@ludecker/aaac 1.1.0 → 1.1.1

package/src/run-engine/init-run.mjs

@@ -15,6 +15,11 @@ import {
   promptFromHook,
 } from "./lib.mjs";
 import { recordLog, recordDecision } from "./log.mjs";
+import {
+  resolveCapabilitiesWithRuntime,
+  evaluateCapabilityRuntimePolicy,
+  loadObjectMaturity,
+} from "./capability-evidence.mjs";
 
 async function readStdin() {
   return new Promise((resolve) => {
@@ -64,6 +69,14 @@ const runId = `run_${date}_${slugify(parsed.command + (parsed.domain ? `-${parse
 const entry = registry.commands[parsed.command];
 fs.mkdirSync(runDir(runId), { recursive: true });
 
+const runObject = entry.object ?? null;
+const runVerb = entry.verb ?? parsed.command.split("-")[0];
+const objectMaturity = loadObjectMaturity(runObject);
+const capabilitiesResolved = resolveCapabilitiesWithRuntime(runObject, runVerb);
+const capabilityRuntimePolicy = evaluateCapabilityRuntimePolicy(capabilitiesResolved, {
+  object_maturity: objectMaturity,
+});
+
 const manifest = {
   run_id: runId,
   conversation_id: conversationId,
@@ -84,7 +97,9 @@ const manifest = {
   artifacts: {},
   checkpoints: [],
   log: [],
-  capabilities_resolved: {},
+  capabilities_resolved: capabilitiesResolved,
+  capability_runtime: capabilityRuntimePolicy,
+  capability_runtime_approved: false,
   confidence: { architecture: null, requirements: null, scope: null },
   gates: { stack: entry.gate_stack ?? null, results: {} },
   swarm: { task_launches_this_phase: 0, phase: pending[0] },
@@ -131,6 +146,41 @@ recordDecision(manifest, {
   evidence: parsed.raw,
 });
 
+for (const [capabilityId, resolution] of Object.entries(manifest.capabilities_resolved)) {
+  recordLog(manifest, {
+    event: "capability_resolved",
+    phase: "dispatch",
+    phase_kind: "work",
+    detail: `${capabilityId}:${(resolution.providers ?? []).map((p) => p.id).join(",")} state=${resolution.runtime?.state ?? "experimental"}`,
+    level: "debug",
+  });
+}
+
+recordLog(manifest, {
+  event: "capability_runtime_evaluated",
+  phase: "dispatch",
+  phase_kind: "work",
+  detail: `action=${capabilityRuntimePolicy.action} maturity=${objectMaturity}`,
+  level: "info",
+});
+
+if (capabilityRuntimePolicy.action === "warn") {
+  recordLog(manifest, {
+    event: "capability_runtime_warn",
+    phase: "dispatch",
+    phase_kind: "work",
+    detail: capabilityRuntimePolicy.reasons.join("; "),
+    level: "warn",
+  });
+}
+
+recordDecision(manifest, {
+  phase: "dispatch",
+  decision: "capability_runtime",
+  reason: capabilityRuntimePolicy.action,
+  evidence: capabilityRuntimePolicy.reasons.join("; ") || "allow",
+});
+
 recordLog(manifest, {
   event: "phase_start",
   phase: pending[0],

package/src/run-engine/lib.mjs

@@ -5,6 +5,7 @@ import { fileURLToPath } from "url";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 export const CURSOR_ROOT = path.resolve(__dirname, "../../..");
+export const REPO_ROOT = path.resolve(CURSOR_ROOT, "..");
 export const AAAC_ROOT = path.join(CURSOR_ROOT, "aaac");
 export const STATE_ROOT = path.join(AAAC_ROOT, "state");
 export const RUNS_ROOT = path.join(STATE_ROOT, "runs");
@@ -12,6 +13,10 @@ export const ACTIVE_RUN_PATH = path.join(STATE_ROOT, "active-run.json");
 export const ACTIVE_RUNS_DIR = path.join(STATE_ROOT, "active-runs");
 export const REGISTRY_PATH = path.join(AAAC_ROOT, "runtime-registry.json");
 export const ENFORCEMENT_PATH = path.join(AAAC_ROOT, "enforcement.json");
+export const ONTOLOGY_PATH = path.join(AAAC_ROOT, "ontology.json");
+export const CAPABILITY_REGISTRY_PATH = path.join(AAAC_ROOT, "capabilities", "registry.json");
+export const PROMOTION_RULES_PATH = path.join(AAAC_ROOT, "capabilities", "promotion-rules.json");
+export const CAPABILITY_STATS_PATH = path.join(STATE_ROOT, "capability-stats.json");
 
 export function readJson(filePath, fallback = null) {
   try {

package/src/run-engine/verify-website-build.mjs

@@ -0,0 +1,148 @@
+#!/usr/bin/env node
+/**
+ * Verify website static assets + production build.
+ * Used by advance-phase on create/update/fix verify completion.
+ *
+ * Usage:
+ *   node verify-website-build.mjs [--run-id <run_id>] [--skip-build]
+ */
+import fs from "fs";
+import path from "path";
+import { spawnSync } from "child_process";
+import { fileURLToPath } from "url";
+import { REPO_ROOT, runDir, isoNow, writeJson } from "./lib.mjs";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const WEBSITE_ROOT = path.join(REPO_ROOT, "apps/website");
+const INDEX_HTML = path.join(WEBSITE_ROOT, "index.html");
+
+const args = process.argv.slice(2);
+const runIdIdx = args.indexOf("--run-id");
+const runId = runIdIdx >= 0 ? args[runIdIdx + 1] : null;
+const skipBuild = args.includes("--skip-build");
+
+const results = {
+  status: "pass",
+  checked_at: isoNow(),
+  static_assets: { status: "pass", missing: [] },
+  build: { status: skipBuild ? "skipped" : "pending", command: "pnpm --filter @ludecker/website build" },
+};
+
+function fail(section, detail) {
+  results.status = "fail";
+  if (section === "static_assets") {
+    results.static_assets.status = "fail";
+    results.static_assets.missing.push(detail);
+  } else if (section === "build") {
+    results.build.status = "fail";
+    results.build.detail = detail;
+  }
+  console.error(`[verify-website-build] FAIL ${section}: ${detail}`);
+}
+
+function resolveRootAsset(assetPath) {
+  const rel = assetPath.replace(/^\//, "");
+  const candidates = [
+    path.join(WEBSITE_ROOT, "public", rel),
+    path.join(WEBSITE_ROOT, rel),
+  ];
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+
+function checkStaticAssets() {
+  if (!fs.existsSync(INDEX_HTML)) {
+    fail("static_assets", `missing index.html at ${INDEX_HTML}`);
+    return;
+  }
+
+  const html = fs.readFileSync(INDEX_HTML, "utf8");
+  const rootRefs = [
+    ...html.matchAll(/\b(?:href|src)="(\/[^"#?]+)"/g),
+  ].map((match) => match[1]);
+
+  const seen = new Set();
+  for (const ref of rootRefs) {
+    if (seen.has(ref) || ref.startsWith("//")) continue;
+    seen.add(ref);
+
+    const resolved = resolveRootAsset(ref);
+    if (!resolved) {
+      fail(
+        "static_assets",
+        `${ref} not found under apps/website/public/ or apps/website/ (Vite dev resolves root paths to project root)`,
+      );
+    }
+  }
+}
+
+function runBuild() {
+  if (skipBuild) return;
+
+  const proc = spawnSync(
+    "pnpm",
+    ["--filter", "@ludecker/website", "build"],
+    {
+      cwd: REPO_ROOT,
+      encoding: "utf8",
+      env: { ...process.env, CI: "1" },
+    },
+  );
+
+  if (proc.status !== 0) {
+    const detail = [proc.stderr, proc.stdout].filter(Boolean).join("\n").trim();
+    results.build.status = "fail";
+    results.build.exit_code = proc.status ?? 1;
+    fail("build", detail || `exit ${proc.status}`);
+    return;
+  }
+
+  results.build.status = "pass";
+  results.build.exit_code = 0;
+}
+
+function writeArtifact() {
+  if (!runId) return;
+
+  const artifactDir = path.join(runDir(runId), "artifacts");
+  fs.mkdirSync(artifactDir, { recursive: true });
+
+  const yaml = [
+    `status: ${results.status}`,
+    `checked_at: ${results.checked_at}`,
+    "static_assets:",
+    `  status: ${results.static_assets.status}`,
+    `  missing: ${JSON.stringify(results.static_assets.missing)}`,
+    "build:",
+    `  status: ${results.build.status}`,
+    `  command: ${JSON.stringify(results.build.command)}`,
+    results.build.exit_code != null ? `  exit_code: ${results.build.exit_code}` : null,
+    results.build.detail ? `  detail: ${JSON.stringify(results.build.detail)}` : null,
+  ]
+    .filter(Boolean)
+    .join("\n");
+
+  fs.writeFileSync(path.join(artifactDir, "verify.yaml"), `${yaml}\n`);
+
+  const manifestPath = path.join(runDir(runId), "run.json");
+  try {
+    const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
+    manifest.artifacts = manifest.artifacts ?? {};
+    manifest.artifacts.verify = results;
+    manifest.updated_at = isoNow();
+    writeJson(manifestPath, manifest);
+  } catch {
+    // run.json may not exist in standalone invocations
+  }
+}
+
+checkStaticAssets();
+runBuild();
+writeArtifact();
+
+console.log(JSON.stringify({ ok: results.status === "pass", ...results }));
+process.exit(results.status === "pass" ? 0 : 1);

package/templates/cursor/aaac/capabilities/promotion-rules.json

@@ -0,0 +1,64 @@
+{
+  "version": 1,
+  "description": "Evidence-driven capability lifecycle promotion thresholds. State belongs to capability, not provider.",
+  "states": ["experimental", "validated", "trusted", "canonical", "deprecated"],
+  "default_state": "experimental",
+  "thresholds": {
+    "validated": {
+      "min_invocations": 10
+    },
+    "trusted": {
+      "min_invocations": 25,
+      "min_success_rate": 0.8,
+      "max_rollback_rate": 0.05,
+      "max_gate_failure_rate": 0.2
+    },
+    "canonical": {
+      "min_invocations": 100,
+      "min_success_rate": 0.95,
+      "max_rollback_rate": 0.01,
+      "max_gate_failure_rate": 0.1,
+      "manual_approval": true
+    }
+  },
+  "demotion": {
+    "from_trusted": {
+      "min_invocations": 20,
+      "min_success_rate_below": 0.7
+    },
+    "to_deprecated": {
+      "manual_only": true
+    }
+  },
+  "fitness_scoring": {
+    "pass": 100,
+    "warning": 75,
+    "fail": 0
+  },
+  "runtime": {
+    "by_state": {
+      "experimental": {
+        "warn": true,
+        "require_approval_on": ["critical", "protected"]
+      },
+      "validated": {},
+      "trusted": {},
+      "canonical": {},
+      "deprecated": {
+        "block_execute": true
+      }
+    },
+    "evidence_triggers": [
+      {
+        "min_invocations": 5,
+        "min_success_rate_below": 0.5,
+        "action": "require_approval"
+      },
+      {
+        "min_invocations": 10,
+        "min_avg_fitness_below": 60,
+        "action": "require_approval"
+      }
+    ]
+  }
+}

package/templates/cursor/aaac/capabilities/registry.json

@@ -2,44 +2,44 @@
   "version": 2,
   "capabilities": {
     "ui-design": {
-      "description": "Design tokens, component CSS, presentational UI",
+      "description": "Design tokens, component CSS, Figma alignment",
       "providers": [
-        { "id": "component", "type": "skill", "path": "skills/shared/component" }
+        { "id": "ludecker-design-system", "type": "skill", "path": "skills/ludecker/design-system" }
       ]
     },
     "ux-design": {
-      "description": "User flows, readability, navigation clarity",
+      "description": "Editorial readability, publish flow, navigation clarity",
       "providers": [
-        { "id": "workflow", "type": "skill", "path": "skills/shared/workflow" }
+        { "id": "ludecker-user-experience", "type": "skill", "path": "skills/ludecker/user-experience" }
       ]
     },
     "api-design": {
       "description": "Contracts and validation at boundaries",
       "providers": [
-        { "id": "integration", "type": "skill", "path": "skills/shared/integration" }
+        { "id": "ludecker-api-first", "type": "skill", "path": "skills/ludecker/api-first" }
       ]
     },
     "database-design": {
-      "description": "Schema, migrations, persistence contracts",
+      "description": "Schema, migrations, RLS, type mirrors",
       "providers": [
-        { "id": "schema", "type": "skill", "path": "skills/shared/schema" },
-        { "id": "migration", "type": "skill", "path": "skills/shared/migration" }
+        { "id": "ludecker-database-schema", "type": "skill", "path": "skills/ludecker/database-schema" },
+        { "id": "supabase-mcp", "type": "mcp", "optional": true, "note": "Apply migrations and RLS via Supabase MCP" }
       ]
     },
     "security": {
-      "description": "Auth, secrets, access control — extend with project skills",
+      "description": "Auth, RLS, secrets, CMS gates",
       "providers": [
-        { "id": "architecture", "type": "skill", "path": "skills/shared/architecture" }
+        { "id": "ludecker-security", "type": "skill", "path": "skills/ludecker/security" }
       ]
     },
     "infrastructure": {
-      "description": "Deploy, hosting, environment",
+      "description": "Deploy, Render, env, hosting",
       "providers": [
-        { "id": "platform-release", "type": "skill", "path": "skills/shared/platform-release" }
+        { "id": "ludecker-infrastructure", "type": "skill", "path": "skills/ludecker/infrastructure" }
       ]
     },
     "layer-boundaries": {
-      "description": "SSOT, import direction, module layers",
+      "description": "SSOT, import direction, monorepo layers",
       "providers": [
         { "id": "architecture", "type": "skill", "path": "skills/shared/architecture" }
       ]
@@ -65,7 +65,8 @@
     "migration-model": {
       "description": "Migration scripts and apply procedure",
       "providers": [
-        { "id": "migration", "type": "skill", "path": "skills/shared/migration" }
+        { "id": "migration", "type": "skill", "path": "skills/shared/migration" },
+        { "id": "supabase-mcp", "type": "mcp", "optional": true }
       ]
     },
     "workflow-model": {
@@ -101,6 +102,7 @@
   },
   "resolution": {
     "graph_skill_keys": "providers where type=skill → id maps to graph skills key",
-    "run_record": "all providers including type=mcp recorded on Run.capabilities_resolved and decisions"
+    "run_record": "all providers including type=mcp recorded on Run.capabilities_resolved and decisions",
+    "lifecycle": "cross-run state in state/capability-stats.json; promotion thresholds in promotion-rules.json; updated by capability-evidence.mjs after each completed Run"
   }
 }

package/templates/cursor/aaac/dispatch.md

@@ -51,7 +51,7 @@ Read [graph.yaml](graph.yaml) and [ontology.json](ontology.json).
 - **Lifecycle (work):** [lifecycle/lifecycle.json](lifecycle/lifecycle.json) `verbs.*.work_phases`
 - **Gates (approval):** [governance/gates.json](governance/gates.json) — composed into runtime per `verb_runtime` in graph
 - **Maturity:** read `object_maturity.<object>` and apply `maturity_rules.<level>` (may require extra gate phases)
-- **Capabilities:** resolve `object_capabilities.<object>` via [capabilities/registry.json](capabilities/registry.json) — record all providers (skill + mcp) on Run
+- **Capabilities:** resolve `object_capabilities.<object>` via [capabilities/registry.json](capabilities/registry.json) — `init-run.mjs` records providers on `Run.capabilities_resolved`; on completion `capability-evidence.mjs` aggregates evidence into [state/capability-stats.json](state/capability-stats.json) and evaluates [capabilities/promotion-rules.json](capabilities/promotion-rules.json)
 - **Dependencies:** [dependencies.yaml](dependencies.yaml)
 - **Fitness:** [fitness-functions.yaml](fitness-functions.yaml) — includes `minimal_complexity` for create/update/fix
 - **Complexity:** [complexity.yaml](complexity.yaml) + [minimal-complexity.md](../policies/minimal-complexity.md) for create/update/fix
@@ -144,7 +144,7 @@ Do **not** proceed until user approves in chat. On approval: log decision, set `
 1. **discover** — 4–6 parallel Task agents per [discovery/SKILL.md](../skills/shared/discovery/SKILL.md)
 2. **investigate_swarm** — 7 parallel Task agents per investigation Mode A — **one message**
 3. **root_cause** — artifact required; confidence ≥ 0.7 before plan
-4. **verify** — fix verify swarm (3 parallel) per [testing/SKILL.md](../skills/shared/testing/SKILL.md); fail if `repro_status: not_fixed`
+4. **verify** — fix verify swarm (3 parallel) per [testing/SKILL.md](../skills/shared/testing/SKILL.md); **website build gate** (`verify-website-build.mjs`) must pass for create/update/fix; fail if `repro_status: not_fixed`
 
 Skipping swarms because the issue "looks simple" is a **contract violation** for `fix-module` / `fix-bug` / `fix_mode`.
 

package/templates/cursor/aaac/enforcement.json

@@ -1,8 +1,9 @@
 {
-  "version": 1,
+  "version": 2,
   "description": "AAAC runtime enforcement — SSOT for hooks and run engine",
   "edit_phases": ["execute", "sync_inventory", "persist", "write"],
-  "artifact_write_phases": ["plan", "report"],
+  "artifact_write_phases": ["plan", "report", "verify"],
+  "verify_verbs": ["create", "update", "fix"],
   "swarm_min_agents": {
     "discover": 4,
     "investigate_swarm": 7,
@@ -13,10 +14,12 @@
     "investigate_swarm": ["artifacts/investigation.md"],
     "root_cause": ["artifacts/root_cause.yaml"],
     "plan": ["artifacts/plan.yaml"],
+    "verify": ["artifacts/verify.yaml"],
     "report": ["artifacts/report.md"]
   },
   "allowed_path_prefixes": {
-    "run_artifacts": [".cursor/aaac/state/runs/", "aaac/state/runs/"]
+    "run_artifacts": [".cursor/aaac/state/runs/", "aaac/state/runs/"],
+    "write_article": [".cursor/write-article-runs/"]
   },
   "fix_commands": ["fix-module", "fix-bug", "module-fix", "bug-fix"]
 }

package/templates/cursor/aaac/governance/gates.json

@@ -29,7 +29,9 @@
         "plan missing requirement_map or unjustified create",
         "impact proceed false",
         "rollback unverified",
-        "user intent contains requires approval"
+        "user intent contains requires approval",
+        "capability runtime require_approval",
+        "capability state deprecated"
       ],
       "run_fields": {
         "status": "blocked",

package/templates/cursor/aaac/layers.md

@@ -36,6 +36,8 @@ Execution Layer
 ├─ Verb orchestrators          .cursor/skills/shared/verbs/*/orchestrator/
 ├─ Shared pipeline skills      .cursor/skills/shared/
 ├─ Capability registry         .cursor/aaac/capabilities/registry.json
+├─ Capability promotion rules  .cursor/aaac/capabilities/promotion-rules.json
+├─ Capability stats (derived)  .cursor/aaac/state/capability-stats.json
 ├─ Agent specs                 .cursor/agents/
 
 Knowledge Layer
@@ -87,6 +89,7 @@ Policies → Ontology → Graph → Create Run
 → Lifecycle (work) + Gates (composed into Run.pending)
 → Orchestrator → Capabilities resolved (recorded on Run)
 → Execute phases → Update Run → Report
+→ Run completes → capability-evidence.mjs → update capability-stats.json + evaluate promotion
 ```
 
 ## Deprecated

package/templates/cursor/aaac/observability/telemetry.yaml

@@ -21,6 +21,9 @@ log_on:
   - human_approval_required
   - human_approval_received
   - capability_resolved
+  - evidence_aggregated
+  - capability_promoted
+  - evidence_aggregation_failed
   - skill_loaded
   - doc_loaded
   - agent_spawned

package/templates/cursor/aaac/run/schema.json

@@ -22,6 +22,8 @@
     "checkpoints": [],
     "log": [],
     "capabilities_resolved": {},
+    "capability_evidence_processed": false,
+    "capability_evidence_outcomes": [],
     "confidence": {
       "architecture": null,
       "requirements": null,

package/templates/cursor/aaac/scripts/run-engine/advance-phase.mjs

@@ -5,6 +5,8 @@
  */
 import fs from "fs";
 import path from "path";
+import { spawnSync } from "child_process";
+import { fileURLToPath } from "url";
 import {
   loadRegistry,
   loadEnforcement,
@@ -18,6 +20,14 @@ import {
   saveActiveRun,
 } from "./lib.mjs";
 import { recordLog } from "./log.mjs";
+import {
+  processRunEvidence,
+  evaluateCapabilityRuntimePolicy,
+  resolveCapabilitiesWithRuntime,
+  loadObjectMaturity,
+} from "./capability-evidence.mjs";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
 const runId = process.argv[2];
 const completedPhase = process.argv[3];
@@ -67,6 +77,46 @@ if (minAgents && launches < minAgents && !force) {
   process.exit(2);
 }
 
+const verifyVerbs = enforcement.verify_verbs ?? ["create", "update", "fix"];
+if (
+  completedPhase === "verify" &&
+  verifyVerbs.includes(manifest.verb) &&
+  !force
+) {
+  const verifyScript = path.join(__dirname, "verify-website-build.mjs");
+  const verifyRun = spawnSync("node", [verifyScript, "--run-id", runId], {
+    encoding: "utf8",
+  });
+  if (verifyRun.status !== 0) {
+    const detail =
+      verifyRun.stderr?.trim() ||
+      verifyRun.stdout?.trim() ||
+      "verify-website-build failed";
+    recordLog(manifest, {
+      event: "gate_fail",
+      phase: completedPhase,
+      phase_kind: manifest.phase_kind,
+      detail: `website verify failed: ${detail.slice(0, 500)}`,
+      level: "warn",
+    });
+    manifest.updated_at = isoNow();
+    writeJson(manifestPath, manifest);
+    console.error(
+      "Website verify failed (static assets + vite build). Fix errors, then re-run:\n" +
+        `  node .cursor/aaac/scripts/run-engine/verify-website-build.mjs --run-id ${runId}\n` +
+        detail,
+    );
+    process.exit(2);
+  }
+  recordLog(manifest, {
+    event: "verify_website_pass",
+    phase: completedPhase,
+    phase_kind: manifest.phase_kind,
+    detail: "static assets + vite build",
+    level: "info",
+  });
+}
+
 const requiredArtifacts = enforcement.phase_artifacts?.[completedPhase] ?? [];
 for (const rel of requiredArtifacts) {
   const artifactPath = path.join(runDir(runId), rel);
@@ -119,7 +169,68 @@ recordLog(manifest, {
   level: "info",
 });
 
-const nextPhase = manifest.pending.shift() ?? null;
+let nextPhase = manifest.pending.shift() ?? null;
+
+if (nextPhase === "execute" && !force) {
+  const resolved =
+    manifest.capabilities_resolved &&
+    Object.keys(manifest.capabilities_resolved).length > 0
+      ? manifest.capabilities_resolved
+      : resolveCapabilitiesWithRuntime(manifest.object, manifest.verb);
+  const policy = evaluateCapabilityRuntimePolicy(resolved, {
+    object_maturity: loadObjectMaturity(manifest.object),
+  });
+  manifest.capability_runtime = policy;
+
+  const needsBlock =
+    policy.action === "block" ||
+    (policy.action === "require_approval" && !manifest.capability_runtime_approved);
+
+  if (needsBlock) {
+    manifest.pending.unshift(nextPhase);
+    nextPhase = null;
+    manifest.status = "blocked";
+    manifest.awaiting_approval = policy.action === "require_approval";
+    manifest.blocked_reason = policy.reasons.join("; ") || "capability runtime policy";
+    recordLog(manifest, {
+      event: "gate_fail",
+      phase: completedPhase,
+      phase_kind: manifest.phase_kind,
+      detail: `capability runtime ${policy.action}: ${manifest.blocked_reason}`,
+      level: "warn",
+    });
+    manifest.updated_at = isoNow();
+    writeJson(manifestPath, manifest);
+    saveActiveRun(manifest.conversation_id ?? null, {
+      run_id: runId,
+      conversation_id: manifest.conversation_id ?? null,
+      command: manifest.command,
+      phase: manifest.phase,
+      status: manifest.status,
+      task_launches_this_phase: 0,
+      edit_allowed: false,
+      started_at: manifest.created_at,
+    });
+    console.error(
+      `Capability runtime ${policy.action}: ${manifest.blocked_reason}. ` +
+        (policy.action === "require_approval"
+          ? "User must approve in chat; set capability_runtime_approved on Run and retry."
+          : "Cannot proceed to execute."),
+    );
+    process.exit(2);
+  }
+
+  if (policy.action === "warn") {
+    recordLog(manifest, {
+      event: "capability_runtime_warn",
+      phase: completedPhase,
+      phase_kind: manifest.phase_kind,
+      detail: policy.reasons.join("; "),
+      level: "warn",
+    });
+  }
+}
+
 if (!nextPhase) {
   manifest.status = "completed";
   manifest.phase = "report";
@@ -131,6 +242,46 @@ if (!nextPhase) {
     detail: "all phases completed",
     level: "info",
   });
+
+  try {
+    const evidenceResult = processRunEvidence(runId, { manifest, skipManifestWrite: true });
+    if (evidenceResult.ok && !evidenceResult.skipped) {
+      manifest.capability_evidence_processed = true;
+      manifest.capability_evidence_outcomes = evidenceResult.outcomes;
+      if (
+        !manifest.capabilities_resolved ||
+        !Object.keys(manifest.capabilities_resolved).length
+      ) {
+        manifest.capabilities_resolved = evidenceResult.resolved;
+      }
+      recordLog(manifest, {
+        event: "evidence_aggregated",
+        phase: "report",
+        phase_kind: "work",
+        detail: `capabilities=${(evidenceResult.capabilities ?? []).join(",")}`,
+        level: "info",
+      });
+      for (const outcome of evidenceResult.outcomes ?? []) {
+        if (outcome.previous_state !== outcome.new_state) {
+          recordLog(manifest, {
+            event: "capability_promoted",
+            phase: "report",
+            phase_kind: "work",
+            detail: `${outcome.capability_id}:${outcome.previous_state}→${outcome.new_state}`,
+            level: "info",
+          });
+        }
+      }
+    }
+  } catch (err) {
+    recordLog(manifest, {
+      event: "evidence_aggregation_failed",
+      phase: "report",
+      phase_kind: "work",
+      detail: String(err.message ?? err).slice(0, 300),
+      level: "warn",
+    });
+  }
 } else {
   manifest.phase = nextPhase;
   manifest.phase_kind = phaseKind(nextPhase, registry);