@mcrescenzo/opencode-workflows 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +14 -0
- package/CODE_OF_CONDUCT.md +134 -0
- package/CONTRIBUTING.md +95 -0
- package/LICENSE +21 -0
- package/README.md +746 -0
- package/SECURITY.md +38 -0
- package/commands/repo-bughunt.md +94 -0
- package/commands/repo-review.md +148 -0
- package/commands/workflow-live-gates-release-check.md +143 -0
- package/docs/workflow-plugin.md +400 -0
- package/opencode-workflows.js +5 -0
- package/package.json +86 -0
- package/skills/opencode-workflow-authoring/SKILL.md +180 -0
- package/skills/repo-review-command-protocol/SKILL.md +56 -0
- package/skills/workflow-model-tiering/SKILL.md +57 -0
- package/skills/workflow-plan-review/SKILL.md +91 -0
- package/workflow-kernel/approval-hashing.js +39 -0
- package/workflow-kernel/async-util.js +33 -0
- package/workflow-kernel/audited-shell-policy.js +200 -0
- package/workflow-kernel/authority-policy.js +670 -0
- package/workflow-kernel/budget-accounting.js +142 -0
- package/workflow-kernel/capability-adapter.js +753 -0
- package/workflow-kernel/child-agent-runner.js +1264 -0
- package/workflow-kernel/constants.js +117 -0
- package/workflow-kernel/diagnostics.js +152 -0
- package/workflow-kernel/drain-runtime.js +421 -0
- package/workflow-kernel/errors.js +181 -0
- package/workflow-kernel/event-journal.js +487 -0
- package/workflow-kernel/extension-registry.js +144 -0
- package/workflow-kernel/free-text-redactor.js +91 -0
- package/workflow-kernel/gate-shapes.js +82 -0
- package/workflow-kernel/git-util.js +45 -0
- package/workflow-kernel/index.js +72 -0
- package/workflow-kernel/integration-mode.js +155 -0
- package/workflow-kernel/lane-effort-policy.js +134 -0
- package/workflow-kernel/lifecycle-control.js +608 -0
- package/workflow-kernel/live-gate-probes.js +916 -0
- package/workflow-kernel/notification-toast-cards.js +393 -0
- package/workflow-kernel/notification-toast-policy.js +179 -0
- package/workflow-kernel/notification-toast-scope.js +100 -0
- package/workflow-kernel/notification-toast.js +287 -0
- package/workflow-kernel/path-policy.js +219 -0
- package/workflow-kernel/result-readback.js +106 -0
- package/workflow-kernel/role-template-loading.js +606 -0
- package/workflow-kernel/run-context.js +139 -0
- package/workflow-kernel/run-observability.js +43 -0
- package/workflow-kernel/run-store-fs.js +231 -0
- package/workflow-kernel/run-store-locks.js +180 -0
- package/workflow-kernel/run-store-projections.js +421 -0
- package/workflow-kernel/run-store-rehydrate.js +68 -0
- package/workflow-kernel/run-store-state.js +147 -0
- package/workflow-kernel/run-store-status-format.js +1154 -0
- package/workflow-kernel/run-store-status.js +107 -0
- package/workflow-kernel/sandbox-executor.js +1131 -0
- package/workflow-kernel/session-access.js +56 -0
- package/workflow-kernel/structured-output.js +143 -0
- package/workflow-kernel/test-fix-drain-adapter.js +119 -0
- package/workflow-kernel/text-json.js +136 -0
- package/workflow-kernel/workflow-plugin.js +3017 -0
- package/workflow-kernel/workflow-source.js +444 -0
- package/workflow-kernel/worktree-adapter.js +256 -0
- package/workflow-kernel/worktree-git.js +147 -0
- package/workflows/repo-bughunt.js +362 -0
- package/workflows/repo-cleanup.js +383 -0
- package/workflows/repo-complexity.js +404 -0
- package/workflows/repo-deps.js +457 -0
- package/workflows/repo-modernize.js +395 -0
- package/workflows/repo-perf.js +394 -0
- package/workflows/repo-review.js +831 -0
- package/workflows/repo-security-audit.js +466 -0
- package/workflows/repo-test-gaps.js +377 -0
package/SECURITY.md
ADDED
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Supported Versions
|
|
4
|
+
|
|
5
|
+
Security fixes are handled on the current `main` branch until the first public
|
|
6
|
+
release process defines versioned support windows. Treat unpublished snapshots
|
|
7
|
+
and local plugin checkouts as unsupported outside their owning checkout.
|
|
8
|
+
|
|
9
|
+
## Reporting A Vulnerability
|
|
10
|
+
|
|
11
|
+
Report suspected sandbox escapes, authority bypasses, unsafe primary-tree writes,
|
|
12
|
+
secret disclosure, or child-process abuse privately through the
|
|
13
|
+
[GitHub Security Advisory flow](https://github.com/mcrescenzo/opencode-workflows/security/advisories/new)
|
|
14
|
+
for this repository. Include a minimal reproduction, affected commit or version,
|
|
15
|
+
and whether the issue needs a configured extension, a project workflow, or only
|
|
16
|
+
core plugin tools.
|
|
17
|
+
|
|
18
|
+
Please do not publish exploit details before there is a coordinated fix or a
|
|
19
|
+
mutual disclosure date. Do not open a public GitHub issue for an unpatched
|
|
20
|
+
vulnerability.
|
|
21
|
+
|
|
22
|
+
## Trust Boundary
|
|
23
|
+
|
|
24
|
+
Workflow scripts are guest code and run inside the QuickJS sandbox with injected
|
|
25
|
+
workflow globals only. They do not receive Node `fs`, `child_process`, `require`,
|
|
26
|
+
or direct domain-store access.
|
|
27
|
+
|
|
28
|
+
Configured workflow extensions are different: they are trusted host modules.
|
|
29
|
+
Adding an extension path to opencode config imports and runs that module in the
|
|
30
|
+
plugin's Node process with normal local privileges before exported capabilities
|
|
31
|
+
are structurally validated. The core plugin does not currently enforce extension
|
|
32
|
+
signatures, hash pins, or a module allowlist.
|
|
33
|
+
|
|
34
|
+
The kernel's authority, path, approval, and live-gate checks protect core guest
|
|
35
|
+
and tool flows. They do not automatically sandbox extension-contributed tools,
|
|
36
|
+
drain adapters, or mutation finalizers. Extension code can call provided guard
|
|
37
|
+
helpers, but that is part of the extension's trusted implementation. Only load
|
|
38
|
+
extensions you trust as local code.
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Run the repo-bughunt read-only review workflow and persist a single-domain report
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
Mode: read-only review. This command runs only the bundled `repo-bughunt` leaf
|
|
6
|
+
workflow, reads back its result, and persists one report artifact under
|
|
7
|
+
`.repo-review/runs/`. Use the `repo-review-command-protocol` skill for the
|
|
8
|
+
shared wrapper steps; this file supplies the bughunt-specific args, workflow
|
|
9
|
+
name, result fields, and report filename.
|
|
10
|
+
Canonical references: `workflow_list({ format: "json" })` is the
|
|
11
|
+
machine-readable workflow discovery surface; tool mutability and safe readback
|
|
12
|
+
are in `docs/workflow-plugin.md#workflow-tool-reference`; raw run artifact
|
|
13
|
+
handling is in the README source-of-truth section.
|
|
14
|
+
|
|
15
|
+
## 1. Bughunt Args
|
|
16
|
+
|
|
17
|
+
Validate `$ARGUMENTS` before touching `workflow_run`.
|
|
18
|
+
|
|
19
|
+
- If `$ARGUMENTS` is empty, default to the engine's thorough read-only review:
|
|
20
|
+
|
|
21
|
+
```json
|
|
22
|
+
{}
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
- If `$ARGUMENTS` is non-empty, it MUST parse as valid JSON and resolve to a
|
|
26
|
+
plain object. If it fails to parse, or parses to a string, number, boolean,
|
|
27
|
+
array, or null, STOP before `workflow_run` and report the argument error.
|
|
28
|
+
- If present, `depth` MUST be one of `quick`, `normal`, or `thorough`.
|
|
29
|
+
- Optional recognized keys: `paths`, `exclude`, `categories`,
|
|
30
|
+
`maxReturnFindings`, `recon`. Pass through only what the user supplied.
|
|
31
|
+
|
|
32
|
+
Carry the validated object forward as `args`.
|
|
33
|
+
|
|
34
|
+
## 2. Models
|
|
35
|
+
|
|
36
|
+
Follow the `workflow-model-tiering` skill before invoking `workflow_run`: call
|
|
37
|
+
`workflow_models`, map `fast` (recon + finders) and `deep` (skeptics) to concrete
|
|
38
|
+
models inside the invoking session family, and confirm with the user only when
|
|
39
|
+
the plan deviates from that family. Pass `modelTiers: { fast, deep }`.
|
|
40
|
+
|
|
41
|
+
## 3. Run, Read, Persist
|
|
42
|
+
|
|
43
|
+
Invoke the bundled workflow by name only, never by file path:
|
|
44
|
+
`workflow_run({ name: "repo-bughunt", args, modelTiers, format: "json" })`.
|
|
45
|
+
|
|
46
|
+
```json
|
|
47
|
+
{
|
|
48
|
+
"name": "repo-bughunt",
|
|
49
|
+
"args": "<the validated args object from step 1>",
|
|
50
|
+
"modelTiers": { "fast": "<fast model>", "deep": "<deep model>" },
|
|
51
|
+
"format": "json"
|
|
52
|
+
}
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
Use `workflow_run` for launch. If it returns a preview, report `.approvalHash`,
|
|
56
|
+
`.authority.profile` (`read-only-review`), and `.modelPlan`, then re-run with
|
|
57
|
+
`approve: true` and the matching `approvalHash`. If configured autoApprove
|
|
58
|
+
launches immediately, report the `runId` and status from that first call.
|
|
59
|
+
|
|
60
|
+
After terminal status, read the redacted envelope with:
|
|
61
|
+
|
|
62
|
+
```json
|
|
63
|
+
{ "runId": "<the run id>", "detail": "result" }
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
That is `workflow_status({ runId, detail: "result" })`. The leaf envelope is at
|
|
67
|
+
`.result.output`: `status`, `summary`, `counts`, `findings`,
|
|
68
|
+
`truncatedFindings`, and `reportMarkdown`.
|
|
69
|
+
|
|
70
|
+
Persist exactly one report:
|
|
71
|
+
|
|
72
|
+
- Directory: `mkdir -p .repo-review/runs`
|
|
73
|
+
- File: `.repo-review/runs/<run-id>-bughunt-report.md`
|
|
74
|
+
- Preferred: write `.result.output.reportMarkdown` when present.
|
|
75
|
+
- Fallback: when `reportMarkdown` is null or omitted for size, synthesize a short
|
|
76
|
+
fallback summary from returned `summary`, `counts`, and `findings` only. State
|
|
77
|
+
that full `reportMarkdown` was omitted for size / 256 KiB cap and do not invent
|
|
78
|
+
findings outside the returned subset.
|
|
79
|
+
- Footer: `Report-only - nothing applied.`
|
|
80
|
+
|
|
81
|
+
## 4. Boundary
|
|
82
|
+
|
|
83
|
+
This command is report-only. Avoid `materialize`, `beads-drain`,
|
|
84
|
+
`workflow_apply`, any `git` write, and any `bd` create/update/close/claim. The
|
|
85
|
+
ONLY allowed workspace write is the local
|
|
86
|
+
`.repo-review/runs/<run-id>-bughunt-report.md` report artifact. `.repo-review/`
|
|
87
|
+
is gitignored; do not stage or commit it.
|
|
88
|
+
|
|
89
|
+
## 5. Report Back
|
|
90
|
+
|
|
91
|
+
Report the validated args, model plan, `approvalHash` when a preview was shown,
|
|
92
|
+
`runId`, terminal status, envelope `status`/`summary`/`counts`, whether
|
|
93
|
+
`reportMarkdown` was present or the size-fallback summary was rendered,
|
|
94
|
+
`truncatedFindings`, and the absolute report path.
|
|
@@ -0,0 +1,148 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Run the repo-review exhaustive read-only review workflow and persist the merged eight-domain report
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
Mode: read-only review. This command runs the bundled `repo-review` META
|
|
6
|
+
workflow over the eight repo-* leaf domains, reads back the unified result, and
|
|
7
|
+
persists one merged report artifact under `.repo-review/runs/`. Use the
|
|
8
|
+
`repo-review-command-protocol` skill for the shared wrapper steps; this file
|
|
9
|
+
supplies the meta-specific args, no-fast-model policy, merged-result fields, and
|
|
10
|
+
materialization offer rule. It is distinct from `/repo-bughunt`, which runs only
|
|
11
|
+
the bughunt leaf.
|
|
12
|
+
Canonical references: `workflow_list({ format: "json" })` is the
|
|
13
|
+
machine-readable workflow discovery surface; tool mutability and safe readback
|
|
14
|
+
are in `docs/workflow-plugin.md#workflow-tool-reference`; raw run artifact
|
|
15
|
+
handling is in the README source-of-truth section.
|
|
16
|
+
|
|
17
|
+
## 1. Meta Args
|
|
18
|
+
|
|
19
|
+
Validate `$ARGUMENTS` before touching `workflow_run`.
|
|
20
|
+
|
|
21
|
+
- If `$ARGUMENTS` is empty, default to an exhaustive full-suite review:
|
|
22
|
+
|
|
23
|
+
```json
|
|
24
|
+
{ "mode": "exhaustive" }
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
- If `$ARGUMENTS` is non-empty, it MUST parse as valid JSON and resolve to a
|
|
28
|
+
plain object. If it fails to parse, or parses to a string, number, boolean,
|
|
29
|
+
array, or null, STOP before `workflow_run` and report the argument error.
|
|
30
|
+
- `mode` is `exhaustive` (default) or `bounded`. Exhaustive uses `depth:
|
|
31
|
+
"thorough"`, high `maxReturnFindings`, and the coverage auditor lane. Bounded
|
|
32
|
+
uses the legacy normal-depth pass.
|
|
33
|
+
- `depth` is `quick`, `normal`, or `thorough` when supplied.
|
|
34
|
+
- Optional recognized keys: `domains`, `paths`, `exclude`, `maxReturnFindings`,
|
|
35
|
+
`batchSize`, `recon`, `maxDirs`, `deepMode`.
|
|
36
|
+
- `deepMode` may select `audited-shell` when the caller explicitly wants the
|
|
37
|
+
command-scoped shell inspection mode and the required gates are verified.
|
|
38
|
+
- `domains` may name any subset of `bughunt`, `security`, `test-gaps`,
|
|
39
|
+
`cleanup`, `modernize`, `perf`, `complexity`, `deps`, or their `repo-*` leaf
|
|
40
|
+
names. Unknown domains are rejected rather than falling back to all domains.
|
|
41
|
+
|
|
42
|
+
Carry the validated object forward as `args`.
|
|
43
|
+
|
|
44
|
+
## 2. Resolve Model Tiers - NO FAST MODELS
|
|
45
|
+
|
|
46
|
+
Follow `workflow-model-tiering` to enumerate available models, but this command
|
|
47
|
+
NEVER selects a fast model. The meta's `fast` and `deep` labels are lane intent
|
|
48
|
+
markers, not permission to pick a low-quality model. Resolve one high-quality
|
|
49
|
+
deep model inside the session family and map both tiers to the same deep model:
|
|
50
|
+
|
|
51
|
+
```json
|
|
52
|
+
{
|
|
53
|
+
"modelTiers": {
|
|
54
|
+
"fast": "<the deep model>",
|
|
55
|
+
"deep": "<the deep model>"
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
If the selected model deviates from the session family, confirm explicitly before
|
|
61
|
+
launch. Do NOT set `maxCost` or `maxTokens`; exhaustive mode spares no expense.
|
|
62
|
+
|
|
63
|
+
## 3. Run, Read, Persist
|
|
64
|
+
|
|
65
|
+
Invoke the bundled workflow by name only, never by file path:
|
|
66
|
+
`workflow_run({ name: "repo-review", args, modelTiers, format: "json" })`.
|
|
67
|
+
|
|
68
|
+
```json
|
|
69
|
+
{
|
|
70
|
+
"name": "repo-review",
|
|
71
|
+
"args": "<the validated args object from step 1>",
|
|
72
|
+
"modelTiers": { "fast": "<deep model>", "deep": "<deep model>" },
|
|
73
|
+
"format": "json"
|
|
74
|
+
}
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
Use `workflow_run` for launch. If it returns a preview, report `.approvalHash`,
|
|
78
|
+
`.authority.profile` (`read-only-review`), and `.modelPlan`, then re-run with
|
|
79
|
+
`approve: true` and the matching `approvalHash`. If configured autoApprove
|
|
80
|
+
launches immediately, report the `runId` and status from that first call. The
|
|
81
|
+
meta never edits, commits, or writes files; nested leaves share the parent
|
|
82
|
+
`maxAgents:100000, concurrency:16` budget. Each leaf's OWN declared `maxAgents`
|
|
83
|
+
and `concurrency` are ignored at runtime under the meta run.
|
|
84
|
+
|
|
85
|
+
After terminal status, read the redacted envelope with:
|
|
86
|
+
|
|
87
|
+
```json
|
|
88
|
+
{ "runId": "<the run id>", "detail": "result" }
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
That is `workflow_status({ runId, detail: "result" })`. The merged envelope is
|
|
92
|
+
at `.result.output` and includes `domain: "repo-review"`, `status`, `summary`,
|
|
93
|
+
`counts`, ranked `findings`, `truncatedFindings`, `reportMarkdown`,
|
|
94
|
+
`leafOutcomes`, `partialCoverage`, `artifactPaths.reportMarkdownPath`,
|
|
95
|
+
`materializationReady`, `materializationBlockers`, `coverageGrade`,
|
|
96
|
+
`coverageAdvisories`, `coverageAudit`, and `artifactPaths.findingsJson`.
|
|
97
|
+
|
|
98
|
+
Persist exactly one report:
|
|
99
|
+
|
|
100
|
+
- Directory: `mkdir -p .repo-review/runs`
|
|
101
|
+
- File: `.repo-review/runs/<run-id>-repo-review-report.md`
|
|
102
|
+
- Preferred: read `artifactPaths.reportMarkdownPath` and use that full ranked cross-domain markdown report.
|
|
103
|
+
- Fallback: if `reportMarkdown` is non-null, treat it as a bounded
|
|
104
|
+
preview/fallback body.
|
|
105
|
+
- Fallback: when `reportMarkdown` is null or omitted for size, synthesize a short
|
|
106
|
+
fallback summary from returned `summary`, `counts`, `leafOutcomes`, and
|
|
107
|
+
`findings` only. State that full `reportMarkdown` was omitted for size /
|
|
108
|
+
256 KiB cap and do not invent findings outside the returned subset.
|
|
109
|
+
- Footer: `Report-only - nothing applied.`
|
|
110
|
+
|
|
111
|
+
## 4. Coverage And Materialization
|
|
112
|
+
|
|
113
|
+
Report `leafOutcomes` and `partialCoverage` so the user sees which domains
|
|
114
|
+
completed or failed. Report materialization readiness separately:
|
|
115
|
+
`materializationReady`, `materializationBlockers`, `coverageGrade`,
|
|
116
|
+
`coverageAdvisories`, and `coverageAudit`.
|
|
117
|
+
|
|
118
|
+
If `materializationReady` is true and there is at least one finding, first
|
|
119
|
+
confirm the Beads extension has contributed `/review-materialize` in the command
|
|
120
|
+
registry. If that command is absent, report that the command is unavailable and
|
|
121
|
+
do not offer an unavailable action. If available, offer the user the option of
|
|
122
|
+
creating a duplicate-aware Beads epic via separately approved
|
|
123
|
+
`/review-materialize` with the completed review's `runId`. The materialization
|
|
124
|
+
tool validates `domain: "repo-review"`, consumes `artifactPaths.findingsJson`,
|
|
125
|
+
passes the full findings through its `findingsPath` handoff, and derives its
|
|
126
|
+
default program label from review-time provenance rather than current `HEAD`.
|
|
127
|
+
|
|
128
|
+
If `materializationReady` is false, list every blocker and state that
|
|
129
|
+
materialization is blocked. Do not proceed.
|
|
130
|
+
|
|
131
|
+
## 5. Boundary
|
|
132
|
+
|
|
133
|
+
This command is report-only. It must never run `materialize`, `beads-drain`,
|
|
134
|
+
`workflow_apply`, any `git` write, or any `bd` create/update/close/claim. The
|
|
135
|
+
ONLY allowed workspace write is the local
|
|
136
|
+
`.repo-review/runs/<run-id>-repo-review-report.md` report artifact. The
|
|
137
|
+
materialization item above is a question to the user, not a mutation from this
|
|
138
|
+
command. `.repo-review/` is gitignored; do not stage or commit it.
|
|
139
|
+
|
|
140
|
+
## 6. Report Back
|
|
141
|
+
|
|
142
|
+
Report the validated args including `mode`, model plan confirming both tiers
|
|
143
|
+
resolved to the same deep model - no fast model, `approvalHash` when a preview
|
|
144
|
+
was shown, `runId`, terminal status, envelope `status`/`summary`/`counts`,
|
|
145
|
+
`leafOutcomes`, `partialCoverage`, `materializationReady`,
|
|
146
|
+
`materializationBlockers`, `coverageGrade`, `coverageAudit`, whether the full
|
|
147
|
+
artifact, bounded `reportMarkdown` preview/fallback, or size-fallback summary
|
|
148
|
+
was used, `truncatedFindings`, and the absolute report path.
|
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Run the opt-in active-runtime workflow live-gate release check
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
Run the active-runtime workflow live-gate release check only because the user explicitly invoked this command or otherwise approved token/worktree side effects.
|
|
6
|
+
Canonical references: live-gate behavior is summarized in the README live-gates
|
|
7
|
+
section, and `workflow_live_gates` mutability/approval requirements are listed in
|
|
8
|
+
`docs/workflow-plugin.md#workflow-tool-reference`.
|
|
9
|
+
|
|
10
|
+
Before running probes, state these side effects briefly:
|
|
11
|
+
|
|
12
|
+
- Session probes can spend model tokens.
|
|
13
|
+
- The concurrency-capacity probe launches `concurrencyProbeLimit` child prompts at once; keep the limit modest unless the user approved a larger burst.
|
|
14
|
+
- Worktree probes can create and remove throwaway worktrees.
|
|
15
|
+
- Background and notification probes can schedule asynchronous OpenCode work.
|
|
16
|
+
- Plugin or command changes require restarting OpenCode before this check reflects them.
|
|
17
|
+
|
|
18
|
+
Then call `workflow_live_gates` with every behavioral probe enabled and `format: "json"`:
|
|
19
|
+
|
|
20
|
+
```json
|
|
21
|
+
{
|
|
22
|
+
"format": "json",
|
|
23
|
+
"approvalIntent": "probe",
|
|
24
|
+
"probePermissionEnforcement": true,
|
|
25
|
+
"probeDeniedBash": true,
|
|
26
|
+
"probeCommandScopedBash": true,
|
|
27
|
+
"probeSecretReadDeny": true,
|
|
28
|
+
"probeStructuredOutput": true,
|
|
29
|
+
"probeWorktreeApi": true,
|
|
30
|
+
"probeDirectoryRooting": true,
|
|
31
|
+
"probeWorktreeEditIsolation": true,
|
|
32
|
+
"probeIntegrationWorktreeIsolation": true,
|
|
33
|
+
"probeBackgroundContinuation": true,
|
|
34
|
+
"probeConcurrencyCapacity": true,
|
|
35
|
+
"concurrencyProbeLimit": 16,
|
|
36
|
+
"probeCancellation": true,
|
|
37
|
+
"probeWorkflowNotification": true
|
|
38
|
+
}
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
Report the raw JSON evidence in the transcript or point to the exact saved evidence location if the output is too large.
|
|
42
|
+
|
|
43
|
+
Readiness is reported per capability tier, not as a single all-gates verdict,
|
|
44
|
+
because the non-dry `beads-drain` profile (`drain-autonomous-local`) uses
|
|
45
|
+
integration-worktree isolation and does not require the native edit-mode
|
|
46
|
+
worktree gates. Conflating the tiers overblocks valid Beads readiness.
|
|
47
|
+
|
|
48
|
+
## Full / native edit-mode readiness
|
|
49
|
+
|
|
50
|
+
All gates verified. Required for `edit-plan-only` and any workflow that edits through the
|
|
51
|
+
native worktree API.
|
|
52
|
+
|
|
53
|
+
Pass criteria:
|
|
54
|
+
|
|
55
|
+
- `configured` is `true`.
|
|
56
|
+
- `verified` is `true`.
|
|
57
|
+
- Every entry in `gates` has `state: "verified"` and `verified: true`, including
|
|
58
|
+
`worktreeApi` and `worktreeEditIsolation`.
|
|
59
|
+
|
|
60
|
+
If any gate is `blocked`, `available-unverified`, or `failed-with-evidence`, do not claim
|
|
61
|
+
full/native edit-mode release readiness. Report `[release-gate:blocked]` with the tier
|
|
62
|
+
(`full-edit`), the non-verified gate names, and evidence.
|
|
63
|
+
|
|
64
|
+
## Non-dry beads-drain readiness
|
|
65
|
+
|
|
66
|
+
Only the Beads-required gate subset must be verified. This subset mirrors
|
|
67
|
+
`NON_DRY_DRAIN_REQUIRED_GATES` in `workflow-kernel/authority-policy.js`:
|
|
68
|
+
|
|
69
|
+
- `permissionEnforcement`
|
|
70
|
+
- `commandScopedBash`
|
|
71
|
+
- `secretReadDeny`
|
|
72
|
+
- `structuredOutput`
|
|
73
|
+
- `directoryRooting`
|
|
74
|
+
- `integrationWorktreeIsolation`
|
|
75
|
+
- `cancellation`
|
|
76
|
+
|
|
77
|
+
The native worktree gates `worktreeApi` and `worktreeEditIsolation` are NOT required for
|
|
78
|
+
non-dry Beads readiness, because Beads profiles use integration-worktree isolation instead.
|
|
79
|
+
`backgroundContinuation` and `workflowNotification` are also not in the Beads subset.
|
|
80
|
+
|
|
81
|
+
Pass criteria for non-dry Beads readiness:
|
|
82
|
+
|
|
83
|
+
- `configured` is `true`.
|
|
84
|
+
- Every gate listed in the Beads subset above has `state: "verified"` and `verified: true`.
|
|
85
|
+
|
|
86
|
+
If a Beads-subset gate is `blocked`, `available-unverified`, or `failed-with-evidence`, do
|
|
87
|
+
not claim non-dry beads-drain release readiness. Report `[release-gate:blocked]` with the
|
|
88
|
+
tier (`beads-non-dry`), only the non-verified Beads-subset gate names, and evidence. Do not
|
|
89
|
+
include native worktree gates in the Beads blocked message.
|
|
90
|
+
|
|
91
|
+
A `[release-gate:blocked]` for `full-edit` does NOT imply Beads is blocked, and a
|
|
92
|
+
`[release-gate:blocked]` for `beads-non-dry` does NOT imply full/native edit is blocked.
|
|
93
|
+
|
|
94
|
+
## Evidence-strength caveat (do not overclaim permission or rooting gates)
|
|
95
|
+
|
|
96
|
+
A verified gate is not always equivalent to directly-observed target behavior. Each
|
|
97
|
+
verified gate carries an `evidenceStrength` field:
|
|
98
|
+
|
|
99
|
+
- `observed` — the probe directly observed the target behavior (a denied tool part,
|
|
100
|
+
denial text, a thrown denial, a successful create/remove, a completed sentinel read,
|
|
101
|
+
etc.). Strong evidence.
|
|
102
|
+
- `no-attempt-fallback` — the probe observed no tool attempt at all (the denied tool
|
|
103
|
+
appears hidden/unavailable) and verified only that retained deny rules held and no
|
|
104
|
+
successful tool call occurred. This is a compatibility path for runtimes that hide
|
|
105
|
+
fully-denied tools, not behavioral enforcement proof. Used only by
|
|
106
|
+
`permissionEnforcement`.
|
|
107
|
+
- `model-text-only` — the probe observed only model-reported text matching the expected
|
|
108
|
+
value, without a deterministic tool result. Historically used by `directoryRooting` when
|
|
109
|
+
the child echoed the assigned directory but did not perform (or did not expose) the
|
|
110
|
+
sentinel read tool call. The model can echo a directory without being rooted there, so
|
|
111
|
+
this is not equivalent to an observed tool-anchored rooting proof. As of the R31 fix
|
|
112
|
+
(`directoryRooting`) and the integration-worktree rooting hardening
|
|
113
|
+
(`integrationWorktreeIsolation`), neither gate PRODUCES this strength anymore: a text-only
|
|
114
|
+
echo is reported as `available-unverified` (verified=false), so the required rooting
|
|
115
|
+
authority cannot be satisfied without a completed `read` tool part returning unique
|
|
116
|
+
on-disk sentinel content. The strength is retained for the down-ranker's scope lock.
|
|
117
|
+
- `in-process-smoke` — the probe verified only in-process event-loop yield and did not
|
|
118
|
+
exercise the OpenCode background subsystem. Used by `backgroundContinuation`. Restart
|
|
119
|
+
survival is not implied; production background continuation across OpenCode restart is
|
|
120
|
+
out of scope for this gate.
|
|
121
|
+
|
|
122
|
+
`commandScopedBash` and `secretReadDeny` stay strict: they do not use the
|
|
123
|
+
`no-attempt-fallback` and report `blocked` when no tool attempt is observable.
|
|
124
|
+
|
|
125
|
+
Before claiming non-dry readiness, inspect each verified gate's `evidenceStrength`:
|
|
126
|
+
|
|
127
|
+
- If every required gate is `observed`, the readiness verdict above holds as-is.
|
|
128
|
+
- If `permissionEnforcement` is `no-attempt-fallback`, do NOT claim equivalence to an
|
|
129
|
+
observed denial. Report `[release-gate:weak-evidence]` with the gate name and state
|
|
130
|
+
that the hidden/no-attempt fallback was accepted only if an explicit policy/operator
|
|
131
|
+
decision confirms this runtime hides fully-denied tools by design. Without that
|
|
132
|
+
explicit acceptance, treat the gate as not-yet-proven and do not advance to a non-dry
|
|
133
|
+
release verdict.
|
|
134
|
+
- If `directoryRooting` or `integrationWorktreeIsolation` is `available-unverified` with
|
|
135
|
+
"model-reported cwd text" evidence, do NOT claim deterministic runtime/tool rooting
|
|
136
|
+
evidence. The child echoed the target directory without a completed sentinel `read`, so
|
|
137
|
+
rooting is unproven. Report `[release-gate:weak-evidence]` and request a runtime/tool-
|
|
138
|
+
anchored sentinel read before advancing to a non-dry release verdict. (Pre-fix these
|
|
139
|
+
gates could return `verified` with `evidenceStrength:"model-text-only"`; both now
|
|
140
|
+
downgrade a text-only echo to `available-unverified`.)
|
|
141
|
+
- `backgroundContinuation` is always `in-process-smoke` in this build. Treat its
|
|
142
|
+
`verified` state as proof of in-process continuation only and never as restart
|
|
143
|
+
survival. Restart-surviving background execution is out of scope.
|