@zonease/aiworker-cli 0.13.1 → 0.14.0

package/official-apps/aiworker-hr/dist/host-mounted.js

@@ -14791,13 +14791,17 @@ function createSoulAppManifest(input, options = {}) {
 function createSoulAppClient(options) {
   const fetcher = options.fetch ?? fetch;
   const prefix = options.baseUrl?.replace(/\/$/, "") ?? "";
-  const headers = options.token ? { authorization: `Bearer ${options.token}` } : undefined;
+  const headers = {};
+  if (options.token)
+    headers.authorization = `Bearer ${options.token}`;
+  if (options.mountToken)
+    headers["x-aiworker-mount-token"] = options.mountToken;
   async function json(route, init) {
     const res = await fetcher(`${prefix}${route}`, {
       ...init,
       headers: {
         ...init?.body ? { "content-type": "application/json" } : {},
-        ...headers,
+        ...Object.keys(headers).length ? headers : {},
         ...init?.headers
       }
     });
@@ -15450,7 +15454,11 @@ function serveHostMounted(port = Number(Bun.env.PORT ?? 0)) {
         const hostUrl = request.headers.get("x-aiworker-host-url") ?? Bun.env.AIWORKER_HOST_URL;
         if (!hostUrl)
           return Response.json({ appId: hrSoulAppManifest2.id, broker: "not-configured", permissions: [] });
-        const client = createSoulAppClient({ appId: hrSoulAppManifest2.id, baseUrl: hostUrl });
+        const client = createSoulAppClient({
+          appId: hrSoulAppManifest2.id,
+          baseUrl: hostUrl,
+          mountToken: request.headers.get("x-aiworker-mount-token") ?? undefined
+        });
         return Response.json(await client.broker.permissions.list());
       }
       if (url.pathname === "/protocol/capabilities") {
@@ -15570,7 +15578,11 @@ async function persistPeopleProfileDraft(request) {
     return { ok: true };
   const draftKey = `drafts/people-profile/${context.workspaceId ?? "app"}`;
   const workspaceRef = context.workspaceId ?? "app";
-  const client = createSoulAppClient({ appId: hrSoulAppManifest2.id, baseUrl: context.hostUrl });
+  const client = createSoulAppClient({
+    appId: hrSoulAppManifest2.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken
+  });
   try {
     await client.broker.storage.put(draftKey, {
       appId: hrSoulAppManifest2.id,
@@ -15628,7 +15640,11 @@ async function queryBrokerPeopleProfileSearch(request, query) {
   const context = readMountContext(request);
   if (!context?.hostUrl)
     return null;
-  const client = createSoulAppClient({ appId: hrSoulAppManifest2.id, baseUrl: context.hostUrl });
+  const client = createSoulAppClient({
+    appId: hrSoulAppManifest2.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken
+  });
   try {
     const result = await client.broker.search.query(query, brokerScope(context));
     return Array.isArray(result.items) ? result.items : null;
@@ -15648,6 +15664,7 @@ function readMountContext(request) {
     return {
       brokerUrl: typeof parsed.brokerUrl === "string" ? parsed.brokerUrl : undefined,
       hostUrl: request.headers.get("x-aiworker-host-url") ?? undefined,
+      mountToken: request.headers.get("x-aiworker-mount-token") ?? undefined,
       operatorId: typeof parsed.operatorId === "string" ? parsed.operatorId : null,
       sessionId: typeof parsed.sessionId === "string" ? parsed.sessionId : null,
       surface: surface ? {

package/official-apps/aiworker-hr/dist/index.js

@@ -14791,13 +14791,17 @@ function createSoulAppManifest(input, options = {}) {
 function createSoulAppClient(options) {
   const fetcher = options.fetch ?? fetch;
   const prefix = options.baseUrl?.replace(/\/$/, "") ?? "";
-  const headers = options.token ? { authorization: `Bearer ${options.token}` } : undefined;
+  const headers = {};
+  if (options.token)
+    headers.authorization = `Bearer ${options.token}`;
+  if (options.mountToken)
+    headers["x-aiworker-mount-token"] = options.mountToken;
   async function json(route, init) {
     const res = await fetcher(`${prefix}${route}`, {
       ...init,
       headers: {
         ...init?.body ? { "content-type": "application/json" } : {},
-        ...headers,
+        ...Object.keys(headers).length ? headers : {},
         ...init?.headers
       }
     });

package/official-apps/aiworker-hr/dist/standalone.js

@@ -14791,13 +14791,17 @@ function createSoulAppManifest(input, options = {}) {
 function createSoulAppClient(options) {
   const fetcher = options.fetch ?? fetch;
   const prefix = options.baseUrl?.replace(/\/$/, "") ?? "";
-  const headers = options.token ? { authorization: `Bearer ${options.token}` } : undefined;
+  const headers = {};
+  if (options.token)
+    headers.authorization = `Bearer ${options.token}`;
+  if (options.mountToken)
+    headers["x-aiworker-mount-token"] = options.mountToken;
   async function json(route, init) {
     const res = await fetcher(`${prefix}${route}`, {
       ...init,
       headers: {
         ...init?.body ? { "content-type": "application/json" } : {},
-        ...headers,
+        ...Object.keys(headers).length ? headers : {},
         ...init?.headers
       }
     });

package/official-apps/aiworker-hr/skills/candidate-profile/SKILL.md

@@ -0,0 +1,32 @@
+---
+name: candidate-profile
+description: Build and update a source-backed Candidate People Profile for hiring review.
+capabilities:
+  - hr-profile
+  - recruiting
+  - evidence-review
+---
+
+# Candidate Profile
+
+Use this skill when the workspace profile represents a candidate or candidate
+pool member.
+
+## Profile Contract
+
+- Treat `README.md` as the accepted Candidate Profile.
+- Treat files under `artifacts/` as proposed profile changes until review.
+- Keep confirmed facts, missing evidence, weak signals, and next HR actions
+  separate.
+- Do not infer protected-class attributes, personal judgments, or employment
+  commitments.
+
+## Output Shape
+
+For proposed updates, write a markdown artifact with:
+
+1. Current candidate summary
+2. Role-relevant evidence
+3. Missing or conflicting evidence
+4. Hiring risks and compliance notes
+5. Human reviewer next actions

package/official-apps/aiworker-hr/skills/evidence-screening/SKILL.md

@@ -0,0 +1,32 @@
+---
+name: evidence-screening
+description: Screen HR evidence for source quality, role relevance, missing facts, and risk.
+capabilities:
+  - hr-evidence
+  - candidate-screen
+  - risk-review
+---
+
+# Evidence Screening
+
+Use this skill to evaluate resumes, ATS packets, interview notes, employee
+records, or lifecycle touchpoints before they influence a People Profile.
+
+## Screening Standard
+
+- Tie every positive or negative signal to source evidence.
+- Mark weak, stale, missing, or conflicting evidence explicitly.
+- Separate role-related criteria from unsupported personal judgments.
+- Keep raw sensitive evidence out of durable profile history unless reviewed.
+- Prefer descriptor references over copying private evidence bodies.
+
+## Output Shape
+
+Create an evidence matrix with:
+
+1. Evidence source
+2. Role or lifecycle relevance
+3. Confidence
+4. Missing information
+5. Risk note
+6. Recommended human follow-up

package/official-apps/aiworker-hr/skills/hiring-risk-review/SKILL.md

@@ -0,0 +1,33 @@
+---
+name: hiring-risk-review
+description: Review HR profile proposals for compliance, privacy, bias, and unsupported claims.
+capabilities:
+  - hiring-risk
+  - compliance-review
+  - privacy-review
+---
+
+# Hiring Risk Review
+
+Use this skill before a proposed HR artifact is promoted into the accepted
+People Profile.
+
+## Risk Review Rules
+
+- Flag protected-class inference, proxy signals, and unsupported personal
+  judgments.
+- Flag copied sensitive evidence that should stay behind a descriptor or source
+  reference.
+- Flag employment commitments, compensation claims, or hiring decisions that are
+  not explicitly human-approved.
+- Separate blocking risks from advisory improvements.
+
+## Output Shape
+
+Return:
+
+1. Verdict recommendation: pass, warn, fail, or needs_review
+2. Blocking findings
+3. Advisory findings
+4. Privacy and evidence retention notes
+5. Required human decision before profile promotion

package/official-apps/aiworker-hr/skills/interview-brief/SKILL.md

@@ -0,0 +1,31 @@
+---
+name: interview-brief
+description: Draft evidence-backed interview briefs, focus areas, and scorecard guidance.
+capabilities:
+  - interview-planning
+  - recruiting
+  - scorecard
+---
+
+# Interview Brief
+
+Use this skill when preparing an interview plan from a Candidate Profile or
+candidate evidence packet.
+
+## Interview Guidance
+
+- Use role-relevant evidence and open questions from the profile.
+- Turn weak or missing evidence into interview focus areas.
+- Avoid protected-class inference and unsupported personal conclusions.
+- Keep the final hiring decision explicitly human-owned.
+
+## Output Shape
+
+Draft:
+
+1. Interview objective
+2. Evidence-backed focus areas
+3. Questions mapped to role criteria
+4. Scorecard guidance
+5. Risks or missing evidence to verify
+6. Reviewer notes for the human panel

package/official-apps/aiworker-hr/skills/profile-update-proposal/SKILL.md

@@ -0,0 +1,29 @@
+---
+name: profile-update-proposal
+description: Convert HR session evidence into a reviewable profile update proposal.
+capabilities:
+  - hr-profile
+  - artifact-proposal
+  - review-prep
+---
+
+# Profile Update Proposal
+
+Use this skill when a session should produce a proposed change for the accepted
+People Profile.
+
+## Rules
+
+- Read `README.md` first to understand the accepted profile baseline.
+- Write proposed changes under `artifacts/<sessionId>/`.
+- Do not update `README.md` directly unless the operator explicitly asks for a
+  reviewed profile revision workflow.
+- Preserve source references, open questions, and human decision ownership.
+
+## Proposal Checklist
+
+- What changed since the accepted profile?
+- Which claims are backed by explicit evidence?
+- Which facts are still missing?
+- Which risks need HR or legal review?
+- What exact review decision is needed before promotion?

package/official-apps/aiworker-hr/src/host-mounted.ts

@@ -8,6 +8,7 @@ import { hrReferenceSoulApp, hrSoulAppManifest } from './index'
 interface MountContext {
   brokerUrl?: string
   hostUrl?: string
+  mountToken?: string
   operatorId?: string | null
   sessionId?: string | null
   surface?: {
@@ -64,7 +65,11 @@ export function serveHostMounted(port = Number(Bun.env.PORT ?? 0)) {
         const hostUrl = request.headers.get('x-aiworker-host-url') ?? Bun.env.AIWORKER_HOST_URL
         if (!hostUrl)
           return Response.json({ appId: hrSoulAppManifest.id, broker: 'not-configured', permissions: [] })
-        const client = createSoulAppClient({ appId: hrSoulAppManifest.id, baseUrl: hostUrl })
+        const client = createSoulAppClient({
+          appId: hrSoulAppManifest.id,
+          baseUrl: hostUrl,
+          mountToken: request.headers.get('x-aiworker-mount-token') ?? undefined,
+        })
         return Response.json(await client.broker.permissions.list())
       }
       if (url.pathname === '/protocol/capabilities') {
@@ -192,7 +197,11 @@ async function persistPeopleProfileDraft(request: Request): Promise<{ message: s
 
   const draftKey = `drafts/people-profile/${context.workspaceId ?? 'app'}`
   const workspaceRef = context.workspaceId ?? 'app'
-  const client = createSoulAppClient({ appId: hrSoulAppManifest.id, baseUrl: context.hostUrl })
+  const client = createSoulAppClient({
+    appId: hrSoulAppManifest.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken,
+  })
   try {
     await client.broker.storage.put(draftKey, {
       appId: hrSoulAppManifest.id,
@@ -255,7 +264,11 @@ async function queryBrokerPeopleProfileSearch(request: Request, query: string):
   if (!context?.hostUrl)
     return null
 
-  const client = createSoulAppClient({ appId: hrSoulAppManifest.id, baseUrl: context.hostUrl })
+  const client = createSoulAppClient({
+    appId: hrSoulAppManifest.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken,
+  })
   try {
     const result = await client.broker.search.query(query, brokerScope(context)) as BrokerSearchResult
     return Array.isArray(result.items) ? result.items : null
@@ -277,6 +290,7 @@ function readMountContext(request: Request): MountContext | null {
     return {
       brokerUrl: typeof parsed.brokerUrl === 'string' ? parsed.brokerUrl : undefined,
       hostUrl: request.headers.get('x-aiworker-host-url') ?? undefined,
+      mountToken: request.headers.get('x-aiworker-mount-token') ?? undefined,
       operatorId: typeof parsed.operatorId === 'string' ? parsed.operatorId : null,
       sessionId: typeof parsed.sessionId === 'string' ? parsed.sessionId : null,
       surface: surface

package/official-apps/aiworker-qa/dist/host-mounted.js

@@ -14791,13 +14791,17 @@ function createSoulAppManifest(input, options = {}) {
 function createSoulAppClient(options) {
   const fetcher = options.fetch ?? fetch;
   const prefix = options.baseUrl?.replace(/\/$/, "") ?? "";
-  const headers = options.token ? { authorization: `Bearer ${options.token}` } : undefined;
+  const headers = {};
+  if (options.token)
+    headers.authorization = `Bearer ${options.token}`;
+  if (options.mountToken)
+    headers["x-aiworker-mount-token"] = options.mountToken;
   async function json(route, init) {
     const res = await fetcher(`${prefix}${route}`, {
       ...init,
       headers: {
         ...init?.body ? { "content-type": "application/json" } : {},
-        ...headers,
+        ...Object.keys(headers).length ? headers : {},
         ...init?.headers
       }
     });
@@ -15434,7 +15438,11 @@ function serveHostMounted(port = Number(Bun.env.PORT ?? 0)) {
         const hostUrl = request.headers.get("x-aiworker-host-url") ?? Bun.env.AIWORKER_HOST_URL;
         if (!hostUrl)
           return Response.json({ appId: qaSoulAppManifest2.id, broker: "not-configured", permissions: [] });
-        const client = createSoulAppClient({ appId: qaSoulAppManifest2.id, baseUrl: hostUrl });
+        const client = createSoulAppClient({
+          appId: qaSoulAppManifest2.id,
+          baseUrl: hostUrl,
+          mountToken: request.headers.get("x-aiworker-mount-token") ?? undefined
+        });
         return Response.json(await client.broker.permissions.list());
       }
       if (url.pathname === "/protocol/capabilities") {
@@ -15548,7 +15556,11 @@ async function persistReleaseGateDraft(request) {
     return { ok: true };
   const draftKey = `drafts/release-gate/${context.workspaceId ?? "app"}`;
   const workspaceRef = context.workspaceId ?? "app";
-  const client = createSoulAppClient({ appId: qaSoulAppManifest2.id, baseUrl: context.hostUrl });
+  const client = createSoulAppClient({
+    appId: qaSoulAppManifest2.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken
+  });
   try {
     await client.broker.storage.put(draftKey, {
       appId: qaSoulAppManifest2.id,
@@ -15606,7 +15618,11 @@ async function queryBrokerReleaseSearch(request, query) {
   const context = readMountContext(request);
   if (!context?.hostUrl)
     return null;
-  const client = createSoulAppClient({ appId: qaSoulAppManifest2.id, baseUrl: context.hostUrl });
+  const client = createSoulAppClient({
+    appId: qaSoulAppManifest2.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken
+  });
   try {
     const result = await client.broker.search.query(query, brokerScope(context));
     return Array.isArray(result.items) ? result.items : null;
@@ -15626,6 +15642,7 @@ function readMountContext(request) {
     return {
       brokerUrl: typeof parsed.brokerUrl === "string" ? parsed.brokerUrl : undefined,
       hostUrl: request.headers.get("x-aiworker-host-url") ?? undefined,
+      mountToken: request.headers.get("x-aiworker-mount-token") ?? undefined,
       operatorId: typeof parsed.operatorId === "string" ? parsed.operatorId : null,
       sessionId: typeof parsed.sessionId === "string" ? parsed.sessionId : null,
       surface: surface ? {

package/official-apps/aiworker-qa/dist/index.js

@@ -14791,13 +14791,17 @@ function createSoulAppManifest(input, options = {}) {
 function createSoulAppClient(options) {
   const fetcher = options.fetch ?? fetch;
   const prefix = options.baseUrl?.replace(/\/$/, "") ?? "";
-  const headers = options.token ? { authorization: `Bearer ${options.token}` } : undefined;
+  const headers = {};
+  if (options.token)
+    headers.authorization = `Bearer ${options.token}`;
+  if (options.mountToken)
+    headers["x-aiworker-mount-token"] = options.mountToken;
   async function json(route, init) {
     const res = await fetcher(`${prefix}${route}`, {
       ...init,
       headers: {
         ...init?.body ? { "content-type": "application/json" } : {},
-        ...headers,
+        ...Object.keys(headers).length ? headers : {},
         ...init?.headers
       }
     });

package/official-apps/aiworker-qa/dist/standalone.js

@@ -14791,13 +14791,17 @@ function createSoulAppManifest(input, options = {}) {
 function createSoulAppClient(options) {
   const fetcher = options.fetch ?? fetch;
   const prefix = options.baseUrl?.replace(/\/$/, "") ?? "";
-  const headers = options.token ? { authorization: `Bearer ${options.token}` } : undefined;
+  const headers = {};
+  if (options.token)
+    headers.authorization = `Bearer ${options.token}`;
+  if (options.mountToken)
+    headers["x-aiworker-mount-token"] = options.mountToken;
   async function json(route, init) {
     const res = await fetcher(`${prefix}${route}`, {
       ...init,
       headers: {
         ...init?.body ? { "content-type": "application/json" } : {},
-        ...headers,
+        ...Object.keys(headers).length ? headers : {},
         ...init?.headers
       }
     });

package/official-apps/aiworker-qa/src/host-mounted.ts

@@ -8,6 +8,7 @@ import { qaReferenceSoulApp, qaSoulAppManifest } from './index'
 interface MountContext {
   brokerUrl?: string
   hostUrl?: string
+  mountToken?: string
   operatorId?: string | null
   sessionId?: string | null
   surface?: {
@@ -64,7 +65,11 @@ export function serveHostMounted(port = Number(Bun.env.PORT ?? 0)) {
         const hostUrl = request.headers.get('x-aiworker-host-url') ?? Bun.env.AIWORKER_HOST_URL
         if (!hostUrl)
           return Response.json({ appId: qaSoulAppManifest.id, broker: 'not-configured', permissions: [] })
-        const client = createSoulAppClient({ appId: qaSoulAppManifest.id, baseUrl: hostUrl })
+        const client = createSoulAppClient({
+          appId: qaSoulAppManifest.id,
+          baseUrl: hostUrl,
+          mountToken: request.headers.get('x-aiworker-mount-token') ?? undefined,
+        })
         return Response.json(await client.broker.permissions.list())
       }
       if (url.pathname === '/protocol/capabilities') {
@@ -186,7 +191,11 @@ async function persistReleaseGateDraft(request: Request): Promise<{ message: str
 
   const draftKey = `drafts/release-gate/${context.workspaceId ?? 'app'}`
   const workspaceRef = context.workspaceId ?? 'app'
-  const client = createSoulAppClient({ appId: qaSoulAppManifest.id, baseUrl: context.hostUrl })
+  const client = createSoulAppClient({
+    appId: qaSoulAppManifest.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken,
+  })
   try {
     await client.broker.storage.put(draftKey, {
       appId: qaSoulAppManifest.id,
@@ -249,7 +258,11 @@ async function queryBrokerReleaseSearch(request: Request, query: string): Promis
   if (!context?.hostUrl)
     return null
 
-  const client = createSoulAppClient({ appId: qaSoulAppManifest.id, baseUrl: context.hostUrl })
+  const client = createSoulAppClient({
+    appId: qaSoulAppManifest.id,
+    baseUrl: context.hostUrl,
+    mountToken: context.mountToken,
+  })
   try {
     const result = await client.broker.search.query(query, brokerScope(context)) as BrokerSearchResult
     return Array.isArray(result.items) ? result.items : null
@@ -271,6 +284,7 @@ function readMountContext(request: Request): MountContext | null {
     return {
       brokerUrl: typeof parsed.brokerUrl === 'string' ? parsed.brokerUrl : undefined,
       hostUrl: request.headers.get('x-aiworker-host-url') ?? undefined,
+      mountToken: request.headers.get('x-aiworker-mount-token') ?? undefined,
       operatorId: typeof parsed.operatorId === 'string' ? parsed.operatorId : null,
       sessionId: typeof parsed.sessionId === 'string' ? parsed.sessionId : null,
       surface: surface

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zonease/aiworker-cli",
-  "version": "0.13.1",
+  "version": "0.14.0",
   "description": "AIWorker CLI — local Host and vertical Soul workspace runtime",
   "license": "MIT",
   "type": "module",