@kungfu-tech/kfd 1.0.0-alpha.2 → 1.0.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,161 @@
1
+ {
2
+ "id": "kfd-standard-package",
3
+ "standard": "kfd-1",
4
+ "source": {
5
+ "repo": "kungfu-systems/kfd",
6
+ "factSource": "standards.json"
7
+ },
8
+ "contractWorld": {
9
+ "id": "kfd-standard-package",
10
+ "kind": "standard-metadata",
11
+ "name": "KFD standards metadata and release propagation surfaces",
12
+ "schemaId": "https://kfd.libkungfu.dev/schemas/kfd-1/contract-world.schema.json",
13
+ "digest": "sha256:394139c8915426e81eee7f7ea9f3d8209eb0e2b566ddadfccbddea2a3563585d"
14
+ },
15
+ "canonicalPolicy": {
16
+ "path": "standards.json",
17
+ "sha256": "394139c8915426e81eee7f7ea9f3d8209eb0e2b566ddadfccbddea2a3563585d"
18
+ },
19
+ "registry": {
20
+ "path": "registry.json",
21
+ "sha256": "b83cfadeb726e18f96ec4f7451c66091892f4964420dd81939d1120108991c38"
22
+ },
23
+ "surfaces": [
24
+ {
25
+ "name": "kfd-1-document",
26
+ "sourcePath": "decisions/kfd-1.md",
27
+ "sourceSha256": "2ef7438b0737009d36da248d2ecec5f788d46a93b184efadf5e2e31ca20254f0",
28
+ "artifactPath": "decisions/kfd-1.md",
29
+ "expectedSha256": "2ef7438b0737009d36da248d2ecec5f788d46a93b184efadf5e2e31ca20254f0",
30
+ "byteForByte": true
31
+ },
32
+ {
33
+ "name": "kfd-2-document",
34
+ "sourcePath": "decisions/kfd-2.md",
35
+ "sourceSha256": "b8be7b7526dcec9ea501998056c55f546492abc4eb63484a9bb8856eb434b710",
36
+ "artifactPath": "decisions/kfd-2.md",
37
+ "expectedSha256": "b8be7b7526dcec9ea501998056c55f546492abc4eb63484a9bb8856eb434b710",
38
+ "byteForByte": true
39
+ },
40
+ {
41
+ "name": "kfd-3-document",
42
+ "sourcePath": "decisions/kfd-3.md",
43
+ "sourceSha256": "e329bef41ab5cb689346333df317b39918ea1016424a872e438eea8090070b96",
44
+ "artifactPath": "decisions/kfd-3.md",
45
+ "expectedSha256": "e329bef41ab5cb689346333df317b39918ea1016424a872e438eea8090070b96",
46
+ "byteForByte": true
47
+ },
48
+ {
49
+ "name": "kfd-registry",
50
+ "sourcePath": "registry.json",
51
+ "sourceSha256": "b83cfadeb726e18f96ec4f7451c66091892f4964420dd81939d1120108991c38",
52
+ "artifactPath": "registry.json",
53
+ "expectedSha256": "b83cfadeb726e18f96ec4f7451c66091892f4964420dd81939d1120108991c38",
54
+ "byteForByte": true
55
+ },
56
+ {
57
+ "name": "kfd-standards",
58
+ "sourcePath": "standards.json",
59
+ "sourceSha256": "394139c8915426e81eee7f7ea9f3d8209eb0e2b566ddadfccbddea2a3563585d",
60
+ "artifactPath": "standards.json",
61
+ "expectedSha256": "394139c8915426e81eee7f7ea9f3d8209eb0e2b566ddadfccbddea2a3563585d",
62
+ "byteForByte": true
63
+ },
64
+ {
65
+ "name": "kfd-standards-schema",
66
+ "sourcePath": "schemas/kfd-standards.schema.json",
67
+ "sourceSha256": "2ecc7049d13463700f143f4e8c40488d6587484c94d26e827c239eeedc892336",
68
+ "artifactPath": "schemas/kfd-standards.schema.json",
69
+ "expectedSha256": "2ecc7049d13463700f143f4e8c40488d6587484c94d26e827c239eeedc892336",
70
+ "byteForByte": true
71
+ },
72
+ {
73
+ "name": "kfd-1-contract-world-schema",
74
+ "sourcePath": "schemas/kfd-1/contract-world.schema.json",
75
+ "sourceSha256": "6be00cca75c80bf96429eb62336989d8931ea380d86388fcb8b834dcf8d3c13b",
76
+ "artifactPath": "schemas/kfd-1/contract-world.schema.json",
77
+ "expectedSha256": "6be00cca75c80bf96429eb62336989d8931ea380d86388fcb8b834dcf8d3c13b",
78
+ "byteForByte": true
79
+ },
80
+ {
81
+ "name": "kfd-1-witness-schema",
82
+ "sourcePath": "schemas/kfd-1/witness.schema.json",
83
+ "sourceSha256": "50104a2962cb75cc1da634fa65553e993f87d8fb9b3c237f0609a2208ad4c1f3",
84
+ "artifactPath": "schemas/kfd-1/witness.schema.json",
85
+ "expectedSha256": "50104a2962cb75cc1da634fa65553e993f87d8fb9b3c237f0609a2208ad4c1f3",
86
+ "byteForByte": true
87
+ },
88
+ {
89
+ "name": "kfd-2-release-claims-schema",
90
+ "sourcePath": "schemas/kfd-2/release-claims.schema.json",
91
+ "sourceSha256": "cf90ef7d0a7c2abc33af0d97d793b7e9c3ed96335da0b79a082523139282963e",
92
+ "artifactPath": "schemas/kfd-2/release-claims.schema.json",
93
+ "expectedSha256": "cf90ef7d0a7c2abc33af0d97d793b7e9c3ed96335da0b79a082523139282963e",
94
+ "byteForByte": true
95
+ },
96
+ {
97
+ "name": "kfd-2-release-trust-passport-schema",
98
+ "sourcePath": "schemas/kfd-2/release-trust-passport.schema.json",
99
+ "sourceSha256": "92bdd34c0575d18240d1c8be12e86034209f54819048ead9617e7aa2e539aaef",
100
+ "artifactPath": "schemas/kfd-2/release-trust-passport.schema.json",
101
+ "expectedSha256": "92bdd34c0575d18240d1c8be12e86034209f54819048ead9617e7aa2e539aaef",
102
+ "byteForByte": true
103
+ },
104
+ {
105
+ "name": "kfd-3-collaboration-interface-schema",
106
+ "sourcePath": "schemas/kfd-3/collaboration-interface.schema.json",
107
+ "sourceSha256": "03e8d54c08f26bf8aff570995142684b04f0c97578c5fb58d29bc9f1559206d6",
108
+ "artifactPath": "schemas/kfd-3/collaboration-interface.schema.json",
109
+ "expectedSha256": "03e8d54c08f26bf8aff570995142684b04f0c97578c5fb58d29bc9f1559206d6",
110
+ "byteForByte": true
111
+ },
112
+ {
113
+ "name": "kfd-3-witness-schema",
114
+ "sourcePath": "schemas/kfd-3/witness.schema.json",
115
+ "sourceSha256": "cb80768ab8a4f90f86d256555b1995ddb516371ccbe291a8c28581fa371ccd10",
116
+ "artifactPath": "schemas/kfd-3/witness.schema.json",
117
+ "expectedSha256": "cb80768ab8a4f90f86d256555b1995ddb516371ccbe291a8c28581fa371ccd10",
118
+ "byteForByte": true
119
+ },
120
+ {
121
+ "name": "release-propagation-graph",
122
+ "sourcePath": "buildchain.release-propagation.json",
123
+ "sourceSha256": "007b465f3a69b25cf9bb7554e8c0e8727dbd5d5440b2e496d8c257f0ef69c011",
124
+ "artifactPath": "buildchain.release-propagation.json",
125
+ "expectedSha256": "007b465f3a69b25cf9bb7554e8c0e8727dbd5d5440b2e496d8c257f0ef69c011",
126
+ "byteForByte": true
127
+ },
128
+ {
129
+ "name": "buildchain-build-workflow",
130
+ "sourcePath": ".github/workflows/build.yml",
131
+ "sourceSha256": "a3e3f935897f16af86f468c8ee0a4500e2d68828e62411df88684087c65a73ad",
132
+ "artifactPath": ".github/workflows/build.yml",
133
+ "expectedSha256": "a3e3f935897f16af86f468c8ee0a4500e2d68828e62411df88684087c65a73ad",
134
+ "byteForByte": true
135
+ },
136
+ {
137
+ "name": "buildchain-ref-promotion-workflow",
138
+ "sourcePath": ".github/workflows/buildchain-ref-promotion.yml",
139
+ "sourceSha256": "f947f5ab19a856914ea03fb094580c9c7cf4b63d6690b88240b7558b40778e2e",
140
+ "artifactPath": ".github/workflows/buildchain-ref-promotion.yml",
141
+ "expectedSha256": "f947f5ab19a856914ea03fb094580c9c7cf4b63d6690b88240b7558b40778e2e",
142
+ "byteForByte": true
143
+ },
144
+ {
145
+ "name": "release-propagation-workflow",
146
+ "sourcePath": ".github/workflows/release-propagation.yml",
147
+ "sourceSha256": "216710af3be1ac6e85dc50836f21e4bdfe7a28fdec47647e843baa2cc7c9b4e7",
148
+ "artifactPath": ".github/workflows/release-propagation.yml",
149
+ "expectedSha256": "216710af3be1ac6e85dc50836f21e4bdfe7a28fdec47647e843baa2cc7c9b4e7",
150
+ "byteForByte": true
151
+ },
152
+ {
153
+ "name": "verify-workflow",
154
+ "sourcePath": ".github/workflows/verify.yml",
155
+ "sourceSha256": "448f4b6b8263399005a9866cee7906f5334cf5e3daea7d13c70768e586576947",
156
+ "artifactPath": ".github/workflows/verify.yml",
157
+ "expectedSha256": "448f4b6b8263399005a9866cee7906f5334cf5e3daea7d13c70768e586576947",
158
+ "byteForByte": true
159
+ }
160
+ ]
161
+ }
package/README.md CHANGED
@@ -115,13 +115,34 @@ e.g. `https://kfd.libkungfu.dev/1`). This repository publishes
115
115
 
116
116
  Machine consumers that need KFD-owned standard identity should read
117
117
  `standards.json`. It is the versioned metadata surface for stable standard
118
- keys, document routes, schema IDs, and KFD-owned concept names. In Node or
119
- TypeScript projects, import it as:
118
+ keys, document routes and SHA-256 digests, schema IDs, KFD-owned concept names,
119
+ and machine-interface contract versions. In Node or TypeScript projects, import
120
+ it as:
120
121
 
121
122
  ```js
122
123
  import standards from "@kungfu-tech/kfd/standards.json" with { type: "json" };
123
124
  ```
124
125
 
126
+ KFD package semver is only the distribution version. KFD-owned machine
127
+ interfaces carry their own `schemaVersion` and `contract` fields. Compatible
128
+ additions may keep the same interface version; semantic changes, required-field
129
+ changes, verification meaning changes, or responsibility-boundary changes must
130
+ use a new interface version or contract.
131
+
132
+ KFD-2 publishes release-claims and release-trust-passport schemas under
133
+ `schemas/kfd-2/`. These schemas let Buildchain and other release systems audit
134
+ whether public release claims are bound to source facts, evidence, hashes,
135
+ audit boundaries, residual risk, and responsibility state. See
136
+ [`docs/kfd-2-release-trust.md`](docs/kfd-2-release-trust.md).
137
+
138
+ KFD-3 also publishes a general collaboration-interface schema and witness
139
+ schema under `schemas/kfd-3/`. These schemas are for participant-facing product
140
+ interfaces, not only agent APIs. A product such as Kungfu may implement an
141
+ agent-first profile, but that profile remains a product-specific realization of
142
+ KFD-3. The KFD-owned boundary is the standard vocabulary, schema IDs, and
143
+ closed-world evidence shape. See
144
+ [`docs/kfd-3-collaboration-interface.md`](docs/kfd-3-collaboration-interface.md).
145
+
125
146
  ## Current decisions
126
147
 
127
148
  | ID | Kind | Title | Status |
@@ -150,6 +171,8 @@ standards.json machine-readable KFD standard metadata (schemaVersion 1,
150
171
  contract kfd-standards-metadata)
151
172
  schemas/ JSON schemas for package metadata and KFD-owned schema IDs
152
173
  site/ machine-readable site bundle for kfd.libkungfu.dev renderers
174
+ buildchain.release-propagation.json
175
+ Buildchain release propagation graph for KFD -> site consumers
153
176
  release-impact.json
154
177
  Buildchain surface-aware impact ledger for production release passports
155
178
  scripts/ conformance check: registry and documents must agree
@@ -157,7 +180,8 @@ scripts/ conformance check: registry and documents must agree
157
180
 
158
181
  `node scripts/check.mjs` (also `pnpm run check`) verifies numbering
159
182
  uniqueness, registry/document agreement, standards metadata/schema agreement,
160
- status validity, and the release impact ledger required by Buildchain
183
+ status validity, decision document SHA-256 bindings, interface contract
184
+ version bindings, and the release impact ledger required by Buildchain
161
185
  production release passports. Releases are governed by Buildchain; this package
162
186
  versions itself under KFD-1's own rules: the outer package line remains `v1.0`,
163
187
  while patch and prerelease numbers are advanced by Buildchain release
@@ -0,0 +1,25 @@
1
+ {
2
+ "schemaVersion": 1,
3
+ "contract": "kungfu-buildchain-release-propagation-graph",
4
+ "nodes": [
5
+ {
6
+ "id": "kfd",
7
+ "repository": "kungfu-systems/kfd",
8
+ "package": "@kungfu-tech/kfd"
9
+ },
10
+ {
11
+ "id": "site-libkungfu-dev",
12
+ "repository": "kungfu-systems/site-libkungfu-dev",
13
+ "lockPath": "buildchain.upstreams/kfd.release.json",
14
+ "baseRef": "dev/v2/v2.7"
15
+ }
16
+ ],
17
+ "edges": [
18
+ {
19
+ "id": "kfd-to-site-libkungfu-dev",
20
+ "from": "kfd",
21
+ "to": "site-libkungfu-dev",
22
+ "channelPolicy": "preserve"
23
+ }
24
+ ]
25
+ }
package/docs/MAP.md CHANGED
@@ -8,9 +8,11 @@
8
8
  | What should a site renderer consume to render `kfd.libkungfu.dev`? | [`../site/kfd-site.json`](../site/kfd-site.json) |
9
9
  | What is the top-level product accountability principle? | [KFD-2](../decisions/kfd-2.md) |
10
10
  | What stance should products take toward humans and agents as reasoning participants? | [KFD-3](../decisions/kfd-3.md) |
11
+ | What schema should products use for KFD-3 participant-facing collaboration interfaces? | [`kfd-3-collaboration-interface.md`](kfd-3-collaboration-interface.md) |
11
12
  | What does a specific decision say? | [`../decisions/`](../decisions) (index: [`../registry.json`](../registry.json)) |
12
13
  | What machine metadata should Buildchain or another consumer import for KFD standard identity and schema IDs? | [`../standards.json`](../standards.json) |
13
14
  | What schema validates the standards metadata surface? | [`../schemas/kfd-standards.schema.json`](../schemas/kfd-standards.schema.json) |
15
+ | What schema should release systems use for KFD-2 release claims and trust passports? | [`kfd-2-release-trust.md`](kfd-2-release-trust.md) |
14
16
  | How do I cite a decision? | [`../README.md`](../README.md) — cite by number, e.g. `KFD-1` |
15
17
  | How do decisions change over time? | [`../CONTRIBUTING.md`](../CONTRIBUTING.md) — append-only; explicit supersession mints a new number |
16
18
  | How is this package versioned and released? | [KFD-1](../decisions/kfd-1.md) applied to itself; Buildchain governs releases |
@@ -0,0 +1,46 @@
1
+ # KFD-2 Release Trust Metadata
2
+
3
+ KFD-2 says that trust must start from inspectable facts and responsibility
4
+ state. For releases, that means a product must not ask users or agents to trust
5
+ release claims only because they appear in prose, changelogs, or repository
6
+ history.
7
+
8
+ This package defines two KFD-owned machine interfaces:
9
+
10
+ - `schemas/kfd-2/release-claims.schema.json`: the product's declared public
11
+ release claims.
12
+ - `schemas/kfd-2/release-trust-passport.schema.json`: the verifier's result
13
+ after auditing those claims against evidence.
14
+
15
+ The intended Buildchain flow is:
16
+
17
+ ```text
18
+ release claims -> evidence audit -> release trust passport -> release passport
19
+ ```
20
+
21
+ Each claim should declare the statement being made, the source of the claim,
22
+ machine-readable evidence, the audit boundary, residual risk, and responsibility
23
+ state. The trust passport should then record whether each claim is bound to
24
+ evidence, which evidence was checked, what the result was, and who owns the
25
+ release decision.
26
+
27
+ ## Interface Versioning
28
+
29
+ KFD package semver is only the distribution version. It is not the version of a
30
+ KFD-owned machine interface.
31
+
32
+ Every KFD-owned machine interface uses:
33
+
34
+ - `schemaVersion`: the interface version consumed by tools.
35
+ - `contract`: the stable contract name, such as `kfd-2-release-claims`.
36
+ - `$id`: the canonical schema URL for the current stable interface.
37
+
38
+ Compatible additions may keep `schemaVersion: 1`. A change that alters required
39
+ fields, field semantics, verification meaning, audit boundary semantics, or
40
+ responsibility semantics must not silently reuse the same interface contract.
41
+ It must introduce a new interface version or, when the standard itself changes,
42
+ a new KFD decision or amendment path.
43
+
44
+ The same rule applies to KFD-1 and KFD-3 schemas. Their current schemas already
45
+ carry `schemaVersion: 1` and a `contract` value; this document makes the
46
+ evolution rule explicit across the KFD package.
@@ -0,0 +1,59 @@
1
+ # KFD-3 Collaboration Interface
2
+
3
+ KFD-3 is a cooperation standard for intelligent participants. It is not an
4
+ agent-only standard. Products can use it for humans, agents, operators,
5
+ extension authors, API consumers, hosted-service users, service integrators,
6
+ maintainers, and other participants who need to understand value, choices, and
7
+ constraints before cooperating.
8
+
9
+ The KFD-owned schema surface is intentionally general:
10
+
11
+ - `schemas/kfd-3/collaboration-interface.schema.json` declares a product's
12
+ participant-facing collaboration interface.
13
+ - `schemas/kfd-3/witness.schema.json` declares release or build evidence that
14
+ the interface is discoverable, classified, constraint-transparent, and closed
15
+ over reachable participant-facing entrypoints.
16
+
17
+ KFD owns the standard identity, schema IDs, concept names, and compatibility
18
+ rules. Product repositories own their concrete profiles. For example, Kungfu
19
+ may expose an agent-first profile because agents are a first-class participant
20
+ in the current product, but that profile remains a Kungfu implementation of
21
+ KFD-3 rather than the definition of KFD-3 itself.
22
+
23
+ ## Required shape
24
+
25
+ A product collaboration interface should identify:
26
+
27
+ - participant profiles, such as `human`, `agent`, `operator`,
28
+ `extension-author`, or `api-consumer`;
29
+ - minimal entrypoints that let each participant discover the rest of the
30
+ interface;
31
+ - participant-visible surfaces, such as CLI commands, JSON APIs, manuals,
32
+ skills, GUI routes, envelopes, packages, or protocols;
33
+ - visible constraints, including what is restricted, why, and where review or
34
+ escalation happens;
35
+ - choice paths that let participants choose or decline safe cooperation modes;
36
+ - a closure policy for reachable participant-facing entrypoints.
37
+
38
+ The KFD-3 witness schema is intentionally stricter about closure: a passing
39
+ closed-world proof reports reachable entrypoints, classified entrypoints, and
40
+ an empty `unclassifiedEntrypoints` list. This prevents a product from exposing
41
+ a participant-facing or callable backdoor API outside the declared interface.
42
+
43
+ ## Product profile boundary
44
+
45
+ Concrete product profiles may add their own contracts, registry fields, command
46
+ metadata, generated manuals, or audit output. Those fields should reference the
47
+ KFD-3 schema IDs from `standards.json` instead of copying KFD-owned terms.
48
+
49
+ Examples:
50
+
51
+ - A Kungfu agent-first bridge can map local commands, provider skills, command
52
+ metadata, and operating manuals into a KFD-3 collaboration interface.
53
+ - A Buildchain release passport can carry a KFD-3 witness once a downstream
54
+ product can freeze and verify the concrete interface artifact.
55
+ - A hosted surface can use the same standard to show where policy constraints,
56
+ permission gates, and user choices are visible before cooperation is
57
+ requested.
58
+
59
+ This keeps KFD-3 general while making real product interfaces testable.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kungfu-tech/kfd",
3
- "version": "1.0.0-alpha.2",
3
+ "version": "1.0.0-alpha.4",
4
4
  "description": "Kung Fu Decisions (KFD): the kungfu-systems organization-wide decision registry, as a consumable artifact",
5
5
  "license": "Apache-2.0",
6
6
  "files": [
@@ -10,6 +10,8 @@
10
10
  "standards.json",
11
11
  "schemas",
12
12
  "site",
13
+ "buildchain.release-propagation.json",
14
+ ".buildchain/kfd-1/contract-world.witness.json",
13
15
  "docs"
14
16
  ],
15
17
  "exports": {
@@ -18,6 +20,8 @@
18
20
  "./registry.json": "./registry.json",
19
21
  "./standards.json": "./standards.json",
20
22
  "./site/kfd-site.json": "./site/kfd-site.json",
23
+ "./buildchain.release-propagation.json": "./buildchain.release-propagation.json",
24
+ "./buildchain/kfd-1/contract-world.witness.json": "./.buildchain/kfd-1/contract-world.witness.json",
21
25
  "./schemas/*.json": "./schemas/*.json",
22
26
  "./schemas/*/*.json": "./schemas/*/*.json",
23
27
  "./decisions/*.md": "./decisions/*.md",