avorelo 0.1.0

package/scripts/lib/readiness-evidence-closure.js

@@ -0,0 +1,196 @@
+"use strict";
+
+// ── Readiness Evidence Closure ────────────────────────────────────────────────
+// Contract: avorelo.readinessEvidenceClosure.v1
+// Attempts safe, local, non-destructive actions to collect missing evidence.
+// Does NOT apply hooks, modify MCP config, run destructive commands, or fake data.
+
+const fs = require("fs");
+const path = require("path");
+const { nowIso } = require("./fsx");
+const { appendProductLearningEvent } = require("./product-learning-events");
+
+const CONTRACT = "avorelo.readinessEvidenceClosure.v1";
+const SCHEMA_VERSION = 1;
+const CLOSURE_DIR_REL = ".claude/cco/orchestration/full-readiness";
+const ARTIFACT_REL = CLOSURE_DIR_REL + "/latest-evidence-closure.json";
+
+function safeReadJson(absPath) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    return JSON.parse(fs.readFileSync(absPath, "utf8").replace(/^/, ""));
+  } catch { return null; }
+}
+
+var EVIDENCE_CHECKS = [
+  { id: "install_ai_receipt", description: "AI install prompt receipt", artifactPath: ".claude/cco/orchestration/ai-install/latest-prompt.json", recoverCommand: "node bin/avorelo install-ai --json", safeToAutoRun: false, required: true },
+  { id: "prelaunch_readiness_receipt", description: "Prelaunch activation readiness receipt", artifactPath: ".claude/cco/orchestration/prelaunch-readiness/latest-activation-readiness.json", recoverCommand: "node bin/avorelo prelaunch-readiness --json", safeToAutoRun: false, required: true },
+  { id: "launch_hardening_receipt", description: "Launch hardening gate receipt", artifactPath: ".claude/cco/orchestration/launch-hardening/latest-gate.json", recoverCommand: "node bin/avorelo launch-hardening --json", safeToAutoRun: false, required: true },
+  { id: "token_efficiency_receipt", description: "Token efficiency evidence receipt", artifactPath: ".claude/cco/orchestration/token-efficiency/latest-evidence.json", recoverCommand: "node bin/avorelo token-efficiency --json", safeToAutoRun: false, required: false },
+  { id: "mcp_doctor_receipt", description: "MCP governance receipt", artifactPath: ".claude/cco/orchestration/mcp-tool-governance/latest-policy.json", recoverCommand: "node bin/avorelo mcp doctor --json", safeToAutoRun: false, required: true },
+  { id: "support_bundle_receipt", description: "Support bundle (redacted)", artifactPath: ".claude/cco/support/latest-support-bundle.json", recoverCommand: "node bin/avorelo support-bundle --json", safeToAutoRun: false, required: true },
+  { id: "proof_outcome_receipt", description: "Proof / value summary readiness evidence", artifactPath: ".claude/cco/orchestration/seamless-outcome/latest-proof-outcome-evidence.json", recoverCommand: "node bin/avorelo proof  (after completing a real task)", safeToAutoRun: false, required: true },
+  { id: "prelaunch_intelligence_receipt", description: "Prelaunch intelligence", artifactPath: ".claude/cco/orchestration/prelaunch-intelligence/latest-intelligence.json", recoverCommand: "node bin/avorelo prelaunch-intelligence --json", safeToAutoRun: false, required: true },
+  { id: "feedback_intelligence_receipt", description: "Feedback intelligence", artifactPath: ".claude/cco/orchestration/prelaunch-intelligence/latest-feedback-intelligence.json", recoverCommand: "node bin/avorelo feedback intake-pack --json", safeToAutoRun: false, required: true },
+  { id: "design_partner_feedback_receipt", description: "Design partner feedback summary", artifactPath: ".claude/cco/feedback/design-partner/latest-summary.json", recoverCommand: "node bin/avorelo feedback summary --json", safeToAutoRun: false, required: false },
+  { id: "readiness_delta_receipt", description: "Readiness delta (score movement)", artifactPath: ".claude/cco/orchestration/readiness-delta/latest-readiness-delta.json", recoverCommand: "node bin/avorelo readiness-delta --json", safeToAutoRun: false, required: false },
+  { id: "token_cost_intelligence_receipt", description: "Token/cost intelligence", artifactPath: ".claude/cco/orchestration/prelaunch-intelligence/latest-token-cost-intelligence.json", recoverCommand: "node bin/avorelo token-cost --json", safeToAutoRun: false, required: true },
+  { id: "token_cost_capture_receipt", description: "Real usage token/cost capture", artifactPath: ".claude/cco/evidence/token-cost/latest-capture.json", recoverCommand: "node bin/avorelo token-cost capture --json", safeToAutoRun: false, required: false },
+  { id: "token_cost_summary_receipt", description: "Token/cost evidence summary", artifactPath: ".claude/cco/evidence/token-cost/summary.json", recoverCommand: "node bin/avorelo token-cost summary --json", safeToAutoRun: false, required: true },
+  { id: "company_loop_receipt", description: "Company loop recommendation", artifactPath: ".claude/cco/orchestration/company-loop/latest-report.json", recoverCommand: "node bin/avorelo company-loop --json", safeToAutoRun: false, required: false },
+];
+
+var SAFETY_BOUNDARIES = ["hooks apply --yes", "mcp config patch", "deploy", "publish", "prod", "rm -rf", "destructive", "fake feedback", "fake token cost", "exact savings without source"];
+
+function buildEvidenceClosurePlan(cwd, options) {
+  options = options || {};
+  return EVIDENCE_CHECKS.map(function(check) {
+    var exists = fs.existsSync(path.join(cwd, check.artifactPath));
+    var artifact = exists ? safeReadJson(path.join(cwd, check.artifactPath)) : null;
+    var sufficient = exists;
+    if (check.id === "feedback_intelligence_receipt") {
+      sufficient = exists && artifact && artifact.qualifiedFeedbackItemsCount > 0;
+    } else if (check.id === "token_cost_intelligence_receipt") {
+      sufficient = exists && artifact && artifact.realUsageSamplesCount > 0;
+    } else if (check.id === "token_cost_capture_receipt") {
+      sufficient = exists && artifact && artifact.realUsageSamplesCount > 0;
+    } else if (check.id === "token_cost_summary_receipt") {
+      sufficient = exists && artifact && artifact.realUsageSamplesCount > 0;
+    } else if (check.id === "prelaunch_intelligence_receipt") {
+      sufficient = exists && artifact && artifact.status !== "insufficient_data" && (artifact.missingEvidence || []).length === 0;
+    } else if (check.id === "proof_outcome_receipt") {
+      sufficient = exists && artifact && artifact.latestProofAvailable === true && artifact.realTaskProofCount > 0;
+    } else if (check.id === "launch_hardening_receipt") {
+      sufficient = exists && artifact && artifact.status !== "fail";
+    }
+    return Object.assign({}, check, {
+      evidencePresent: exists,
+      sufficient: sufficient,
+      artifactStatus: artifact && artifact.status || (exists ? "present" : "missing"),
+      action: exists ? "read" : "missing",
+      artifact: artifact,
+    });
+  });
+}
+
+function executeSafeEvidenceClosure(cwd, plan, options) {
+  options = options || {};
+  var actionsAttempted = [], evidenceGenerated = [], evidenceStillMissing = [], skippedActions = [], gaps = [];
+  plan.forEach(function(item) {
+    if (item.evidencePresent) {
+      actionsAttempted.push({ id: item.id, action: "read", result: "present" });
+      evidenceGenerated.push({
+        id: item.id,
+        description: item.description,
+        artifactPath: item.artifactPath,
+        status: item.artifactStatus,
+        sufficient: item.sufficient,
+        required: item.required,
+      });
+      if (!item.sufficient) {
+        var recoverCommand = (item.artifact && item.artifact.safeNextActions && item.artifact.safeNextActions[0]) || item.recoverCommand;
+        gaps.push({
+          id: item.id,
+          description: item.description,
+          recoverCommand: recoverCommand,
+          required: item.required,
+          reason: "artifact_present_but_insufficient",
+          canAutoRun: false,
+        });
+      }
+    } else {
+      skippedActions.push({ id: item.id, reason: "requires_user_run", recoverCommand: item.recoverCommand });
+      evidenceStillMissing.push({ id: item.id, description: item.description, recoverCommand: item.recoverCommand, required: item.required, canAutoRun: false });
+      gaps.push({
+        id: item.id,
+        description: item.description,
+        recoverCommand: item.recoverCommand,
+        required: item.required,
+        reason: "artifact_missing",
+        canAutoRun: false,
+      });
+    }
+  });
+  return { actionsAttempted: actionsAttempted, evidenceGenerated: evidenceGenerated, evidenceStillMissing: evidenceStillMissing, skippedActions: skippedActions, safetyBoundaries: SAFETY_BOUNDARIES, gaps: gaps };
+}
+
+function runReadinessEvidenceClosure(cwd, options) {
+  options = options || {};
+  var plan = buildEvidenceClosurePlan(cwd, options);
+  var result = executeSafeEvidenceClosure(cwd, plan, options);
+  var totalItems = plan.length;
+  var presentCount = result.evidenceGenerated.filter(function(item) { return item.sufficient; }).length;
+  var missingCount = result.gaps.length;
+  var requiredEvidence = plan.filter(function(item) { return item.required; }).map(function(item) { return item.id; });
+  var optionalEvidence = plan.filter(function(item) { return !item.required; }).map(function(item) { return item.id; });
+  var status = missingCount === 0 ? "completed" : presentCount > 0 ? "partial" : "blocked";
+  var safeNextActions = [];
+  result.gaps.forEach(function(gap) {
+    if (gap.recoverCommand && safeNextActions.indexOf(gap.recoverCommand) === -1) safeNextActions.push(gap.recoverCommand);
+  });
+  var nextAction = safeNextActions[0] || "All evidence collected. Run: node bin/avorelo full-readiness --json";
+  var closure = {
+    contract: CONTRACT,
+    schemaVersion: SCHEMA_VERSION,
+    createdAt: nowIso(),
+    status: status,
+    totalChecked: totalItems,
+    evidencePresentCount: presentCount,
+    evidenceMissingCount: missingCount,
+    actionsAttempted: result.actionsAttempted,
+    evidenceGenerated: result.evidenceGenerated,
+    evidenceStillMissing: result.evidenceStillMissing,
+    skippedActions: result.skippedActions,
+    gaps: result.gaps,
+    requiredEvidence: requiredEvidence,
+    optionalEvidence: optionalEvidence,
+    evidenceItems: plan.map(function(item) {
+      return {
+        id: item.id,
+        description: item.description,
+        artifactPath: item.artifactPath,
+        evidencePresent: item.evidencePresent,
+        sufficient: item.sufficient,
+        required: item.required,
+        status: item.artifactStatus,
+        canAutoRun: false,
+      };
+    }),
+    safeNextActions: safeNextActions,
+    safetyBoundaries: result.safetyBoundaries,
+    nextAction: nextAction,
+    canAutoRun: false,
+    redacted: true,
+  };
+  try { appendProductLearningEvent(cwd, { eventName: "readiness_evidence_closure_run", category: "full_readiness", status: status, evidencePresentCount: presentCount, evidenceMissingCount: missingCount }); } catch (e) {}
+  return closure;
+}
+
+function writeEvidenceClosure(cwd, closure) {
+  var dir = path.join(cwd, CLOSURE_DIR_REL);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(path.join(cwd, ARTIFACT_REL), JSON.stringify(closure, null, 2));
+  return closure;
+}
+
+function buildEvidenceClosureSurface(cwd, options) {
+  options = options || {};
+  var closure = safeReadJson(path.join(cwd, ARTIFACT_REL));
+  if (!closure) return { status: "not_available", evidencePresentCount: 0, evidenceMissingCount: 0 };
+  return { status: closure.status, evidencePresentCount: closure.evidencePresentCount, evidenceMissingCount: closure.evidenceMissingCount, nextAction: closure.nextAction, gaps: closure.gaps || [] };
+}
+
+function formatEvidenceClosureText(closure, options) {
+  options = options || {};
+  var lines = [];
+  lines.push("Evidence closure: " + closure.status);
+  lines.push("Evidence: " + closure.evidencePresentCount + "/" + closure.totalChecked + " present");
+  if ((closure.gaps || []).length > 0) {
+    lines.push(""); lines.push("Missing evidence:");
+    closure.gaps.forEach(function(m) { lines.push("  - " + m.description); lines.push("    Run: " + m.recoverCommand); });
+  }
+  lines.push(""); lines.push("Next: " + closure.nextAction);
+  return lines.join("\n");
+}
+
+module.exports = { CONTRACT, SCHEMA_VERSION, ARTIFACT_REL, runReadinessEvidenceClosure, buildEvidenceClosurePlan, executeSafeEvidenceClosure, writeEvidenceClosure, buildEvidenceClosureSurface, formatEvidenceClosureText };

package/scripts/lib/reentry-memory-capture.js

@@ -0,0 +1,241 @@
+"use strict";
+
+const { ReentryMemoryStore } = require("./reentry-memory-store");
+
+// Patterns for sensitive content detection
+const SENSITIVE_PATTERNS = [
+  /sk-[a-zA-Z0-9._\-]{10,}/,        // Anthropic/OpenAI API keys
+  /Bearer\s+[a-zA-Z0-9._\-]{20,}/i, // Bearer tokens
+  /AKIA[A-Z0-9]{16}/,               // AWS access keys
+  /private[_\s]?key/i,              // Private key references
+  /-----BEGIN [A-Z ]+KEY-----/,     // PEM keys
+  /password\s*=\s*\S+/i,            // password= assignments
+  /secret\s*=\s*\S+/i,              // secret= assignments
+  /token\s*=\s*['"][a-zA-Z0-9._\-]{20,}['"]/i, // token= with value
+  /Authorization:\s*[^\n]{20,}/i,   // Auth headers
+  /\.env\s+\S+\s*=\s*\S{10,}/,     // .env style assignments
+  /GITHUB_TOKEN[^a-zA-Z0-9]/,       // GitHub tokens
+  /ghp_[a-zA-Z0-9]{36,}/,          // GitHub PATs
+  /ghs_[a-zA-Z0-9]{36,}/,          // GitHub secrets
+  /sk_live_[a-zA-Z0-9]{20,}/,      // Stripe live keys
+  /sk_test_[a-zA-Z0-9]{20,}/,      // Stripe test keys
+  /eyJ[a-zA-Z0-9_\-]{8,}\.eyJ[a-zA-Z0-9_\-]{8,}\.[a-zA-Z0-9_\-]{8,}/, // JWTs
+];
+
+const REDACTION_PLACEHOLDER = "[REDACTED]";
+const MAX_RAW_OUTPUT_BYTES = 4 * 1024; // 4KB max for raw output in evidence
+
+function detectSensitive(text) {
+  if (!text || typeof text !== "string") return false;
+  return SENSITIVE_PATTERNS.some((re) => re.test(text));
+}
+
+function redactSensitive(text) {
+  if (!text || typeof text !== "string") return text;
+  let result = text;
+  for (const re of SENSITIVE_PATTERNS) {
+    result = result.replace(new RegExp(re.source, re.flags + (re.flags.includes("g") ? "" : "g")), REDACTION_PLACEHOLDER);
+  }
+  return result;
+}
+
+function truncateLargeOutput(text, maxBytes = MAX_RAW_OUTPUT_BYTES) {
+  if (!text) return "";
+  const bytes = Buffer.byteLength(String(text), "utf8");
+  if (bytes <= maxBytes) return text;
+  const truncated = String(text).slice(0, maxBytes);
+  return truncated + `\n...(truncated, original ${bytes} bytes)`;
+}
+
+function isInternalProtocolPayload(text) {
+  if (!text || typeof text !== "string") return false;
+  // Skip task-notification-like system payloads
+  const lower = text.toLowerCase();
+  return (
+    lower.includes("<task-notification>") ||
+    lower.includes("<system-reminder>") ||
+    lower.includes("<local-command-caveat>") ||
+    lower.includes("<<autonomous-loop")
+  );
+}
+
+function captureMemoryItem(store, partial, opts = {}) {
+  const { captureSensitive = false } = opts;
+
+  // Skip internal protocol payloads
+  const combined = [partial.title, partial.summary, partial.evidence].join(" ");
+  if (isInternalProtocolPayload(combined)) return null;
+
+  // Sensitive detection
+  const isSensitive = detectSensitive(combined);
+  if (isSensitive && !captureSensitive) {
+    // Store a redacted version, flagged as sensitive and not auto-injectable
+    partial = {
+      ...partial,
+      summary: redactSensitive(partial.summary || ""),
+      evidence: redactSensitive(partial.evidence || ""),
+      sensitive: true,
+      safeForAutoInject: false,
+    };
+  } else if (isSensitive && captureSensitive) {
+    partial = {
+      ...partial,
+      sensitive: true,
+      safeForAutoInject: false,
+    };
+  }
+
+  // Deduplication: skip if same session already has this title+type
+  if (partial.sessionId && store.hasDuplicate(partial.sessionId, partial.title, partial.type)) {
+    return null;
+  }
+
+  // Truncate large evidence
+  if (partial.evidence) {
+    partial = { ...partial, evidence: truncateLargeOutput(partial.evidence) };
+  }
+
+  return store.append(partial);
+}
+
+function captureFromFailure(store, params, opts = {}) {
+  const {
+    sessionId,
+    toolName,
+    errorText,
+    relatedFiles = [],
+    relatedCommands = [],
+    repoRoot,
+  } = params;
+
+  if (!errorText || !errorText.trim()) return null;
+
+  const truncated = truncateLargeOutput(errorText, 800);
+  const title = `Tool failure: ${toolName || "unknown"} — ${truncated.slice(0, 80).replace(/\n/g, " ")}`;
+
+  return captureMemoryItem(store, {
+    sessionId,
+    type: "failure",
+    title,
+    summary: `${toolName || "unknown"} failed during session.`,
+    evidence: truncated,
+    relatedFiles,
+    relatedCommands: relatedCommands.length ? relatedCommands : (toolName ? [toolName] : []),
+    confidence: "medium",
+    riskLevel: "medium",
+    staleStatus: "fresh",
+    safeForAutoInject: false,
+    tags: ["tool-failure", toolName].filter(Boolean),
+    repoRoot,
+  }, opts);
+}
+
+function captureFromFileChange(store, params, opts = {}) {
+  const {
+    sessionId,
+    filePath,
+    toolName,
+    summary,
+    repoRoot,
+  } = params;
+
+  if (!filePath) return null;
+
+  const title = `File updated: ${filePath}`;
+
+  return captureMemoryItem(store, {
+    sessionId,
+    type: "file_change",
+    title,
+    summary: summary || `${toolName || "Write"} updated ${filePath}.`,
+    evidence: `file=${filePath} tool=${toolName || "Write"}`,
+    relatedFiles: [filePath],
+    relatedCommands: toolName ? [toolName] : [],
+    confidence: "high",
+    riskLevel: "low",
+    staleStatus: "fresh",
+    safeForAutoInject: true,
+    tags: ["file-change"],
+    repoRoot,
+  }, opts);
+}
+
+function captureFromValidation(store, params, opts = {}) {
+  const {
+    sessionId,
+    title,
+    summary,
+    evidence,
+    passed,
+    relatedFiles = [],
+    relatedCommands = [],
+    repoRoot,
+  } = params;
+
+  return captureMemoryItem(store, {
+    sessionId,
+    type: "validation",
+    title: title || (passed ? "Validation passed" : "Validation failed"),
+    summary: summary || (passed ? "Validation succeeded." : "Validation failed."),
+    evidence: evidence || "",
+    relatedFiles,
+    relatedCommands,
+    confidence: passed ? "high" : "medium",
+    riskLevel: passed ? "low" : "medium",
+    staleStatus: "fresh",
+    safeForAutoInject: passed,
+    tags: [passed ? "validation-pass" : "validation-fail"],
+    repoRoot,
+  }, opts);
+}
+
+function captureFromSessionEnd(store, params, opts = {}) {
+  const {
+    sessionId,
+    nextAction,
+    whereAmINow,
+    whatHappened,
+    relatedFiles = [],
+    repoRoot,
+  } = params;
+
+  if (!nextAction && !whereAmINow) return null;
+
+  const title = nextAction
+    ? `Next action: ${String(nextAction).slice(0, 120)}`
+    : `Session ended: ${String(whereAmINow || "unknown state").slice(0, 100)}`;
+
+  const summary = [
+    whereAmINow ? `State: ${whereAmINow}` : null,
+    whatHappened ? `What happened: ${whatHappened}` : null,
+    nextAction ? `Next: ${nextAction}` : null,
+  ].filter(Boolean).join(". ");
+
+  return captureMemoryItem(store, {
+    sessionId,
+    type: "next_action",
+    title,
+    summary,
+    evidence: `session=${sessionId}`,
+    relatedFiles,
+    relatedCommands: [],
+    confidence: "medium",
+    riskLevel: "low",
+    staleStatus: "fresh",
+    safeForAutoInject: false,
+    tags: ["session-end", "reentry"],
+    repoRoot,
+  }, opts);
+}
+
+module.exports = {
+  detectSensitive,
+  redactSensitive,
+  truncateLargeOutput,
+  isInternalProtocolPayload,
+  captureMemoryItem,
+  captureFromFailure,
+  captureFromFileChange,
+  captureFromValidation,
+  captureFromSessionEnd,
+};