npm - @pixelbyte-software/pixcode - Versions diffs - 1.42.2 → 1.42.4 - Mend

@pixelbyte-software/pixcode 1.42.2 → 1.42.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/server/modules/orchestration/tasks/task-run-graph.ts ADDED Viewed

@@ -0,0 +1,219 @@
+import type { WorkflowNodeRun, WorkflowRun } from '@/modules/orchestration/workflows/workflow.types.js';
+import { workflowStore } from '@/modules/orchestration/workflows/workflow-store.js';
+import { orchestrationTaskService } from '@/modules/orchestration/tasks/orchestration-task.service.js';
+import type { OrchestrationTask } from '@/modules/orchestration/tasks/orchestration-task.types.js';
+export const PIXCODE_TASK_RUN_GRAPH_PROTOCOL = 'pixcode.task-run-graph.v1';
+export type TaskRunGraphCriterionStatus = 'pending' | 'passed' | 'failed';
+export interface TaskRunGraphCriterion {
+  id: string;
+  label: string;
+  status: TaskRunGraphCriterionStatus;
+  source: 'taskmaster' | 'workflow';
+}
+export interface TaskRunGraphRunSummary {
+  id: string;
+  workflowId: string;
+  status: WorkflowRun['status'];
+  startedAt: number;
+  finishedAt?: number;
+  taskmasterId?: string;
+  orchestrationTaskId?: string;
+  changedFiles: string[];
+}
+export interface TaskRunGraph {
+  protocol: typeof PIXCODE_TASK_RUN_GRAPH_PROTOCOL;
+  projectId: string;
+  taskmasterId?: string;
+  orchestrationTaskId?: string;
+  workflowRuns: TaskRunGraphRunSummary[];
+  changedFiles: string[];
+  acceptanceCriteria: TaskRunGraphCriterion[];
+  status: {
+    totalRuns: number;
+    completedRuns: number;
+    failedRuns: number;
+    passedCriteria: number;
+    failedCriteria: number;
+  };
+}
+function readString(value: unknown): string | undefined {
+  return typeof value === 'string' && value.trim() ? value.trim() : undefined;
+}
+function readRecord(value: unknown): Record<string, unknown> | undefined {
+  return value && typeof value === 'object' ? value as Record<string, unknown> : undefined;
+}
+function uniqueStrings(values: Array<string | undefined>): string[] {
+  return [...new Set(values.filter((value): value is string => Boolean(value?.trim())))]
+    .sort((a, b) => a.localeCompare(b));
+}
+function taskStatusPassed(status: unknown): boolean {
+  const normalized = String(status ?? '').toLocaleLowerCase('en');
+  return normalized === 'done' || normalized === 'completed';
+}
+function taskStatusFailed(status: unknown): boolean {
+  const normalized = String(status ?? '').toLocaleLowerCase('en');
+  return normalized === 'failed' || normalized === 'blocked' || normalized === 'cancelled' || normalized === 'canceled';
+}
+function criterionStatus(status: unknown): TaskRunGraphCriterionStatus {
+  if (taskStatusPassed(status)) return 'passed';
+  if (taskStatusFailed(status)) return 'failed';
+  return 'pending';
+}
+function taskmasterAcceptanceCriteria(taskmasterTask: Record<string, unknown> | undefined): TaskRunGraphCriterion[] {
+  if (!taskmasterTask) return [];
+  const criteria: TaskRunGraphCriterion[] = [];
+  const testStrategy = readString(taskmasterTask.testStrategy) ?? readString(taskmasterTask.test_strategy);
+  if (testStrategy) {
+    criteria.push({
+      id: 'test-strategy',
+      label: testStrategy,
+      status: criterionStatus(taskmasterTask.status),
+      source: 'taskmaster',
+    });
+  }
+  const subtasks = Array.isArray(taskmasterTask.subtasks) ? taskmasterTask.subtasks : [];
+  subtasks.forEach((subtask, index) => {
+    const record = readRecord(subtask);
+    if (!record) return;
+    const title = readString(record.title);
+    if (!title) return;
+    criteria.push({
+      id: `subtask-${readString(record.id) ?? index + 1}`,
+      label: title,
+      status: criterionStatus(record.status),
+      source: 'taskmaster',
+    });
+  });
+  return criteria;
+}
+function metadataTaskmasterId(run: WorkflowRun): string | undefined {
+  return readString(run.metadata?.taskmasterId)
+    ?? readString(readRecord(run.metadata?.taskGraph)?.taskmasterId)
+    ?? readString(readRecord(run.metadata?.replay)?.taskmasterId);
+}
+function metadataOrchestrationTaskId(run: WorkflowRun): string | undefined {
+  return readString(run.metadata?.orchestrationTaskId)
+    ?? readString(readRecord(run.metadata?.taskGraph)?.orchestrationTaskId);
+}
+function artifactChangedFiles(node: WorkflowNodeRun): string[] {
+  const files: string[] = [];
+  if (node.handoffArtifact?.changedFiles) {
+    files.push(...node.handoffArtifact.changedFiles);
+  }
+  for (const artifact of node.artifacts ?? []) {
+    const data = readRecord(artifact.data);
+    const metadata = readRecord(artifact.metadata);
+    const candidates = [
+      readString(metadata?.path),
+      readString(metadata?.file),
+      readString(data?.path),
+      readString(data?.file),
+    ];
+    files.push(...candidates.filter((value): value is string => Boolean(value)));
+    for (const key of ['files', 'changedFiles']) {
+      const value = data?.[key] ?? metadata?.[key];
+      if (Array.isArray(value)) {
+        files.push(...value.map((entry) => readString(entry)).filter((entry): entry is string => Boolean(entry)));
+      }
+    }
+  }
+  return uniqueStrings(files);
+}
+export function changedFilesFromWorkflowRun(run: WorkflowRun): string[] {
+  return uniqueStrings(run.nodeRuns.flatMap((node) => artifactChangedFiles(node)));
+}
+function workflowRunMatchesTask(run: WorkflowRun, task: OrchestrationTask | undefined, taskmasterId: string | undefined): boolean {
+  const runTaskmasterId = metadataTaskmasterId(run);
+  const runOrchestrationTaskId = metadataOrchestrationTaskId(run);
+  if (taskmasterId && runTaskmasterId === taskmasterId) return true;
+  if (task?.id && runOrchestrationTaskId === task.id) return true;
+  if (task?.workflowRunIds?.includes(run.id)) return true;
+  return false;
+}
+function runSummary(run: WorkflowRun): TaskRunGraphRunSummary {
+  return {
+    id: run.id,
+    workflowId: run.workflowId,
+    status: run.status,
+    startedAt: run.startedAt,
+    finishedAt: run.finishedAt,
+    taskmasterId: metadataTaskmasterId(run),
+    orchestrationTaskId: metadataOrchestrationTaskId(run),
+    changedFiles: changedFilesFromWorkflowRun(run),
+  };
+}
+export function buildTaskRunGraph({
+  projectId,
+  taskmasterId,
+  taskmasterTask,
+}: {
+  projectId: string;
+  taskmasterId?: string;
+  taskmasterTask?: Record<string, unknown>;
+}): TaskRunGraph {
+  const orchestrationTask = taskmasterId
+    ? orchestrationTaskService.list(projectId).find((task) => task.taskmasterId === taskmasterId)
+    : undefined;
+  const workflowRuns = workflowStore
+    .listRuns()
+    .filter((run) => workflowRunMatchesTask(run, orchestrationTask, taskmasterId))
+    .map(runSummary);
+  const workflowCriteria: TaskRunGraphCriterion[] = workflowRuns.map((run) => ({
+    id: `run-${run.id}`,
+    label: `Workflow ${run.workflowId} ${run.status}`,
+    status: run.status === 'completed' ? 'passed' : run.status === 'failed' || run.status === 'canceled' ? 'failed' : 'pending',
+    source: 'workflow',
+  }));
+  const acceptanceCriteria = [
+    ...taskmasterAcceptanceCriteria(taskmasterTask),
+    ...(orchestrationTask?.acceptanceCriteria ?? []),
+    ...workflowCriteria,
+  ];
+  const changedFiles = uniqueStrings([
+    ...(orchestrationTask?.changedFiles ?? []),
+    ...workflowRuns.flatMap((run) => run.changedFiles),
+  ]);
+  return {
+    protocol: PIXCODE_TASK_RUN_GRAPH_PROTOCOL,
+    projectId,
+    taskmasterId,
+    orchestrationTaskId: orchestrationTask?.id,
+    workflowRuns,
+    changedFiles,
+    acceptanceCriteria,
+    status: {
+      totalRuns: workflowRuns.length,
+      completedRuns: workflowRuns.filter((run) => run.status === 'completed').length,
+      failedRuns: workflowRuns.filter((run) => run.status === 'failed' || run.status === 'canceled').length,
+      passedCriteria: acceptanceCriteria.filter((criterion) => criterion.status === 'passed').length,
+      failedCriteria: acceptanceCriteria.filter((criterion) => criterion.status === 'failed').length,
+    },
+  };
+}

package/server/modules/orchestration/workflows/workflow-runner.ts CHANGED Viewed

@@ -21,6 +21,13 @@ import {
   classifyWorkflowFailure,
   resolveWorkflowFallbackDecision,
 } from '@/modules/orchestration/workflows/workflow-fallback-policy.js';
+import {
+  evaluatePermissionRequest,
+  resolvePermissionPolicyFromMetadata,
+  type PermissionDecision,
+  type PermissionPolicy,
+  type PermissionPolicyEvent,
+} from '@/modules/orchestration/security/permission-policy.js';
 import {
   type ResolvedWorkspaceTarget,
   resolveWorkflowWorkspace,
@@ -28,6 +35,7 @@ import {
   workspaceTargetMetadata,
 } from '@/modules/orchestration/workflows/workspace-target.js';
 import { workflowStore } from '@/modules/orchestration/workflows/workflow-store.js';
+import { orchestrationTaskService } from '@/modules/orchestration/tasks/orchestration-task.service.js';
 // @ts-ignore — plain-JS service
 import {
   getDefaultProviderModel,
@@ -35,7 +43,12 @@ import {
   getStaticProviderModels,
 } from '@/services/model-registry.js';
 // @ts-ignore — plain-JS service
-import { notifyRunFailed, notifyRunStopped } from '@/services/notification-orchestrator.js';
+import {
+  createNotificationEvent,
+  notifyRunFailed,
+  notifyRunStopped,
+  notifyUserIfEnabled,
+} from '@/services/notification-orchestrator.js';
 const TERMINAL = new Set(['completed', 'failed', 'canceled']);
 const SKIPPED = 'skipped';
@@ -244,6 +257,49 @@ function notifyWorkflowRunFinished(run: WorkflowRun): void {
   }
 }
+function permissionPolicyFromRun(run: WorkflowRun): PermissionPolicy {
+  return resolvePermissionPolicyFromMetadata(run.metadata);
+}
+function permissionPolicyEvents(run: WorkflowRun): PermissionPolicyEvent[] {
+  return Array.isArray(run.metadata?.permissionPolicyEvents)
+    ? run.metadata.permissionPolicyEvents.filter((event): event is PermissionPolicyEvent =>
+      Boolean(event && typeof event === 'object'),
+    )
+    : [];
+}
+function permissionApprovalRequests(run: WorkflowRun): Array<Record<string, unknown>> {
+  return Array.isArray(run.metadata?.pendingPermissionApprovals)
+    ? run.metadata.pendingPermissionApprovals.filter((event): event is Record<string, unknown> =>
+      Boolean(event && typeof event === 'object'),
+    )
+    : [];
+}
+function notifyPermissionApprovalRequested(run: WorkflowRun, decision: PermissionDecision): void {
+  const userId = readNotificationUserId(run.metadata);
+  if (!userId || !decision.approvalRequest) return;
+  const event = (createNotificationEvent as unknown as (payload: Record<string, unknown>) => unknown)({
+    provider: 'system',
+    sessionId: run.id,
+    kind: 'action_required',
+    code: 'permission.required',
+    meta: {
+      toolName: decision.capabilities.join(', '),
+      sessionName: workflowNotificationTitle(run),
+    },
+    severity: 'warning',
+    requiresUserAction: true,
+    dedupeKey: `workflow:permission:${run.id}:${decision.requestId}`,
+  });
+  (notifyUserIfEnabled as (payload: { userId: string | number; event: unknown }) => void)({
+    userId,
+    event,
+  });
+}
 function readBoolean(value: unknown): boolean | undefined {
   return typeof value === 'boolean' ? value : undefined;
 }
@@ -1215,8 +1271,10 @@ class WorkflowRunner {
     const runtimeWorkflow = expandWorkflowForRun(workflow, metadata);
     validateWorkflow(runtimeWorkflow);
     const workspaceTarget = resolveWorkflowWorkspace(metadata);
-    const runMetadata = {
+    const permissionPolicy = resolvePermissionPolicyFromMetadata(metadata);
+    const runMetadata: Record<string, unknown> = {
       ...metadata,
+      permissionPolicy,
       projectPath: workspaceTarget.projectPath,
       selectedProjectPath: workspaceTarget.selectedProjectPath,
       workspaceTarget: workspaceTargetMetadata(workspaceTarget),
@@ -1232,6 +1290,10 @@ class WorkflowRunner {
       metadata: runMetadata,
     };
     workflowStore.setRun(run);
+    const orchestrationTaskId = readString(runMetadata.orchestrationTaskId);
+    if (orchestrationTaskId) {
+      orchestrationTaskService.linkWorkflowRun(orchestrationTaskId, run);
+    }
     void this.execute(runtimeWorkflow, run);
     return run;
   }
@@ -1591,11 +1653,43 @@ class WorkflowRunner {
     } finally {
       run.finishedAt = run.finishedAt ?? Date.now();
       workflowStore.setRun(run);
+      orchestrationTaskService.updateFromWorkflowRun(run);
       notifyWorkflowRunFinished(run);
       this.cancelingRuns.delete(run.id);
     }
   }
+  private recordPermissionDecision(
+    run: WorkflowRun,
+    nodeRun: WorkflowNodeRun,
+    decision: PermissionDecision,
+  ): void {
+    nodeRun.permissionDecisions = [
+      ...(nodeRun.permissionDecisions ?? []),
+      decision,
+    ];
+    const existingApprovals = permissionApprovalRequests(run)
+      .filter((approval) => approval.id !== decision.approvalRequest?.id);
+    run.metadata = {
+      ...run.metadata,
+      permissionPolicyEvents: [
+        ...permissionPolicyEvents(run),
+        decision.event,
+      ],
+      pendingPermissionApprovals: decision.approvalRequest
+        ? [
+          ...existingApprovals,
+          decision.approvalRequest,
+        ]
+        : existingApprovals,
+    };
+    if (decision.approvalRequest) {
+      notifyPermissionApprovalRequested(run, decision);
+    }
+  }
   private async executeNode(
     node: WorkflowNode,
     workflow: Workflow,
@@ -1674,6 +1768,49 @@ class WorkflowRunner {
       };
       workflowStore.setRun(run);
     }
+    const permissionPolicy = permissionPolicyFromRun(run);
+    nodeRun.permissionPolicy = permissionPolicy;
+    const permissionDecision = evaluatePermissionRequest({
+      policy: permissionPolicy,
+      request: {
+        source: 'workflow_node',
+        toolName: node.adapterId,
+        input: {
+          assignment: node.assignment,
+          stage: node.stage,
+          toolsSettings: node.toolsSettings,
+        },
+        cwd: projectPath,
+        workspacePath: workspaceTarget.appRoot,
+        targetPaths: [projectPath],
+        summary: [
+          node.agentLabel || node.id,
+          node.stage ? `stage=${node.stage}` : undefined,
+          node.assignment,
+        ].filter(Boolean).join(' / '),
+      },
+      context: {
+        runId: run.id,
+        nodeId: node.id,
+        workflowId: run.workflowId,
+        adapterId: node.adapterId,
+        agentLabel: node.agentLabel,
+        userId: readNotificationUserId(run.metadata),
+      },
+    });
+    this.recordPermissionDecision(run, nodeRun, permissionDecision);
+    workflowStore.setRun(run);
+    if (permissionDecision.behavior === 'deny') {
+      nodeRun.finishedAt = Date.now();
+      nodeRun.status = 'failed';
+      nodeRun.error = permissionDecision.message;
+      workflowStore.setRun(run);
+      if (node.onFail === 'continue') {
+        completed.add(node.id);
+        return;
+      }
+      throw new Error(permissionDecision.message);
+    }
     let body: { id?: string; error?: { message?: string } };
     try {
       const submit = await fetch(`${localA2ABaseUrl()}/tasks`, {
@@ -1695,6 +1832,15 @@ class WorkflowRunner {
             assignment: node.assignment,
             model: effectiveModel,
             permissionMode: effectivePermissionMode,
+            permissionPolicy,
+            permissionPolicyContext: {
+              runId: run.id,
+              nodeId: node.id,
+              workflowId: run.workflowId,
+              adapterId: node.adapterId,
+              agentLabel: node.agentLabel,
+              userId: readNotificationUserId(run.metadata),
+            },
             toolsSettings: node.toolsSettings,
             projectPath,
             workspaceTarget: workspaceTargetMetadata(workspaceTarget),

package/server/modules/orchestration/workflows/workflow-trace.ts CHANGED Viewed

@@ -216,6 +216,38 @@ export function buildWorkflowTrace(run: WorkflowRun): WorkflowTraceEvent[] {
     });
   });
+  const permissionPolicyEvents = Array.isArray(run.metadata?.permissionPolicyEvents)
+    ? run.metadata.permissionPolicyEvents
+    : [];
+  permissionPolicyEvents.forEach((event, index) => {
+    const record = readRecord(event);
+    if (!record) return;
+    const behavior = readString(record.behavior);
+    const capabilities = Array.isArray(record.capabilities)
+      ? record.capabilities.filter((item): item is string => typeof item === 'string')
+      : [];
+    pushEvent(events, {
+      id: traceId([run.id, 'permission-policy', readString(record.id) ?? index]),
+      type: 'permission_policy',
+      severity: behavior === 'deny' ? 'error' : behavior === 'prompt' ? 'warning' : 'info',
+      status: behavior === 'deny' ? 'failed' : behavior === 'prompt' ? 'submitted' : 'completed',
+      timestamp: typeof record.createdAt === 'number' ? record.createdAt : run.startedAt + 0.85 + index,
+      actor: 'Pixcode',
+      nodeId: readString(record.nodeId),
+      adapterId: readString(record.adapterId),
+      agentLabel: readString(record.agentLabel),
+      title: 'Permission policy decision',
+      titleKey: 'workflow.trace.permissionPolicy',
+      summary: redactTraceText([
+        `Decision: ${behavior ?? readString(record.status) ?? 'unknown'}`,
+        capabilities.length > 0 ? `Capabilities: ${capabilities.join(', ')}` : undefined,
+        readString(record.summary),
+        readString(record.message),
+      ].filter(Boolean).join('\n'), run),
+      metadata: record,
+    });
+  });
   run.nodeRuns.forEach((node, index) => {
     const base = eventBase(node);
     const timestamp = nodeTimestamp(run, node, index);

package/server/modules/orchestration/workflows/workflow.routes.ts CHANGED Viewed

@@ -9,6 +9,14 @@ import {
 import { workflowStore } from '@/modules/orchestration/workflows/workflow-store.js';
 import { buildWorkflowTrace } from '@/modules/orchestration/workflows/workflow-trace.js';
 import { findPixcodeAppRoot } from '@/modules/orchestration/workflows/workspace-target.js';
+import {
+  DEFAULT_PERMISSION_POLICY,
+  PERMISSION_CAPABILITIES,
+  PERMISSION_POLICY_MODES,
+  PIXCODE_PERMISSION_POLICY_PROTOCOL,
+  evaluatePermissionRequest,
+  normalizePermissionPolicy,
+} from '@/modules/orchestration/security/permission-policy.js';
 const TERMINAL_RUN_STATES = new Set(['completed', 'failed', 'canceled']);
@@ -73,6 +81,36 @@ function replayOptions(req: express.Request): {
   };
 }
+function readRunArray(run: { metadata?: Record<string, unknown> }, key: string): Array<Record<string, unknown>> {
+  const value = run.metadata?.[key];
+  return Array.isArray(value)
+    ? value.filter((item): item is Record<string, unknown> => Boolean(item && typeof item === 'object'))
+    : [];
+}
+function updateApproval(
+  run: { metadata?: Record<string, unknown> },
+  requestId: string,
+  patch: Record<string, unknown>,
+): boolean {
+  const approvals = readRunArray(run, 'pendingPermissionApprovals');
+  let changed = false;
+  const nextApprovals = approvals.map((approval) => {
+    if (approval.id !== requestId) return approval;
+    changed = true;
+    return {
+      ...approval,
+      ...patch,
+    };
+  });
+  if (!changed) return false;
+  run.metadata = {
+    ...run.metadata,
+    pendingPermissionApprovals: nextApprovals,
+  };
+  return true;
+}
 function sendRunSnapshot(res: express.Response, runId: string): boolean {
   const run = workflowStore.getRun(runId);
   if (!run) {
@@ -162,6 +200,89 @@ export function createWorkflowRouter(): Router {
     });
   });
+  router.get('/workflows/permission-policy', (_req, res) => {
+    res.json({
+      protocol: PIXCODE_PERMISSION_POLICY_PROTOCOL,
+      capabilities: PERMISSION_CAPABILITIES,
+      modes: PERMISSION_POLICY_MODES,
+      defaultPolicy: DEFAULT_PERMISSION_POLICY,
+    });
+  });
+  router.post('/workflows/permission-policy/evaluate', (req, res) => {
+    try {
+      res.json({
+        decision: evaluatePermissionRequest({
+          policy: normalizePermissionPolicy(req.body?.policy),
+          request: req.body?.request ?? { source: 'api' },
+        }),
+      });
+    } catch (error) {
+      res.status(400).json({
+        error: {
+          code: 'PERMISSION_POLICY_INVALID',
+          message: error instanceof Error ? error.message : String(error),
+        },
+      });
+    }
+  });
+  router.get('/workflows/runs/:runId/permission-approvals', (req, res) => {
+    const run = workflowStore.getRun(req.params.runId);
+    if (!run) {
+      res.status(404).json({ error: { code: 'RUN_NOT_FOUND', message: req.params.runId } });
+      return;
+    }
+    res.json({
+      runId: run.id,
+      pendingApprovals: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status === 'pending'),
+      approvalHistory: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status !== 'pending'),
+    });
+  });
+  router.post('/workflows/runs/:runId/permission-approvals/:requestId', (req, res) => {
+    const run = workflowStore.getRun(req.params.runId);
+    if (!run) {
+      res.status(404).json({ error: { code: 'RUN_NOT_FOUND', message: req.params.runId } });
+      return;
+    }
+    const allow = req.body?.allow === true;
+    const deny = req.body?.allow === false;
+    if (!allow && !deny) {
+      res.status(400).json({
+        error: {
+          code: 'PERMISSION_DECISION_REQUIRED',
+          message: 'Permission approval requires allow=true or allow=false.',
+        },
+      });
+      return;
+    }
+    const updated = updateApproval(run, req.params.requestId, {
+      status: allow ? 'allowed' : 'denied',
+      resolvedAt: Date.now(),
+      resolvedBy: readRequestUserId(req),
+      resolutionMessage: readOptionalString(req.body?.message),
+    });
+    if (!updated) {
+      res.status(404).json({ error: { code: 'APPROVAL_NOT_FOUND', message: req.params.requestId } });
+      return;
+    }
+    workflowStore.setRun(run);
+    res.json({
+      runId: run.id,
+      pendingApprovals: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status === 'pending'),
+      approvalHistory: readRunArray(run, 'pendingPermissionApprovals')
+        .filter((approval) => approval.status !== 'pending'),
+    });
+  });
   router.get('/workflows/runs/:runId/replay-plan', (req, res) => {
     const run = workflowStore.getRun(req.params.runId);
     if (!run) {

package/server/modules/orchestration/workflows/workflow.types.ts CHANGED Viewed

@@ -1,6 +1,10 @@
 import type { WorkflowContextPacket } from '@/modules/orchestration/workflows/context-packet.js';
 import type { WorkflowFallbackTrigger } from '@/modules/orchestration/workflows/workflow-fallback-policy.js';
 import type { WorkflowHandoffArtifact } from '@/modules/orchestration/workflows/handoff-artifact.js';
+import type {
+  PermissionDecision,
+  PermissionPolicy,
+} from '@/modules/orchestration/security/permission-policy.js';
 export type WorkflowRunStatus = 'queued' | 'running' | 'completed' | 'failed' | 'canceled';
 export type WorkflowNodeStatus = WorkflowRunStatus | 'skipped';
@@ -18,6 +22,8 @@ export interface WorkflowNode {
   assignment?: string;
   model?: string;
   permissionMode?: string;
+  permissionPolicy?: PermissionPolicy;
+  permissionDecisions?: PermissionDecision[];
   toolsSettings?: Record<string, unknown>;
   isolation?: 'host' | 'worktree' | 'docker';
   timeoutMs?: number;
@@ -44,6 +50,8 @@ export interface WorkflowNodeRun {
   promptPreview?: string;
   model?: string;
   permissionMode?: string;
+  permissionPolicy?: PermissionPolicy;
+  permissionDecisions?: PermissionDecision[];
   timeoutMs?: number;
   stage?: string;
   internal?: boolean;
@@ -84,7 +92,7 @@ export interface WorkflowRun {
 export interface WorkflowTraceEvent {
   id: string;
-  type: 'run' | 'node' | 'provider' | 'message' | 'artifact' | 'file' | 'error';
+  type: 'run' | 'node' | 'provider' | 'message' | 'artifact' | 'file' | 'error' | 'permission_policy';
   severity: 'info' | 'warning' | 'error';
   status: WorkflowRunStatus | WorkflowNodeStatus | 'submitted';
   timestamp: number;