agentboot 0.2.0 → 0.3.1

package/scripts/compile.ts

@@ -33,9 +33,13 @@ import chalk from "chalk";
 import {
   type AgentBootConfig,
   type PersonaConfig,
+  type DomainManifest,
+  type PluginManifest,
   resolveConfigPath,
   loadConfig,
   stripJsoncComments,
+  flattenNodes,
+  groupsToNodes,
 } from "./lib/config.js";
 
 // ---------------------------------------------------------------------------
@@ -210,7 +214,7 @@ function injectTraits(
 // ---------------------------------------------------------------------------
 
 function buildSkillOutput(
-  personaName: string,
+  _personaName: string,
   _personaConfig: PersonaConfig | null,
   composedContent: string,
   config: AgentBootConfig,
@@ -451,7 +455,7 @@ function compileInstructions(
         // Insert provenance after the closing --- of frontmatter.
         const fmMatch = content.match(/^(---\n[\s\S]*?\n---\n)/);
         if (fmMatch) {
-          const afterFm = content.slice(fmMatch[1].length);
+          const afterFm = content.slice(fmMatch[1]!.length);
           finalContent = `${fmMatch[1]}\n${provenanceHeader(srcPath, config)}${afterFm}`;
         } else {
           finalContent = `${provenanceHeader(srcPath, config)}${content}`;
@@ -665,7 +669,7 @@ function generateSettingsJson(
     // Validate hook event names against known CC events
     const validEvents = [
       "PreToolUse", "PostToolUse", "Notification", "Stop",
-      "SubagentStop", "SubagentStart",
+      "SubagentStop", "SubagentStart", "UserPromptSubmit", "SessionEnd",
     ];
     for (const key of Object.keys(hooks)) {
       if (!validEvents.includes(key)) {
@@ -677,8 +681,8 @@ function generateSettingsJson(
   }
 
   const settings: Record<string, unknown> = {};
-  if (hooks) settings.hooks = hooks;
-  if (permissions) settings.permissions = permissions;
+  if (hooks) settings["hooks"] = hooks;
+  if (permissions) settings["permissions"] = permissions;
 
   const settingsPath = path.join(distPath, "claude", scopePath, "settings.json");
   fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf-8");
@@ -708,6 +712,603 @@ function generateMcpJson(
   fs.writeFileSync(mcpPath, JSON.stringify(mcpJson, null, 2) + "\n", "utf-8");
 }
 
+// ---------------------------------------------------------------------------
+// AB-53: Domain layer loading
+// ---------------------------------------------------------------------------
+
+function loadDomainManifest(domainDir: string): DomainManifest | null {
+  const manifestPath = path.join(domainDir, "agentboot.domain.json");
+  if (!fs.existsSync(manifestPath)) {
+    return null;
+  }
+  try {
+    const raw = fs.readFileSync(manifestPath, "utf-8");
+    return JSON.parse(stripJsoncComments(raw)) as DomainManifest;
+  } catch {
+    log(chalk.yellow(`  ⚠ Failed to parse agentboot.domain.json in ${domainDir}`));
+    return null;
+  }
+}
+
+function compileDomains(
+  config: AgentBootConfig,
+  configDir: string,
+  distPath: string,
+  traits: Map<string, TraitContent>,
+  outputFormats: string[]
+): CompileResult[] {
+  const domains = config.domains;
+  if (!domains || domains.length === 0) return [];
+
+  log(chalk.cyan("\nCompiling domain layers..."));
+  const results: CompileResult[] = [];
+
+  for (const domainRef of domains) {
+    const domainPath = typeof domainRef === "string"
+      ? path.resolve(configDir, domainRef)
+      : path.resolve(configDir, domainRef.path ?? `./domains/${domainRef.name}`);
+
+    if (!fs.existsSync(domainPath)) {
+      log(chalk.yellow(`  ⚠ Domain not found: ${domainPath}`));
+      continue;
+    }
+
+    // S3 fix: path traversal protection — resolve symlinks then check boundary
+    const boundary = path.resolve(configDir);
+    const realDomainPath = fs.realpathSync(domainPath);
+    if (!realDomainPath.startsWith(boundary + path.sep) && realDomainPath !== boundary) {
+      log(chalk.red(`  ✗ Domain path escapes project boundary: ${domainPath} → ${realDomainPath}`));
+      continue;
+    }
+
+    const manifest = loadDomainManifest(domainPath);
+    const domainName = manifest?.name ?? path.basename(domainPath);
+    log(chalk.gray(`  Domain: ${domainName}${manifest?.version ? ` v${manifest.version}` : ""}`));
+
+    // Load domain-specific traits
+    const domainTraitsDir = path.join(domainPath, "traits");
+    if (fs.existsSync(domainTraitsDir)) {
+      const domainTraits = loadTraits(domainTraitsDir, undefined);
+      for (const [name, trait] of domainTraits) {
+        if (traits.has(name)) {
+          log(chalk.yellow(`    ⚠ Domain trait '${name}' shadows existing trait`));
+        }
+        traits.set(name, trait);
+      }
+      log(chalk.gray(`    + ${domainTraits.size} trait(s)`));
+    }
+
+    // Compile domain personas
+    const domainPersonasDir = path.join(domainPath, "personas");
+    if (fs.existsSync(domainPersonasDir)) {
+      const personaDirs = fs.readdirSync(domainPersonasDir).filter((entry) =>
+        fs.statSync(path.join(domainPersonasDir, entry)).isDirectory()
+      );
+      for (const personaName of personaDirs) {
+        const personaDir = path.join(domainPersonasDir, personaName);
+        const result = compilePersona(
+          personaName,
+          personaDir,
+          traits,
+          config,
+          distPath,
+          `domains/${domainName}`
+        );
+        results.push(result);
+        log(`    ${chalk.green("✓")} ${personaName}`);
+      }
+    }
+
+    // Compile domain instructions
+    const domainInstructionsDir = path.join(domainPath, "instructions");
+    compileInstructions(
+      domainInstructionsDir,
+      undefined,
+      distPath,
+      `domains/${domainName}`,
+      config,
+      outputFormats
+    );
+  }
+
+  return results;
+}
+
+// ---------------------------------------------------------------------------
+// AB-57: Plugin structure generation
+// ---------------------------------------------------------------------------
+
+function generatePluginOutput(
+  config: AgentBootConfig,
+  distPath: string,
+  allResults: CompileResult[],
+  personasBaseDir: string,
+  traits: Map<string, TraitContent>
+): void {
+  const pluginDir = path.join(distPath, "plugin");
+  ensureDir(pluginDir);
+
+  const pkgPath = path.join(ROOT, "package.json");
+  const pkg = fs.existsSync(pkgPath)
+    ? JSON.parse(fs.readFileSync(pkgPath, "utf-8"))
+    : { version: "0.0.0" };
+
+  const personas: PluginManifest["personas"] = [];
+  const traitEntries: PluginManifest["traits"] = [];
+  const hookEntries: PluginManifest["hooks"] = [];
+  const ruleEntries: PluginManifest["rules"] = [];
+
+  // Copy agents and skills from claude output
+  const claudeCorePath = path.join(distPath, "claude", "core");
+
+  // Agents
+  const agentsDir = path.join(claudeCorePath, "agents");
+  const pluginAgentsDir = path.join(pluginDir, "agents");
+  if (fs.existsSync(agentsDir)) {
+    ensureDir(pluginAgentsDir);
+    for (const file of fs.readdirSync(agentsDir)) {
+      fs.copyFileSync(path.join(agentsDir, file), path.join(pluginAgentsDir, file));
+    }
+  }
+
+  // Skills
+  const skillsDir = path.join(claudeCorePath, "skills");
+  const pluginSkillsDir = path.join(pluginDir, "skills");
+  if (fs.existsSync(skillsDir)) {
+    ensureDir(pluginSkillsDir);
+    for (const skillFolder of fs.readdirSync(skillsDir)) {
+      const src = path.join(skillsDir, skillFolder);
+      if (fs.statSync(src).isDirectory()) {
+        const dest = path.join(pluginSkillsDir, skillFolder);
+        ensureDir(dest);
+        for (const file of fs.readdirSync(src)) {
+          fs.copyFileSync(path.join(src, file), path.join(dest, file));
+        }
+      }
+    }
+  }
+
+  // Traits
+  const pluginTraitsDir = path.join(pluginDir, "traits");
+  ensureDir(pluginTraitsDir);
+  for (const [name, trait] of traits) {
+    fs.writeFileSync(path.join(pluginTraitsDir, `${name}.md`), trait.content, "utf-8");
+    traitEntries.push({ id: name, path: `traits/${name}.md` });
+  }
+
+  // Rules
+  const rulesDir = path.join(claudeCorePath, "rules");
+  const pluginRulesDir = path.join(pluginDir, "rules");
+  if (fs.existsSync(rulesDir)) {
+    ensureDir(pluginRulesDir);
+    for (const file of fs.readdirSync(rulesDir)) {
+      fs.copyFileSync(path.join(rulesDir, file), path.join(pluginRulesDir, file));
+      ruleEntries.push({ path: `rules/${file}` });
+    }
+  }
+
+  // Hooks directory (compliance hooks go here)
+  const pluginHooksDir = path.join(pluginDir, "hooks");
+  ensureDir(pluginHooksDir);
+
+  // Build persona entries
+  for (const result of allResults.filter((r) => r.platforms.length > 0 && r.scope === "core")) {
+    const personaConfigPath = path.join(personasBaseDir, result.persona, "persona.config.json");
+    let pc: PersonaConfig | null = null;
+    if (fs.existsSync(personaConfigPath)) {
+      try {
+        pc = JSON.parse(fs.readFileSync(personaConfigPath, "utf-8")) as PersonaConfig;
+      } catch { /* skip */ }
+    }
+
+    const invocation = pc?.invocation ?? `/${result.persona}`;
+    const skillName = invocation.replace(/^\//, "");
+
+    personas.push({
+      id: result.persona,
+      name: pc?.name ?? result.persona,
+      description: pc?.description ?? "",
+      model: pc?.model,
+      agent_path: `agents/${result.persona}.md`,
+      skill_path: `skills/${skillName}/SKILL.md`,
+    });
+  }
+
+  // Generate plugin.json
+  const pluginManifest: PluginManifest = {
+    name: `@${config.org}/${config.org}-personas`,
+    version: pkg.version,
+    description: `Agentic personas for ${config.orgDisplayName ?? config.org}`,
+    author: config.orgDisplayName ?? config.org,
+    license: "Apache-2.0",
+    agentboot_version: pkg.version,
+    personas,
+    traits: traitEntries,
+    hooks: hookEntries.length > 0 ? hookEntries : undefined,
+    rules: ruleEntries.length > 0 ? ruleEntries : undefined,
+  };
+
+  fs.writeFileSync(
+    path.join(pluginDir, "plugin.json"),
+    JSON.stringify(pluginManifest, null, 2) + "\n",
+    "utf-8"
+  );
+
+  log(chalk.gray(`  → Plugin output written to dist/plugin/`));
+}
+
+// ---------------------------------------------------------------------------
+// AB-59/60/63: Compliance & audit trail hook generation
+// ---------------------------------------------------------------------------
+
+function generateComplianceHooks(
+  config: AgentBootConfig,
+  distPath: string,
+  scopePath: string
+): void {
+  const hooksDir = path.join(distPath, "claude", scopePath, "hooks");
+  ensureDir(hooksDir);
+
+  // AB-59: Input scanning hook (UserPromptSubmit)
+  // S4 fix: use printf instead of echo to avoid flag interpretation
+  // S5 fix: add set -uo pipefail and jq dependency check
+  // Note: -e intentionally omitted because grep -q returns 1 on no-match
+  const inputScanHook = `#!/bin/bash
+# AgentBoot compliance hook — input scanning (AB-59)
+# Event: UserPromptSubmit
+# Generated by AgentBoot. Do not edit manually.
+
+set -uo pipefail
+command -v jq >/dev/null 2>&1 || { echo '{"decision":"block","reason":"AgentBoot: jq is required for input scanning"}'; exit 2; }
+
+INPUT=$(cat)
+PROMPT=$(printf '%s' "$INPUT" | jq -r '.prompt // empty') || { echo '{"decision":"block","reason":"AgentBoot: Failed to parse hook input"}'; exit 2; }
+
+# Scan for potential credential leaks in prompts
+PATTERNS=(
+  'password[[:space:]]*[:=]'
+  'api[_-]?key[[:space:]]*[:=]'
+  'secret[[:space:]]*[:=]'
+  'token[[:space:]]*[:=]'
+  'AKIA[A-Z0-9]{16}'
+  'sk-[a-zA-Z0-9]{20,}'
+  'ghp_[a-zA-Z0-9]{36}'
+  'xox[bp]-[a-zA-Z0-9-]+'
+  'sk_live_[a-zA-Z0-9]+'
+  'BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY'
+)
+
+for pattern in "\${PATTERNS[@]}"; do
+  if printf '%s' "$PROMPT" | grep -qiE "$pattern"; then
+    echo '{"decision":"block","reason":"AgentBoot: Potential credential detected in prompt. Remove secrets before proceeding."}'
+    exit 2
+  fi
+done
+
+exit 0
+`;
+
+  // AB-60: Output scanning hook (Stop)
+  const outputScanHook = `#!/bin/bash
+# AgentBoot compliance hook — output scanning (AB-60)
+# Event: Stop
+# Generated by AgentBoot. Do not edit manually.
+
+set -uo pipefail
+command -v jq >/dev/null 2>&1 || exit 0
+
+INPUT=$(cat)
+RESPONSE=$(printf '%s' "$INPUT" | jq -r '.response // empty') || exit 0
+
+# Scan for accidental credential exposure in output
+PATTERNS=(
+  'AKIA[A-Z0-9]{16}'
+  'sk-[a-zA-Z0-9]{20,}'
+  'ghp_[a-zA-Z0-9]{36}'
+  'eyJ[a-zA-Z0-9_-]{10,}\\.eyJ'
+  'xox[bp]-[a-zA-Z0-9-]+'
+  'sk_live_[a-zA-Z0-9]+'
+  'BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY'
+)
+
+for pattern in "\${PATTERNS[@]}"; do
+  if printf '%s' "$RESPONSE" | grep -qiE "$pattern"; then
+    echo "AgentBoot WARNING: Potential credential in output — review before sharing" >&2
+  fi
+done
+
+exit 0
+`;
+
+  // AB-63: Audit trail hook (SubagentStart/Stop, PostToolUse, SessionEnd)
+  // S1 fix: use jq for safe JSON construction (no shell interpolation)
+  // S2 fix: validate and sanitize telemetry.logPath
+  let rawLogPath = config.telemetry?.logPath ?? "$HOME/.agentboot/telemetry.ndjson";
+  // Normalize ~ to $HOME (~ is not expanded inside bash variable defaults)
+  rawLogPath = rawLogPath.replace(/^~\//, "$HOME/");
+  // Always reject path traversal
+  if (/\.\./.test(rawLogPath)) {
+    log(chalk.red(`  ✗ telemetry.logPath contains path traversal: ${rawLogPath}`));
+    log(chalk.red(`    Use a simple path like ~/.agentboot/telemetry.ndjson`));
+    process.exit(1);
+  }
+  // Reject shell metacharacters, exempting only a leading $HOME
+  const pathWithoutHome = rawLogPath.replace(/^\$HOME/, "");
+  if (/[`$|;&\n]/.test(pathWithoutHome)) {
+    log(chalk.red(`  ✗ telemetry.logPath contains unsafe shell characters: ${rawLogPath}`));
+    log(chalk.red(`    Use a simple path like ~/.agentboot/telemetry.ndjson`));
+    process.exit(1);
+  }
+
+  const includeDevId = config.telemetry?.includeDevId ?? false;
+
+  let devIdBlock = "";
+  if (includeDevId === "hashed") {
+    devIdBlock = `DEV_ID=$(git config user.email 2>/dev/null | shasum -a 256 | cut -d' ' -f1)`;
+  } else if (includeDevId === "email") {
+    log(chalk.yellow(`  ⚠ telemetry.includeDevId is "email" — raw emails will be in telemetry logs. Consider "hashed" for privacy.`));
+    devIdBlock = `DEV_ID=$(git config user.email 2>/dev/null || echo "unknown")`;
+  } else {
+    devIdBlock = `DEV_ID=""`;
+  }
+
+  const auditTrailHook = `#!/bin/bash
+# AgentBoot audit trail hook (AB-63)
+# Events: SubagentStart, SubagentStop, PostToolUse, SessionEnd
+# Generated by AgentBoot. Do not edit manually.
+
+command -v jq >/dev/null 2>&1 || exit 0
+
+TELEMETRY_LOG="\${AGENTBOOT_TELEMETRY_LOG:-${rawLogPath}}"
+umask 077
+mkdir -p "$(dirname "$TELEMETRY_LOG")"
+
+INPUT=$(cat)
+EVENT_NAME=$(printf '%s' "$INPUT" | jq -r '.hook_event_name // empty')
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+${devIdBlock}
+
+# Use jq for safe JSON construction — prevents shell injection via agent_type/tool_name
+case "$EVENT_NAME" in
+  SubagentStart)
+    printf '%s' "$INPUT" | jq -c --arg ts "$TIMESTAMP" --arg status "started" --arg dev "$DEV_ID" \\
+      '{event:"persona_invocation",persona_id:.agent_type,timestamp:$ts,status:$status,dev_id:$dev}' >> "$TELEMETRY_LOG"
+    ;;
+  SubagentStop)
+    printf '%s' "$INPUT" | jq -c --arg ts "$TIMESTAMP" --arg status "completed" --arg dev "$DEV_ID" \\
+      '{event:"persona_invocation",persona_id:.agent_type,timestamp:$ts,status:$status,dev_id:$dev}' >> "$TELEMETRY_LOG"
+    ;;
+  PostToolUse)
+    printf '%s' "$INPUT" | jq -c --arg ts "$TIMESTAMP" --arg dev "$DEV_ID" \\
+      '{event:"hook_execution",persona_id:.agent_type,tool_name:.tool_name,timestamp:$ts,dev_id:$dev}' >> "$TELEMETRY_LOG"
+    ;;
+  SessionEnd)
+    jq -n -c --arg ts "$TIMESTAMP" --arg dev "$DEV_ID" \\
+      '{event:"session_summary",timestamp:$ts,dev_id:$dev}' >> "$TELEMETRY_LOG"
+    ;;
+esac
+
+exit 0
+`;
+
+  fs.writeFileSync(path.join(hooksDir, "agentboot-input-scan.sh"), inputScanHook, { mode: 0o755 });
+  fs.writeFileSync(path.join(hooksDir, "agentboot-output-scan.sh"), outputScanHook, { mode: 0o755 });
+  fs.writeFileSync(path.join(hooksDir, "agentboot-telemetry.sh"), auditTrailHook, { mode: 0o755 });
+
+  // Also generate the plugin hooks
+  const pluginHooksDir = path.join(distPath, "plugin", "hooks");
+  if (fs.existsSync(path.join(distPath, "plugin"))) {
+    ensureDir(pluginHooksDir);
+    fs.writeFileSync(path.join(pluginHooksDir, "agentboot-input-scan.sh"), inputScanHook, { mode: 0o755 });
+    fs.writeFileSync(path.join(pluginHooksDir, "agentboot-output-scan.sh"), outputScanHook, { mode: 0o755 });
+    fs.writeFileSync(path.join(pluginHooksDir, "agentboot-telemetry.sh"), auditTrailHook, { mode: 0o755 });
+  }
+
+  log(chalk.gray(`  → Compliance hooks written (input-scan, output-scan, telemetry)`));
+}
+
+// ---------------------------------------------------------------------------
+// AB-59/60/63: Generate settings.json hooks entries for compliance
+// ---------------------------------------------------------------------------
+
+function generateComplianceSettingsJson(
+  _config: AgentBootConfig,
+  distPath: string,
+  scopePath: string
+): void {
+  // Read existing settings.json if any, merge compliance hooks into it
+  const settingsPath = path.join(distPath, "claude", scopePath, "settings.json");
+  let settings: Record<string, unknown> = {};
+  if (fs.existsSync(settingsPath)) {
+    try {
+      settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+    } catch { /* start fresh */ }
+  }
+
+  const hooks = (settings["hooks"] ?? {}) as Record<string, unknown>;
+
+  // B1 fix: append compliance hooks instead of overwriting user-defined hooks
+  const appendHook = (event: string, entry: unknown) => {
+    hooks[event] = [
+      ...(Array.isArray(hooks[event]) ? hooks[event] as unknown[] : []),
+      entry,
+    ];
+  };
+
+  // AB-59: Input scanning
+  appendHook("UserPromptSubmit", {
+    matcher: "",
+    hooks: [{ type: "command", command: ".claude/hooks/agentboot-input-scan.sh", timeout: 5000 }],
+  });
+
+  // AB-60: Output scanning
+  appendHook("Stop", {
+    matcher: "",
+    hooks: [{ type: "command", command: ".claude/hooks/agentboot-output-scan.sh", timeout: 5000, async: true }],
+  });
+
+  // AB-63: Audit trail
+  appendHook("SubagentStart", {
+    matcher: "",
+    hooks: [{ type: "command", command: ".claude/hooks/agentboot-telemetry.sh", timeout: 3000, async: true }],
+  });
+  appendHook("SubagentStop", {
+    matcher: "",
+    hooks: [{ type: "command", command: ".claude/hooks/agentboot-telemetry.sh", timeout: 3000, async: true }],
+  });
+  appendHook("PostToolUse", {
+    matcher: "Edit|Write|Bash",
+    hooks: [{ type: "command", command: ".claude/hooks/agentboot-telemetry.sh", timeout: 3000, async: true }],
+  });
+  // B3 fix: register SessionEnd (matches the case in telemetry hook script)
+  appendHook("SessionEnd", {
+    matcher: "",
+    hooks: [{ type: "command", command: ".claude/hooks/agentboot-telemetry.sh", timeout: 3000, async: true }],
+  });
+
+  settings["hooks"] = hooks;
+  fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n", "utf-8");
+}
+
+// ---------------------------------------------------------------------------
+// AB-64: Telemetry NDJSON schema file
+// ---------------------------------------------------------------------------
+
+function generateTelemetrySchema(distPath: string): void {
+  const schema = {
+    $schema: "http://json-schema.org/draft-07/schema#",
+    $id: "https://agentboot.dev/schema/telemetry-event/v1",
+    title: "AgentBoot Telemetry Event",
+    type: "object",
+    required: ["event", "persona_id", "timestamp"],
+    properties: {
+      event: {
+        type: "string",
+        enum: ["persona_invocation", "persona_error", "hook_execution", "session_summary"],
+        description: "Event type",
+      },
+      persona_id: { type: "string", description: "Persona identifier" },
+      persona_version: { type: "string", description: "Persona version" },
+      model: { type: "string", description: "Model used" },
+      scope: { type: "string", description: "Scope path: 'org:group:team'" },
+      input_tokens: { type: "integer" },
+      output_tokens: { type: "integer" },
+      thinking_tokens: { type: "integer" },
+      tool_calls: { type: "integer" },
+      duration_ms: { type: "integer" },
+      cost_usd: { type: "number" },
+      findings_count: {
+        type: "object",
+        properties: {
+          CRITICAL: { type: "integer" },
+          ERROR: { type: "integer" },
+          WARN: { type: "integer" },
+          INFO: { type: "integer" },
+        },
+      },
+      suggestions: { type: "integer" },
+      timestamp: { type: "string", format: "date-time" },
+      session_id: { type: "string" },
+      dev_id: { type: "string", description: "Developer identifier (hashed or email per config)" },
+      status: { type: "string", enum: ["started", "completed", "error"] },
+      tool_name: { type: "string", description: "Tool name for hook_execution events" },
+    },
+  };
+
+  const schemaDir = path.join(distPath, "schema");
+  ensureDir(schemaDir);
+  fs.writeFileSync(
+    path.join(schemaDir, "telemetry-event.v1.json"),
+    JSON.stringify(schema, null, 2) + "\n",
+    "utf-8"
+  );
+  log(chalk.gray(`  → Telemetry schema written to dist/schema/`));
+}
+
+// ---------------------------------------------------------------------------
+// AB-61: Managed settings artifact generation
+// ---------------------------------------------------------------------------
+
+function generateManagedSettings(config: AgentBootConfig, distPath: string): void {
+  const managed = config.managed;
+  if (!managed?.enabled) return;
+
+  log(chalk.cyan("\nGenerating managed settings..."));
+
+  const managedDir = path.join(distPath, "managed");
+  ensureDir(managedDir);
+
+  // Managed settings carry HARD guardrails only
+  const managedSettings: Record<string, unknown> = {};
+
+  // Permissions: deny dangerous tools
+  if (managed.guardrails?.denyTools && managed.guardrails.denyTools.length > 0) {
+    managedSettings["permissions"] = {
+      deny: managed.guardrails.denyTools,
+    };
+  }
+
+  // Force audit logging
+  if (managed.guardrails?.requireAuditLog) {
+    managedSettings["hooks"] = {
+      SubagentStart: [
+        {
+          matcher: "",
+          hooks: [{ type: "command", command: ".claude/hooks/agentboot-telemetry.sh", timeout: 3000, async: true }],
+        },
+      ],
+      SubagentStop: [
+        {
+          matcher: "",
+          hooks: [{ type: "command", command: ".claude/hooks/agentboot-telemetry.sh", timeout: 3000, async: true }],
+        },
+      ],
+    };
+  }
+
+  fs.writeFileSync(
+    path.join(managedDir, "managed-settings.json"),
+    JSON.stringify(managedSettings, null, 2) + "\n",
+    "utf-8"
+  );
+
+  // Managed CLAUDE.md (minimal, HARD guardrails only)
+  const managedClaudeMd = [
+    `# ${config.orgDisplayName ?? config.org} — Managed Configuration`,
+    "",
+    "<!-- Managed by IT. Do not modify. -->",
+    "",
+    "This configuration is enforced by your organization's IT policy.",
+    "Contact your platform team for changes.",
+    "",
+  ].join("\n");
+
+  fs.writeFileSync(path.join(managedDir, "CLAUDE.md"), managedClaudeMd, "utf-8");
+
+  // MCP config if needed
+  if (config.claude?.mcpServers) {
+    fs.writeFileSync(
+      path.join(managedDir, "managed-mcp.json"),
+      JSON.stringify({ mcpServers: config.claude.mcpServers }, null, 2) + "\n",
+      "utf-8"
+    );
+  }
+
+  // Output path guidance
+  const platformPaths: Record<string, string> = {
+    jamf: "/Library/Application Support/Claude/",
+    intune: "C:\\ProgramData\\Claude\\",
+    jumpcloud: "/etc/claude-code/",
+    kandji: "/Library/Application Support/Claude/",
+    other: "./managed-output/",
+  };
+  const platform = managed.platform ?? "other";
+  const targetPath = platformPaths[platform] ?? platformPaths["other"];
+
+  log(chalk.gray(`  → Managed settings written to dist/managed/`));
+  log(chalk.gray(`  → Target MDM path: ${targetPath}`));
+}
+
 // ---------------------------------------------------------------------------
 // Main entry point
 // ---------------------------------------------------------------------------
@@ -744,14 +1345,25 @@ function main(): void {
   const coreTraitsDir = path.join(coreDir, "traits");
   const coreInstructionsDir = path.join(coreDir, "instructions");
 
-  const validFormats = ["skill", "claude", "copilot"];
-  const outputFormats = config.personas?.outputFormats ?? validFormats;
+  const validFormats = ["skill", "claude", "copilot", "plugin"];
+  const outputFormats = config.personas?.outputFormats ?? ["skill", "claude", "copilot"];
   const unknownFormats = outputFormats.filter((f) => !validFormats.includes(f));
   if (unknownFormats.length > 0) {
     console.error(chalk.red(`Unknown output format(s): ${unknownFormats.join(", ")}. Valid: ${validFormats.join(", ")}`));
     process.exit(1);
   }
 
+  // AB-88: Resolve N-tier scope tree
+  // B13 fix: warn if both groups and nodes defined
+  if (config.groups && config.nodes) {
+    log(chalk.yellow("  ⚠ Both 'groups' and 'nodes' defined — 'nodes' takes precedence. Remove 'groups' to suppress this warning."));
+  }
+  const scopeNodes = config.nodes
+    ? config.nodes
+    : config.groups
+      ? groupsToNodes(config.groups)
+      : undefined;
+
   // Load traits.
   const enabledTraits = config.traits?.enabled;
   const traits = loadTraits(coreTraitsDir, enabledTraits);
@@ -877,104 +1489,119 @@ function main(): void {
   }
 
   // ---------------------------------------------------------------------------
-  // 2. Compile group-level overrides → dist/{platform}/groups/{group}/{persona}/
+  // 2. Compile scope nodes (AB-88: N-tier replaces flat groups/teams)
+  //    Also provides backward compat with legacy groups/teams config.
   // ---------------------------------------------------------------------------
 
-  if (config.groups) {
-    log(chalk.cyan("\nCompiling group-level personas..."));
-
-    for (const groupName of Object.keys(config.groups)) {
-      const groupPersonasDir = path.join(ROOT, "groups", groupName, "personas");
-
-      if (!fs.existsSync(groupPersonasDir)) {
-        continue;
-      }
-
-      const groupPersonaDirs = fs.readdirSync(groupPersonasDir).filter((entry) =>
-        fs.statSync(path.join(groupPersonasDir, entry)).isDirectory()
+  if (scopeNodes) {
+    log(chalk.cyan("\nCompiling scope nodes..."));
+    const flatNodes = flattenNodes(scopeNodes);
+    let nodePersonasFound = false;
+
+    for (const { path: nodePath } of flatNodes) {
+      // Look for personas at nodes/{path}/personas/
+      const nodePersonasDir = path.join(ROOT, "nodes", nodePath, "personas");
+
+      // Also check legacy paths: groups/{name}/personas/ and teams/{group}/{team}/personas/
+      const parts = nodePath.split("/");
+      const legacyGroupDir = parts.length === 1
+        ? path.join(ROOT, "groups", parts[0]!, "personas")
+        : undefined;
+      const legacyTeamDir = parts.length === 2
+        ? path.join(ROOT, "teams", parts[0]!, parts[1]!, "personas")
+        : undefined;
+
+      const personasDir = fs.existsSync(nodePersonasDir)
+        ? nodePersonasDir
+        : legacyGroupDir && fs.existsSync(legacyGroupDir)
+          ? legacyGroupDir
+          : legacyTeamDir && fs.existsSync(legacyTeamDir)
+            ? legacyTeamDir
+            : null;
+
+      if (!personasDir) continue;
+
+      nodePersonasFound = true;
+      const nodePersonaDirs = fs.readdirSync(personasDir).filter((entry) =>
+        fs.statSync(path.join(personasDir, entry)).isDirectory()
       );
 
-      for (const personaName of groupPersonaDirs) {
+      for (const personaName of nodePersonaDirs) {
         if (enabledPersonas && !enabledPersonas.includes(personaName)) {
           continue;
         }
 
-        const personaDir = path.join(groupPersonasDir, personaName);
+        const personaDir = path.join(personasDir, personaName);
+        // Use first part as group name, second as team name for trait resolution
+        const groupName = parts[0];
+        const teamName = parts.length >= 2 ? parts[parts.length - 1] : undefined;
+
         const result = compilePersona(
           personaName,
           personaDir,
           traits,
           config,
           distPath,
-          `groups/${groupName}`,
-          groupName
+          `nodes/${nodePath}`,
+          groupName,
+          teamName
         );
         allResults.push(result);
-        log(`  ${chalk.green("✓")} ${groupName}/${personaName}`);
+        log(`  ${chalk.green("✓")} ${nodePath}/${personaName}`);
       }
     }
+
+    if (!nodePersonasFound) {
+      log(chalk.gray("  (no node-level overrides found)"));
+    }
   }
 
   // ---------------------------------------------------------------------------
-  // 3. Compile team-level overrides → dist/{platform}/teams/{group}/{team}/{persona}/
+  // 2b. AB-53: Compile domain layers
   // ---------------------------------------------------------------------------
 
-  if (config.groups) {
-    log(chalk.cyan("\nCompiling team-level personas..."));
-    let teamPersonasFound = false;
+  const domainResults = compileDomains(config, configDir, distPath, traits, outputFormats);
+  allResults.push(...domainResults);
 
-    for (const groupName of Object.keys(config.groups)) {
-      const teams = config.groups[groupName]!.teams ?? [];
+  // ---------------------------------------------------------------------------
+  // 4. Generate PERSONAS.md index in each platform
+  // ---------------------------------------------------------------------------
 
-      for (const teamName of teams) {
-        const teamPersonasDir = path.join(ROOT, "teams", groupName, teamName, "personas");
+  generatePersonasIndex(allResults, config, corePersonasDir, distPath, "core", outputFormats);
+  log(chalk.gray("\n  → PERSONAS.md written to each platform"));
 
-        if (!fs.existsSync(teamPersonasDir)) {
-          continue;
-        }
+  // ---------------------------------------------------------------------------
+  // 5. AB-57: Plugin output generation
+  // ---------------------------------------------------------------------------
 
-        teamPersonasFound = true;
+  // B5 fix: Only generate plugin output when claude format is active (plugin is always derived from claude)
+  if (outputFormats.includes("claude")) {
+    generatePluginOutput(config, distPath, allResults, corePersonasDir, traits);
+  }
 
-        const teamPersonaDirs = fs.readdirSync(teamPersonasDir).filter((entry) =>
-          fs.statSync(path.join(teamPersonasDir, entry)).isDirectory()
-        );
+  // ---------------------------------------------------------------------------
+  // 6. AB-59/60/63: Compliance & audit trail hooks
+  // ---------------------------------------------------------------------------
 
-        for (const personaName of teamPersonaDirs) {
-          if (enabledPersonas && !enabledPersonas.includes(personaName)) {
-            continue;
-          }
+  if (outputFormats.includes("claude")) {
+    generateComplianceHooks(config, distPath, "core");
+    generateComplianceSettingsJson(config, distPath, "core");
+  }
 
-          const personaDir = path.join(teamPersonasDir, personaName);
-          const result = compilePersona(
-            personaName,
-            personaDir,
-            traits,
-            config,
-            distPath,
-            `teams/${groupName}/${teamName}`,  // scopePath → dist/{platform}/teams/{group}/{team}/{persona}/
-            groupName,
-            teamName
-          );
-          allResults.push(result);
-          log(`  ${chalk.green("✓")} ${groupName}/${teamName}/${personaName}`);
-        }
-      }
-    }
+  // ---------------------------------------------------------------------------
+  // 7. AB-64: Telemetry NDJSON schema
+  // ---------------------------------------------------------------------------
 
-    if (!teamPersonasFound) {
-      log(chalk.gray("  (no team-level overrides found)"));
-    }
-  }
+  generateTelemetrySchema(distPath);
 
   // ---------------------------------------------------------------------------
-  // 4. Generate PERSONAS.md index in each platform
+  // 8. AB-61: Managed settings
   // ---------------------------------------------------------------------------
 
-  generatePersonasIndex(allResults, config, corePersonasDir, distPath, "core", outputFormats);
-  log(chalk.gray("\n  → PERSONAS.md written to each platform"));
+  generateManagedSettings(config, distPath);
 
   // ---------------------------------------------------------------------------
-  // 5. AB-25: Token budget estimation
+  // 9. AB-25: Token budget estimation
   // ---------------------------------------------------------------------------
 
   const tokenBudget = config.output?.tokenBudget?.warnAt ?? 8000;
@@ -1003,7 +1630,6 @@ function main(): void {
   // ---------------------------------------------------------------------------
 
   const successCount = allResults.filter((r) => r.platforms.length > 0).length;
-  const platformCount = allResults.reduce((acc, r) => acc + r.platforms.length, 0);
 
   log(
     chalk.bold(