agentxchain 2.101.0 → 2.102.0

package/src/commands/doctor.js

@@ -4,6 +4,7 @@ import { join } from 'path';
 import chalk from 'chalk';
 import { loadConfig, loadLock, findProjectRoot } from '../lib/config.js';
 import { validateProject } from '../lib/validation.js';
+import { runAdmissionControl } from '../lib/admission-control.js';
 import { getWatchPid } from './watch.js';
 import { getDashboardPid, getDashboardSession } from './dashboard.js';
 import { loadNormalizedConfig, detectConfigVersion } from '../lib/normalized-config.js';
@@ -235,6 +236,22 @@ function governedDoctor(root, rawConfig, opts) {
     }
   }
 
+  // 10. Admission control — static dead-end detection
+  if (normalized) {
+    const admission = runAdmissionControl(normalized, rawConfig);
+    if (!admission.ok) {
+      const errSummary = admission.errors.slice(0, 2).map(e => e.replace(/^ADM-\d+: /, '')).join('; ');
+      checks.push({ id: 'admission_control', name: 'Admission control', level: 'fail', detail: errSummary });
+    } else if (admission.warnings.length > 0) {
+      // ADM-003 warnings are advisory (external approval is a legitimate pattern),
+      // so report as info rather than warn to avoid noisy defaults.
+      const infoSummary = admission.warnings.slice(0, 2).map(w => w.replace(/^ADM-\d+: /, '')).join('; ');
+      checks.push({ id: 'admission_control', name: 'Admission control', level: 'info', detail: infoSummary });
+    } else {
+      checks.push({ id: 'admission_control', name: 'Admission control', level: 'pass', detail: 'No dead-end configs detected' });
+    }
+  }
+
   // Compute summary
   const failCount = checks.filter(c => c.level === 'fail').length;
   const warnCount = checks.filter(c => c.level === 'warn').length;

package/src/lib/admission-control.js

@@ -0,0 +1,247 @@
+/**
+ * Admission Control — pre-run static analysis that rejects governed configs
+ * which cannot possibly reach completion.
+ *
+ * Pure function: no filesystem access, no state reads.
+ *
+ * Checks:
+ *   ADM-001  No file producer for gated phase
+ *   ADM-002  Authoritative writer unreachable for owned artifacts
+ *   ADM-003  Impossible human approval topology (warning only)
+ *   ADM-004  Owned artifact owner cannot write
+ *
+ * See .planning/ADMISSION_CONTROL_SPEC.md for full spec.
+ */
+
+import { getEffectiveGateArtifacts } from './gate-evaluator.js';
+
+/**
+ * Run all admission control checks against a governed config.
+ *
+ * @param {object} config - normalized governed config
+ * @param {object} rawConfig - raw agentxchain.json (for workflow_kit, gates, approval_policy)
+ * @returns {{ ok: boolean, errors: string[], warnings: string[] }}
+ */
+export function runAdmissionControl(config, rawConfig) {
+  const errors = [];
+  const warnings = [];
+
+  const routing = config?.routing;
+  const gates = config?.gates || rawConfig?.gates;
+  const roles = config?.roles;
+  const runtimes = config?.runtimes || rawConfig?.runtimes;
+
+  if (!routing) {
+    return { ok: true, errors, warnings };
+  }
+
+  // ADM-001 + ADM-002 + ADM-004: per-phase gate analysis
+  if (gates) {
+    for (const [phase, route] of Object.entries(routing)) {
+      const exitGateId = route?.exit_gate;
+      if (!exitGateId || !gates[exitGateId]) continue;
+
+      const gateDef = gates[exitGateId];
+      const effectiveArtifacts = getEffectiveGateArtifacts(config, gateDef, phase);
+      const requiredArtifacts = effectiveArtifacts.filter(a => a.required);
+
+      if (requiredArtifacts.length === 0) continue;
+
+      // Collect all roles routed to this phase
+      const candidateRoleIds = [
+        route?.entry_role,
+        ...(Array.isArray(route?.allowed_next_roles) ? route.allowed_next_roles : []),
+      ].filter(Boolean);
+
+      const uniqueRoleIds = [...new Set(candidateRoleIds)];
+
+      // ADM-001: check if any role can produce files
+      // Manual runtime roles are excluded — human operators can produce files
+      // outside the governed turn mechanism regardless of write_authority.
+      // Note: normalized config uses runtime_id, raw config uses runtime.
+      const rolesWithAuthority = uniqueRoleIds
+        .map(id => {
+          const role = roles?.[id];
+          const rtKey = role?.runtime_id || role?.runtime;
+          return { id, role, runtime: runtimes?.[rtKey] };
+        })
+        .filter(({ role }) => role);
+
+      const hasFileProducer = rolesWithAuthority.some(({ role, runtime }) =>
+        canRoleProduceFiles(role, runtime));
+
+      // Only flag non-manual roles as review_only dead-ends
+      const nonManualRoles = rolesWithAuthority.filter(({ runtime }) => runtime?.type !== 'manual');
+      if (!hasFileProducer && nonManualRoles.length > 0) {
+        const roleSummary = nonManualRoles
+          .map(({ id, role }) => `${id}:${role.write_authority}`)
+          .join(', ');
+        const fileSummary = requiredArtifacts.map(a => a.path).join(', ');
+        errors.push(
+          `ADM-001: Phase "${phase}" gate "${exitGateId}" requires files (${fileSummary}) but all routed roles are review_only (${roleSummary}). No agent can produce the required artifacts.`
+        );
+      }
+
+      // ADM-002: check owned_by roles are reachable in this phase
+      for (const artifact of requiredArtifacts) {
+        if (!artifact.owned_by) continue;
+        if (!uniqueRoleIds.includes(artifact.owned_by)) {
+          errors.push(
+            `ADM-002: Phase "${phase}" artifact "${artifact.path}" is owned_by "${artifact.owned_by}" but that role is not in the phase routing (entry_role or allowed_next_roles). The ownership predicate can never be satisfied.`
+          );
+          continue;
+        }
+
+        const ownerRole = roles?.[artifact.owned_by];
+        if (!ownerRole) continue;
+        const ownerRuntimeKey = ownerRole.runtime_id || ownerRole.runtime;
+        const ownerRuntime = runtimes?.[ownerRuntimeKey];
+
+        if (!canRoleProduceFiles(ownerRole, ownerRuntime)) {
+          errors.push(
+            `ADM-004: Phase "${phase}" artifact "${artifact.path}" is owned_by "${artifact.owned_by}" but that role is ${ownerRole.write_authority} on runtime type "${ownerRuntime?.type || 'unknown'}". The owner can participate in the phase but cannot produce the required artifact.`
+          );
+        }
+      }
+    }
+  }
+
+  // ADM-003: impossible human approval topology
+  checkHumanApprovalTopology(config, rawConfig, routing, gates, roles, runtimes, warnings);
+
+  return {
+    ok: errors.length === 0,
+    errors,
+    warnings,
+  };
+}
+
+/**
+ * ADM-003: Check whether human approval requirements are reachable.
+ * Emits warnings (not errors) because external approval paths are legitimate.
+ */
+function checkHumanApprovalTopology(config, rawConfig, routing, gates, roles, runtimes, warnings) {
+  // Determine if any manual runtime exists
+  const hasManualRuntime = runtimes
+    ? Object.values(runtimes).some(rt => rt?.type === 'manual')
+    : false;
+
+  // If there's a manual runtime, human approval is always reachable
+  if (hasManualRuntime) return;
+
+  const approvalPolicy = config?.approval_policy || rawConfig?.approval_policy;
+
+  // Collect phases/gates that require human approval
+  const humanApprovalPoints = [];
+
+  for (const [phase, route] of Object.entries(routing)) {
+    const exitGateId = route?.exit_gate;
+    if (!exitGateId || !gates?.[exitGateId]) continue;
+
+    const gateDef = gates[exitGateId];
+    if (gateDef.requires_human_approval) {
+      // Check if approval_policy overrides to auto_approve for this transition
+      if (!isAutoApprovedByPolicy(approvalPolicy, 'phase_transitions', phase)) {
+        humanApprovalPoints.push({ type: 'phase_transition', phase, gate: exitGateId });
+      }
+    }
+  }
+
+  // Check run_completion gates
+  const completionGateId = config?.completion_gate || rawConfig?.completion_gate;
+  if (completionGateId && gates?.[completionGateId]) {
+    const gateDef = gates[completionGateId];
+    if (gateDef.requires_human_approval) {
+      if (!isAutoApprovedByPolicy(approvalPolicy, 'run_completion', null)) {
+        humanApprovalPoints.push({ type: 'run_completion', gate: completionGateId });
+      }
+    }
+  }
+
+  // Also check approval_policy for explicit require_human actions
+  if (approvalPolicy?.phase_transitions) {
+    const pt = approvalPolicy.phase_transitions;
+    if (pt.default === 'require_human') {
+      // Every phase transition defaults to human approval
+      for (const phase of Object.keys(routing)) {
+        const hasAutoOverride = (pt.rules || []).some(rule =>
+          rule.action === 'auto_approve' && matchesPhaseRule(rule, phase));
+        if (!hasAutoOverride) {
+          const already = humanApprovalPoints.some(p => p.type === 'phase_transition' && p.phase === phase);
+          if (!already) {
+            humanApprovalPoints.push({ type: 'phase_transition', phase, gate: routing[phase]?.exit_gate || '(policy)' });
+          }
+        }
+      }
+    }
+    if (Array.isArray(pt.rules)) {
+      for (const rule of pt.rules) {
+        if (rule.action === 'require_human' && rule.from_phase) {
+          const already = humanApprovalPoints.some(p => p.type === 'phase_transition' && p.phase === rule.from_phase);
+          if (!already) {
+            humanApprovalPoints.push({ type: 'phase_transition', phase: rule.from_phase, gate: '(policy)' });
+          }
+        }
+      }
+    }
+  }
+
+  if (approvalPolicy?.run_completion?.action === 'require_human') {
+    const already = humanApprovalPoints.some(p => p.type === 'run_completion');
+    if (!already) {
+      humanApprovalPoints.push({ type: 'run_completion', gate: '(policy)' });
+    }
+  }
+
+  for (const point of humanApprovalPoints) {
+    if (point.type === 'phase_transition') {
+      warnings.push(
+        `ADM-003: Phase "${point.phase}" requires human approval (gate "${point.gate}") but no role uses runtime type "manual". The run will pause at pending_phase_transition and require external approval (CLI, dashboard, or webhook).`
+      );
+    } else {
+      warnings.push(
+        `ADM-003: Run completion requires human approval (gate "${point.gate}") but no role uses runtime type "manual". The run will pause at pending_run_completion and require external approval.`
+      );
+    }
+  }
+}
+
+function isAutoApprovedByPolicy(approvalPolicy, section, phase) {
+  if (!approvalPolicy) return false;
+
+  if (section === 'phase_transitions') {
+    const pt = approvalPolicy.phase_transitions;
+    if (!pt) return false;
+
+    // Check specific rules first
+    if (Array.isArray(pt.rules)) {
+      for (const rule of pt.rules) {
+        if (rule.action === 'auto_approve' && matchesPhaseRule(rule, phase)) {
+          return true;
+        }
+      }
+    }
+
+    // Fall back to default
+    return pt.default === 'auto_approve';
+  }
+
+  if (section === 'run_completion') {
+    return approvalPolicy.run_completion?.action === 'auto_approve';
+  }
+
+  return false;
+}
+
+function matchesPhaseRule(rule, phase) {
+  // A rule matches if from_phase is unset or matches the phase
+  if (rule.from_phase && rule.from_phase !== phase) return false;
+  return true;
+}
+
+function canRoleProduceFiles(role, runtime) {
+  if (!role) return false;
+  return runtime?.type === 'manual'
+    || role.write_authority === 'authoritative'
+    || role.write_authority === 'proposed';
+}

package/src/lib/export-diff.js

@@ -415,6 +415,22 @@ function detectRunRegressions(left, right) {
     });
   }
 
+  const leftHasPhaseOrder = Array.isArray(left.workflow_phase_order) && left.workflow_phase_order.length > 0;
+  const rightHasPhaseOrder = Array.isArray(right.workflow_phase_order) && right.workflow_phase_order.length > 0;
+  const phaseOrderDrift = leftHasPhaseOrder && rightHasPhaseOrder && !isEqual(left.workflow_phase_order, right.workflow_phase_order);
+
+  if (phaseOrderDrift) {
+    regressions.push({
+      id: `REG-PHASE-ORDER-${String(++counter).padStart(3, '0')}`,
+      category: 'phase',
+      severity: 'warning',
+      message: 'Workflow phase order changed between exports; directional phase comparison skipped',
+      field: 'workflow_phase_order',
+      left: left.workflow_phase_order,
+      right: right.workflow_phase_order,
+    });
+  }
+
   // Phase regression: backward movement in workflow phase order
   if (left.phase && right.phase === null) {
     // Phase disappeared — information loss
@@ -428,9 +444,9 @@ function detectRunRegressions(left, right) {
       right: null,
     });
   } else if (left.phase && right.phase && left.phase !== right.phase) {
-    // Use right export's phase order as canonical (or left if right doesn't have one)
-    const phaseOrder = right.workflow_phase_order || left.workflow_phase_order;
-    if (Array.isArray(phaseOrder) && phaseOrder.length > 0) {
+    const canCompareDirection = leftHasPhaseOrder && rightHasPhaseOrder && !phaseOrderDrift;
+    if (canCompareDirection) {
+      const phaseOrder = right.workflow_phase_order;
       const leftIndex = phaseOrder.indexOf(left.phase);
       const rightIndex = phaseOrder.indexOf(right.phase);
       // Only flag when both phases are known and right is earlier than left

package/src/lib/export-verifier.js

@@ -31,6 +31,52 @@ function addError(errors, path, message) {
   errors.push(`${path}: ${message}`);
 }
 
+function verifyWorkflowPhaseOrder(summary, errors, summaryPath = 'summary') {
+  const phaseOrder = summary?.workflow_phase_order;
+  if (phaseOrder === undefined || phaseOrder === null) {
+    return;
+  }
+
+  const path = `${summaryPath}.workflow_phase_order`;
+  if (!Array.isArray(phaseOrder)) {
+    addError(errors, path, 'must be an array or null');
+    return;
+  }
+
+  if (phaseOrder.length === 0) {
+    addError(errors, path, 'must not be empty when present');
+    return;
+  }
+
+  const seen = new Set();
+  for (let index = 0; index < phaseOrder.length; index += 1) {
+    const entry = phaseOrder[index];
+    const entryPath = `${path}[${index}]`;
+    if (typeof entry !== 'string') {
+      addError(errors, entryPath, 'must be a string');
+      continue;
+    }
+    const trimmed = entry.trim();
+    if (!trimmed) {
+      addError(errors, entryPath, 'must not be blank');
+      continue;
+    }
+    if (trimmed !== entry) {
+      addError(errors, entryPath, 'must be trimmed');
+      continue;
+    }
+    if (seen.has(entry)) {
+      addError(errors, path, `must not contain duplicate phase "${entry}"`);
+      continue;
+    }
+    seen.add(entry);
+  }
+
+  if (summary.phase !== null && summary.phase !== undefined && !seen.has(summary.phase)) {
+    addError(errors, `${summaryPath}.phase`, 'must appear in summary.workflow_phase_order when workflow_phase_order is present');
+  }
+}
+
 function verifyFileEntry(relPath, entry, errors) {
   const path = `files.${relPath}`;
   if (!entry || typeof entry !== 'object' || Array.isArray(entry)) {
@@ -539,6 +585,8 @@ function verifyRunExport(artifact, errors) {
     addError(errors, 'summary.phase', 'must match state.phase');
   }
 
+  verifyWorkflowPhaseOrder(artifact.summary, errors);
+
   const expectedHistoryEntries = countJsonl(artifact.files, '.agentxchain/history.jsonl');
   const expectedDecisionEntries = countJsonl(artifact.files, '.agentxchain/decision-ledger.jsonl');
   const expectedHookAuditEntries = countJsonl(artifact.files, '.agentxchain/hook-audit.jsonl');
@@ -628,6 +676,7 @@ function verifyCoordinatorExport(artifact, errors) {
     if (artifact.summary.phase !== (coordinatorState?.phase || null)) {
       addError(errors, 'summary.phase', 'must match coordinator state phase');
     }
+    verifyWorkflowPhaseOrder(artifact.summary, errors);
     if (!isDeepStrictEqual(artifact.summary.repo_run_statuses, expectedStatuses)) {
       addError(errors, 'summary.repo_run_statuses', 'must match coordinator state repo run statuses');
     }

package/src/lib/normalized-config.js

@@ -556,82 +556,13 @@ export function validateV4Config(data, projectRoot) {
     errors.push(...timeoutValidation.errors);
   }
 
-  warnings.push(...collectRemoteReviewOnlyGateWarnings(data));
+  // Admission control (ADM-001..004) is handled by the validate, doctor, and
+  // run-loop paths which call runAdmissionControl() directly. Config schema
+  // validation here should not duplicate that surface.
 
   return { ok: errors.length === 0, errors, warnings };
 }
 
-export function collectRemoteReviewOnlyGateWarnings(data) {
-  const warnings = [];
-  const routing = data?.routing;
-  const gates = data?.gates;
-  const roles = data?.roles;
-  const runtimes = data?.runtimes;
-
-  if (!routing || !gates || !roles || !runtimes) {
-    return warnings;
-  }
-
-  for (const [phase, route] of Object.entries(routing)) {
-    const exitGateId = route?.exit_gate;
-    if (!exitGateId || !gates[exitGateId]) {
-      continue;
-    }
-
-    const requiredFiles = Array.isArray(gates[exitGateId]?.requires_files)
-      ? gates[exitGateId].requires_files.filter(filePath => typeof filePath === 'string' && filePath.trim())
-      : [];
-    if (requiredFiles.length === 0) {
-      continue;
-    }
-
-    const candidateRoleIds = [
-      route?.entry_role,
-      ...(Array.isArray(route?.allowed_next_roles) ? route.allowed_next_roles : []),
-    ].filter((roleId) => roleId && roleId !== 'human');
-
-    if (candidateRoleIds.length === 0) {
-      continue;
-    }
-
-    const candidateRoles = [...new Set(candidateRoleIds)]
-      .map((roleId) => {
-        const role = roles[roleId];
-        const runtime = role?.runtime ? runtimes[role.runtime] : null;
-        if (!role || !runtime) {
-          return null;
-        }
-        return { roleId, role, runtime };
-      })
-      .filter(Boolean);
-
-    if (candidateRoles.length === 0) {
-      continue;
-    }
-
-    const hasFileProducingRole = candidateRoles.some(({ role }) =>
-      role.write_authority === 'authoritative' || role.write_authority === 'proposed');
-    if (hasFileProducingRole) {
-      continue;
-    }
-
-    const allRemoteReviewOnly = candidateRoles.every(({ role, runtime }) =>
-      role.write_authority === 'review_only' && (runtime.type === 'api_proxy' || runtime.type === 'remote_agent'));
-    if (!allRemoteReviewOnly) {
-      continue;
-    }
-
-    const roleSummary = candidateRoles
-      .map(({ roleId, runtime }) => `${roleId}:${runtime.type}`)
-      .join(', ');
-    warnings.push(
-      `Routing "${phase}" exits through gate "${exitGateId}" with requires_files (${requiredFiles.join(', ')}) but all participating roles are review_only remote runtimes (${roleSummary}). Those files cannot be produced through governed turns; add a proposed/authoritative writer, remove the gate files, or expect operator-managed out-of-band artifacts.`,
-    );
-  }
-
-  return warnings;
-}
-
 export function validateBudgetConfig(budget) {
   const errors = [];
 

package/src/lib/run-loop.js

@@ -32,6 +32,7 @@ import {
   RUNNER_INTERFACE_VERSION,
 } from './runner-interface.js';
 
+import { runAdmissionControl } from './admission-control.js';
 import { mkdirSync, writeFileSync } from 'fs';
 import { join, dirname } from 'path';
 
@@ -65,6 +66,13 @@ export async function runLoop(root, config, callbacks, options = {}) {
     }
   };
 
+  // ── Admission control — reject provably dead-end configs ────────────────
+  const admission = runAdmissionControl(config, config);
+  if (!admission.ok) {
+    return makeResult(false, 'admission_rejected', null, 0, [], 0,
+      admission.errors.map(e => `Admission control: ${e}`));
+  }
+
   // ── Initialize if idle ──────────────────────────────────────────────────
   let state = loadState(root, config);
   const shouldRestartCompleted = state?.status === 'completed' && options.startNewRunFromCompleted === true;

package/src/lib/validation.js

@@ -9,7 +9,7 @@ import {
   validateAcceptanceHintCompletion,
   validateGovernedWorkflowKit,
 } from './governed-templates.js';
-import { collectRemoteReviewOnlyGateWarnings } from './normalized-config.js';
+import { runAdmissionControl } from './admission-control.js';
 
 const DEFAULT_REQUIRED_FILES = [
   '.planning/PROJECT.md',
@@ -116,8 +116,10 @@ export function validateGovernedProject(root, rawConfig, config, opts = {}) {
   errors.push(...workflowKit.errors);
   warnings.push(...workflowKit.warnings);
 
-  // Config-shape warnings (dead-end gates, etc.) — mirrors doctor/config --set surfaces
-  warnings.push(...collectRemoteReviewOnlyGateWarnings(rawConfig));
+  // Admission control — reject provably dead-end configs
+  const admission = runAdmissionControl(config, rawConfig);
+  errors.push(...admission.errors);
+  warnings.push(...admission.warnings);
 
   const mustExist = [
     config.files?.state || '.agentxchain/state.json',