agentic-orchestrator 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (108) hide show
  1. package/.claude/settings.local.json +6 -1
  2. package/README.md +81 -54
  3. package/agentic/orchestrator/defaults/policy.defaults.yaml +212 -0
  4. package/agentic/orchestrator/schemas/adapters.schema.json +17 -4
  5. package/agentic/orchestrator/schemas/agents.schema.json +58 -13
  6. package/agentic/orchestrator/schemas/gates.schema.json +88 -17
  7. package/agentic/orchestrator/schemas/index.schema.json +172 -37
  8. package/agentic/orchestrator/schemas/multi-project.schema.json +85 -17
  9. package/agentic/orchestrator/schemas/plan.schema.json +135 -30
  10. package/agentic/orchestrator/schemas/policy.schema.json +198 -69
  11. package/agentic/orchestrator/schemas/policy.user.schema.json +165 -0
  12. package/agentic/orchestrator/schemas/qa_test_index.schema.json +71 -14
  13. package/agentic/orchestrator/schemas/state.schema.json +196 -39
  14. package/apps/control-plane/scripts/validate-architecture-rules.mjs +5 -3
  15. package/apps/control-plane/scripts/validate-docker-mcp-contract.mjs +0 -3
  16. package/apps/control-plane/scripts/validate-mcp-contracts.ts +2 -6
  17. package/apps/control-plane/src/application/services/policy-loader-service.ts +115 -0
  18. package/apps/control-plane/src/cli/aop.ts +35 -1
  19. package/apps/control-plane/src/cli/cli-argument-parser.ts +4 -0
  20. package/apps/control-plane/src/cli/help-command-handler.ts +2 -1
  21. package/apps/control-plane/src/cli/init-command-handler.ts +136 -27
  22. package/apps/control-plane/src/cli/retry-command-handler.ts +3 -6
  23. package/apps/control-plane/src/cli/types.ts +1 -0
  24. package/apps/control-plane/src/core/git.ts +1 -3
  25. package/apps/control-plane/src/core/kernel.ts +3 -6
  26. package/apps/control-plane/src/core/schemas.ts +36 -1
  27. package/apps/control-plane/src/interfaces/cli/bootstrap.ts +1 -1
  28. package/apps/control-plane/src/mcp/tool-registry-loader.ts +37 -1
  29. package/apps/control-plane/src/supervisor/qa-wave-executor.ts +1 -1
  30. package/apps/control-plane/test/aop.spec.ts +37 -0
  31. package/apps/control-plane/test/batch-operations.spec.ts +5 -3
  32. package/apps/control-plane/test/bootstrap-attach.spec.ts +28 -18
  33. package/apps/control-plane/test/bootstrap-edge-cases.spec.ts +25 -15
  34. package/apps/control-plane/test/bootstrap.spec.ts +30 -22
  35. package/apps/control-plane/test/cli.unit.spec.ts +55 -10
  36. package/apps/control-plane/test/core-utils.spec.ts +12 -3
  37. package/apps/control-plane/test/feature-deletion-service.spec.ts +2 -1
  38. package/apps/control-plane/test/feature-lifecycle.spec.ts +1 -1
  39. package/apps/control-plane/test/helpers.ts +22 -2
  40. package/apps/control-plane/test/init-wizard.spec.ts +160 -7
  41. package/apps/control-plane/test/issue-tracker.spec.ts +3 -3
  42. package/apps/control-plane/test/kernel.spec.ts +62 -0
  43. package/apps/control-plane/test/lock-service.spec.ts +4 -4
  44. package/apps/control-plane/test/policy-loader-service.spec.ts +346 -0
  45. package/apps/control-plane/test/reactions.spec.ts +8 -6
  46. package/apps/control-plane/test/resume-command.spec.ts +31 -15
  47. package/apps/control-plane/test/supervisor.unit.spec.ts +2 -2
  48. package/apps/control-plane/test/tool-registry-loader.spec.ts +12 -0
  49. package/apps/control-plane/vitest.config.ts +1 -1
  50. package/dist/apps/control-plane/application/services/policy-loader-service.d.ts +24 -0
  51. package/dist/apps/control-plane/application/services/policy-loader-service.js +90 -0
  52. package/dist/apps/control-plane/application/services/policy-loader-service.js.map +1 -0
  53. package/dist/apps/control-plane/application/tools/tool-metadata.js +1 -0
  54. package/dist/apps/control-plane/application/tools/tool-metadata.js.map +1 -1
  55. package/dist/apps/control-plane/cli/aop.js +33 -1
  56. package/dist/apps/control-plane/cli/aop.js.map +1 -1
  57. package/dist/apps/control-plane/cli/cli-argument-parser.js +4 -0
  58. package/dist/apps/control-plane/cli/cli-argument-parser.js.map +1 -1
  59. package/dist/apps/control-plane/cli/dashboard-command-handler.js +11 -5
  60. package/dist/apps/control-plane/cli/dashboard-command-handler.js.map +1 -1
  61. package/dist/apps/control-plane/cli/help-command-handler.js +5 -4
  62. package/dist/apps/control-plane/cli/help-command-handler.js.map +1 -1
  63. package/dist/apps/control-plane/cli/init-command-handler.d.ts +1 -0
  64. package/dist/apps/control-plane/cli/init-command-handler.js +110 -26
  65. package/dist/apps/control-plane/cli/init-command-handler.js.map +1 -1
  66. package/dist/apps/control-plane/cli/retry-command-handler.js +3 -6
  67. package/dist/apps/control-plane/cli/retry-command-handler.js.map +1 -1
  68. package/dist/apps/control-plane/cli/types.d.ts +1 -0
  69. package/dist/apps/control-plane/core/git.js +1 -3
  70. package/dist/apps/control-plane/core/git.js.map +1 -1
  71. package/dist/apps/control-plane/core/kernel.js +3 -5
  72. package/dist/apps/control-plane/core/kernel.js.map +1 -1
  73. package/dist/apps/control-plane/core/schemas.d.ts +2 -0
  74. package/dist/apps/control-plane/core/schemas.js +31 -1
  75. package/dist/apps/control-plane/core/schemas.js.map +1 -1
  76. package/dist/apps/control-plane/interfaces/cli/bootstrap.js +1 -1
  77. package/dist/apps/control-plane/interfaces/cli/bootstrap.js.map +1 -1
  78. package/dist/apps/control-plane/mcp/tool-registry-loader.d.ts +2 -0
  79. package/dist/apps/control-plane/mcp/tool-registry-loader.js +31 -1
  80. package/dist/apps/control-plane/mcp/tool-registry-loader.js.map +1 -1
  81. package/dist/apps/control-plane/supervisor/build-wave-executor.js +1 -1
  82. package/dist/apps/control-plane/supervisor/build-wave-executor.js.map +1 -1
  83. package/dist/apps/control-plane/supervisor/qa-wave-executor.js +1 -1
  84. package/dist/apps/control-plane/supervisor/qa-wave-executor.js.map +1 -1
  85. package/package.json +18 -17
  86. package/packages/web-dashboard/package.json +1 -1
  87. package/packages/web-dashboard/src/app/api/actions/route.ts +2 -2
  88. package/packages/web-dashboard/src/app/api/events/route.ts +1 -1
  89. package/packages/web-dashboard/src/app/api/features/[id]/checkout/route.ts +1 -1
  90. package/packages/web-dashboard/src/app/api/features/[id]/diff/route.ts +1 -1
  91. package/packages/web-dashboard/src/app/api/features/[id]/evidence/[artifact]/route.ts +1 -1
  92. package/packages/web-dashboard/src/app/api/features/[id]/review/route.ts +2 -2
  93. package/packages/web-dashboard/src/app/api/features/[id]/route.ts +1 -1
  94. package/packages/web-dashboard/src/app/api/projects/route.ts +2 -2
  95. package/packages/web-dashboard/src/app/api/status/route.ts +1 -1
  96. package/packages/web-dashboard/src/app/page.tsx +1 -1
  97. package/packages/web-dashboard/src/lib/aop-client.ts +1 -1
  98. package/packages/web-dashboard/src/lib/orchestrator-tools.ts +1 -1
  99. package/packages/web-dashboard/tsconfig.json +1 -0
  100. package/spec-files/completed/agentic_orchestrator_init_policy_ux_simplification_spec.md +481 -0
  101. package/spec-files/outstanding/agentic_orchestrator_artifact_database_publishing_spec.md +500 -0
  102. package/spec-files/outstanding/agentic_orchestrator_observability_integrity_diagnostics_spec.md +500 -195
  103. package/spec-files/outstanding/agentic_orchestrator_performance_improvements_spec.md +471 -162
  104. package/spec-files/outstanding/agentic_orchestrator_planning_review_quality_spec.md +532 -268
  105. package/spec-files/outstanding/agentic_orchestrator_productization_commercial_spec.md +645 -0
  106. package/spec-files/progress.md +99 -2
  107. package/tsconfig.base.json +4 -0
  108. /package/spec-files/{outstanding → completed}/agentic_orchestrator_validator_hardening_spec.md +0 -0
@@ -0,0 +1,645 @@
1
+ # Feature Spec: Commercial Productization and Monetization Platform (AOP)
2
+
3
+ > **Purpose of this document**: Define a concrete, implementation-ready path to turn Agentic-Orchestrator from a strong local tool into a product customers will pay for by adding team-scale governance, hosted audit durability, enterprise identity controls, and usage-based commercial operations.
4
+
5
+ **Version:** 1.0
6
+ **Date:** 2026-03-04
7
+ **Status:** Draft (Productization Program)
8
+ **Roadmap Mapping:** M39-M44
9
+
10
+ ---
11
+
12
+ ## 0. Standards and Dependencies
13
+
14
+ ### 0.1 Required Standards
15
+
16
+ All implementation MUST preserve:
17
+ - deterministic kernel behavior and normalized error envelopes
18
+ - local execution viability when cloud/commercial services are unavailable
19
+ - MCP/in-process transport parity for tool contracts
20
+ - strict schema-driven policy evolution (`policy.schema.json`, `policy.user.schema.json`)
21
+ - architecture boundary validation and contract validation (`validate:architecture`, `validate:mcp-contracts`)
22
+
23
+ ### 0.2 Required Upstream Inputs
24
+
25
+ Implementing agents MUST read:
26
+ - `README.md`
27
+ - `spec-files/outstanding/agentic_orchestrator_quality_adoption_execution_spec.md`
28
+ - `spec-files/outstanding/agentic_orchestrator_enterprise_governance_dashboard_spec.md`
29
+ - `spec-files/outstanding/agentic_orchestrator_artifact_database_publishing_spec.md`
30
+ - `apps/control-plane/src/mcp/tool-runtime.ts`
31
+ - `apps/control-plane/src/mcp/operation-ledger.ts`
32
+ - `apps/control-plane/src/application/tools/tool-metadata.ts`
33
+ - `apps/control-plane/src/application/services/cost-tracking-service.ts`
34
+ - `apps/control-plane/src/core/kernel.ts`
35
+ - `apps/control-plane/src/core/constants.ts`
36
+ - `apps/control-plane/src/core/error-codes.ts`
37
+ - `apps/control-plane/src/cli/types.ts`
38
+ - `apps/control-plane/src/cli/cli-argument-parser.ts`
39
+ - `apps/control-plane/src/cli/help-command-handler.ts`
40
+ - `apps/control-plane/src/interfaces/cli/bootstrap.ts`
41
+ - `agentic/orchestrator/defaults/policy.defaults.yaml`
42
+ - `agentic/orchestrator/schemas/policy.schema.json`
43
+ - `agentic/orchestrator/schemas/policy.user.schema.json`
44
+ - `agentic/orchestrator/tools/catalog.json`
45
+ - `packages/web-dashboard/src/lib/aop-client.ts`
46
+ - `packages/web-dashboard/src/lib/types.ts`
47
+ - `packages/web-dashboard/src/app/page.tsx`
48
+
49
+ ### 0.3 Feature Scope
50
+
51
+ This spec implements:
52
+ - **P1** Product packaging and entitlement model
53
+ - **P2** Workspace identity and cloud connectivity (`auth`, `whoami`, workspace binding)
54
+ - **P3** Entitlement enforcement and offline cache semantics
55
+ - **P4** Usage metering and billing event pipeline
56
+ - **P5** Hosted audit history sync (building on artifact publishing)
57
+ - **P6** Team/enterprise dashboard capabilities and tenant-aware APIs
58
+
59
+ Out of scope:
60
+ - fully automated sales/CRM workflows
61
+ - payment processor selection lock-in (Stripe is default implementation target, not protocol requirement)
62
+ - replacing local `.aop/**` as source of truth
63
+
64
+ ---
65
+
66
+ ## 1. Monetization Thesis (What Customers Pay For)
67
+
68
+ ### 1.1 Free vs Paid Value Boundary
69
+
70
+ Customers do not pay for basic local orchestration. They pay for organizational risk reduction and operational scale:
71
+ - durable audit history across runs/repos/teams
72
+ - enterprise identity, authorization, and compliance evidence
73
+ - usage analytics, cost controls, and executive reporting
74
+ - managed reliability with entitlements, retention, and SLA-backed operations
75
+
76
+ ### 1.2 Product Packaging (Normative)
77
+
78
+ | Tier | Primary Buyer | Included Capabilities | Technical Gate |
79
+ |---|---|---|---|
80
+ | Community (Free) | Individual devs | Local deterministic orchestration, local dashboard, local `.aop` artifacts | `product.mode=community` |
81
+ | Team (Paid) | Eng managers | Multi-user workspace, hosted artifact retention, trend analytics, shared dashboard | `entitlements.features.team_workspace=true` |
82
+ | Enterprise (Paid) | Platform/security | SSO/SAML/OIDC, SCIM, compliance exports, policy packs, long retention, private deployment | `entitlements.features.enterprise_controls=true` |
83
+
84
+ ### 1.3 Billable Dimensions
85
+
86
+ Billing MUST be derivable from deterministic metering events:
87
+ - `active_seats` (distinct active users per billing period)
88
+ - `orchestrated_runs` (count of completed run IDs)
89
+ - `artifact_storage_gb_month` (hosted storage footprint)
90
+ - `artifact_retention_days` (retention tier)
91
+ - optional overage dimension: `tool_invocations` beyond plan allowance
92
+
93
+ ---
94
+
95
+ ## 2. Architectural Critique of Current State
96
+
97
+ 1. **No tenancy model**
98
+ - Current runtime is repository-local with no first-class `organization/workspace/project` contract.
99
+ - Result: no customer/account boundary for paid features.
100
+
101
+ 2. **No entitlement boundary in tool execution path**
102
+ - `ToolRuntime.callTool()` enforces RBAC and schema, but not plan/tier entitlements.
103
+ - Result: no deterministic paid feature gate.
104
+
105
+ 3. **No canonical usage-metering stream for billing**
106
+ - Cost tracking exists per feature, but there is no auditable, periodized commercial usage event model.
107
+ - Result: cannot invoice reliably.
108
+
109
+ 4. **Dashboard is filesystem-local and single-tenant**
110
+ - Dashboard reads `.aop/**` directly via local API routes.
111
+ - Result: cannot support paid multi-user workspace analytics without a hosted backend.
112
+
113
+ 5. **No customer auth lifecycle in CLI**
114
+ - CLI has no login/whoami/workspace binding flow.
115
+ - Result: no secure binding to subscription and entitlements.
116
+
117
+ 6. **Artifact persistence exists but is not yet monetization-connected**
118
+ - Artifact publishing spec exists, but not tied to product plans, retention SKUs, or workspace-level access.
119
+ - Result: technical capability without commercial control plane.
120
+
121
+ ---
122
+
123
+ ## 3. Target Product Architecture
124
+
125
+ ### 3.1 Architecture Summary
126
+
127
+ Retain the current deterministic local control-plane as execution engine. Add an optional commercial control hub and sync plane.
128
+
129
+ 1. **Local Execution Plane (existing, enhanced)**
130
+ - Runs orchestrator and writes canonical `.aop/**` artifacts.
131
+ - Emits usage events and optional cloud-sync batches.
132
+
133
+ 2. **Commercial Control Hub (new)**
134
+ - Multi-tenant API for auth, workspaces, entitlements, usage ingest, artifact indexing, and billing summaries.
135
+ - Can be hosted SaaS or self-hosted enterprise deployment.
136
+
137
+ 3. **Entitlement Cache Layer (new, local)**
138
+ - Local signed entitlement snapshot with TTL + grace behavior.
139
+ - Ensures paid features can be enforced deterministically even during temporary cloud outages.
140
+
141
+ 4. **Billing/Metering Pipeline (new)**
142
+ - Usage event ingestion -> aggregation -> invoice line item derivation.
143
+
144
+ ### 3.2 Non-Negotiable Boundary Rules
145
+
146
+ - Core free orchestration (`run`, local gates, local artifacts) MUST remain functional without cloud.
147
+ - Paid-only features MUST fail with explicit entitlement errors, never silent downgrades.
148
+ - Entitlement and usage calculations MUST be deterministic from persisted events.
149
+ - Billing logic MUST never mutate execution outcomes retroactively.
150
+
151
+ ---
152
+
153
+ ## 4. Contracts and Schema Deltas
154
+
155
+ ## 4.1 Policy Extensions (Defaults + User Schema + Full Schema)
156
+
157
+ Add:
158
+
159
+ ```yaml
160
+ innovation:
161
+ commercial_productization: false
162
+
163
+ product:
164
+ mode: community # community | team | enterprise
165
+ cloud:
166
+ enabled: false
167
+ endpoint: ""
168
+ workspace_id: ""
169
+ api_token_env: AOP_CLOUD_API_TOKEN
170
+ sync_mode: best_effort # best_effort | required
171
+ sync_triggers:
172
+ - post_run # post_run | manual
173
+ entitlements:
174
+ enabled: false
175
+ cache_ttl_seconds: 900
176
+ grace_period_hours: 168
177
+ fail_mode: grace_then_block_paid # allow_cached | grace_then_block_paid
178
+ metering:
179
+ enabled: false
180
+ flush_interval_seconds: 60
181
+ max_batch_size: 500
182
+ retention:
183
+ hosted_artifact_days: 30
184
+ ```
185
+
186
+ Normative behavior:
187
+ - all productization toggles default off
188
+ - `product.mode=community` implies no paid-only enforcement
189
+ - if `product.mode in {team, enterprise}`, `entitlements.enabled=true` is required
190
+ - `sync_mode=required` affects only paid sync operations, never base local run completion
191
+
192
+ ## 4.2 Entitlement Snapshot Contract
193
+
194
+ Path:
195
+
196
+ ```text
197
+ .aop/runtime/entitlements/cache.json
198
+ ```
199
+
200
+ Contract:
201
+
202
+ ```json
203
+ {
204
+ "workspace_id": "ws_123",
205
+ "plan": "team",
206
+ "fetched_at": "2026-03-04T10:00:00.000Z",
207
+ "expires_at": "2026-03-04T10:15:00.000Z",
208
+ "grace_expires_at": "2026-03-11T10:15:00.000Z",
209
+ "features": {
210
+ "team_workspace": true,
211
+ "hosted_audit_history": true,
212
+ "enterprise_controls": false,
213
+ "sso": false,
214
+ "scim": false
215
+ },
216
+ "limits": {
217
+ "max_seats": 25,
218
+ "max_projects": 50,
219
+ "artifact_retention_days": 30
220
+ },
221
+ "signature": "base64:..."
222
+ }
223
+ ```
224
+
225
+ Rules:
226
+ - snapshot must be signed by control hub key and verified locally
227
+ - expired snapshot inside grace can run with warning; outside grace paid features block
228
+ - missing snapshot in team/enterprise mode returns explicit entitlement error for paid operations
229
+
230
+ ## 4.3 Usage Metering Event Contract
231
+
232
+ Path:
233
+
234
+ ```text
235
+ .aop/runtime/usage/events/<run_id>.jsonl
236
+ .aop/runtime/usage/checkpoints/last_flush.json
237
+ ```
238
+
239
+ Event contract:
240
+
241
+ ```json
242
+ {
243
+ "event_id": "evt_01J...",
244
+ "ts": "2026-03-04T10:01:12.000Z",
245
+ "workspace_id": "ws_123",
246
+ "project_id": "proj_abc",
247
+ "run_id": "run:...",
248
+ "feature_id": "payment_retry_guard",
249
+ "event_type": "tool_invocation",
250
+ "dimensions": {
251
+ "tool_name": "repo.apply_patch",
252
+ "actor_type": "builder",
253
+ "result": "ok",
254
+ "latency_ms": 173
255
+ },
256
+ "billable_units": {
257
+ "tool_invocations": 1
258
+ }
259
+ }
260
+ ```
261
+
262
+ Rules:
263
+ - `event_id` must be deterministic (UUIDv7 allowed; stable dedupe key must also be emitted)
264
+ - flush must be idempotent with server-side dedupe key `(workspace_id,event_id)`
265
+ - local writes are append-only and never block core tool execution in best-effort mode
266
+
267
+ ## 4.4 Hosted Artifact Sync Contract
268
+
269
+ This extends the artifact publishing foundation into commercial product behavior.
270
+
271
+ Paths:
272
+
273
+ ```text
274
+ .aop/runtime/cloud-sync/checkpoints/<run_id>.json
275
+ .aop/runtime/cloud-sync/last_sync.json
276
+ ```
277
+
278
+ Checkpoint contract:
279
+
280
+ ```json
281
+ {
282
+ "run_id": "run:...",
283
+ "target": "control_hub",
284
+ "status": "succeeded",
285
+ "last_synced_at": "2026-03-04T10:09:00.000Z",
286
+ "artifact_count": 242,
287
+ "bytes_synced": 8172634,
288
+ "revision": 3
289
+ }
290
+ ```
291
+
292
+ ## 4.5 New Tool Surface
293
+
294
+ 1. `entitlements.get` (read-only)
295
+ - returns active entitlement snapshot and effective capability matrix.
296
+
297
+ 2. `usage.summary_get` (read-only)
298
+ - returns local and remote usage summary for current workspace/project.
299
+
300
+ 3. `artifacts.sync_remote` (mutating)
301
+ - pushes run artifacts and usage events to control hub.
302
+
303
+ 4. `billing.subscription_get` (read-only)
304
+ - returns plan, period usage, and overage status.
305
+
306
+ Required wiring for all tools:
307
+ - `apps/control-plane/src/core/constants.ts`
308
+ - `apps/control-plane/src/core/kernel.ts`
309
+ - `apps/control-plane/src/application/tools/tool-metadata.ts`
310
+ - `agentic/orchestrator/tools/catalog.json`
311
+ - `agentic/orchestrator/tools/schemas/input/*.json`
312
+ - `agentic/orchestrator/tools/schemas/output/*.json`
313
+ - RBAC in `policy.defaults.yaml`
314
+ - regenerated `agentic/orchestrator/tools.md`
315
+
316
+ ## 4.6 CLI Surface Changes
317
+
318
+ Add commands:
319
+ - `aop auth login --endpoint <url> --workspace <id> [--token-env <ENV>]`
320
+ - `aop auth whoami`
321
+ - `aop auth logout`
322
+ - `aop cloud sync [--run-id <id>|--latest] [--strict]`
323
+ - `aop usage [--period current] [--json]`
324
+ - `aop billing [--json]`
325
+
326
+ Required CLI wiring:
327
+ - `apps/control-plane/src/cli/types.ts`
328
+ - `apps/control-plane/src/cli/cli-argument-parser.ts`
329
+ - `apps/control-plane/src/cli/help-command-handler.ts`
330
+ - `apps/control-plane/src/interfaces/cli/bootstrap.ts`
331
+ - new handlers under `apps/control-plane/src/cli/*`
332
+
333
+ ## 4.7 Error Code Additions
334
+
335
+ Add to `apps/control-plane/src/core/error-codes.ts`:
336
+ - `entitlement_required`
337
+ - `entitlement_cache_missing`
338
+ - `entitlement_signature_invalid`
339
+ - `entitlement_expired`
340
+ - `cloud_auth_failed`
341
+ - `cloud_workspace_unbound`
342
+ - `cloud_sync_failed`
343
+ - `metering_flush_failed`
344
+ - `billing_overage_blocked`
345
+
346
+ ---
347
+
348
+ ## 5. Detailed Implementation Plan (Normative)
349
+
350
+ ## CP0: Contract Scaffolding and Feature Flags
351
+
352
+ ### Goals
353
+ - add policy/schema/tool/CLI scaffolding with defaults off
354
+
355
+ ### File Targets
356
+ - `agentic/orchestrator/defaults/policy.defaults.yaml`
357
+ - `agentic/orchestrator/schemas/policy.schema.json`
358
+ - `agentic/orchestrator/schemas/policy.user.schema.json`
359
+ - `apps/control-plane/src/core/constants.ts`
360
+ - `apps/control-plane/src/core/error-codes.ts`
361
+ - `agentic/orchestrator/tools/catalog.json`
362
+ - input/output schemas for new tools
363
+ - `agentic/orchestrator/tools.md`
364
+
365
+ ### Mandatory Checks
366
+ - `npm run validate:mcp-contracts`
367
+ - `npm run validate:architecture`
368
+
369
+ Exit criteria:
370
+ - policy loads with new fields
371
+ - tool catalog/schemas/docs are consistent
372
+
373
+ ---
374
+
375
+ ## CP1: Workspace Auth and Binding
376
+
377
+ ### Design
378
+
379
+ Introduce a control-hub client and local credential binding.
380
+
381
+ ### Implementation Targets
382
+ - `apps/control-plane/src/application/services/cloud-auth-service.ts` (new)
383
+ - `apps/control-plane/src/application/services/workspace-binding-service.ts` (new)
384
+ - `apps/control-plane/src/cli/auth-command-handler.ts` (new)
385
+ - `apps/control-plane/src/cli/types.ts` / parser / bootstrap wiring
386
+ - `.aop/runtime/cloud-auth/session.json` contract helper in `path-layout.ts`
387
+
388
+ ### Rules
389
+ - credentials never stored in plaintext if token env indirection exists
390
+ - `whoami` reads from validated local session + optional remote refresh
391
+ - auth failures must not break non-commercial local operations
392
+
393
+ ### Tests
394
+ - `apps/control-plane/test/cloud-auth-service.spec.ts` (new)
395
+ - `apps/control-plane/test/cli.unit.spec.ts` auth parser/help coverage
396
+
397
+ Exit criteria:
398
+ - `auth login/whoami/logout` deterministic and tested
399
+
400
+ ---
401
+
402
+ ## CP2: Entitlement Engine and Enforcement
403
+
404
+ ### Design
405
+
406
+ Enforce paid features through a central entitlement service queried by tool runtime and selected CLI paths.
407
+
408
+ ### Implementation Targets
409
+ - `apps/control-plane/src/application/services/entitlement-service.ts` (new)
410
+ - `apps/control-plane/src/mcp/tool-runtime.ts` (pre-execution entitlement gate)
411
+ - `apps/control-plane/src/application/tools/tool-metadata.ts` (required entitlement tag per paid tool)
412
+ - `apps/control-plane/src/core/kernel.ts` (tool wrappers where needed)
413
+
414
+ ### Rules
415
+ - entitlement checks apply only to paid operations
416
+ - core orchestration commands remain accessible in community mode
417
+ - grace behavior driven solely by policy + cache timestamps
418
+
419
+ ### Tests
420
+ - `apps/control-plane/test/entitlement-service.spec.ts` (new)
421
+ - extend `apps/control-plane/test/tool-runtime.spec.ts`
422
+ - extend `apps/control-plane/test/mcp.spec.ts` for entitlement failures and parity
423
+
424
+ Exit criteria:
425
+ - paid tool calls blocked deterministically when not entitled
426
+ - no regressions in community flow
427
+
428
+ ---
429
+
430
+ ## CP3: Usage Metering Pipeline
431
+
432
+ ### Design
433
+
434
+ Emit deterministic usage events from runtime boundaries and flush in batches.
435
+
436
+ ### Implementation Targets
437
+ - `apps/control-plane/src/application/services/usage-metering-service.ts` (new)
438
+ - `apps/control-plane/src/mcp/tool-runtime.ts` (tool invocation events)
439
+ - `apps/control-plane/src/supervisor/run-coordinator.ts` (run lifecycle events)
440
+ - `apps/control-plane/src/application/services/cost-tracking-service.ts` (alignment with billable dimensions)
441
+ - `apps/control-plane/src/cli/usage-command-handler.ts` (new)
442
+
443
+ ### Rules
444
+ - event writes append-only and non-blocking by default
445
+ - dedupe keys required on remote flush
446
+ - local summary always available even when cloud is unavailable
447
+
448
+ ### Tests
449
+ - `apps/control-plane/test/usage-metering-service.spec.ts` (new)
450
+ - integration test for end-to-end run event emission
451
+
452
+ Exit criteria:
453
+ - usage events generated for run start/end, tool invocations, gate execution
454
+ - local summary and remote flush both deterministic
455
+
456
+ ---
457
+
458
+ ## CP4: Hosted Artifact and Audit Sync
459
+
460
+ ### Design
461
+
462
+ Build on artifact publishing to support control-hub sync and retention-aware indexing.
463
+
464
+ ### Implementation Targets
465
+ - `apps/control-plane/src/application/services/artifact-publisher-service.ts` (extend)
466
+ - `apps/control-plane/src/application/services/cloud-sync-service.ts` (new)
467
+ - `apps/control-plane/src/cli/cloud-sync-command-handler.ts` (new)
468
+ - `apps/control-plane/src/cli/run-command-handler.ts` (post-run sync trigger)
469
+
470
+ ### Rules
471
+ - `sync_mode=best_effort` must not fail base run completion
472
+ - `sync_mode=required` fails paid sync action only, with explicit error
473
+ - checkpoints guarantee idempotent retries
474
+
475
+ ### Tests
476
+ - `apps/control-plane/test/cloud-sync-service.spec.ts` (new)
477
+ - extend run-command tests for post-run sync outcomes
478
+
479
+ Exit criteria:
480
+ - remote sync supports full run + retry without duplicate logical records
481
+
482
+ ---
483
+
484
+ ## CP5: Tenant-Aware Dashboard and Team Features
485
+
486
+ ### Design
487
+
488
+ Enable workspace-scoped views and paid analytics in dashboard APIs/UI.
489
+
490
+ ### Implementation Targets
491
+ - `packages/web-dashboard/src/lib/aop-client.ts`
492
+ - `packages/web-dashboard/src/lib/types.ts`
493
+ - `packages/web-dashboard/src/app/api/*` routes for workspace/billing/usage
494
+ - `packages/web-dashboard/src/app/page.tsx` (workspace selector, paid analytics cards)
495
+
496
+ ### Rules
497
+ - paid panels hidden when entitlement absent
498
+ - APIs enforce workspace identity server-side, not only UI checks
499
+
500
+ ### Tests
501
+ - dashboard API integration tests for workspace isolation
502
+ - UI tests for entitlement-conditioned rendering
503
+
504
+ Exit criteria:
505
+ - team dashboards show cross-run metrics and audit trend views per workspace
506
+
507
+ ---
508
+
509
+ ## CP6: Commercial Control Hub (New Service)
510
+
511
+ ### Design
512
+
513
+ Introduce a new multi-tenant backend service inside this monorepo.
514
+
515
+ ### New Workspace Targets
516
+ - `apps/control-hub-api/` (new)
517
+ - `apps/control-hub-api/src/auth/*`
518
+ - `apps/control-hub-api/src/tenancy/*`
519
+ - `apps/control-hub-api/src/entitlements/*`
520
+ - `apps/control-hub-api/src/metering/*`
521
+ - `apps/control-hub-api/src/artifacts/*`
522
+ - `apps/control-hub-api/src/billing/*`
523
+ - `apps/control-hub-api/src/db/migrations/*`
524
+
525
+ ### Minimum API Contract
526
+ - `GET /v1/whoami`
527
+ - `GET /v1/entitlements/current`
528
+ - `POST /v1/usage/events:ingest`
529
+ - `POST /v1/artifacts/sync`
530
+ - `GET /v1/billing/subscription`
531
+
532
+ ### Data Model (Minimum)
533
+ - `organizations`
534
+ - `workspaces`
535
+ - `projects`
536
+ - `memberships`
537
+ - `subscriptions`
538
+ - `entitlement_snapshots`
539
+ - `usage_events`
540
+ - `usage_aggregates`
541
+ - `artifact_runs`
542
+
543
+ ### Exit criteria
544
+ - control-plane can authenticate and sync against control-hub in staging
545
+ - metering and entitlement endpoints are production-safe with tenant isolation tests
546
+
547
+ ---
548
+
549
+ ## CP7: Rollout, Migration, and Commercial Readiness
550
+
551
+ ### Rollout Phases
552
+ 1. Internal dogfood: community mode + optional auth only.
553
+ 2. Pilot customers: team mode with best-effort sync and warning-only overage.
554
+ 3. Paid GA: required entitlement checks for paid operations, invoicing enabled.
555
+ 4. Enterprise GA: SSO/SCIM/compliance controls enabled by entitlement.
556
+
557
+ ### Migration Rules
558
+ - existing repos require no config changes for community mode
559
+ - `aop init --advanced-policy` adds product section templates
560
+ - paid mode onboarding requires explicit `aop auth login` and workspace bind
561
+
562
+ ### Rollback Rules
563
+ - disable `innovation.commercial_productization` to return to community behavior
564
+ - keep usage/artifact logs; do not delete commercial runtime artifacts on rollback
565
+
566
+ ---
567
+
568
+ ## 6. Test Strategy (Normative)
569
+
570
+ ### 6.1 Unit Tests
571
+ - entitlement signature and expiry/grace logic
572
+ - metering event generation and dedupe keys
573
+ - cloud sync checkpoint idempotency
574
+
575
+ ### 6.2 Integration Tests
576
+ - end-to-end paid flow: login -> entitlement fetch -> run -> usage flush -> artifact sync
577
+ - tenant isolation: workspace A cannot read workspace B assets
578
+
579
+ ### 6.3 Contract/Parity Tests
580
+ - new tools validated in MCP and in-process modes
581
+ - CLI commands parse/help/bootstrap coverage for `auth`, `cloud sync`, `usage`, `billing`
582
+
583
+ ### 6.4 Regression Tests
584
+ - community mode behavior unchanged when productization disabled
585
+ - run completion unaffected by cloud outage in best-effort mode
586
+
587
+ ---
588
+
589
+ ## 7. Acceptance Criteria
590
+
591
+ 1. Community users can run existing workflows unchanged with productization disabled.
592
+ 2. Team/enterprise mode requires valid workspace auth and entitlement snapshot.
593
+ 3. Paid features are blocked with explicit entitlement errors when unauthorized.
594
+ 4. Usage events are persisted locally and can be flushed idempotently to control-hub.
595
+ 5. Artifact sync supports durable hosted audit history and deterministic retry behavior.
596
+ 6. Dashboard can render tenant-aware, entitlement-gated analytics without data leakage.
597
+ 7. Billing summary endpoint returns plan usage and overage signals from deterministic aggregates.
598
+ 8. Quality gates pass: `lint`, `typecheck`, `test`, `validate:mcp-contracts`, `validate:architecture`.
599
+
600
+ ---
601
+
602
+ ## 8. Core Tradeoffs
603
+
604
+ 1. **Fail-open reliability vs revenue enforcement**
605
+ - strict entitlement blocking improves monetization control but risks customer-facing outages.
606
+ - chosen path: core execution always local-safe; paid operations enforce with TTL+grace.
607
+
608
+ 2. **Hosted convenience vs data sovereignty**
609
+ - SaaS enables fast value but regulated customers need self-hosting.
610
+ - chosen path: same APIs for hosted and enterprise self-hosted control-hub.
611
+
612
+ 3. **Metering granularity vs runtime overhead**
613
+ - finer events improve billing accuracy but increase write/flush cost.
614
+ - chosen path: bounded JSONL events, batched flush, deterministic aggregation.
615
+
616
+ 4. **Broad paywall vs trust/adoption**
617
+ - over-gating core capabilities harms OSS adoption.
618
+ - chosen path: keep deterministic orchestration free; monetize team governance, hosted retention, enterprise controls.
619
+
620
+ ---
621
+
622
+ ## 9. Risks and Mitigations
623
+
624
+ - Risk: entitlement service outage blocks paying customers.
625
+ - Mitigation: signed local cache + grace period + explicit degraded-mode warnings.
626
+
627
+ - Risk: billing disputes due to inconsistent metering.
628
+ - Mitigation: immutable event log, deterministic aggregation jobs, exportable customer usage report.
629
+
630
+ - Risk: tenant data leakage.
631
+ - Mitigation: mandatory workspace scoping in every API query plus isolation integration tests.
632
+
633
+ - Risk: implementation spread across too many subsystems.
634
+ - Mitigation: CP0-first contract scaffolding and phased rollout with strict exit criteria.
635
+
636
+ ---
637
+
638
+ ## 10. Definition of Done
639
+
640
+ A completed implementation session for this program MUST provide:
641
+ - phase-by-phase completion notes (CP0-CP7)
642
+ - policy/schema/catalog/tool docs deltas and rationale
643
+ - executed validation/test commands with outcomes
644
+ - rollout/rollback runbook notes
645
+ - `spec-files/progress.md` entry with completed milestones and remaining commercialization tasks