agentxchain 2.100.0 → 2.102.0

package/src/commands/doctor.js

@@ -4,6 +4,7 @@ import { join } from 'path';
 import chalk from 'chalk';
 import { loadConfig, loadLock, findProjectRoot } from '../lib/config.js';
 import { validateProject } from '../lib/validation.js';
+import { runAdmissionControl } from '../lib/admission-control.js';
 import { getWatchPid } from './watch.js';
 import { getDashboardPid, getDashboardSession } from './dashboard.js';
 import { loadNormalizedConfig, detectConfigVersion } from '../lib/normalized-config.js';
@@ -235,6 +236,22 @@ function governedDoctor(root, rawConfig, opts) {
     }
   }
 
+  // 10. Admission control — static dead-end detection
+  if (normalized) {
+    const admission = runAdmissionControl(normalized, rawConfig);
+    if (!admission.ok) {
+      const errSummary = admission.errors.slice(0, 2).map(e => e.replace(/^ADM-\d+: /, '')).join('; ');
+      checks.push({ id: 'admission_control', name: 'Admission control', level: 'fail', detail: errSummary });
+    } else if (admission.warnings.length > 0) {
+      // ADM-003 warnings are advisory (external approval is a legitimate pattern),
+      // so report as info rather than warn to avoid noisy defaults.
+      const infoSummary = admission.warnings.slice(0, 2).map(w => w.replace(/^ADM-\d+: /, '')).join('; ');
+      checks.push({ id: 'admission_control', name: 'Admission control', level: 'info', detail: infoSummary });
+    } else {
+      checks.push({ id: 'admission_control', name: 'Admission control', level: 'pass', detail: 'No dead-end configs detected' });
+    }
+  }
+
   // Compute summary
   const failCount = checks.filter(c => c.level === 'fail').length;
   const warnCount = checks.filter(c => c.level === 'warn').length;

package/src/commands/verify.js

@@ -6,6 +6,7 @@ import { validateStagedTurnResult } from '../lib/turn-result-validator.js';
 import { getTurnStagingResultPath } from '../lib/turn-paths.js';
 import { resolve } from 'node:path';
 import { loadExportArtifact, verifyExportArtifact } from '../lib/export-verifier.js';
+import { buildExportDiff, resolveExportArtifact } from '../lib/export-diff.js';
 import { verifyProtocolConformance } from '../lib/protocol-conformance.js';
 import {
   DEFAULT_VERIFICATION_REPLAY_TIMEOUT_MS,
@@ -72,6 +73,18 @@ function emitProtocolVerifyError(format, message) {
   console.log(chalk.red(`Protocol verification failed: ${message}`));
 }
 
+function emitVerifyDiffError(format, message) {
+  if (format === 'json') {
+    console.log(JSON.stringify({
+      overall: 'error',
+      message,
+    }, null, 2));
+    return;
+  }
+
+  console.log(chalk.red(`Diff verification failed: ${message}`));
+}
+
 export async function verifyExportCommand(opts) {
   const format = opts.format || 'text';
   const loaded = loadExportArtifact(opts.input || '-', process.cwd());
@@ -104,6 +117,75 @@ export async function verifyExportCommand(opts) {
   process.exit(result.ok ? 0 : 1);
 }
 
+export async function verifyDiffCommand(leftRef, rightRef, opts = {}) {
+  const format = opts.format || 'text';
+  const leftLoaded = resolveExportArtifact(leftRef);
+  if (!leftLoaded.ok) {
+    emitVerifyDiffError(format, leftLoaded.error);
+    process.exit(2);
+  }
+
+  const rightLoaded = resolveExportArtifact(rightRef);
+  if (!rightLoaded.ok) {
+    emitVerifyDiffError(format, rightLoaded.error);
+    process.exit(2);
+  }
+
+  if (leftLoaded.artifact.export_kind !== rightLoaded.artifact.export_kind) {
+    emitVerifyDiffError(
+      format,
+      `Export kinds do not match: ${leftLoaded.artifact.export_kind} vs ${rightLoaded.artifact.export_kind}`,
+    );
+    process.exit(2);
+  }
+
+  const leftVerification = verifyExportArtifact(leftLoaded.artifact);
+  const rightVerification = verifyExportArtifact(rightLoaded.artifact);
+  const leftReport = { ...leftVerification.report, input: leftLoaded.resolved_ref };
+  const rightReport = { ...rightVerification.report, input: rightLoaded.resolved_ref };
+
+  let diff = null;
+  let overall = 'pass';
+  let exitCode = 0;
+  let message = null;
+
+  if (!leftVerification.ok || !rightVerification.ok) {
+    overall = 'fail';
+    exitCode = 1;
+    message = 'Diff skipped because one or both exports failed verification.';
+  } else {
+    const diffResult = buildExportDiff(leftLoaded.artifact, rightLoaded.artifact, {
+      left_ref: leftLoaded.resolved_ref,
+      right_ref: rightLoaded.resolved_ref,
+    });
+    if (!diffResult.ok) {
+      emitVerifyDiffError(format, diffResult.error);
+      process.exit(2);
+    }
+    diff = diffResult.diff;
+    if (diff.has_regressions) {
+      overall = 'fail';
+      exitCode = 1;
+    }
+  }
+
+  const report = {
+    overall,
+    left: leftReport,
+    right: rightReport,
+    diff,
+    message,
+  };
+
+  if (format === 'json') {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    printVerifyDiffReport(report);
+  }
+
+  process.exit(exitCode);
+}
+
 export async function verifyTurnCommand(turnId, opts = {}) {
   const context = loadProjectContext();
   if (!context) {
@@ -237,6 +319,54 @@ function printExportReport(report) {
   console.log('');
 }
 
+function printVerifyDiffReport(report) {
+  console.log('');
+  console.log(chalk.bold('  AgentXchain Diff Verification'));
+  console.log(chalk.dim('  ' + '─'.repeat(41)));
+  console.log(chalk.dim(`  Left: ${report.left.input}`));
+  console.log(chalk.dim(`  Right: ${report.right.input}`));
+  console.log('');
+
+  const overallLabel = report.overall === 'pass'
+    ? chalk.green('PASS')
+    : report.overall === 'fail'
+      ? chalk.red('FAIL')
+      : chalk.red('ERROR');
+  console.log(`  Overall: ${overallLabel}`);
+  console.log(`  Left export: ${formatVerifyStatus(report.left.overall)}`);
+  console.log(`  Right export: ${formatVerifyStatus(report.right.overall)}`);
+
+  if (report.diff) {
+    console.log(chalk.dim(`  Diff subject: ${report.diff.subject_kind}`));
+    console.log(chalk.dim(`  Changed: ${report.diff.changed ? 'yes' : 'no'}`));
+    console.log(chalk.dim(`  Governance regressions: ${report.diff.regression_count}`));
+  }
+
+  if (report.message) {
+    console.log(chalk.yellow(`  ${report.message}`));
+  }
+
+  for (const error of report.left.errors || []) {
+    console.log(chalk.red(`    left ✗ ${error}`));
+  }
+  for (const error of report.right.errors || []) {
+    console.log(chalk.red(`    right ✗ ${error}`));
+  }
+
+  if (report.diff?.regressions?.length > 0) {
+    console.log('');
+    console.log(chalk.bold.red('  Governance Regressions'));
+    for (const regression of report.diff.regressions) {
+      const severity = regression.severity === 'error'
+        ? chalk.red(`[${regression.severity}]`)
+        : chalk.yellow(`[${regression.severity}]`);
+      console.log(`    ${severity} ${regression.id}: ${regression.message}`);
+    }
+  }
+
+  console.log('');
+}
+
 function resolveTargetTurnId(requestedTurnId, activeTurns) {
   const turnIds = Object.keys(activeTurns);
 
@@ -351,3 +481,9 @@ function formatOutcome(outcome) {
   if (outcome === 'mismatch') return chalk.red('mismatch');
   return chalk.yellow('not_reproducible');
 }
+
+function formatVerifyStatus(status) {
+  if (status === 'pass') return chalk.green('PASS');
+  if (status === 'fail') return chalk.red('FAIL');
+  return chalk.red(String(status || 'error').toUpperCase());
+}

package/src/lib/admission-control.js

@@ -0,0 +1,247 @@
+/**
+ * Admission Control — pre-run static analysis that rejects governed configs
+ * which cannot possibly reach completion.
+ *
+ * Pure function: no filesystem access, no state reads.
+ *
+ * Checks:
+ *   ADM-001  No file producer for gated phase
+ *   ADM-002  Authoritative writer unreachable for owned artifacts
+ *   ADM-003  Impossible human approval topology (warning only)
+ *   ADM-004  Owned artifact owner cannot write
+ *
+ * See .planning/ADMISSION_CONTROL_SPEC.md for full spec.
+ */
+
+import { getEffectiveGateArtifacts } from './gate-evaluator.js';
+
+/**
+ * Run all admission control checks against a governed config.
+ *
+ * @param {object} config - normalized governed config
+ * @param {object} rawConfig - raw agentxchain.json (for workflow_kit, gates, approval_policy)
+ * @returns {{ ok: boolean, errors: string[], warnings: string[] }}
+ */
+export function runAdmissionControl(config, rawConfig) {
+  const errors = [];
+  const warnings = [];
+
+  const routing = config?.routing;
+  const gates = config?.gates || rawConfig?.gates;
+  const roles = config?.roles;
+  const runtimes = config?.runtimes || rawConfig?.runtimes;
+
+  if (!routing) {
+    return { ok: true, errors, warnings };
+  }
+
+  // ADM-001 + ADM-002 + ADM-004: per-phase gate analysis
+  if (gates) {
+    for (const [phase, route] of Object.entries(routing)) {
+      const exitGateId = route?.exit_gate;
+      if (!exitGateId || !gates[exitGateId]) continue;
+
+      const gateDef = gates[exitGateId];
+      const effectiveArtifacts = getEffectiveGateArtifacts(config, gateDef, phase);
+      const requiredArtifacts = effectiveArtifacts.filter(a => a.required);
+
+      if (requiredArtifacts.length === 0) continue;
+
+      // Collect all roles routed to this phase
+      const candidateRoleIds = [
+        route?.entry_role,
+        ...(Array.isArray(route?.allowed_next_roles) ? route.allowed_next_roles : []),
+      ].filter(Boolean);
+
+      const uniqueRoleIds = [...new Set(candidateRoleIds)];
+
+      // ADM-001: check if any role can produce files
+      // Manual runtime roles are excluded — human operators can produce files
+      // outside the governed turn mechanism regardless of write_authority.
+      // Note: normalized config uses runtime_id, raw config uses runtime.
+      const rolesWithAuthority = uniqueRoleIds
+        .map(id => {
+          const role = roles?.[id];
+          const rtKey = role?.runtime_id || role?.runtime;
+          return { id, role, runtime: runtimes?.[rtKey] };
+        })
+        .filter(({ role }) => role);
+
+      const hasFileProducer = rolesWithAuthority.some(({ role, runtime }) =>
+        canRoleProduceFiles(role, runtime));
+
+      // Only flag non-manual roles as review_only dead-ends
+      const nonManualRoles = rolesWithAuthority.filter(({ runtime }) => runtime?.type !== 'manual');
+      if (!hasFileProducer && nonManualRoles.length > 0) {
+        const roleSummary = nonManualRoles
+          .map(({ id, role }) => `${id}:${role.write_authority}`)
+          .join(', ');
+        const fileSummary = requiredArtifacts.map(a => a.path).join(', ');
+        errors.push(
+          `ADM-001: Phase "${phase}" gate "${exitGateId}" requires files (${fileSummary}) but all routed roles are review_only (${roleSummary}). No agent can produce the required artifacts.`
+        );
+      }
+
+      // ADM-002: check owned_by roles are reachable in this phase
+      for (const artifact of requiredArtifacts) {
+        if (!artifact.owned_by) continue;
+        if (!uniqueRoleIds.includes(artifact.owned_by)) {
+          errors.push(
+            `ADM-002: Phase "${phase}" artifact "${artifact.path}" is owned_by "${artifact.owned_by}" but that role is not in the phase routing (entry_role or allowed_next_roles). The ownership predicate can never be satisfied.`
+          );
+          continue;
+        }
+
+        const ownerRole = roles?.[artifact.owned_by];
+        if (!ownerRole) continue;
+        const ownerRuntimeKey = ownerRole.runtime_id || ownerRole.runtime;
+        const ownerRuntime = runtimes?.[ownerRuntimeKey];
+
+        if (!canRoleProduceFiles(ownerRole, ownerRuntime)) {
+          errors.push(
+            `ADM-004: Phase "${phase}" artifact "${artifact.path}" is owned_by "${artifact.owned_by}" but that role is ${ownerRole.write_authority} on runtime type "${ownerRuntime?.type || 'unknown'}". The owner can participate in the phase but cannot produce the required artifact.`
+          );
+        }
+      }
+    }
+  }
+
+  // ADM-003: impossible human approval topology
+  checkHumanApprovalTopology(config, rawConfig, routing, gates, roles, runtimes, warnings);
+
+  return {
+    ok: errors.length === 0,
+    errors,
+    warnings,
+  };
+}
+
+/**
+ * ADM-003: Check whether human approval requirements are reachable.
+ * Emits warnings (not errors) because external approval paths are legitimate.
+ */
+function checkHumanApprovalTopology(config, rawConfig, routing, gates, roles, runtimes, warnings) {
+  // Determine if any manual runtime exists
+  const hasManualRuntime = runtimes
+    ? Object.values(runtimes).some(rt => rt?.type === 'manual')
+    : false;
+
+  // If there's a manual runtime, human approval is always reachable
+  if (hasManualRuntime) return;
+
+  const approvalPolicy = config?.approval_policy || rawConfig?.approval_policy;
+
+  // Collect phases/gates that require human approval
+  const humanApprovalPoints = [];
+
+  for (const [phase, route] of Object.entries(routing)) {
+    const exitGateId = route?.exit_gate;
+    if (!exitGateId || !gates?.[exitGateId]) continue;
+
+    const gateDef = gates[exitGateId];
+    if (gateDef.requires_human_approval) {
+      // Check if approval_policy overrides to auto_approve for this transition
+      if (!isAutoApprovedByPolicy(approvalPolicy, 'phase_transitions', phase)) {
+        humanApprovalPoints.push({ type: 'phase_transition', phase, gate: exitGateId });
+      }
+    }
+  }
+
+  // Check run_completion gates
+  const completionGateId = config?.completion_gate || rawConfig?.completion_gate;
+  if (completionGateId && gates?.[completionGateId]) {
+    const gateDef = gates[completionGateId];
+    if (gateDef.requires_human_approval) {
+      if (!isAutoApprovedByPolicy(approvalPolicy, 'run_completion', null)) {
+        humanApprovalPoints.push({ type: 'run_completion', gate: completionGateId });
+      }
+    }
+  }
+
+  // Also check approval_policy for explicit require_human actions
+  if (approvalPolicy?.phase_transitions) {
+    const pt = approvalPolicy.phase_transitions;
+    if (pt.default === 'require_human') {
+      // Every phase transition defaults to human approval
+      for (const phase of Object.keys(routing)) {
+        const hasAutoOverride = (pt.rules || []).some(rule =>
+          rule.action === 'auto_approve' && matchesPhaseRule(rule, phase));
+        if (!hasAutoOverride) {
+          const already = humanApprovalPoints.some(p => p.type === 'phase_transition' && p.phase === phase);
+          if (!already) {
+            humanApprovalPoints.push({ type: 'phase_transition', phase, gate: routing[phase]?.exit_gate || '(policy)' });
+          }
+        }
+      }
+    }
+    if (Array.isArray(pt.rules)) {
+      for (const rule of pt.rules) {
+        if (rule.action === 'require_human' && rule.from_phase) {
+          const already = humanApprovalPoints.some(p => p.type === 'phase_transition' && p.phase === rule.from_phase);
+          if (!already) {
+            humanApprovalPoints.push({ type: 'phase_transition', phase: rule.from_phase, gate: '(policy)' });
+          }
+        }
+      }
+    }
+  }
+
+  if (approvalPolicy?.run_completion?.action === 'require_human') {
+    const already = humanApprovalPoints.some(p => p.type === 'run_completion');
+    if (!already) {
+      humanApprovalPoints.push({ type: 'run_completion', gate: '(policy)' });
+    }
+  }
+
+  for (const point of humanApprovalPoints) {
+    if (point.type === 'phase_transition') {
+      warnings.push(
+        `ADM-003: Phase "${point.phase}" requires human approval (gate "${point.gate}") but no role uses runtime type "manual". The run will pause at pending_phase_transition and require external approval (CLI, dashboard, or webhook).`
+      );
+    } else {
+      warnings.push(
+        `ADM-003: Run completion requires human approval (gate "${point.gate}") but no role uses runtime type "manual". The run will pause at pending_run_completion and require external approval.`
+      );
+    }
+  }
+}
+
+function isAutoApprovedByPolicy(approvalPolicy, section, phase) {
+  if (!approvalPolicy) return false;
+
+  if (section === 'phase_transitions') {
+    const pt = approvalPolicy.phase_transitions;
+    if (!pt) return false;
+
+    // Check specific rules first
+    if (Array.isArray(pt.rules)) {
+      for (const rule of pt.rules) {
+        if (rule.action === 'auto_approve' && matchesPhaseRule(rule, phase)) {
+          return true;
+        }
+      }
+    }
+
+    // Fall back to default
+    return pt.default === 'auto_approve';
+  }
+
+  if (section === 'run_completion') {
+    return approvalPolicy.run_completion?.action === 'auto_approve';
+  }
+
+  return false;
+}
+
+function matchesPhaseRule(rule, phase) {
+  // A rule matches if from_phase is unset or matches the phase
+  if (rule.from_phase && rule.from_phase !== phase) return false;
+  return true;
+}
+
+function canRoleProduceFiles(role, runtime) {
+  if (!role) return false;
+  return runtime?.type === 'manual'
+    || role.write_authority === 'authoritative'
+    || role.write_authority === 'proposed';
+}

package/src/lib/export-diff.js

@@ -193,6 +193,7 @@ function normalizeRunExport(artifact) {
     run_id: summary.run_id || null,
     status: summary.status || null,
     phase: summary.phase || null,
+    workflow_phase_order: Array.isArray(summary.workflow_phase_order) ? summary.workflow_phase_order : null,
     project_name: artifact.project?.name || null,
     project_goal: summary.project_goal || artifact.project?.goal || null,
     provenance_trigger: summary.provenance?.trigger || null,
@@ -213,6 +214,7 @@ function normalizeRunExport(artifact) {
     budget_warn_mode: budgetStatus.warn_mode === true,
     budget_exhausted: budgetStatus.exhausted === true,
     phase_gate_status: normalizeGateStatusMap(phaseGateStatus),
+    delegation_missing_decisions: normalizeDelegationMissingMap(summary.delegation_summary),
   };
 }
 
@@ -227,6 +229,7 @@ function normalizeCoordinatorExport(artifact) {
     super_run_id: summary.super_run_id || null,
     status: summary.status || null,
     phase: summary.phase || null,
+    workflow_phase_order: Array.isArray(summary.workflow_phase_order) ? summary.workflow_phase_order : null,
     project_name: artifact.coordinator?.project_name || null,
     barrier_count: toNumber(summary.barrier_count),
     history_entries: toNumber(summary.history_entries),
@@ -354,6 +357,27 @@ function normalizeNumericMap(value) {
   );
 }
 
+function normalizeDelegationMissingMap(summary) {
+  if (!summary || typeof summary !== 'object' || Array.isArray(summary)) return {};
+  const chains = Array.isArray(summary.delegation_chains) ? summary.delegation_chains : [];
+  const entries = [];
+  for (const chain of chains) {
+    const delegations = Array.isArray(chain?.delegations) ? chain.delegations : [];
+    for (const delegation of delegations) {
+      if (!delegation || typeof delegation !== 'object' || Array.isArray(delegation)) continue;
+      const delegationId = typeof delegation.delegation_id === 'string' && delegation.delegation_id.trim()
+        ? delegation.delegation_id.trim()
+        : null;
+      if (!delegationId) continue;
+      entries.push([
+        delegationId,
+        normalizeStringArray(delegation.missing_decision_ids),
+      ]);
+    }
+  }
+  return Object.fromEntries(entries.sort(([left], [right]) => left.localeCompare(right, 'en')));
+}
+
 function toNumber(value) {
   return typeof value === 'number' ? value : null;
 }
@@ -391,6 +415,55 @@ function detectRunRegressions(left, right) {
     });
   }
 
+  const leftHasPhaseOrder = Array.isArray(left.workflow_phase_order) && left.workflow_phase_order.length > 0;
+  const rightHasPhaseOrder = Array.isArray(right.workflow_phase_order) && right.workflow_phase_order.length > 0;
+  const phaseOrderDrift = leftHasPhaseOrder && rightHasPhaseOrder && !isEqual(left.workflow_phase_order, right.workflow_phase_order);
+
+  if (phaseOrderDrift) {
+    regressions.push({
+      id: `REG-PHASE-ORDER-${String(++counter).padStart(3, '0')}`,
+      category: 'phase',
+      severity: 'warning',
+      message: 'Workflow phase order changed between exports; directional phase comparison skipped',
+      field: 'workflow_phase_order',
+      left: left.workflow_phase_order,
+      right: right.workflow_phase_order,
+    });
+  }
+
+  // Phase regression: backward movement in workflow phase order
+  if (left.phase && right.phase === null) {
+    // Phase disappeared — information loss
+    regressions.push({
+      id: `REG-PHASE-${String(++counter).padStart(3, '0')}`,
+      category: 'phase',
+      severity: 'warning',
+      message: `Phase regressed from "${left.phase}" to null (phase information lost)`,
+      field: 'phase',
+      left: left.phase,
+      right: null,
+    });
+  } else if (left.phase && right.phase && left.phase !== right.phase) {
+    const canCompareDirection = leftHasPhaseOrder && rightHasPhaseOrder && !phaseOrderDrift;
+    if (canCompareDirection) {
+      const phaseOrder = right.workflow_phase_order;
+      const leftIndex = phaseOrder.indexOf(left.phase);
+      const rightIndex = phaseOrder.indexOf(right.phase);
+      // Only flag when both phases are known and right is earlier than left
+      if (leftIndex !== -1 && rightIndex !== -1 && rightIndex < leftIndex) {
+        regressions.push({
+          id: `REG-PHASE-${String(++counter).padStart(3, '0')}`,
+          category: 'phase',
+          severity: 'warning',
+          message: `Phase moved backward from "${left.phase}" (position ${leftIndex}) to "${right.phase}" (position ${rightIndex})`,
+          field: 'phase',
+          left: left.phase,
+          right: right.phase,
+        });
+      }
+    }
+  }
+
   // Budget warn_mode regression
   if (left.budget_warn_mode === false && right.budget_warn_mode === true) {
     regressions.push({
@@ -432,6 +505,29 @@ function detectRunRegressions(left, right) {
     });
   }
 
+  // Delegation contract regressions: newly missing required decisions.
+  const allDelegationIds = new Set([
+    ...Object.keys(left.delegation_missing_decisions || {}),
+    ...Object.keys(right.delegation_missing_decisions || {}),
+  ]);
+  for (const delegationId of allDelegationIds) {
+    const leftMissing = normalizeStringArray((left.delegation_missing_decisions || {})[delegationId]);
+    const rightMissing = normalizeStringArray((right.delegation_missing_decisions || {})[delegationId]);
+    const leftSet = new Set(leftMissing);
+    const newlyMissing = rightMissing.filter((decisionId) => !leftSet.has(decisionId));
+    if (newlyMissing.length > 0) {
+      regressions.push({
+        id: `REG-DELEGATION-MISSING-${String(++counter).padStart(3, '0')}`,
+        category: 'delegation',
+        severity: 'error',
+        message: `Delegation "${delegationId}" is now missing required decisions: ${newlyMissing.join(', ')}`,
+        field: `delegation_summary.${delegationId}.missing_decision_ids`,
+        left: leftMissing,
+        right: rightMissing,
+      });
+    }
+  }
+
   // Gate regressions: passed/approved -> failed/blocked
   const allGateIds = new Set([...Object.keys(left.phase_gate_status || {}), ...Object.keys(right.phase_gate_status || {})]);
   for (const gateId of allGateIds) {

package/src/lib/export-verifier.js

@@ -31,6 +31,52 @@ function addError(errors, path, message) {
   errors.push(`${path}: ${message}`);
 }
 
+function verifyWorkflowPhaseOrder(summary, errors, summaryPath = 'summary') {
+  const phaseOrder = summary?.workflow_phase_order;
+  if (phaseOrder === undefined || phaseOrder === null) {
+    return;
+  }
+
+  const path = `${summaryPath}.workflow_phase_order`;
+  if (!Array.isArray(phaseOrder)) {
+    addError(errors, path, 'must be an array or null');
+    return;
+  }
+
+  if (phaseOrder.length === 0) {
+    addError(errors, path, 'must not be empty when present');
+    return;
+  }
+
+  const seen = new Set();
+  for (let index = 0; index < phaseOrder.length; index += 1) {
+    const entry = phaseOrder[index];
+    const entryPath = `${path}[${index}]`;
+    if (typeof entry !== 'string') {
+      addError(errors, entryPath, 'must be a string');
+      continue;
+    }
+    const trimmed = entry.trim();
+    if (!trimmed) {
+      addError(errors, entryPath, 'must not be blank');
+      continue;
+    }
+    if (trimmed !== entry) {
+      addError(errors, entryPath, 'must be trimmed');
+      continue;
+    }
+    if (seen.has(entry)) {
+      addError(errors, path, `must not contain duplicate phase "${entry}"`);
+      continue;
+    }
+    seen.add(entry);
+  }
+
+  if (summary.phase !== null && summary.phase !== undefined && !seen.has(summary.phase)) {
+    addError(errors, `${summaryPath}.phase`, 'must appear in summary.workflow_phase_order when workflow_phase_order is present');
+  }
+}
+
 function verifyFileEntry(relPath, entry, errors) {
   const path = `files.${relPath}`;
   if (!entry || typeof entry !== 'object' || Array.isArray(entry)) {
@@ -539,6 +585,8 @@ function verifyRunExport(artifact, errors) {
     addError(errors, 'summary.phase', 'must match state.phase');
   }
 
+  verifyWorkflowPhaseOrder(artifact.summary, errors);
+
   const expectedHistoryEntries = countJsonl(artifact.files, '.agentxchain/history.jsonl');
   const expectedDecisionEntries = countJsonl(artifact.files, '.agentxchain/decision-ledger.jsonl');
   const expectedHookAuditEntries = countJsonl(artifact.files, '.agentxchain/hook-audit.jsonl');
@@ -628,6 +676,7 @@ function verifyCoordinatorExport(artifact, errors) {
     if (artifact.summary.phase !== (coordinatorState?.phase || null)) {
       addError(errors, 'summary.phase', 'must match coordinator state phase');
     }
+    verifyWorkflowPhaseOrder(artifact.summary, errors);
     if (!isDeepStrictEqual(artifact.summary.repo_run_statuses, expectedStatuses)) {
       addError(errors, 'summary.repo_run_statuses', 'must match coordinator state repo run statuses');
     }

package/src/lib/export.js

@@ -454,6 +454,9 @@ export function buildRunExport(startDir = process.cwd()) {
         run_id: state?.run_id || null,
         status: state?.status || null,
         phase: state?.phase || null,
+        workflow_phase_order: config.routing && Object.keys(config.routing).length > 0
+          ? Object.keys(config.routing)
+          : null,
         provenance: normalizeRunProvenance(state?.provenance),
         inherited_context: state?.inherited_context || null,
         active_turn_ids: activeTurns,
@@ -640,6 +643,10 @@ export function buildCoordinatorExport(startDir = process.cwd()) {
         super_run_id: coordState?.super_run_id || null,
         status: coordState?.status || null,
         phase: coordState?.phase || null,
+        workflow_phase_order: rawConfig.routing && typeof rawConfig.routing === 'object'
+            && Object.keys(rawConfig.routing).length > 0
+          ? Object.keys(rawConfig.routing)
+          : null,
         repo_run_statuses: repoRunStatuses,
         barrier_count: barrierCount,
         history_entries: countJsonl(files, '.agentxchain/multirepo/history.jsonl'),