@simplium/hive 4.0.0

Files changed (43) hide show
  1. package/CHANGELOG.md +225 -0
  2. package/LICENSE +190 -0
  3. package/README.md +148 -0
  4. package/bin/hive-init.mjs +82 -0
  5. package/dist/claude/agents/ai-ml-engineer.md +3252 -0
  6. package/dist/claude/agents/api-designer.md +2425 -0
  7. package/dist/claude/agents/architecture-planner.md +3275 -0
  8. package/dist/claude/agents/backend-developer.md +1498 -0
  9. package/dist/claude/agents/billing-payments.md +2057 -0
  10. package/dist/claude/agents/competitive-intelligence.md +2695 -0
  11. package/dist/claude/agents/cost-optimization.md +1340 -0
  12. package/dist/claude/agents/customer-success.md +3382 -0
  13. package/dist/claude/agents/data-analyst.md +1764 -0
  14. package/dist/claude/agents/database-engineer.md +1758 -0
  15. package/dist/claude/agents/frontend-developer.md +3427 -0
  16. package/dist/claude/agents/incident-response.md +1777 -0
  17. package/dist/claude/agents/legal-compliance.md +2974 -0
  18. package/dist/claude/agents/orchestrator.md +1839 -0
  19. package/dist/claude/agents/product-manager.md +1247 -0
  20. package/dist/claude/agents/security-auditor.md +333 -0
  21. package/dist/claude/agents/test-engineer.md +1607 -0
  22. package/dist/claude/agents/ux-research.md +2563 -0
  23. package/dist/claude/hooks/hive-log.mjs +108 -0
  24. package/dist/claude/skills/accessibility.md +2973 -0
  25. package/dist/claude/skills/analytics-implementation.md +2810 -0
  26. package/dist/claude/skills/brand-design-system.md +1791 -0
  27. package/dist/claude/skills/cloud-infrastructure.md +1743 -0
  28. package/dist/claude/skills/devops-engineer.md +956 -0
  29. package/dist/claude/skills/documentation-writer.md +3243 -0
  30. package/dist/claude/skills/email-deliverability.md +2875 -0
  31. package/dist/claude/skills/growth-analytics.md +3187 -0
  32. package/dist/claude/skills/landing-page-cro.md +1844 -0
  33. package/dist/claude/skills/marketing-communications.md +2552 -0
  34. package/dist/claude/skills/mobile-development.md +1947 -0
  35. package/dist/claude/skills/observability.md +1550 -0
  36. package/dist/claude/skills/release-manager.md +1467 -0
  37. package/dist/claude/skills/search.md +1961 -0
  38. package/dist/claude/skills/seo-aeo-geo.md +878 -0
  39. package/dist/claude/skills/translator-i18n.md +1630 -0
  40. package/dist/claude/skills/voice-ai.md +554 -0
  41. package/dist/claude/skills/web-performance.md +1088 -0
  42. package/hooks/hive-log.mjs +108 -0
  43. package/package.json +77 -0
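--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -0,0 +1,225 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [Unreleased]
+
+Remaining work: npm publish (`@simplium/hive` — org verification + `npm publish`, package is pack-tested); OpenCode adapter (Q4 access pending); GDPR/DPA with Anthropic (R7, external action); Phase 3 public docs.
+
+---
+
+## [4.0.0] - 2026-07-02
+
+HIVE becomes a **pure agent governance layer**: the Layer 2 runtime is gone, traceability is automatic, the capability pack is distributable via npm, and definitions are empirically evaluable. All claims verified by command.
+
+### BREAKING — Removed
+- **Layer 2 NestJS runtime removed** (`apps/hive-runtime`, `packages/hive-core`, Turborepo). Preserved intact in the [`legacy/layer2-runtime`](https://github.com/marcablanca/hive-framework/tree/legacy/layer2-runtime) branch. The `hive` CLI (`run`/`stats`/`learn`) no longer exists; per ADR-000 the host runtime executes agents
+- With it goes its entire dependency surface: **`npm audit` now reports 0 vulnerabilities** (was 8 moderate, all in the NestJS/express chain)
+
+### Added
+- **Automatic traceability hook** (`hooks/hive-log.mjs`) — zero-dep PostToolUse hook: every HIVE agent invoked via the Task tool is logged to `HIVE-LOG.md` (ISO 42001 A.9) and `.claude/hive-events.jsonl` (machine-readable stream for external observability, e.g. Argos). Replaces the honor-system self-logging footer; never blocks tool flow; ignores non-HIVE subagents. Installed by `init-project` in consumers and dogfooded in this repo
+- **npm package** — `@simplium/hive` with `npx hive-init <dir>` zero-dep installer; `prepack` renders the consumer payload into `dist/claude` (aborts unless 18+18). Pack-tested end to end (tarball → install → bin). `private: true` kept as publish guard until the npm org is verified
+- **Layer 1 evals** (`npm run eval`) — 5 golden tasks against the live API using the real adapter body + assigned model per agent; structural checks, cost from API usage fields, `HIVE_EVAL_BUDGET_USD` cap, stale model IDs surface as findings; honest SKIP without `ANTHROPIC_API_KEY`
+- **`scripts/lib/adapter-render.ts`** — single source of truth for permission translation and adapter rendering (was duplicated across both generators)
+- **Typecheck gate** (`npm run typecheck`) in CI, replacing the removed build step
+- 7 new tests (6 hook + 1 eval skip-path); suite total 15, now 100% aimed at the live surface
+
+### Changed
+- README rewritten around the **agent governance layer / capability pack** positioning (explicitly not an AgentOS)
+- `@hive/core` types/schemas inlined into `scripts/lib/` (runtime-only types dropped)
+- CI actions bumped to v5 (Node 24 runners); repo is flat — no workspaces, no turbo
+- `.env.example` reduced to eval configuration
+- `audit_prompt.md` moved to `docs/auditorias/`
+
+---
+
+## [3.2.0] - 2026-07-02
+
+Post-audit remediation (forensic audit 2026-07-02 verified the declared state as reliable; this release closes the P2/P3/P4 findings). All claims verified by command.
+
+### Added
+- **Root test suite for Layer 1 generator/ops scripts** (`scripts/scripts.spec.ts`, 8 tests): validate, reindex determinism, adapter contract (18+18 files, `human_approval` ⇒ `disallowedTools: Bash`, version stamp), init-project install + dry-run, log-session append/reject, cost-report. Closes the coverage gap where all 161 tests lived in the ADR-000-superseded runtime layer. Total suite: 169
+- **`log-session --file <path>`** — target log override (testability; default unchanged)
+- **CI gate: generated files in sync** — `reindex` + `adapters` + `git diff --exit-code` fails the build if `AGENT_INDEX.yaml` or `.claude/` adapters drift from sources
+
+### Changed
+- **Package manager: pnpm → npm** per the ecosystem mandate (npm in all environments): npm workspaces replace `pnpm-workspace.yaml`, `package-lock.json` tracked (3.0.3 lockfile lesson applied), CI runs `npm ci` and npm-form gates, live docs / agent sources / Golden Path B / generated adapters use npm command forms (`npm run X -- <args>`). Historical audit records under `audit/` kept verbatim
+- **`reindex` is deterministic** — keeps the existing `AGENT_INDEX.yaml` untouched when only generation dates would change (no more date churn)
+- **Quickstart restructured** — Layer 1 `init-project` is the primary path; the Layer 2 runtime is explicitly marked as reference (ADR-000) and its live-API/DB end-to-end flow declared out of release verification
+- `--max-warnings 0` enforced inside each workspace `lint` script (was a fragile CI passthrough arg)
+- `hive.config.ts` monorepo root detection now keys on `turbo.json` (was `pnpm-workspace.yaml`, removed in this release)
+
+### Fixed
+- README version badge said 3.0.3 while package.json was 3.1.0
+- Last live v2 model reference (`GEMINI` in documentation-writer footer) removed; agent history table kept as record
+- RISK-REGISTER R6 stamp wording made version-agnostic (was frozen at v3.0.3)
+
+---
+
+## [3.1.0] - 2026-06-22
+
+Post-audit implementation. All claims in this entry are verified; no aspirational items. Tests: 161/161.
+
+### Added
+- **Claude Code Layer 1 discovery** — `.claude/agents/` (18 agents) and `.claude/skills/` (18 skills) generated from HIVE source definitions; agents carry native `disallowedTools` translated from the HIVE abstract permission model
+- **`pnpm adapters`** (`scripts/generate-adapters.ts`) — regenerates Claude Code adapters for this repo; idempotent; includes HIVE version stamp per file
+- **`pnpm init-project <dir>`** (`scripts/init-project.ts`) — installs Layer 1 adapters in any consumer project without forking; run again after `git pull` to update
+- **`pnpm log-session`** (`scripts/log-session.ts`) — appends an agent invocation row to `HIVE-LOG.md`; covers ISO 42001 A.9 traceability for Layer 1 usage
+- **`pnpm cost-report`** (`scripts/cost-report.ts`) — reads `HIVE-LOG.md`, infers model from adapters, calculates estimated cost (75%/25% in/out ratio) per agent; alerts when average session cost exceeds `max_cost_per_task`
+- **`HIVE-LOG.md`** — append-only session log tracked in git; `git log` of the file is the audit trail
+- **ESLint flat config** (`eslint.config.mjs`) — `typescript-eslint` + `eslint-config-prettier`; 0 errors, 0 warnings; `pnpm lint` now executes (was phantom since 3.0.0)
+- **CI: lint gate** — `pnpm lint -- --max-warnings 0` added before build
+- **CI: security audit gate** — `pnpm audit --audit-level=high` (0 current high vulns; gate catches regressions)
+- **Prompt injection guard** — `[Security — Prompt Injection Guard]` block inserted into all 36 agent/skill definitions (LLM01/OWASP)
+
+### Fixed
+- **Pricing** (`hive.config.ts`): opus input 15→5, output 75→25; haiku input 0.25→1, output 1.25→5 — all prior cost trail in USD was wrong
+- **JIT savings** (README): "~85%" corrected to "over 90% (measured: 93–98%, see `scripts/measure-jit.ts`)"
+- **Test count** (README, docs): 153→161 (was wrong since 3.0.0)
+- **Human approval enforcement**: `human_approval: true` now maps to `disallowedTools: [Bash]` in Claude Code adapters; 7 blocking agents cannot execute shell commands without the host session surfacing them for approval — replaces the phantom gate that was never implemented in the harness
+- Removed `REDIS_URL` from `.env.example` (Redis never used in runtime)
+- Removed unused `fileURLToPath` import (`hive.config.ts`) and `loadAgent` import (`agent-loader.service.ts`)
+- Gemini v2 fields (`fallback_to_gemini_when`, `gemini-3-pro` entries) removed from 7 definition bodies — HIVE v3 is Anthropic-only
+- `claude-3-5-sonnet-20241022` → `claude-sonnet-4-6` in ai-ml-engineer code examples
+- Antigravity runtime commands labeled `[Runtime: Antigravity — v2 legacy]` in web-performance, seo-aeo-geo, documentation-writer skills
+
+### Changed
+- **vitest** 2.1.0 → 3.2.6 (eliminates critical vulnerability; 161/161 tests pass on v3)
+- **@nestjs/config** 3.x → 4.x (drops lodash dependency, eliminates high vulnerability)
+- **pnpm overrides**: `multer ≥2.1.1`, `form-data ≥4.0.6`, `vite ≥6.4.2` — force patched versions of transitive deps not directly upgradable
+- **ADR-000** status: direction decided (A2) and implemented for Claude Code; OpenCode pending
+- **IMPLEMENTATION-PLAN**: D1.2 BullMQ/Redis, D1.6 WebSocket, D3.1-D3.4 MCP marked with honest status (not shipped / partial)
+- **`[Unreleased]`**: Phase 2 scope superseded by ADR-000 A2 decision
+
+### Security
+- Vulnerabilities: 17 (1 critical dev-only, 4 high) → 10 (0 critical, 0 high) via dep updates and pnpm overrides
+- Prompt injection: 0/36 → 36/36 definitions with explicit injection guard
+
+---
+
+## [3.0.3] - 2026-04-21
+
+### Fixed
+- CI was failing because `pnpm-lock.yaml` was excluded by `.gitignore`; lockfile now tracked so `pnpm install --frozen-lockfile` resolves on the runner
+- Prisma client was never generated during build, breaking typecheck for `PrismaService`; `build` script now runs `prisma generate && tsc`, and a `postinstall` hook keeps local dev in sync
+- `learn.command.ts` typed `entries` parameters with `ReturnType<ErrorCaptureService["parseJournal"]>`, but `parseJournal` is async; wrapped with `Awaited<...>` to unwrap the Promise
+
+### Added
+- `db:migrate` and `db:generate` scripts in `@hive/runtime` for local Prisma workflows
+
+---
+
+## [3.0.2] - 2026-04-20
+
+### Added
+- `README.md` rewritten in English: reflects the v3 runtime, CLI, validation pipeline, MCP bridge; removes stale v2.x content
+- `CHANGELOG.md` (this file) following Keep a Changelog + SemVer
+- `package.json` metadata: `description`, `license`, `author`, `repository`, `homepage`, `bugs`, `keywords`, `engines`
+
+---
+
+## [3.0.1] - 2026-04-05
+
+### Fixed
+- Corrected Anthropic model IDs used by the executor
+- Made ErrorCapture I/O async to avoid blocking the event loop
+- Downgraded missing-MCP warning to nominal severity when a server is optional
+
+---
+
+## [3.0.0] - 2026-04-05
+
+Phase 0 + Phase 1 complete. Full rewrite introducing the NestJS runtime, Turborepo monorepo, and the v3 agent/skill format.
+
+### Added
+- **v3 agent/skill format** — YAML frontmatter + Markdown body; all 36 entries live in per-directory `AGENT.md` / `SKILL.md` files
+- **36 agents/skills migrated** — all entries from v2.x converted to v3 format with required frontmatter fields (`type`, `tier`, `known_failure_modes`, `stacks`, `mcp_required`)
+- **Turborepo monorepo** — `hive-framework` root with `apps/hive-runtime` and `packages/hive-core` workspaces; managed with pnpm
+- **`hive-core` package** — shared types, validation schemas, and utilities
+- **`hive-runtime` NestJS application** — bootstraps as both HTTP gateway and CLI context; no global HTTP server needed for CLI use
+- **Agent loader** — reads `AGENT_INDEX.yaml` at runtime for JIT agent resolution
+- **Agent selector** — keyword + tier + stack matching to pick the best agent for a task
+- **Executor** — calls Claude API with the resolved agent prompt and task description
+- **Prisma + PostgreSQL persistence** — task records, token usage, cost, and event log stored via Prisma ORM
+- **Task queue + TaskRouter** — priority-aware routing with dependency resolution
+- **MCP bridge with fallback** — health-check nominal; no active MCP connections in this release *(corrected 3.1.0)*
+- **Validation pipeline** — four stages: structural validation → evidence checking → confidence scoring → escalation routing
+- **Confidence scoring** — per-output score; low-confidence results escalate or request human approval
+- **Human approval gate** — `human_approval` field validated by schema; runtime enforcement was not implemented in this release *(corrected 3.1.0: enforcement added via `disallowedTools` in Claude Code adapters)*
+- **Event system** — typed event bus for task lifecycle events
+- **Cost tracking** — per-task token count and estimated cost persisted and queryable; pricing had errors corrected in 3.1.0
+- **Structured logging** — Pino installed; used in one code path in this release *(corrected 3.1.0)*
+- **CLI (`hive run` / `hive stats` / `hive learn`)** — thin CLI wrapper over the NestJS app context
+- **Gateway API** — REST endpoints (3 endpoints); WebSocket not implemented in this release *(corrected 3.1.0)*
+- **Evals + golden tests** — regression suite covering golden-path scenarios for both stacks
+- **CI workflow** — GitHub Actions pipeline running build and test; lint gate was not functional in this release *(corrected 3.1.0)*
+- **Error capture hook** — structured error recording with full task context
+- **`hive learn` command** — processes recent outcomes to update confidence baselines
+- **161 tests** — unit and integration tests (Vitest) *(was documented as 153; actual count verified 3.1.0)*
+- **Apache 2.0 license**
+
+### Changed
+- `AGENT_INDEX.yaml` is now auto-generated by `pnpm reindex` from frontmatter; do not edit manually
+- Replaced flat agent directory with tiered structure (`00-orchestrator` through `07-support`)
+- Modularized large agents exceeding the 25K token limit; extracted reference material to per-agent `references/` directories (45 module files relocated)
+
+---
+
+## [2.3.0] - 2026-01-XX
+
+### Added
+- Golden Paths for Stack A (Laravel) and Stack B (Next.js) with clear directory architecture
+- MCP documentation: global vs project-level MCP configuration
+- Improved `CLAUDE.md` templates with explicit stack declarations
+
+### Changed
+- Security rules updated to define production boundaries more precisely
+- MCPs categorized and documented in `docs/protocols/mcp-registry.md`
+
+---
+
+## [2.2.0] - 2026-01-XX
+
+### Added
+- PRP (Product Requirements Prompt) system integrated into the Orchestrator
+- `PRPValidator` — validates PRP completeness before task decomposition
+- `PRPToTasksConverter` — converts a PRP into routable sub-tasks
+- Full PRP template with annotated example
+
+---
+
+## [2.1.0] - 2026-01-XX
+
+### Added
+- **JIT Mapping** — `AGENT_INDEX.yaml` for agent discovery; only the selected agent's definition is loaded per task (~85% token context reduction)
+- `pnpm reindex` script to regenerate the index from agent frontmatter
+
+---
+
+## [2.0.0] - 2026-01-XX
+
+### Added
+- 36th agent: `brand-design-system`
+- Multi-model assignment per agent: Opus for blocking tiers, Sonnet for critical, Gemini for content/support
+- Tier system with three levels: Blocking / Critical / Support
+- `human_approval: true` flag on 7 critical agents
+- `upgrade_to_opus_when` field for Sonnet agents that may need escalation
+- `known_failure_modes` field required for Tier 0 and Tier 1 agents
+
+### Changed
+- All agent definitions updated with tier, model, and escalation metadata
+
+---
+
+## [1.0.0] - 2026-01-XX
+
+### Added
+- Initial release: 35 specialized agents covering orchestration, development, quality, infrastructure, intelligence, growth, and support
+- Central Orchestrator agent with task routing logic
+- Anti-fabrication system: `[AF-v2]` footer requirement and evidence checks
+- Initial `CLAUDE.md` with framework conventions
+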
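+--- a/package/LICENSE
++++ b/package/LICENSE
+@@ -0,0 +1,190 @@
++Apache License
++Version 2.0, January 2004
++http://www.apache.org/licenses/
++
++TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
++
++1. Definitions.
++
++"License" shall mean the terms and conditions for use, reproduction,
++and distribution as defined by Sections 1 through 9 of this document.
++
++"Licensor" shall mean the copyright owner or entity authorized by
++the copyright owner that is granting the License.
++
++"Legal Entity" shall mean the union of the acting entity and all
++other entities that control, are controlled by, or are under common
++control with that entity. For the purposes of this definition,
++"control" means (i) the power, direct or indirect, to cause the
++direction or management of such entity, whether by contract or
++otherwise, or (ii) ownership of fifty percent (50%) or more of the
++outstanding shares, or (iii) beneficial ownership of such entity.
++
++"You" (or "Your") shall mean an individual or Legal Entity
++exercising permissions granted by this License.
++
++"Source" form shall mean the preferred form for making modifications,
++including but not limited to software source code, documentation
++source, and configuration files.
++
++"Object" form shall mean any form resulting from mechanical
++transformation or translation of a Source form, including but
++not limited to compiled object code, generated documentation,
++and conversions to other media types.
++
++"Work" shall mean the work of authorship, whether in Source or
++Object form, made available under the License, as indicated by a
++copyright notice that is included in or attached to the work
++(an example is provided in the Appendix below).
++
++"Derivative Works" shall mean any work, whether in Source or Object
++form, that is based on (or derived from) the Work and for which the
++editorial revisions, annotations, elaborations, or other modifications
++represent, as a whole, an original work of authorship. For the purposes
++of this License, Derivative Works shall not include works that remain
++separable from, or merely link (or bind by name) to the interfaces of,
++the Work and Derivative Works thereof.
++
++"Contribution" shall mean any work of authorship, including
++the original version of the Work and any modifications or additions
++to that Work or Derivative Works thereof, that is intentionally
++submitted to the Licensor for inclusion in the Work by the copyright owner
++or by an individual or Legal Entity authorized to submit on behalf of
++the copyright owner. For the purposes of this definition, "submitted"
++means any form of electronic, verbal, or written communication sent
++to the Licensor or its representatives, including but not limited to
++communication on electronic mailing lists, source code control systems,
++and issue tracking systems that are managed by, or on behalf of, the
++Licensor for the purpose of discussing and improving the Work, but
++excluding communication that is conspicuously marked or otherwise
++designated in writing by the copyright owner as "Not a Contribution."
++
++"Contributor" shall mean Licensor and any individual or Legal Entity
++on behalf of whom a Contribution has been received by the Licensor and
++subsequently incorporated within the Work.
++
++2. Grant of Copyright License. Subject to the terms and conditions of
++this License, each Contributor hereby grants to You a perpetual,
++worldwide, non-exclusive, no-charge, royalty-free, irrevocable
++copyright license to reproduce, prepare Derivative Works of,
++publicly display, publicly perform, sublicense, and distribute the
++Work and such Derivative Works in Source or Object form.
++
++3. Grant of Patent License. Subject to the terms and conditions of
++this License, each Contributor hereby grants to You a perpetual,
++worldwide, non-exclusive, no-charge, royalty-free, irrevocable
++(except as stated in this section) patent license to make, have made,
++use, offer to sell, sell, import, and otherwise transfer the Work,
++where such license applies only to those patent claims licensable
++by such Contributor that are necessarily infringed by their
++Contribution(s) alone or by combination of their Contribution(s)
++with the Work to which such Contribution(s) was submitted. If You
++institute patent litigation against any entity (including a
++cross-claim or counterclaim in a lawsuit) alleging that the Work
++or a Contribution incorporated within the Work constitutes direct
++or contributory patent infringement, then any patent licenses
++granted to You under this License for that Work shall terminate
++as of the date such litigation is filed.
++
++4. Redistribution. You may reproduce and distribute copies of the
++Work or Derivative Works thereof in any medium, with or without
++modifications, and in Source or Object form, provided that You
++meet the following conditions:
++
++(a) You must give any other recipients of the Work or
++Derivative Works a copy of this License; and
++
++(b) You must cause any modified files to carry prominent notices
++stating that You changed the files; and
++
++(c) You must retain, in the Source form of any Derivative Works
++that You distribute, all copyright, patent, trademark, and
++attribution notices from the Source form of the Work,
++excluding those notices that do not pertain to any part of
++the Derivative Works; and
++
++(d) If the Work includes a "NOTICE" text file as part of its
++distribution, then any Derivative Works that You distribute must
++include a readable copy of the attribution notices contained
++within such NOTICE file, excluding any notices that do not
++pertain to any part of the Derivative Works, in at least one
++of the following places: within a NOTICE text file distributed
++as part of the Derivative Works; within the Source form or
++documentation, if provided along with the Derivative Works; or,
++within a display generated by the Derivative Works, if and
++wherever such third-party notices normally appear. The contents
++of the NOTICE file are for informational purposes only and
++do not modify the License. You may add Your own attribution
++notices within Derivative Works that You distribute, alongside
++or as an addendum to the NOTICE text from the Work, provided
++that such additional attribution notices cannot be construed
++as modifying the License.
++
++You may add Your own copyright statement to Your modifications and
++may provide additional or different license terms and conditions
++for use, reproduction, or distribution of Your modifications, or
++for any such Derivative Works as a whole, provided Your use,
++reproduction, and distribution of the Work otherwise complies with
++the conditions stated in this License.
++
++5. Submission of Contributions. Unless You explicitly state otherwise,
++any Contribution intentionally submitted for inclusion in the Work
++by You to the Licensor shall be under the terms and conditions of
++this License, without any additional terms or conditions.
++Notwithstanding the above, nothing herein shall supersede or modify
++the terms of any separate license agreement you may have executed
++with Licensor regarding such Contributions.
++
++6. Trademarks. This License does not grant permission to use the trade
++names, trademarks, service marks, or product names of the Licensor,
++except as required for reasonable and customary use in describing the
++origin of the Work and reproducing the content of the NOTICE file.
++
++7. Disclaimer of Warranty. Unless required by applicable law or
++agreed to in writing, Licensor provides the Work (and each
++Contributor provides its Contributions) on an "AS IS" BASIS,
++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++implied, including, without limitation, any warranties or conditions
++of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
++PARTICULAR PURPOSE. You are solely responsible for determining the
++appropriateness of using or redistributing the Work and assume any
++risks associated with Your exercise of permissions under this License.
++
++8. Limitation of Liability. In no event and under no legal theory,
++whether in tort (including negligence), contract, or otherwise,
++unless required by applicable law (such as deliberate and grossly
++negligent acts) or agreed to in writing, shall any Contributor be
++liable to You for damages, including any direct, indirect, special,
++incidental, or consequential damages of any character arising as a
++result of this License or out of the use or inability to use the
++Work (including but not limited to damages for loss of goodwill,
++work stoppage, computer failure or malfunction, or any and all
++other commercial damages or losses), even if such Contributor
++has been advised of the possibility of such damages.
++
++9. Accepting Warranty or Additional Liability. While redistributing
++the Work or Derivative Works thereof, You may choose to offer,
++and charge a fee for, acceptance of support, warranty, indemnity,
++or other liability obligations and/or rights consistent with this
++License. However, in accepting such obligations, You may act only
++on Your own behalf and on Your sole responsibility, not on behalf
++of any other Contributor, and only if You agree to indemnify,
++defend, and hold each Contributor harmless for any liability
++incurred by, or claims asserted against, such Contributor by reason
++of your accepting any such warranty or additional liability.
++
++END OF TERMS AND CONDITIONS
++
++Copyright 2024-2026 Jose de Vivar / Simplium
++
++Licensed under the Apache License, Version 2.0 (the "License");
++you may not use this file except in compliance with the License.
++You may obtain a copy of the License at
++
++http://www.apache.org/licenses/LICENSE-2.0
++
++Unless required by applicable law or agreed to in writing, software
++distributed under the License is distributed on an "AS IS" BASIS,
++WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++See the License for the specific language governing permissions and
++limitations under the License.
+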
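--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,148 @@
+ # HIVE Framework
+
+ **Agent governance layer — 36 curated agent & skill definitions with a portable permission model, traceability, and evidence-based discipline. Installs into any Claude Code project.**
+
+ [![CI](https://github.com/marcablanca/hive-framework/actions/workflows/ci.yml/badge.svg)](https://github.com/marcablanca/hive-framework/actions/workflows/ci.yml)
+ [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)
+ [![Version](https://img.shields.io/badge/version-4.0.0-brightgreen.svg)](CHANGELOG.md)
+ [![Node](https://img.shields.io/badge/node-%3E%3D22-green.svg)](package.json)
+ [![npm](https://img.shields.io/badge/npm-11-CB3837.svg)](package.json)
+
+ ---
+
+ ## What is HIVE
+
+ HIVE is an **agent governance layer**, not an AgentOS: the operating system is provided by the host runtime (Claude Code today; others via adapter generators). HIVE supplies the workforce and the policy — a **capability pack** of 36 definitions (18 agents + 18 skills) covering the full software development lifecycle, each with:
+
+ - an **abstract permission model** (`file_system` / `network` / `database` / `human_approval`) translated to each runtime's native enforcement (Claude Code: `disallowedTools`)
+ - **tiers and `known_failure_modes`** — criticality-aware routing metadata
+ - **anti-fabrication discipline** — evidence requirements and prompt-injection guards baked into every definition
+ - **traceability** — automatic invocation logging to `HIVE-LOG.md` (ISO 42001 A.9) plus a JSONL event stream for external observability
+
+ Definitions target two stacks: **Stack A** (PHP 8.3 / Laravel / MySQL / Plesk) and **Stack B** (Next.js 15 / NestJS / Prisma / PostgreSQL).
+
+ > The former Layer 2 NestJS runtime was retired per [ADR-000](audit/ADR-000-rearchitecture-options.md) and removed in v4. It is preserved in the [`legacy/layer2-runtime`](https://github.com/marcablanca/hive-framework/tree/legacy/layer2-runtime) branch.
+
+ ---
+
+ ## Quickstart
+
+ ```bash
+ git clone https://github.com/marcablanca/hive-framework.git
+ cd hive-framework
+ npm install
+ npm run init-project -- /path/to/your-project
+ ```
+
+ This installs 18 agents + 18 skills into the target project's `.claude/` (with native permission translation and version stamps) plus the auto-logging hook. Open the project in Claude Code — everything is discovered natively. Re-run after pulling a new HIVE version to update.
+
+ ---
+
+ ## Architecture
+
+ ```
+ 0*-*/AGENT.md · SKILL.md 36 source definitions (frontmatter + body)
+
+ ├── npm run validate schema gate (Zod) — 0 errors required
+ ├── npm run reindex AGENT_INDEX.yaml (JIT index, deterministic)
+
+ ├── npm run adapters .claude/agents + .claude/skills (this repo)
+ └── npm run init-project same, into any consumer project
+
+
+ Host runtime (Claude Code)
+ native discovery · disallowedTools enforcement · hooks
+
+ ├── HIVE-LOG.md automatic invocation log (ISO 42001 A.9)
+ └── hive-events.jsonl event stream for external observability
+ ```
+
+ ### Tier System
+
+ Agents and skills are organized into 8 tiers (00–07), from highest criticality to support roles:
+
+ | Tier | Name | Description |
+ |------|------|-------------|
+ | 00 | Orchestrator | Central coordinator; routes and manages all tasks |
+ | 01 | Foundation | Architecture, product, legal/compliance, brand |
+ | 02 | Core Development | Backend, frontend, API, database |
+ | 03 | Quality & Security | Testing, security auditing, performance, accessibility |
+ | 04 | Infrastructure | DevOps, cloud, billing, incident response, search |
+ | 05 | Intelligence | AI/ML, data analysis, analytics, observability, voice |
+ | 06 | Growth | SEO, marketing, CRO, email, mobile |
+ | 07 | Support | Docs, releases, i18n, UX research, competitive intel |
+
+ 7 agents in blocking tiers carry `human_approval: true`, translated to `disallowedTools: [Bash]` in Claude Code so shell actions surface through the host approval flow.
+
+ ---
+
+ ## Agents & Skills Catalog
+
+ 36 total = 18 agents + 18 skills. Sourced from `AGENT_INDEX.yaml`.
+
+ | Tier | Focus | Agents | Skills |
+ |------|-------|--------|--------|
+ | 00 — Orchestrator | Task routing, coordination | orchestrator | — |
+ | 01 — Foundation | Architecture, product, legal | architecture-planner, legal-compliance, product-manager | brand-design-system |
+ | 02 — Core Development | Backend, frontend, API, DB | backend-developer, frontend-developer, api-designer, database-engineer | — |
+ | 03 — Quality & Security | Tests, security, perf, a11y | test-engineer, security-auditor | web-performance, accessibility |
+ | 04 — Infrastructure | DevOps, cloud, billing, search | billing-payments, incident-response | cloud-infrastructure, devops-engineer, search |
+ | 05 — Intelligence | AI/ML, data, analytics, voice | ai-ml-engineer, data-analyst | analytics-implementation, observability, voice-ai |
+ | 06 — Growth | SEO, marketing, CRO, email, mobile | — | email-deliverability, growth-analytics, landing-page-cro, marketing-communications, mobile-development, seo-aeo-geo |
+ | 07 — Support | Docs, releases, i18n, UX, research | competitive-intelligence, cost-optimization, customer-success, ux-research | documentation-writer, release-manager, translator-i18n |
+
+ Model distribution: 7 opus / 28 sonnet / 1 haiku. JIT index reduces per-task context by 93–98% vs loading all definitions (`npx tsx scripts/measure-jit.ts`).
+
+ ---
+
+ ## Scripts Reference
+
+ | Command | Description |
+ |---------|-------------|
+ | `npm run init-project -- <dir>` | Install/update Layer 1 (adapters + hook) in a consumer project |
+ | `npm run adapters` | Regenerate this repo's `.claude/` adapters from sources |
+ | `npm run validate` | Validate all 36 definitions against the frontmatter schema |
+ | `npm run reindex` | Regenerate `AGENT_INDEX.yaml` (deterministic — no date churn) |
+ | `npm run log-session -- --agent <n> --task "..." --outcome <O>` | Manually append an invocation to `HIVE-LOG.md` |
+ | `npm run cost-report` | Estimated cost per agent from `HIVE-LOG.md`, with budget alerts |
+ | `npm run secrets-audit` | Scan definitions for hardcoded secrets |
+ | `npm run eval` | Layer 1 evals against the live API (needs `ANTHROPIC_API_KEY`; skips honestly without it) |
+ | `npm test` / `npm run lint` / `npm run typecheck` | Offline quality gates (also in CI) |
+
+ ---
+
+ ## Golden Paths
+
+ Step-by-step walkthroughs for common workflows on each stack:
+
+ - [Golden Path — Stack A (Laravel)](docs/GOLDEN-PATH-STACK-A.md) — PHP / Laravel / Filament / MySQL
+ - [Golden Path — Stack B (Next.js)](docs/GOLDEN-PATH-STACK-B.md) — Next.js / NestJS / Prisma / PostgreSQL
+
+ ---
+
+ ## Roadmap
+
+ | Phase | Status | Scope |
+ |-------|--------|-------|
+ | Phase 0 — Agent migration | Complete | 36 definitions in v3 YAML frontmatter format |
+ | Phase 1 — Core runtime | Retired | NestJS runtime built, then superseded by ADR-000; preserved in `legacy/layer2-runtime` |
+ | Phase 2 — Governance layer | Complete | Adapter generators, permission translation, traceability hook, Layer 1 evals, distribution without fork |
+ | Phase 3 — Ecosystem | In progress | npm publish (`npx @simplium/hive`, package ready — org verification pending), OpenCode adapter, public docs |
+
+ ---
+
+ ## Documentation
+
+ - [HIVE Rules & Conventions](docs/HIVE-RULES.md)
+ - [Changelog](CHANGELOG.md)
+ - [Audit trail (2026)](audit/AUDIT-REPORT.md)
+
+ ---
+
+ ## License
+
+ Licensed under [Apache 2.0](LICENSE).
+
+ ## Author
+
+ Built by José at [Simplium.io](https://simplium.io).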
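--- a/package/bin/hive-init.mjs
+++ b/package/bin/hive-init.mjs
@@ -0,0 +1,82 @@
+ #!/usr/bin/env node
+ /**
+ * HIVE Layer 1 installer (npm package bin).
+ *
+ * Usage:
+ * npx @simplium/hive <target-dir> # install/update into a project
+ * npx @simplium/hive . # install into current dir
+ *
+ * Copies the pre-rendered adapters shipped in the package (dist/claude/)
+ * into <target>/.claude/ and wires the traceability hook into settings.json.
+ * Zero runtime dependencies. Idempotent: re-run after upgrading the package.
+ */
+
+ import { readFileSync, writeFileSync, mkdirSync, copyFileSync, readdirSync, existsSync } from "node:fs";
+ import { join, dirname, resolve } from "node:path";
+ import { fileURLToPath } from "node:url";
+
+ const PKG_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), "..");
+ const PAYLOAD = join(PKG_ROOT, "dist", "claude");
+ const HOOK_COMMAND = 'node "$CLAUDE_PROJECT_DIR/.claude/hooks/hive-log.mjs"';
+
+ function fail(msg) {
+ console.error(`✖ ${msg}`);
+ process.exit(1);
+ }
+
+ const rawTarget = process.argv[2];
+ if (!rawTarget) {
+ console.error("Usage: npx @simplium/hive <target-directory>");
+ process.exit(1);
+ }
+ const target = resolve(process.cwd(), rawTarget);
+ if (!existsSync(target)) fail(`Target directory does not exist: ${target}`);
+ if (!existsSync(PAYLOAD)) fail("Package payload missing (dist/claude) — was the package built with prepack?");
+
+ const version = JSON.parse(readFileSync(join(PKG_ROOT, "package.json"), "utf-8")).version;
+
+ function copyDir(fromDir, toDir) {
+ mkdirSync(toDir, { recursive: true });
+ let n = 0;
+ for (const f of readdirSync(fromDir)) {
+ copyFileSync(join(fromDir, f), join(toDir, f));
+ n++;
+ }
+ return n;
+ }
+
+ const agents = copyDir(join(PAYLOAD, "agents"), join(target, ".claude", "agents"));
+ const skills = copyDir(join(PAYLOAD, "skills"), join(target, ".claude", "skills"));
+ copyDir(join(PAYLOAD, "hooks"), join(target, ".claude", "hooks"));
+
+ // Wire the hook into settings.json (merge; never clobber unrelated config)
+ const settingsPath = join(target, ".claude", "settings.json");
+ let hookNote = "settings.json wired (PostToolUse → Task)";
+ let settings = {};
+ if (existsSync(settingsPath)) {
+ try {
+ settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
+ } catch {
+ settings = null;
+ hookNote = `settings.json is not valid JSON — add the PostToolUse hook manually (command: ${HOOK_COMMAND})`;
+ }
+ }
+ if (settings !== null) {
+ const hooks = settings.hooks ?? {};
+ const post = hooks.PostToolUse ?? [];
+ const wired = post.some(m => (m.hooks ?? []).some(h => (h.command ?? "").includes("hive-log.mjs")));
+ if (wired) {
+ hookNote = "settings.json already wired";
+ } else {
+ post.push({ matcher: "Task", hooks: [{ type: "command", command: HOOK_COMMAND }] });
+ hooks.PostToolUse = post;
+ settings.hooks = hooks;
+ writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf-8");
+ }
+ }
+
+ console.log(`\nHIVE Framework v${version}`);
+ console.log(`✅ Installed: ${agents} agents + ${skills} skills + hook → ${target}/.claude/`);
+ console.log(` ${hookNote}`);
+ console.log(`\n Next: open ${target} in Claude Code — agents and skills are discovered natively.`);
+ console.log(` Update: npx @simplium/hive@latest ${rawTarget} after a new HIVE release.\n`);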
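Review bot: The settings.json merge near the end of this script trusts the shape of the parsed file, and it can report success when nothing was written. A file that parses to `null` leaves `hookNote` at "settings.json wired (PostToolUse → Task)" although the write is skipped. A file where `PostToolUse` is not an array makes `post.some` throw after the agents, skills and hook have already been copied, which leaves a half-finished install. Because this file decides which command the host runs after every Task call, I would check the shape before merging, leave the file untouched on any mismatch and print the manual instruction instead, as below. Separately, `copyDir` overwrites same-named files under `<target>/.claude/` without notice, which deserves a line in the header comment.

```javascript
// … unchanged: existsSync / JSON.parse try-catch that sets settings = null on a parse error …
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const hooks = isPlainObject(settings) ? (settings.hooks ?? {}) : null;
const post = isPlainObject(hooks) ? (hooks.PostToolUse ?? []) : null;
if (!Array.isArray(post)) {
  // Parse failure, literal null, or wrong shape: do not write, and never report success.
  hookNote = `settings.json could not be merged — add the PostToolUse hook manually (command: ${HOOK_COMMAND})`;
} else {
  // … unchanged: wired check, push and writeFileSync …
}
```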