@neuroverseos/governance 0.1.6 → 0.2.2

package/dist/adapters/openclaw.cjs

@@ -37,6 +37,232 @@ __export(openclaw_exports, {
 });
 module.exports = __toCommonJS(openclaw_exports);
 
+// src/engine/plan-engine.ts
+function keywordMatch(eventText, step) {
+  const stepText = [
+    step.label,
+    step.description ?? "",
+    ...step.tags ?? []
+  ].join(" ").toLowerCase();
+  const keywords = stepText.split(/\s+/).filter((w) => w.length > 3);
+  if (keywords.length === 0) return false;
+  const matched = keywords.filter((kw) => eventText.includes(kw));
+  return matched.length >= Math.ceil(keywords.length * 0.5);
+}
+function tokenSimilarity(a, b) {
+  const tokensA = new Set(a.toLowerCase().split(/\s+/).filter((w) => w.length > 2));
+  const tokensB = new Set(b.toLowerCase().split(/\s+/).filter((w) => w.length > 2));
+  if (tokensA.size === 0 || tokensB.size === 0) return 0;
+  let intersection = 0;
+  for (const t of tokensA) {
+    if (tokensB.has(t)) intersection++;
+  }
+  const union = (/* @__PURE__ */ new Set([...tokensA, ...tokensB])).size;
+  return union > 0 ? intersection / union : 0;
+}
+function findMatchingStep(eventText, event, steps) {
+  const pendingOrActive = steps.filter((s) => s.status === "pending" || s.status === "active");
+  if (pendingOrActive.length === 0) {
+    return { matched: null, closest: null, closestScore: 0 };
+  }
+  for (const step of pendingOrActive) {
+    if (keywordMatch(eventText, step)) {
+      if (step.tools && event.tool && !step.tools.includes(event.tool)) {
+        continue;
+      }
+      return { matched: step, closest: step, closestScore: 1 };
+    }
+  }
+  const intentText = [event.intent, event.tool ?? "", event.scope ?? ""].join(" ");
+  let bestStep = null;
+  let bestScore = 0;
+  for (const step of pendingOrActive) {
+    const stepText = [step.label, step.description ?? "", ...step.tags ?? []].join(" ");
+    const score = tokenSimilarity(intentText, stepText);
+    if (score > bestScore) {
+      bestScore = score;
+      bestStep = step;
+    }
+  }
+  const SIMILARITY_THRESHOLD = 0.35;
+  if (bestScore >= SIMILARITY_THRESHOLD && bestStep) {
+    if (bestStep.tools && event.tool && !bestStep.tools.includes(event.tool)) {
+      return { matched: null, closest: bestStep, closestScore: bestScore };
+    }
+    return { matched: bestStep, closest: bestStep, closestScore: bestScore };
+  }
+  return { matched: null, closest: bestStep, closestScore: bestScore };
+}
+function isSequenceValid(step, plan) {
+  if (!plan.sequential) return true;
+  if (!step.requires || step.requires.length === 0) return true;
+  return step.requires.every((reqId) => {
+    const reqStep = plan.steps.find((s) => s.id === reqId);
+    return reqStep?.status === "completed";
+  });
+}
+function checkConstraints(event, eventText, constraints) {
+  const checks = [];
+  for (const constraint of constraints) {
+    if (constraint.type === "approval") {
+      if (constraint.trigger && eventText.includes(constraint.trigger.substring(0, 10).toLowerCase())) {
+        checks.push({ constraintId: constraint.id, passed: false, reason: constraint.description });
+        return { violated: constraint, checks };
+      }
+      const keywords = constraint.description.toLowerCase().split(/\s+/).filter((w) => w.length > 3);
+      const relevant = keywords.some((kw) => eventText.includes(kw));
+      if (relevant) {
+        checks.push({ constraintId: constraint.id, passed: false, reason: constraint.description });
+        return { violated: constraint, checks };
+      }
+      checks.push({ constraintId: constraint.id, passed: true });
+      continue;
+    }
+    if (constraint.type === "scope" && constraint.trigger) {
+      const keywords = constraint.trigger.split(/\s+/).filter((w) => w.length > 3);
+      const violated = keywords.length > 0 && keywords.every((kw) => eventText.includes(kw));
+      checks.push({
+        constraintId: constraint.id,
+        passed: !violated,
+        reason: violated ? constraint.description : void 0
+      });
+      if (violated) {
+        return { violated: constraint, checks };
+      }
+      continue;
+    }
+    checks.push({ constraintId: constraint.id, passed: true });
+  }
+  return { violated: null, checks };
+}
+function getPlanProgress(plan) {
+  const completed = plan.steps.filter((s) => s.status === "completed").length;
+  const total = plan.steps.length;
+  return {
+    completed,
+    total,
+    percentage: total > 0 ? Math.round(completed / total * 100) : 0
+  };
+}
+function advancePlan(plan, stepId, evidence) {
+  const step = plan.steps.find((s) => s.id === stepId);
+  if (!step) {
+    return { success: false, reason: `Step "${stepId}" not found in plan.` };
+  }
+  if (step.status === "completed") {
+    return { success: false, reason: `Step "${stepId}" is already completed.` };
+  }
+  const mode = plan.completion ?? "trust";
+  if (mode === "verified" && step.verify) {
+    if (!evidence) {
+      return {
+        success: false,
+        reason: `Step "${step.label}" requires evidence (verify: ${step.verify}). Provide evidence to advance.`
+      };
+    }
+    if (evidence.type !== step.verify) {
+      return {
+        success: false,
+        reason: `Evidence type "${evidence.type}" does not match required verification "${step.verify}".`
+      };
+    }
+  }
+  const updatedPlan = {
+    ...plan,
+    steps: plan.steps.map(
+      (s) => s.id === stepId ? { ...s, status: "completed" } : s
+    )
+  };
+  return {
+    success: true,
+    plan: updatedPlan,
+    evidence: evidence ?? void 0
+  };
+}
+function evaluatePlan(event, plan) {
+  const progress = getPlanProgress(plan);
+  if (plan.expires_at) {
+    const expiresAt = new Date(plan.expires_at).getTime();
+    if (Date.now() > expiresAt) {
+      return {
+        allowed: true,
+        status: "PLAN_COMPLETE",
+        reason: "Plan has expired.",
+        progress
+      };
+    }
+  }
+  if (progress.completed === progress.total) {
+    return {
+      allowed: true,
+      status: "PLAN_COMPLETE",
+      reason: "All plan steps are completed.",
+      progress
+    };
+  }
+  const eventText = [
+    event.intent,
+    event.tool ?? "",
+    event.scope ?? ""
+  ].join(" ").toLowerCase();
+  const { matched, closest, closestScore } = findMatchingStep(eventText, event, plan.steps);
+  if (!matched) {
+    return {
+      allowed: false,
+      status: "OFF_PLAN",
+      reason: "Action does not match any plan step.",
+      closestStep: closest?.label,
+      similarityScore: closestScore,
+      progress
+    };
+  }
+  if (!isSequenceValid(matched, plan)) {
+    const pendingDeps = (matched.requires ?? []).filter((reqId) => plan.steps.find((s) => s.id === reqId)?.status !== "completed").join(", ");
+    return {
+      allowed: false,
+      status: "OFF_PLAN",
+      reason: `Step "${matched.label}" requires completion of: ${pendingDeps}`,
+      matchedStep: matched.id,
+      progress
+    };
+  }
+  const { violated } = checkConstraints(event, eventText, plan.constraints);
+  if (violated) {
+    return {
+      allowed: false,
+      status: "CONSTRAINT_VIOLATED",
+      reason: violated.description,
+      matchedStep: matched.id,
+      progress
+    };
+  }
+  return {
+    allowed: true,
+    status: "ON_PLAN",
+    reason: `Matches step: ${matched.label}`,
+    matchedStep: matched.id,
+    progress
+  };
+}
+function buildPlanCheck(event, plan, verdict) {
+  const eventText = [event.intent, event.tool ?? "", event.scope ?? ""].join(" ").toLowerCase();
+  const { matched, closest, closestScore } = findMatchingStep(eventText, event, plan.steps);
+  const { checks: constraintChecks } = checkConstraints(event, eventText, plan.constraints);
+  const progress = getPlanProgress(plan);
+  return {
+    planId: plan.plan_id,
+    matched: !!matched,
+    matchedStepId: matched?.id,
+    matchedStepLabel: matched?.label,
+    closestStepId: !matched ? closest?.id : void 0,
+    closestStepLabel: !matched ? closest?.label : void 0,
+    similarityScore: !matched ? closestScore : void 0,
+    sequenceValid: matched ? isSequenceValid(matched, plan) : void 0,
+    constraintsChecked: constraintChecks,
+    progress: { completed: progress.completed, total: progress.total }
+  };
+}
+
 // src/engine/guard-engine.ts
 var PROMPT_INJECTION_PATTERNS = [
   // Instruction override
@@ -128,6 +354,7 @@ function evaluateGuard(event, world, options = {}) {
   const eventText = (event.intent + " " + (event.tool ?? "") + " " + (event.scope ?? "")).toLowerCase();
   const invariantChecks = [];
   const safetyChecks = [];
+  let planCheckResult;
   const roleChecks = [];
   const guardChecks = [];
   const kernelRuleChecks = [];
@@ -155,6 +382,7 @@ function evaluateGuard(event, world, options = {}) {
         includeTrace ? buildTrace(
           invariantChecks,
           safetyChecks,
+          planCheckResult,
           roleChecks,
           guardChecks,
           kernelRuleChecks,
@@ -183,6 +411,7 @@ function evaluateGuard(event, world, options = {}) {
       includeTrace ? buildTrace(
         invariantChecks,
         safetyChecks,
+        planCheckResult,
         roleChecks,
         guardChecks,
         kernelRuleChecks,
@@ -193,6 +422,42 @@ function evaluateGuard(event, world, options = {}) {
       ) : void 0
     );
   }
+  if (options.plan) {
+    const planVerdict = evaluatePlan(event, options.plan);
+    planCheckResult = buildPlanCheck(event, options.plan, planVerdict);
+    if (!planVerdict.allowed && planVerdict.status !== "PLAN_COMPLETE") {
+      decidingLayer = "plan-enforcement";
+      decidingId = `plan-${options.plan.plan_id}`;
+      const planStatus = planVerdict.status === "CONSTRAINT_VIOLATED" ? "PAUSE" : "BLOCK";
+      let reason = planVerdict.reason ?? "Action blocked by plan.";
+      if (planVerdict.status === "OFF_PLAN" && planVerdict.closestStep) {
+        reason += ` Closest step: "${planVerdict.closestStep}" (similarity: ${(planVerdict.similarityScore ?? 0).toFixed(2)})`;
+      }
+      return buildVerdict(
+        planStatus,
+        reason,
+        `plan-${options.plan.plan_id}`,
+        void 0,
+        world,
+        level,
+        invariantChecks,
+        guardsMatched,
+        rulesMatched,
+        includeTrace ? buildTrace(
+          invariantChecks,
+          safetyChecks,
+          planCheckResult,
+          roleChecks,
+          guardChecks,
+          kernelRuleChecks,
+          levelChecks,
+          decidingLayer,
+          decidingId,
+          startTime
+        ) : void 0
+      );
+    }
+  }
   const roleVerdict = checkRoleRules(event, eventText, world, roleChecks);
   if (roleVerdict) {
     decidingLayer = "role";
@@ -210,6 +475,7 @@ function evaluateGuard(event, world, options = {}) {
       includeTrace ? buildTrace(
         invariantChecks,
         safetyChecks,
+        planCheckResult,
         roleChecks,
         guardChecks,
         kernelRuleChecks,
@@ -238,6 +504,7 @@ function evaluateGuard(event, world, options = {}) {
         includeTrace ? buildTrace(
           invariantChecks,
           safetyChecks,
+          planCheckResult,
           roleChecks,
           guardChecks,
           kernelRuleChecks,
@@ -266,6 +533,7 @@ function evaluateGuard(event, world, options = {}) {
       includeTrace ? buildTrace(
         invariantChecks,
         safetyChecks,
+        planCheckResult,
         roleChecks,
         guardChecks,
         kernelRuleChecks,
@@ -293,6 +561,7 @@ function evaluateGuard(event, world, options = {}) {
       includeTrace ? buildTrace(
         invariantChecks,
         safetyChecks,
+        planCheckResult,
         roleChecks,
         guardChecks,
         kernelRuleChecks,
@@ -317,6 +586,7 @@ function evaluateGuard(event, world, options = {}) {
     includeTrace ? buildTrace(
       invariantChecks,
       safetyChecks,
+      planCheckResult,
       roleChecks,
       guardChecks,
       kernelRuleChecks,
@@ -654,8 +924,8 @@ function matchesKeywords(eventText, ruleText) {
 function eventToAllowlistKey(event) {
   return `${(event.tool ?? "*").toLowerCase()}::${event.intent.toLowerCase().trim()}`;
 }
-function buildTrace(invariantChecks, safetyChecks, roleChecks, guardChecks, kernelRuleChecks, levelChecks, decidingLayer, decidingId, startTime) {
-  return {
+function buildTrace(invariantChecks, safetyChecks, planCheck, roleChecks, guardChecks, kernelRuleChecks, levelChecks, decidingLayer, decidingId, startTime) {
+  const trace = {
     invariantChecks,
     safetyChecks,
     roleChecks,
@@ -673,6 +943,7 @@ function buildTrace(invariantChecks, safetyChecks, roleChecks, guardChecks, kern
         "safety-scope-escape",
         "safety-execution-claim",
         "safety-execution-intent",
+        "plan-enforcement",
         "role-rules",
         "declarative-guards",
         "kernel-rules",
@@ -682,6 +953,10 @@ function buildTrace(invariantChecks, safetyChecks, roleChecks, guardChecks, kern
     },
     durationMs: performance.now() - startTime
   };
+  if (planCheck) {
+    trace.planCheck = planCheck;
+  }
+  return trace;
 }
 function buildVerdict(status, reason, ruleId, warning, world, level, invariantChecks, guardsMatched, rulesMatched, trace) {
   const evidence = {
@@ -807,12 +1082,15 @@ var NeuroVersePlugin = class {
   options;
   engineOptions;
   mapAction;
+  activePlan;
   constructor(world, options = {}) {
     this.world = world;
     this.options = options;
+    this.activePlan = options.plan;
     this.engineOptions = {
       trace: options.trace ?? false,
-      level: options.level
+      level: options.level,
+      plan: this.activePlan
     };
     this.mapAction = options.mapAction ?? defaultMapAction;
   }
@@ -824,6 +1102,7 @@ var NeuroVersePlugin = class {
    */
   beforeAction(action) {
     const event = this.mapAction(action, "input");
+    this.engineOptions.plan = this.activePlan;
     const verdict = evaluateGuard(event, this.world, this.engineOptions);
     const result = {
       allowed: verdict.status === "ALLOW",
@@ -834,6 +1113,21 @@ var NeuroVersePlugin = class {
     if (verdict.status === "BLOCK") {
       throw new GovernanceBlockedError(verdict, action);
     }
+    if (verdict.status === "ALLOW" && this.activePlan) {
+      const planVerdict = evaluatePlan(event, this.activePlan);
+      if (planVerdict.matchedStep) {
+        const advResult = advancePlan(this.activePlan, planVerdict.matchedStep);
+        if (advResult.success && advResult.plan) {
+          this.activePlan = advResult.plan;
+          this.engineOptions.plan = this.activePlan;
+        }
+        const progress = getPlanProgress(this.activePlan);
+        this.options.onPlanProgress?.(progress);
+        if (progress.completed === progress.total) {
+          this.options.onPlanComplete?.();
+        }
+      }
+    }
     return result;
   }
   /**

package/dist/adapters/openclaw.d.cts

@@ -1,4 +1,4 @@
-import { G as GuardVerdict, W as WorldDefinition, a as GuardEvent } from '../guard-contract-D_RQz9kt.cjs';
+import { G as GuardVerdict, W as WorldDefinition, a as GuardEvent, P as PlanDefinition, b as PlanProgress } from '../guard-contract-Cm91Kp4j.cjs';
 
 /**
  * NeuroVerse Adapter — OpenClaw
@@ -38,6 +38,12 @@ interface NeuroVersePluginOptions {
     mapAction?: (action: AgentAction, direction: 'input' | 'output') => GuardEvent;
     /** Whether to evaluate output actions (post-action). Default: false. */
     evaluateOutputs?: boolean;
+    /** Active plan overlay for task-scoped governance. */
+    plan?: PlanDefinition;
+    /** Called when plan progress changes. */
+    onPlanProgress?: (progress: PlanProgress) => void;
+    /** Called when all plan steps are completed. */
+    onPlanComplete?: () => void;
 }
 declare class GovernanceBlockedError extends Error {
     readonly verdict: GuardVerdict;
@@ -57,6 +63,7 @@ declare class NeuroVersePlugin {
     private options;
     private engineOptions;
     private mapAction;
+    private activePlan?;
     constructor(world: WorldDefinition, options?: NeuroVersePluginOptions);
     /**
      * Evaluate an action before execution.

package/dist/adapters/openclaw.d.ts

@@ -1,4 +1,4 @@
-import { G as GuardVerdict, W as WorldDefinition, a as GuardEvent } from '../guard-contract-D_RQz9kt.js';
+import { G as GuardVerdict, W as WorldDefinition, a as GuardEvent, P as PlanDefinition, b as PlanProgress } from '../guard-contract-Cm91Kp4j.js';
 
 /**
  * NeuroVerse Adapter — OpenClaw
@@ -38,6 +38,12 @@ interface NeuroVersePluginOptions {
     mapAction?: (action: AgentAction, direction: 'input' | 'output') => GuardEvent;
     /** Whether to evaluate output actions (post-action). Default: false. */
     evaluateOutputs?: boolean;
+    /** Active plan overlay for task-scoped governance. */
+    plan?: PlanDefinition;
+    /** Called when plan progress changes. */
+    onPlanProgress?: (progress: PlanProgress) => void;
+    /** Called when all plan steps are completed. */
+    onPlanComplete?: () => void;
 }
 declare class GovernanceBlockedError extends Error {
     readonly verdict: GuardVerdict;
@@ -57,6 +63,7 @@ declare class NeuroVersePlugin {
     private options;
     private engineOptions;
     private mapAction;
+    private activePlan?;
     constructor(world: WorldDefinition, options?: NeuroVersePluginOptions);
     /**
      * Evaluate an action before execution.

package/dist/adapters/openclaw.js

@@ -3,9 +3,11 @@ import {
   NeuroVersePlugin,
   createNeuroVersePlugin,
   createNeuroVersePluginFromWorld
-} from "../chunk-CROPZ75A.js";
-import "../chunk-B4NF3OLW.js";
-import "../chunk-M3TZFGHO.js";
+} from "../chunk-SKU3GAPD.js";
+import "../chunk-4JRYGIO7.js";
+import "../chunk-JZPQGIKR.js";
+import "../chunk-4QXB6PEO.js";
+import "../chunk-YZFATT7X.js";
 export {
   GovernanceBlockedError,
   NeuroVersePlugin,

package/dist/{bootstrap-H4HHKQ5G.js → bootstrap-GXVDZNF7.js}

@@ -5,6 +5,7 @@ import {
   emitWorldDefinition,
   parseWorldMarkdown
 } from "./chunk-XPDMYECO.js";
+import "./chunk-YZFATT7X.js";
 
 // src/cli/bootstrap.ts
 function parseArgs(argv) {
@@ -81,7 +82,7 @@ async function main(argv = process.argv.slice(2)) {
     await writeWorldFiles(args.outputPath, emitResult.world);
     let validateReport;
     if (args.validate) {
-      const { validateWorld } = await import("./validate-engine-657D75OG.js");
+      const { validateWorld } = await import("./validate-engine-UIABSIHD.js");
       validateReport = validateWorld(emitResult.world);
     }
     const result = {

package/dist/{build-73KAVHEY.js → build-P42YFKQV.js}

@@ -2,15 +2,17 @@ import {
   DeriveInputError,
   DeriveProviderError,
   deriveWorld
-} from "./chunk-D7BGWV2J.js";
+} from "./chunk-NF5POFCI.js";
 import {
   DERIVE_EXIT_CODES
-} from "./chunk-T4X42QXC.js";
+} from "./chunk-Q6O7ZLO2.js";
+import "./chunk-OT6PXH54.js";
 import {
   emitWorldDefinition,
   parseWorldMarkdown
 } from "./chunk-XPDMYECO.js";
-import "./chunk-O5OMJMIE.js";
+import "./chunk-7P3S7MAY.js";
+import "./chunk-YZFATT7X.js";
 
 // src/cli/build.ts
 var FINDING_LABELS = {
@@ -74,6 +76,34 @@ function traceCausalChains(rules) {
   }
   return unique.slice(0, 3);
 }
+function renderGovernanceHealth(health) {
+  const lines = [];
+  lines.push("GOVERNANCE HEALTH");
+  lines.push(`  Coverage: ${health.surfacesCovered} / ${health.surfacesTotal} action surfaces governed`);
+  lines.push(`  Invariants enforced: ${health.invariantsEnforced} / ${health.invariantsTotal}`);
+  if (health.shadowedGuards > 0) {
+    lines.push(`  Shadowed guards: ${health.shadowedGuards}`);
+  }
+  if (health.unenforcedInvariants > 0) {
+    lines.push(`  Unenforced invariants: ${health.unenforcedInvariants}`);
+  }
+  if (health.unreachableRules > 0) {
+    lines.push(`  Unreachable rules: ${health.unreachableRules}`);
+  }
+  if (health.incompleteStateCoverage > 0) {
+    lines.push(`  Incomplete state coverage: ${health.incompleteStateCoverage}`);
+  }
+  if (health.surfaces.length > 0) {
+    lines.push("");
+    lines.push("  Surfaces:");
+    for (const s of health.surfaces) {
+      lines.push(`    ${s.name}: ${s.governed ? "governed" : "unguarded"}`);
+    }
+  }
+  lines.push("");
+  lines.push(`  Risk level: ${health.riskLevel.charAt(0).toUpperCase() + health.riskLevel.slice(1)}`);
+  return lines.join("\n");
+}
 function parseArgs(argv) {
   let inputPath = "";
   let outputDir;
@@ -304,5 +334,6 @@ Next steps:
 export {
   humanLabel,
   main,
+  renderGovernanceHealth,
   traceCausalChains
 };

package/dist/{chunk-Z2S2HIV5.js → chunk-2NICNKOM.js}

@@ -1,9 +1,9 @@
 import {
   evaluateGuard
-} from "./chunk-B4NF3OLW.js";
+} from "./chunk-4JRYGIO7.js";
 import {
   loadWorld
-} from "./chunk-M3TZFGHO.js";
+} from "./chunk-JZPQGIKR.js";
 
 // src/adapters/express.ts
 function methodToCategory(method) {