npm - @xemahq/kernel-contracts - Versions diffs - 0.1.0 - Mend

@xemahq/kernel-contracts 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (802) hide show

package/dist/agent-composition/index.d.ts +7 -0
package/dist/agent-composition/index.d.ts.map +1 -0
package/dist/agent-composition/index.js +23 -0
package/dist/agent-composition/index.js.map +1 -0
package/dist/agent-composition/lib/capability-layer.d.ts +11 -0
package/dist/agent-composition/lib/capability-layer.d.ts.map +1 -0
package/dist/agent-composition/lib/capability-layer.js +10 -0
package/dist/agent-composition/lib/capability-layer.js.map +1 -0
package/dist/agent-composition/lib/composition-limits-schema.d.ts +4 -0
package/dist/agent-composition/lib/composition-limits-schema.d.ts.map +1 -0
package/dist/agent-composition/lib/composition-limits-schema.js +13 -0
package/dist/agent-composition/lib/composition-limits-schema.js.map +1 -0
package/dist/agent-composition/lib/composition-workspace.d.ts +35 -0
package/dist/agent-composition/lib/composition-workspace.d.ts.map +1 -0
package/dist/agent-composition/lib/composition-workspace.js +9 -0
package/dist/agent-composition/lib/composition-workspace.js.map +1 -0
package/dist/agent-composition/lib/composition.d.ts +66 -0
package/dist/agent-composition/lib/composition.d.ts.map +1 -0
package/dist/agent-composition/lib/composition.js +18 -0
package/dist/agent-composition/lib/composition.js.map +1 -0
package/dist/agent-composition/lib/intrinsic-floor.d.ts +15 -0
package/dist/agent-composition/lib/intrinsic-floor.d.ts.map +1 -0
package/dist/agent-composition/lib/intrinsic-floor.js +22 -0
package/dist/agent-composition/lib/intrinsic-floor.js.map +1 -0
package/dist/agent-composition/lib/model-resolution-matrix.d.ts +38 -0
package/dist/agent-composition/lib/model-resolution-matrix.d.ts.map +1 -0
package/dist/agent-composition/lib/model-resolution-matrix.js +12 -0
package/dist/agent-composition/lib/model-resolution-matrix.js.map +1 -0
package/dist/agent-workspace/awp-spec.json +225 -0
package/dist/agent-workspace/index.d.ts +12 -0
package/dist/agent-workspace/index.d.ts.map +1 -0
package/dist/agent-workspace/index.js +28 -0
package/dist/agent-workspace/index.js.map +1 -0
package/dist/agent-workspace/lib/agent-run-context.d.ts +12 -0
package/dist/agent-workspace/lib/agent-run-context.d.ts.map +1 -0
package/dist/agent-workspace/lib/agent-run-context.js +3 -0
package/dist/agent-workspace/lib/agent-run-context.js.map +1 -0
package/dist/agent-workspace/lib/agent-tool-defaults.d.ts +21 -0
package/dist/agent-workspace/lib/agent-tool-defaults.d.ts.map +1 -0
package/dist/agent-workspace/lib/agent-tool-defaults.js +111 -0
package/dist/agent-workspace/lib/agent-tool-defaults.js.map +1 -0
package/dist/agent-workspace/lib/awp-v1.d.ts +15 -0
package/dist/agent-workspace/lib/awp-v1.d.ts.map +1 -0
package/dist/agent-workspace/lib/awp-v1.js +197 -0
package/dist/agent-workspace/lib/awp-v1.js.map +1 -0
package/dist/agent-workspace/lib/context-json.d.ts +35 -0
package/dist/agent-workspace/lib/context-json.d.ts.map +1 -0
package/dist/agent-workspace/lib/context-json.js +3 -0
package/dist/agent-workspace/lib/context-json.js.map +1 -0
package/dist/agent-workspace/lib/deliverable-spec-ref.d.ts +10 -0
package/dist/agent-workspace/lib/deliverable-spec-ref.d.ts.map +1 -0
package/dist/agent-workspace/lib/deliverable-spec-ref.js +33 -0
package/dist/agent-workspace/lib/deliverable-spec-ref.js.map +1 -0
package/dist/agent-workspace/lib/endpoint-fetch-spec.d.ts +31 -0
package/dist/agent-workspace/lib/endpoint-fetch-spec.d.ts.map +1 -0
package/dist/agent-workspace/lib/endpoint-fetch-spec.js +20 -0
package/dist/agent-workspace/lib/endpoint-fetch-spec.js.map +1 -0
package/dist/agent-workspace/lib/manifest.d.ts +28 -0
package/dist/agent-workspace/lib/manifest.d.ts.map +1 -0
package/dist/agent-workspace/lib/manifest.js +16 -0
package/dist/agent-workspace/lib/manifest.js.map +1 -0
package/dist/agent-workspace/lib/mount-apply.d.ts +42 -0
package/dist/agent-workspace/lib/mount-apply.d.ts.map +1 -0
package/dist/agent-workspace/lib/mount-apply.js +15 -0
package/dist/agent-workspace/lib/mount-apply.js.map +1 -0
package/dist/agent-workspace/lib/working-file.d.ts +20 -0
package/dist/agent-workspace/lib/working-file.d.ts.map +1 -0
package/dist/agent-workspace/lib/working-file.js +42 -0
package/dist/agent-workspace/lib/working-file.js.map +1 -0
package/dist/agent-workspace/lib/workspace-layout.d.ts +34 -0
package/dist/agent-workspace/lib/workspace-layout.d.ts.map +1 -0
package/dist/agent-workspace/lib/workspace-layout.js +31 -0
package/dist/agent-workspace/lib/workspace-layout.js.map +1 -0
package/dist/agent-workspace/lib/workspace-spec.d.ts +61 -0
package/dist/agent-workspace/lib/workspace-spec.d.ts.map +1 -0
package/dist/agent-workspace/lib/workspace-spec.js +19 -0
package/dist/agent-workspace/lib/workspace-spec.js.map +1 -0
package/dist/biome/index.d.ts +11 -0
package/dist/biome/index.d.ts.map +1 -0
package/dist/biome/index.js +27 -0
package/dist/biome/index.js.map +1 -0
package/dist/biome/lib/biome-api.d.ts +12 -0
package/dist/biome/lib/biome-api.d.ts.map +1 -0
package/dist/biome/lib/biome-api.js +14 -0
package/dist/biome/lib/biome-api.js.map +1 -0
package/dist/biome/lib/biome-capability-refs.d.ts +11 -0
package/dist/biome/lib/biome-capability-refs.d.ts.map +1 -0
package/dist/biome/lib/biome-capability-refs.js +12 -0
package/dist/biome/lib/biome-capability-refs.js.map +1 -0
package/dist/biome/lib/biome-engines.d.ts +6 -0
package/dist/biome/lib/biome-engines.d.ts.map +1 -0
package/dist/biome/lib/biome-engines.js +8 -0
package/dist/biome/lib/biome-engines.js.map +1 -0
package/dist/biome/lib/biome-lifecycle-hooks.d.ts +10 -0
package/dist/biome/lib/biome-lifecycle-hooks.d.ts.map +1 -0
package/dist/biome/lib/biome-lifecycle-hooks.js +12 -0
package/dist/biome/lib/biome-lifecycle-hooks.js.map +1 -0
package/dist/biome/lib/biome-lifecycle.d.ts +12 -0
package/dist/biome/lib/biome-lifecycle.d.ts.map +1 -0
package/dist/biome/lib/biome-lifecycle.js +16 -0
package/dist/biome/lib/biome-lifecycle.js.map +1 -0
package/dist/biome/lib/biome-manifest.d.ts +36 -0
package/dist/biome/lib/biome-manifest.d.ts.map +1 -0
package/dist/biome/lib/biome-manifest.js +38 -0
package/dist/biome/lib/biome-manifest.js.map +1 -0
package/dist/biome/lib/biome-permissions.d.ts +9 -0
package/dist/biome/lib/biome-permissions.d.ts.map +1 -0
package/dist/biome/lib/biome-permissions.js +11 -0
package/dist/biome/lib/biome-permissions.js.map +1 -0
package/dist/biome/lib/biome-scope.d.ts +9 -0
package/dist/biome/lib/biome-scope.d.ts.map +1 -0
package/dist/biome/lib/biome-scope.js +13 -0
package/dist/biome/lib/biome-scope.js.map +1 -0
package/dist/biome/lib/biome-trust-tier.d.ts +11 -0
package/dist/biome/lib/biome-trust-tier.d.ts.map +1 -0
package/dist/biome/lib/biome-trust-tier.js +15 -0
package/dist/biome/lib/biome-trust-tier.js.map +1 -0
package/dist/biome/lib/trust-tier-policies.d.ts +8 -0
package/dist/biome/lib/trust-tier-policies.d.ts.map +1 -0
package/dist/biome/lib/trust-tier-policies.js +66 -0
package/dist/biome/lib/trust-tier-policies.js.map +1 -0
package/dist/capability/index.d.ts +9 -0
package/dist/capability/index.d.ts.map +1 -0
package/dist/capability/index.js +25 -0
package/dist/capability/index.js.map +1 -0
package/dist/capability/lib/capability-contribution.d.ts +18 -0
package/dist/capability/lib/capability-contribution.d.ts.map +1 -0
package/dist/capability/lib/capability-contribution.js +23 -0
package/dist/capability/lib/capability-contribution.js.map +1 -0
package/dist/capability/lib/capability-grant.d.ts +22 -0
package/dist/capability/lib/capability-grant.d.ts.map +1 -0
package/dist/capability/lib/capability-grant.js +27 -0
package/dist/capability/lib/capability-grant.js.map +1 -0
package/dist/capability/lib/capability-policy.d.ts +12 -0
package/dist/capability/lib/capability-policy.d.ts.map +1 -0
package/dist/capability/lib/capability-policy.js +14 -0
package/dist/capability/lib/capability-policy.js.map +1 -0
package/dist/capability/lib/capability-ref.d.ts +19 -0
package/dist/capability/lib/capability-ref.d.ts.map +1 -0
package/dist/capability/lib/capability-ref.js +63 -0
package/dist/capability/lib/capability-ref.js.map +1 -0
package/dist/capability/lib/errors.d.ts +60 -0
package/dist/capability/lib/errors.d.ts.map +1 -0
package/dist/capability/lib/errors.js +73 -0
package/dist/capability/lib/errors.js.map +1 -0
package/dist/capability/lib/meta-tool.d.ts +77 -0
package/dist/capability/lib/meta-tool.d.ts.map +1 -0
package/dist/capability/lib/meta-tool.js +76 -0
package/dist/capability/lib/meta-tool.js.map +1 -0
package/dist/capability/lib/permission-profile.d.ts +35 -0
package/dist/capability/lib/permission-profile.d.ts.map +1 -0
package/dist/capability/lib/permission-profile.js +38 -0
package/dist/capability/lib/permission-profile.js.map +1 -0
package/dist/capability/lib/shell-command-descriptor.d.ts +19 -0
package/dist/capability/lib/shell-command-descriptor.d.ts.map +1 -0
package/dist/capability/lib/shell-command-descriptor.js +20 -0
package/dist/capability/lib/shell-command-descriptor.js.map +1 -0
package/dist/contribution/index.d.ts +5 -0
package/dist/contribution/index.d.ts.map +1 -0
package/dist/contribution/index.js +21 -0
package/dist/contribution/index.js.map +1 -0
package/dist/contribution/lib/contribution-kind.d.ts +44 -0
package/dist/contribution/lib/contribution-kind.d.ts.map +1 -0
package/dist/contribution/lib/contribution-kind.js +47 -0
package/dist/contribution/lib/contribution-kind.js.map +1 -0
package/dist/contribution/lib/contribution-source.d.ts +11 -0
package/dist/contribution/lib/contribution-source.d.ts.map +1 -0
package/dist/contribution/lib/contribution-source.js +14 -0
package/dist/contribution/lib/contribution-source.js.map +1 -0
package/dist/contribution/lib/contribution.d.ts +36 -0
package/dist/contribution/lib/contribution.d.ts.map +1 -0
package/dist/contribution/lib/contribution.js +56 -0
package/dist/contribution/lib/contribution.js.map +1 -0
package/dist/contribution/lib/registry.d.ts +25 -0
package/dist/contribution/lib/registry.d.ts.map +1 -0
package/dist/contribution/lib/registry.js +54 -0
package/dist/contribution/lib/registry.js.map +1 -0
package/dist/document-templates/index.d.ts +3 -0
package/dist/document-templates/index.d.ts.map +1 -0
package/dist/document-templates/index.js +19 -0
package/dist/document-templates/index.js.map +1 -0
package/dist/document-templates/lib/document-template.d.ts +24 -0
package/dist/document-templates/lib/document-template.d.ts.map +1 -0
package/dist/document-templates/lib/document-template.js +10 -0
package/dist/document-templates/lib/document-template.js.map +1 -0
package/dist/document-templates/lib/index.d.ts +3 -0
package/dist/document-templates/lib/index.d.ts.map +1 -0
package/dist/document-templates/lib/index.js +19 -0
package/dist/document-templates/lib/index.js.map +1 -0
package/dist/document-templates/lib/rendering-shape.d.ts +7 -0
package/dist/document-templates/lib/rendering-shape.d.ts.map +1 -0
package/dist/document-templates/lib/rendering-shape.js +20 -0
package/dist/document-templates/lib/rendering-shape.js.map +1 -0
package/dist/document-themes/index.d.ts +3 -0
package/dist/document-themes/index.d.ts.map +1 -0
package/dist/document-themes/index.js +19 -0
package/dist/document-themes/index.js.map +1 -0
package/dist/document-themes/lib/component-vocabulary.d.ts +16 -0
package/dist/document-themes/lib/component-vocabulary.d.ts.map +1 -0
package/dist/document-themes/lib/component-vocabulary.js +55 -0
package/dist/document-themes/lib/component-vocabulary.js.map +1 -0
package/dist/document-themes/lib/document-theme.d.ts +57 -0
package/dist/document-themes/lib/document-theme.d.ts.map +1 -0
package/dist/document-themes/lib/document-theme.js +10 -0
package/dist/document-themes/lib/document-theme.js.map +1 -0
package/dist/document-themes/lib/index.d.ts +3 -0
package/dist/document-themes/lib/index.d.ts.map +1 -0
package/dist/document-themes/lib/index.js +19 -0
package/dist/document-themes/lib/index.js.map +1 -0
package/dist/entitlement/index.d.ts +2 -0
package/dist/entitlement/index.d.ts.map +1 -0
package/dist/entitlement/index.js +18 -0
package/dist/entitlement/index.js.map +1 -0
package/dist/entitlement/lib/entitlement.d.ts +25 -0
package/dist/entitlement/lib/entitlement.d.ts.map +1 -0
package/dist/entitlement/lib/entitlement.js +54 -0
package/dist/entitlement/lib/entitlement.js.map +1 -0
package/dist/execution-context/index.d.ts +4 -0
package/dist/execution-context/index.d.ts.map +1 -0
package/dist/execution-context/index.js +20 -0
package/dist/execution-context/index.js.map +1 -0
package/dist/execution-context/lib/caller.d.ts +19 -0
package/dist/execution-context/lib/caller.d.ts.map +1 -0
package/dist/execution-context/lib/caller.js +22 -0
package/dist/execution-context/lib/caller.js.map +1 -0
package/dist/execution-context/lib/execution-context.d.ts +60 -0
package/dist/execution-context/lib/execution-context.d.ts.map +1 -0
package/dist/execution-context/lib/execution-context.js +58 -0
package/dist/execution-context/lib/execution-context.js.map +1 -0
package/dist/execution-context/lib/subject.d.ts +3 -0
package/dist/execution-context/lib/subject.d.ts.map +1 -0
package/dist/execution-context/lib/subject.js +11 -0
package/dist/execution-context/lib/subject.js.map +1 -0
package/dist/execution-environment/index.d.ts +4 -0
package/dist/execution-environment/index.d.ts.map +1 -0
package/dist/execution-environment/index.js +20 -0
package/dist/execution-environment/index.js.map +1 -0
package/dist/execution-environment/lib/approval-rule.d.ts +10 -0
package/dist/execution-environment/lib/approval-rule.d.ts.map +1 -0
package/dist/execution-environment/lib/approval-rule.js +12 -0
package/dist/execution-environment/lib/approval-rule.js.map +1 -0
package/dist/execution-environment/lib/built-in-environments.d.ts +16 -0
package/dist/execution-environment/lib/built-in-environments.d.ts.map +1 -0
package/dist/execution-environment/lib/built-in-environments.js +33 -0
package/dist/execution-environment/lib/built-in-environments.js.map +1 -0
package/dist/execution-environment/lib/execution-environment.d.ts +58 -0
package/dist/execution-environment/lib/execution-environment.d.ts.map +1 -0
package/dist/execution-environment/lib/execution-environment.js +89 -0
package/dist/execution-environment/lib/execution-environment.js.map +1 -0
package/dist/kernel-state/index.d.ts +4 -0
package/dist/kernel-state/index.d.ts.map +1 -0
package/dist/kernel-state/index.js +20 -0
package/dist/kernel-state/index.js.map +1 -0
package/dist/kernel-state/lib/adapter-kind.d.ts +5 -0
package/dist/kernel-state/lib/adapter-kind.d.ts.map +1 -0
package/dist/kernel-state/lib/adapter-kind.js +9 -0
package/dist/kernel-state/lib/adapter-kind.js.map +1 -0
package/dist/kernel-state/lib/kernel-state.d.ts +37 -0
package/dist/kernel-state/lib/kernel-state.d.ts.map +1 -0
package/dist/kernel-state/lib/kernel-state.js +9 -0
package/dist/kernel-state/lib/kernel-state.js.map +1 -0
package/dist/kernel-state/lib/key-grammar.d.ts +16 -0
package/dist/kernel-state/lib/key-grammar.d.ts.map +1 -0
package/dist/kernel-state/lib/key-grammar.js +56 -0
package/dist/kernel-state/lib/key-grammar.js.map +1 -0
package/dist/llm-gateway/index.d.ts +3 -0
package/dist/llm-gateway/index.d.ts.map +1 -0
package/dist/llm-gateway/index.js +19 -0
package/dist/llm-gateway/index.js.map +1 -0
package/dist/llm-gateway/lib/caller.d.ts +14 -0
package/dist/llm-gateway/lib/caller.d.ts.map +1 -0
package/dist/llm-gateway/lib/caller.js +11 -0
package/dist/llm-gateway/lib/caller.js.map +1 -0
package/dist/llm-gateway/lib/errors.d.ts +27 -0
package/dist/llm-gateway/lib/errors.d.ts.map +1 -0
package/dist/llm-gateway/lib/errors.js +36 -0
package/dist/llm-gateway/lib/errors.js.map +1 -0
package/dist/mcp-tool/index.d.ts +7 -0
package/dist/mcp-tool/index.d.ts.map +1 -0
package/dist/mcp-tool/index.js +23 -0
package/dist/mcp-tool/index.js.map +1 -0
package/dist/mcp-tool/lib/mcp-protocol.d.ts +75 -0
package/dist/mcp-tool/lib/mcp-protocol.d.ts.map +1 -0
package/dist/mcp-tool/lib/mcp-protocol.js +19 -0
package/dist/mcp-tool/lib/mcp-protocol.js.map +1 -0
package/dist/mcp-tool/lib/mcp-server-config.d.ts +8 -0
package/dist/mcp-tool/lib/mcp-server-config.d.ts.map +1 -0
package/dist/mcp-tool/lib/mcp-server-config.js +3 -0
package/dist/mcp-tool/lib/mcp-server-config.js.map +1 -0
package/dist/mcp-tool/lib/provider-kind.d.ts +10 -0
package/dist/mcp-tool/lib/provider-kind.d.ts.map +1 -0
package/dist/mcp-tool/lib/provider-kind.js +14 -0
package/dist/mcp-tool/lib/provider-kind.js.map +1 -0
package/dist/mcp-tool/lib/resolver-scope.d.ts +16 -0
package/dist/mcp-tool/lib/resolver-scope.d.ts.map +1 -0
package/dist/mcp-tool/lib/resolver-scope.js +12 -0
package/dist/mcp-tool/lib/resolver-scope.js.map +1 -0
package/dist/mcp-tool/lib/tool-provider.d.ts +21 -0
package/dist/mcp-tool/lib/tool-provider.d.ts.map +1 -0
package/dist/mcp-tool/lib/tool-provider.js +3 -0
package/dist/mcp-tool/lib/tool-provider.js.map +1 -0
package/dist/mcp-tool/lib/tool-selection.d.ts +34 -0
package/dist/mcp-tool/lib/tool-selection.d.ts.map +1 -0
package/dist/mcp-tool/lib/tool-selection.js +18 -0
package/dist/mcp-tool/lib/tool-selection.js.map +1 -0
package/dist/object/index.d.ts +5 -0
package/dist/object/index.d.ts.map +1 -0
package/dist/object/index.js +21 -0
package/dist/object/index.js.map +1 -0
package/dist/object/lib/object-lifecycle.d.ts +8 -0
package/dist/object/lib/object-lifecycle.d.ts.map +1 -0
package/dist/object/lib/object-lifecycle.js +12 -0
package/dist/object/lib/object-lifecycle.js.map +1 -0
package/dist/object/lib/xema-object-kind.d.ts +43 -0
package/dist/object/lib/xema-object-kind.d.ts.map +1 -0
package/dist/object/lib/xema-object-kind.js +47 -0
package/dist/object/lib/xema-object-kind.js.map +1 -0
package/dist/object/lib/xema-object-ref.d.ts +20 -0
package/dist/object/lib/xema-object-ref.d.ts.map +1 -0
package/dist/object/lib/xema-object-ref.js +133 -0
package/dist/object/lib/xema-object-ref.js.map +1 -0
package/dist/object/lib/xema-object.d.ts +24 -0
package/dist/object/lib/xema-object.d.ts.map +1 -0
package/dist/object/lib/xema-object.js +24 -0
package/dist/object/lib/xema-object.js.map +1 -0
package/dist/policy/index.d.ts +4 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/policy/index.js +20 -0
package/dist/policy/index.js.map +1 -0
package/dist/policy/lib/obligations.d.ts +91 -0
package/dist/policy/lib/obligations.d.ts.map +1 -0
package/dist/policy/lib/obligations.js +76 -0
package/dist/policy/lib/obligations.js.map +1 -0
package/dist/policy/lib/policy.d.ts +29 -0
package/dist/policy/lib/policy.d.ts.map +1 -0
package/dist/policy/lib/policy.js +32 -0
package/dist/policy/lib/policy.js.map +1 -0
package/dist/policy/lib/route-hints.d.ts +11 -0
package/dist/policy/lib/route-hints.d.ts.map +1 -0
package/dist/policy/lib/route-hints.js +15 -0
package/dist/policy/lib/route-hints.js.map +1 -0
package/dist/runner/index.d.ts +12 -0
package/dist/runner/index.d.ts.map +1 -0
package/dist/runner/index.js +28 -0
package/dist/runner/index.js.map +1 -0
package/dist/runner/lib/dispatch.d.ts +13 -0
package/dist/runner/lib/dispatch.d.ts.map +1 -0
package/dist/runner/lib/dispatch.js +15 -0
package/dist/runner/lib/dispatch.js.map +1 -0
package/dist/runner/lib/input-hash.d.ts +2 -0
package/dist/runner/lib/input-hash.d.ts.map +1 -0
package/dist/runner/lib/input-hash.js +37 -0
package/dist/runner/lib/input-hash.js.map +1 -0
package/dist/runner/lib/job-token.d.ts +22 -0
package/dist/runner/lib/job-token.d.ts.map +1 -0
package/dist/runner/lib/job-token.js +3 -0
package/dist/runner/lib/job-token.js.map +1 -0
package/dist/runner/lib/runner-attestation.d.ts +10 -0
package/dist/runner/lib/runner-attestation.d.ts.map +1 -0
package/dist/runner/lib/runner-attestation.js +5 -0
package/dist/runner/lib/runner-attestation.js.map +1 -0
package/dist/runner/lib/runner-job.d.ts +26 -0
package/dist/runner/lib/runner-job.d.ts.map +1 -0
package/dist/runner/lib/runner-job.js +36 -0
package/dist/runner/lib/runner-job.js.map +1 -0
package/dist/runner/lib/runner-kind.d.ts +2 -0
package/dist/runner/lib/runner-kind.d.ts.map +1 -0
package/dist/runner/lib/runner-kind.js +7 -0
package/dist/runner/lib/runner-kind.js.map +1 -0
package/dist/runner/lib/runner-mode.d.ts +5 -0
package/dist/runner/lib/runner-mode.d.ts.map +1 -0
package/dist/runner/lib/runner-mode.js +9 -0
package/dist/runner/lib/runner-mode.js.map +1 -0
package/dist/runner/lib/runner-plane.d.ts +19 -0
package/dist/runner/lib/runner-plane.d.ts.map +1 -0
package/dist/runner/lib/runner-plane.js +31 -0
package/dist/runner/lib/runner-plane.js.map +1 -0
package/dist/runner/lib/runner-registration.d.ts +60 -0
package/dist/runner/lib/runner-registration.d.ts.map +1 -0
package/dist/runner/lib/runner-registration.js +62 -0
package/dist/runner/lib/runner-registration.js.map +1 -0
package/dist/runner/lib/runner.d.ts +24 -0
package/dist/runner/lib/runner.d.ts.map +1 -0
package/dist/runner/lib/runner.js +26 -0
package/dist/runner/lib/runner.js.map +1 -0
package/dist/runner/lib/runtime-isolation.d.ts +10 -0
package/dist/runner/lib/runtime-isolation.d.ts.map +1 -0
package/dist/runner/lib/runtime-isolation.js +23 -0
package/dist/runner/lib/runtime-isolation.js.map +1 -0
package/dist/search-source/index.d.ts +5 -0
package/dist/search-source/index.d.ts.map +1 -0
package/dist/search-source/index.js +21 -0
package/dist/search-source/index.js.map +1 -0
package/dist/search-source/lib/indexable-document.d.ts +40 -0
package/dist/search-source/lib/indexable-document.d.ts.map +1 -0
package/dist/search-source/lib/indexable-document.js +26 -0
package/dist/search-source/lib/indexable-document.js.map +1 -0
package/dist/search-source/lib/search-index-event.d.ts +52 -0
package/dist/search-source/lib/search-index-event.d.ts.map +1 -0
package/dist/search-source/lib/search-index-event.js +29 -0
package/dist/search-source/lib/search-index-event.js.map +1 -0
package/dist/search-source/lib/search-replay.d.ts +46 -0
package/dist/search-source/lib/search-replay.d.ts.map +1 -0
package/dist/search-source/lib/search-replay.js +36 -0
package/dist/search-source/lib/search-replay.js.map +1 -0
package/dist/search-source/lib/search-source-descriptor.d.ts +15 -0
package/dist/search-source/lib/search-source-descriptor.d.ts.map +1 -0
package/dist/search-source/lib/search-source-descriptor.js +3 -0
package/dist/search-source/lib/search-source-descriptor.js.map +1 -0
package/dist/service-registry/index.d.ts +4 -0
package/dist/service-registry/index.d.ts.map +1 -0
package/dist/service-registry/index.js +20 -0
package/dist/service-registry/index.js.map +1 -0
package/dist/service-registry/lib/inject-service.d.ts +6 -0
package/dist/service-registry/lib/inject-service.d.ts.map +1 -0
package/dist/service-registry/lib/inject-service.js +5 -0
package/dist/service-registry/lib/inject-service.js.map +1 -0
package/dist/service-registry/lib/service-descriptor.d.ts +28 -0
package/dist/service-registry/lib/service-descriptor.d.ts.map +1 -0
package/dist/service-registry/lib/service-descriptor.js +17 -0
package/dist/service-registry/lib/service-descriptor.js.map +1 -0
package/dist/service-registry/lib/service-registry-client.d.ts +30 -0
package/dist/service-registry/lib/service-registry-client.d.ts.map +1 -0
package/dist/service-registry/lib/service-registry-client.js +3 -0
package/dist/service-registry/lib/service-registry-client.js.map +1 -0
package/dist/skill/index.d.ts +5 -0
package/dist/skill/index.d.ts.map +1 -0
package/dist/skill/index.js +21 -0
package/dist/skill/index.js.map +1 -0
package/dist/skill/lib/skill-enums.d.ts +41 -0
package/dist/skill/lib/skill-enums.d.ts.map +1 -0
package/dist/skill/lib/skill-enums.js +54 -0
package/dist/skill/lib/skill-enums.js.map +1 -0
package/dist/skill/lib/skill-governance.d.ts +106 -0
package/dist/skill/lib/skill-governance.d.ts.map +1 -0
package/dist/skill/lib/skill-governance.js +61 -0
package/dist/skill/lib/skill-governance.js.map +1 -0
package/dist/skill/lib/skill-source.d.ts +14 -0
package/dist/skill/lib/skill-source.d.ts.map +1 -0
package/dist/skill/lib/skill-source.js +3 -0
package/dist/skill/lib/skill-source.js.map +1 -0
package/dist/skill/lib/skill.d.ts +52 -0
package/dist/skill/lib/skill.d.ts.map +1 -0
package/dist/skill/lib/skill.js +3 -0
package/dist/skill/lib/skill.js.map +1 -0
package/dist/space/index.d.ts +4 -0
package/dist/space/index.d.ts.map +1 -0
package/dist/space/index.js +20 -0
package/dist/space/index.js.map +1 -0
package/dist/space/lib/space-ref-parser.d.ts +8 -0
package/dist/space/lib/space-ref-parser.d.ts.map +1 -0
package/dist/space/lib/space-ref-parser.js +149 -0
package/dist/space/lib/space-ref-parser.js.map +1 -0
package/dist/space/lib/space-traversal.d.ts +3 -0
package/dist/space/lib/space-traversal.d.ts.map +1 -0
package/dist/space/lib/space-traversal.js +56 -0
package/dist/space/lib/space-traversal.js.map +1 -0
package/dist/space/lib/space.d.ts +53 -0
package/dist/space/lib/space.d.ts.map +1 -0
package/dist/space/lib/space.js +98 -0
package/dist/space/lib/space.js.map +1 -0
package/dist/subject/index.d.ts +3 -0
package/dist/subject/index.d.ts.map +1 -0
package/dist/subject/index.js +19 -0
package/dist/subject/index.js.map +1 -0
package/dist/subject/lib/subject.d.ts +29 -0
package/dist/subject/lib/subject.d.ts.map +1 -0
package/dist/subject/lib/subject.js +47 -0
package/dist/subject/lib/subject.js.map +1 -0
package/dist/subject/lib/token-class.d.ts +11 -0
package/dist/subject/lib/token-class.d.ts.map +1 -0
package/dist/subject/lib/token-class.js +15 -0
package/dist/subject/lib/token-class.js.map +1 -0
package/dist/workflow/index.d.ts +31 -0
package/dist/workflow/index.d.ts.map +1 -0
package/dist/workflow/index.js +47 -0
package/dist/workflow/index.js.map +1 -0
package/dist/workflow/lib/action-ref.d.ts +12 -0
package/dist/workflow/lib/action-ref.d.ts.map +1 -0
package/dist/workflow/lib/action-ref.js +3 -0
package/dist/workflow/lib/action-ref.js.map +1 -0
package/dist/workflow/lib/activity-outputs.d.ts +14 -0
package/dist/workflow/lib/activity-outputs.d.ts.map +1 -0
package/dist/workflow/lib/activity-outputs.js +3 -0
package/dist/workflow/lib/activity-outputs.js.map +1 -0
package/dist/workflow/lib/agent-role.d.ts +6 -0
package/dist/workflow/lib/agent-role.d.ts.map +1 -0
package/dist/workflow/lib/agent-role.js +41 -0
package/dist/workflow/lib/agent-role.js.map +1 -0
package/dist/workflow/lib/artifact-ref.d.ts +21 -0
package/dist/workflow/lib/artifact-ref.d.ts.map +1 -0
package/dist/workflow/lib/artifact-ref.js +38 -0
package/dist/workflow/lib/artifact-ref.js.map +1 -0
package/dist/workflow/lib/briefcase.d.ts +107 -0
package/dist/workflow/lib/briefcase.d.ts.map +1 -0
package/dist/workflow/lib/briefcase.js +62 -0
package/dist/workflow/lib/briefcase.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/canonical-concept-registry.d.ts +18 -0
package/dist/workflow/lib/canonical-concepts/canonical-concept-registry.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/canonical-concept-registry.js +45 -0
package/dist/workflow/lib/canonical-concepts/canonical-concept-registry.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/change-intent.concepts.d.ts +3 -0
package/dist/workflow/lib/canonical-concepts/concepts/change-intent.concepts.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/change-intent.concepts.js +79 -0
package/dist/workflow/lib/canonical-concepts/concepts/change-intent.concepts.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/concern.concepts.d.ts +3 -0
package/dist/workflow/lib/canonical-concepts/concepts/concern.concepts.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/concern.concepts.js +133 -0
package/dist/workflow/lib/canonical-concepts/concepts/concern.concepts.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/domain.concepts.d.ts +3 -0
package/dist/workflow/lib/canonical-concepts/concepts/domain.concepts.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/domain.concepts.js +116 -0
package/dist/workflow/lib/canonical-concepts/concepts/domain.concepts.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/index.d.ts +8 -0
package/dist/workflow/lib/canonical-concepts/concepts/index.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/index.js +18 -0
package/dist/workflow/lib/canonical-concepts/concepts/index.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/technology.concepts.d.ts +3 -0
package/dist/workflow/lib/canonical-concepts/concepts/technology.concepts.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/concepts/technology.concepts.js +462 -0
package/dist/workflow/lib/canonical-concepts/concepts/technology.concepts.js.map +1 -0
package/dist/workflow/lib/canonical-concepts/index.d.ts +3 -0
package/dist/workflow/lib/canonical-concepts/index.d.ts.map +1 -0
package/dist/workflow/lib/canonical-concepts/index.js +16 -0
package/dist/workflow/lib/canonical-concepts/index.js.map +1 -0
package/dist/workflow/lib/catalog-taxonomies.d.ts +41 -0
package/dist/workflow/lib/catalog-taxonomies.d.ts.map +1 -0
package/dist/workflow/lib/catalog-taxonomies.js +3475 -0
package/dist/workflow/lib/catalog-taxonomies.js.map +1 -0
package/dist/workflow/lib/compiled-run.d.ts +118 -0
package/dist/workflow/lib/compiled-run.d.ts.map +1 -0
package/dist/workflow/lib/compiled-run.js +3 -0
package/dist/workflow/lib/compiled-run.js.map +1 -0
package/dist/workflow/lib/compiled-working-file.d.ts +11 -0
package/dist/workflow/lib/compiled-working-file.d.ts.map +1 -0
package/dist/workflow/lib/compiled-working-file.js +3 -0
package/dist/workflow/lib/compiled-working-file.js.map +1 -0
package/dist/workflow/lib/compiled-workspace-manifest.d.ts +101 -0
package/dist/workflow/lib/compiled-workspace-manifest.d.ts.map +1 -0
package/dist/workflow/lib/compiled-workspace-manifest.js +3 -0
package/dist/workflow/lib/compiled-workspace-manifest.js.map +1 -0
package/dist/workflow/lib/concurrency-group.d.ts +6 -0
package/dist/workflow/lib/concurrency-group.d.ts.map +1 -0
package/dist/workflow/lib/concurrency-group.js +3 -0
package/dist/workflow/lib/concurrency-group.js.map +1 -0
package/dist/workflow/lib/deliverable-result.d.ts +124 -0
package/dist/workflow/lib/deliverable-result.d.ts.map +1 -0
package/dist/workflow/lib/deliverable-result.js +27 -0
package/dist/workflow/lib/deliverable-result.js.map +1 -0
package/dist/workflow/lib/domain-tag.d.ts +2 -0
package/dist/workflow/lib/domain-tag.d.ts.map +1 -0
package/dist/workflow/lib/domain-tag.js +3 -0
package/dist/workflow/lib/domain-tag.js.map +1 -0
package/dist/workflow/lib/enums.d.ts +138 -0
package/dist/workflow/lib/enums.d.ts.map +1 -0
package/dist/workflow/lib/enums.js +166 -0
package/dist/workflow/lib/enums.js.map +1 -0
package/dist/workflow/lib/errors.d.ts +35 -0
package/dist/workflow/lib/errors.d.ts.map +1 -0
package/dist/workflow/lib/errors.js +62 -0
package/dist/workflow/lib/errors.js.map +1 -0
package/dist/workflow/lib/job-run.d.ts +32 -0
package/dist/workflow/lib/job-run.d.ts.map +1 -0
package/dist/workflow/lib/job-run.js +3 -0
package/dist/workflow/lib/job-run.js.map +1 -0
package/dist/workflow/lib/model-ref.d.ts +40 -0
package/dist/workflow/lib/model-ref.d.ts.map +1 -0
package/dist/workflow/lib/model-ref.js +34 -0
package/dist/workflow/lib/model-ref.js.map +1 -0
package/dist/workflow/lib/mount-plan.d.ts +105 -0
package/dist/workflow/lib/mount-plan.d.ts.map +1 -0
package/dist/workflow/lib/mount-plan.js +3 -0
package/dist/workflow/lib/mount-plan.js.map +1 -0
package/dist/workflow/lib/phase-report.d.ts +9 -0
package/dist/workflow/lib/phase-report.d.ts.map +1 -0
package/dist/workflow/lib/phase-report.js +30 -0
package/dist/workflow/lib/phase-report.js.map +1 -0
package/dist/workflow/lib/platform-task-queue.d.ts +17 -0
package/dist/workflow/lib/platform-task-queue.d.ts.map +1 -0
package/dist/workflow/lib/platform-task-queue.js +33 -0
package/dist/workflow/lib/platform-task-queue.js.map +1 -0
package/dist/workflow/lib/review-subject/index.d.ts +5 -0
package/dist/workflow/lib/review-subject/index.d.ts.map +1 -0
package/dist/workflow/lib/review-subject/index.js +8 -0
package/dist/workflow/lib/review-subject/index.js.map +1 -0
package/dist/workflow/lib/review-subject/kinds.d.ts +5 -0
package/dist/workflow/lib/review-subject/kinds.d.ts.map +1 -0
package/dist/workflow/lib/review-subject/kinds.js +9 -0
package/dist/workflow/lib/review-subject/kinds.js.map +1 -0
package/dist/workflow/lib/review-subject/narrow.d.ts +5 -0
package/dist/workflow/lib/review-subject/narrow.d.ts.map +1 -0
package/dist/workflow/lib/review-subject/narrow.js +79 -0
package/dist/workflow/lib/review-subject/narrow.js.map +1 -0
package/dist/workflow/lib/review-subject/producers/artifact-ref.d.ts +9 -0
package/dist/workflow/lib/review-subject/producers/artifact-ref.d.ts.map +1 -0
package/dist/workflow/lib/review-subject/producers/artifact-ref.js +16 -0
package/dist/workflow/lib/review-subject/producers/artifact-ref.js.map +1 -0
package/dist/workflow/lib/review-subject/producers/string.d.ts +7 -0
package/dist/workflow/lib/review-subject/producers/string.d.ts.map +1 -0
package/dist/workflow/lib/review-subject/producers/string.js +11 -0
package/dist/workflow/lib/review-subject/producers/string.js.map +1 -0
package/dist/workflow/lib/role-capability.d.ts +16 -0
package/dist/workflow/lib/role-capability.d.ts.map +1 -0
package/dist/workflow/lib/role-capability.js +19 -0
package/dist/workflow/lib/role-capability.js.map +1 -0
package/dist/workflow/lib/run-progress.d.ts +100 -0
package/dist/workflow/lib/run-progress.d.ts.map +1 -0
package/dist/workflow/lib/run-progress.js +96 -0
package/dist/workflow/lib/run-progress.js.map +1 -0
package/dist/workflow/lib/sampling-profiles.d.ts +18 -0
package/dist/workflow/lib/sampling-profiles.d.ts.map +1 -0
package/dist/workflow/lib/sampling-profiles.js +56 -0
package/dist/workflow/lib/sampling-profiles.js.map +1 -0
package/dist/workflow/lib/snapshot-ref.d.ts +10 -0
package/dist/workflow/lib/snapshot-ref.d.ts.map +1 -0
package/dist/workflow/lib/snapshot-ref.js +3 -0
package/dist/workflow/lib/snapshot-ref.js.map +1 -0
package/dist/workflow/lib/temporal-namespace.d.ts +5 -0
package/dist/workflow/lib/temporal-namespace.d.ts.map +1 -0
package/dist/workflow/lib/temporal-namespace.js +34 -0
package/dist/workflow/lib/temporal-namespace.js.map +1 -0
package/dist/workflow/lib/trigger-payload.d.ts +35 -0
package/dist/workflow/lib/trigger-payload.d.ts.map +1 -0
package/dist/workflow/lib/trigger-payload.js +3 -0
package/dist/workflow/lib/trigger-payload.js.map +1 -0
package/dist/workflow/lib/variable-requirement.d.ts +18 -0
package/dist/workflow/lib/variable-requirement.d.ts.map +1 -0
package/dist/workflow/lib/variable-requirement.js +3 -0
package/dist/workflow/lib/variable-requirement.js.map +1 -0
package/dist/workflow/lib/work-item-payloads.d.ts +114 -0
package/dist/workflow/lib/work-item-payloads.d.ts.map +1 -0
package/dist/workflow/lib/work-item-payloads.js +60 -0
package/dist/workflow/lib/work-item-payloads.js.map +1 -0
package/dist/workflow/lib/workflow-stage.d.ts +11 -0
package/dist/workflow/lib/workflow-stage.d.ts.map +1 -0
package/dist/workflow/lib/workflow-stage.js +28 -0
package/dist/workflow/lib/workflow-stage.js.map +1 -0
package/dist/workflow/lib/workspace-manifest-enums.d.ts +42 -0
package/dist/workflow/lib/workspace-manifest-enums.d.ts.map +1 -0
package/dist/workflow/lib/workspace-manifest-enums.js +80 -0
package/dist/workflow/lib/workspace-manifest-enums.js.map +1 -0
package/package.json +173 -0
package/src/agent-composition/index.ts +17 -0
package/src/agent-composition/lib/capability-layer.ts +46 -0
package/src/agent-composition/lib/composition-limits-schema.ts +38 -0
package/src/agent-composition/lib/composition-workspace.ts +210 -0
package/src/agent-composition/lib/composition.ts +205 -0
package/src/agent-composition/lib/intrinsic-floor.ts +50 -0
package/src/agent-composition/lib/model-resolution-matrix.ts +112 -0
package/src/agent-workspace/index.ts +27 -0
package/src/agent-workspace/lib/agent-run-context.ts +44 -0
package/src/agent-workspace/lib/agent-tool-defaults.ts +252 -0
package/src/agent-workspace/lib/awp-v1.ts +289 -0
package/src/agent-workspace/lib/context-json.ts +92 -0
package/src/agent-workspace/lib/deliverable-spec-ref.ts +60 -0
package/src/agent-workspace/lib/endpoint-fetch-spec.ts +66 -0
package/src/agent-workspace/lib/manifest.ts +53 -0
package/src/agent-workspace/lib/mount-apply.ts +79 -0
package/src/agent-workspace/lib/working-file.ts +173 -0
package/src/agent-workspace/lib/workspace-layout.ts +106 -0
package/src/agent-workspace/lib/workspace-spec.ts +212 -0
package/src/biome/index.ts +10 -0
package/src/biome/lib/biome-api.ts +33 -0
package/src/biome/lib/biome-capability-refs.ts +29 -0
package/src/biome/lib/biome-engines.ts +18 -0
package/src/biome/lib/biome-lifecycle-hooks.ts +28 -0
package/src/biome/lib/biome-lifecycle.ts +29 -0
package/src/biome/lib/biome-manifest.ts +102 -0
package/src/biome/lib/biome-permissions.ts +35 -0
package/src/biome/lib/biome-scope.ts +19 -0
package/src/biome/lib/biome-trust-tier.ts +21 -0
package/src/biome/lib/trust-tier-policies.ts +99 -0
package/src/capability/index.ts +8 -0
package/src/capability/lib/capability-contribution.ts +99 -0
package/src/capability/lib/capability-grant.ts +90 -0
package/src/capability/lib/capability-policy.ts +37 -0
package/src/capability/lib/capability-ref.ts +138 -0
package/src/capability/lib/errors.ts +180 -0
package/src/capability/lib/meta-tool.ts +213 -0
package/src/capability/lib/permission-profile.ts +91 -0
package/src/capability/lib/shell-command-descriptor.ts +66 -0
package/src/contribution/index.ts +4 -0
package/src/contribution/lib/contribution-kind.ts +132 -0
package/src/contribution/lib/contribution-source.ts +29 -0
package/src/contribution/lib/contribution.ts +209 -0
package/src/contribution/lib/registry.ts +100 -0
package/src/document-templates/index.ts +24 -0
package/src/document-templates/lib/document-template.ts +88 -0
package/src/document-templates/lib/index.ts +2 -0
package/src/document-templates/lib/rendering-shape.ts +48 -0
package/src/document-themes/index.ts +21 -0
package/src/document-themes/lib/component-vocabulary.ts +100 -0
package/src/document-themes/lib/document-theme.ts +110 -0
package/src/document-themes/lib/index.ts +2 -0
package/src/entitlement/index.ts +1 -0
package/src/entitlement/lib/entitlement.ts +142 -0
package/src/execution-context/index.ts +3 -0
package/src/execution-context/lib/caller.ts +46 -0
package/src/execution-context/lib/execution-context.ts +205 -0
package/src/execution-context/lib/subject.ts +17 -0
package/src/execution-environment/index.ts +3 -0
package/src/execution-environment/lib/approval-rule.ts +32 -0
package/src/execution-environment/lib/built-in-environments.ts +89 -0
package/src/execution-environment/lib/execution-environment.ts +266 -0
package/src/kernel-state/index.ts +3 -0
package/src/kernel-state/lib/adapter-kind.ts +18 -0
package/src/kernel-state/lib/kernel-state.ts +139 -0
package/src/kernel-state/lib/key-grammar.ts +105 -0
package/src/llm-gateway/index.ts +2 -0
package/src/llm-gateway/lib/caller.ts +48 -0
package/src/llm-gateway/lib/errors.ts +111 -0
package/src/mcp-tool/index.ts +6 -0
package/src/mcp-tool/lib/mcp-protocol.ts +94 -0
package/src/mcp-tool/lib/mcp-server-config.ts +17 -0
package/src/mcp-tool/lib/provider-kind.ts +35 -0
package/src/mcp-tool/lib/resolver-scope.ts +32 -0
package/src/mcp-tool/lib/tool-provider.ts +62 -0
package/src/mcp-tool/lib/tool-selection.ts +48 -0
package/src/object/index.ts +4 -0
package/src/object/lib/object-lifecycle.ts +22 -0
package/src/object/lib/xema-object-kind.ts +73 -0
package/src/object/lib/xema-object-ref.ts +233 -0
package/src/object/lib/xema-object.ts +81 -0
package/src/policy/index.ts +3 -0
package/src/policy/lib/obligations.ts +155 -0
package/src/policy/lib/policy.ts +104 -0
package/src/policy/lib/route-hints.ts +51 -0
package/src/runner/index.ts +11 -0
package/src/runner/lib/dispatch.ts +61 -0
package/src/runner/lib/input-hash.ts +66 -0
package/src/runner/lib/job-token.ts +80 -0
package/src/runner/lib/runner-attestation.ts +53 -0
package/src/runner/lib/runner-job.ts +90 -0
package/src/runner/lib/runner-kind.ts +10 -0
package/src/runner/lib/runner-mode.ts +16 -0
package/src/runner/lib/runner-plane.ts +101 -0
package/src/runner/lib/runner-registration.ts +204 -0
package/src/runner/lib/runner.ts +103 -0
package/src/runner/lib/runtime-isolation.ts +53 -0
package/src/search-source/index.ts +4 -0
package/src/search-source/lib/indexable-document.ts +70 -0
package/src/search-source/lib/search-index-event.ts +56 -0
package/src/search-source/lib/search-replay.ts +96 -0
package/src/search-source/lib/search-source-descriptor.ts +50 -0
package/src/service-registry/index.ts +3 -0
package/src/service-registry/lib/inject-service.ts +25 -0
package/src/service-registry/lib/service-descriptor.ts +75 -0
package/src/service-registry/lib/service-registry-client.ts +107 -0
package/src/skill/index.ts +15 -0
package/src/skill/lib/skill-enums.ts +124 -0
package/src/skill/lib/skill-governance.ts +281 -0
package/src/skill/lib/skill-source.ts +41 -0
package/src/skill/lib/skill.ts +150 -0
package/src/space/index.ts +3 -0
package/src/space/lib/space-ref-parser.ts +198 -0
package/src/space/lib/space-traversal.ts +55 -0
package/src/space/lib/space.ts +173 -0
package/src/subject/index.ts +2 -0
package/src/subject/lib/subject.ts +111 -0
package/src/subject/lib/token-class.ts +27 -0
package/src/workflow/index.ts +45 -0
package/src/workflow/lib/action-ref.ts +48 -0
package/src/workflow/lib/activity-outputs.ts +105 -0
package/src/workflow/lib/agent-role.ts +136 -0
package/src/workflow/lib/artifact-ref.ts +93 -0
package/src/workflow/lib/briefcase.ts +194 -0
package/src/workflow/lib/canonical-concepts/canonical-concept-registry.ts +99 -0
package/src/workflow/lib/canonical-concepts/concepts/change-intent.concepts.ts +124 -0
package/src/workflow/lib/canonical-concepts/concepts/concern.concepts.ts +194 -0
package/src/workflow/lib/canonical-concepts/concepts/domain.concepts.ts +205 -0
package/src/workflow/lib/canonical-concepts/concepts/index.ts +15 -0
package/src/workflow/lib/canonical-concepts/concepts/technology.concepts.ts +667 -0
package/src/workflow/lib/canonical-concepts/index.ts +2 -0
package/src/workflow/lib/catalog-taxonomies.ts +3695 -0
package/src/workflow/lib/compiled-run.ts +376 -0
package/src/workflow/lib/compiled-working-file.ts +35 -0
package/src/workflow/lib/compiled-workspace-manifest.ts +185 -0
package/src/workflow/lib/concurrency-group.ts +17 -0
package/src/workflow/lib/deliverable-result.ts +238 -0
package/src/workflow/lib/domain-tag.ts +48 -0
package/src/workflow/lib/enums.ts +288 -0
package/src/workflow/lib/errors.ts +171 -0
package/src/workflow/lib/job-run.ts +65 -0
package/src/workflow/lib/model-ref.ts +118 -0
package/src/workflow/lib/mount-plan.ts +230 -0
package/src/workflow/lib/phase-report.ts +67 -0
package/src/workflow/lib/platform-task-queue.ts +83 -0
package/src/workflow/lib/review-subject/index.ts +15 -0
package/src/workflow/lib/review-subject/kinds.ts +31 -0
package/src/workflow/lib/review-subject/narrow.ts +123 -0
package/src/workflow/lib/review-subject/producers/artifact-ref.ts +33 -0
package/src/workflow/lib/review-subject/producers/string.ts +24 -0
package/src/workflow/lib/role-capability.ts +80 -0
package/src/workflow/lib/run-progress.ts +254 -0
package/src/workflow/lib/sampling-profiles.ts +153 -0
package/src/workflow/lib/snapshot-ref.ts +27 -0
package/src/workflow/lib/temporal-namespace.ts +78 -0
package/src/workflow/lib/trigger-payload.ts +69 -0
package/src/workflow/lib/variable-requirement.ts +66 -0
package/src/workflow/lib/work-item-payloads.ts +139 -0
package/src/workflow/lib/workflow-stage.ts +89 -0
package/src/workflow/lib/workspace-manifest-enums.ts +143 -0

package/src/document-themes/lib/document-theme.ts ADDED Viewed

@@ -0,0 +1,110 @@
+// ═══════════════════════════════════════════════════════════════════════════
+// ── DocumentTheme manifest + tokens ──
+//
+// The shape every theme — built-in, biome-shipped, org-authored —
+// conforms to. The registry persists `manifest`, `tokens`, and `css`
+// separately so the FE can fetch only what it needs (manifest for the
+// gallery; manifest+tokens+css when activating a theme on a document).
+// ═══════════════════════════════════════════════════════════════════════════
+import type { RenderingShape } from '../../document-templates';
+/**
+ * Same 3-tier scope as templates. Resolution precedence:
+ * ORG > BIOME > SYSTEM (most specific wins). Themes are scoped at the
+ * registry level; per-page selection is via `Page.themeRef` (a ref into
+ * this registry).
+ */
+export enum DocumentThemeScope {
+  SYSTEM = 'SYSTEM',
+  BIOME = 'BIOME',
+  ORG = 'ORG',
+}
+/**
+ * Manifest entry — the metadata fetched for the theme gallery and the
+ * theme dropdown in the document topbar.
+ *
+ * `supportedShapes` lets a theme opt out of rendering shapes that don't
+ * fit it visually (e.g. a heavily-decorated letter theme might exclude
+ * `ANIMATED_SLIDES`). Empty / unset = supports all shapes.
+ *
+ * `supportedFormats` lets a theme constrain itself to a subset of paper
+ * formats (e.g. a poster theme might only support TABLOID). Empty /
+ * unset = supports all formats.
+ */
+export interface DocumentThemeManifest {
+  readonly slug: string;
+  readonly name: string;
+  readonly description: string;
+  readonly supportedShapes?: readonly RenderingShape[];
+  readonly supportedFormats?: readonly string[];
+  readonly previewThumbnailUrl?: string;
+  readonly version: string;
+  readonly scope: DocumentThemeScope;
+}
+/**
+ * The token pack — `theme.json`. Closed VOCABULARY (the keys defined
+ * here), open VALUES (the strings each implementation picks).
+ *
+ * Themes are expected to populate the full token surface; missing keys
+ * fall back to the system default theme's tokens at resolution time
+ * (registry-side defaulting, not silent — logged + emitted as a
+ * warning so theme authors notice).
+ */
+export interface DocumentThemeTokens {
+  readonly color: {
+    readonly ink: string;
+    readonly paper: string;
+    readonly accent: string;
+    readonly accentInk: string;
+    readonly muted: string;
+    readonly mutedInk: string;
+    readonly rule: string;
+    readonly success: string;
+    readonly warn: string;
+    readonly danger: string;
+  };
+  readonly type: {
+    readonly familySans: string;
+    readonly familySerif: string;
+    readonly familyMono: string;
+    /** [display, title, h2, h3, body, caption, overline] — pt values. */
+    readonly scalePt: readonly [number, number, number, number, number, number, number];
+    /** Matching line-heights for the scale. */
+    readonly lineHeight: readonly [number, number, number, number, number, number, number];
+    /** Matching weights for the scale. */
+    readonly weight: readonly [number, number, number, number, number, number, number];
+  };
+  readonly space: {
+    /** mm values used by `@page` margins and macro layout. */
+    readonly pageMargin: { top: number; right: number; bottom: number; left: number };
+    /** Generic spacing scale (0/4/8/12/16/24/32/48 — px). */
+    readonly scalePx: readonly [number, number, number, number, number, number, number, number];
+  };
+  readonly radius: {
+    /** Corner radii — px. */
+    readonly scalePx: readonly [number, number, number, number];
+  };
+}
+/**
+ * Full theme bundle the kb-api theme endpoint returns on activation.
+ * `css` is the serialized theme stylesheet (already token-substituted
+ * OR using CSS custom properties that reference the same tokens — the
+ * runtime treats it as an opaque string).
+ */
+export interface DocumentTheme {
+  readonly manifest: DocumentThemeManifest;
+  readonly tokens: DocumentThemeTokens;
+  readonly css: string;
+}
+/**
+ * Wire-shape reference to a theme — `<scope>:<slug>` (system or
+ * biome) or `<scope>:<orgId>:<slug>` (org). Matches
+ * DocumentTemplateRef's encoding so consumers parse both with one
+ * helper.
+ */
+export type DocumentThemeRef = string;

package/src/document-themes/lib/index.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export * from './document-theme';
2	+ export * from './component-vocabulary';

package/src/entitlement/index.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './lib/entitlement';

package/src/entitlement/lib/entitlement.ts ADDED Viewed

@@ -0,0 +1,142 @@
+import { z } from 'zod';
+/**
+ * The Xema deployment/org edition. Closed set — the build is compiled for
+ * exactly one ceiling edition, and an org is provisioned at exactly one
+ * edition (never above the build ceiling).
+ *
+ * `Community` is the FAIL-CLOSED default: any ambiguity in resolution
+ * (missing config, missing org row, malformed upstream payload) collapses to
+ * `Community`. Enterprise capability is granted only on an explicit, valid
+ * `Enterprise` signal at BOTH the deployment ceiling AND the org row.
+ */
+export enum Edition {
+  Community = 'community',
+  Enterprise = 'enterprise',
+}
+export const EditionSchema = z.nativeEnum(Edition);
+/**
+ * The closed set of feature keys other Xema features gate on. Each key names a
+ * single Enterprise-gated capability; a key being absent from an
+ * `EntitlementSet.features` map (or set to `false`) means NOT entitled.
+ *
+ * Closed set — adding a gated feature is a kernel change. Never gate on a
+ * free-form string; always reference a member of this enum so the boundary
+ * between "known gated feature" and "typo / unknown feature" stays explicit
+ * (an unknown key can never be entitled).
+ */
+export enum EntitlementKey {
+  /** Nested / hierarchical teams (sub-teams within teams). */
+  TeamsNested = 'teams.nested',
+  /** Delegated team administration (team-scoped admins below the org admin). */
+  TeamsDelegatedAdmin = 'teams.delegatedAdmin',
+  /** SCIM provisioning for teams/membership. */
+  TeamsScim = 'teams.scim',
+  /** Custom (org-authored) roles beyond the built-in role set. */
+  RolesCustom = 'roles.custom',
+  /** Access-request approval workflow. */
+  AccessRequestWorkflow = 'access.requestWorkflow',
+  /** External OIDC identity-provider federation (SSO). */
+  SsoOidcFederation = 'sso.oidc-federation',
+}
+export const EntitlementKeySchema = z.nativeEnum(EntitlementKey);
+/**
+ * An entitlement decision for a single org: the resolved `edition` plus a
+ * per-feature map. A feature is entitled only when its key maps to `true`;
+ * absent or `false` ⇒ not entitled (fail-closed).
+ */
+export interface EntitlementSet {
+  edition: Edition;
+  features: Partial<Record<EntitlementKey, boolean>>;
+}
+export const EntitlementSetSchema = z.object({
+  edition: EditionSchema,
+  features: z.record(EntitlementKeySchema, z.boolean()),
+}) as z.ZodType<EntitlementSet>;
+/**
+ * The fully-locked-down Community entitlement: Community edition with every
+ * gated feature off. Returned by every fail-closed path.
+ */
+const COMMUNITY_ENTITLEMENT: EntitlementSet = {
+  edition: Edition.Community,
+  features: {},
+};
+/**
+ * Resolve the EFFECTIVE entitlement for an org as
+ * **`effective = min(deploymentCeiling, orgEntitlement)`**.
+ *
+ * FAIL-CLOSED rules (a compromised or stale org row can never exceed the build
+ * edition, and any ambiguity collapses to Community):
+ *
+ * 1. If `deploymentCeiling` is `Community`, the result is ALWAYS Community with
+ *    every gated feature `false`, regardless of what the org row claims. The
+ *    build simply does not contain Enterprise capability to grant.
+ * 2. If the org entitlement is `undefined` (unknown / absent / not yet
+ *    provisioned), the result is the Community default.
+ * 3. If `deploymentCeiling` is `Enterprise` but the org row's edition is
+ *    `Community`, the org is Community and every feature is `false`.
+ * 4. Only when BOTH the ceiling and the org row are `Enterprise` are the org's
+ *    `true` feature flags honored; any non-`true` (absent / `false`) feature
+ *    stays off.
+ *
+ * Never grants MORE than the org explicitly enabled, and never more than the
+ * build ceiling allows. There is no path that returns Enterprise without an
+ * explicit Enterprise signal on both sides.
+ */
+export function resolveEffectiveEntitlement(
+  deploymentCeiling: Edition,
+  orgEntitlement: EntitlementSet | undefined,
+): EntitlementSet {
+  // Rule 1: a Community build can never grant Enterprise.
+  if (deploymentCeiling !== Edition.Enterprise) {
+    return { edition: Edition.Community, features: {} };
+  }
+  // Rule 2: unknown / absent org ⇒ Community default.
+  if (!orgEntitlement) {
+    return { edition: Edition.Community, features: {} };
+  }
+  // Rule 3: org row not Enterprise ⇒ Community, all features off.
+  if (orgEntitlement.edition !== Edition.Enterprise) {
+    return { edition: Edition.Community, features: {} };
+  }
+  // Rule 4: ceiling AND org are Enterprise — honor only explicit `true` flags.
+  const features: Partial<Record<EntitlementKey, boolean>> = {};
+  for (const key of Object.values(EntitlementKey)) {
+    if (orgEntitlement.features[key] === true) {
+      features[key] = true;
+    }
+  }
+  return { edition: Edition.Enterprise, features };
+}
+/** Re-exported for callers that want the canonical fail-closed default. */
+export { COMMUNITY_ENTITLEMENT };
+/**
+ * Whether a single feature is entitled under an already-resolved EFFECTIVE
+ * entitlement. Fail-closed: returns `true` ONLY when the effective edition is
+ * `Enterprise` AND the feature flag is explicitly `true`. Any absent / `false`
+ * / unknown state ⇒ `false`.
+ *
+ * Always call this against the output of `resolveEffectiveEntitlement` — never
+ * against a raw org row, so the deployment ceiling has already been applied.
+ */
+export function isFeatureEntitled(
+  effective: EntitlementSet,
+  key: EntitlementKey,
+): boolean {
+  return (
+    effective.edition === Edition.Enterprise &&
+    effective.features[key] === true
+  );
+}

package/src/execution-context/index.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export * from './lib/subject';
+export * from './lib/caller';
+export * from './lib/execution-context';

package/src/execution-context/lib/caller.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { z } from 'zod';
+/**
+ * Closed caller-kind set (plan v4.3 §A.3).
+ *
+ * Distinguishes how the invocation entered the system — drives audit
+ * shape, default obligations (e.g. `Web` callers default to `audit` +
+ * `redact-secrets`), and route-hint fallbacks. Closed set.
+ */
+export enum CallerKind {
+  Web = 'web',
+  Api = 'api',
+  Agent = 'agent',
+  Workflow = 'workflow',
+  Shell = 'shell',
+  Scheduler = 'scheduler',
+}
+export const CallerKindSchema = z.nativeEnum(CallerKind);
+/**
+ * `Caller` — entry-point envelope captured on every invocation.
+ *
+ * v4.3 contract shape per plan §A.3:
+ *   { kind: CallerKind; appId?; sessionId?; ip?; userAgent? }
+ *
+ * `appId` and `sessionId` are populated when the caller is an embedded
+ * app or interactive session; `ip` + `userAgent` come from the HTTP edge
+ * (public-gateway-api) and are dropped at internal hops to avoid silent
+ * PII propagation past the audit boundary.
+ */
+export interface Caller {
+  kind: CallerKind;
+  appId?: string;
+  sessionId?: string;
+  ip?: string;
+  userAgent?: string;
+}
+export const CallerSchema = z.object({
+  kind: CallerKindSchema,
+  appId: z.string().min(1).optional(),
+  sessionId: z.string().min(1).optional(),
+  ip: z.string().min(1).optional(),
+  userAgent: z.string().min(1).optional(),
+}) as z.ZodType<Caller>;

package/src/execution-context/lib/execution-context.ts ADDED Viewed

@@ -0,0 +1,205 @@
+import { z } from 'zod';
+import {
+  CapabilityRefSchema,
+  type CapabilityRef,
+} from '../../capability';
+import {
+  ExecutionEnvironmentKind,
+  ExecutionEnvironmentKindSchema,
+} from '../../execution-environment';
+import {
+  DataClassification,
+  DataClassificationSchema,
+  SpaceRefSchema,
+  type SpaceRef,
+} from '../../space';
+import { CallerSchema, type Caller } from './caller';
+import {
+  ActingForRefSchema,
+  SubjectRefSchema,
+  type ActingForRef,
+  type SubjectRef,
+} from './subject';
+/**
+ * Closed biome trust-tier set referenced by `ExecutionContext.biome`
+ * (plan v4.3 §A.3).
+ *
+ * Tier ordering goes Untrusted → Community → Verified → Official; OPA
+ * policy bundles MAY gate a capability to a minimum tier, but the kernel
+ * never assumes a fallback default — `signatureVerified=false` on a non-
+ * `Untrusted` tier MUST fail-fast at the gateway.
+ */
+export enum BiomeTrustTier {
+  Official = 'official',
+  Verified = 'verified',
+  Community = 'community',
+  Untrusted = 'untrusted',
+}
+export const BiomeTrustTierSchema = z.nativeEnum(BiomeTrustTier);
+/**
+ * Biome attestation block carried on `ExecutionContext.biome` (plan
+ * v4.3 §A.3). Set when the capability is provided by a biome (vs. an
+ * embedded built-in). `signatureVerified` is the Cosign verdict from the
+ * biome-fetcher-api at install time.
+ */
+export interface ExecutionContextBiome {
+  id: string;
+  version: string;
+  trustTier: BiomeTrustTier;
+  signatureVerified: boolean;
+}
+export const ExecutionContextBiomeSchema = z.object({
+  id: z.string().min(1),
+  version: z.string().min(1),
+  trustTier: BiomeTrustTierSchema,
+  signatureVerified: z.boolean(),
+}) as z.ZodType<ExecutionContextBiome>;
+/**
+ * Environment block carried on `ExecutionContext.environment` (plan
+ * v4.3 §A.3).
+ *
+ * `id` is the canonical `environment:<slug>` ref (string-typed here to
+ * keep the envelope JSON-clean — the kernel-side reference type lives in
+ * `@xemahq/execution-environment-contracts`).
+ *
+ * `kind` is the {@link ExecutionEnvironmentKind} value matched against the eight
+ * built-in environments + the `trusted-dev` escape hatch. The internal
+ * identifier `ExecutionEnvironmentKind` is still named "Zone" — the rename to
+ * `ExecutionEnvironmentKind` is scheduled for Phase A.5 (plan §A.1
+ * follow-up sweep), not Phase A.3.
+ */
+export interface ExecutionContextEnvironment {
+  id: string;
+  kind: ExecutionEnvironmentKind;
+}
+export const ExecutionContextEnvironmentSchema = z.object({
+  id: z.string().min(1),
+  kind: ExecutionEnvironmentKindSchema,
+}) as z.ZodType<ExecutionContextEnvironment>;
+/**
+ * Capability block carried on `ExecutionContext.capability` (plan
+ * v4.3 §A.3).
+ *
+ * `ref` is the canonical capability reference (`<biome>:<verb>@<major>`).
+ * `inputHash` is an optional SHA-256 fingerprint of the JSON-serialised
+ * input — used for cache-key composition and audit replay. Omitted on
+ * invocations whose input is non-deterministic (e.g. streaming uploads).
+ */
+export interface ExecutionContextCapability {
+  ref: CapabilityRef;
+  inputHash?: string;
+}
+export const ExecutionContextCapabilitySchema = z.object({
+  ref: CapabilityRefSchema,
+  inputHash: z.string().min(1).optional(),
+}) as z.ZodType<ExecutionContextCapability>;
+/**
+ * Resource block carried on `ExecutionContext.resource` (plan v4.3 §A.3).
+ *
+ * Set when the invocation targets a specific persistent object (a
+ * XemaObject, a document, an SCM file). `ref` is the resource reference
+ * (XVFS path or domain ref); `classification` MUST be carried alongside
+ * because policy obligations like `redact-secrets` and
+ * `restrict-output-classification` key on it.
+ */
+export interface ExecutionContextResource {
+  ref: string;
+  classification: DataClassification;
+}
+export const ExecutionContextResourceSchema = z.object({
+  ref: z.string().min(1),
+  classification: DataClassificationSchema,
+}) as z.ZodType<ExecutionContextResource>;
+/**
+ * Constraints block carried on `ExecutionContext.constraints` (plan
+ * v4.3 §A.3).
+ *
+ * Per-invocation caps + flags the gateway derives from the caller's
+ * grant, the org's environment policy, and the capability's defaults.
+ * `requireCustomerEdge` is a hard runner-selection constraint (see
+ * `RouteHint.requireCustomerEdge` in `@xemahq/policy-contracts`).
+ *
+ * Omitted fields mean "no constraint at this layer"; the runner MUST
+ * still respect downstream layers (e.g. org-level cost budgets).
+ */
+export interface ExecutionContextConstraints {
+  maxCostUsd?: number;
+  maxDurationSeconds?: number;
+  requireApproval?: boolean;
+  requireAudit?: boolean;
+  requireCustomerEdge?: boolean;
+}
+export const ExecutionContextConstraintsSchema = z.object({
+  maxCostUsd: z.number().nonnegative().optional(),
+  maxDurationSeconds: z.number().int().nonnegative().optional(),
+  requireApproval: z.boolean().optional(),
+  requireAudit: z.boolean().optional(),
+  requireCustomerEdge: z.boolean().optional(),
+}) as z.ZodType<ExecutionContextConstraints>;
+/**
+ * `ExecutionContext` — the per-invocation envelope (plan v4.3 §A.3).
+ *
+ * Constructed by `biomes/xema-capability-router/api/xema-capability-router` at the gateway boundary,
+ * passed verbatim to `authorization-api` for the policy check, and
+ * forwarded to the dispatched runner. Audit, policy, and runner all
+ * read the SAME shape — no parallel envelopes.
+ *
+ * Wave 4 (Phase A.5) wires this through `dispatch.service.ts`. This
+ * package is contract-only — no consumer rewiring lives here.
+ */
+export interface ExecutionContext {
+  id: string;
+  requestId: string;
+  traceId: string;
+  subject: SubjectRef;
+  caller: Caller;
+  space: SpaceRef;
+  environment: ExecutionContextEnvironment;
+  biome?: ExecutionContextBiome;
+  capability: ExecutionContextCapability;
+  resource?: ExecutionContextResource;
+  constraints?: ExecutionContextConstraints;
+  /**
+   * RFC 8693 delegation chain (`act`), outermost-acting-first. Built at the
+   * gateway from `RequestContext.actorChain` and carried through policy → audit
+   * → credential-broker. Empty/omitted for a non-delegated invocation
+   * (plan §W4 / Pillar 3.2).
+   */
+  actorChain?: ActingForRef[];
+  /**
+   * Opaque credential-binding id the PDP selected for this invocation
+   * (`PolicyDecision.credentialBindingId`). When present, the executing
+   * gateway/runner resolves it via the credential-broker. NEVER a secret
+   * (plan §W4 / Pillar 3.2).
+   */
+  credentialBindingId?: string;
+}
+export const ExecutionContextSchema = z.object({
+  id: z.string().min(1),
+  requestId: z.string().min(1),
+  traceId: z.string().min(1),
+  subject: SubjectRefSchema,
+  caller: CallerSchema,
+  space: SpaceRefSchema,
+  environment: ExecutionContextEnvironmentSchema,
+  biome: ExecutionContextBiomeSchema.optional(),
+  capability: ExecutionContextCapabilitySchema,
+  resource: ExecutionContextResourceSchema.optional(),
+  constraints: ExecutionContextConstraintsSchema.optional(),
+  actorChain: z.array(ActingForRefSchema).optional(),
+  credentialBindingId: z.string().min(1).optional(),
+}) as z.ZodType<ExecutionContext>;

package/src/execution-context/lib/subject.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * The canonical subject taxonomy now lives in `@xemahq/subject-contracts`
+ * (the single closed `SubjectKind`, the `{ kind, id, roles?, actingFor? }`
+ * `SubjectRef`, the `ActingForRef` delegation pointer, and the
+ * `subjectRefToString`/`parseSubjectRef` composite bridges). This module
+ * re-exports that surface so existing `@xemahq/execution-context-contracts`
+ * importers are unaffected. Do NOT redeclare a `SubjectKind`/`SubjectRef` here.
+ */
+export {
+  SubjectKind,
+  SubjectKindSchema,
+  SubjectRefSchema,
+  ActingForRefSchema,
+  subjectRefToString,
+  parseSubjectRef,
+} from '../../subject';
+export type { SubjectRef, ActingForRef } from '../../subject';

package/src/execution-environment/index.ts ADDED Viewed

@@ -0,0 +1,3 @@
+export * from './lib/built-in-environments';
+export * from './lib/approval-rule';
+export * from './lib/execution-environment';

package/src/execution-environment/lib/approval-rule.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { z } from 'zod';
+import {
+  CapabilityRefSchema,
+  type CapabilityRef,
+} from '../../capability';
+/**
+ * Per-environment approval rule (plan §3.4 `ExecutionEnvironment.approvalRules[]`,
+ * §30.7 Human-in-the-loop approval at runtime).
+ *
+ * When a runtime invocation matches a rule whose `capability` ref covers the
+ * call, the gateway suspends the invocation, emits an `ApprovalRequested`
+ * CloudEvent, and renders a typed approval dialog. The rule may further
+ * require a specific approver role and/or a minimum approver count.
+ *
+ * `requireApproverCount` defaults are NOT encoded here — the gateway
+ * fail-fasts on a missing/invalid count rather than substituting a silent
+ * default (engineering constitution: no silent fallbacks).
+ */
+export interface ApprovalRule {
+  capability: CapabilityRef;
+  requireRole?: string;
+  requireApproverCount?: number;
+  reason?: string;
+}
+export const ApprovalRuleSchema = z.object({
+  capability: CapabilityRefSchema,
+  requireRole: z.string().min(1).optional(),
+  requireApproverCount: z.number().int().positive().optional(),
+  reason: z.string().min(1).optional(),
+}) as z.ZodType<ApprovalRule>;

package/src/execution-environment/lib/built-in-environments.ts ADDED Viewed

@@ -0,0 +1,89 @@
+import { z } from 'zod';
+/**
+ * Closed set of built-in Execution Environment kinds.
+ *
+ * Plan-of-record: v4.3 §2 vocabulary table (`Zone → Environment` row),
+ * §3.4 (the eight built-in environments that cover every story we have
+ * today), and §30.6 (`trusted-dev` environment — the developer escape
+ * hatch).
+ *
+ * v1 ships ONLY these built-ins; custom environments are an explicit v2
+ * extension (plan §16). The downstream `ExecutionEnvironment.scope` type
+ * intentionally widens to `ExecutionEnvironmentKind | string` for future-
+ * proofing, but at v1 the only legal scope values are members of this
+ * enum — see `isExecutionEnvironmentKind`.
+ *
+ * Slugs are stable wire identifiers and MUST NOT change once shipped;
+ * they appear in `ExecutionEnvironmentRef` (`environment:<slug>`), in
+ * capability grants, and in audit logs.
+ */
+export enum ExecutionEnvironmentKind {
+  /** Platform operators / migrations. */
+  System = 'system',
+  /** Org admins; biome install/uninstall. */
+  Org = 'org',
+  /** Project members; default agent/workflow runtime. */
+  Project = 'project',
+  /** Apps configured for an audience. */
+  App = 'app',
+  /** Interactive session bounded by user permissions. */
+  Session = 'session',
+  /**
+   * Biome build/test (Linux container OK here) + agent-generated biome
+   * staging. NOT the same as `TrustedDev` — `Sandbox` is for untrusted
+   * biomes the org is evaluating.
+   */
+  Sandbox = 'sandbox',
+  /** External delegated sessions (chat widgets, customer portals). */
+  Public = 'public',
+  /** Biome inspected for publication; no real org data access. */
+  StoreReview = 'store-review',
+  /**
+   * Local-dev / personal-sandbox environment (plan §30.6). Inside it the
+   * Capability Gateway grants every capability the biome *declared* in
+   * its manifest, no resource glob, no rate limit, no human approval.
+   * Audit-log still records every call so devs can inspect what their
+   * biome *would* do in production. Only `power-user-developer` profile
+   * can be installed here, and the environment is never reachable from
+   * production data.
+   */
+  TrustedDev = 'trusted-dev',
+}
+export const ExecutionEnvironmentKindSchema = z.nativeEnum(ExecutionEnvironmentKind);
+/**
+ * Stable, ordered list of every built-in environment slug. Seeded at
+ * boot by `authorization-api` / `object-registry-api` per plan §17.5
+ * step 1.
+ *
+ * Ordering is intentional (system → org → project → app → session →
+ * sandbox → public → store-review → trusted-dev) and matches the table
+ * in §3.4 followed by the dev escape hatch from §30.6. Do not reorder
+ * without a coordinated migration of any consumer that relies on
+ * positional iteration.
+ */
+export const BUILT_IN_ENVIRONMENT_SLUGS: readonly ExecutionEnvironmentKind[] = [
+  ExecutionEnvironmentKind.System,
+  ExecutionEnvironmentKind.Org,
+  ExecutionEnvironmentKind.Project,
+  ExecutionEnvironmentKind.App,
+  ExecutionEnvironmentKind.Session,
+  ExecutionEnvironmentKind.Sandbox,
+  ExecutionEnvironmentKind.Public,
+  ExecutionEnvironmentKind.StoreReview,
+  ExecutionEnvironmentKind.TrustedDev,
+] as const;
+/**
+ * Narrowing guard: returns `true` iff `slug` is one of the built-in
+ * environment slugs. Used by `ExecutionEnvironmentSchema` and the
+ * authorization-api to refuse custom-scoped environments at v1 (plan §16
+ * non-goal).
+ */
+export function isExecutionEnvironmentKind(
+  slug: string,
+): slug is ExecutionEnvironmentKind {
+  return (BUILT_IN_ENVIRONMENT_SLUGS as readonly string[]).includes(slug);
+}