@nimiplatform/nimi-coding 0.1.0

package/adapters/codex/profile.yaml

@@ -0,0 +1,78 @@
+version: 1
+adapter_profile:
+  id: codex
+  host_class: native_codex_sdk_host
+  upstream_seed_profile: external_ai_host
+  purpose: >
+    Constrain native Codex SDK execution to act as a direct Codex host for
+    nimicoding topic-loop dispatch, using @openai/codex-sdk thread runs without
+    promoting Codex thread state into semantic truth.
+  semantic_owner:
+    - .nimi/methodology
+    - .nimi/spec
+    - .nimi/contracts
+    - .nimi/config
+  operational_owner:
+    - .codex
+    - .nimi/local
+    - .nimi/cache
+  admitted_skill_surfaces:
+    - spec_reconstruction
+    - doc_spec_audit
+    - audit_sweep
+    - high_risk_execution
+    - topic_loop_execution
+    - authority_convergence_audit
+  prompt_handoff:
+    bootstrap_surface:
+      - nimicoding handoff --skill spec_reconstruction --prompt
+      - nimicoding handoff --skill doc_spec_audit --prompt
+      - nimicoding handoff --skill audit_sweep --prompt
+      - nimicoding handoff --skill high_risk_execution --prompt
+    future_surface:
+      status: active_via_codex_sdk
+      commands:
+        - Codex.startThread().run
+        - Codex.resumeThread().run
+  output_handoff:
+    worker_output_target: .nimi/local/outputs/** candidate artifact
+    evidence_target: .nimi/local/evidence/** candidate artifact
+    closeout_target: local-only closeout payload unless later admitted
+  authority_convergence_audit:
+    execution_projection: codex_subagent_auditor
+    dispatch_source: nimicoding topic audit dispatch
+    output_target: .nimi/local/outputs/** candidate audit evidence
+    semantic_effect: none_until_manager_records_topic_audit_result
+    required_prompt_posture:
+      - audit_only_no_code_or_spec_edits
+      - report_PASS_NEEDS_REVISION_or_FAIL
+      - list_blocking_findings_concerns_deferred_non_blockers_and_authority_refs
+  native_review_boundary:
+    approval_review:
+      scope: lower_layer_permission_review
+      semantic_effect: none
+      evidence_target: .nimi/local/evidence/** candidate artifact
+    github_auto_review:
+      scope: lower_layer_pr_review_findings
+      semantic_effect: evidence_only
+      evidence_target: .nimi/local/evidence/** candidate artifact
+    forbidden_semantic_substitutions:
+      - wave_admission
+      - packet_freeze
+      - result_verdict
+      - wave_closeout
+      - topic_closeout
+      - true_close
+  hard_constraints:
+    - codex_sdk_must_not_become_semantic_owner
+    - codex_sdk_must_not_write_canonical_.nimi/spec_truth_directly_without_validator_admission
+    - codex_sdk_must_not_define_acceptance_disposition_or_finding_judgment
+    - codex_thread_state_must_remain_operational_only
+    - codex_sdk_runs_must_be_recorded_in_topic_run_ledger
+    - codex_native_approval_review_must_remain_permission_review_only
+    - codex_github_auto_review_must_remain_evidence_only
+    - codex_review_must_not_substitute_nimicoding_semantic_commands
+    - unresolved_authority_or_missing_context_must_fail_closed
+    - codex_subagent_authority_convergence_output_must_remain_candidate_evidence
+  current_gaps:
+    - topic_semantic_orchestrator_command_surface_not_yet_packaged

package/adapters/oh-my-codex/README.md

@@ -0,0 +1,185 @@
+# oh-my-codex Adapter Sketch
+
+This adapter sketch defines how to use `@nimiplatform/nimi-coding` with
+`oh-my-codex` (OMX) without turning OMX into the semantic owner.
+
+## Intent
+
+Use OMX for:
+
+- multi-agent or role-based execution
+- external host routing
+- long-running or autonomy-first execution behavior
+- operational observability
+
+Keep `nimicoding` responsible for:
+
+- project-local `.nimi/**` truth
+- authority boundaries
+- handoff constraints
+- packet, prompt, worker-output, and acceptance schema ownership
+- fail-closed validation
+
+## Boundary
+
+Treat the systems as layered rather than merged:
+
+- `@nimiplatform/nimi-coding` is the semantic kernel.
+- `oh-my-codex` is a constrained external execution host.
+- This adapter is only the bridge.
+
+OMX may read `.nimi/**` and produce execution artifacts, but it must not:
+
+- become the owner of `.nimi/spec/**`
+- treat cutover readiness as an authority flip
+- decide semantic acceptance or final disposition
+- redefine methodology state from `.omx/**` runtime state
+- bypass `nimicoding doctor`, `handoff`, or validator gates
+
+## Current Audit Summary
+
+The current package is already boundary-complete for standalone adapter use:
+
+- bootstrap seeding includes `skill-manifest`, `host-profile`, delegated
+  `skill-runtime`, and `skill-handoff`
+- `doctor` fail-closes when delegated-runtime posture, host-adapter truth, or
+  the package-owned OMX adapter overlay drifts
+- the generic external-host compatibility contract remains the baseline, and
+  OMX only adds an admitted overlay on top of it
+- `nimicoding doctor` and `nimicoding handoff` now report the supported
+  host posture directly from that packaged compatibility contract, alongside
+  named overlay status and future-only host-specific surfaces
+- `handoff --json` exports the authoritative machine contract, while
+  `handoff --prompt` remains a human-readable projection, and both include
+  selected OMX overlay metadata
+- `closeout` safely projects external results into local-only artifacts
+- execution artifact validators already exist for packet, orchestration-state,
+  prompt, worker-output, and acceptance
+
+The main remaining gap is not boundary definition. It is automation:
+
+- `high_risk_execution` now has a packaged local-only result contract
+- this package intentionally does not ship a packet-bound run kernel,
+  provider execution, or automatic canonical semantic promotion loop
+- the adapter profile marks `run-next-prompt` as a future-only, not-packaged
+  surface rather than an available standalone command
+
+That means OMX interop is already viable for prompt/output/evidence handoff,
+named host-profile recognition, and explicit manager-owned admission, but
+final high-risk completion should still stay bounded by `nimicoding`
+validators, explicit local closeout/decision/ingest/review surfaces, and
+manual manager-side admission rather than automatic semantic promotion. The
+canonical admission target is now also shape-validated by a package-owned
+admission schema contract before `nimicoding` accepts it as semantic truth.
+
+## Recommended First-User Flow
+
+### 1. Bootstrap project-local truth
+
+Run inside the target project:
+
+```sh
+nimicoding start
+nimicoding doctor
+```
+
+The result must keep delegated runtime ownership and non-self-hosted posture
+clean before OMX is introduced.
+
+### 2. Reconstruct `.nimi/spec/**` through explicit handoff
+
+Export the authoritative bootstrap handoff contract:
+
+```sh
+nimicoding handoff --skill spec_reconstruction --json
+```
+
+Use the JSON payload as OMX's machine contract. `--prompt` may still be used
+as a host briefing, but it is not the authoritative surface. OMX should
+return only the declared canonical tree outputs and must not invent new semantic
+owners. In this monorepo the explicit cutover batch has already made
+`.nimi/spec/**` the current authority root; OMX still must not redefine that
+authority or promote its own runtime state into semantic truth.
+
+Then project the closeout locally:
+
+```sh
+nimicoding closeout \
+  --skill spec_reconstruction \
+  --outcome completed \
+  --verified-at 2026-04-11T00:00:00Z \
+  --from <result.json> \
+  --write-local
+```
+
+### 3. Audit drift before execution
+
+If needed:
+
+```sh
+nimicoding handoff --skill doc_spec_audit --prompt
+nimicoding closeout --skill doc_spec_audit --outcome completed --verified-at <utc> --from <result.json> --write-local
+```
+
+This stays local-only and must not replace semantic truth.
+
+### 4. Dispatch high-risk execution through OMX
+
+Export the high-risk handoff contract:
+
+```sh
+nimicoding handoff --skill high_risk_execution --json
+```
+
+OMX should consume the declared `.nimi/**` context and produce:
+
+- packet/orchestration/prompt/worker-output/evidence refs under the declared
+  local artifact roots in `.nimi/config/external-execution-artifacts.yaml`
+- a local-only external execution summary that satisfies the packaged
+  `high_risk_execution` result contract
+- no claim of semantic completion, acceptance, or disposition
+
+The worker output must satisfy the seeded schema and include the strict
+`Runner Signal` block shape expected by the promoted internal methodology.
+
+### 5. Keep semantic review in `nimicoding`
+
+For now, treat OMX output as execution candidate material:
+
+- validate packet, prompt, worker-output, and acceptance mechanically
+- keep final acceptance/disposition under manager-owned `nimicoding` review
+- keep `.omx/**` state operational only
+
+In practice, this means the first real user can use OMX as the execution host
+today, while standalone `nimicoding` remains the host-agnostic semantic and
+interop boundary package. The promoted internal
+[`nimi-coding`](/Users/snwozy/nimi-realm/nimi/nimi-coding) still owns
+packet-bound runtime, provider-backed execution, scheduler, notification, and
+automation surfaces, even though standalone
+`nimicoding closeout` can now import a fail-closed local-only execution
+summary and `nimicoding ingest-high-risk-execution` can mechanically validate
+the referenced packet/prompt/output candidates while
+`nimicoding review-high-risk-execution` can project a manager-ready local
+attachment bundle, `nimicoding decide-high-risk-execution` can record a
+manager-owned local disposition, and `nimicoding admit-high-risk-decision`
+can explicitly write canonical summary admission into `.nimi/spec` without
+promoting OMX runtime state.
+
+## Mapping
+
+| OMX concern | Adapter rule | `nimicoding` owner |
+|---|---|---|
+| planning/execution routing | operational only | none |
+| prompt handoff | consume exported prompt/context | `.nimi/methodology/skill-handoff.yaml` |
+| worker output | write candidate artifact only under declared local roots | `.nimi/contracts/worker-output.schema.yaml` |
+| evidence | write candidate artifact only under declared local roots | packet/evidence contract family |
+| final disposition | OMX must not decide | manager-reviewed `nimicoding` semantics |
+
+## Next Product Steps
+
+The minimum follow-up work from here is:
+
+1. Add canonical semantic promotion automation around the explicit admission
+   surface so manager-owned decisions no longer require manual admission steps.
+2. Keep host-specific runtime execution support out of standalone unless a
+   later admitted packet explicitly expands package ownership.

package/adapters/oh-my-codex/profile.yaml

@@ -0,0 +1,46 @@
+version: 1
+adapter_profile:
+  id: oh_my_codex
+  host_class: external_execution_host
+  upstream_seed_profile: external_ai_host
+  purpose: >
+    Constrain oh-my-codex to act as an external execution host for
+    nimicoding handoff/prompt/output/evidence exchange without promoting OMX
+    runtime state into semantic truth.
+  semantic_owner:
+    - .nimi/methodology
+    - .nimi/spec
+    - .nimi/contracts
+    - .nimi/config
+  operational_owner:
+    - .omx
+    - .nimi/local
+    - .nimi/cache
+  admitted_skill_surfaces:
+    - spec_reconstruction
+    - doc_spec_audit
+    - audit_sweep
+    - high_risk_execution
+  prompt_handoff:
+    bootstrap_surface:
+      - nimicoding handoff --skill spec_reconstruction --prompt
+      - nimicoding handoff --skill doc_spec_audit --prompt
+      - nimicoding handoff --skill audit_sweep --prompt
+      - nimicoding handoff --skill high_risk_execution --prompt
+    future_surface:
+      status: future_only_not_packaged
+      commands:
+        - nimicoding run-next-prompt
+  output_handoff:
+    worker_output_target: .nimi/local/outputs/** candidate artifact
+    evidence_target: .nimi/local/evidence/** candidate artifact
+    closeout_target: local-only closeout payload unless later admitted
+  hard_constraints:
+    - omx_must_not_become_semantic_owner
+    - omx_must_not_write_canonical_.nimi/spec_truth_directly_without_validator_admission
+    - omx_must_not_define_acceptance_disposition_or_finding_judgment
+    - omx_runtime_state_must_remain_operational_only
+    - unresolved_authority_or_missing_context_must_fail_closed
+  current_gaps:
+    - automatic_semantic_admission_automation_not_packaged_in_standalone
+    - host_specific_runtime_execution_not_packaged_in_standalone

package/bin/nimicoding.mjs

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+
+import { runCli } from "../cli/nimicoding.mjs";
+
+const exitCode = await runCli(process.argv.slice(2));
+process.exit(exitCode);

package/cli/commands/admit-high-risk-decision.mjs

@@ -0,0 +1,108 @@
+import {
+  buildHighRiskAdmissionPayload,
+  formatHighRiskAdmissionPayload,
+  writeHighRiskAdmission,
+} from "../lib/high-risk-admission.mjs";
+import { localize } from "../lib/ui.mjs";
+
+function parseAdmitHighRiskDecisionOptions(args) {
+  const options = {
+    fromPath: null,
+    admittedAt: null,
+    json: false,
+    writeSpec: false,
+  };
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+
+    if (arg === "--json") {
+      options.json = true;
+      continue;
+    }
+
+    if (arg === "--write-spec") {
+      options.writeSpec = true;
+      continue;
+    }
+
+    if (arg === "--from" || arg === "--admitted-at") {
+      const next = args[index + 1];
+      if (!next || next.startsWith("--")) {
+        return {
+          ok: false,
+          error: `${localize(
+            `nimicoding admit-high-risk-decision refused: ${arg} requires a value.`,
+            `nimicoding admit-high-risk-decision 已拒绝：${arg} 需要一个值。`,
+          )}\n`,
+        };
+      }
+
+      if (arg === "--from") {
+        options.fromPath = next;
+      } else {
+        options.admittedAt = next;
+      }
+      index += 1;
+      continue;
+    }
+
+    return {
+      ok: false,
+      error: `${localize(
+        `nimicoding admit-high-risk-decision refused: unknown option ${arg}.`,
+        `nimicoding admit-high-risk-decision 已拒绝：未知选项 ${arg}。`,
+      )}\n`,
+    };
+  }
+
+  if (!options.fromPath) {
+    return {
+      ok: false,
+      error: `${localize(
+        "nimicoding admit-high-risk-decision refused: explicit --from is required.",
+        "nimicoding admit-high-risk-decision 已拒绝：必须显式提供 `--from`。",
+      )}\n`,
+    };
+  }
+
+  if (!options.admittedAt) {
+    return {
+      ok: false,
+      error: `${localize(
+        "nimicoding admit-high-risk-decision refused: explicit --admitted-at is required.",
+        "nimicoding admit-high-risk-decision 已拒绝：必须显式提供 `--admitted-at`。",
+      )}\n`,
+    };
+  }
+
+  return { ok: true, options };
+}
+
+export async function runAdmitHighRiskDecision(args) {
+  const parsed = parseAdmitHighRiskDecisionOptions(args);
+  if (!parsed.ok) {
+    process.stderr.write(parsed.error);
+    return 2;
+  }
+
+  const payload = await buildHighRiskAdmissionPayload(process.cwd(), parsed.options);
+  if (payload.inputError) {
+    process.stderr.write(payload.error);
+    return payload.exitCode;
+  }
+
+  if (payload.ok && parsed.options.writeSpec) {
+    await writeHighRiskAdmission(process.cwd(), payload);
+  }
+
+  if (parsed.options.json) {
+    process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+  } else {
+    process.stdout.write(formatHighRiskAdmissionPayload(payload));
+  }
+
+  return payload.exitCode;
+}
+
+export { parseAdmitHighRiskDecisionOptions };