9042ff6a029c75a4555d4b94daa2291b3284930a))
+* **writers:** bundle-writers fail loudly instead of silently losing data ([#156](https://github.com/kontourai/flow-agents/issues/156)) ([#160](https://github.com/kontourai/flow-agents/issues/160)) ([6e9e3a6](https://github.com/kontourai/flow-agents/commit/6e9e3a69119f40c571360025426687d0ff69f3a4))
+
+
+### Documentation
+
+* **adr:** ADR 0011 — MCP posture (enforcement stays hooks; Surface owns MCP projection; no auto-injected config) ([#138](https://github.com/kontourai/flow-agents/issues/138)) ([e65f2ae](https://github.com/kontourai/flow-agents/commit/e65f2ae593617ef8e31a154a6847135f91d4ff83))
+* **adr:** ADR 0012 — agent coordination as Hachure liveness claims ([#145](https://github.com/kontourai/flow-agents/issues/145)) ([c57138f](https://github.com/kontourai/flow-agents/commit/c57138f0ff075578a381c398d549baca814edb10))
+* **adr:** ADR 0013 — context lifecycle (workflow-boundary compaction, freshness-gated reuse, learning split) ([#163](https://github.com/kontourai/flow-agents/issues/163)) ([0589687](https://github.com/kontourai/flow-agents/commit/0589687d46e42c951a64e5e1b9a727e7691fe384))
+* **adr:** ADR 0015 reassessment — Tiers 1 & 2 closed-by-evaluation (audit overstated drift) ([#198](https://github.com/kontourai/flow-agents/issues/198)) ([dde8c21](https://github.com/kontourai/flow-agents/commit/dde8c212e0c5f974e6bb9097c72806288f4be53f))
+* **adr:** ADR 0016 — the three-hard-boundary model (FlowDefinition-driven kit-agnostic core) + sync 0014/0009/0004/0005 ([#203](https://github.com/kontourai/flow-agents/issues/203)) ([6ded109](https://github.com/kontourai/flow-agents/commit/6ded109802679a11d0edf88207a429f92eef8321))
+* **adr:** ADR 0017 — the anti-gaming trust security model (layered defense + external CI anchor) ([#229](https://github.com/kontourai/flow-agents/issues/229)) ([bf794ce](https://github.com/kontourai/flow-agents/commit/bf794ce06a7b5e71579479813affa15e0859ef41))
+* **adr:** correct ADR 0015 — Tier 2 reopened as Resource Contract migration (was wrongly closed) ([#202](https://github.com/kontourai/flow-agents/issues/202)) ([ec3a67b](https://github.com/kontourai/flow-agents/commit/ec3a67b8ca82fa7fedc579b5b404b58dcd5a708e))
+* **adr:** renumber Flow/Flow-Agents boundary ADR 0014 → 0015 (resolve duplicate) ([#181](https://github.com/kontourai/flow-agents/issues/181)) ([1b581b7](https://github.com/kontourai/flow-agents/commit/1b581b722a060961e4deae6b775da68f7c350616))
+* **agents:** capture merge-burst + fresh-handoff learnings in operating agreements ([#192](https://github.com/kontourai/flow-agents/issues/192)) ([31d5473](https://github.com/kontourai/flow-agents/commit/31d547330771fc77a4930fa8727ac078151d8ff4))
+* **agents:** scope worktree cleanup to your own paths (operating agreement) ([#201](https://github.com/kontourai/flow-agents/issues/201)) ([ae6cf41](https://github.com/kontourai/flow-agents/commit/ae6cf413a0b79658855d991a56fc4916400277db))
+* **contracts:** fail-loud + flake-is-a-real-bug in core review/verification contracts ([#170](https://github.com/kontourai/flow-agents/issues/170)) ([c25b48c](https://github.com/kontourai/flow-agents/commit/c25b48c7e58cda0c2803a44646996615c4de6cf7))
+* seed kit-development operating agreements in AGENTS.md (ADR 0013) ([#164](https://github.com/kontourai/flow-agents/issues/164)) ([0b6e765](https://github.com/kontourai/flow-agents/commit/0b6e765a2348ddc709f6829cc163c1379498193a))
+* Verifiable Trust — user-facing value/use-case doc for the anti-gaming trust model ([#230](https://github.com/kontourai/flow-agents/issues/230)) ([8710e29](https://github.com/kontourai/flow-agents/commit/8710e29ec9a0ea15f6e22e82e5d695a19aadc3b6))
+
+
+### Refactoring
+
+* **goal-fit:** drop bespoke markdown/DELIVERY_TYPES gate parsing — verdict is bundle-driven (ADR 0010 2c) ([#139](https://github.com/kontourai/flow-agents/issues/139)) ([342d7aa](https://github.com/kontourai/flow-agents/commit/342d7aaecea93c156a11a49467cb7167af888654))
+* **goal-fit:** gate consumers read the trust.bundle, not bespoke sidecars (ADR 0010 Phase 4b) ([#146](https://github.com/kontourai/flow-agents/issues/146)) ([7ae2e2c](https://github.com/kontourai/flow-agents/commit/7ae2e2ce04205c874810596c5db132dfdf0ad85a))
+* **liveness:** rename coord→liveness + lifecycle-driven liveness claims (ADR 0012) ([#154](https://github.com/kontourai/flow-agents/issues/154)) ([4576e0e](https://github.com/kontourai/flow-agents/commit/4576e0e8a03eaa49a3de9acf46a35c22b4cc36aa))
+* **workflow-sidecar:** bundle is the primary artifact, sidecars projected (ADR 0010 Phase 4a) ([#144](https://github.com/kontourai/flow-agents/issues/144)) ([256ee9e](https://github.com/kontourai/flow-agents/commit/256ee9ef0879344c9c61724a8b58314b9a48129c))
+* **workflow-sidecar:** consume surface's validateTrustBundle — retire bespoke validator ([#175](https://github.com/kontourai/flow-agents/issues/175), Tier 0) ([#180](https://github.com/kontourai/flow-agents/issues/180)) ([0cee634](https://github.com/kontourai/flow-agents/commit/0cee63421c7b327b608abef54b3a327d2187b2b3))
+* **workflow-sidecar:** retire bespoke sidecars — bundle-only workspace (ADR 0010 Phase 4c) ([#152](https://github.com/kontourai/flow-agents/issues/152)) ([03432cb](https://github.com/kontourai/flow-agents/commit/03432cb536eeb90a49638391d506ecd6df7acfaa))
+
 ## [1.4.0](https://github.com/kontourai/flow-agents/compare/v1.3.0...v1.4.0) (2026-06-16)
 
 

package/CONTRIBUTING.md

@@ -9,11 +9,11 @@ Agents. This file is the footnote for people developing the product itself.
 
 - keep the core product generic — no machine-specific paths, usernames, or
   private workspace assumptions in tracked source
-- the public bundle ships the `core` and `development` packs; keep new work
-  inside that scope
+- the public bundle ships the full standalone base (skills, agents, powers) plus
+  the Flow Kits; keep new work inside that scope
 - prefer install/use clarity over maintainer cleverness
-- update the relevant docs, `packaging/packs.json`, and `packaging/manifest.json`
-  whenever you add or remove a skill, agent, or power
+- update the relevant docs, `kits/catalog.json`, and `packaging/manifest.json`
+  whenever you add or remove a skill, agent, power, or kit
 - keep `docs/context-map.md` current with `npm run context-map`
 - run `npm run build && npm run validate:source && bash evals/ci/run-baseline.sh`
   before opening a PR

package/README.md

@@ -28,6 +28,7 @@ Flow Agents addresses this with a process-discipline layer that sits between the
 - **Durable workflow state** — schema-validated sidecars under `.flow-agents/` record acceptance criteria, evidence, critique, handoff, and learning, so any session can resume from recorded state instead of chat memory.
 - **Four canonical policies** — workflow steering (phase reminders at each turn), quality gate (per-file checks after edits), stop-goal-fit (evidence check before the agent stops), and config protection (veto writes to linter/formatter configs). Each policy class has a canonical script under `scripts/hooks/` and compiles to the host's native hook format.
 - **Evidence over confidence** — important work ends with tests, browser checks, CI results, review findings, governance reports, or an explicit `NOT_VERIFIED` gap. Optional [Veritas](docs/veritas-integration.md) integration attaches repo-governance evidence without making it mandatory.
+- **Verifiable, un-gameable "done"** — the agent can't mark work complete that isn't: the gate re-derives the verdict from independent evidence, an external CI anchor re-runs the verification fresh and fails the merge on any divergence, and CI mints a Sigstore-signed record of what shipped. See [Verifiable Trust — why "done" actually means done](docs/verifiable-trust.md).
 - **Evals that keep the bundle honest** — 77 integration and 36 static bundle assertions validate the skills, contracts, fixtures, and hook influence as the bundle evolves.
 
 ## Flow Agents as a process-discipline layer

package/agents/tool-planner.json

@@ -52,6 +52,6 @@
   },
   "name" : "tool-planner",
   "description" : "Delegate to me for codebase analysis and execution planning. Explores code, identifies patterns and dependencies, and writes plan/sidecar artifacts under .flow-agents. No production file modifications.",
-  "prompt" : "You are a codebase analyst. You explore code and produce structured execution plans.\n\n## Shared Contracts\nFollow `context/contracts/artifact-contract.md` and `context/contracts/planning-contract.md`. Those contracts are the source of truth for plan artifact format, Definition Of Done, evidence-bearing acceptance criteria, stop-short risks, structured sidecars, and parallel wave rules.\n\n## Flow Kit Boundary\nFlow owns Flow Definition gate semantics, typed `expects`, `kind: \"trust.bundle\"`, trusted producer config, and gate overrides. Flow Agents coordinates Flow Kit installation, runtime adapters, local control, and workflow artifacts. For Builder Kit work, use Kit Catalog, Flow Kit, Builder Kit, Probe, and `design-probe` vocabulary.\n\n## Important: Explore First, Then Plan\nYou have full read-only access to the codebase. If `docs/context-map.md` exists, read it before broad exploration so you can use the known repo shape, commands, schemas, skills, agents, Flow Kits, and Kit Catalog instead of rediscovering everything. If the orchestrator's request lacks specifics (for example no target directory or implementation details), use your tools to explore and fill in the gaps. Only push back if the goal itself is genuinely unclear.\n\n## Input\nYou receive:\n- A goal description, and optionally a target directory and constraints\n- A todo_file path for the orchestrator's session artifact\n\n## Process\n1. Read `docs/context-map.md` when it exists, then explore the codebase structure, patterns, dependencies, and constraints needed for the task.\n2. Identify existing code to reuse.\n3. Produce a plan artifact beside the todo_file, using the artifact path rules from `context/contracts/artifact-contract.md`.\n4. Create or update `state.json`, `acceptance.json`, and `handoff.json` beside the workflow artifact using the schemas under `schemas/`.\n5. Decompose work into parallel waves using `context/contracts/planning-contract.md`.\n6. Return the plan content and sidecar paths in your response so the orchestrator can read them directly.\n\n## Rules\n- Do not write production code.\n- Every task needs concrete acceptance criteria and evidence expectations.\n- The Definition Of Done must describe the user-facing finish line, not just implementation tasks.\n- `acceptance.json` must preserve the Definition Of Done criteria as pending criteria until verification updates them.\n- `state.json` must name the current phase/status and next action.\n- `handoff.json` must give the next agent or future session enough context to continue.\n- Include enough context per task that a worker can execute without rediscovering the whole codebase.",
+  "prompt" : "You are a codebase analyst. You explore code and produce structured execution plans.\n\n## Shared Contracts\nFollow `context/contracts/artifact-contract.md` and `context/contracts/planning-contract.md`. Those contracts are the source of truth for plan artifact format, Definition Of Done, evidence-bearing acceptance criteria, stop-short risks, structured sidecars, and parallel wave rules.\n\n## Flow Kit Boundary\nFlow owns Flow Definition gate semantics, typed `expects`, `kind: \"trust.bundle\"`, trusted producer config, and gate overrides. Flow Agents coordinates Flow Kit installation, runtime adapters, local control, and workflow artifacts. For Builder Kit work, use Kit Catalog, Flow Kit, Builder Kit, Probe, and `design-probe` vocabulary.\n\n## Important: Explore First, Then Plan\nYou have full read-only access to the codebase. If `docs/context-map.md` exists, read it before broad exploration so you can use the known repo shape, commands, schemas, skills, agents, Flow Kits, and Kit Catalog instead of rediscovering everything. If the orchestrator's request lacks specifics (for example no target directory or implementation details), use your tools to explore and fill in the gaps. Only push back if the goal itself is genuinely unclear.\n\n## Input\nYou receive:\n- A goal description, and optionally a target directory and constraints\n- A todo_file path for the orchestrator's session artifact\n\n## Process\n1. Read `docs/context-map.md` when it exists, then explore the codebase structure, patterns, dependencies, and constraints needed for the task.\n2. Identify existing code to reuse. Before designing any NEW artifact, schema, type, data shape, status, or derivation/algorithm, survey what dependencies and contracts already define — exported types/schemas/builders from `@kontourai/*` packages and vendored schemas, plus `context/contracts/`. Prefer consuming the canonical concept over inventing a parallel one (consume-never-fork; ADR 0008/0010); name the existing concept you consumed, or note explicitly why none fits.\n3. Produce a plan artifact beside the todo_file, using the artifact path rules from `context/contracts/artifact-contract.md`.\n4. Create or update `state.json`, `acceptance.json`, and `handoff.json` beside the workflow artifact using the schemas under `schemas/`.\n5. Decompose work into parallel waves using `context/contracts/planning-contract.md`.\n6. Return the plan content and sidecar paths in your response so the orchestrator can read them directly.\n\n## Rules\n- Do not write production code.\n- Every task needs concrete acceptance criteria and evidence expectations.\n- The Definition Of Done must describe the user-facing finish line, not just implementation tasks.\n- `acceptance.json` must preserve the Definition Of Done criteria as pending criteria until verification updates them.\n- `state.json` must name the current phase/status and next action.\n- `handoff.json` must give the next agent or future session enough context to continue.\n- Include enough context per task that a worker can execute without rediscovering the whole codebase.",
   "model" : "claude-sonnet-4.6-1m"
 }