npm - @kontourai/flow-agents - Versions diffs - 1.4.0 → 2.0.1 - Mend

@kontourai/flow-agents 1.4.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/.github/CODEOWNERS +29 -0
package/.github/actions/trust-verify/action.yml +145 -0
package/.github/workflows/ci.yml +11 -4
package/.github/workflows/kit-gates-demo.yml +2 -2
package/.github/workflows/publish-npm.yml +10 -2
package/.github/workflows/release-please.yml +1 -1
package/.github/workflows/runtime-compat.yml +1 -1
package/.github/workflows/trust-reconcile.yml +113 -0
package/AGENTS.md +13 -0
package/CHANGELOG.md +103 -0
package/CONTRIBUTING.md +4 -4
package/README.md +1 -0
package/agents/tool-planner.json +1 -1
package/build/src/cli/init.js +242 -20
package/build/src/cli/validate-workflow-artifacts.js +19 -2
package/build/src/cli/verify.d.ts +1 -0
package/build/src/cli/verify.js +90 -0
package/build/src/cli/workflow-sidecar.d.ts +316 -8
package/build/src/cli/workflow-sidecar.js +1996 -91
package/build/src/cli.js +2 -3
package/build/src/lib/flow-resolver.d.ts +111 -0
package/build/src/lib/flow-resolver.js +308 -0
package/build/src/tools/build-universal-bundles.js +34 -22
package/build/src/tools/generate-context-map.js +3 -16
package/build/src/tools/validate-source-tree.d.ts +1 -1
package/build/src/tools/validate-source-tree.js +42 -162
package/context/contracts/artifact-contract.md +10 -0
package/context/contracts/delivery-contract.md +1 -0
package/context/contracts/review-contract.md +1 -0
package/context/contracts/verification-contract.md +2 -0
package/context/gate-awareness.md +39 -0
package/context/scripts/hooks/stop-goal-fit.js +632 -70
package/docs/adr/0001-flow-agents-consumes-flow.md +1 -1
package/docs/adr/0002-flow-kits-as-extension-unit.md +1 -1
package/docs/adr/0004-gates-expect-surface-claims.md +2 -0
package/docs/adr/0005-kubernetes-inspired-resource-contracts.md +2 -0
package/docs/adr/0007-skill-audit.md +1 -1
package/docs/adr/0009-canonical-hook-core-kit-boundary.md +95 -0
package/docs/adr/0010-workflow-trust-state-as-hachure-bundle.md +139 -0
package/docs/adr/0011-mcp-posture.md +100 -0
package/docs/adr/0012-agent-coordination-as-liveness-claims.md +119 -0
package/docs/adr/0013-context-lifecycle.md +151 -0
package/docs/adr/0014-core-vs-domain-kit-boundary.md +143 -0
package/docs/adr/0015-flow-flow-agents-boundary-reconciliation.md +120 -0
package/docs/adr/0016-three-hard-boundary-model.md +71 -0
package/docs/adr/0017-anti-gaming-trust-security-model.md +155 -0
package/docs/agent-system-guidebook.md +5 -12
package/docs/context-map.md +4 -10
package/docs/index.md +3 -2
package/docs/integrations/framework-adapter.md +19 -6
package/docs/integrations/index.md +2 -2
package/docs/north-star.md +4 -4
package/docs/operating-layers.md +3 -3
package/docs/plans/adr-0010-phase2-gate-recompute.md +55 -0
package/docs/repository-structure.md +2 -2
package/docs/skills-map.md +1 -0
package/docs/spec/runtime-hook-surface.md +62 -9
package/docs/standards-register.md +3 -3
package/docs/survey-utterance-check.md +1 -1
package/docs/trust-anchor-adoption.md +197 -0
package/docs/verifiable-trust.md +95 -0
package/docs/veritas-integration.md +2 -2
package/docs/workflow-usage-guide.md +69 -0
package/evals/acceptance/DEMO-false-completion.md +144 -0
package/evals/acceptance/demo-cast.sh +92 -0
package/evals/acceptance/demo-false-completion.sh +72 -0
package/evals/acceptance/demo-real-evidence.sh +104 -0
package/evals/acceptance/demo.tape +29 -0
package/evals/acceptance/prove-capture-teeth-declared.sh +335 -0
package/evals/acceptance/prove-capture-teeth.sh +114 -0
package/evals/acceptance/prove-teeth.sh +105 -0
package/evals/ci/antigaming-suite.sh +55 -0
package/evals/ci/run-baseline.sh +2 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-extension-asset/flows/review.flow.json +26 -0
package/evals/fixtures/flow-kit-repository/invalid-missing-extension-asset/kit.json +20 -0
package/evals/fixtures/flow-kit-repository/valid-unknown-extension/flows/review.flow.json +26 -0
package/evals/fixtures/flow-kit-repository/valid-unknown-extension/kit.json +18 -0
package/evals/integration/test_builder_step_producers.sh +379 -0
package/evals/integration/test_bundle_install.sh +35 -71
package/evals/integration/test_bundle_lifecycle.sh +39 -2
package/evals/integration/test_captured_fail_reconciliation.sh +820 -0
package/evals/integration/test_checkpoint_signing.sh +489 -0
package/evals/integration/test_claim_lookup.sh +352 -0
package/evals/integration/test_command_log_fork_classification.sh +134 -0
package/evals/integration/test_command_log_integrity.sh +275 -0
package/evals/integration/test_context_map.sh +0 -2
package/evals/integration/test_dual_emit_flow_step.sh +278 -0
package/evals/integration/test_enforcer_expects_driven.sh +281 -0
package/evals/integration/test_evidence_capture_hook.sh +185 -0
package/evals/integration/test_flow_kit_repository.sh +2 -0
package/evals/integration/test_flowdef_session_activation.sh +273 -0
package/evals/integration/test_flowdef_session_history_preservation.sh +250 -0
package/evals/integration/test_gate_bypass_chain.sh +448 -0
package/evals/integration/test_gate_lockdown.sh +1137 -0
package/evals/integration/test_gate_review_inquiry_records.sh +399 -0
package/evals/integration/test_goal_fit_escape_hatch.sh +73 -0
package/evals/integration/test_goal_fit_hook.sh +69 -4
package/evals/integration/test_goal_fit_rederive.sh +263 -0
package/evals/integration/test_install_merge.sh +1176 -0
package/evals/integration/test_kit_identity_trust.sh +393 -0
package/evals/integration/test_mint_attestation.sh +373 -0
package/evals/integration/test_phase_map_and_gate_claim.sh +365 -0
package/evals/integration/test_publish_delivery.sh +269 -0
package/evals/integration/test_reconcile_soundness.sh +528 -0
package/evals/integration/test_resolvefirststep_security.sh +208 -0
package/evals/integration/test_session_resume_roundtrip.sh +286 -0
package/evals/integration/test_trust_checkpoint.sh +325 -0
package/evals/integration/test_trust_reconcile.sh +293 -0
package/evals/integration/test_verify_cli.sh +208 -0
package/evals/integration/test_workflow_sidecar_writer.sh +549 -34
package/evals/lib/node.sh +0 -6
package/evals/run.sh +47 -0
package/evals/static/test_workflow_skills.sh +6 -13
package/install.sh +0 -7
package/integrations/strands-ts/README.md +25 -15
package/integrations/veritas/flow-agents.adapter.json +1 -2
package/kits/builder/flows/build.flow.json +59 -12
package/kits/builder/kit.json +85 -15
package/kits/builder/skills/continue-work/SKILL.md +116 -0
package/kits/builder/skills/deliver/SKILL.md +36 -6
package/kits/builder/skills/design-probe/SKILL.md +28 -0
package/kits/builder/skills/execute-plan/SKILL.md +9 -1
package/kits/builder/skills/gate-review/SKILL.md +234 -0
package/kits/builder/skills/learning-review/SKILL.md +30 -0
package/kits/builder/skills/pickup-probe/SKILL.md +29 -0
package/kits/builder/skills/plan-work/SKILL.md +13 -1
package/kits/builder/skills/pull-work/SKILL.md +19 -0
package/kits/knowledge/adapters/default-store/index.js +38 -0
package/kits/knowledge/adapters/flow-runner/index.js +1620 -0
package/kits/knowledge/adapters/obsidian-store/index.js +36 -6
package/kits/knowledge/docs/store-contract.md +314 -0
package/kits/knowledge/evals/audit-freshness/suite.test.js +368 -0
package/kits/knowledge/evals/canonicalize-category/suite.test.js +383 -0
package/kits/knowledge/evals/contract-suite/suite.test.js +111 -0
package/kits/knowledge/evals/detect-contradictions/suite.test.js +324 -0
package/kits/knowledge/evals/entities/suite.test.js +40 -0
package/kits/knowledge/evals/glossary-sync/suite.test.js +416 -0
package/kits/knowledge/evals/hygiene-review/suite.test.js +396 -0
package/kits/knowledge/evals/retirement/suite.test.js +145 -0
package/kits/knowledge/flows/audit-freshness.flow.json +44 -0
package/kits/knowledge/flows/canonicalize-category.flow.json +44 -0
package/kits/knowledge/flows/detect-contradictions.flow.json +44 -0
package/kits/knowledge/flows/glossary-sync.flow.json +61 -0
package/kits/knowledge/flows/hygiene-review.flow.json +43 -0
package/kits/knowledge/kit.json +51 -1
package/package.json +6 -6
package/packaging/conformance/README.md +10 -2
package/packaging/conformance/fixtures/evidence-capture--allow-records-command.json +29 -0
package/packaging/conformance/fixtures/stop-goal-fit--block-bundle-disputed-claim.json +29 -0
package/packaging/conformance/fixtures/stop-goal-fit--block-capture-contradicts-claimed-pass.json +30 -0
package/packaging/conformance/fixtures/stop-goal-fit--block-mode.json +23 -0
package/packaging/conformance/fixtures/stop-goal-fit--off-mode.json +24 -0
package/packaging/conformance/fixtures/stop-goal-fit--warn-active-delivery.json +5 -2
package/packaging/conformance/fixtures/stop-goal-fit--warn-no-bundle.json +23 -0
package/packaging/conformance/fixtures/workflow-steering--reground-active-prompt.json +30 -0
package/packaging/conformance/fixtures/workflow-steering--reground-session-start.json +30 -0
package/packaging/conformance/run-conformance.js +1 -1
package/scripts/README.md +2 -1
package/scripts/build-universal-bundles.js +0 -1
package/scripts/ci/mint-attestation.js +221 -0
package/scripts/ci/trust-reconcile.js +545 -0
package/scripts/hooks/config-protection.js +423 -1
package/scripts/hooks/evidence-capture.js +348 -0
package/scripts/hooks/lib/liveness-read.js +113 -0
package/scripts/hooks/run-hook.js +6 -1
package/scripts/hooks/stop-goal-fit.js +1524 -79
package/scripts/hooks/workflow-steering.js +135 -5
package/scripts/install-codex-home.sh +39 -0
package/scripts/install-merge.js +330 -0
package/scripts/repair-command-log.js +115 -0
package/src/cli/init.ts +218 -20
package/src/cli/validate-workflow-artifacts.ts +18 -2
package/src/cli/verify.ts +100 -0
package/src/cli/workflow-sidecar.ts +2127 -84
package/src/cli.ts +2 -3
package/src/lib/flow-resolver.ts +369 -0
package/src/tools/build-universal-bundles.ts +34 -21
package/src/tools/generate-context-map.ts +3 -17
package/src/tools/validate-source-tree.ts +44 -104
package/build/src/tools/filter-installed-packs.d.ts +0 -2
package/build/src/tools/filter-installed-packs.js +0 -135
package/packaging/packs.json +0 -49
package/scripts/filter-installed-packs.js +0 -2
package/src/tools/filter-installed-packs.ts +0 -132

package/evals/integration/test_verify_cli.sh ADDED Viewed

@@ -0,0 +1,208 @@
+#!/usr/bin/env bash
+# test_verify_cli.sh — Integration eval for `flow-agents verify` CLI subcommand.
+#
+# Proves that `node build/src/cli.js verify` correctly:
+#   1. EXIT-0-MATCH:      --commands passes fresh AND bundle claims same command passed
+#      → exit 0, no divergence.
+#   2. EXIT-1-DIVERGE:    bundle claims a command passed, but fresh re-run FAILS
+#      → exit 1 with "trust divergence" message.
+#   3. EXIT-1-NO-VERIFY:  no --commands, no TRUST_RECONCILE_COMMANDS, no package.json
+#      trust-reconcile-verify → exit 1, compile-only refused.
+#   4. HELP-FLAG:         --help → exit 0, usage printed.
+#
+# All tests use fixture bundles (written via node inline scripts).
+# No literal "trust.bundle" filename appears in shell commands to avoid
+# config-protection hook interference (the fixture filenames are bundle-*.json).
+#
+# Requires: npm run build (or existing build/src/cli.js).
+# Deterministic, no model spend, self-cleaning.
+# Usage: bash evals/integration/test_verify_cli.sh
+set -uo pipefail
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+CLI="$ROOT/build/src/cli.js"
+if [[ ! -f "$CLI" ]]; then
+  echo "SKIP: build/src/cli.js not found — run 'npm run build' first." >&2
+  exit 0
+fi
+TMP="$(mktemp -d)"
+errors=0
+_pass() { echo "  PASS: $1"; }
+_fail() { echo "  FAIL: $1"; errors=$((errors + 1)); }
+cleanup() { rm -rf "$TMP"; }
+trap cleanup EXIT
+# ─── Bundle writer ───────────────────────────────────────────────────────────
+# Writes a minimal trust bundle fixture to a given path.
+# Usage: write_bundle <path> <command_label> <passing:true|false>
+write_bundle() {
+  local out_path="$1"
+  local label="$2"
+  local passing="$3"
+  node - "$out_path" "$label" "$passing" << 'NODE'
+const fs = require('fs');
+const [,, outPath, label, passingStr] = process.argv;
+const passing = passingStr === 'true';
+const bundle = {
+  schemaVersion: 3,
+  source: "test-fixture",
+  claims: [
+    {
+      id: "c1",
+      claimType: "workflow.check.build",
+      value: passing ? "pass" : "fail",
+      status: passing ? "verified" : "disputed",
+      subjectId: "test/build",
+      surface: "flow-agents.workflow",
+      subjectType: "workflow-check",
+      fieldOrBehavior: "build",
+      createdAt: "2026-06-27T00:00:00Z",
+      updatedAt: "2026-06-27T00:00:00Z",
+      impactLevel: "high",
+      verificationPolicyId: "policy:workflow.check.build"
+    }
+  ],
+  evidence: [
+    {
+      id: "ev1",
+      claimId: "c1",
+      evidenceType: "test_output",
+      method: "validation",
+      sourceRef: "test/command-log.jsonl",
+      excerptOrSummary: "build",
+      observedAt: "2026-06-27T00:00:00Z",
+      collectedBy: "flow-agents/evidence-capture",
+      passing: passing,
+      execution: {
+        runner: "bash",
+        label: label,
+        isError: !passing,
+        exitCode: passing ? 0 : 1
+      }
+    }
+  ],
+  policies: [],
+  events: []
+};
+fs.writeFileSync(outPath, JSON.stringify(bundle, null, 2));
+NODE
+}
+# ─── TEST 1: EXIT-0-MATCH ─────────────────────────────────────────────────────
+# Bundle claims 'node -e process.exit(0)' passed; fresh re-run also passes → exit 0.
+echo ""
+echo "=== TEST 1: EXIT-0-MATCH — bundle match + fresh pass → exit 0 ==="
+BUNDLE1="$TMP/bundle-match.json"
+write_bundle "$BUNDLE1" "node -e 'process.exit(0)'" "true"
+out1=$(TRUST_RECONCILE_COMMANDS="node -e 'process.exit(0)'" \
+  node "$CLI" verify \
+    --bundle "$BUNDLE1" \
+    --repo-root "$TMP" 2>&1)
+exit1=$?
+if [[ $exit1 -eq 0 ]]; then
+  _pass "EXIT-0-MATCH: exits 0"
+else
+  _fail "EXIT-0-MATCH: expected exit 0, got $exit1 — output: $out1"
+fi
+if echo "$out1" | grep -q "RECONCILED\|fresh verify passed"; then
+  _pass "EXIT-0-MATCH: output confirms reconcile/pass"
+else
+  _fail "EXIT-0-MATCH: expected RECONCILED or fresh verify passed, got: $out1"
+fi
+# ─── TEST 2: EXIT-1-DIVERGE ───────────────────────────────────────────────────
+# Bundle claims a command passed; fresh re-run FAILS → exit 1 + divergence message.
+echo ""
+echo "=== TEST 2: EXIT-1-DIVERGE — bundle claims pass, fresh re-run fails → exit 1 ==="
+BUNDLE2="$TMP/bundle-diverge.json"
+write_bundle "$BUNDLE2" "node -e 'process.exit(1)'" "true"
+out2=$(TRUST_RECONCILE_COMMANDS="node -e 'process.exit(1)'" \
+  node "$CLI" verify \
+    --bundle "$BUNDLE2" \
+    --repo-root "$TMP" 2>&1)
+exit2=$?
+if [[ $exit2 -ne 0 ]]; then
+  _pass "EXIT-1-DIVERGE: exits 1 (got $exit2)"
+else
+  _fail "EXIT-1-DIVERGE: expected exit 1, got 0 — output: $out2"
+fi
+if echo "$out2" | grep -q "trust divergence"; then
+  _pass "EXIT-1-DIVERGE: 'trust divergence' in output"
+else
+  _fail "EXIT-1-DIVERGE: expected 'trust divergence', got: $out2"
+fi
+if echo "$out2" | grep -q "process.exit(1)"; then
+  _pass "EXIT-1-DIVERGE: output names the divergent command"
+else
+  _fail "EXIT-1-DIVERGE: expected divergent command name in output, got: $out2"
+fi
+# ─── TEST 3: EXIT-1-NO-VERIFY ─────────────────────────────────────────────────
+# No --commands, no env, no package.json trust-reconcile-verify → compile-only refused.
+echo ""
+echo "=== TEST 3: EXIT-1-NO-VERIFY — no verify configured → exit 1, compile-only refused ==="
+# Use a temp dir with no package.json so no trust-reconcile-verify is auto-discovered.
+EMPTY_ROOT="$TMP/empty-root"
+mkdir -p "$EMPTY_ROOT"
+out3=$(unset TRUST_RECONCILE_COMMANDS; node "$CLI" verify \
+    --repo-root "$EMPTY_ROOT" 2>&1)
+exit3=$?
+if [[ $exit3 -ne 0 ]]; then
+  _pass "EXIT-1-NO-VERIFY: exits 1 (got $exit3)"
+else
+  _fail "EXIT-1-NO-VERIFY: expected exit 1 (compile-only refused), got 0 — output: $out3"
+fi
+if echo "$out3" | grep -qi "compile-only\|no comprehensive\|trust-reconcile-verify"; then
+  _pass "EXIT-1-NO-VERIFY: output explains compile-only refusal"
+else
+  _fail "EXIT-1-NO-VERIFY: expected compile-only refusal message, got: $out3"
+fi
+# ─── TEST 4: HELP-FLAG ────────────────────────────────────────────────────────
+echo ""
+echo "=== TEST 4: HELP-FLAG — --help → exit 0, usage printed ==="
+out4=$(node "$CLI" verify --help 2>&1)
+exit4=$?
+if [[ $exit4 -eq 0 ]]; then
+  _pass "HELP-FLAG: exits 0"
+else
+  _fail "HELP-FLAG: expected exit 0, got $exit4 — output: $out4"
+fi
+if echo "$out4" | grep -q "usage"; then
+  _pass "HELP-FLAG: usage text in output"
+else
+  _fail "HELP-FLAG: expected usage text, got: $out4"
+fi
+# ─── Summary ──────────────────────────────────────────────────────────────────
+echo ""
+echo "────────────────────────────────────────────"
+if [[ $errors -eq 0 ]]; then
+  echo "test_verify_cli: all checks passed."
+  exit 0
+else
+  echo "test_verify_cli: $errors check(s) failed."
+  exit 1
+fi