npm - @vauban-org/agent-sdk - Versions diffs - 0.17.4 → 1.2.0 - Mend

@vauban-org/agent-sdk 0.17.4 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (506) hide show

package/CONTRACT.md +6401 -813
package/dist/adapters/llm/anthropic-direct.d.ts +1 -0
package/dist/adapters/llm/anthropic-direct.d.ts.map +1 -1
package/dist/adapters/llm/anthropic-direct.js +43 -0
package/dist/adapters/llm/anthropic-direct.js.map +1 -1
package/dist/adapters/llm/cascade.d.ts.map +1 -1
package/dist/adapters/llm/cascade.js +57 -14
package/dist/adapters/llm/cascade.js.map +1 -1
package/dist/adapters/llm/litellm.d.ts +2 -0
package/dist/adapters/llm/litellm.d.ts.map +1 -1
package/dist/adapters/llm/litellm.js +44 -0
package/dist/adapters/llm/litellm.js.map +1 -1
package/dist/compute/difficulty-estimator.d.ts +53 -0
package/dist/compute/difficulty-estimator.d.ts.map +1 -0
package/dist/compute/difficulty-estimator.js +82 -0
package/dist/compute/difficulty-estimator.js.map +1 -0
package/dist/compute/strategies/mixture-of-agents.d.ts +40 -0
package/dist/compute/strategies/mixture-of-agents.d.ts.map +1 -0
package/dist/compute/strategies/mixture-of-agents.js +110 -0
package/dist/compute/strategies/mixture-of-agents.js.map +1 -0
package/dist/compute/strategies/tree-of-thoughts.d.ts +48 -0
package/dist/compute/strategies/tree-of-thoughts.d.ts.map +1 -0
package/dist/compute/strategies/tree-of-thoughts.js +242 -0
package/dist/compute/strategies/tree-of-thoughts.js.map +1 -0
package/dist/compute/strategies/two-phase-orient.d.ts +72 -0
package/dist/compute/strategies/two-phase-orient.d.ts.map +1 -0
package/dist/compute/strategies/two-phase-orient.js +85 -0
package/dist/compute/strategies/two-phase-orient.js.map +1 -0
package/dist/constitution/types.d.ts +10 -10
package/dist/container/protocol.d.ts +134 -0
package/dist/container/protocol.d.ts.map +1 -0
package/dist/container/protocol.js +157 -0
package/dist/container/protocol.js.map +1 -0
package/dist/container/runtime.d.ts +140 -0
package/dist/container/runtime.d.ts.map +1 -0
package/dist/container/runtime.js +256 -0
package/dist/container/runtime.js.map +1 -0
package/dist/events/catalogue.d.ts +327 -30
package/dist/events/catalogue.d.ts.map +1 -1
package/dist/events/catalogue.js +18 -0
package/dist/events/catalogue.js.map +1 -1
package/dist/events/index.d.ts +9 -0
package/dist/events/index.d.ts.map +1 -1
package/dist/events/index.js +9 -0
package/dist/events/index.js.map +1 -1
package/dist/events/schemas/agent.completed.v1.d.ts +4 -4
package/dist/events/schemas/agent.failed.v1.d.ts +2 -2
package/dist/events/schemas/agent.hitl_resolved.v1.d.ts +2 -2
package/dist/events/schemas/agent.started.v1.d.ts +2 -2
package/dist/events/schemas/brain.skill.extracted.v1.d.ts +4 -4
package/dist/events/schemas/cc.cost.anomaly_detected.v1.d.ts +2 -2
package/dist/events/schemas/cc.cost.recorded.v1.d.ts +4 -4
package/dist/events/schemas/citadel.sprint.analyzed.v1.d.ts +55 -0
package/dist/events/schemas/citadel.sprint.analyzed.v1.d.ts.map +1 -0
package/dist/events/schemas/citadel.sprint.analyzed.v1.js +22 -0
package/dist/events/schemas/citadel.sprint.analyzed.v1.js.map +1 -0
package/dist/events/schemas/citadel.sprint.closed.v1.d.ts +2 -2
package/dist/events/schemas/forge.inbox.reply_classified.v1.d.ts +33 -0
package/dist/events/schemas/forge.inbox.reply_classified.v1.d.ts.map +1 -0
package/dist/events/schemas/forge.inbox.reply_classified.v1.js +15 -0
package/dist/events/schemas/forge.inbox.reply_classified.v1.js.map +1 -0
package/dist/events/schemas/forge.lead.qualified.v1.d.ts +2 -2
package/dist/events/schemas/forge.outreach.sent.v1.d.ts +4 -4
package/dist/events/schemas/incident.detected.v1.d.ts +2 -2
package/dist/events/schemas/vauban-finance.forecast.generated.v1.d.ts +21 -0
package/dist/events/schemas/vauban-finance.forecast.generated.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban-finance.forecast.generated.v1.js +11 -0
package/dist/events/schemas/vauban-finance.forecast.generated.v1.js.map +1 -0
package/dist/events/schemas/vauban-finance.trade.executed.v1.d.ts +24 -0
package/dist/events/schemas/vauban-finance.trade.executed.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban-finance.trade.executed.v1.js +12 -0
package/dist/events/schemas/vauban-finance.trade.executed.v1.js.map +1 -0
package/dist/events/schemas/vauban.goal.checked.v1.d.ts +21 -0
package/dist/events/schemas/vauban.goal.checked.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban.goal.checked.v1.js +11 -0
package/dist/events/schemas/vauban.goal.checked.v1.js.map +1 -0
package/dist/events/schemas/vauban.rebalancing.checked.v1.d.ts +21 -0
package/dist/events/schemas/vauban.rebalancing.checked.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban.rebalancing.checked.v1.js +11 -0
package/dist/events/schemas/vauban.rebalancing.checked.v1.js.map +1 -0
package/dist/events/schemas/vauban.tax.checked.v1.d.ts +21 -0
package/dist/events/schemas/vauban.tax.checked.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban.tax.checked.v1.js +11 -0
package/dist/events/schemas/vauban.tax.checked.v1.js.map +1 -0
package/dist/events/schemas/vauban.vault.analyzed.v1.d.ts +59 -0
package/dist/events/schemas/vauban.vault.analyzed.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban.vault.analyzed.v1.js +19 -0
package/dist/events/schemas/vauban.vault.analyzed.v1.js.map +1 -0
package/dist/events/schemas/vauban.vault.compounded.v1.d.ts +24 -0
package/dist/events/schemas/vauban.vault.compounded.v1.d.ts.map +1 -0
package/dist/events/schemas/vauban.vault.compounded.v1.js +12 -0
package/dist/events/schemas/vauban.vault.compounded.v1.js.map +1 -0
package/dist/identity/agent-persona.d.ts +73 -0
package/dist/identity/agent-persona.d.ts.map +1 -0
package/dist/identity/agent-persona.js +165 -0
package/dist/identity/agent-persona.js.map +1 -0
package/dist/identity/persona-prompt.d.ts +25 -0
package/dist/identity/persona-prompt.d.ts.map +1 -0
package/dist/identity/persona-prompt.js +71 -0
package/dist/identity/persona-prompt.js.map +1 -0
package/dist/identity/persona-schema.d.ts +120 -0
package/dist/identity/persona-schema.d.ts.map +1 -0
package/dist/identity/persona-schema.js +103 -0
package/dist/identity/persona-schema.js.map +1 -0
package/dist/index.d.ts +37 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +29 -1
package/dist/index.js.map +1 -1
package/dist/loop/index.d.ts +1 -1
package/dist/loop/index.d.ts.map +1 -1
package/dist/loop/index.js.map +1 -1
package/dist/loop/minimal-loop.js +293 -287
package/dist/loop/sdk-loop.d.ts +1 -3
package/dist/loop/sdk-loop.d.ts.map +1 -1
package/dist/loop/sdk-loop.js +1 -1
package/dist/loop/sdk-loop.js.map +1 -1
package/dist/memory/episodic-rrf.d.ts +114 -0
package/dist/memory/episodic-rrf.d.ts.map +1 -0
package/dist/memory/episodic-rrf.js +148 -0
package/dist/memory/episodic-rrf.js.map +1 -0
package/dist/mesh/attenuation.d.ts +78 -0
package/dist/mesh/attenuation.d.ts.map +1 -0
package/dist/mesh/attenuation.js +141 -0
package/dist/mesh/attenuation.js.map +1 -0
package/dist/mesh/delegate.d.ts +96 -0
package/dist/mesh/delegate.d.ts.map +1 -0
package/dist/mesh/delegate.js +172 -0
package/dist/mesh/delegate.js.map +1 -0
package/dist/mesh/dispatcher.d.ts +119 -0
package/dist/mesh/dispatcher.d.ts.map +1 -0
package/dist/mesh/dispatcher.js +207 -0
package/dist/mesh/dispatcher.js.map +1 -0
package/dist/mesh/index.d.ts +12 -0
package/dist/mesh/index.d.ts.map +1 -0
package/dist/mesh/index.js +11 -0
package/dist/mesh/index.js.map +1 -0
package/dist/mesh/types.d.ts +30 -0
package/dist/mesh/types.d.ts.map +1 -0
package/dist/mesh/types.js +11 -0
package/dist/mesh/types.js.map +1 -0
package/dist/orchestration/ooda/skills.d.ts +104 -0
package/dist/orchestration/ooda/skills.d.ts.map +1 -1
package/dist/orchestration/ooda/skills.js +106 -0
package/dist/orchestration/ooda/skills.js.map +1 -1
package/dist/orchestration/ooda/types.d.ts +3 -8
package/dist/orchestration/ooda/types.d.ts.map +1 -1
package/dist/ports/bastion-action.contract.test.d.ts +11 -0
package/dist/ports/bastion-action.contract.test.d.ts.map +1 -0
package/dist/ports/bastion-action.contract.test.js +238 -0
package/dist/ports/bastion-action.contract.test.js.map +1 -0
package/dist/ports/bastion-action.d.ts +133 -0
package/dist/ports/bastion-action.d.ts.map +1 -0
package/dist/ports/bastion-action.js +73 -0
package/dist/ports/bastion-action.js.map +1 -0
package/dist/ports/brain.d.ts +31 -0
package/dist/ports/brain.d.ts.map +1 -1
package/dist/ports/brain.js +115 -1
package/dist/ports/brain.js.map +1 -1
package/dist/ports/citadel-action.contract.test.d.ts +11 -0
package/dist/ports/citadel-action.contract.test.d.ts.map +1 -0
package/dist/ports/citadel-action.contract.test.js +317 -0
package/dist/ports/citadel-action.contract.test.js.map +1 -0
package/dist/ports/citadel-action.d.ts +111 -0
package/dist/ports/citadel-action.d.ts.map +1 -0
package/dist/ports/citadel-action.js +62 -0
package/dist/ports/citadel-action.js.map +1 -0
package/dist/ports/compliance-contract.d.ts +123 -0
package/dist/ports/compliance-contract.d.ts.map +1 -0
package/dist/ports/compliance-contract.js +35 -0
package/dist/ports/compliance-contract.js.map +1 -0
package/dist/ports/db.d.ts +38 -0
package/dist/ports/db.d.ts.map +1 -1
package/dist/ports/db.js +88 -1
package/dist/ports/db.js.map +1 -1
package/dist/ports/delegation.contract.test.d.ts +9 -0
package/dist/ports/delegation.contract.test.d.ts.map +1 -0
package/dist/ports/delegation.contract.test.js +337 -0
package/dist/ports/delegation.contract.test.js.map +1 -0
package/dist/ports/delegation.d.ts +134 -0
package/dist/ports/delegation.d.ts.map +1 -0
package/dist/ports/delegation.js +105 -0
package/dist/ports/delegation.js.map +1 -0
package/dist/ports/event-bus.d.ts +29 -13
package/dist/ports/event-bus.d.ts.map +1 -1
package/dist/ports/event-bus.js +106 -1
package/dist/ports/event-bus.js.map +1 -1
package/dist/ports/federation.contract.test.d.ts +9 -0
package/dist/ports/federation.contract.test.d.ts.map +1 -0
package/dist/ports/federation.contract.test.js +279 -0
package/dist/ports/federation.contract.test.js.map +1 -0
package/dist/ports/federation.d.ts +140 -0
package/dist/ports/federation.d.ts.map +1 -0
package/dist/ports/federation.js +57 -0
package/dist/ports/federation.js.map +1 -0
package/dist/ports/index.d.ts +28 -2
package/dist/ports/index.d.ts.map +1 -1
package/dist/ports/index.js +17 -2
package/dist/ports/index.js.map +1 -1
package/dist/ports/llm-provider.d.ts +37 -0
package/dist/ports/llm-provider.d.ts.map +1 -1
package/dist/ports/llm-provider.js +99 -1
package/dist/ports/llm-provider.js.map +1 -1
package/dist/ports/logger.d.ts +27 -0
package/dist/ports/logger.d.ts.map +1 -1
package/dist/ports/logger.js +87 -0
package/dist/ports/logger.js.map +1 -1
package/dist/ports/manifest-registry.contract.test.d.ts +9 -0
package/dist/ports/manifest-registry.contract.test.d.ts.map +1 -0
package/dist/ports/manifest-registry.contract.test.js +246 -0
package/dist/ports/manifest-registry.contract.test.js.map +1 -0
package/dist/ports/manifest-registry.d.ts +116 -0
package/dist/ports/manifest-registry.d.ts.map +1 -0
package/dist/ports/manifest-registry.js +79 -0
package/dist/ports/manifest-registry.js.map +1 -0
package/dist/ports/observability.contract.test.d.ts +12 -0
package/dist/ports/observability.contract.test.d.ts.map +1 -0
package/dist/ports/observability.contract.test.js +260 -0
package/dist/ports/observability.contract.test.js.map +1 -0
package/dist/ports/observability.d.ts +98 -0
package/dist/ports/observability.d.ts.map +1 -0
package/dist/ports/observability.js +59 -0
package/dist/ports/observability.js.map +1 -0
package/dist/ports/outcome.d.ts +26 -0
package/dist/ports/outcome.d.ts.map +1 -1
package/dist/ports/outcome.js +62 -1
package/dist/ports/outcome.js.map +1 -1
package/dist/ports/privacy.contract.test.d.ts +12 -0
package/dist/ports/privacy.contract.test.d.ts.map +1 -0
package/dist/ports/privacy.contract.test.js +325 -0
package/dist/ports/privacy.contract.test.js.map +1 -0
package/dist/ports/privacy.d.ts +132 -0
package/dist/ports/privacy.d.ts.map +1 -0
package/dist/ports/privacy.js +83 -0
package/dist/ports/privacy.js.map +1 -0
package/dist/ports/tenant-context.contract.test.d.ts +14 -0
package/dist/ports/tenant-context.contract.test.d.ts.map +1 -0
package/dist/ports/tenant-context.contract.test.js +352 -0
package/dist/ports/tenant-context.contract.test.js.map +1 -0
package/dist/ports/tenant-context.d.ts +103 -0
package/dist/ports/tenant-context.d.ts.map +1 -0
package/dist/ports/tenant-context.js +48 -0
package/dist/ports/tenant-context.js.map +1 -0
package/dist/ports/vauban-finance-action.contract.test.d.ts +11 -0
package/dist/ports/vauban-finance-action.contract.test.d.ts.map +1 -0
package/dist/ports/vauban-finance-action.contract.test.js +260 -0
package/dist/ports/vauban-finance-action.contract.test.js.map +1 -0
package/dist/ports/vauban-finance-action.d.ts +106 -0
package/dist/ports/vauban-finance-action.d.ts.map +1 -0
package/dist/ports/vauban-finance-action.js +60 -0
package/dist/ports/vauban-finance-action.js.map +1 -0
package/dist/ports/workflow-runtime.d.ts +204 -0
package/dist/ports/workflow-runtime.d.ts.map +1 -0
package/dist/ports/workflow-runtime.js +72 -0
package/dist/ports/workflow-runtime.js.map +1 -0
package/dist/proof/cert-verify.d.ts +80 -0
package/dist/proof/cert-verify.d.ts.map +1 -0
package/dist/proof/cert-verify.js +178 -0
package/dist/proof/cert-verify.js.map +1 -0
package/dist/replay/replay.d.ts.map +1 -1
package/dist/replay/replay.js +5 -1
package/dist/replay/replay.js.map +1 -1
package/dist/retry/index.d.ts +129 -0
package/dist/retry/index.d.ts.map +1 -0
package/dist/retry/index.js +156 -0
package/dist/retry/index.js.map +1 -0
package/dist/retry/presets.d.ts +39 -0
package/dist/retry/presets.d.ts.map +1 -0
package/dist/retry/presets.js +69 -0
package/dist/retry/presets.js.map +1 -0
package/dist/skill-loop/ab-runner.d.ts +67 -0
package/dist/skill-loop/ab-runner.d.ts.map +1 -0
package/dist/skill-loop/ab-runner.js +160 -0
package/dist/skill-loop/ab-runner.js.map +1 -0
package/dist/skill-loop/adoption.d.ts +67 -0
package/dist/skill-loop/adoption.d.ts.map +1 -0
package/dist/skill-loop/adoption.js +126 -0
package/dist/skill-loop/adoption.js.map +1 -0
package/dist/skill-loop/candidate.d.ts +45 -0
package/dist/skill-loop/candidate.d.ts.map +1 -0
package/dist/skill-loop/candidate.js +43 -0
package/dist/skill-loop/candidate.js.map +1 -0
package/dist/skill-loop/evaluator.d.ts +42 -0
package/dist/skill-loop/evaluator.d.ts.map +1 -0
package/dist/skill-loop/evaluator.js +184 -0
package/dist/skill-loop/evaluator.js.map +1 -0
package/dist/skill-loop/index.d.ts +27 -0
package/dist/skill-loop/index.d.ts.map +1 -0
package/dist/skill-loop/index.js +27 -0
package/dist/skill-loop/index.js.map +1 -0
package/dist/skill-loop/reflexion-replay.d.ts +87 -0
package/dist/skill-loop/reflexion-replay.d.ts.map +1 -0
package/dist/skill-loop/reflexion-replay.js +110 -0
package/dist/skill-loop/reflexion-replay.js.map +1 -0
package/dist/skill-loop/sign-off.d.ts +88 -0
package/dist/skill-loop/sign-off.d.ts.map +1 -0
package/dist/skill-loop/sign-off.js +146 -0
package/dist/skill-loop/sign-off.js.map +1 -0
package/dist/skill-loop/value-metric.d.ts +55 -0
package/dist/skill-loop/value-metric.d.ts.map +1 -0
package/dist/skill-loop/value-metric.js +69 -0
package/dist/skill-loop/value-metric.js.map +1 -0
package/dist/skill-loop/versioning.d.ts +36 -0
package/dist/skill-loop/versioning.d.ts.map +1 -0
package/dist/skill-loop/versioning.js +47 -0
package/dist/skill-loop/versioning.js.map +1 -0
package/dist/skill-manifest/anchor.d.ts +91 -0
package/dist/skill-manifest/anchor.d.ts.map +1 -0
package/dist/skill-manifest/anchor.js +331 -0
package/dist/skill-manifest/anchor.js.map +1 -0
package/dist/skill-manifest/builder.d.ts +47 -0
package/dist/skill-manifest/builder.d.ts.map +1 -0
package/dist/skill-manifest/builder.js +93 -0
package/dist/skill-manifest/builder.js.map +1 -0
package/dist/skill-manifest/index.d.ts +13 -0
package/dist/skill-manifest/index.d.ts.map +1 -0
package/dist/skill-manifest/index.js +9 -0
package/dist/skill-manifest/index.js.map +1 -0
package/dist/skill-manifest/types.d.ts +67 -0
package/dist/skill-manifest/types.d.ts.map +1 -0
package/dist/skill-manifest/types.js +16 -0
package/dist/skill-manifest/types.js.map +1 -0
package/dist/skill-manifest/verifier.d.ts +42 -0
package/dist/skill-manifest/verifier.d.ts.map +1 -0
package/dist/skill-manifest/verifier.js +136 -0
package/dist/skill-manifest/verifier.js.map +1 -0
package/dist/skills/brain-query.d.ts +4 -4
package/dist/skills/brain-store.d.ts +6 -6
package/dist/skills/errors.d.ts +15 -0
package/dist/skills/errors.d.ts.map +1 -1
package/dist/skills/errors.js +21 -0
package/dist/skills/errors.js.map +1 -1
package/dist/skills/hitl-request.d.ts +2 -2
package/dist/skills/index.d.ts +3 -1
package/dist/skills/index.d.ts.map +1 -1
package/dist/skills/index.js +4 -1
package/dist/skills/index.js.map +1 -1
package/dist/skills/markdown/loader.d.ts +52 -0
package/dist/skills/markdown/loader.d.ts.map +1 -0
package/dist/skills/markdown/loader.js +93 -0
package/dist/skills/markdown/loader.js.map +1 -0
package/dist/skills/markdown/schema.d.ts +432 -0
package/dist/skills/markdown/schema.d.ts.map +1 -0
package/dist/skills/markdown/schema.js +121 -0
package/dist/skills/markdown/schema.js.map +1 -0
package/dist/skills/poc-md-loader/markdown-loader.d.ts +77 -0
package/dist/skills/poc-md-loader/markdown-loader.d.ts.map +1 -0
package/dist/skills/poc-md-loader/markdown-loader.js +125 -0
package/dist/skills/poc-md-loader/markdown-loader.js.map +1 -0
package/dist/skills/poc-md-loader/runner.d.ts +24 -0
package/dist/skills/poc-md-loader/runner.d.ts.map +1 -0
package/dist/skills/poc-md-loader/runner.js +57 -0
package/dist/skills/poc-md-loader/runner.js.map +1 -0
package/dist/skills/poc-md-loader/vitest.poc.config.d.ts +3 -0
package/dist/skills/poc-md-loader/vitest.poc.config.d.ts.map +1 -0
package/dist/skills/poc-md-loader/vitest.poc.config.js +13 -0
package/dist/skills/poc-md-loader/vitest.poc.config.js.map +1 -0
package/dist/skills/poc-md-loader/web-search/script.d.ts +33 -0
package/dist/skills/poc-md-loader/web-search/script.d.ts.map +1 -0
package/dist/skills/poc-md-loader/web-search/script.js +75 -0
package/dist/skills/poc-md-loader/web-search/script.js.map +1 -0
package/dist/skills/record-outcome.d.ts +4 -4
package/dist/skills/send-email.d.ts.map +1 -1
package/dist/skills/send-email.js +15 -3
package/dist/skills/send-email.js.map +1 -1
package/dist/skills/slack-notify.d.ts +4 -4
package/dist/skills/starknet-balance.d.ts +1 -1
package/dist/skills/telegram-notify.d.ts +4 -4
package/dist/skills/web-search.d.ts +1 -1
package/dist/testing/contracts/event-bus.contract.d.ts.map +1 -1
package/dist/testing/contracts/event-bus.contract.js +14 -12
package/dist/testing/contracts/event-bus.contract.js.map +1 -1
package/dist/testing/index.d.ts +3 -0
package/dist/testing/test-brain-port.d.ts +4 -0
package/dist/testing/test-brain-port.d.ts.map +1 -1
package/dist/testing/test-brain-port.js +75 -20
package/dist/testing/test-brain-port.js.map +1 -1
package/dist/testing/test-event-bus.d.ts.map +1 -1
package/dist/testing/test-event-bus.js +89 -36
package/dist/testing/test-event-bus.js.map +1 -1
package/dist/trace/schema.d.ts +1 -1
package/dist/trace/schema.d.ts.map +1 -1
package/dist/trace/schema.js +1 -1
package/dist/trace/schema.js.map +1 -1
package/dist/verify/formal/index.d.ts +44 -0
package/dist/verify/formal/index.d.ts.map +1 -0
package/dist/verify/formal/index.js +98 -0
package/dist/verify/formal/index.js.map +1 -0
package/dist/verify/formal/policy.d.ts +105 -0
package/dist/verify/formal/policy.d.ts.map +1 -0
package/dist/verify/formal/policy.js +159 -0
package/dist/verify/formal/policy.js.map +1 -0
package/dist/verify/formal/result.d.ts +50 -0
package/dist/verify/formal/result.d.ts.map +1 -0
package/dist/verify/formal/result.js +21 -0
package/dist/verify/formal/result.js.map +1 -0
package/dist/verify/formal/solver.d.ts +67 -0
package/dist/verify/formal/solver.d.ts.map +1 -0
package/dist/verify/formal/solver.js +184 -0
package/dist/verify/formal/solver.js.map +1 -0
package/dist/verify/formal/spec-language.d.ts +80 -0
package/dist/verify/formal/spec-language.d.ts.map +1 -0
package/dist/verify/formal/spec-language.js +219 -0
package/dist/verify/formal/spec-language.js.map +1 -0
package/docs/attestation.md +199 -0
package/docs/identity.md +193 -0
package/package.json +22 -1
package/src/adapters/llm/anthropic-direct.ts +51 -0
package/src/adapters/llm/cascade.ts +64 -19
package/src/adapters/llm/litellm.ts +49 -0
package/src/compute/difficulty-estimator.ts +111 -0
package/src/compute/strategies/mixture-of-agents.ts +150 -0
package/src/compute/strategies/tree-of-thoughts.ts +293 -0
package/src/compute/strategies/two-phase-orient.ts +147 -0
package/src/container/protocol.ts +243 -0
package/src/container/runtime.ts +424 -0
package/src/db/migrations/026_formal_verify_results.sql +30 -0
package/src/events/catalogue.ts +54 -0
package/src/events/index.ts +9 -0
package/src/events/schemas/citadel.sprint.analyzed.v1.ts +23 -0
package/src/events/schemas/forge.inbox.reply_classified.v1.ts +15 -0
package/src/events/schemas/vauban-finance.forecast.generated.v1.ts +11 -0
package/src/events/schemas/vauban-finance.trade.executed.v1.ts +12 -0
package/src/events/schemas/vauban.goal.checked.v1.ts +11 -0
package/src/events/schemas/vauban.rebalancing.checked.v1.ts +11 -0
package/src/events/schemas/vauban.tax.checked.v1.ts +11 -0
package/src/events/schemas/vauban.vault.analyzed.v1.ts +21 -0
package/src/events/schemas/vauban.vault.compounded.v1.ts +12 -0
package/src/identity/agent-persona.ts +203 -0
package/src/identity/persona-prompt.ts +84 -0
package/src/identity/persona-schema.ts +127 -0
package/src/index.ts +338 -1
package/src/loop/index.ts +0 -1
package/src/loop/sdk-loop.ts +5 -8
package/src/memory/episodic-rrf.ts +224 -0
package/src/mesh/attenuation.ts +190 -0
package/src/mesh/delegate.ts +254 -0
package/src/mesh/dispatcher.ts +301 -0
package/src/mesh/index.ts +39 -0
package/src/mesh/types.ts +31 -0
package/src/orchestration/ooda/skills.ts +177 -0
package/src/orchestration/ooda/types.ts +3 -9
package/src/ports/bastion-action.contract.test.ts +355 -0
package/src/ports/bastion-action.ts +198 -0
package/src/ports/brain.ts +177 -15
package/src/ports/citadel-action.contract.test.ts +430 -0
package/src/ports/citadel-action.ts +174 -0
package/src/ports/compliance-contract.ts +191 -0
package/src/ports/db.ts +98 -0
package/src/ports/delegation.contract.test.ts +428 -0
package/src/ports/delegation.ts +211 -0
package/src/ports/event-bus.ts +133 -18
package/src/ports/federation.contract.test.ts +355 -0
package/src/ports/federation.ts +190 -0
package/src/ports/index.ts +186 -1
package/src/ports/llm-provider.ts +123 -0
package/src/ports/logger.ts +104 -0
package/src/ports/manifest-registry.contract.test.ts +324 -0
package/src/ports/manifest-registry.ts +188 -0
package/src/ports/observability.contract.test.ts +315 -0
package/src/ports/observability.ts +150 -0
package/src/ports/outcome.ts +69 -0
package/src/ports/privacy.contract.test.ts +413 -0
package/src/ports/privacy.ts +207 -0
package/src/ports/tenant-context.contract.test.ts +454 -0
package/src/ports/tenant-context.ts +150 -0
package/src/ports/vauban-finance-action.contract.test.ts +335 -0
package/src/ports/vauban-finance-action.ts +166 -0
package/src/ports/workflow-runtime.ts +327 -0
package/src/proof/cert-verify.ts +249 -0
package/src/replay/replay.ts +11 -8
package/src/retry/index.ts +227 -0
package/src/retry/presets.ts +75 -0
package/src/skill-loop/ab-runner.ts +196 -0
package/src/skill-loop/adoption.ts +188 -0
package/src/skill-loop/candidate.ts +75 -0
package/src/skill-loop/evaluator.ts +238 -0
package/src/skill-loop/index.ts +51 -0
package/src/skill-loop/reflexion-replay.ts +173 -0
package/src/skill-loop/sign-off.ts +247 -0
package/src/skill-loop/value-metric.ts +120 -0
package/src/skill-loop/versioning.ts +75 -0
package/src/skill-manifest/anchor.ts +401 -0
package/src/skill-manifest/builder.ts +129 -0
package/src/skill-manifest/index.ts +18 -0
package/src/skill-manifest/types.ts +72 -0
package/src/skill-manifest/verifier.ts +198 -0
package/src/skills/errors.ts +30 -2
package/src/skills/index.ts +19 -0
package/src/skills/markdown/loader.ts +129 -0
package/src/skills/markdown/schema.ts +144 -0
package/src/skills/poc-md-loader/e2e-parity.test.ts +237 -0
package/src/skills/poc-md-loader/markdown-loader.ts +161 -0
package/src/skills/poc-md-loader/runner.ts +82 -0
package/src/skills/poc-md-loader/vitest.poc.config.ts +13 -0
package/src/skills/poc-md-loader/web-search/SKILL.md +42 -0
package/src/skills/poc-md-loader/web-search/script.ts +109 -0
package/src/skills/send-email.ts +15 -3
package/src/testing/contracts/event-bus.contract.ts +16 -14
package/src/testing/test-brain-port.ts +98 -24
package/src/testing/test-event-bus.ts +104 -43
package/src/trace/schema.ts +1 -1
package/src/verify/formal/index.ts +154 -0
package/src/verify/formal/policy.ts +253 -0
package/src/verify/formal/result.ts +52 -0
package/src/verify/formal/solver.ts +235 -0
package/src/verify/formal/spec-language.ts +274 -0

package/src/container/protocol.ts ADDED Viewed

@@ -0,0 +1,243 @@
+/**
+ * Container Execution Protocol — standard contract for running automations
+ * inside containers or as local binaries.
+ *
+ * Contract:
+ *
+ *   Input (via env vars):
+ *     VAUBAN_EXECUTION_ID    — unique execution identifier (UUID)
+ *     VAUBAN_AUTOMATION_NAME — automation name (kebab-case)
+ *     VAUBAN_INPUT           — JSON-encoded input parameters
+ *     VAUBAN_TIMEOUT         — timeout in seconds
+ *     VAUBAN_MODE            — execution mode (default: "execute")
+ *
+ *   Output (via stdout, last non-empty line, JSON):
+ *     { "status": "completed", "output": <any> }
+ *     { "status": "failed", "error": { "code": "...", "message": "...", "details"?: <any> } }
+ *
+ *   Diagnostics (via stderr, optional, one JSON object per line):
+ *     { "level": "info", "message": "...", "timestamp": "..." }
+ *     { "progress": 0.5, "message": "..." }
+ *
+ * @public @since 1.2.0
+ */
+/**
+ * Reserved environment variable names. All caller env merged on top must NOT
+ * shadow these keys, or the automation's view of its own context becomes
+ * undefined.
+ *
+ * @public
+ */
+export const PROTOCOL_ENV = {
+  EXECUTION_ID: "VAUBAN_EXECUTION_ID",
+  AUTOMATION_NAME: "VAUBAN_AUTOMATION_NAME",
+  INPUT: "VAUBAN_INPUT",
+  TIMEOUT: "VAUBAN_TIMEOUT",
+  MODE: "VAUBAN_MODE",
+} as const;
+/**
+ * Default protocol mode set when caller does not specify one.
+ * @public
+ */
+export const DEFAULT_PROTOCOL_MODE = "execute";
+/**
+ * Final status reported by a container/binary on stdout.
+ * @public
+ */
+export type ProtocolStatus = "completed" | "failed";
+/**
+ * Discriminated union of protocol outputs parsed from stdout.
+ * @public
+ */
+export type ProtocolResult<T = unknown> =
+  | { readonly status: "completed"; readonly output: T }
+  | {
+      readonly status: "failed";
+      readonly error: {
+        readonly code: string;
+        readonly message: string;
+        readonly details?: unknown;
+      };
+    };
+/**
+ * Outcome of an execution attempt, combining protocol result with timing,
+ * captured logs, and propagated metadata.
+ *
+ * @public
+ */
+export interface ExecutionResult<T = unknown> {
+  readonly executionId: string;
+  readonly automationName: string;
+  readonly status: "completed" | "failed" | "timeout";
+  readonly input: unknown;
+  readonly output?: T;
+  readonly error?: {
+    code: string;
+    message: string;
+    details?: unknown;
+  };
+  readonly startedAt: Date;
+  readonly completedAt: Date;
+  readonly durationMs: number;
+  readonly logs: ReadonlyArray<{
+    readonly level: string;
+    readonly message: string;
+    readonly timestamp: string;
+  }>;
+}
+/**
+ * Thrown when stdout does not contain a parseable protocol result on its last
+ * non-empty line.
+ *
+ * @public
+ */
+export class ProtocolParseError extends Error {
+  readonly rawTail: string;
+  constructor(reason: string, rawTail: string) {
+    super(`container-protocol: ${reason}`);
+    this.name = "ProtocolParseError";
+    this.rawTail = rawTail;
+  }
+}
+/**
+ * Build the protocol's environment variables. Caller `extraEnv` is merged
+ * AFTER protocol env, so it cannot accidentally override reserved keys.
+ *
+ * @public
+ */
+export function buildProtocolEnv(args: {
+  executionId: string;
+  automationName: string;
+  input: unknown;
+  timeoutSeconds: number;
+  mode?: string;
+  extraEnv?: Readonly<Record<string, string>>;
+}): Record<string, string> {
+  const env: Record<string, string> = {};
+  if (args.extraEnv) {
+    for (const [k, v] of Object.entries(args.extraEnv)) {
+      env[k] = v;
+    }
+  }
+  env[PROTOCOL_ENV.EXECUTION_ID] = args.executionId;
+  env[PROTOCOL_ENV.AUTOMATION_NAME] = args.automationName;
+  env[PROTOCOL_ENV.INPUT] = JSON.stringify(args.input);
+  env[PROTOCOL_ENV.TIMEOUT] = String(args.timeoutSeconds);
+  env[PROTOCOL_ENV.MODE] = args.mode ?? DEFAULT_PROTOCOL_MODE;
+  return env;
+}
+/**
+ * Parse the last non-empty line of stdout as a {@link ProtocolResult}.
+ *
+ * @throws {@link ProtocolParseError} when stdout is empty, has no JSON tail,
+ *   or the JSON does not match the protocol shape.
+ *
+ * @public
+ */
+export function parseProtocolOutput<T = unknown>(
+  stdout: string
+): ProtocolResult<T> {
+  const trimmed = stdout.trim();
+  if (trimmed.length === 0) {
+    throw new ProtocolParseError("stdout is empty", "");
+  }
+  const lines = trimmed.split("\n");
+  const lastLine = lines[lines.length - 1]!.trim();
+  if (lastLine.length === 0) {
+    throw new ProtocolParseError(
+      "last stdout line is empty",
+      trimmed.slice(-200)
+    );
+  }
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(lastLine);
+  } catch {
+    throw new ProtocolParseError(
+      "last stdout line is not valid JSON",
+      lastLine.slice(0, 500)
+    );
+  }
+  if (typeof parsed !== "object" || parsed === null || !("status" in parsed)) {
+    throw new ProtocolParseError(
+      "protocol JSON missing 'status' field",
+      lastLine.slice(0, 500)
+    );
+  }
+  const obj = parsed as Record<string, unknown>;
+  const status = obj["status"];
+  if (status === "completed") {
+    return { status: "completed", output: (obj["output"] ?? null) as T };
+  }
+  if (status === "failed") {
+    const err = (obj["error"] as Record<string, unknown> | undefined) ?? {};
+    const code =
+      typeof err["code"] === "string" ? (err["code"] as string) : "UNKNOWN";
+    const message =
+      typeof err["message"] === "string"
+        ? (err["message"] as string)
+        : "(no message)";
+    const details = err["details"];
+    return { status: "failed", error: { code, message, details } };
+  }
+  throw new ProtocolParseError(
+    `unknown protocol status: ${String(status)}`,
+    lastLine.slice(0, 500)
+  );
+}
+/**
+ * Parse stderr lines as JSON log entries when possible; fall back to plain
+ * text wrapped at level "info". Used by {@link ContainerRuntime} to populate
+ * `ExecutionResult.logs`.
+ *
+ * @public
+ */
+export function parseStderrLogs(stderr: string): Array<{
+  level: string;
+  message: string;
+  timestamp: string;
+}> {
+  const logs: Array<{ level: string; message: string; timestamp: string }> = [];
+  const lines = stderr.split("\n");
+  for (const raw of lines) {
+    const line = raw.trim();
+    if (line.length === 0) continue;
+    try {
+      const obj = JSON.parse(line) as Record<string, unknown>;
+      logs.push({
+        level:
+          typeof obj["level"] === "string" ? (obj["level"] as string) : "info",
+        message:
+          typeof obj["message"] === "string"
+            ? (obj["message"] as string)
+            : line.slice(0, 500),
+        timestamp:
+          typeof obj["timestamp"] === "string"
+            ? (obj["timestamp"] as string)
+            : new Date().toISOString(),
+      });
+    } catch {
+      logs.push({
+        level: "info",
+        message: line.slice(0, 500),
+        timestamp: new Date().toISOString(),
+      });
+    }
+  }
+  return logs;
+}

package/src/container/runtime.ts ADDED Viewed

@@ -0,0 +1,424 @@
+/**
+ * ContainerRuntime — execute automations as local binaries or as containers,
+ * speaking the {@link ./protocol.ts | Container Execution Protocol}.
+ *
+ * Two modes:
+ *
+ *   - **Binary**: spawn a local executable directly (Rust/Go/Python binary).
+ *     The runtime uses `node:child_process.spawn` by default; tests inject a
+ *     `SpawnFn` to avoid actually running anything.
+ *
+ *   - **Container**: delegate to a host-provided {@link SandboxExecutor}.
+ *     This is structurally compatible with Command Center's `DockerExecutor`
+ *     (hardened isolation), so the SDK stays decoupled from any specific
+ *     sandbox implementation.
+ *
+ * @public @since 1.2.0
+ */
+import { randomUUID } from "node:crypto";
+import { type ChildProcess, spawn as nodeSpawn } from "node:child_process";
+import {
+  buildProtocolEnv,
+  type ExecutionResult,
+  parseProtocolOutput,
+  parseStderrLogs,
+  ProtocolParseError,
+} from "./protocol.js";
+/**
+ * Description of a sandboxed job — structurally identical to Command Center's
+ * `SandboxJob`. Defined here so the SDK has no dependency on a specific
+ * sandbox implementation.
+ *
+ * @public
+ */
+export interface SandboxJob {
+  image: string;
+  command: string[];
+  stdin?: string;
+  env?: Record<string, string>;
+  cwd?: string;
+  timeoutMs: number;
+  networkMode?: "none" | "outbound" | "bridge";
+  readOnlyRoot?: boolean;
+  memoryMb?: number;
+  cpuQuota?: number;
+}
+/**
+ * Outcome of a sandbox run — structurally identical to Command Center's
+ * `SandboxResult`.
+ *
+ * @public
+ */
+export interface SandboxResult {
+  exitCode: number;
+  stdout: string;
+  stderr: string;
+  timedOut: boolean;
+  durationMs: number;
+}
+/**
+ * Port for a process sandbox (Docker, Firecracker, etc.). The host injects an
+ * implementation at runtime; the SDK never depends on a concrete sandbox.
+ *
+ * @public
+ */
+export interface SandboxExecutor {
+  run(job: SandboxJob): Promise<SandboxResult>;
+}
+/**
+ * Spawn function signature, mirrors `node:child_process.spawn`. Injectable so
+ * tests can avoid spawning real subprocesses.
+ *
+ * @public
+ */
+export type SpawnFn = (
+  cmd: string,
+  args: string[],
+  opts: {
+    env?: NodeJS.ProcessEnv;
+    cwd?: string;
+    stdio: ["pipe", "pipe", "pipe"];
+    signal?: AbortSignal;
+  }
+) => ChildProcess;
+/**
+ * Options for {@link ContainerRuntime.executeContainer}.
+ *
+ * @public
+ */
+export interface ContainerExecutionOptions {
+  executionId?: string;
+  timeoutSeconds?: number;
+  extraEnv?: Record<string, string>;
+  mode?: string;
+  networkMode?: "none" | "outbound" | "bridge";
+  readOnlyRoot?: boolean;
+  memoryMb?: number;
+  cpuQuota?: number;
+}
+/**
+ * Options for {@link ContainerRuntime.executeBinary}.
+ *
+ * @public
+ */
+export interface BinaryExecutionOptions {
+  executionId?: string;
+  timeoutSeconds?: number;
+  extraEnv?: Record<string, string>;
+  cwd?: string;
+  mode?: string;
+}
+/**
+ * Construct a {@link ContainerRuntime} bound to a {@link SandboxExecutor}
+ * (for container mode) and optionally a custom {@link SpawnFn} (for binary
+ * mode tests).
+ *
+ * @public
+ */
+export interface ContainerRuntimeOptions {
+  /** Sandbox executor for container mode. Required if executeContainer() is called. */
+  sandbox?: SandboxExecutor;
+  /** Spawn function for binary mode. Defaults to node:child_process.spawn. */
+  spawnFn?: SpawnFn;
+  /** Default timeout when callers don't specify one. */
+  defaultTimeoutSeconds?: number;
+}
+const DEFAULT_TIMEOUT_SECONDS = 300;
+const MAX_OUTPUT_BYTES = 1_048_576; // 1 MB
+const TRUNCATION_MARKER = "\n[TRUNCATED — output exceeded 1 MB]";
+/**
+ * Run automations via either a sandboxed container (host-injected) or a local
+ * binary subprocess. Both paths produce a uniform {@link ExecutionResult}.
+ *
+ * @public
+ */
+export class ContainerRuntime {
+  private readonly sandbox: SandboxExecutor | undefined;
+  private readonly spawnFn: SpawnFn;
+  private readonly defaultTimeoutSeconds: number;
+  constructor(opts: ContainerRuntimeOptions = {}) {
+    this.sandbox = opts.sandbox;
+    this.spawnFn = opts.spawnFn ?? (nodeSpawn as unknown as SpawnFn);
+    this.defaultTimeoutSeconds =
+      opts.defaultTimeoutSeconds ?? DEFAULT_TIMEOUT_SECONDS;
+  }
+  /**
+   * Execute an automation packaged as a container image. Delegates to the
+   * injected {@link SandboxExecutor} so isolation policy (caps, network,
+   * read-only FS) lives in the host implementation.
+   */
+  async executeContainer<T = unknown>(
+    image: string,
+    automationName: string,
+    input: unknown,
+    options: ContainerExecutionOptions = {}
+  ): Promise<ExecutionResult<T>> {
+    if (!this.sandbox) {
+      throw new Error(
+        "ContainerRuntime.executeContainer: no SandboxExecutor injected"
+      );
+    }
+    const executionId = options.executionId ?? randomUUID();
+    const timeoutSeconds = options.timeoutSeconds ?? this.defaultTimeoutSeconds;
+    const startedAt = new Date();
+    const env = buildProtocolEnv({
+      executionId,
+      automationName,
+      input,
+      timeoutSeconds,
+      mode: options.mode,
+      extraEnv: options.extraEnv,
+    });
+    const job: SandboxJob = {
+      image,
+      command: [],
+      env,
+      timeoutMs: timeoutSeconds * 1000,
+      networkMode: options.networkMode ?? "none",
+      readOnlyRoot: options.readOnlyRoot ?? true,
+      memoryMb: options.memoryMb ?? 256,
+      cpuQuota: options.cpuQuota ?? 0.5,
+    };
+    const result = await this.sandbox.run(job);
+    return this.toExecutionResult<T>({
+      executionId,
+      automationName,
+      input,
+      startedAt,
+      sandboxResult: result,
+    });
+  }
+  /**
+   * Execute an automation packaged as a local binary (Rust release, Python
+   * wrapper, shell script). No container — just a hardened subprocess.
+   */
+  async executeBinary<T = unknown>(
+    command: string[],
+    automationName: string,
+    input: unknown,
+    options: BinaryExecutionOptions = {}
+  ): Promise<ExecutionResult<T>> {
+    if (!Array.isArray(command) || command.length === 0) {
+      throw new Error(
+        "ContainerRuntime.executeBinary: command must be a non-empty array"
+      );
+    }
+    const executionId = options.executionId ?? randomUUID();
+    const timeoutSeconds = options.timeoutSeconds ?? this.defaultTimeoutSeconds;
+    const startedAt = new Date();
+    const protocolEnv = buildProtocolEnv({
+      executionId,
+      automationName,
+      input,
+      timeoutSeconds,
+      mode: options.mode,
+      extraEnv: options.extraEnv,
+    });
+    const env: NodeJS.ProcessEnv = { ...process.env, ...protocolEnv };
+    const result = await this.runSubprocess({
+      cmd: command[0]!,
+      args: command.slice(1),
+      env,
+      cwd: options.cwd,
+      timeoutMs: timeoutSeconds * 1000,
+    });
+    return this.toExecutionResult<T>({
+      executionId,
+      automationName,
+      input,
+      startedAt,
+      sandboxResult: result,
+    });
+  }
+  // ─── Internals ────────────────────────────────────────────────────────
+  private async runSubprocess(args: {
+    cmd: string;
+    args: string[];
+    env: NodeJS.ProcessEnv;
+    cwd: string | undefined;
+    timeoutMs: number;
+  }): Promise<SandboxResult> {
+    const startedAt = Date.now();
+    const abortController = new AbortController();
+    const timeoutHandle = setTimeout(
+      () => abortController.abort(),
+      args.timeoutMs
+    );
+    let stdoutBuf = "";
+    let stderrBuf = "";
+    let timedOut = false;
+    const spawnOpts: {
+      env?: NodeJS.ProcessEnv;
+      cwd?: string;
+      stdio: ["pipe", "pipe", "pipe"];
+      signal?: AbortSignal;
+    } = {
+      env: args.env,
+      stdio: ["pipe", "pipe", "pipe"],
+      signal: abortController.signal,
+    };
+    if (args.cwd !== undefined) spawnOpts.cwd = args.cwd;
+    const child = this.spawnFn(args.cmd, args.args, spawnOpts);
+    if (child.stdin) child.stdin.end();
+    child.stdout?.on("data", (chunk: Buffer) => {
+      const remaining = MAX_OUTPUT_BYTES - Buffer.byteLength(stdoutBuf, "utf8");
+      if (remaining <= 0) return;
+      const piece = chunk.toString("utf8");
+      if (Buffer.byteLength(piece, "utf8") <= remaining) {
+        stdoutBuf += piece;
+      } else {
+        stdoutBuf += piece.slice(0, remaining) + TRUNCATION_MARKER;
+      }
+    });
+    child.stderr?.on("data", (chunk: Buffer) => {
+      const remaining = MAX_OUTPUT_BYTES - Buffer.byteLength(stderrBuf, "utf8");
+      if (remaining <= 0) return;
+      const piece = chunk.toString("utf8");
+      if (Buffer.byteLength(piece, "utf8") <= remaining) {
+        stderrBuf += piece;
+      } else {
+        stderrBuf += piece.slice(0, remaining) + TRUNCATION_MARKER;
+      }
+    });
+    const exitCode = await new Promise<number>((resolve) => {
+      child.on("close", (code) => resolve(code ?? 1));
+      child.on("error", (err: NodeJS.ErrnoException) => {
+        if (err.name === "AbortError" || abortController.signal.aborted) {
+          timedOut = true;
+          resolve(137);
+        } else {
+          resolve(1);
+        }
+      });
+    });
+    clearTimeout(timeoutHandle);
+    return {
+      exitCode,
+      stdout: stdoutBuf,
+      stderr: stderrBuf,
+      timedOut,
+      durationMs: Date.now() - startedAt,
+    };
+  }
+  private toExecutionResult<T>(args: {
+    executionId: string;
+    automationName: string;
+    input: unknown;
+    startedAt: Date;
+    sandboxResult: SandboxResult;
+  }): ExecutionResult<T> {
+    const completedAt = new Date(
+      args.startedAt.getTime() + args.sandboxResult.durationMs
+    );
+    const logs = parseStderrLogs(args.sandboxResult.stderr);
+    if (args.sandboxResult.timedOut) {
+      return {
+        executionId: args.executionId,
+        automationName: args.automationName,
+        status: "timeout",
+        input: args.input,
+        error: {
+          code: "TIMEOUT",
+          message: `execution timed out after ${args.sandboxResult.durationMs}ms`,
+        },
+        startedAt: args.startedAt,
+        completedAt,
+        durationMs: args.sandboxResult.durationMs,
+        logs,
+      };
+    }
+    // Try to parse the protocol result FIRST — a non-zero exit with a valid
+    // protocol "failed" payload is a business failure, not a container crash.
+    try {
+      const protocol = parseProtocolOutput<T>(args.sandboxResult.stdout);
+      if (protocol.status === "completed") {
+        return {
+          executionId: args.executionId,
+          automationName: args.automationName,
+          status: "completed",
+          input: args.input,
+          output: protocol.output,
+          startedAt: args.startedAt,
+          completedAt,
+          durationMs: args.sandboxResult.durationMs,
+          logs,
+        };
+      }
+      return {
+        executionId: args.executionId,
+        automationName: args.automationName,
+        status: "failed",
+        input: args.input,
+        error: { ...protocol.error },
+        startedAt: args.startedAt,
+        completedAt,
+        durationMs: args.sandboxResult.durationMs,
+        logs,
+      };
+    } catch (err) {
+      // No parseable protocol output. If the process exited non-zero, surface
+      // it as a container crash; otherwise the binary returned 0 but said
+      // nothing useful — also a protocol violation.
+      const code =
+        args.sandboxResult.exitCode === 0
+          ? "INVALID_OUTPUT"
+          : "CONTAINER_EXIT_ERROR";
+      const message =
+        args.sandboxResult.exitCode === 0
+          ? "process exited 0 but produced no protocol result"
+          : `process exited with code ${args.sandboxResult.exitCode}`;
+      const stderrTail = args.sandboxResult.stderr.slice(-2000);
+      const stdoutTail = args.sandboxResult.stdout.slice(-2000);
+      const rawTail = err instanceof ProtocolParseError ? err.rawTail : "";
+      return {
+        executionId: args.executionId,
+        automationName: args.automationName,
+        status: "failed",
+        input: args.input,
+        error: {
+          code,
+          message,
+          details: { stderr: stderrTail, stdout: stdoutTail, rawTail },
+        },
+        startedAt: args.startedAt,
+        completedAt,
+        durationMs: args.sandboxResult.durationMs,
+        logs,
+      };
+    }
+  }
+}

package/src/db/migrations/026_formal_verify_results.sql ADDED Viewed

@@ -0,0 +1,30 @@
+-- 026_formal_verify_results.sql
+--
+-- Sprint-587 — Persistence for Z3 formal verification outcomes.
+--
+-- One row per (cycle_id, axiom) verification attempt. UNKNOWN and SKIPPED
+-- are first-class states (NOT folded into SAFE/UNSAFE). The `mode` and
+-- `context` columns preserve enough metadata to reproduce the decision
+-- under a different policy without re-running the solver.
+CREATE TABLE IF NOT EXISTS formal_verify_results (
+  id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  cycle_id        TEXT NOT NULL,
+  axiom           TEXT NOT NULL,
+  state           TEXT NOT NULL CHECK (state IN ('SAFE','UNSAFE','UNKNOWN','SKIPPED')),
+  rationale       TEXT,
+  witness         TEXT,
+  counterexample  TEXT,
+  time_ms         INT,
+  mode            TEXT NOT NULL DEFAULT 'permissive'
+                  CHECK (mode IN ('strict','permissive','audit_only')),
+  context         TEXT NOT NULL DEFAULT 'runtime'
+                  CHECK (context IN ('runtime','skill_ingestion')),
+  created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_formal_verify_cycle
+  ON formal_verify_results (cycle_id);
+CREATE INDEX IF NOT EXISTS idx_formal_verify_state
+  ON formal_verify_results (state, created_at DESC);