apcore-js 0.1.0

package/planning/acl-system/tasks/pattern-matching.md

@@ -0,0 +1,152 @@
+# Task: matchPattern() Wildcard Matching (Algorithm A08)
+
+## Goal
+
+Implement the `matchPattern()` utility function that performs wildcard glob-style pattern matching against module IDs. The algorithm (designated A08) splits patterns on `*` delimiters and verifies each literal segment appears in order within the target string, supporting prefix, suffix, infix, and multi-wildcard patterns.
+
+## Files Involved
+
+- `src/utils/pattern.ts` -- Standalone utility function (~30 lines)
+
+## Steps (TDD)
+
+### 1. Write failing tests for all pattern matching cases
+
+```typescript
+// tests/utils/pattern.test.ts
+import { describe, it, expect } from 'vitest';
+import { matchPattern } from '../../src/utils/pattern.js';
+
+describe('matchPattern (Algorithm A08)', () => {
+  describe('exact matching', () => {
+    it('should match identical strings', () => {
+      expect(matchPattern('moduleA', 'moduleA')).toBe(true);
+    });
+
+    it('should reject non-matching strings', () => {
+      expect(matchPattern('moduleA', 'moduleB')).toBe(false);
+    });
+  });
+
+  describe('bare wildcard', () => {
+    it('should match any string with bare *', () => {
+      expect(matchPattern('*', 'anything')).toBe(true);
+    });
+
+    it('should match empty string with bare *', () => {
+      expect(matchPattern('*', '')).toBe(true);
+    });
+  });
+
+  describe('prefix wildcard', () => {
+    it('should match suffix with *suffix pattern', () => {
+      expect(matchPattern('*.handler', 'auth.handler')).toBe(true);
+    });
+
+    it('should reject non-matching suffix', () => {
+      expect(matchPattern('*.handler', 'auth.controller')).toBe(false);
+    });
+  });
+
+  describe('suffix wildcard', () => {
+    it('should match prefix with prefix* pattern', () => {
+      expect(matchPattern('auth.*', 'auth.login')).toBe(true);
+    });
+
+    it('should reject non-matching prefix', () => {
+      expect(matchPattern('auth.*', 'user.login')).toBe(false);
+    });
+  });
+
+  describe('infix wildcard', () => {
+    it('should match with pattern containing middle wildcard', () => {
+      expect(matchPattern('auth.*.handler', 'auth.login.handler')).toBe(true);
+    });
+
+    it('should reject when middle segment is absent', () => {
+      expect(matchPattern('auth.*.handler', 'user.login.handler')).toBe(false);
+    });
+  });
+
+  describe('multi-wildcard', () => {
+    it('should match with multiple wildcards', () => {
+      expect(matchPattern('a*b*c', 'aXXbYYc')).toBe(true);
+    });
+
+    it('should handle adjacent wildcards', () => {
+      expect(matchPattern('a**b', 'aXb')).toBe(true);
+    });
+  });
+
+  describe('edge cases', () => {
+    it('should handle pattern longer than moduleId', () => {
+      expect(matchPattern('very.long.pattern', 'short')).toBe(false);
+    });
+
+    it('should handle empty pattern with non-empty moduleId', () => {
+      expect(matchPattern('', '')).toBe(true);
+      expect(matchPattern('', 'notempty')).toBe(false);
+    });
+  });
+});
+```
+
+### 2. Implement matchPattern with segment-based algorithm
+
+```typescript
+// src/utils/pattern.ts
+export function matchPattern(pattern: string, moduleId: string): boolean {
+  if (pattern === '*') return true;
+  if (!pattern.includes('*')) return pattern === moduleId;
+
+  const segments = pattern.split('*');
+  let pos = 0;
+
+  // Check prefix (first segment before first *)
+  if (!pattern.startsWith('*')) {
+    if (!moduleId.startsWith(segments[0])) return false;
+    pos = segments[0].length;
+  }
+
+  // Check each intermediate segment appears in order
+  for (let i = 1; i < segments.length; i++) {
+    const segment = segments[i];
+    if (!segment) continue; // empty segment from adjacent ** or trailing *
+    const idx = moduleId.indexOf(segment, pos);
+    if (idx === -1) return false;
+    pos = idx + segment.length;
+  }
+
+  // Check suffix (last segment after last *)
+  if (!pattern.endsWith('*')) {
+    if (!moduleId.endsWith(segments[segments.length - 1])) return false;
+  }
+
+  return true;
+}
+```
+
+### 3. Run tests and verify
+
+Run `vitest` to confirm all pattern matching tests pass. Run `tsc --noEmit` to verify type safety.
+
+## Acceptance Criteria
+
+- [x] `matchPattern()` is exported from `src/utils/pattern.ts`
+- [x] Bare `*` matches any string (including empty)
+- [x] No `*` in pattern means exact string match
+- [x] Prefix wildcard (`*.suffix`) matches strings ending with the suffix
+- [x] Suffix wildcard (`prefix.*`) matches strings starting with the prefix
+- [x] Infix wildcard (`prefix.*.suffix`) matches strings with the prefix and suffix surrounding any middle content
+- [x] Multiple wildcards (`a*b*c`) verified by sequential segment search
+- [x] Adjacent wildcards (`a**b`) handled correctly (empty segments are skipped)
+- [x] Algorithm runs in O(n * m) worst case where n = moduleId length, m = number of segments
+- [x] All tests pass with `vitest`; zero errors from `tsc --noEmit`
+
+## Dependencies
+
+- None (standalone utility with no imports)
+
+## Estimated Time
+
+2 hours

package/planning/acl-system/tasks/yaml-loading.md

@@ -0,0 +1,271 @@
+# Task: ACL.load() from YAML and reload() Support
+
+## Goal
+
+Implement the static `ACL.load()` factory method that parses YAML configuration files into a validated `ACL` instance, and the `reload()` instance method that re-reads the original YAML file to hot-swap rules without reconstructing the ACL object.
+
+## Files Involved
+
+- `src/acl.ts` -- `ACL.load()` static method and `reload()` instance method
+- `src/errors.ts` -- `ACLRuleError` (invalid YAML/structure), `ConfigNotFoundError` (missing file)
+
+## Steps (TDD)
+
+### 1. Write failing tests for ACL.load() valid YAML
+
+```typescript
+// tests/acl.test.ts
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { writeFileSync, unlinkSync, mkdirSync } from 'node:fs';
+import { ACL } from '../src/acl.js';
+import { ACLRuleError, ConfigNotFoundError } from '../src/errors.js';
+
+describe('ACL.load()', () => {
+  const tmpDir = '/tmp/acl-test';
+  const yamlPath = `${tmpDir}/acl.yaml`;
+
+  beforeEach(() => {
+    mkdirSync(tmpDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    try { unlinkSync(yamlPath); } catch {}
+  });
+
+  it('should load valid YAML with rules and default_effect', () => {
+    writeFileSync(yamlPath, `
+default_effect: allow
+rules:
+  - callers: ["moduleA"]
+    targets: ["moduleB"]
+    effect: allow
+    description: "Allow A to B"
+`);
+    const acl = ACL.load(yamlPath);
+    expect(acl.check('moduleA', 'moduleB')).toBe(true);
+    expect(acl.check('moduleX', 'moduleY')).toBe(true); // default allow
+  });
+
+  it('should default to deny when default_effect is not specified', () => {
+    writeFileSync(yamlPath, `
+rules:
+  - callers: ["moduleA"]
+    targets: ["moduleB"]
+    effect: allow
+    description: "test"
+`);
+    const acl = ACL.load(yamlPath);
+    expect(acl.check('moduleX', 'moduleY')).toBe(false);
+  });
+
+  it('should load rules with conditions', () => {
+    writeFileSync(yamlPath, `
+rules:
+  - callers: ["*"]
+    targets: ["admin.*"]
+    effect: allow
+    description: "Admin access with role check"
+    conditions:
+      roles: ["admin"]
+`);
+    const acl = ACL.load(yamlPath);
+    // Without context, conditions fail
+    expect(acl.check('moduleA', 'admin.panel')).toBe(false);
+  });
+});
+```
+
+### 2. Write failing tests for ACL.load() error cases
+
+```typescript
+describe('ACL.load() error handling', () => {
+  it('should throw ConfigNotFoundError for missing file', () => {
+    expect(() => ACL.load('/nonexistent/acl.yaml')).toThrow(ConfigNotFoundError);
+  });
+
+  it('should throw ACLRuleError for invalid YAML', () => {
+    writeFileSync(yamlPath, '{ invalid yaml :::');
+    expect(() => ACL.load(yamlPath)).toThrow(ACLRuleError);
+  });
+
+  it('should throw ACLRuleError when rules key is missing', () => {
+    writeFileSync(yamlPath, 'default_effect: allow\n');
+    expect(() => ACL.load(yamlPath)).toThrow(ACLRuleError);
+  });
+
+  it('should throw ACLRuleError for invalid effect value', () => {
+    writeFileSync(yamlPath, `
+rules:
+  - callers: ["*"]
+    targets: ["*"]
+    effect: maybe
+    description: "bad effect"
+`);
+    expect(() => ACL.load(yamlPath)).toThrow(ACLRuleError);
+  });
+
+  it('should throw ACLRuleError when rule is not a mapping', () => {
+    writeFileSync(yamlPath, `
+rules:
+  - "not a mapping"
+`);
+    expect(() => ACL.load(yamlPath)).toThrow(ACLRuleError);
+  });
+
+  it('should throw ACLRuleError when rule is missing required keys', () => {
+    writeFileSync(yamlPath, `
+rules:
+  - callers: ["*"]
+    description: "missing targets and effect"
+`);
+    expect(() => ACL.load(yamlPath)).toThrow(ACLRuleError);
+  });
+});
+```
+
+### 3. Implement ACL.load() static method
+
+```typescript
+static load(yamlPath: string): ACL {
+  if (!existsSync(yamlPath)) {
+    throw new ConfigNotFoundError(yamlPath);
+  }
+
+  let data: unknown;
+  try {
+    const content = readFileSync(yamlPath, 'utf-8');
+    data = yaml.load(content);
+  } catch (e) {
+    if (e instanceof ConfigNotFoundError) throw e;
+    throw new ACLRuleError(`Invalid YAML in ${yamlPath}: ${e}`);
+  }
+
+  // Validate top-level structure
+  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
+    throw new ACLRuleError(`ACL config must be a mapping, got ${typeof data}`);
+  }
+
+  const dataObj = data as Record<string, unknown>;
+  if (!('rules' in dataObj)) {
+    throw new ACLRuleError("ACL config missing required 'rules' key");
+  }
+
+  const rawRules = dataObj['rules'];
+  if (!Array.isArray(rawRules)) {
+    throw new ACLRuleError(`'rules' must be a list, got ${typeof rawRules}`);
+  }
+
+  const defaultEffect = (dataObj['default_effect'] as string) ?? 'deny';
+  const rules: ACLRule[] = [];
+
+  for (let i = 0; i < rawRules.length; i++) {
+    const rawRule = rawRules[i];
+    // Validate each rule is a mapping with required keys
+    if (typeof rawRule !== 'object' || rawRule === null || Array.isArray(rawRule)) {
+      throw new ACLRuleError(`Rule ${i} must be a mapping, got ${typeof rawRule}`);
+    }
+
+    const ruleObj = rawRule as Record<string, unknown>;
+    for (const key of ['callers', 'targets', 'effect']) {
+      if (!(key in ruleObj)) {
+        throw new ACLRuleError(`Rule ${i} missing required key '${key}'`);
+      }
+    }
+
+    const effect = ruleObj['effect'] as string;
+    if (effect !== 'allow' && effect !== 'deny') {
+      throw new ACLRuleError(`Rule ${i} has invalid effect '${effect}', must be 'allow' or 'deny'`);
+    }
+
+    rules.push({
+      callers: ruleObj['callers'] as string[],
+      targets: ruleObj['targets'] as string[],
+      effect,
+      description: (ruleObj['description'] as string) ?? '',
+      conditions: (ruleObj['conditions'] as Record<string, unknown>) ?? null,
+    });
+  }
+
+  const acl = new ACL(rules, defaultEffect);
+  acl._yamlPath = yamlPath;
+  return acl;
+}
+```
+
+### 4. Write failing tests for reload()
+
+```typescript
+describe('ACL.reload()', () => {
+  it('should reload rules from the original YAML path', () => {
+    writeFileSync(yamlPath, `
+rules:
+  - callers: ["moduleA"]
+    targets: ["moduleB"]
+    effect: deny
+    description: "initial deny"
+`);
+    const acl = ACL.load(yamlPath);
+    expect(acl.check('moduleA', 'moduleB')).toBe(false);
+
+    // Update YAML
+    writeFileSync(yamlPath, `
+rules:
+  - callers: ["moduleA"]
+    targets: ["moduleB"]
+    effect: allow
+    description: "updated allow"
+`);
+    acl.reload();
+    expect(acl.check('moduleA', 'moduleB')).toBe(true);
+  });
+
+  it('should throw ACLRuleError when not loaded from YAML', () => {
+    const acl = new ACL([]);
+    expect(() => acl.reload()).toThrow(ACLRuleError);
+    expect(() => acl.reload()).toThrow('Cannot reload: ACL was not loaded from a YAML file');
+  });
+});
+```
+
+### 5. Implement reload() method
+
+```typescript
+reload(): void {
+  if (this._yamlPath === null) {
+    throw new ACLRuleError('Cannot reload: ACL was not loaded from a YAML file');
+  }
+  const reloaded = ACL.load(this._yamlPath);
+  this._rules = reloaded._rules;
+  this._defaultEffect = reloaded._defaultEffect;
+}
+```
+
+### 6. Run full test suite and type-check
+
+Run `tsc --noEmit` and `vitest` to confirm everything passes.
+
+## Acceptance Criteria
+
+- [x] `ACL.load()` reads YAML via `readFileSync` and parses with `js-yaml`
+- [x] Throws `ConfigNotFoundError` when the YAML file does not exist
+- [x] Throws `ACLRuleError` for invalid YAML syntax
+- [x] Throws `ACLRuleError` when top-level structure is not a mapping
+- [x] Throws `ACLRuleError` when `rules` key is missing
+- [x] Throws `ACLRuleError` when `rules` is not an array
+- [x] Validates each rule has `callers`, `targets`, and `effect` keys
+- [x] Validates `effect` is either `'allow'` or `'deny'`
+- [x] Validates `callers` and `targets` are arrays
+- [x] Defaults `description` to empty string and `conditions` to `null`
+- [x] Defaults `default_effect` to `'deny'` when not specified in YAML
+- [x] Stores `_yamlPath` on the ACL instance for `reload()` support
+- [x] `reload()` re-reads the YAML and replaces `_rules` and `_defaultEffect` in-place
+- [x] `reload()` throws `ACLRuleError` when the ACL was not loaded from YAML
+- [x] All tests pass with `vitest`; zero errors from `tsc --noEmit`
+
+## Dependencies
+
+- **acl-core** -- ACL class constructor and rule storage
+
+## Estimated Time
+
+2 hours

package/planning/core-executor/overview.md

@@ -0,0 +1,53 @@
+# Feature: Core Executor
+
+## Overview
+
+The Core Execution Engine is the central orchestration component of apcore. It processes module calls through a structured 10-step pipeline: context creation, safety checks (call depth, circular detection, frequency throttling), module lookup from the registry, ACL enforcement, input validation with sensitive field redaction, middleware before chain, module execution with timeout enforcement, output validation, middleware after chain, and result return. The TypeScript implementation uses a single async `call()` method with `Promise.race` for timeout enforcement.
+
+## Scope
+
+### Included
+
+- `Context` class and `Identity` interface for call metadata propagation and caller identity
+- `Config` accessor with dot-path key support for executor settings
+- `Executor` class implementing the full 10-step async pipeline
+- Safety checks: call depth limits, circular call detection (cycles of length >= 2), frequency throttling
+- Timeout enforcement via `Promise.race` with `setTimeout`
+- `redactSensitive` utility for masking `x-sensitive` fields and `_secret_`-prefixed keys
+- Structured error hierarchy (`ModuleError` base with specialized subclasses for every failure mode)
+- Standalone `validate()` method for pre-flight schema checks without execution
+- Middleware management via `MiddlewareManager` with before/after/onError chains
+
+### Excluded
+
+- Registry implementation (consumed as a dependency)
+- Schema system internals (consumed via TypeBox validation)
+- ACL rule definition and management (consumed via `ACL.check()` interface)
+- Middleware implementation details (managed by `MiddlewareManager`)
+
+## Technology Stack
+
+- **TypeScript 5.5+** with strict mode
+- **@sinclair/typebox >= 0.34.0** for input/output schema validation
+- **Node.js >= 18.0.0** with ES Module support
+- **vitest** for unit and integration testing
+
+## Task Execution Order
+
+| # | Task File | Description | Status |
+|---|-----------|-------------|--------|
+| 1 | [setup](./tasks/setup.md) | Context, Identity, and Config classes | completed |
+| 2 | [safety-checks](./tasks/safety-checks.md) | Call depth limits, circular detection, frequency throttling | completed |
+| 3 | [execution-pipeline](./tasks/execution-pipeline.md) | 10-step async execution pipeline with middleware and timeout | completed |
+| 4 | [async-support](./tasks/async-support.md) | Unified async execution (single async call()) | completed |
+| 5 | [redaction](./tasks/redaction.md) | Sensitive field redaction utility (`redactSensitive`) | completed |
+
+## Progress
+
+| Total | Completed | In Progress | Pending |
+|-------|-----------|-------------|---------|
+| 5     | 5         | 0           | 0       |
+
+## Reference Documents
+
+- [Core Executor Feature Specification](../../features/core-executor.md)

package/planning/core-executor/plan.md

@@ -0,0 +1,88 @@
+# Implementation Plan: Core Executor
+
+## Goal
+
+Implement the central 10-step execution pipeline that orchestrates all module calls in apcore, supporting context propagation, safety constraints, access control, schema validation with sensitive field redaction, middleware chains, and timeout-enforced module execution through a unified async code path.
+
+## Architecture Design
+
+### Component Structure
+
+- **Executor** (`executor.ts`, ~300 lines) -- Main engine class implementing the 10-step pipeline. Accepts options object with `registry`, optional `middlewares` array, optional `acl`, and optional `config` at construction. Manages middleware registration via `MiddlewareManager`, configurable timeouts (default 30s, global 60s), max call depth (32), and max module repeat (3). Exposes `call()` (async) and `validate()` (pre-flight) entry points.
+
+- **Context** (`context.ts`, ~60 lines) -- Class carrying per-call metadata: `traceId` (UUID v4 via `crypto.randomUUID()`), `callerId`, `callChain` (array of module IDs visited), `executor` reference, `identity`, `redactedInputs`, and a shared `data` record. Factory methods `create()` for root contexts and `child()` for nested calls. The `data` record is intentionally shared (not copied) between parent and child contexts to support middleware span/timing stacks.
+
+- **Identity** (`context.ts`) -- Frozen interface representing the caller: `id`, `type` (default "user"), `roles` array, and `attrs` record. Created via `createIdentity()` factory with `Object.freeze()`.
+
+- **Config** (`config.ts`, ~20 lines) -- Configuration accessor with dot-path key support (e.g., `executor.default_timeout`). Wraps a nested record and navigates through path segments.
+
+- **Error Hierarchy** (`errors.ts`, ~280 lines) -- `ModuleError` base class with `timestamp`, `code`, `message`, `details` record, and `cause`. Specialized subclasses: `CallDepthExceededError`, `CircularCallError`, `CallFrequencyExceededError`, `ModuleNotFoundError`, `ACLDeniedError`, `SchemaValidationError`, `ModuleTimeoutError`, `InvalidInputError`.
+
+### Data Flow
+
+The 10-step pipeline processes every module call in this order:
+
+1. **Context Creation** -- Build or derive `Context` via `create()` / `child()`
+2. **Safety Checks** -- Call depth limit, circular detection (cycles >= 2), frequency throttling
+3. **Module Lookup** -- `Registry.get()` with `ModuleNotFoundError` on miss
+4. **ACL Enforcement** -- `ACL.check()` with `ACLDeniedError` on denial
+5. **Input Validation** -- TypeBox `Value.Check()` + `redactSensitive()` for context logging
+6. **Middleware Before** -- `MiddlewareManager.executeBefore()` with `MiddlewareChainError` handling
+7. **Module Execution** -- Timeout via `Promise.race` with `setTimeout`
+8. **Output Validation** -- TypeBox `Value.Check()` on return value
+9. **Middleware After** -- `MiddlewareManager.executeAfter()` in reverse order
+10. **Result Return** -- Return output record or propagate error with `onError` recovery
+
+### Technical Choices and Rationale
+
+- **`Promise.race` for timeout**: Simple and idiomatic for Node.js async timeout enforcement. The timeout promise rejects with `ModuleTimeoutError` if the execution exceeds the limit.
+- **Unified async `call()`**: TypeScript's async-first model eliminates the need for separate sync/async code paths. All module executions go through `Promise.resolve()` which handles both sync and async return values transparently.
+- **Shared `data` record in child contexts**: Enables middleware like tracing and metrics to maintain span stacks across nested module-to-module calls without additional plumbing.
+- **`JSON.parse(JSON.stringify())` in `redactSensitive`**: Simple deep clone for JSON-compatible input data. Suitable since module inputs are expected to be JSON-serializable.
+
+## Task Breakdown
+
+```mermaid
+graph TD
+    T1[setup] --> T2[safety-checks]
+    T1 --> T3[execution-pipeline]
+    T2 --> T3
+    T3 --> T4[async-support]
+    T1 --> T5[redaction]
+    T5 --> T3
+```
+
+| Task ID | Title | Estimated Time | Dependencies |
+|---------|-------|---------------|--------------|
+| setup | Context, Identity, and Config classes | 2h | none |
+| safety-checks | Call depth, circular detection, frequency throttling | 3h | setup |
+| execution-pipeline | 10-step async pipeline with middleware and timeout | 6h | setup, safety-checks, redaction |
+| async-support | Unified async execution and Promise-based bridge | 4h | execution-pipeline |
+| redaction | Sensitive field redaction utility | 2h | setup |
+
+## Risks and Considerations
+
+- **`setTimeout` timer leak**: The timeout timer is not cleaned up if execution completes before timeout. Harmless since the timer fires into a resolved promise, but wasteful.
+- **Middleware error recovery**: If a middleware `before()` fails, previously executed middlewares must have their `onError()` called. The `MiddlewareChainError` wrapping captures which middlewares have been executed.
+- **Circular detection strictness**: Only cycles of length >= 2 are detected (A calling B calling A), not self-recursion (A calling A), which is covered by frequency throttling.
+
+## Acceptance Criteria
+
+- [ ] All 10 pipeline steps are implemented and tested in isolation and end-to-end
+- [ ] Timeout enforcement works via `Promise.race` with `setTimeout`
+- [ ] Timeout of 0 disables enforcement with a logged warning
+- [ ] Negative timeout raises `InvalidInputError`
+- [ ] Safety checks correctly detect call depth violations, circular calls, and frequency throttling
+- [ ] `redactSensitive` handles nested objects, arrays with `x-sensitive` items, and `_secret_`-prefixed keys
+- [ ] Error recovery via `onError` returns recovery record or re-raises original exception
+- [ ] `validate()` provides standalone pre-flight schema checks without execution
+- [ ] All error types carry structured details with timestamps
+- [ ] All tests pass with `vitest`; zero errors from `tsc --noEmit`
+
+## References
+
+- `src/executor.ts` -- Core execution engine
+- `src/context.ts` -- Context and Identity classes
+- `src/config.ts` -- Configuration accessor
+- `src/errors.ts` -- Error hierarchy
+- [Core Executor Feature Specification](../../features/core-executor.md)

package/planning/core-executor/state.json

@@ -0,0 +1,76 @@
+{
+  "feature": "core-executor",
+  "created": "2026-02-16T00:00:00Z",
+  "updated": "2026-02-16T00:00:00Z",
+  "status": "completed",
+  "execution_order": [
+    "setup",
+    "safety-checks",
+    "execution-pipeline",
+    "async-support",
+    "redaction"
+  ],
+  "progress": {
+    "total_tasks": 5,
+    "completed": 5,
+    "in_progress": 0,
+    "pending": 0
+  },
+  "tasks": [
+    {
+      "id": "setup",
+      "file": "tasks/setup.md",
+      "title": "Context, Identity, and Config Classes",
+      "status": "completed",
+      "started_at": "2026-02-16T08:00:00Z",
+      "completed_at": "2026-02-16T09:30:00Z",
+      "assignee": null,
+      "commits": []
+    },
+    {
+      "id": "safety-checks",
+      "file": "tasks/safety-checks.md",
+      "title": "Call Depth Limits, Circular Detection, Frequency Throttling",
+      "status": "completed",
+      "started_at": "2026-02-16T09:30:00Z",
+      "completed_at": "2026-02-16T11:00:00Z",
+      "assignee": null,
+      "commits": []
+    },
+    {
+      "id": "execution-pipeline",
+      "file": "tasks/execution-pipeline.md",
+      "title": "10-Step Async Execution Pipeline",
+      "status": "completed",
+      "started_at": "2026-02-16T11:00:00Z",
+      "completed_at": "2026-02-16T15:00:00Z",
+      "assignee": null,
+      "commits": []
+    },
+    {
+      "id": "async-support",
+      "file": "tasks/async-support.md",
+      "title": "Unified Async Execution Path",
+      "status": "completed",
+      "started_at": "2026-02-16T15:00:00Z",
+      "completed_at": "2026-02-16T18:00:00Z",
+      "assignee": null,
+      "commits": []
+    },
+    {
+      "id": "redaction",
+      "file": "tasks/redaction.md",
+      "title": "Sensitive Field Redaction Utility",
+      "status": "completed",
+      "started_at": "2026-02-16T18:00:00Z",
+      "completed_at": "2026-02-16T19:00:00Z",
+      "assignee": null,
+      "commits": []
+    }
+  ],
+  "metadata": {
+    "source_doc": "planning/features/core-executor.md",
+    "created_by": "code-forge",
+    "version": "1.0"
+  }
+}