@prism-d1/cli 1.0.27 → 1.0.29

package/dist/assets/eval-harness/run-eval.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+# run-eval.sh — Evaluate a single file against a rubric using Bedrock.
+#
+# Usage: ./run-eval.sh <rubric-file> <input-file> [--spec <spec-file>]
+#
+# Output (stdout, parsed by workflow):
+#   Score: <0-1>
+#   Result: PASS|FAIL
+#
+# Exit: 0=pass, 1=fail, 2=error
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CONFIG_FILE="${SCRIPT_DIR}/eval-config.json"
+
+# --- Args ---
+RUBRIC_FILE=""
+INPUT_FILE=""
+SPEC_FILE=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --spec) SPEC_FILE="$2"; shift 2 ;;
+    *) if [[ -z "${RUBRIC_FILE}" ]]; then RUBRIC_FILE="$1"
+       elif [[ -z "${INPUT_FILE}" ]]; then INPUT_FILE="$1"
+       fi; shift ;;
+  esac
+done
+
+[[ -f "${RUBRIC_FILE}" ]] || { echo "Error: rubric not found: ${RUBRIC_FILE}" >&2; exit 2; }
+[[ -f "${INPUT_FILE}" ]] || { echo "Error: file not found: ${INPUT_FILE}" >&2; exit 2; }
+[[ -f "${CONFIG_FILE}" ]] || { echo "Error: eval-config.json not found" >&2; exit 2; }
+
+# --- Config ---
+EVAL_MODEL=$(jq -r '.eval_model_id' "${CONFIG_FILE}")
+PASS_THRESHOLD=$(jq -r '.pass_threshold' "${CONFIG_FILE}")
+AWS_REGION=$(jq -r '.aws_region' "${CONFIG_FILE}")
+
+RUBRIC_NAME=$(jq -r '.rubric_name' "${RUBRIC_FILE}")
+CODE_CONTENT=$(cat "${INPUT_FILE}")
+
+# --- Filter criteria: skip requires_spec criteria when no spec provided ---
+CRITERIA_FILTER='if $spec == "" then .criteria | map(select(.requires_spec != true)) else .criteria end'
+ACTIVE_CRITERIA=$(jq --arg spec "${SPEC_FILE}" "${CRITERIA_FILTER}" "${RUBRIC_FILE}")
+ACTIVE_COUNT=$(echo "${ACTIVE_CRITERIA}" | jq 'length')
+
+if [[ "${ACTIVE_COUNT}" -eq 0 ]]; then
+  echo "Skipped: ${RUBRIC_NAME} (all criteria require spec)"
+  echo "Score: 0"
+  echo "Result: SKIP"
+  echo "Hallucinations: 0"
+  exit 0
+fi
+
+# --- Build rubric text for prompt ---
+RUBRIC_CRITERIA=$(echo "${ACTIVE_CRITERIA}" | jq -r '.[] | "- \(.name) [weight=\(.weight)]: \(.description)\n  Scoring: \(.scoring | if type == "object" then to_entries | map("\(.key): \(.value)") | join("; ") else . end)"')
+
+SPEC_SECTION="No spec provided. Evaluate based on code quality criteria only."
+if [[ -n "${SPEC_FILE}" && -f "${SPEC_FILE}" ]]; then
+  SPEC_SECTION=$(cat "${SPEC_FILE}")
+fi
+
+# --- Prompt (ask for per-criterion scores, we calculate weighted average) ---
+EVAL_PROMPT="You are a code quality evaluator. Evaluate the following code against the rubric criteria.
+
+## Spec
+${SPEC_SECTION}
+
+## Code Under Evaluation
+--- FILE: ${INPUT_FILE} ---
+${CODE_CONTENT}
+
+## Rubric Criteria
+${RUBRIC_CRITERIA}
+
+Respond in this exact JSON format (no other text):
+{\"evaluations\": [{\"criterion\": \"<name>\", \"score\": <0.0-1.0>, \"rationale\": \"<brief>\"}]}"
+
+# --- Call Bedrock ---
+BODY_FILE=$(mktemp)
+RESP_FILE=$(mktemp)
+trap 'rm -f "${BODY_FILE}" "${RESP_FILE}"' EXIT
+
+jq -n --arg p "${EVAL_PROMPT}" \
+  '{anthropic_version:"bedrock-2023-05-31",max_tokens:2000,messages:[{role:"user",content:$p}]}' > "${BODY_FILE}"
+
+aws bedrock-runtime invoke-model \
+  --region "${AWS_REGION}" \
+  --model-id "${EVAL_MODEL}" \
+  --content-type "application/json" \
+  --accept "application/json" \
+  --body "fileb://${BODY_FILE}" \
+  "${RESP_FILE}" 2>/dev/null || { echo "Error: Bedrock invoke failed" >&2; exit 2; }
+
+# --- Parse response ---
+EVAL_JSON=$(jq -r '.content[0].text' "${RESP_FILE}" 2>/dev/null | sed -n '/^{/,/^}/p') || true
+[[ -n "${EVAL_JSON}" ]] || { echo "Error: could not parse model response" >&2; exit 2; }
+
+# --- Calculate weighted score (client-side, don't trust LLM math) ---
+OVERALL=$(echo "${EVAL_JSON}" | jq --argjson criteria "${ACTIVE_CRITERIA}" '
+  ($criteria | map(.weight) | add) as $total_weight |
+  [.evaluations[] as $e |
+    ($criteria[] | select(.name == $e.criterion)) as $c |
+    ($e.score * $c.weight)
+  ] | (add // 0) / $total_weight')
+
+# --- Detect hallucinations ---
+HALLUCINATIONS=$(echo "${EVAL_JSON}" | jq '[.evaluations[] | select(.rationale | test("hallucinated|does not exist|not found"; "i"))] | length')
+
+# --- Output (workflow parses these lines) ---
+echo "${EVAL_JSON}" | jq -r '.evaluations[] | "\(.criterion): \(.score) — \(.rationale)"'
+echo ""
+printf "Score: %.4f\n" "${OVERALL}"
+echo "Result: $(echo "${OVERALL} >= ${PASS_THRESHOLD}" | bc -l | grep -q '^1' && echo "PASS" || echo "FAIL")"
+echo "Hallucinations: ${HALLUCINATIONS}"
+
+# --- Exit ---
+if (( $(echo "${OVERALL} < ${PASS_THRESHOLD}" | bc -l) )); then
+  exit 1
+fi
+exit 0

package/dist/assets/github-workflows/README.md

@@ -0,0 +1,110 @@
+# GitHub Actions Workflows
+
+Reusable GitHub Actions workflows for PRISM D1 Velocity metric collection.
+
+## Workflows
+
+| Workflow | Trigger | Purpose |
+|---|---|---|
+| `prism-ai-metrics.yml` | PR merge to main | Calculates AI-to-merge ratio, token usage, lead time. Emits `prism.d1.pr` + `prism.d1.deploy` events |
+| `prism-eval-gate.yml` | PR open/update | Evaluates AI-generated code per-file with auto-selected rubrics, waits for Security Agent, blocks merge on failure |
+| `prism-agent-eval.yml` | PR modifying agent code | Runs agent in mock mode, evaluates output with agent-quality rubric |
+| `prism-dora-weekly.yml` | Weekly (Monday 09:00 UTC) | Calculates DORA + AI-DORA metrics, emits to EventBridge + CloudWatch |
+
+## Setup
+
+### 1. Configure AWS OIDC
+
+```bash
+bash prism-cli bootstrapper setup-github-oidc
+```
+
+This interactively creates:
+- OIDC identity provider for `token.actions.githubusercontent.com`
+- IAM role `GitHubActions-<repo>` with trust policy scoped to your repo
+- Inline policy with `events:PutEvents` and `bedrock:InvokeModel`
+
+For the weekly workflow, manually add `cloudwatch:PutMetricData` to the role policy.
+
+### 2. Set Repository Secret
+
+In GitHub: Settings → Secrets and variables → Actions → New repository secret:
+
+| Secret | Value |
+|---|---|
+| `PRISM_METRICS_ROLE_ARN` | ARN printed by `setup-github-oidc` |
+
+### 3. Install Git Hooks + Config
+
+```bash
+bash prism-cli bootstrapper install-git-hooks
+```
+
+Creates `.prism/config.json` with your team ID (read by all workflows).
+
+### 4. Install Eval Harness
+
+```bash
+# Workshop mode — bring your own rubric
+bash prism-cli bootstrapper install-eval-harness
+
+# Production mode — includes all 5 rubrics
+bash prism-cli bootstrapper install-eval-harness --with-rubrics
+```
+
+This copies `.prism/eval-harness/`, `eval-config.json`, rubrics, and the `prism-eval-gate.yml` workflow.
+
+### 5. Copy Remaining Workflows
+
+```bash
+mkdir -p .github/workflows
+cp bootstrapper/github-workflows/prism-ai-metrics.yml .github/workflows/
+cp bootstrapper/github-workflows/prism-dora-weekly.yml .github/workflows/
+# Optional — only if you have agents with --mock support:
+cp bootstrapper/github-workflows/prism-agent-eval.yml .github/workflows/
+```
+
+## IAM Permissions
+
+The OIDC role needs:
+
+| Permission | Used by |
+|---|---|
+| `events:PutEvents` | All workflows |
+| `bedrock:InvokeModel` | eval-gate, agent-eval |
+| `cloudwatch:PutMetricData` | dora-weekly |
+
+## Customization
+
+| Setting | How |
+|---|---|
+| Branch | Edit `branches` in each workflow |
+| AWS region | Edit `aws-region` field + EventBridge commands |
+| Eval threshold | Edit `.prism/.prism/eval-harness/eval-config.json` → `pass_threshold` |
+| Eval model | Edit `.prism/.prism/eval-harness/eval-config.json` → `eval_model_id` |
+| Weekly schedule | Edit cron in `prism-dora-weekly.yml` (default: `0 9 * * 1`) |
+
+## Events Emitted
+
+| Detail Type | Source Workflow | Destination |
+|---|---|---|
+| `prism.d1.pr` | ai-metrics | EventBridge |
+| `prism.d1.deploy` | ai-metrics | EventBridge |
+| `prism.d1.eval` | eval-gate | EventBridge |
+| `prism.d1.agent.eval` | agent-eval | EventBridge |
+| `prism.d1.assessment` | dora-weekly | EventBridge |
+| `prism.d1.security.code_review` | eval-gate (Security Agent) | EventBridge |
+| `AIAdoptionRate`, `SpecCoverage`, tool counts | dora-weekly | CloudWatch |
+
+All EventBridge events use source `prism.d1.velocity` and bus `prism-d1-metrics`.
+
+## Troubleshooting
+
+| Issue | Solution |
+|---|---|
+| OIDC auth fails | Verify trust policy `sub` matches `repo:org/repo:*` |
+| EventBridge put fails | Check `events:PutEvents` on bus ARN |
+| Eval gate always skips | Ensure commits have `AI-Origin:` trailers (install git hooks) |
+| Weekly not running | Workflow must exist on default branch; test with `workflow_dispatch` |
+| Agent eval skips | No `agent/main.py` found — add `--mock` support to your agent |
+| Security Agent timeout | Agent takes 2+ min to start; workflow waits up to 12 min total |

package/dist/assets/github-workflows/prism-agent-eval.yml

@@ -0,0 +1,313 @@
+# prism-agent-eval.yml -- Evaluate agent outputs on PRs that modify agent code.
+#
+# Copy this file to .github/workflows/prism-agent-eval.yml in your repo.
+#
+# Required setup:
+#   - OIDC provider configured for GitHub Actions in your AWS account
+#   - IAM role with bedrock:InvokeModel and events:PutEvents permissions
+#   - Repository secret PRISM_METRICS_ROLE_ARN set to the OIDC role ARN
+#   - .prism/config.json committed to the repo (created by: bash prism-cli bootstrapper install-git-hooks)
+#   - .prism/eval-harness/ installed (run: bash prism-cli bootstrapper install-eval-harness)
+#   - (Optional) Agent entry point supports --mock flag for dry-run execution
+
+name: PRISM Agent Eval
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main, master]
+    paths:
+      - 'agent/**'
+      - 'agents/**'
+      - 'mcp-servers/**'
+      - '**/agent*.py'
+      - '**/agent*.ts'
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  agent-eval:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        with:
+          role-to-assume: ${{ secrets.PRISM_METRICS_ROLE_ARN }}
+          aws-region: us-west-2
+
+      - name: Read team ID from .prism/config.json
+        id: prism-config
+        run: |
+          if [[ -f .prism/config.json ]]; then
+            TEAM_ID=$(jq -r '.team_id' .prism/config.json)
+          else
+            echo "::error::.prism/config.json not found. Run bootstrapper/metric-hooks/install.sh first."
+            exit 1
+          fi
+          echo "team_id=${TEAM_ID}" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -qq && sudo apt-get install -y -qq jq bc
+          pip install --quiet strands-agents strands-agents-tools requests
+
+      - name: Identify agent changes
+        id: detect-agent
+        run: |
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.sha }}"
+
+          # Find changed files in agent-related paths
+          AGENT_FILES=$(git diff --name-only "${BASE_SHA}..${HEAD_SHA}" \
+            | grep -E '(^agent/|^agents/|^mcp-servers/|agent.*\.(py|ts)$)' || true)
+
+          if [[ -z "${AGENT_FILES}" ]]; then
+            echo "No agent-related files changed."
+            echo "has_agent_changes=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "has_agent_changes=true" >> "$GITHUB_OUTPUT"
+          echo "${AGENT_FILES}" > /tmp/agent-changed-files.txt
+
+          FILE_COUNT=$(echo "${AGENT_FILES}" | wc -l | tr -d ' ')
+          echo "Found ${FILE_COUNT} changed agent files."
+          echo "file_count=${FILE_COUNT}" >> "$GITHUB_OUTPUT"
+
+      - name: Run agent in mock mode
+        id: agent-run
+        if: steps.detect-agent.outputs.has_agent_changes == 'true'
+        run: |
+          # Look for agent entry points and run them with --mock flag
+          # The --mock flag should make the agent execute its workflow
+          # without real side effects, using stubbed tool responses.
+
+          AGENT_ENTRY=""
+          for CANDIDATE in agent/main.py agents/main.py agent.py; do
+            if [[ -f "${CANDIDATE}" ]]; then
+              AGENT_ENTRY="${CANDIDATE}"
+              break
+            fi
+          done
+
+          if [[ -z "${AGENT_ENTRY}" ]]; then
+            echo "No agent entry point found. Skipping mock run."
+            echo "mock_ran=false" >> "$GITHUB_OUTPUT"
+            echo "{}" > /tmp/agent-output.json
+            exit 0
+          fi
+
+          echo "Running agent in mock mode: ${AGENT_ENTRY}"
+          echo "mock_ran=true" >> "$GITHUB_OUTPUT"
+
+          set +e
+          python "${AGENT_ENTRY}" --mock > /tmp/agent-output.json 2>/tmp/agent-stderr.log
+          EXIT_CODE=$?
+          set -e
+
+          if [[ "${EXIT_CODE}" -ne 0 ]]; then
+            echo "Agent mock run exited with code ${EXIT_CODE}"
+            echo "agent_exit_code=${EXIT_CODE}" >> "$GITHUB_OUTPUT"
+            # Still continue to evaluate whatever output was produced
+          else
+            echo "agent_exit_code=0" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Evaluate agent output
+        id: eval
+        if: steps.detect-agent.outputs.has_agent_changes == 'true'
+        run: |
+          set -o pipefail
+          chmod +x .prism/eval-harness/run-eval.sh
+
+          RUBRIC=".prism/eval-harness/rubrics/agent-quality.json"
+
+          # If agent produced output, evaluate it
+          if [[ -s /tmp/agent-output.json ]]; then
+            EVAL_TARGET="/tmp/agent-output.json"
+          else
+            # Fall back to evaluating the agent source code itself
+            EVAL_TARGET=$(head -1 /tmp/agent-changed-files.txt)
+          fi
+
+          echo "Evaluating: ${EVAL_TARGET} against ${RUBRIC}"
+
+          set +e
+          OUTPUT=$(./.prism/eval-harness/run-eval.sh "${RUBRIC}" "${EVAL_TARGET}" 2>&1)
+          EXIT_CODE=$?
+          set -e
+
+          SCORE=$(echo "${OUTPUT}" | grep '^Score:' | awk '{print $2}' || echo "0")
+          RESULT=$(echo "${OUTPUT}" | grep '^Result:' | awk '{print $2}' || echo "UNKNOWN")
+
+          echo "score=${SCORE}" >> "$GITHUB_OUTPUT"
+          echo "result=${RESULT}" >> "$GITHUB_OUTPUT"
+
+          # Extract per-criteria scores if available
+          TASK_COMPLETION=$(echo "${OUTPUT}" | grep 'task_completion' | awk '{print $NF}' || echo "N/A")
+          TOOL_EFFICIENCY=$(echo "${OUTPUT}" | grep 'tool_usage_efficiency' | awk '{print $NF}' || echo "N/A")
+          GUARDRAIL_COMPLIANCE=$(echo "${OUTPUT}" | grep 'guardrail_compliance' | awk '{print $NF}' || echo "N/A")
+          REASONING_QUALITY=$(echo "${OUTPUT}" | grep 'reasoning_trace_quality' | awk '{print $NF}' || echo "N/A")
+          ERROR_RECOVERY=$(echo "${OUTPUT}" | grep 'error_recovery' | awk '{print $NF}' || echo "N/A")
+
+          echo "task_completion=${TASK_COMPLETION}" >> "$GITHUB_OUTPUT"
+          echo "tool_efficiency=${TOOL_EFFICIENCY}" >> "$GITHUB_OUTPUT"
+          echo "guardrail_compliance=${GUARDRAIL_COMPLIANCE}" >> "$GITHUB_OUTPUT"
+          echo "reasoning_quality=${REASONING_QUALITY}" >> "$GITHUB_OUTPUT"
+          echo "error_recovery=${ERROR_RECOVERY}" >> "$GITHUB_OUTPUT"
+
+      - name: Post PR comment
+        if: steps.detect-agent.outputs.has_agent_changes == 'true'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const score = '${{ steps.eval.outputs.score }}';
+            const result = '${{ steps.eval.outputs.result }}';
+            const mockRan = '${{ steps.agent-run.outputs.mock_ran }}';
+            const agentExit = '${{ steps.agent-run.outputs.agent_exit_code }}';
+            const fileCount = '${{ steps.detect-agent.outputs.file_count }}';
+            const emoji = result === 'PASS' ? ':white_check_mark:' : ':x:';
+
+            const taskCompletion = '${{ steps.eval.outputs.task_completion }}';
+            const toolEfficiency = '${{ steps.eval.outputs.tool_efficiency }}';
+            const guardrailCompliance = '${{ steps.eval.outputs.guardrail_compliance }}';
+            const reasoningQuality = '${{ steps.eval.outputs.reasoning_quality }}';
+            const errorRecovery = '${{ steps.eval.outputs.error_recovery }}';
+
+            const mockStatus = mockRan === 'true'
+              ? (agentExit === '0' ? ':white_check_mark: Mock run succeeded' : `:warning: Mock run exited with code ${agentExit}`)
+              : ':information_source: No agent entry point found — evaluated source code only';
+
+            const body = `## ${emoji} PRISM Agent Eval — ${result}
+
+            **Overall Score**: ${score} | **Agent Files Changed**: ${fileCount}
+
+            ${mockStatus}
+
+            ### Criteria Breakdown
+
+            | Criteria | Score | Weight |
+            |---|---|---|
+            | Task Completion | ${taskCompletion} | 0.30 |
+            | Tool Usage Efficiency | ${toolEfficiency} | 0.20 |
+            | Guardrail Compliance | ${guardrailCompliance} | 0.20 |
+            | Reasoning Trace Quality | ${reasoningQuality} | 0.15 |
+            | Error Recovery | ${errorRecovery} | 0.15 |
+
+            > Threshold: 0.82 | Rubric: agent-quality.json | Evaluated by Amazon Bedrock
+            > [PRISM D1 Velocity](${{ github.server_url }}/${{ github.repository }})`;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+
+            const existingComment = comments.find(c => c.body.includes('PRISM Agent Eval'));
+
+            if (existingComment) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existingComment.id,
+                body: body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: body,
+              });
+            }
+
+      - name: Post skip comment
+        if: steps.detect-agent.outputs.has_agent_changes != 'true'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+            const existing = comments.find(c => c.body.includes('PRISM Agent Eval'));
+            if (!existing) {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: ':white_check_mark: **PRISM Agent Eval** — No agent code changes detected. Evaluation skipped.',
+              });
+            }
+
+      - name: Emit prism.d1.agent.eval event
+        if: steps.detect-agent.outputs.has_agent_changes == 'true'
+        env:
+          SCORE: ${{ steps.eval.outputs.score }}
+        run: |
+          TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+          EVAL_EVENT=$(jq -n \
+            --arg team_id "${{ steps.prism-config.outputs.team_id }}" \
+            --arg repo "${{ github.repository }}" \
+            --arg timestamp "${TIMESTAMP}" \
+            --argjson score "${SCORE:-0}" \
+            --arg result "${{ steps.eval.outputs.result }}" \
+            --argjson file_count "${{ steps.detect-agent.outputs.file_count }}" \
+            --arg pr_number "${{ github.event.pull_request.number }}" \
+            --arg mock_ran "${{ steps.agent-run.outputs.mock_ran }}" \
+            '{
+              "team_id": $team_id,
+              "repo": $repo,
+              "timestamp": $timestamp,
+              "prism_level": 3,
+              "metric": {
+                "name": "agent_eval_score",
+                "value": $score,
+                "unit": "score"
+              },
+              "ai_context": {
+                "tool": "bedrock-eval",
+                "model": "anthropic.claude-sonnet-4-20250514",
+                "origin": "ai-generated"
+              },
+              "ai_dora": {
+                "eval_gate_pass_rate": (if $result == "PASS" then 1.0 else 0.0 end)
+              },
+              "agent_eval": {
+                "file_count": $file_count,
+                "result": $result,
+                "mock_ran": ($mock_ran == "true"),
+                "pr_number": ($pr_number | tonumber),
+                "rubric": "agent-quality"
+              }
+            }')
+
+          aws events put-events \
+            --region us-west-2 \
+            --entries "[{
+              \"Source\": \"prism.d1.velocity\",
+              \"DetailType\": \"prism.d1.agent.eval\",
+              \"EventBusName\": \"prism-d1-metrics\",
+              \"Detail\": $(echo "${EVAL_EVENT}" | jq -c '.' | jq -Rs '.')
+            }]"
+
+      - name: Fail if eval gate failed
+        if: steps.eval.outputs.result == 'FAIL'
+        run: |
+          echo "Agent eval gate FAILED. Agent output scored below threshold."
+          exit 1