aienvmp 0.1.65 → 0.1.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,30 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.1.67
4
+
5
+ - Added a dashboard `First read` strip with status, first file, review targets, and local operation mode.
6
+ - Kept the detailed dashboard cards below the top decision area so humans get a faster scan without losing AI context.
7
+ - Added `maintenanceLoop` to the AI preflight contract so agents can repeat refresh, decide, inspect, plan, intent, checkpoint, and handoff steps.
8
+ - Surfaced the maintenance loop in `context --json`, `summary.md`, `AIENV.md`, schema metadata, and regression tests.
9
+ - Added `maintenanceLoop.sbomReview` so AI agents can connect SBOM risk, scanner confidence, review targets, and dependency-change commands.
10
+ - Added medium light-SBOM risk planning guidance to recommended actions.
11
+ - Added `strictDecision` so AI agents and CI can distinguish local warn-only checks from optional strict gates.
12
+ - Surfaced local `doctor --json` and scoped CI strict commands in summary, dashboard, status/context JSON, and tests.
13
+ - Added `handoff.continuation` so the next AI receives maintenance-loop, SBOM-review, and strict-decision guidance without parsing the full preflight.
14
+ - Added the continuation summary to plain Markdown handoff output and schema metadata.
15
+ - Reworked the README first-read flow around shared AI workspaces, the 10-second command path, and the AI maintenance loop.
16
+ - Added `aiLoop` to `schema --json` and plain schema output so AI consumers see the same loop described in the README.
17
+
18
+ ## 0.1.66
19
+
20
+ - Added `aienvmp resolve --target <target>` to resolve all open intents for one environment target.
21
+ - Added `aienvmp resolve --all` to close all open intents after coordination.
22
+ - Added `resolve --json` output so AI agents can read resolved refs and counts directly.
23
+ - Kept single-intent `resolve --id` behavior for precise manual cleanup.
24
+ - Updated coordination recommended actions to point at target-based resolve.
25
+ - Updated CLI help and README command guidance for the simplified resolve flow.
26
+ - Added regression tests for target resolve, all resolve, JSON output, and coordination action commands.
27
+
3
28
  ## 0.1.65
4
29
 
5
30
  - Added a dashboard `Next command` bar directly below the AI control strip.
package/README.md CHANGED
@@ -6,28 +6,54 @@
6
6
 
7
7
  **AI Environment Map.**
8
8
 
9
- `aienvmp` is a lightweight env map and light SBOM for shared AI coding machines.
9
+ `aienvmp` is a lightweight env map and light SBOM for AI coding workspaces.
10
10
 
11
- It helps Codex, Claude, Gemini, and humans avoid silent runtime, package manager, dependency, Docker, and security drift.
11
+ It helps Codex, Claude, Gemini, and humans avoid silent runtime, package manager, dependency, Docker, and security drift on shared machines.
12
+
13
+ **Use it when multiple AI agents or people touch the same server, repo, laptop, or CI workspace.**
14
+
15
+ ## Why
16
+
17
+ - one AI-readable environment map
18
+ - one lightweight SBOM view
19
+ - one append-only intent and change timeline
20
+ - one human dashboard
21
+ - advisory by default, strict only when requested
12
22
 
13
23
  ## 10-Second Use
14
24
 
15
25
  ```bash
16
26
  npx aienvmp sync
17
27
  npx aienvmp status
28
+ npx aienvmp handoff
29
+ ```
30
+
31
+ For AI details:
32
+
33
+ ```bash
18
34
  npx aienvmp context --json
19
35
  npx aienvmp schema --json
20
36
  ```
21
37
 
22
- Before environment changes:
38
+ Before an environment-affecting change:
23
39
 
24
40
  ```bash
25
- npx aienvmp intent --actor agent:codex --action "change dependency" --target dependency
26
- npx aienvmp checkpoint --actor agent:codex --summary "dependency-change" --target dependency
41
+ npx aienvmp intent --actor agent:id --action "planned-change" --target dependency
42
+ npx aienvmp checkpoint --actor agent:id --summary "dependency-change" --target dependency
27
43
  ```
28
44
 
29
- Use `--dir <workspace>` when AI or CI runs outside the target project.
30
- Warnings are advisory by default. Use `doctor --strict <scope>` only when you want CI-style failure.
45
+ Use `--dir <workspace>` when AI or CI runs outside the target project. Warnings do not block local work by default.
46
+
47
+ ## AI Loop
48
+
49
+ 1. `sync` refreshes `AIENV.md`, status, summary, SBOM, ledger, and dashboard.
50
+ 2. `status` gives the 5-line clear/review decision.
51
+ 3. `context --json` gives AI the full preflight contract.
52
+ 4. `intent` records planned env changes before touching dependencies, runtimes, package managers, Docker, or global tools.
53
+ 5. `checkpoint` records the accepted change, refreshes outputs, and writes a handoff.
54
+ 6. `handoff` tells the next AI what to read, what to avoid, and whether SBOM/strict review is needed.
55
+
56
+ Local mode is warn-only. Use `doctor --strict security|policy|coordination|all` only for CI or explicit human-requested gates.
31
57
 
32
58
  ## What It Creates
33
59
 
@@ -46,23 +72,12 @@ AIENV.md # Markdown env map for AI agents
46
72
 
47
73
  ## AI Contract
48
74
 
49
- - `status`, `context`, `plan`, and `handoff` share one preflight contract.
50
- - `schema --json` prints the stable AI-readable output contract without scanning.
51
- - `summary.md` is the short CI/AI handoff view, with `AI readiness`, signals, and next action first.
52
- - `status.json.nextAgent` tells the next AI what to read and whether to review first.
53
- - `aiReadiness` gives a one-field ready/review signal for AI continuation.
54
- - `collaboration` gives the shortest multi-agent env-change status, targets, and next command.
55
- - `dashboard.html` starts with a 3-card AI control strip plus one next command.
56
- - `dependencyReadSet` lists manifests and lockfiles before package or security changes.
57
- - `sbomRisk` gives AI a compact light-SBOM risk level, signals, and next command.
58
- - `sbom.json.aiDependencyReview` connects SBOM risk, scanner confidence, and safe dependency-change steps.
59
- - `coordination.conflictTargets` shows where multiple agents are planning changes.
60
- - `agentActivity.multiActorTargets` shows where multiple agents actually recorded env changes.
61
- - `followUps` shows records that still need `sync`, `status`, or `handoff`.
62
- - `handoff` carries dependency read-set and protocol guidance for the next AI.
63
- - Light SBOM includes source/confidence hints; verify security claims with dedicated scanners.
64
- - `enforcementProfile.gate` explains when checks warn, fail, and set exit codes.
65
- - Everything is advisory by default; strict failure is opt-in with `doctor --strict` or `--ci`.
75
+ - `status`, `context`, `plan`, and `handoff` share one additive preflight contract.
76
+ - `maintenanceLoop` gives AI the recurring env-management loop.
77
+ - `sbomRisk` and `sbomReview` connect light SBOM risk to safe dependency-change steps.
78
+ - `collaboration`, `coordination`, and `agentActivity` show multi-agent conflicts and shared targets.
79
+ - `strictDecision` separates local warn-only checks from optional CI strict gates.
80
+ - `schema --json` prints the stable machine-readable contract without scanning.
66
81
 
67
82
  ## Agent Files
68
83
 
@@ -94,6 +109,7 @@ aienvmp schema --json # stable output contract for AI/CI consumers
94
109
  aienvmp plan --write # read-only action plan
95
110
  aienvmp handoff --record # next-agent summary
96
111
  aienvmp intent # record planned env change
112
+ aienvmp resolve --target dependency --actor agent:id
97
113
  aienvmp record # record what changed
98
114
  aienvmp checkpoint # record + sync + status + handoff after env change
99
115
  aienvmp doctor --strict security|policy|coordination|all
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "aienvmp",
3
- "version": "0.1.65",
3
+ "version": "0.1.67",
4
4
  "description": "AI-first environment maps and lightweight runtime SBOMs for shared development machines.",
5
5
  "type": "module",
6
6
  "bin": {
package/src/actions.js CHANGED
@@ -12,7 +12,7 @@ export function recommendedActions(manifest = {}, context = {}) {
12
12
  }
13
13
 
14
14
  if (warnings.some((warning) => warning.code === "conflicting-open-intents")) {
15
- actions.push(action("coordinate-agents", "high", "coordination", "Multiple agents are planning changes to the same environment target. Coordinate with the user before proceeding."));
15
+ actions.push(action("coordinate-agents", "high", "coordination", "Multiple agents are planning changes to the same environment target. Coordinate with the user before proceeding.", "aienvmp resolve --actor agent:id --target <target> --status resolved"));
16
16
  }
17
17
 
18
18
  if (warnings.some((warning) => warning.code === "multi-agent-records")) {
@@ -44,8 +44,14 @@ function sbomRiskActions(risk = {}) {
44
44
  if (risk.scanner === "off" && risk.vulnerabilityCount === 0) {
45
45
  actions.push(action("scan-sbom-risk", "medium", "security", "Run a read-only security scan before dependency or release decisions.", "aienvmp sync --security"));
46
46
  }
47
- if (["urgent", "high"].includes(risk.level)) {
48
- actions.push(action("review-sbom-risk", "high", "security", `Review light SBOM risk summary before dependency changes: ${(risk.signals || []).slice(0, 2).join("; ") || risk.level}.`, "aienvmp plan --write"));
47
+ if (["urgent", "high", "medium"].includes(risk.level)) {
48
+ actions.push(action(
49
+ "review-sbom-risk",
50
+ ["urgent", "high"].includes(risk.level) ? "high" : "medium",
51
+ "security",
52
+ `Review light SBOM risk summary before dependency changes: ${(risk.signals || []).slice(0, 2).join("; ") || risk.level}.`,
53
+ "aienvmp plan --write"
54
+ ));
49
55
  }
50
56
  return actions;
51
57
  }
package/src/cli.js CHANGED
@@ -137,7 +137,7 @@ Advanced:
137
137
  aienvmp init [--dir .]
138
138
  aienvmp scan [--dir .] [--deep] [--security]
139
139
  aienvmp intent [--dir .] --actor agent:codex --action "install pnpm"
140
- aienvmp resolve [--dir .] --actor human:you --id <intent-id> [--status resolved|cancelled]
140
+ aienvmp resolve [--dir .] --actor human:you (--id <intent-id>|--target dependency|--all) [--status resolved|cancelled] [--json]
141
141
  aienvmp record [--dir .] --actor agent:codex --summary "updated .nvmrc" [--target node] [--before 20] [--after 24]
142
142
  aienvmp checkpoint [--dir .] --actor agent:codex --summary "updated dependency" [--target dependency]
143
143
  aienvmp snippet [agents|codex|claude|gemini] [--write AGENTS.md]
@@ -28,6 +28,7 @@ export async function contextWorkspace(args) {
28
28
  preflight,
29
29
  aiReadiness: preflight.aiReadiness,
30
30
  collaboration: preflight.collaboration,
31
+ maintenanceLoop: preflight.maintenanceLoop,
31
32
  coordination: preflight.coordination,
32
33
  agentPointers: preflight.agentPointers,
33
34
  sbomRisk: preflight.sbomRisk,
@@ -62,6 +62,7 @@ export function buildHandoff(manifest, timeline = [], warnings = [], intents = [
62
62
  inventory: inventorySummary(manifest.inventory),
63
63
  security: securitySummary(manifest.security),
64
64
  dependencyHandoff: dependencyHandoffSummary(preflight),
65
+ continuation: continuationSummary(preflight),
65
66
  coordination: preflight.coordination,
66
67
  agentActivity: preflight.agentActivity,
67
68
  policy: {
@@ -86,6 +87,37 @@ export function buildHandoff(manifest, timeline = [], warnings = [], intents = [
86
87
  };
87
88
  }
88
89
 
90
+ function continuationSummary(preflight = {}) {
91
+ const maintenanceLoop = preflight.maintenanceLoop || {};
92
+ const strictDecision = preflight.enforcementProfile?.strictDecision || preflight.enforcement?.strictDecision || {};
93
+ const sbomReview = maintenanceLoop.sbomReview || {};
94
+ return {
95
+ status: preflight.state || "unknown",
96
+ nextCommand: maintenanceLoop.nextCommand || preflight.nextCommand || "aienvmp status --json",
97
+ readOrder: (maintenanceLoop.readOrder || preflight.readOrder || []).slice(0, 4),
98
+ maintenance: {
99
+ mode: maintenanceLoop.mode || "advisory",
100
+ localImpact: maintenanceLoop.localImpact || "read-only until an AI or human records a change",
101
+ sbomCommand: maintenanceLoop.sbomCommand || "aienvmp sbom --json",
102
+ rule: maintenanceLoop.rule || "Keep local operation advisory and lightweight."
103
+ },
104
+ sbomReview: {
105
+ status: sbomReview.status || "unknown",
106
+ riskLevel: sbomReview.riskLevel || "unknown",
107
+ securityConfidence: sbomReview.securityConfidence || "unknown",
108
+ nextCommand: sbomReview.nextCommand || maintenanceLoop.sbomCommand || "aienvmp sbom --json",
109
+ reviewTargets: (sbomReview.reviewTargets || []).slice(0, 5)
110
+ },
111
+ strict: {
112
+ localCommand: strictDecision.localCommand || "aienvmp doctor --json",
113
+ local: strictDecision.local || "warn-only",
114
+ shouldFailLocal: strictDecision.shouldFailLocal === true,
115
+ ciCommand: strictDecision.ciCommand || "aienvmp doctor --strict all --json",
116
+ rule: strictDecision.rule || "Local checks stay advisory; strict failure is opt-in."
117
+ }
118
+ };
119
+ }
120
+
89
121
  function dependencyHandoffSummary(preflight = {}) {
90
122
  const protocol = preflight.dependencyChangeProtocol || {};
91
123
  return {
@@ -5,18 +5,32 @@ import { intentsPath, workspaceDir } from "../paths.js";
5
5
  export async function resolveWorkspace(args) {
6
6
  const dir = workspaceDir(args);
7
7
  const actor = required(args.actor, "actor");
8
- const requested = required(args.id || args.ref, "id");
9
- const ref = await resolveIntentRef(dir, requested);
10
- const entry = {
11
- at: new Date().toISOString(),
8
+ const refs = await resolveIntentRefs(dir, args);
9
+ const now = new Date().toISOString();
10
+ const entries = refs.map((ref) => ({
11
+ at: now,
12
12
  type: "intent-resolved",
13
13
  actor,
14
14
  ref,
15
15
  status: args.status || "resolved",
16
16
  reason: args.reason || ""
17
+ }));
18
+ for (const entry of entries) {
19
+ await appendJsonLine(intentsPath(dir), entry);
20
+ }
21
+ const output = {
22
+ status: args.status || "resolved",
23
+ count: entries.length,
24
+ refs,
25
+ actor,
26
+ reason: args.reason || ""
17
27
  };
18
- await appendJsonLine(intentsPath(dir), entry);
19
- console.log(`intent ${entry.status}: ${ref}`);
28
+ if (args.json) {
29
+ console.log(JSON.stringify(output, null, 2));
30
+ } else if (!args.quiet) {
31
+ console.log(`intents ${output.status}: ${output.count}${refs.length ? ` (${refs.join(", ")})` : ""}`);
32
+ }
33
+ return output;
20
34
  }
21
35
 
22
36
  function required(value, name) {
@@ -24,8 +38,22 @@ function required(value, name) {
24
38
  return String(value);
25
39
  }
26
40
 
27
- async function resolveIntentRef(dir, requested) {
41
+ async function resolveIntentRefs(dir, args) {
28
42
  const open = openIntents(await readJsonl(intentsPath(dir)));
43
+ if (args.all) return open.map((intent) => intent.id);
44
+ if (args.target) {
45
+ const target = String(args.target).trim().toLowerCase();
46
+ const refs = open
47
+ .filter((intent) => String(intent.target || "").trim().toLowerCase() === target)
48
+ .map((intent) => intent.id);
49
+ if (!refs.length) throw new Error(`resolve: no open intents for target "${target}"`);
50
+ return refs;
51
+ }
52
+ const requested = required(args.id || args.ref, "id");
53
+ return [await resolveIntentRef(open, requested)];
54
+ }
55
+
56
+ async function resolveIntentRef(open, requested) {
29
57
  const matches = open.filter((intent) => intent.id === requested || intent.id.startsWith(requested));
30
58
  if (matches.length === 1) return matches[0].id;
31
59
  if (matches.length > 1) {
@@ -10,6 +10,7 @@ export async function schemaWorkspace(args = {}) {
10
10
  console.log(`status: ${schema.outputs.status.command}`);
11
11
  console.log(`context: ${schema.outputs.context.command}`);
12
12
  console.log(`handoff: ${schema.outputs.handoff.command}`);
13
+ console.log(`loop: ${schema.aiLoop.steps.map((item) => item.command).join(" -> ")}`);
13
14
  console.log(`rule: ${schema.compatibility.consumerRule}`);
14
15
  }
15
16
  return schema;
@@ -38,6 +38,8 @@ export function renderSummary(status = {}, manifest = {}) {
38
38
  const coordination = status.coordination || {};
39
39
  const activity = status.agentActivity || {};
40
40
  const collaboration = status.collaboration || {};
41
+ const maintenanceLoop = status.maintenanceLoop || {};
42
+ const sbomReview = maintenanceLoop.sbomReview || {};
41
43
  const workspace = manifest.workspace?.root || manifest.workspace?.name || ".";
42
44
  const next = status.nextCommand || status.decision?.nextCommand || "aienvmp status";
43
45
  const readFirst = status.nextAgent?.readFirst || ".aienvmp/status.json";
@@ -58,6 +60,7 @@ export function renderSummary(status = {}, manifest = {}) {
58
60
  const aiNext = aiReadiness.next || "Run aienvmp context --json for details.";
59
61
  const aiDependencyReview = manifest.lightSbom?.aiDependencyReview || {};
60
62
  const strictPlan = status.enforcementProfile?.strictPlan || status.enforcement?.strictPlan || {};
63
+ const strictDecision = status.enforcementProfile?.strictDecision || status.enforcement?.strictDecision || {};
61
64
 
62
65
  return [
63
66
  "# aienvmp summary",
@@ -66,9 +69,11 @@ export function renderSummary(status = {}, manifest = {}) {
66
69
  `- AI signals: ${aiSignals.length ? aiSignals.join("; ") : "none"}`,
67
70
  `- AI next: ${aiNext}`,
68
71
  `- AI collaboration: ${collaboration.status || "unknown"} / ${toList(collaboration.activeTargets).join(", ") || "none"} / ${collaboration.nextCommand || "aienvmp status --json"}`,
72
+ `- AI maintenance loop: ${maintenanceLoop.nextCommand || next}`,
69
73
  `- AI safe local work: ${toList(aiReadiness.safeProjectLocalActions)[0] || "read artifacts and avoid environment changes until reviewed"}`,
70
74
  `- AI read first: ${readFirst}, then ${detail}`,
71
75
  `- mode: advisory by default; strict is opt-in with ${strict}`,
76
+ `- local check: ${strictDecision.localCommand || "aienvmp doctor --json"} (${strictDecision.local || "warn-only"})`,
72
77
  `- CI strict: ${strictPlan.ciCommand || `${strict} --json`}`,
73
78
  "",
74
79
  `- state: ${status.state || "unknown"}`,
@@ -84,6 +89,7 @@ export function renderSummary(status = {}, manifest = {}) {
84
89
  `- collaboration rule: ${collaboration.rule || "Record intent before shared environment changes."}`,
85
90
  `- coordination: ${coordination.next || "No open environment intents."}`,
86
91
  `- recent agent activity: ${activity.next || "No environment records need coordination."}`,
92
+ `- maintenance rule: ${maintenanceLoop.rule || "Refresh, inspect, record intent, checkpoint, and hand off without blocking local operation."}`,
87
93
  `- conflict targets: ${conflictTargets.length ? conflictTargets.join(", ") : "none"}`,
88
94
  `- multi-actor targets: ${multiActorTargets.length ? multiActorTargets.join(", ") : "none"}`,
89
95
  "",
@@ -91,6 +97,7 @@ export function renderSummary(status = {}, manifest = {}) {
91
97
  "",
92
98
  `- source: ${manifest.lightSbom?.source?.dependencies || "project manifests"}`,
93
99
  `- confidence: transitive ${manifest.lightSbom?.confidence?.transitiveDependencies || "not-resolved"}`,
100
+ `- maintenance SBOM review: ${sbomReview.status || "unknown"} / ${sbomReview.securityConfidence || "unknown"} / ${sbomReview.nextCommand || maintenanceLoop.sbomCommand || "aienvmp sbom --json"}`,
94
101
  `- AI dependency review: ${aiDependencyReview.status || "unknown"} / ${aiDependencyReview.securityConfidence || "unknown"} / ${aiDependencyReview.beforeDependencyChange?.[0] || "aienvmp sbom --json"}`,
95
102
  `- signals: ${riskSignals.length ? riskSignals.join("; ") : "none"}`,
96
103
  `- verify: ${sbomRisk.next || "Use a dedicated scanner for security decisions."}`,
package/src/contract.js CHANGED
@@ -4,7 +4,7 @@ export function preflightContract() {
4
4
  version: 1,
5
5
  stability: "additive",
6
6
  requiredFields: ["schemaVersion", "state", "decision", "quickstart", "commands", "artifacts"],
7
- aiEntryFields: ["state", "summary", "aiReadiness", "collaboration", "nextAgent", "coordination", "agentActivity", "agentPointers", "sbomRisk", "followUps", "dependencyReadSet", "dependencyChangeProtocol"],
7
+ aiEntryFields: ["state", "summary", "aiReadiness", "collaboration", "maintenanceLoop", "nextAgent", "coordination", "agentActivity", "agentPointers", "sbomRisk", "followUps", "dependencyReadSet", "dependencyChangeProtocol"],
8
8
  rule: "Consumers should ignore unknown fields and treat missing optional fields as unavailable."
9
9
  };
10
10
  }
@@ -14,6 +14,20 @@ export function schemaContract() {
14
14
  schemaVersion: 1,
15
15
  name: "aienvmp-contract",
16
16
  purpose: "Stable AI-readable contract for aienvmp outputs.",
17
+ aiLoop: {
18
+ name: "AI maintenance loop",
19
+ purpose: "Shared lightweight workflow for AI agents that maintain one workspace environment.",
20
+ localMode: "warn-only",
21
+ steps: [
22
+ { step: "sync", command: "aienvmp sync", purpose: "refresh AIENV.md, status, summary, SBOM, ledger, and dashboard" },
23
+ { step: "status", command: "aienvmp status", purpose: "read the 5-line clear/review decision" },
24
+ { step: "context", command: "aienvmp context --json", purpose: "read the full AI preflight contract when details are needed" },
25
+ { step: "intent", command: "aienvmp intent --actor agent:id --action planned-change --target dependency", purpose: "record planned environment-affecting changes before touching shared state" },
26
+ { step: "checkpoint", command: "aienvmp checkpoint --actor agent:id --summary dependency-change --target dependency", purpose: "record accepted changes, refresh outputs, and write handoff context" },
27
+ { step: "handoff", command: "aienvmp handoff", purpose: "tell the next AI what to read, avoid, and review" }
28
+ ],
29
+ strictRule: "Local checks are warn-only; use doctor --strict only for CI or explicit human-requested gates."
30
+ },
17
31
  outputs: {
18
32
  status: {
19
33
  file: ".aienvmp/status.json",
@@ -29,11 +43,11 @@ export function schemaContract() {
29
43
  },
30
44
  context: {
31
45
  command: "aienvmp context --json",
32
- rootFields: ["status", "preflight", "aiReadiness", "collaboration", "coordination", "agentPointers", "decision", "enforcement", "recommendedActions", "workspace", "dependencySnapshot", "lightSbom", "warnings"]
46
+ rootFields: ["status", "preflight", "aiReadiness", "collaboration", "maintenanceLoop", "coordination", "agentPointers", "decision", "enforcement", "recommendedActions", "workspace", "dependencySnapshot", "lightSbom", "warnings"]
33
47
  },
34
48
  handoff: {
35
49
  command: "aienvmp handoff --json",
36
- rootFields: ["status", "decision", "preflight", "coordination", "dependencyHandoff", "openIntents", "warnings", "recommendedActions", "recentChanges"]
50
+ rootFields: ["status", "decision", "preflight", "continuation", "coordination", "dependencyHandoff", "openIntents", "warnings", "recommendedActions", "recentChanges"]
37
51
  },
38
52
  manifest: {
39
53
  file: ".aienvmp/manifest.json",
@@ -57,6 +71,8 @@ export function schemaContract() {
57
71
  localBehavior: "read-only; this command does not scan, install, update, or lock anything.",
58
72
  aiReadinessRule: "When aiReadiness.level is review, project-local code work may still continue if aiReadiness.projectLocalWork is allowed; environment changes should follow intent/review guidance.",
59
73
  collaborationRule: "Use collaboration.status, activeTargets, and nextCommand as the shortest multi-agent environment coordination hint.",
74
+ maintenanceLoopRule: "Use maintenanceLoop as the short recurring AI workflow: refresh, decide, inspect, plan, intent, checkpoint, and handoff without blocking local operation.",
75
+ strictDecisionRule: "Use enforcement.strictDecision or preflight.enforcementProfile.strictDecision for the shortest local warn-only vs CI strict decision.",
60
76
  strictPlanRule: "Use enforcement.strictPlan or preflight.enforcementProfile.strictPlan to choose the narrowest explicit strict scope for CI."
61
77
  }
62
78
  };
@@ -34,6 +34,7 @@ export function enforcementAdvice(warnings = []) {
34
34
  suggestedStrictScopes,
35
35
  scopes: scopeResults,
36
36
  strictPlan: strictScopePlan(suggestedStrictScopes, scopeResults),
37
+ strictDecision: strictDecision(suggestedStrictScopes, scopeResults),
37
38
  recommendedCommand: suggestedStrictScopes.length
38
39
  ? `aienvmp doctor --strict ${suggestedStrictScopes[0]}`
39
40
  : "aienvmp doctor --strict all",
@@ -41,6 +42,29 @@ export function enforcementAdvice(warnings = []) {
41
42
  };
42
43
  }
43
44
 
45
+ export function strictDecision(suggestedStrictScopes = [], scopeResults = []) {
46
+ const recommendedScope = suggestedStrictScopes[0] || "all";
47
+ const failingScopes = suggestedStrictScopes.slice();
48
+ const passingScopes = scopeResults
49
+ .filter((item) => item.scope !== "all" && item.status === "pass")
50
+ .map((item) => item.scope);
51
+ return {
52
+ local: "warn-only",
53
+ localCommand: "aienvmp doctor --json",
54
+ shouldFailLocal: false,
55
+ ci: failingScopes.length ? "fail-on-recommended-scope" : "optional-health-check",
56
+ recommendedScope,
57
+ recommendedCommand: `aienvmp doctor --strict ${recommendedScope}`,
58
+ ciCommand: `aienvmp doctor --strict ${recommendedScope} --json`,
59
+ failingScopes,
60
+ passingScopes,
61
+ rule: failingScopes.length
62
+ ? "Keep local operation advisory; use the first failing scope only when CI or the user wants a gate."
63
+ : "Keep local operation advisory; use --strict all only for explicit CI health checks.",
64
+ whenToUseStrict: "CI, release checks, or explicit human-requested verification."
65
+ };
66
+ }
67
+
44
68
  export function strictScopePlan(suggestedStrictScopes = [], scopeResults = []) {
45
69
  const firstScope = suggestedStrictScopes[0] || "all";
46
70
  return {
package/src/preflight.js CHANGED
@@ -20,6 +20,16 @@ export function buildPreflight(manifest = {}, warnings = [], intents = [], timel
20
20
  const agentPointers = agentPointerSummary(manifest.agentFiles);
21
21
  const aiReadiness = aiReadinessSummary({ state, decision, coordination, agentActivity, agentPointers, sbomRisk, followUps });
22
22
  const collaboration = collaborationSummary({ state, decision, coordination, agentActivity, followUps, aiReadiness });
23
+ const maintenanceLoop = maintenanceLoopSummary({
24
+ state,
25
+ decision,
26
+ topAction,
27
+ followUps,
28
+ sbomRisk,
29
+ aiDependencyReview: manifest.lightSbom?.aiDependencyReview,
30
+ dependencyReadSet,
31
+ collaboration
32
+ });
23
33
  return {
24
34
  schemaVersion: 1,
25
35
  contract: preflightContract(),
@@ -38,6 +48,7 @@ export function buildPreflight(manifest = {}, warnings = [], intents = [], timel
38
48
  reason: "Avoid disrupting shared servers or developer machines while still making drift visible.",
39
49
  recommendedStrictCommand: enforcement.recommendedCommand,
40
50
  strictPlan: enforcement.strictPlan,
51
+ strictDecision: enforcement.strictDecision,
41
52
  strictCommands: [
42
53
  "aienvmp doctor --strict security",
43
54
  "aienvmp doctor --strict policy",
@@ -63,6 +74,7 @@ export function buildPreflight(manifest = {}, warnings = [], intents = [], timel
63
74
  coordination,
64
75
  agentActivity,
65
76
  collaboration,
77
+ maintenanceLoop,
66
78
  agentPointers,
67
79
  aiReadiness,
68
80
  sbomRisk,
@@ -90,7 +102,81 @@ export function buildPreflight(manifest = {}, warnings = [], intents = [], timel
90
102
  recordIntent: intentTargets[0]?.command || "aienvmp intent --actor agent:id --action planned-change"
91
103
  },
92
104
  topAction,
93
- nextCommand: topAction?.command || decision.nextCommand
105
+ nextCommand: maintenanceLoop.nextCommand || topAction?.command || decision.nextCommand
106
+ };
107
+ }
108
+
109
+ function maintenanceLoopSummary({ state, decision, topAction, followUps, sbomRisk, aiDependencyReview = {}, dependencyReadSet, collaboration }) {
110
+ const followUpCommand = firstFollowUpCommand(followUps);
111
+ const dependencyAware = dependencyReadSet.length > 0;
112
+ const securityReview = ["urgent", "high", "medium"].includes(sbomRisk?.level || "");
113
+ const scannerOff = sbomRisk?.scanner === "off" || aiDependencyReview.securityConfidence === "scanner-off";
114
+ const nextCommand = followUpCommand
115
+ || collaboration?.nextCommand
116
+ || topAction?.command
117
+ || decision?.nextCommand
118
+ || "aienvmp status --json";
119
+ const triggers = [
120
+ "start of an AI coding session",
121
+ "before runtime, dependency, package manager, Docker, or global tool changes",
122
+ "after accepted environment changes",
123
+ "before handing work to another AI or human"
124
+ ];
125
+ if (securityReview) triggers.push("before dependency or release decisions when SBOM risk is not clear");
126
+ return {
127
+ mode: "advisory",
128
+ localImpact: "read-only until an AI or human intentionally records intent, checkpoint, or handoff",
129
+ state,
130
+ nextCommand,
131
+ triggers,
132
+ readOrder: [
133
+ ".aienvmp/status.json",
134
+ ".aienvmp/summary.md",
135
+ "aienvmp context --json",
136
+ "AIENV.md"
137
+ ],
138
+ cycle: [
139
+ { step: "refresh", command: "aienvmp sync", when: "workspace env map may be stale" },
140
+ { step: "decide", command: "aienvmp status --json", when: "first AI read or quick gate" },
141
+ { step: "inspect", command: "aienvmp context --json", when: "status is review-required or details are needed" },
142
+ { step: "plan", command: "aienvmp plan --write", when: "warnings, SBOM risk, or multi-agent activity need a read-only plan" },
143
+ { step: "intent", command: dependencyAware ? "aienvmp intent --actor agent:id --action planned-change --target dependency" : "aienvmp intent --actor agent:id --action planned-change --target environment", when: "before environment-affecting changes" },
144
+ { step: "checkpoint", command: dependencyAware ? "aienvmp checkpoint --actor agent:id --summary dependency-change --target dependency" : "aienvmp checkpoint --actor agent:id --summary what-changed --target environment", when: "after accepted environment-affecting changes" },
145
+ { step: "handoff", command: "aienvmp handoff --record --actor agent:id", when: "before another AI continues environment work" }
146
+ ],
147
+ sbomCommand: securityReview || scannerOff ? "aienvmp sync --security" : "aienvmp sbom --json",
148
+ sbomReview: sbomReviewSummary({ sbomRisk, aiDependencyReview, securityReview, scannerOff }),
149
+ rule: "Keep local operation advisory and lightweight; use strict checks only when CI or the user explicitly asks."
150
+ };
151
+ }
152
+
153
+ function sbomReviewSummary({ sbomRisk = {}, aiDependencyReview = {}, securityReview = false, scannerOff = false }) {
154
+ const status = securityReview || aiDependencyReview.status === "review" ? "review" : "ready";
155
+ const before = aiDependencyReview.beforeDependencyChange?.length
156
+ ? aiDependencyReview.beforeDependencyChange
157
+ : [
158
+ scannerOff ? "aienvmp sync --security" : "aienvmp sbom --json",
159
+ "aienvmp intent --actor agent:id --action dependency-review --target dependency",
160
+ "aienvmp plan --write"
161
+ ];
162
+ const after = aiDependencyReview.afterDependencyChange?.length
163
+ ? aiDependencyReview.afterDependencyChange
164
+ : [
165
+ "run the narrowest relevant project validation",
166
+ "aienvmp checkpoint --actor agent:id --summary dependency-change --target dependency"
167
+ ];
168
+ return {
169
+ status,
170
+ riskLevel: sbomRisk.level || "unknown",
171
+ score: Number(sbomRisk.score || 0),
172
+ securityConfidence: aiDependencyReview.securityConfidence || (scannerOff ? "scanner-off" : "unknown"),
173
+ reviewTargets: aiDependencyReview.reviewTargets || sbomRisk.reviewTargets || [],
174
+ nextCommand: before[0] || "aienvmp sbom --json",
175
+ beforeDependencyChange: before,
176
+ afterDependencyChange: after,
177
+ rule: status === "review"
178
+ ? "Review SBOM risk, package manager policy, and dependency read set before dependency changes."
179
+ : "Keep SBOM review lightweight; run security scan before dependency or release decisions when scanner confidence is low."
94
180
  };
95
181
  }
96
182
 
package/src/render.js CHANGED
@@ -71,6 +71,7 @@ export function renderAIEnv(manifest, timeline = [], warnings = [], intents = []
71
71
  function preflightLines(preflight = {}) {
72
72
  const quickstart = preflight.quickstart;
73
73
  const targets = preflight.intentTargets || [];
74
+ const maintenanceLoop = preflight.maintenanceLoop || {};
74
75
  const lines = ["## 10-Second AI Flow", ""];
75
76
  if (quickstart) {
76
77
  lines.push(`- Read first: \`${quickstart.readFirst}\``);
@@ -82,6 +83,9 @@ function preflightLines(preflight = {}) {
82
83
  } else {
83
84
  lines.push("- Run `aienvmp status --write`, then `aienvmp context --json` before environment changes.");
84
85
  }
86
+ if (maintenanceLoop.nextCommand) {
87
+ lines.push(`- Maintenance loop: \`${maintenanceLoop.nextCommand}\` - ${maintenanceLoop.rule || "refresh, inspect, record intent, checkpoint, and hand off"}`);
88
+ }
85
89
  lines.push("", "## Recommended Intent Targets", "");
86
90
  if (targets.length) {
87
91
  for (const target of targets.slice(0, 5)) {
@@ -212,6 +216,9 @@ export function renderHandoff(handoff) {
212
216
  `- Inventory: ${handoff.inventory?.mode || "basic"}${handoff.inventory?.enabled ? " enabled" : " disabled"}`,
213
217
  `- Security: ${handoff.security?.mode || "basic"}${handoff.security?.enabled ? ` enabled (${handoff.security.summary?.total || 0} vulnerabilities)` : " disabled"}`,
214
218
  "",
219
+ "AI continuation:",
220
+ ...continuationHandoffLines(handoff.continuation),
221
+ "",
215
222
  "Open intents:",
216
223
  ...(handoff.openIntents.length ? handoff.openIntents.map((i) => `- ${i.actor}: ${i.action}${i.target ? ` (${i.target})` : ""}`) : ["- none"]),
217
224
  "",
@@ -242,6 +249,20 @@ export function renderHandoff(handoff) {
242
249
  return lines.join("\n");
243
250
  }
244
251
 
252
+ function continuationHandoffLines(continuation = {}) {
253
+ const strict = continuation.strict || {};
254
+ const sbomReview = continuation.sbomReview || {};
255
+ const maintenance = continuation.maintenance || {};
256
+ return [
257
+ `- Next: ${continuation.nextCommand || "aienvmp status --json"}`,
258
+ `- Read: ${(continuation.readOrder || []).join(", ") || ".aienvmp/status.json"}`,
259
+ `- Local check: ${strict.localCommand || "aienvmp doctor --json"} (${strict.local || "warn-only"})`,
260
+ `- CI strict: ${strict.ciCommand || "aienvmp doctor --strict all --json"}`,
261
+ `- SBOM review: ${sbomReview.status || "unknown"} / ${sbomReview.riskLevel || "unknown"} / ${sbomReview.nextCommand || maintenance.sbomCommand || "aienvmp sbom --json"}`,
262
+ `- Rule: ${maintenance.rule || strict.rule || "Keep local operation advisory and lightweight."}`
263
+ ];
264
+ }
265
+
245
266
  function coordinationHandoffLines(coordination = {}) {
246
267
  const conflicts = coordination.conflictTargets || [];
247
268
  if (conflicts.length) return [`- Conflicts: ${conflicts.join(", ")}`, `- Next: ${coordination.next || "review open intents"}`];
@@ -392,6 +413,10 @@ h1,h2,h3,p{margin:0}h1{font-size:clamp(28px,4vw,46px);line-height:1.02;margin-to
392
413
  .nextbar b{color:var(--green);font-size:12px;text-transform:uppercase;letter-spacing:.08em}
393
414
  .nextbar code{display:inline-block;max-width:100%;white-space:normal;overflow-wrap:anywhere}
394
415
  .nextbar span{color:var(--muted);font-size:12px;overflow-wrap:anywhere}
416
+ .brief{display:grid;grid-template-columns:1fr 1fr 1fr 1fr;gap:8px;margin:0 0 14px}
417
+ .brief-item{border:1px solid var(--line2);background:rgba(9,19,16,.9);border-radius:8px;padding:10px;min-width:0}
418
+ .brief-k{color:var(--muted);font-size:11px;font-weight:800;text-transform:uppercase;letter-spacing:.08em}
419
+ .brief-v{margin-top:5px;font-size:13px;font-weight:700;color:var(--text);overflow-wrap:anywhere}
395
420
  .audit{display:grid;grid-template-columns:1.2fr repeat(3,minmax(0,.8fr));gap:12px;margin:14px 0}
396
421
  .audit-item{border:1px solid var(--line);background:rgba(13,24,21,.92);border-radius:8px;padding:14px;min-width:0}
397
422
  .audit-item.primary{background:linear-gradient(135deg,rgba(19,61,42,.88),rgba(9,19,16,.95))}
@@ -417,8 +442,10 @@ code{color:var(--code);background:#0a2017;border:1px solid #17462f;padding:2px 6
417
442
  @media (max-width:860px){header,.layout{grid-template-columns:1fr}.metrics{grid-template-columns:repeat(2,1fr)}.grid{grid-template-columns:1fr}.agents{grid-template-columns:1fr}}
418
443
  @media (max-width:860px){.control{grid-template-columns:1fr}}
419
444
  @media (max-width:860px){.nextbar{grid-template-columns:1fr}}
445
+ @media (max-width:860px){.brief{grid-template-columns:1fr 1fr}}
420
446
  @media (max-width:860px){.audit{grid-template-columns:1fr 1fr}}
421
447
  @media (max-width:520px){.shell{padding:14px}.metrics{grid-template-columns:1fr}.event{grid-template-columns:1fr}h1{font-size:32px}}
448
+ @media (max-width:520px){.brief{grid-template-columns:1fr}}
422
449
  @media (max-width:520px){.audit{grid-template-columns:1fr}}
423
450
  </style>
424
451
  </head>
@@ -488,7 +515,8 @@ const enforcementProfile=manifest.preflight?.enforcementProfile||{};
488
515
  const strictCommands=enforcementProfile.strictCommands||[];
489
516
  const gate=enforcementProfile.gate||{};
490
517
  const strictPlan=enforcementProfile.strictPlan||{};
491
- const enforcementHtml=\`<table><tr><th>Default</th><td><code>\${esc(gate.defaultMode||enforcementProfile.defaultMode||'advisory')}</code> \${esc(gate.localDefault||'warn-only')}</td></tr><tr><th>Strict</th><td><code>\${esc(gate.strictMode||'off')}</code></td></tr><tr><th>Fail</th><td>\${esc(gate.failCondition||'never in default mode')}</td></tr><tr><th>Exit</th><td>\${esc(gate.exitCode||'0 unless the command itself errors')}</td></tr><tr><th>Recommended</th><td><code>\${esc(strictPlan.recommendedStrictCommand||enforcementProfile.recommendedStrictCommand||'aienvmp doctor --strict all')}</code></td></tr><tr><th>CI</th><td><code>\${esc(strictPlan.ciCommand||'aienvmp doctor --strict all --json')}</code></td></tr></table><div class="timeline">\${strictCommands.slice(0,4).map(cmd=>\`<div class="event"><time>CI</time><div><code>\${esc(cmd)}</code></div></div>\`).join('')}</div><div class="path">\${esc(strictPlan.rule||gate.rule||enforcementProfile.reason||'Warnings stay advisory unless strict mode is requested.')}</div>\`;
518
+ const strictDecision=enforcementProfile.strictDecision||{};
519
+ const enforcementHtml=\`<table><tr><th>Default</th><td><code>\${esc(gate.defaultMode||enforcementProfile.defaultMode||'advisory')}</code> \${esc(gate.localDefault||'warn-only')}</td></tr><tr><th>Local</th><td><code>\${esc(strictDecision.localCommand||'aienvmp doctor --json')}</code> \${esc(strictDecision.local||'warn-only')}</td></tr><tr><th>Strict</th><td><code>\${esc(gate.strictMode||'off')}</code></td></tr><tr><th>Fail</th><td>\${esc(gate.failCondition||'never in default mode')}</td></tr><tr><th>Exit</th><td>\${esc(gate.exitCode||'0 unless the command itself errors')}</td></tr><tr><th>Recommended</th><td><code>\${esc(strictDecision.recommendedCommand||strictPlan.recommendedStrictCommand||enforcementProfile.recommendedStrictCommand||'aienvmp doctor --strict all')}</code></td></tr><tr><th>CI</th><td><code>\${esc(strictDecision.ciCommand||strictPlan.ciCommand||'aienvmp doctor --strict all --json')}</code></td></tr></table><div class="timeline">\${strictCommands.slice(0,4).map(cmd=>\`<div class="event"><time>CI</time><div><code>\${esc(cmd)}</code></div></div>\`).join('')}</div><div class="path">\${esc(strictDecision.rule||strictPlan.rule||gate.rule||enforcementProfile.reason||'Warnings stay advisory unless strict mode is requested.')}</div>\`;
492
520
  const contract=manifest.preflight?.contract||{};
493
521
  const contractHtml=contract.name?\`<table><tr><th>Name</th><td><code>\${esc(contract.name)}</code></td></tr><tr><th>Version</th><td><code>\${esc(contract.version||1)}</code></td></tr><tr><th>Stability</th><td><code>\${esc(contract.stability||'additive')}</code></td></tr><tr><th>AI fields</th><td>\${esc((contract.aiEntryFields||[]).join(', ')||'none')}</td></tr></table><div class="path">\${esc(contract.rule||'Ignore unknown fields.')}</div>\`:'<div class="okline">Run <code>aienvmp status --write</code> to include AI contract metadata.</div>';
494
522
  const intentTargets=manifest.preflight?.intentTargets||[];
@@ -530,6 +558,10 @@ const coordination=manifest.preflight?.coordination||{};
530
558
  const conflictTargets=coordination.conflictTargets||[];
531
559
  const handoffFiles=nextAgent.dependencyFiles?.length?nextAgent.dependencyFiles:(dependencyReadSet[0]?[dependencyReadSet[0].manifest,...(dependencyReadSet[0].lockfiles||[])].filter(Boolean):[]);
532
560
  const handoffNext=nextAgent.rule||(reviewRequired?'Review warnings and open intents':'Continue project-local work');
561
+ const firstRead=nextAgent.readFirst||'.aienvmp/status.json';
562
+ const reviewTargets=[...new Set([...(conflictTargets||[]),...(collaboration.activeTargets||[]),...(riskSummary.reviewTargets||[])].filter(Boolean))];
563
+ const safeMode=enforcementProfile.gate?.localDefault||enforcementProfile.localOperation||'warn-only';
564
+ const briefItem=(key,value)=>\`<div class="brief-item"><div class="brief-k">\${key}</div><div class="brief-v">\${esc(value)}</div></div>\`;
533
565
  const handoffHtml=\`<table><tr><th>Status</th><td>\${reviewRequired?'review-required':'clear'}</td></tr><tr><th>Trust</th><td><code>\${esc(trustState)}</code></td></tr><tr><th>Read first</th><td><code>\${esc(nextAgent.readFirst||'.aienvmp/status.json')}</code></td></tr><tr><th>Dependency files</th><td>\${handoffFiles.length?'<code>'+esc(handoffFiles.join(', '))+'</code>':'none'}</td></tr><tr><th>Conflicts</th><td>\${conflictTargets.length?'<code>'+esc(conflictTargets.join(', '))+'</code>':'none'}</td></tr><tr><th>Next</th><td>\${esc(handoffNext)}</td></tr></table>\`;
534
566
  document.getElementById('app').innerHTML=\`
535
567
  <header>
@@ -550,6 +582,12 @@ document.getElementById('app').innerHTML=\`
550
582
  <code>\${esc(nextCommand)}</code>
551
583
  <span>\${esc(nextReason)}</span>
552
584
  </section>
585
+ <section class="brief" aria-label="First read">
586
+ \${briefItem('Status',reviewRequired?'review required':'clear')}
587
+ \${briefItem('Read first',firstRead)}
588
+ \${briefItem('Review targets',reviewTargets.length?reviewTargets.slice(0,4).join(', '):'none')}
589
+ \${briefItem('Local mode',safeMode)}
590
+ </section>
553
591
  <section class="audit" aria-label="Audit summary">
554
592
  \${auditItem('AI decision',reviewRequired?'review required':'can proceed',nextAction,reviewRequired?'review':'primary')}
555
593
  \${auditItem('AI readiness',aiReadiness.level||'unknown',aiReadinessHint,aiReadiness.level==='ready'?'primary':'review')}