@kontourai/flow-agents 1.4.0 → 2.0.1

package/docs/adr/0017-anti-gaming-trust-security-model.md

@@ -0,0 +1,155 @@
+---
+title: "ADR 0017: The Anti-Gaming Trust Security Model — Layered Defense + External CI Anchor"
+---
+
+# ADR 0017: The Anti-Gaming Trust Security Model — Layered Defense + External CI Anchor
+
+Status: Accepted
+
+## Context
+
+Flow Agents runs an autonomous coding agent that produces work and *reports its own
+completion* through a trust gate (the Stop hook `stop-goal-fit.js`, ADR 0010 / ADR 0004):
+the agent records evidence/claims into a `trust.bundle`, and the gate decides whether the
+work may be marked complete.
+
+This is a self-grading exam. The motivating question (from the owner): *"How do I know the
+agent isn't leaving a security hole it will use to tamper with the process later?"* The
+honest answer is that you cannot trust the agent's self-report, and — critically — you
+cannot trust the **author of the gate** either: an agent that builds the gate can build a
+hole into it while truthfully reporting "all tests green."
+
+This ADR records the threat model, the layered defense that resulted from a 7-round
+adversarial-hardening loop (PRs #213–#228), what each layer does and does **not** defend,
+the residuals, and how the whole thing is activated.
+
+## Threat model
+
+The adversary is the running agent itself (or a future agent), which has shell access and
+can write any file in the workspace. The defining property the loop kept rediscovering:
+
+> **The gate's strongest checks key off agent-controlled inputs.**
+> `state.json.status` (completion gating + block regime), command strings (exit-code
+> laundering like `npm test || true`), the sourced shell profile (`FLOW_AGENTS_GOAL_FIT_MODE=off`),
+> and the gate/CI source itself are all writable by the agent.
+
+A gate that runs *inside* the agent's environment and judges from state the agent writes
+can always be dodged by self-declaration. Therefore no purely-local control is airtight; the
+authoritative anchor must live somewhere the agent cannot pre-disable or post-forge — **CI**.
+
+## Decision: a layered defense, anchored externally
+
+### Layer 1 — Local gate (fast feedback, bar-raiser)
+`scripts/hooks/stop-goal-fit.js` + `evidence-capture.js` + `config-protection.js`.
+- **Re-derive, don't trust:** the gate re-derives claim status from evidence via
+  `@kontourai/surface` (`deriveClaimStatus`) rather than trusting stored status (ADR 0010).
+- **Independent capture:** `evidence-capture.js` records real command results to a
+  hash-chained `command-log.jsonl`; the gate cross-references claimed-passes against it
+  ("caught false-completion" blocks). `captureCrossReference` is FlowDefinition-aware so it
+  sees kit-typed (`builder.*`) claims, not only `workflow.*` (#214).
+- **Captured-FAIL reconciliation, namespace-agnostic + status-independent (#218, #219):**
+  any claim asserting pass for a command whose latest capture is FAIL blocks, on every stop,
+  regardless of self-declared status.
+- **Exit-code laundering:** a claimed verify command containing *any* `||` (or trailing
+  `; true`/`exit 0`) is rejected — it masks the real exit code (#219, #227).
+- **Anti-forgery:** `config-protection.js` blocks agent Write/Edit/redirect/`cp` to the
+  kill-switch + truth-source files (`.claude/settings.json`, shell profiles,
+  `.flow-agents/<slug>/current.json|state.json|trust.bundle`, `delivery/trust.bundle`)
+  (#216, #220, #227). Path traversal in `active_flow_id` is rejected (#215, #217).
+  `MAX_BLOCKS` never auto-releases a hard block (#216).
+
+### Layer 2 — External CI anchor (authoritative)
+`scripts/ci/trust-reconcile.js` + `.github/workflows/trust-reconcile.yml`.
+- On a PR, in a clean CI environment the agent cannot pre-disable, **re-run the real
+  verification fresh** (`trust-reconcile-verify` = `build && eval:static`; integration +
+  the anti-gaming suite run in the required `ci.yml` lanes — see Layer 4), and **reconcile**
+  the delivered bundle's claims against CI's own results: a claimed-pass that CI shows FAIL,
+  a command CI never ran, or a laundered command → **divergence, job fails** (#222, #226).
+- CI **never trusts** the agent's bundle as a truth source — it only uses it to detect
+  divergence. Bundle command labels are **never executed** (no CI-RCE); they are string-
+  compared against repo-declared canonical commands only.
+- Fail-open on bundle absence (the fresh verify still gates); fail-closed on divergence and
+  on a compile-only / laundered verify config (#226).
+
+### Layer 3 — Provenance (un-forgeable)
+`scripts/ci/mint-attestation.js`. CI mints an in-toto/DSSE attestation over its *own* fresh
+results, signed via keyless Sigstore. The local agent has no ambient OIDC identity, so it
+**cannot mint a trusted signature** — a fabricated "green" cannot be signed (#224).
+
+### Layer 4 — Enforcement guards (so the gate itself can't be silently weakened)
+- The **anti-gaming regression suite** (`evals/ci/antigaming-suite.sh`, 17 tests) runs in
+  the **required** `ci.yml` "Runtime and Kit" lane (#228). Weakening any gate/anchor/
+  protection — or deleting a regression test — turns the lane red and cannot merge.
+- **CODEOWNERS** (#221, #228) requires owner review for the gate hooks, the CI definition,
+  and the verify config (`package.json`, `scripts/ci/`, `evals/ci/`, `evals/run.sh`).
+- Branch protection on `main`: required status checks + `enforce_admins`.
+
+### Delivery transport
+`delivery/trust.bundle` (gitignored by default; the deliver skill `git add -f`s it at an
+actual delivery) carries the session bundle to CI; CI reconciles it against fresh truth
+(#223, #1b). `publishDelivery` writes it via `fs` at `record-release`.
+
+## How the layers map to the threat model
+
+| Agent capability | Defended by |
+|---|---|
+| Lie in the bundle (claim pass) | L1 re-derive + capture cross-ref; L2 fresh re-run + reconcile |
+| Launder the exit code (`\|\| true`) | L1 + L2 laundering screen |
+| Forge `state.json`/`trust.bundle`/`current.json` | L1 config-protection; L2 doesn't trust them |
+| Disable the local gate (env/profile) | L2 (CI ignores the agent's env) |
+| Weaken the gate/anchor source | L4 required anti-gaming suite + CODEOWNERS |
+| Fabricate a signed "green" | L3 (no local OIDC) |
+
+## The adversarial-hardening method (and why it is part of the decision)
+
+The architecture above was **not** designed up front; it was *earned* by an adversarial
+loop, and that loop is itself the policy: **author self-certification is insufficient.**
+Across 7 rounds, fresh-context adversaries (red-team + security audit, told to distrust the
+author's "verified" claims) found and we closed 7+ real holes — several of which were
+shipped by the gate's own author while reporting tests green. The loop is run to convergence
+(a round that finds nothing newly exploitable beyond known residuals). The required
+anti-gaming suite (L4) is how convergence is kept enforced over time.
+
+## Residuals (honest — this is a bar-raiser, not a wall)
+
+- **Local env kill-switch:** an agent can write a shell profile via interpreter one-liners
+  (`node -e`, `py`-style `-c` invocations) or runtime-constructed paths that
+  `config-protection` cannot fully enumerate, setting
+  `FLOW_AGENTS_GOAL_FIT_MODE=off` for the next local hook. *Mitigated by:* L2 (CI is
+  unaffected by the agent's env) + L4.
+- **Wrapper-script verify:** an agent could point `trust-reconcile-verify` at a script that
+  exits 0 without `||`. *Mitigated by:* CODEOWNERS on the verify config (L4) + the required
+  anti-gaming suite running independently of the verify command.
+- **Runtime-path / exotic-tool forge** (`rsync`, `dd`, `path.join(...)`) of protected files:
+  not caught at the hook layer. *Mitigated by:* L2 not trusting those files + human review.
+- **The irreducible boundary:** an admin/owner can bypass branch protection or approve a
+  malicious change. That is the trust-the-humans boundary; it is documented, not closed.
+
+The consistent principle: **the real tamper-proof boundary is external — the CI anchor's
+fresh re-run, CI-minted signatures, and human (owner) review. The local gate raises the cost
+of casual/direct self-tampering; it does not claim to stop a determined agent on its own.**
+
+## Activation (required, server-side — issue #225)
+
+The CI anchor and CODEOWNERS run and report today, but two settings (admin-only, not in the
+repo) **arm** them as no-bypass gates:
+1. Add **`Trust Reconcile`** as a required, no-bypass status check on `main`.
+2. Enable **"Require review from Code Owners."**
+
+Until set, `Trust Reconcile` + CODEOWNERS are advisory. The anti-gaming suite (L4) is
+*already* blocking because it rides the existing required "Runtime and Kit" check.
+
+## Consequences
+
+- The trust gate's correctness no longer depends on trusting the agent, its claims, or its
+  environment — only on the external CI anchor + human review, which the agent cannot reach.
+- Any change that weakens the gate/anchor/protections is caught by the required anti-gaming
+  suite and cannot merge.
+- The model is reusable for the product: a downstream repo adds the `trust-reconcile` job +
+  the anti-gaming suite as required checks to get the same external anchor (Phase 3, future).
+
+## Related
+
+ADR 0004 (gates expect Surface claims), ADR 0010 (workflow trust state as a hachure bundle),
+ADR 0012 (liveness claims), ADR 0016 (three-hard-boundary model — the gate is core,
+FlowDefinition-driven). Implementation: PRs #213–#228. Activation: issue #225.

package/docs/agent-system-guidebook.md

@@ -126,7 +126,7 @@ The important source areas are:
 | `context/contracts/` | Shared workflow contracts for planning, execution, verification, delivery, sandboxing, and governance adapters. |
 | `scripts/` | Build, validation, hook, telemetry, and sidecar tooling. |
 | `evals/` | Static, behavioral, integration, and bundle-install tests. |
-| `packaging/` | Pack definitions and cross-runtime export rules. |
+| `packaging/` | Cross-runtime export manifest and packaging rules. |
 | `docs/` | Durable explanation of the operating model and roadmap. |
 
 Flow Agents currently carries local workflow sidecars and hooks while Flow is being separated into its own Kontour product layer. The intended boundary is that Flow owns generic steps, gates, transitions, Flow Runs, exceptions, and Flow Reports; Flow Agents owns the agent-facing modes, skills, provider settings, runtime adapters, and Console experience that make those flows useful.
@@ -248,18 +248,11 @@ The repo has tests for:
 
 The intended pattern is that every important workflow rule gets a test at the lowest useful layer: static checks for text contracts, integration checks for scripts and hooks, and behavioral evals for runtime agent behavior when practical.
 
-### Packs
+### Neutral base and Kits
 
-Packs keep the global surface understandable.
+Every install ships the full standalone base — the `skills/`, `agents/`, and `powers/` directories are the neutral multi-framework toolbox, always present and never filtered at install time.
 
-`packaging/packs.json` groups capabilities into sets. Currently defined:
-
-- `core`
-- `development`
-
-Future packs (knowledge, AWS, experimental) are deferred until another producer proof shows repeated friction.
-
-All-pack installs remain the default today. `FLOW_AGENTS_PACKS` lets users opt into a smaller installed surface, and domain depth belongs in packs so a global setup can be narrowed without changing the source bundle.
+Opinion and depth live in Flow Kits (builder, knowledge, release-evidence), surfaced through the Kit Catalog and activated when a workflow needs them. The Kit Catalog is the product-facing vocabulary; the standalone base is the doer's toolbox.
 
 ## How A Request Flows
 
@@ -383,7 +376,7 @@ The next useful improvements are:
 
 - stronger live behavioral evals that prove hook output changes agent behavior across every runtime, not only that hooks emit guidance
 - richer guide examples for non-code knowledge workflows
-- clearer pack selection guidance for global installs
+- clearer Kit Catalog activation guidance for global installs
 - a Veritas advisory-readiness spike through the optional governance adapter boundary
 - a self-validation loop that automatically proposes docs, eval, or skill updates after repeated workflow friction
 

package/docs/context-map.md

@@ -23,7 +23,7 @@ Generated by `npm run context-map`. Regenerate after changing agents, skills, sc
 | evals | canonical copy | Static, integration, install, and behavioral eval fixtures. |
 | kits | canonical copy | Project directory. |
 | packaging | canonical copy | Project directory. |
-| powers | canonical copy | Optional MCP/tool integration packs. |
+| powers | canonical copy | Optional MCP/tool capability bundles. |
 | prompts | canonical copy | Reusable prompt entry points. |
 | schemas | canonical copy | JSON Schema contracts for machine-readable workflow artifacts. |
 | scripts | canonical copy | Build, validation, hook, telemetry, workflow, and import/export utilities. |
@@ -40,6 +40,7 @@ Generated by `npm run context-map`. Regenerate after changing agents, skills, sc
 | Integration suite | bash evals/run.sh integration |
 | Workflow artifacts | npm run workflow:validate-artifacts -- --require-sidecars --require-critique .flow-agents/<slug> |
 | Workflow sidecars | npm run workflow:sidecar -- --help |
+| Claim lookup | npm run workflow:sidecar -- claim <id> <dir> |
 | Context map drift | npm run context-map:check |
 | Bundle build | npm run build:bundles |
 
@@ -65,10 +66,12 @@ Primary tools: `npm run workflow:sidecar`, `npm run workflow:validate-artifacts`
 
 | Skill | Source | When To Load |
 | --- | --- | --- |
+| continue-work | kits/builder/skills/continue-work/SKILL.md | Advance a multi-slice work item to its next increment via a fresh-context handoff. Use when one or more slices of a multi-slice issue have landed and the next undone slice should be built. Routes the next slice through pull-work + pickup... |
 | deliver | kits/builder/skills/deliver/SKILL.md | Delivery workflow — selected work to delivered code. Ensures pull-work + pickup-probe preflight, then chains plan-work → execute-plan → review-work → verify-work → loop on failure without requiring user interaction between cleanly determ... |
 | evidence-gate | kits/builder/skills/evidence-gate/SKILL.md | Evaluate whether completed work is trustworthy enough for human review, merge, or release. Use after implementation, verify-work, provider checks, CI, or remediation to map acceptance criteria to evidence, inspect scope integrity, classi... |
 | execute-plan | kits/builder/skills/execute-plan/SKILL.md | Parallel execution primitive — plan artifact path to implemented code via tool-worker (x4). Reads plan directly. Updates session file between waves. |
 | fix-bug | kits/builder/skills/fix-bug/SKILL.md | Bug fix orchestrator — diagnose → plan-work → execute-plan → review-work → verify-work → loop. Diagnosis phase is unique to bugs, then chains the same primitives. |
+| gate-review | kits/builder/skills/gate-review/SKILL.md | Enumerate gate fires and suspected misses from the session's Hachure trust.bundle, classify each as correct/false_block/missed_block using Surface's resolveInquiry to produce canonical InquiryRecords, route findings to learning-review, a... |
 | idea-to-backlog | kits/builder/skills/idea-to-backlog/SKILL.md | Turn raw product or technical ideas into shaped, prioritized, executable GitHub issue backlog. Use for idea intake, ideation, product shaping, spike/prototype decisions, PRD-like feature briefs, prioritization, and backlog creation befor... |
 | learning-review | kits/builder/skills/learning-review/SKILL.md | Capture post-merge, post-deploy, or post-incident learnings and feed them back into backlog, workflow skills, tests, docs, or knowledge. Use after release readiness, post-deploy checks, retrospectives, failed gates, or repeated workflow... |
 | plan-work | kits/builder/skills/plan-work/SKILL.md | Code planning primitive — goal + directory to structured execution plan. Delegates to tool-planner. No resume, no ideation. |
@@ -119,15 +122,6 @@ Primary tools: `npm run workflow:sidecar`, `npm run workflow:validate-artifacts`
 | dependency-checker | powers/dependency-checker/POWER.md |
 | playwright | powers/playwright/POWER.md |
 
-## Packs
-
-Pack composition is defined in `packaging/packs.json`. The current builder exports pack metadata in bundle catalogs, and generated install scripts support opt-in `FLOW_AGENTS_PACKS` filtering while leaving all packs installed by default.
-
-| Pack | Default | Skills | Agents | Powers | Purpose |
-| --- | --- | --- | --- | --- | --- |
-| core | yes | 2 | 5 | 1 | Small default surface for reliable coding and workflow execution. |
-| development | no | 4 | 9 | 1 | Development workflow depth for backlog, release, dependency, GitHub, TDD, and frontend work. |
-
 ## Current Workflow State
 
 Runtime workflow state is excluded from the committed map.

package/docs/index.md

@@ -61,13 +61,14 @@ The four canonical policy classes are defined in the <a href="spec/runtime-hook-
 | Core harness | opencode | agents, skills, plugin, opencode.json | L1 — no prompt-submit hook |
 | Core harness | pi | extension, skills, AGENTS.md | L1 — no stop hook |
 | Official framework adapter | AWS Strands (Python) | `integrations/strands/` spike/preview | L0 + config protection via cancellation |
+| Official framework adapter | AWS Strands (TypeScript) | `integrations/strands-ts/` native-import preview | shipped telemetry + native config protection; L2-targeted policies run through the conformance shim |
 | Conformance-certified | Community / third-party | Self-certify | Conformance kit in development |
 
-Documented gaps: opencode has no native `prompt.submit`-equivalent event; pi has no stop hook; Codex live hook influence on model context is limited. The <a href="spec/runtime-hook-surface.html">Runtime Hook Surface spec</a> names every gap explicitly using the canonical event taxonomy.
+Documented gaps: opencode has no native `prompt.submit`-equivalent event; pi has no stop hook; Codex live hook influence on model context is limited; Strands TS workflow steering, quality-gate, and stop-goal-fit coverage is conformance-shim-only. The <a href="spec/runtime-hook-surface.html">Runtime Hook Surface spec</a> names every gap explicitly using the canonical event taxonomy.
 
 ## Framework adapters
 
-The same canonical policies wire into agent frameworks as in-process language-native packages. `integrations/strands/` contains `flow-agents-strands`, a Python `HookProvider` that emits the canonical telemetry taxonomy and enforces config protection via `BeforeToolCallEvent` cancellation — 50 unit tests, no Strands SDK required. This is a spike/preview. See <a href="spec/runtime-hook-surface.html">the spec</a> for the full framework adapter mapping and minimum viable adapter pseudocode.
+The same canonical policies wire into agent frameworks as in-process language-native packages. `integrations/strands/` contains `flow-agents-strands`, a Python `HookProvider` that emits the canonical telemetry taxonomy and enforces config protection via `BeforeToolCallEvent` cancellation — 50 unit tests, no Strands SDK required. `integrations/strands-ts/` adds a native-import TypeScript preview with shipped telemetry callbacks and native config-protection blocking; workflow-steering, quality-gate, and stop-goal-fit policy coverage is exercised by the conformance shim only. See <a href="spec/runtime-hook-surface.html">the spec</a> for the full framework adapter mapping and minimum viable adapter pseudocode.
 
 ## Quick Start
 

package/docs/integrations/framework-adapter.md

@@ -180,12 +180,12 @@ The following limitations are from `integrations/strands/README.md` and reflect
 
 8. **Quality-gate policy omitted**: `quality-gate.js` invokes ruff/biome after edits. There is no clear Strands analogue yet.
 
-## Conformance declaration
+## Conformance status
 
-The Strands adapter is L0 plus config protection via `BeforeToolCallEvent` cancellation. A full conformance declaration would read:
+The Strands adapter is L0 plus config protection via `BeforeToolCallEvent` cancellation. Its current status is:
 
 ```
-conformance_level: L0  (+ config-protection via BeforeToolCallEvent)
+conformance_status: L0  (+ config-protection via BeforeToolCallEvent)
 host: AWS Strands Agents
 event_coverage:
   agentSpawn: AgentInitializedEvent (full fidelity)
@@ -228,6 +228,8 @@ python3 -m unittest discover
 
 `@kontourai/flow-agents-strands` is the first **native-import** consumer of the policy engine contract. Where the Python adapter spawns a subprocess for each `BeforeToolCallEvent` policy check, the TS adapter calls `config-protection.js`'s exported `run()` function directly — zero subprocess overhead on the hot path.
 
+The shipped native callback surface is telemetry plus config-protection blocking. The adapter's workflow steering, quality-gate, and stop-goal-fit checks are conformance-shim-only through `bin/conformance-shim.mjs`; it is not a claim that production `FlowAgentsHooks` runs all four policies directly in Strands TS callbacks.
+
 ### Key differences from the Python adapter
 
 | | Python adapter | TypeScript adapter |
@@ -235,9 +237,20 @@ python3 -m unittest discover
 | Engine binding | subprocess (`node run-hook.js …`) | `require("config-protection.js").run()` — in-process |
 | Strands SDK | `register_hooks(registry)` → `registry.add_callback` | `registerHooks(registry)` → `registry.addCallback` |
 | Cancel signal | `event.cancel_tool = reason` | `event.cancel = reason` (TS variant) |
-| Conformance | L0 + config-protection | L2 (all four policy classes via shim) |
+| Conformance | L0 + config-protection | L2-targeted policy coverage via conformance shim |
 | Test framework | stdlib unittest (Python) | node:test (no extra deps) |
 
+### TypeScript capability states
+
+| Capability | State | Public behavior |
+| --- | --- | --- |
+| Telemetry callbacks | shipped | Production callbacks emit canonical JSONL events. |
+| Config-protection hot path | shipped | Native `run()` import blocks via `event.cancel`. |
+| Workflow steering | structural-only | L2-targeted checks run through the conformance shim; production callbacks emit telemetry only. |
+| Quality-gate | structural-only | L2-targeted checks run through the conformance shim. |
+| Stop-goal-fit | structural-only | L2-targeted checks run through the conformance shim. |
+| Analytics channel, Console/HTTP sink, subagent events, permission requests, token usage | unavailable | These gaps are not wired in the TypeScript adapter. |
+
 ### Constructing FlowAgentsHooks (TypeScript)
 
 ```typescript
@@ -264,7 +277,7 @@ The TS adapter exports `STRANDS_TO_CANONICAL` matching the Python adapter's dict
 
 ### Conformance
 
-The TS adapter achieves **L2** via `bin/conformance-shim.mjs`:
+The TS adapter runs its L2-targeted policy coverage through `bin/conformance-shim.mjs`:
 
 ```bash
 node packaging/conformance/run-conformance.js \
@@ -272,4 +285,4 @@ node packaging/conformance/run-conformance.js \
   --level L2
 ```
 
-12/12 fixtures pass. See `integrations/strands-ts/README.md` for the full conformance declaration and limitations.
+This is the validation path for the canonical fixture contract through the shim while the shipped native adapter remains telemetry plus native config-protection. Current status: the L2 target is not passing. The runner reports 18/20 fixtures passing with highest achieved level L0; `stop-goal-fit--warn-active-delivery.json` and `workflow-steering--reground-session-start.json` remain failing. Treat runner output as the current status for that target; do not read it as a production callback capability. See `integrations/strands-ts/README.md` for the full conformance declaration and limitations.

package/docs/integrations/index.md

@@ -22,7 +22,7 @@ Flow Agents reaches host runtimes and agent frameworks through two distinct dist
 | L1 | L0 plus workflow steering and stop-goal-fit in warning mode |
 | L2 | L1 plus config protection (blocking) and quality gate — the reference level |
 
-Claude Code and Codex are L2 reference implementations. opencode is L1 (no prompt-submit hook). pi is L1 (no stop hook). The Strands adapter is L0 plus config protection via `BeforeToolCallEvent` cancellation.
+Claude Code and Codex are L2 reference implementations. opencode is L1 (no prompt-submit hook). pi is L1 (no stop hook). The Strands Python adapter is L0 plus config protection via `BeforeToolCallEvent` cancellation. The Strands TypeScript adapter ships telemetry callbacks plus native config protection; workflow steering, quality-gate, and stop-goal-fit policy coverage is available through the conformance shim only.
 
 The <a href="../spec/runtime-hook-surface.html">Runtime Hook Surface spec</a> defines the canonical event taxonomy, policy classes, conformance levels, and engine contract in full.
 
@@ -55,4 +55,4 @@ The <a href="../spec/runtime-hook-surface.html">Runtime Hook Surface spec</a> de
 
 ## TypeScript native-import adapter
 
-`integrations/strands-ts/` (`@kontourai/flow-agents-strands`) is the first native-import consumer of the policy engine contract. It binds the `config-protection.js` `run()` function directly — no subprocess on the hot path. Achieves **L2** conformance. See `integrations/strands-ts/README.md` and the [Framework Adapter](framework-adapter.html) page for the full comparison with the Python adapter.
+`integrations/strands-ts/` (`@kontourai/flow-agents-strands`) is the first native-import consumer of the policy engine contract. It binds the `config-protection.js` `run()` function directly — no subprocess on the hot path. Shipped native behavior is telemetry callbacks plus config-protection blocking; workflow steering, quality-gate, and stop-goal-fit run through the conformance shim rather than production Strands TS callbacks. See `integrations/strands-ts/README.md` and the [Framework Adapter](framework-adapter.html) page for the full comparison with the Python adapter.

package/docs/north-star.md

@@ -46,7 +46,7 @@ Flow Agents should only invent a format when no durable standard or Kontour foun
 
 Do not load the whole operating manual into every session.
 
-Flow Agents should expose small discovery metadata first, then load guidance only when it is useful. Skills, powers, workflow contracts, context packs, and references should be activated just in time.
+Flow Agents should expose small discovery metadata first, then load guidance only when it is useful. Skills, powers, workflow contracts, context bundles, and references should be activated just in time.
 
 ### Reliability Over Ceremony
 
@@ -148,7 +148,7 @@ The goal is not to add ceremony. The goal is to make agents more reliable while
 | --- | --- | --- |
 | [x] | North star | Durable direction documented in `docs/north-star.md`. |
 | [x] | Layer taxonomy | Repo vocabulary clearly separates rules, skills, powers, agents, workflows, knowledge, and evidence. |
-| [x] | Core vs optional packs | Pack composition manifest exists and generated install scripts support opt-in `FLOW_AGENTS_PACKS` filtering while preserving all-pack installs by default. |
+| [x] | Neutral base vs Kit depth | The standalone `skills/`/`agents/`/`powers/` base always installs; opinion and depth live in Flow Kits surfaced through the Kit Catalog and activated on demand. |
 | [x] | Standards register | Supported standards and Flow Agents-owned formats are documented with adoption rules. |
 | [ ] | Structured workflow state | Draft schemas, contracts, validation, explicit current-session identity, delegation-safe agent event logs, sidecar writer commands, and direct workflow-skill writer instructions exist for state, acceptance, evidence, handoff, critique, release, and learning; automatic enforcement remains partial. |
 | [ ] | Context map | Generated repo/context map exists; workflow steering and core planner/worker/verifier agents now use it, but broader agent coverage remains. |
@@ -180,7 +180,7 @@ Tasks:
 
 - Document the public layers: rules, skills, powers, agents, workflows, knowledge, and evidence. **Done:** see https://github.com/kontourai/flow-agents/blob/main/docs/operating-layers.md.
 - Mark which directories are canonical source, generated exports, runtime state, and optional integrations.
-- Decide which workflow skills are part of the core pack and which are optional domain packs. **Started:** `packaging/packs.json` defines core and development packs.
+- Separate the neutral standalone base (always installed) from opinionated depth in Flow Kits. **Done:** the `skills/`/`agents/`/`powers/` base always ships; Kits carry depth through the Kit Catalog.
 - Add a standards register that lists each external standard, how Flow Agents uses it, and what Flow Agents-owned schemas still exist. **Done:** see https://github.com/kontourai/flow-agents/blob/main/docs/standards-register.md.
 - Add a "do not invent without checking standards" rule to contributor docs.
 
@@ -214,7 +214,7 @@ Exit criteria:
 
 Tasks:
 
-- Generate a compact context map for each repo: structure, commands, test strategy, key conventions, recent workflow state, and available packs. **Started:** `npm run context-map --` writes `docs/context-map.md` and supports drift checks.
+- Generate a compact context map for each repo: structure, commands, test strategy, key conventions, recent workflow state, and available Kits. **Started:** `npm run context-map --` writes `docs/context-map.md` and supports drift checks.
 - Extend hooks so they can surface file-specific, workflow-specific, or evidence-specific guidance without loading whole docs. **Started:** workflow steering now emits ambient reminders after non-subagent tools when sidecars show `not_verified`, `needs_decision`, `blocked`, `failed`, or `needs_user`.
 - Add skill discovery metadata that lets agents choose a skill from a short summary, then progressively load the body.
 - Add missing-evidence prompts: when a workflow is about to stop without proof, show the specific gate that failed. **Started:** the Goal Fit stop hook now reads `state.json`, `evidence.json`, and `critique.json` to report unfinished phase, next action, failed checks, `NOT_VERIFIED` gaps, and open critique findings.

package/docs/operating-layers.md

@@ -89,14 +89,14 @@ If a proposed artifact seems to belong to multiple layers, split it. For example
 - workflow state for a specific update task
 - evidence for the scan result
 
-## Core Surface And Kit Filtering
+## Neutral Base And Kit Depth
 
-The default Flow Agents surface should remain small. Flow Kits add workflow depth without making every installation carry every concept. The current install implementation still has legacy composition metadata under `packaging/`; treat that as compatibility/build mechanics while the Kit Catalog becomes the product-facing vocabulary.
+Every install ships the full standalone base: the `skills/`, `agents/`, and `powers/` directories are the neutral multi-framework toolbox, always present. Flow Kits add workflow depth and opinion on top of that base, surfaced through the Kit Catalog — the product-facing vocabulary — and activated when a workflow needs them. `packaging/` holds the cross-harness export manifest and build mechanics only; it no longer carries any install-time composition layer.
 
 Do not duplicate full membership lists in prose. Update the canonical kit and packaging metadata, then regenerate the Context Map for the current skill, agent, power, and Flow Kit counts:
 https://github.com/kontourai/flow-agents/blob/main/docs/context-map.md
 
-Kit boundaries should be validated by usage data, context budget impact, and whether users can predict what will load before making install filtering the default behavior.
+Kit boundaries should be validated by usage data, context budget impact, and whether users can predict what the Kit Catalog will activate.
 
 ## Design Checks
 

package/docs/plans/adr-0010-phase2-gate-recompute.md

@@ -0,0 +1,55 @@
+# Plan — ADR 0010 Phase 2: gate recomputes the trust bundle (+ maximal enrichment)
+
+**Status:** Workstream A (maximal enrichment) + B-core (gate enforces on the bundle) **shipped** in this PR; see [ADR 0010](../adr/0010-workflow-trust-state-as-hachure-bundle.md) for the authoritative phase status. **Remaining (the careful follow-on):** B's hardening — re-derive-at-gate via Surface `buildTrustReport` (async hook restructure) and removal of the `DELIVERY_TYPES`/markdown parsing (completes [ADR 0009](../adr/0009-canonical-hook-core-kit-boundary.md)) — plus Phases 3–4. The constraint that blocks a naive markdown rip-out is in Workstream B below: `prove-capture-teeth` seeds raw evidence+log and relies on markdown detection.
+
+## Baseline (already shipped — do NOT rebuild)
+
+- **Phase 1 emit is done + wired.** `src/cli/workflow-sidecar.ts` → `buildTrustBundle()` maps `evidence.checks` / `acceptance.criteria` / `critique` → claims+evidence+events, **recomputes status via `@kontourai/surface`'s `deriveClaimStatus`**, and `writeTrustBundle()` validates + writes `.flow-agents/<slug>/trust.bundle`. Wired into `record-evidence` / `record-critique` / `advance-state` (lines 688/743/832/897). Fail-open; `@kontourai/surface` is an **optional** dep, loaded via dynamic `import()` (`tryLoadSurface`).
+- Gates already expect `trust.bundle` claims (ADR 0004 / #97). Surface exports `deriveClaimStatus`, `buildTrustReport(bundle) → TrustReport` (the recompute), `validateTrustBundle`. ESM-only.
+- `stop-goal-fit.js` currently enforces off **bespoke `evidence.json` + Builder markdown** (`## Definition Of Done` / `## Goal Fit Gate`, `DELIVERY_TYPES` skill-names) + the capture cross-reference (`command-log.jsonl`). It already has: `current.json` active-task scoping, pre-execution/terminal gating, escape hatch, `FLOW_AGENTS_GOAL_FIT_MODE`.
+
+## Goal
+
+1. **Gate recomputes the bundle** (`buildTrustReport`) and enforces on the *report's* claim statuses — replacing bespoke `evidence.json` + Builder-markdown parsing.
+2. **Maximal enrichment** of the emit: add verification-**policies** (currently `policies: []`) and fold **`command-log` capture** into the bundle's evidence.
+3. Correct ADR 0010's "implementation not started" line.
+
+## Workstream A — Maximal enrichment of the emit (do FIRST)
+
+File: `src/cli/workflow-sidecar.ts` → `buildTrustBundle()`.
+
+- **A1 — policies.** Emit a `VerificationPolicy` per claimType (`workflow.check.*`, `workflow.acceptance.criterion`, `workflow.critique.review`) and pass them into `deriveClaimStatus` + the bundle's `policies[]` (today `[]` → status derives without policy). Required fields (from `surface/src/types.ts` `VerificationPolicy`): `id, claimType, requiredEvidence, acceptanceCriteria, reviewAuthority, validityRule, stalenessTriggers, conflictRules, impactLevel`.
+- **A2 — capture as evidence.** Read `.flow-agents/<slug>/command-log.jsonl`; for checks whose command was captured, add `Evidence` with `execution { runner:"bash", exitCode, isError, label }` + `passing`/`blocking` from the real captured result (the deterministic capture, now first-class bundle evidence).
+- **Proof:** `validateTrustBundle` stays valid; extend `evals/integration/test_workflow_sidecar_writer.sh` to assert policies + capture evidence are present and statuses derive correctly.
+
+## Workstream B — Phase 2: gate recomputes the bundle
+
+File: `scripts/hooks/stop-goal-fit.js`.
+
+- **B1** Resolve the active task dir (already done via `current.json` / state scoping) and read its `trust.bundle`.
+- **B2** Recompute via Surface `buildTrustReport(bundle)` — dynamic `import()`, **fail-open** (mirror `workflow-sidecar`'s `tryLoadSurface`).
+- **B3** Block on the **report's** statuses: any blocking-impact claim with `fail`/`disputed` (and per-policy `unknown`) → block. This **replaces** the bespoke `evidence.verdict`/`checks` parsing and the markdown DOD/Goal-Fit parsing. **Preserve:** the false-completion catch (a failed capture must surface as a `disputed` claim → block), pre-exec/terminal gating, escape hatch, `MODE`.
+- **B4** Remove the Builder-markdown coupling (`## Definition Of Done` / `## Goal Fit Gate` parsing, `DELIVERY_TYPES`/`--deliver` skill-name detection) → realizes ADR 0009's de-coupling. Detect the artifact by the kit-neutral signal (`state.json` presence), not skill names.
+- **Fallback:** when Surface/bundle is unavailable → fall back to bespoke `state.json`/`evidence.json` status checks (NEVER markdown). Bundle-recompute when available; schema-status fallback otherwise.
+- **Proof:** `prove-capture-teeth` **8/8** (the catch now via report), conformance **L2** (add bundle-based fixtures), goal-fit + escape-hatch + steering integration green.
+
+## Workstream C — Docs
+
+- Correct `docs/adr/0010` : Phase 1 shipped (`buildTrustBundle`/`writeTrustBundle`); remainder = Phase 2 (this) + maximal + Phase 3.
+- **Phase 3 (separate, later):** Surface **Trust Panel** projection (`@kontourai/surface/trust-panel/element`) over the local bundle; optional Console sink per ADR 0010's local-first distribution model.
+
+## Sequencing, proof gates, hygiene
+
+- Order: **A → B → C.** After *every* edit to `stop-goal-fit.js`, re-run `prove-capture-teeth` + the goal-fit suite (this hook broke twice from haste — change incrementally).
+- Per-gate green required: `tsc` build, static+integration evals, conformance L2, `prove-capture-teeth` 8/8.
+- Work in an **isolated git worktree off latest `origin/main`** (this is a busy multi-agent repo — 5+ active worktrees). **Before starting, check `feat/gate-review` and `chore/gate-vocabulary-migration` aren't colliding.** Surgical commits, one PR, shepherd CI (the `pre-push` source-validation needs `node_modules/.bin` on `PATH`; never `--no-verify`).
+
+## Guardrails (don't violate)
+
+- **Consume, never fork:** use Surface's `buildTrustReport`/`deriveClaimStatus`; do not reimplement status logic in flow-agents.
+- **Boundary (ADR 0009):** the gate reads the canonical bundle (core), not Builder markdown (kit).
+- **Determinism preserved:** the proven "claimed-pass but capture shows fail → block" must still hold via the report (failed capture event → `disputed` claim).
+
+## Key files
+
+`src/cli/workflow-sidecar.ts` (`buildTrustBundle`), `scripts/hooks/stop-goal-fit.js`, `surface/src/types.ts` (Policy/Event/Claim shapes), `schemas/workflow-evidence.schema.json`, `evals/integration/test_workflow_sidecar_writer.sh`, `evals/acceptance/prove-capture-teeth.sh`, `packaging/conformance/fixtures/`, `docs/adr/0009`+`0010`.

package/docs/repository-structure.md

@@ -27,7 +27,7 @@ This is the canonical developer-facing map for the Flow Agents repository. Use i
                                 # canonical workflow bundle content
   kits/                        # Flow Kit catalog and bundled kit assets
   schemas/                     # JSON sidecar and provider schemas
-  packaging/                   # bundle/export manifests and pack definitions
+  packaging/                   # bundle/export manifests and packaging rules
   evals/                       # eval harness, fixtures, static checks, integration checks
   docs/                        # durable docs and GitHub Pages source
   integrations/                # optional external integration config
@@ -56,7 +56,7 @@ This is the canonical developer-facing map for the Flow Agents repository. Use i
 | `evals/` | canonical eval source plus ignored results | Harness, cases, fixtures, static checks, integration checks. | `evals/results/*.json`, reports, and CI logs are generated output unless intentionally tracked fixtures. | Do not remove fixtures without reference proof; generated results can be local cleanup candidates. |
 | `integrations/` | optional integration source | Integration config shipped with the repo. | Source; local run state belongs under ignored runtime roots. | Keep optional and adapter-driven. |
 | `kits/` | canonical Flow Kit source | Kit Catalog and bundled Builder Kit assets. | Exported and validated by Flow Kit commands. | Preserve catalog paths and validation coverage. |
-| `packaging/` | canonical packaging source | Manifest, pack definitions, and packaging docs. | Drives generated bundles under `dist/`. | Update before changing export shape. |
+| `packaging/` | canonical packaging source | Manifest, export rules, and packaging docs. | Drives generated bundles under `dist/`. | Update before changing export shape. |
 | `powers/` | canonical source | Optional MCP/tool capability bundles. | Exported where supported. | Keep activation guidance separate from credentials. |
 | `prompts/` | canonical source | Saved prompt entry points. | Exported where supported. | Promote stable procedures into skills when needed. |
 | `schemas/` | canonical source | JSON schemas for sidecars and provider/resource records. | Used by validators and workflow tooling. | Schema changes require artifact validation. |

package/docs/skills-map.md

@@ -14,6 +14,7 @@ For practical operator instructions and copy/paste prompts, see https://github.c
 - `design-probe`: generic one-question-at-a-time probing interview; Builder Kit uses this step before planning when the build flow needs shared understanding or a pickup decision.
 - `pickup-probe`: Builder Kit specialization of `design-probe` for selected work items; records scope, provider state, WIP/conflict scans, risks, decisions, unresolved questions, accepted gaps, and planning readiness.
 - `plan-work` / `execute-plan` / `deliver`: Definition Of Done, execution orchestration, and local delivery closure.
+- `continue-work`: advance a multi-slice work item to its next increment via a fresh-context handoff; restores the durable record (resume surface), derives the next undone slice from the issue plus merged PRs, and routes that slice **through** `pull-work` + `pickup-probe` (never around the gate) before handing off fresh per ADR 0013.
 - `review-work`: report-only critique for quality, security triggers, architecture fit, and standards findings.
 - `verify-work`: behavior evidence mapped to acceptance criteria and Goal Fit.
 - `evidence-gate`: trust assessment for completed work: acceptance evidence, integrity checks, CI confidence, and next step.