npm - @vauban-org/agent-sdk - Versions diffs - 1.0.0 → 1.2.0 - Mend

@vauban-org/agent-sdk 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (442) hide show

package/CONTRACT.md +6401 -813
package/dist/adapters/llm/anthropic-direct.d.ts +1 -0
package/dist/adapters/llm/anthropic-direct.d.ts.map +1 -1
package/dist/adapters/llm/anthropic-direct.js +43 -0
package/dist/adapters/llm/anthropic-direct.js.map +1 -1
package/dist/adapters/llm/cascade.d.ts.map +1 -1
package/dist/adapters/llm/cascade.js +57 -14
package/dist/adapters/llm/cascade.js.map +1 -1
package/dist/adapters/llm/litellm.d.ts +2 -0
package/dist/adapters/llm/litellm.d.ts.map +1 -1
package/dist/adapters/llm/litellm.js +44 -0
package/dist/adapters/llm/litellm.js.map +1 -1
package/dist/compute/difficulty-estimator.d.ts +53 -0
package/dist/compute/difficulty-estimator.d.ts.map +1 -0
package/dist/compute/difficulty-estimator.js +82 -0
package/dist/compute/difficulty-estimator.js.map +1 -0
package/dist/compute/strategies/mixture-of-agents.d.ts +40 -0
package/dist/compute/strategies/mixture-of-agents.d.ts.map +1 -0
package/dist/compute/strategies/mixture-of-agents.js +110 -0
package/dist/compute/strategies/mixture-of-agents.js.map +1 -0
package/dist/compute/strategies/tree-of-thoughts.d.ts +48 -0
package/dist/compute/strategies/tree-of-thoughts.d.ts.map +1 -0
package/dist/compute/strategies/tree-of-thoughts.js +242 -0
package/dist/compute/strategies/tree-of-thoughts.js.map +1 -0
package/dist/compute/strategies/two-phase-orient.d.ts +72 -0
package/dist/compute/strategies/two-phase-orient.d.ts.map +1 -0
package/dist/compute/strategies/two-phase-orient.js +85 -0
package/dist/compute/strategies/two-phase-orient.js.map +1 -0
package/dist/constitution/types.d.ts +10 -10
package/dist/container/protocol.d.ts +134 -0
package/dist/container/protocol.d.ts.map +1 -0
package/dist/container/protocol.js +157 -0
package/dist/container/protocol.js.map +1 -0
package/dist/container/runtime.d.ts +140 -0
package/dist/container/runtime.d.ts.map +1 -0
package/dist/container/runtime.js +256 -0
package/dist/container/runtime.js.map +1 -0
package/dist/events/catalogue.d.ts +46 -46
package/dist/events/schemas/agent.completed.v1.d.ts +4 -4
package/dist/events/schemas/agent.failed.v1.d.ts +2 -2
package/dist/events/schemas/agent.hitl_resolved.v1.d.ts +2 -2
package/dist/events/schemas/agent.started.v1.d.ts +2 -2
package/dist/events/schemas/brain.skill.extracted.v1.d.ts +4 -4
package/dist/events/schemas/cc.cost.anomaly_detected.v1.d.ts +2 -2
package/dist/events/schemas/cc.cost.recorded.v1.d.ts +4 -4
package/dist/events/schemas/citadel.sprint.analyzed.v1.d.ts +6 -6
package/dist/events/schemas/citadel.sprint.closed.v1.d.ts +2 -2
package/dist/events/schemas/forge.inbox.reply_classified.v1.d.ts +6 -6
package/dist/events/schemas/forge.lead.qualified.v1.d.ts +2 -2
package/dist/events/schemas/forge.outreach.sent.v1.d.ts +4 -4
package/dist/events/schemas/incident.detected.v1.d.ts +2 -2
package/dist/events/schemas/vauban.goal.checked.v1.d.ts +2 -2
package/dist/events/schemas/vauban.rebalancing.checked.v1.d.ts +2 -2
package/dist/events/schemas/vauban.tax.checked.v1.d.ts +2 -2
package/dist/events/schemas/vauban.vault.analyzed.v1.d.ts +6 -6
package/dist/identity/agent-persona.d.ts +73 -0
package/dist/identity/agent-persona.d.ts.map +1 -0
package/dist/identity/agent-persona.js +165 -0
package/dist/identity/agent-persona.js.map +1 -0
package/dist/identity/persona-prompt.d.ts +25 -0
package/dist/identity/persona-prompt.d.ts.map +1 -0
package/dist/identity/persona-prompt.js +71 -0
package/dist/identity/persona-prompt.js.map +1 -0
package/dist/identity/persona-schema.d.ts +120 -0
package/dist/identity/persona-schema.d.ts.map +1 -0
package/dist/identity/persona-schema.js +103 -0
package/dist/identity/persona-schema.js.map +1 -0
package/dist/index.d.ts +37 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +29 -1
package/dist/index.js.map +1 -1
package/dist/loop/minimal-loop.js +293 -287
package/dist/memory/episodic-rrf.d.ts +114 -0
package/dist/memory/episodic-rrf.d.ts.map +1 -0
package/dist/memory/episodic-rrf.js +148 -0
package/dist/memory/episodic-rrf.js.map +1 -0
package/dist/mesh/attenuation.d.ts +78 -0
package/dist/mesh/attenuation.d.ts.map +1 -0
package/dist/mesh/attenuation.js +141 -0
package/dist/mesh/attenuation.js.map +1 -0
package/dist/mesh/delegate.d.ts +96 -0
package/dist/mesh/delegate.d.ts.map +1 -0
package/dist/mesh/delegate.js +172 -0
package/dist/mesh/delegate.js.map +1 -0
package/dist/mesh/dispatcher.d.ts +119 -0
package/dist/mesh/dispatcher.d.ts.map +1 -0
package/dist/mesh/dispatcher.js +207 -0
package/dist/mesh/dispatcher.js.map +1 -0
package/dist/mesh/index.d.ts +12 -0
package/dist/mesh/index.d.ts.map +1 -0
package/dist/mesh/index.js +11 -0
package/dist/mesh/index.js.map +1 -0
package/dist/mesh/types.d.ts +30 -0
package/dist/mesh/types.d.ts.map +1 -0
package/dist/mesh/types.js +11 -0
package/dist/mesh/types.js.map +1 -0
package/dist/orchestration/ooda/skills.d.ts +104 -0
package/dist/orchestration/ooda/skills.d.ts.map +1 -1
package/dist/orchestration/ooda/skills.js +106 -0
package/dist/orchestration/ooda/skills.js.map +1 -1
package/dist/ports/bastion-action.contract.test.d.ts +11 -0
package/dist/ports/bastion-action.contract.test.d.ts.map +1 -0
package/dist/ports/bastion-action.contract.test.js +238 -0
package/dist/ports/bastion-action.contract.test.js.map +1 -0
package/dist/ports/bastion-action.d.ts +133 -0
package/dist/ports/bastion-action.d.ts.map +1 -0
package/dist/ports/bastion-action.js +73 -0
package/dist/ports/bastion-action.js.map +1 -0
package/dist/ports/brain.d.ts +31 -0
package/dist/ports/brain.d.ts.map +1 -1
package/dist/ports/brain.js +115 -1
package/dist/ports/brain.js.map +1 -1
package/dist/ports/citadel-action.contract.test.d.ts +11 -0
package/dist/ports/citadel-action.contract.test.d.ts.map +1 -0
package/dist/ports/citadel-action.contract.test.js +317 -0
package/dist/ports/citadel-action.contract.test.js.map +1 -0
package/dist/ports/citadel-action.d.ts +111 -0
package/dist/ports/citadel-action.d.ts.map +1 -0
package/dist/ports/citadel-action.js +62 -0
package/dist/ports/citadel-action.js.map +1 -0
package/dist/ports/compliance-contract.d.ts +123 -0
package/dist/ports/compliance-contract.d.ts.map +1 -0
package/dist/ports/compliance-contract.js +35 -0
package/dist/ports/compliance-contract.js.map +1 -0
package/dist/ports/db.d.ts +38 -0
package/dist/ports/db.d.ts.map +1 -1
package/dist/ports/db.js +88 -1
package/dist/ports/db.js.map +1 -1
package/dist/ports/delegation.contract.test.d.ts +9 -0
package/dist/ports/delegation.contract.test.d.ts.map +1 -0
package/dist/ports/delegation.contract.test.js +337 -0
package/dist/ports/delegation.contract.test.js.map +1 -0
package/dist/ports/delegation.d.ts +134 -0
package/dist/ports/delegation.d.ts.map +1 -0
package/dist/ports/delegation.js +105 -0
package/dist/ports/delegation.js.map +1 -0
package/dist/ports/event-bus.d.ts +29 -0
package/dist/ports/event-bus.d.ts.map +1 -1
package/dist/ports/event-bus.js +106 -1
package/dist/ports/event-bus.js.map +1 -1
package/dist/ports/federation.contract.test.d.ts +9 -0
package/dist/ports/federation.contract.test.d.ts.map +1 -0
package/dist/ports/federation.contract.test.js +279 -0
package/dist/ports/federation.contract.test.js.map +1 -0
package/dist/ports/federation.d.ts +140 -0
package/dist/ports/federation.d.ts.map +1 -0
package/dist/ports/federation.js +57 -0
package/dist/ports/federation.js.map +1 -0
package/dist/ports/index.d.ts +28 -2
package/dist/ports/index.d.ts.map +1 -1
package/dist/ports/index.js +17 -2
package/dist/ports/index.js.map +1 -1
package/dist/ports/llm-provider.d.ts +37 -0
package/dist/ports/llm-provider.d.ts.map +1 -1
package/dist/ports/llm-provider.js +99 -1
package/dist/ports/llm-provider.js.map +1 -1
package/dist/ports/logger.d.ts +27 -0
package/dist/ports/logger.d.ts.map +1 -1
package/dist/ports/logger.js +87 -0
package/dist/ports/logger.js.map +1 -1
package/dist/ports/manifest-registry.contract.test.d.ts +9 -0
package/dist/ports/manifest-registry.contract.test.d.ts.map +1 -0
package/dist/ports/manifest-registry.contract.test.js +246 -0
package/dist/ports/manifest-registry.contract.test.js.map +1 -0
package/dist/ports/manifest-registry.d.ts +116 -0
package/dist/ports/manifest-registry.d.ts.map +1 -0
package/dist/ports/manifest-registry.js +79 -0
package/dist/ports/manifest-registry.js.map +1 -0
package/dist/ports/observability.contract.test.d.ts +12 -0
package/dist/ports/observability.contract.test.d.ts.map +1 -0
package/dist/ports/observability.contract.test.js +260 -0
package/dist/ports/observability.contract.test.js.map +1 -0
package/dist/ports/observability.d.ts +98 -0
package/dist/ports/observability.d.ts.map +1 -0
package/dist/ports/observability.js +59 -0
package/dist/ports/observability.js.map +1 -0
package/dist/ports/outcome.d.ts +26 -0
package/dist/ports/outcome.d.ts.map +1 -1
package/dist/ports/outcome.js +62 -1
package/dist/ports/outcome.js.map +1 -1
package/dist/ports/privacy.contract.test.d.ts +12 -0
package/dist/ports/privacy.contract.test.d.ts.map +1 -0
package/dist/ports/privacy.contract.test.js +325 -0
package/dist/ports/privacy.contract.test.js.map +1 -0
package/dist/ports/privacy.d.ts +132 -0
package/dist/ports/privacy.d.ts.map +1 -0
package/dist/ports/privacy.js +83 -0
package/dist/ports/privacy.js.map +1 -0
package/dist/ports/tenant-context.contract.test.d.ts +14 -0
package/dist/ports/tenant-context.contract.test.d.ts.map +1 -0
package/dist/ports/tenant-context.contract.test.js +352 -0
package/dist/ports/tenant-context.contract.test.js.map +1 -0
package/dist/ports/tenant-context.d.ts +103 -0
package/dist/ports/tenant-context.d.ts.map +1 -0
package/dist/ports/tenant-context.js +48 -0
package/dist/ports/tenant-context.js.map +1 -0
package/dist/ports/vauban-finance-action.contract.test.d.ts +11 -0
package/dist/ports/vauban-finance-action.contract.test.d.ts.map +1 -0
package/dist/ports/vauban-finance-action.contract.test.js +260 -0
package/dist/ports/vauban-finance-action.contract.test.js.map +1 -0
package/dist/ports/vauban-finance-action.d.ts +106 -0
package/dist/ports/vauban-finance-action.d.ts.map +1 -0
package/dist/ports/vauban-finance-action.js +60 -0
package/dist/ports/vauban-finance-action.js.map +1 -0
package/dist/ports/workflow-runtime.d.ts +204 -0
package/dist/ports/workflow-runtime.d.ts.map +1 -0
package/dist/ports/workflow-runtime.js +72 -0
package/dist/ports/workflow-runtime.js.map +1 -0
package/dist/proof/cert-verify.d.ts +80 -0
package/dist/proof/cert-verify.d.ts.map +1 -0
package/dist/proof/cert-verify.js +178 -0
package/dist/proof/cert-verify.js.map +1 -0
package/dist/replay/replay.d.ts.map +1 -1
package/dist/replay/replay.js +5 -1
package/dist/replay/replay.js.map +1 -1
package/dist/retry/index.d.ts +129 -0
package/dist/retry/index.d.ts.map +1 -0
package/dist/retry/index.js +156 -0
package/dist/retry/index.js.map +1 -0
package/dist/retry/presets.d.ts +39 -0
package/dist/retry/presets.d.ts.map +1 -0
package/dist/retry/presets.js +69 -0
package/dist/retry/presets.js.map +1 -0
package/dist/skill-loop/ab-runner.d.ts +67 -0
package/dist/skill-loop/ab-runner.d.ts.map +1 -0
package/dist/skill-loop/ab-runner.js +160 -0
package/dist/skill-loop/ab-runner.js.map +1 -0
package/dist/skill-loop/adoption.d.ts +67 -0
package/dist/skill-loop/adoption.d.ts.map +1 -0
package/dist/skill-loop/adoption.js +126 -0
package/dist/skill-loop/adoption.js.map +1 -0
package/dist/skill-loop/candidate.d.ts +45 -0
package/dist/skill-loop/candidate.d.ts.map +1 -0
package/dist/skill-loop/candidate.js +43 -0
package/dist/skill-loop/candidate.js.map +1 -0
package/dist/skill-loop/evaluator.d.ts +42 -0
package/dist/skill-loop/evaluator.d.ts.map +1 -0
package/dist/skill-loop/evaluator.js +184 -0
package/dist/skill-loop/evaluator.js.map +1 -0
package/dist/skill-loop/index.d.ts +27 -0
package/dist/skill-loop/index.d.ts.map +1 -0
package/dist/skill-loop/index.js +27 -0
package/dist/skill-loop/index.js.map +1 -0
package/dist/skill-loop/reflexion-replay.d.ts +87 -0
package/dist/skill-loop/reflexion-replay.d.ts.map +1 -0
package/dist/skill-loop/reflexion-replay.js +110 -0
package/dist/skill-loop/reflexion-replay.js.map +1 -0
package/dist/skill-loop/sign-off.d.ts +88 -0
package/dist/skill-loop/sign-off.d.ts.map +1 -0
package/dist/skill-loop/sign-off.js +146 -0
package/dist/skill-loop/sign-off.js.map +1 -0
package/dist/skill-loop/value-metric.d.ts +55 -0
package/dist/skill-loop/value-metric.d.ts.map +1 -0
package/dist/skill-loop/value-metric.js +69 -0
package/dist/skill-loop/value-metric.js.map +1 -0
package/dist/skill-loop/versioning.d.ts +36 -0
package/dist/skill-loop/versioning.d.ts.map +1 -0
package/dist/skill-loop/versioning.js +47 -0
package/dist/skill-loop/versioning.js.map +1 -0
package/dist/skill-manifest/anchor.d.ts +91 -0
package/dist/skill-manifest/anchor.d.ts.map +1 -0
package/dist/skill-manifest/anchor.js +331 -0
package/dist/skill-manifest/anchor.js.map +1 -0
package/dist/skill-manifest/builder.d.ts +47 -0
package/dist/skill-manifest/builder.d.ts.map +1 -0
package/dist/skill-manifest/builder.js +93 -0
package/dist/skill-manifest/builder.js.map +1 -0
package/dist/skill-manifest/index.d.ts +13 -0
package/dist/skill-manifest/index.d.ts.map +1 -0
package/dist/skill-manifest/index.js +9 -0
package/dist/skill-manifest/index.js.map +1 -0
package/dist/skill-manifest/types.d.ts +67 -0
package/dist/skill-manifest/types.d.ts.map +1 -0
package/dist/skill-manifest/types.js +16 -0
package/dist/skill-manifest/types.js.map +1 -0
package/dist/skill-manifest/verifier.d.ts +42 -0
package/dist/skill-manifest/verifier.d.ts.map +1 -0
package/dist/skill-manifest/verifier.js +136 -0
package/dist/skill-manifest/verifier.js.map +1 -0
package/dist/skills/brain-query.d.ts +4 -4
package/dist/skills/brain-store.d.ts +6 -6
package/dist/skills/errors.d.ts +15 -0
package/dist/skills/errors.d.ts.map +1 -1
package/dist/skills/errors.js +21 -0
package/dist/skills/errors.js.map +1 -1
package/dist/skills/hitl-request.d.ts +2 -2
package/dist/skills/index.d.ts +3 -1
package/dist/skills/index.d.ts.map +1 -1
package/dist/skills/index.js +4 -1
package/dist/skills/index.js.map +1 -1
package/dist/skills/markdown/loader.d.ts +52 -0
package/dist/skills/markdown/loader.d.ts.map +1 -0
package/dist/skills/markdown/loader.js +93 -0
package/dist/skills/markdown/loader.js.map +1 -0
package/dist/skills/markdown/schema.d.ts +432 -0
package/dist/skills/markdown/schema.d.ts.map +1 -0
package/dist/skills/markdown/schema.js +121 -0
package/dist/skills/markdown/schema.js.map +1 -0
package/dist/skills/poc-md-loader/markdown-loader.d.ts +77 -0
package/dist/skills/poc-md-loader/markdown-loader.d.ts.map +1 -0
package/dist/skills/poc-md-loader/markdown-loader.js +125 -0
package/dist/skills/poc-md-loader/markdown-loader.js.map +1 -0
package/dist/skills/poc-md-loader/runner.d.ts +24 -0
package/dist/skills/poc-md-loader/runner.d.ts.map +1 -0
package/dist/skills/poc-md-loader/runner.js +57 -0
package/dist/skills/poc-md-loader/runner.js.map +1 -0
package/dist/skills/poc-md-loader/vitest.poc.config.d.ts +3 -0
package/dist/skills/poc-md-loader/vitest.poc.config.d.ts.map +1 -0
package/dist/skills/poc-md-loader/vitest.poc.config.js +13 -0
package/dist/skills/poc-md-loader/vitest.poc.config.js.map +1 -0
package/dist/skills/poc-md-loader/web-search/script.d.ts +33 -0
package/dist/skills/poc-md-loader/web-search/script.d.ts.map +1 -0
package/dist/skills/poc-md-loader/web-search/script.js +75 -0
package/dist/skills/poc-md-loader/web-search/script.js.map +1 -0
package/dist/skills/record-outcome.d.ts +4 -4
package/dist/skills/send-email.d.ts.map +1 -1
package/dist/skills/send-email.js +15 -3
package/dist/skills/send-email.js.map +1 -1
package/dist/skills/slack-notify.d.ts +4 -4
package/dist/skills/starknet-balance.d.ts +1 -1
package/dist/skills/telegram-notify.d.ts +4 -4
package/dist/skills/web-search.d.ts +1 -1
package/dist/testing/index.d.ts +3 -0
package/dist/testing/test-brain-port.d.ts +4 -0
package/dist/testing/test-brain-port.d.ts.map +1 -1
package/dist/testing/test-brain-port.js +75 -20
package/dist/testing/test-brain-port.js.map +1 -1
package/dist/testing/test-event-bus.d.ts.map +1 -1
package/dist/testing/test-event-bus.js +89 -36
package/dist/testing/test-event-bus.js.map +1 -1
package/dist/trace/schema.d.ts +1 -1
package/dist/trace/schema.d.ts.map +1 -1
package/dist/trace/schema.js +1 -1
package/dist/trace/schema.js.map +1 -1
package/dist/verify/formal/index.d.ts +44 -0
package/dist/verify/formal/index.d.ts.map +1 -0
package/dist/verify/formal/index.js +98 -0
package/dist/verify/formal/index.js.map +1 -0
package/dist/verify/formal/policy.d.ts +105 -0
package/dist/verify/formal/policy.d.ts.map +1 -0
package/dist/verify/formal/policy.js +159 -0
package/dist/verify/formal/policy.js.map +1 -0
package/dist/verify/formal/result.d.ts +50 -0
package/dist/verify/formal/result.d.ts.map +1 -0
package/dist/verify/formal/result.js +21 -0
package/dist/verify/formal/result.js.map +1 -0
package/dist/verify/formal/solver.d.ts +67 -0
package/dist/verify/formal/solver.d.ts.map +1 -0
package/dist/verify/formal/solver.js +184 -0
package/dist/verify/formal/solver.js.map +1 -0
package/dist/verify/formal/spec-language.d.ts +80 -0
package/dist/verify/formal/spec-language.d.ts.map +1 -0
package/dist/verify/formal/spec-language.js +219 -0
package/dist/verify/formal/spec-language.js.map +1 -0
package/docs/attestation.md +199 -0
package/docs/identity.md +193 -0
package/package.json +34 -17
package/src/adapters/llm/anthropic-direct.ts +51 -0
package/src/adapters/llm/cascade.ts +64 -19
package/src/adapters/llm/litellm.ts +49 -0
package/src/compute/difficulty-estimator.ts +111 -0
package/src/compute/strategies/mixture-of-agents.ts +150 -0
package/src/compute/strategies/tree-of-thoughts.ts +293 -0
package/src/compute/strategies/two-phase-orient.ts +147 -0
package/src/container/protocol.ts +243 -0
package/src/container/runtime.ts +424 -0
package/src/db/migrations/026_formal_verify_results.sql +30 -0
package/src/identity/agent-persona.ts +203 -0
package/src/identity/persona-prompt.ts +84 -0
package/src/identity/persona-schema.ts +127 -0
package/src/index.ts +338 -1
package/src/memory/episodic-rrf.ts +224 -0
package/src/mesh/attenuation.ts +190 -0
package/src/mesh/delegate.ts +254 -0
package/src/mesh/dispatcher.ts +301 -0
package/src/mesh/index.ts +39 -0
package/src/mesh/types.ts +31 -0
package/src/orchestration/ooda/skills.ts +177 -0
package/src/ports/bastion-action.contract.test.ts +355 -0
package/src/ports/bastion-action.ts +198 -0
package/src/ports/brain.ts +177 -15
package/src/ports/citadel-action.contract.test.ts +430 -0
package/src/ports/citadel-action.ts +174 -0
package/src/ports/compliance-contract.ts +191 -0
package/src/ports/db.ts +98 -0
package/src/ports/delegation.contract.test.ts +428 -0
package/src/ports/delegation.ts +211 -0
package/src/ports/event-bus.ts +133 -0
package/src/ports/federation.contract.test.ts +355 -0
package/src/ports/federation.ts +190 -0
package/src/ports/index.ts +186 -1
package/src/ports/llm-provider.ts +123 -0
package/src/ports/logger.ts +104 -0
package/src/ports/manifest-registry.contract.test.ts +324 -0
package/src/ports/manifest-registry.ts +188 -0
package/src/ports/observability.contract.test.ts +315 -0
package/src/ports/observability.ts +150 -0
package/src/ports/outcome.ts +69 -0
package/src/ports/privacy.contract.test.ts +413 -0
package/src/ports/privacy.ts +207 -0
package/src/ports/tenant-context.contract.test.ts +454 -0
package/src/ports/tenant-context.ts +150 -0
package/src/ports/vauban-finance-action.contract.test.ts +335 -0
package/src/ports/vauban-finance-action.ts +166 -0
package/src/ports/workflow-runtime.ts +327 -0
package/src/proof/cert-verify.ts +249 -0
package/src/replay/replay.ts +11 -8
package/src/retry/index.ts +227 -0
package/src/retry/presets.ts +75 -0
package/src/skill-loop/ab-runner.ts +196 -0
package/src/skill-loop/adoption.ts +188 -0
package/src/skill-loop/candidate.ts +75 -0
package/src/skill-loop/evaluator.ts +238 -0
package/src/skill-loop/index.ts +51 -0
package/src/skill-loop/reflexion-replay.ts +173 -0
package/src/skill-loop/sign-off.ts +247 -0
package/src/skill-loop/value-metric.ts +120 -0
package/src/skill-loop/versioning.ts +75 -0
package/src/skill-manifest/anchor.ts +401 -0
package/src/skill-manifest/builder.ts +129 -0
package/src/skill-manifest/index.ts +18 -0
package/src/skill-manifest/types.ts +72 -0
package/src/skill-manifest/verifier.ts +198 -0
package/src/skills/errors.ts +30 -2
package/src/skills/index.ts +19 -0
package/src/skills/markdown/loader.ts +129 -0
package/src/skills/markdown/schema.ts +144 -0
package/src/skills/poc-md-loader/e2e-parity.test.ts +237 -0
package/src/skills/poc-md-loader/markdown-loader.ts +161 -0
package/src/skills/poc-md-loader/runner.ts +82 -0
package/src/skills/poc-md-loader/vitest.poc.config.ts +13 -0
package/src/skills/poc-md-loader/web-search/SKILL.md +42 -0
package/src/skills/poc-md-loader/web-search/script.ts +109 -0
package/src/skills/send-email.ts +15 -3
package/src/testing/test-brain-port.ts +98 -24
package/src/testing/test-event-bus.ts +104 -43
package/src/trace/schema.ts +1 -1
package/src/verify/formal/index.ts +154 -0
package/src/verify/formal/policy.ts +253 -0
package/src/verify/formal/result.ts +52 -0
package/src/verify/formal/solver.ts +235 -0
package/src/verify/formal/spec-language.ts +274 -0

package/src/ports/workflow-runtime.ts ADDED Viewed

@@ -0,0 +1,327 @@
+/**
+ * WorkflowRuntimePort — durable workflow execution port (S3 spec).
+ *
+ * Defines: 9-state machine, journal invariants I-S3-1..8, replay determinism,
+ * ctx.* primitives, lease takeover pattern, handler versioning.
+ *
+ * Default adapter: DBOSWorkflowAdapter (DBOS-TS Apache 2.0, Postgres-native).
+ * Swap-able to Temporal/Restate via this port + test contract T-S3-1..12.
+ */
+// ─── Workflow run state machine (S3 §3.1) ─────────────────────────────────────
+export type WorkflowStatus =
+  | "PENDING"
+  | "RUNNING"
+  | "SLEEPING"
+  | "WAITING_SIGNAL"
+  | "AWAITING_BLOCK"
+  | "AWAITING_EVENT"
+  | "DONE"
+  | "FAILED"
+  | "CANCELLED";
+// ─── Journal types (S3 §4) ────────────────────────────────────────────────────
+export type StepKind =
+  | "tool_call"
+  | "sleep"
+  | "wait_signal"
+  | "await_block"
+  | "await_event"
+  | "submit_tx"
+  | "human"
+  | "ctx_now"
+  | "ctx_random"
+  | "ctx_uuid"
+  | "child_workflow";
+export type StepStatus = "pending" | "running" | "done" | "failed";
+export interface JournalEntry {
+  readonly journal_id: bigint;
+  readonly run_id: string; // UUID
+  readonly step_index: number; // monotone, I-S3-1
+  readonly step_name: string;
+  readonly step_kind: StepKind;
+  readonly status: StepStatus;
+  readonly input: unknown; // CBOR-encoded at rest
+  readonly output?: unknown;
+  readonly error?: { message: string; stack?: string };
+  readonly idempotency_key?: string; // 32-byte hex, I-S3-3
+  readonly started_at: Date;
+  readonly finished_at?: Date;
+}
+// ─── Workflow run (S3 §3.1 + §7) ─────────────────────────────────────────────
+export interface WorkflowRun<TOutput = unknown> {
+  readonly run_id: string;
+  readonly workflow_name: string;
+  readonly workflow_version: string; // locked per I-S3-6
+  readonly status: WorkflowStatus;
+  readonly input: unknown;
+  readonly output?: TOutput;
+  readonly error?: string;
+  readonly lease_owner?: string;
+  readonly lease_expires_at?: Date;
+  readonly wake_at?: Date;
+  readonly started_at: Date;
+  readonly finished_at?: Date;
+  readonly tenant_id: string;
+  readonly manifest_hash?: string; // crosslink S1
+}
+// ─── Step options ─────────────────────────────────────────────────────────────
+export interface StepOpts {
+  readonly maxAttempts?: number; // default 3, EC-S3-6
+  readonly backoffMs?: number; // default 1000 (1s/2s/4s)
+  readonly idempotencyKey?: string;
+  readonly timeoutMs?: number;
+}
+// ─── WorkflowContext — ctx.* primitives (S3 §5.3) ────────────────────────────
+export interface WorkflowContext {
+  readonly runId: string;
+  readonly tenantId: string;
+  readonly workflowName: string;
+  readonly workflowVersion: string;
+  readonly abortSignal: AbortSignal;
+  /**
+   * Wrap any side-effectful operation. Journaled + replayed from journal.
+   * FORBIDDEN outside ctx.step(): Date.now, Math.random, fetch, fs.*, etc. (S3 §5.4)
+   */
+  step<T>(name: string, fn: () => Promise<T>, opts?: StepOpts): Promise<T>;
+  /** Deterministic timestamp — journaled (Q3.2). Never use Date.now() in handlers. */
+  now(): Promise<Date>;
+  /** Deterministic random [0,1) — journaled (Q3.2). Never use Math.random(). */
+  random(): Promise<number>;
+  /** Deterministic UUID v4 — journaled (Q3.2). Never use crypto.randomUUID(). */
+  uuid(): Promise<string>;
+  /** Durable sleep until absolute timestamp. EC-S3-8: t < now() → no-op. */
+  sleepUntil(t: Date): Promise<void>;
+  /** Durable sleep for duration in ms. */
+  sleepFor(durationMs: number): Promise<void>;
+  /**
+   * Wait for a named signal. Returns signal payload.
+   * Times out → WorkflowSignalTimeoutError (S3 §3.3: FAILED, 'signal_timeout').
+   */
+  waitForSignal<T = unknown>(name: string, timeoutMs?: number): Promise<T>;
+  /** Await Starknet block height ≥ n. Transitions: RUNNING → AWAITING_BLOCK → RUNNING. */
+  awaitStarknetBlock(blockHeight: number): Promise<void>;
+  /** Await matching event from event bus. Transitions: RUNNING → AWAITING_EVENT → RUNNING. */
+  awaitEvent<T = unknown>(filter: EventFilter): Promise<T>;
+  /** Spawn a child workflow. Parent waits for child completion. */
+  childWorkflow<TInput, TOutput>(
+    name: string,
+    input: TInput,
+    opts?: ChildWorkflowOpts
+  ): Promise<TOutput>;
+  /** Cooperative cancellation. Step handlers should poll ctx.abortSignal. */
+  cancel(reason: string): Promise<void>;
+}
+export interface EventFilter {
+  readonly source?: string;
+  readonly type?: string;
+  readonly tenantId?: string;
+  readonly [key: string]: unknown;
+}
+export interface ChildWorkflowOpts {
+  readonly tenantId?: string;
+  readonly version?: string;
+  readonly idempotencyKey?: string;
+}
+// ─── Handler type ─────────────────────────────────────────────────────────────
+export type WorkflowHandler<TInput = unknown, TOutput = unknown> = (
+  ctx: WorkflowContext,
+  input: TInput
+) => Promise<TOutput>;
+// ─── Migration (S3 §6.3) ──────────────────────────────────────────────────────
+export type JournalMigrator = (journal: JournalEntry[]) => JournalEntry[];
+export interface MigrationResult {
+  readonly ok: boolean;
+  readonly run_id: string;
+  readonly from_version: string;
+  readonly to_version: string;
+  readonly entries_migrated: number;
+  readonly error?: string;
+}
+// ─── WorkflowRuntimePort ──────────────────────────────────────────────────────
+export interface StartWorkflowOpts {
+  readonly workflowName: string;
+  readonly workflowVersion: string;
+  readonly tenantId: string;
+  readonly input: unknown;
+  readonly idempotencyKey?: string;
+  readonly manifestHash?: string;
+}
+export interface ResumeWorkflowOpts {
+  readonly workerId: string;
+  readonly leaseTtlSeconds?: number; // default 60
+}
+export interface SendSignalOpts {
+  readonly payload?: unknown;
+}
+export interface WorkflowRuntimePort {
+  /**
+   * Register a handler for a workflow name + version.
+   * Must be called before start() for that workflow type.
+   */
+  register<TInput, TOutput>(
+    name: string,
+    version: string,
+    handler: WorkflowHandler<TInput, TOutput>
+  ): void;
+  /**
+   * Start a new workflow run. Returns run_id.
+   * Idempotent if idempotencyKey provided and run already exists.
+   */
+  start(opts: StartWorkflowOpts): Promise<string>;
+  /**
+   * Attempt to acquire lease and execute a pending/sleeping run.
+   * Returns null if no eligible run found (no work to do).
+   * Runs handler to completion (or suspension) before returning.
+   */
+  executeNext(opts: ResumeWorkflowOpts): Promise<WorkflowRun | null>;
+  /** Get current state of a run. */
+  getStatus(runId: string): Promise<WorkflowRun | null>;
+  /**
+   * Wait for a run to reach DONE or FAILED.
+   * Polls internally — do not call in a tight loop.
+   */
+  waitForCompletion<TOutput>(
+    runId: string,
+    opts?: { timeoutMs?: number; pollIntervalMs?: number }
+  ): Promise<WorkflowRun<TOutput>>;
+  /** Send a named signal to a waiting run (S3 §3.3). */
+  sendSignal(
+    runId: string,
+    signalName: string,
+    opts?: SendSignalOpts
+  ): Promise<void>;
+  /**
+   * Cancel a run cooperatively (S3 §3.3, EC-S3-7).
+   * Sets AbortSignal on next step boundary. Hard abort after 30s.
+   */
+  cancel(runId: string, reason: string): Promise<void>;
+  /**
+   * Migrate a suspended run to a new handler version (S3 §6.3).
+   * Only valid for runs in SLEEPING | WAITING_SIGNAL | AWAITING_* states.
+   */
+  migrateRun(
+    runId: string,
+    fromVersion: string,
+    toVersion: string,
+    migrator: JournalMigrator
+  ): Promise<MigrationResult>;
+  /** Read the journal entries for a run (read-only, audit). */
+  getJournal(runId: string): Promise<JournalEntry[]>;
+  /**
+   * Start the worker polling loop.
+   * Worker polls for PENDING runs and calls executeNext() in a loop.
+   */
+  startWorker(opts?: {
+    workerId?: string;
+    pollIntervalMs?: number;
+    maxConcurrent?: number;
+  }): Promise<void>;
+  /** Stop the worker polling loop gracefully. */
+  stopWorker(): Promise<void>;
+}
+// ─── Typed errors ─────────────────────────────────────────────────────────────
+export class WorkflowNotFoundError extends Error {
+  constructor(public readonly runId: string) {
+    super(`Workflow run not found: ${runId}`);
+    this.name = "WorkflowNotFoundError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+}
+export class WorkflowNonDeterminismError extends Error {
+  constructor(
+    public readonly runId: string,
+    public readonly stepIndex: number,
+    public readonly expected: string,
+    public readonly actual: string
+  ) {
+    super(
+      `Non-determinism at step ${stepIndex}: expected ${expected}, got ${actual} (run=${runId})`
+    );
+    this.name = "WorkflowNonDeterminismError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+}
+export class WorkflowSignalTimeoutError extends Error {
+  constructor(
+    public readonly runId: string,
+    public readonly signalName: string,
+    public readonly timeoutMs: number
+  ) {
+    super(`Signal '${signalName}' timeout after ${timeoutMs}ms (run=${runId})`);
+    this.name = "WorkflowSignalTimeoutError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+}
+export class WorkflowLeaseConflictError extends Error {
+  constructor(
+    public readonly runId: string,
+    public readonly currentOwner: string
+  ) {
+    super(`Cannot acquire lease for run ${runId}: held by ${currentOwner}`);
+    this.name = "WorkflowLeaseConflictError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+}
+export class WorkflowVersionMismatchError extends Error {
+  constructor(
+    public readonly runId: string,
+    public readonly expected: string,
+    public readonly actual: string
+  ) {
+    super(
+      `Version mismatch for run ${runId}: expected ${expected}, got ${actual}`
+    );
+    this.name = "WorkflowVersionMismatchError";
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+}

package/src/proof/cert-verify.ts ADDED Viewed

@@ -0,0 +1,249 @@
+/**
+ * Run Certificate verifier — standalone surface for external clients (CLI, dashboards).
+ *
+ * This module is the **single source of truth** for offline verification of a
+ * `SignedRunProofCertificate`. The CC server (`src/proof/ed25519-{signer,verifier}.ts`)
+ * holds the signing side (DB-coupled assembly + signing); this module holds the
+ * verification side, which is intentionally dependency-free (no DB, no MCP).
+ *
+ * Pipeline (mirrors server signer):
+ *   1. Strip embedded `signature` field
+ *   2. JCS-canonicalize (RFC 8785 subset: sorted keys, -0 → 0)
+ *   3. SHA-256 → first 31 bytes → felt252-safe
+ *   4. Poseidon([0x1, sha_felt, CERT_MARKER_FELT]) → cert_hash_felt252
+ *   5. Felt → 32-byte buffer → Ed25519 verify
+ *
+ * Domain separator: `CERT_MARKER_FELT` = UTF-8 "run_cert" felt252 (right-aligned).
+ *
+ * @see ../../../src/proof/ed25519-signer.ts (signer, CC server)
+ * @see docs/ietf/draft-vauban-skill-attestation-00.md (RFC profile)
+ * @public
+ */
+import {
+  createHash,
+  createPublicKey,
+  verify as cryptoVerify,
+  type KeyObject,
+} from "node:crypto";
+import { hash } from "starknet";
+// ─── Types ────────────────────────────────────────────────────────────────────
+/**
+ * Ed25519 signature payload embedded in `SignedRunProofCertificate`.
+ * Mirrors the server-side `SignaturePayload` (single field schema).
+ */
+export interface SignaturePayload {
+  alg: "Ed25519";
+  kid: string;
+  value: string;
+  pubkey_spki_b64: string;
+  cert_hash_felt252: string;
+  signed_at: string;
+}
+/**
+ * A `SignedRunProofCertificate` for verification purposes — only the fields
+ * the verifier touches are typed. The cert may carry additional fields
+ * (decision_chain, merkle_root, etc.) which the verifier preserves but does
+ * not inspect.
+ */
+export interface SignedRunProofCertificateLike {
+  signature?: SignaturePayload;
+  // ... plus arbitrary other fields, opaque to the verifier
+  [key: string]: unknown;
+}
+export type CertVerifyFailReason =
+  | "missing_signature"
+  | "wrong_alg"
+  | "hash_mismatch"
+  | "pubkey_unresolvable"
+  | "kid_mismatch"
+  | "signature_invalid"
+  | "malformed_signature";
+export interface CertVerifyResult {
+  valid: boolean;
+  reason?: CertVerifyFailReason;
+  details?: string;
+  recomputed_cert_hash_felt252: string;
+}
+export interface CertVerifyOptions {
+  expectedPublicKey?: KeyObject;
+  expectedKid?: string;
+}
+// ─── Constants ────────────────────────────────────────────────────────────────
+/** Domain separator: UTF-8 "run_cert" → felt252 right-aligned, zero-padded. */
+export const CERT_MARKER_FELT: string =
+  "0x" + Buffer.from("run_cert", "utf8").toString("hex").padStart(62, "0");
+// ─── JCS canonicalization (RFC 8785 subset) ──────────────────────────────────
+function normalizeValue(value: unknown): unknown {
+  if (value === null) return null;
+  if (typeof value === "number") {
+    if (Object.is(value, -0)) return 0;
+    return value;
+  }
+  if (Array.isArray(value)) return value.map(normalizeValue);
+  if (typeof value === "object") {
+    const obj = value as Record<string, unknown>;
+    const sorted: Record<string, unknown> = {};
+    for (const key of Object.keys(obj).sort()) {
+      sorted[key] = normalizeValue(obj[key]);
+    }
+    return sorted;
+  }
+  return value;
+}
+function canonicalizeJcs(data: Record<string, unknown>): string {
+  return JSON.stringify(normalizeValue(data));
+}
+// ─── Felt helpers ─────────────────────────────────────────────────────────────
+function felt252ToBytes(felt: string): Buffer {
+  const hex = felt.replace(/^0x/, "").padStart(64, "0");
+  return Buffer.from(hex, "hex");
+}
+/**
+ * Compute the felt252 hash that Ed25519 signs over for a Run Certificate.
+ * Strips any embedded `signature` field before hashing — verification is
+ * idempotent.
+ */
+export function computeCertHashFelt252(
+  cert: SignedRunProofCertificateLike
+): string {
+  const { signature: _stripped, ...unsigned } = cert;
+  void _stripped;
+  const canonical = canonicalizeJcs(unsigned as Record<string, unknown>);
+  const sha = createHash("sha256").update(canonical, "utf8").digest("hex");
+  const shaFelt = "0x" + sha.substring(0, 62);
+  return hash.computePoseidonHashOnElements(["0x1", shaFelt, CERT_MARKER_FELT]);
+}
+// ─── Public-key reconstruction ────────────────────────────────────────────────
+/**
+ * Reconstruct an Ed25519 `KeyObject` from base64 SPKI DER (as embedded in
+ * `signature.pubkey_spki_b64`).
+ *
+ * @throws if base64 is malformed or the key is not Ed25519.
+ */
+export function publicKeyFromSpkiB64(pubkeySpkiB64: string): KeyObject {
+  const der = Buffer.from(pubkeySpkiB64, "base64");
+  if (der.length === 0) {
+    throw new Error("[cert-verify] empty SPKI buffer");
+  }
+  const key = createPublicKey({ key: der, format: "der", type: "spki" });
+  if (key.asymmetricKeyType !== "ed25519") {
+    throw new Error(
+      `[cert-verify] SPKI is not Ed25519 (got ${key.asymmetricKeyType})`
+    );
+  }
+  return key;
+}
+// ─── Verifier ─────────────────────────────────────────────────────────────────
+/**
+ * Verify a signed Run Certificate. Returns a structured result — never throws
+ * on verification failure (only on malformed input).
+ *
+ * The 7 possible failure reasons are typed via `CertVerifyFailReason` so callers
+ * can branch precisely. `recomputed_cert_hash_felt252` is always returned for
+ * audit trail / debug inspection.
+ */
+export function verifyRunCertificate(
+  cert: SignedRunProofCertificateLike,
+  opts: CertVerifyOptions = {}
+): CertVerifyResult {
+  const recomputed = computeCertHashFelt252(cert);
+  const sig = cert.signature;
+  if (!sig) {
+    return {
+      valid: false,
+      reason: "missing_signature",
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  if (sig.alg !== "Ed25519") {
+    return {
+      valid: false,
+      reason: "wrong_alg",
+      details: `expected Ed25519, got ${String(sig.alg)}`,
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  if (sig.cert_hash_felt252 !== recomputed) {
+    return {
+      valid: false,
+      reason: "hash_mismatch",
+      details: `embedded=${sig.cert_hash_felt252} recomputed=${recomputed}`,
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  if (opts.expectedKid && opts.expectedKid !== sig.kid) {
+    return {
+      valid: false,
+      reason: "kid_mismatch",
+      details: `expected kid=${opts.expectedKid}, got ${sig.kid}`,
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  let pubkey: KeyObject;
+  if (opts.expectedPublicKey) {
+    pubkey = opts.expectedPublicKey;
+  } else {
+    try {
+      pubkey = publicKeyFromSpkiB64(sig.pubkey_spki_b64);
+    } catch (err) {
+      return {
+        valid: false,
+        reason: "pubkey_unresolvable",
+        details: err instanceof Error ? err.message : String(err),
+        recomputed_cert_hash_felt252: recomputed,
+      };
+    }
+  }
+  let sigBytes: Buffer;
+  try {
+    sigBytes = Buffer.from(sig.value, "base64");
+  } catch {
+    return {
+      valid: false,
+      reason: "malformed_signature",
+      details: "signature.value is not valid base64",
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  if (sigBytes.length !== 64) {
+    return {
+      valid: false,
+      reason: "malformed_signature",
+      details: `Ed25519 signature must be 64 bytes (got ${sigBytes.length})`,
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  const msgBytes = felt252ToBytes(recomputed);
+  const ok = cryptoVerify(null, msgBytes, pubkey, sigBytes);
+  if (!ok) {
+    return {
+      valid: false,
+      reason: "signature_invalid",
+      recomputed_cert_hash_felt252: recomputed,
+    };
+  }
+  return { valid: true, recomputed_cert_hash_felt252: recomputed };
+}

package/src/replay/replay.ts CHANGED Viewed

@@ -158,7 +158,7 @@ export interface ReplayRunner {
 export class NonDeterministicReplayError extends Error {
   constructor(
     public readonly stepIndex: number,
-    public readonly reason: string,
+    public readonly reason: string
   ) {
     super(`Non-deterministic replay at step ${stepIndex}: ${reason}`);
     this.name = "NonDeterministicReplayError";
@@ -171,10 +171,7 @@ export class NonDeterministicReplayError extends Error {
  * Compute a step-level diff between two traces.
  * Returns an empty array if the traces are identical at the step level.
  */
-function diffTraces(
-  original: Trace,
-  replayed: Trace,
-): ReplayResult["diff"] {
+function diffTraces(original: Trace, replayed: Trace): ReplayResult["diff"] {
   const diffs: NonNullable<ReplayResult["diff"]> = [];
   const minLen = Math.min(original.steps.length, replayed.steps.length);
@@ -223,16 +220,22 @@ export async function replayFrom(
   runId: string,
   loader: ReplayLoader,
   runner: ReplayRunner,
-  opts?: { mode?: ReplayMode; fromStepIndex?: number },
+  opts?: { mode?: ReplayMode; fromStepIndex?: number }
 ): Promise<ReplayResult> {
   const mode = opts?.mode ?? "strict";
   // 1. Load original artifacts
-  const [originalTrace, artifacts] = await Promise.all([
+  const [rawTrace, artifacts] = await Promise.all([
     loader.loadOriginalTrace(runId),
     loader.loadCacheEntries(runId),
   ]);
+  // Auto-migrate traces recorded under the draft schema to the frozen 1.0.0
+  const originalTrace =
+    (rawTrace.schemaVersion as string) === "0.1.0-draft"
+      ? { ...rawTrace, schemaVersion: "1.0.0" as const }
+      : rawTrace;
   // 2. Import concrete implementations lazily to avoid circular references
   const { RecordedClock } = await import("./clock.js");
   const { RecordedRandom } = await import("./random.js");
@@ -241,7 +244,7 @@ export async function replayFrom(
   const random = new RecordedRandom(
     artifacts.recordedNext,
     artifacts.recordedUuids,
-    mode,
+    mode
   );
   // 3. Build the replay context