npm - avorelo - Versions diffs - 0.1.0 - Mend

avorelo 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (258) hide show

package/LICENSE +21 -0
package/README.md +56 -0
package/bin/avorelo +9 -0
package/package.json +135 -0
package/scripts/README.md +40 -0
package/scripts/cco-dashboard.js +252 -0
package/scripts/cco-status.js +430 -0
package/scripts/lib/activation/account-state.js +37 -0
package/scripts/lib/activation/activation-runner.js +546 -0
package/scripts/lib/activation/activation-self-healing.js +480 -0
package/scripts/lib/activation/activation-state.js +83 -0
package/scripts/lib/activation/activation-summary.js +191 -0
package/scripts/lib/activation/adapters/claude-code.js +77 -0
package/scripts/lib/activation/adapters/codex-cli.js +52 -0
package/scripts/lib/activation/adapters/cursor.js +37 -0
package/scripts/lib/activation/adapters/github-agent.js +39 -0
package/scripts/lib/activation/adapters/terminal.js +42 -0
package/scripts/lib/activation/adapters/vscode.js +39 -0
package/scripts/lib/activation/adapters/windsurf.js +37 -0
package/scripts/lib/activation/ai-surface-detector.js +151 -0
package/scripts/lib/activation/connect-account.js +145 -0
package/scripts/lib/activation/detect-environment.js +75 -0
package/scripts/lib/activation/detect-hosts.js +62 -0
package/scripts/lib/activation/format-activation-output.js +109 -0
package/scripts/lib/activation/next-action.js +43 -0
package/scripts/lib/activation/repair-engine.js +219 -0
package/scripts/lib/activation-distribution-readiness.js +507 -0
package/scripts/lib/adapter-conformance.js +176 -0
package/scripts/lib/adapter-readiness.js +417 -0
package/scripts/lib/adapter-safety-boundaries.js +335 -0
package/scripts/lib/adapter-technical-readiness-gate.js +205 -0
package/scripts/lib/agent-access-governance.js +455 -0
package/scripts/lib/agent-enforcement.js +765 -0
package/scripts/lib/agent-policy-profile.js +210 -0
package/scripts/lib/agent-security/action-evaluator.js +507 -0
package/scripts/lib/agent-security/adapter-registry.js +98 -0
package/scripts/lib/agent-security/auto-policy.js +139 -0
package/scripts/lib/agent-security/bounded-scan.js +93 -0
package/scripts/lib/agent-security/enforcement-adapter.js +174 -0
package/scripts/lib/agent-security/enforcement-engine.js +1129 -0
package/scripts/lib/agent-security/file-write-adapter.js +183 -0
package/scripts/lib/agent-security/file-write-rules.js +178 -0
package/scripts/lib/agent-security/index.js +3342 -0
package/scripts/lib/agent-security/instruction-risk.js +181 -0
package/scripts/lib/agent-security/mcp-action-adapter.js +185 -0
package/scripts/lib/agent-security/mcp-action-rules.js +184 -0
package/scripts/lib/agent-security/package-action-adapter.js +175 -0
package/scripts/lib/agent-security/package-action-rules.js +233 -0
package/scripts/lib/agent-security/performance.js +148 -0
package/scripts/lib/agent-security/permission-minimizer.js +403 -0
package/scripts/lib/agent-security/scan-cache.js +74 -0
package/scripts/lib/agent-security/source-trust.js +146 -0
package/scripts/lib/ai-install-prompt.js +288 -0
package/scripts/lib/ai-workspace-hygiene.js +1499 -0
package/scripts/lib/alpha-activation.js +520 -0
package/scripts/lib/alpha-feedback.js +263 -0
package/scripts/lib/alpha-readiness-gate.js +332 -0
package/scripts/lib/anti-gaming.js +169 -0
package/scripts/lib/artifact-health.js +431 -0
package/scripts/lib/attribution.js +180 -0
package/scripts/lib/audit.js +289 -0
package/scripts/lib/avorelo-skill-registry.js +810 -0
package/scripts/lib/batch-jobs.js +71 -0
package/scripts/lib/brain-pack.js +578 -0
package/scripts/lib/brand-boundary.js +424 -0
package/scripts/lib/brand.js +74 -0
package/scripts/lib/browser-capability.js +1048 -0
package/scripts/lib/browser-proof-preflight.js +321 -0
package/scripts/lib/cache-readiness.js +187 -0
package/scripts/lib/canonical-reentry.js +162 -0
package/scripts/lib/capability-packs.js +314 -0
package/scripts/lib/capability-recommender.js +512 -0
package/scripts/lib/capability-registry.js +1059 -0
package/scripts/lib/carry-forward-surfacing.js +194 -0
package/scripts/lib/ccusage-adapter.js +188 -0
package/scripts/lib/company-loop.js +1149 -0
package/scripts/lib/config.js +637 -0
package/scripts/lib/context-acquisition-plan.js +287 -0
package/scripts/lib/context-budget-guard.js +170 -0
package/scripts/lib/context-budget-scanner.js +257 -0
package/scripts/lib/context-optimizer.js +715 -0
package/scripts/lib/context-reduction-plan.js +178 -0
package/scripts/lib/context-safety.js +88 -0
package/scripts/lib/context-savings-engine.js +158 -0
package/scripts/lib/cost-evidence.js +254 -0
package/scripts/lib/cross-host-install-plan.js +308 -0
package/scripts/lib/cross-host-install-readiness.js +237 -0
package/scripts/lib/cross-host-value-flow.js +268 -0
package/scripts/lib/dashboard.js +900 -0
package/scripts/lib/design-partner-feedback.js +346 -0
package/scripts/lib/entitlements.js +100 -0
package/scripts/lib/execution-packet.js +559 -0
package/scripts/lib/experimentation-events.js +547 -0
package/scripts/lib/external-capability-compliance.js +107 -0
package/scripts/lib/external-user-simulation.js +166 -0
package/scripts/lib/failure-recovery-readiness.js +81 -0
package/scripts/lib/failure-recovery.js +419 -0
package/scripts/lib/feedback-intelligence.js +537 -0
package/scripts/lib/feedback-signals.js +205 -0
package/scripts/lib/file-integrity.js +68 -0
package/scripts/lib/fsx.js +127 -0
package/scripts/lib/full-readiness-gate.js +451 -0
package/scripts/lib/guidance-builder.js +174 -0
package/scripts/lib/hook-apply.js +1019 -0
package/scripts/lib/hook-baseline.js +310 -0
package/scripts/lib/hook-config-preview.js +275 -0
package/scripts/lib/hook-contracts.js +290 -0
package/scripts/lib/hook-safety-boundary-readiness.js +80 -0
package/scripts/lib/host-capability-matrix.js +351 -0
package/scripts/lib/host-support-context.js +254 -0
package/scripts/lib/http-hook-action.js +538 -0
package/scripts/lib/install-ai-readiness.js +84 -0
package/scripts/lib/install-intake-risk.js +1037 -0
package/scripts/lib/install-journey-intelligence.js +329 -0
package/scripts/lib/intervention-guidance.js +57 -0
package/scripts/lib/known-limitations.js +115 -0
package/scripts/lib/l8-path-truth.js +146 -0
package/scripts/lib/launch-hardening-gate.js +436 -0
package/scripts/lib/launch-readiness.js +628 -0
package/scripts/lib/learning-memory.js +686 -0
package/scripts/lib/lifecycle-hooks.js +802 -0
package/scripts/lib/local-package-smoke.js +423 -0
package/scripts/lib/local-pricing.js +299 -0
package/scripts/lib/mcp-enforcement.js +311 -0
package/scripts/lib/mcp-least-privilege-policy.js +303 -0
package/scripts/lib/mcp-tool-inventory.js +388 -0
package/scripts/lib/mcp-tool-risk.js +0 -0
package/scripts/lib/memory.js +335 -0
package/scripts/lib/metrics.js +699 -0
package/scripts/lib/micro-proof.js +133 -0
package/scripts/lib/next-run-context.js +436 -0
package/scripts/lib/operating-value.js +1648 -0
package/scripts/lib/optimization-v3.js +122 -0
package/scripts/lib/orchestration/adapters/_shared.js +49 -0
package/scripts/lib/orchestration/adapters/aider.js +18 -0
package/scripts/lib/orchestration/adapters/claude-code.js +35 -0
package/scripts/lib/orchestration/adapters/codex.js +35 -0
package/scripts/lib/orchestration/adapters/gemini-cli.js +18 -0
package/scripts/lib/orchestration/adapters/git.js +25 -0
package/scripts/lib/orchestration/adapters/index.js +31 -0
package/scripts/lib/orchestration/adapters/lm-studio.js +18 -0
package/scripts/lib/orchestration/adapters/ollama.js +18 -0
package/scripts/lib/orchestration/adapters/opencode.js +18 -0
package/scripts/lib/orchestration/adapters/openrouter.js +18 -0
package/scripts/lib/orchestration/adapters/test-runner.js +25 -0
package/scripts/lib/orchestration/cli.js +438 -0
package/scripts/lib/orchestration/execution-manager.js +279 -0
package/scripts/lib/orchestration/handoff.js +314 -0
package/scripts/lib/orchestration/index.js +456 -0
package/scripts/lib/orchestration/inventory.js +47 -0
package/scripts/lib/orchestration/model-discovery.js +498 -0
package/scripts/lib/orchestration/model-profiler.js +170 -0
package/scripts/lib/orchestration/model-profiles.js +252 -0
package/scripts/lib/orchestration/model-refresh-policy.js +72 -0
package/scripts/lib/orchestration/proof-writer.js +349 -0
package/scripts/lib/orchestration/provider-discovery/aider.js +49 -0
package/scripts/lib/orchestration/provider-discovery/claude-code.js +56 -0
package/scripts/lib/orchestration/provider-discovery/codex.js +49 -0
package/scripts/lib/orchestration/provider-discovery/common.js +186 -0
package/scripts/lib/orchestration/provider-discovery/gemini.js +106 -0
package/scripts/lib/orchestration/provider-discovery/lm-studio.js +118 -0
package/scripts/lib/orchestration/provider-discovery/models-dev.js +12 -0
package/scripts/lib/orchestration/provider-discovery/ollama.js +100 -0
package/scripts/lib/orchestration/provider-discovery/opencode.js +47 -0
package/scripts/lib/orchestration/provider-discovery/openrouter.js +44 -0
package/scripts/lib/orchestration/risk-classifier.js +130 -0
package/scripts/lib/orchestration/routing-policy.js +486 -0
package/scripts/lib/orchestration/settings.js +112 -0
package/scripts/lib/orchestration/state.js +165 -0
package/scripts/lib/orchestration/verification-manager.js +138 -0
package/scripts/lib/output-profiles.js +146 -0
package/scripts/lib/package-content-audit.js +368 -0
package/scripts/lib/package-runtime.js +278 -0
package/scripts/lib/plan-surface.js +53 -0
package/scripts/lib/plans.js +2318 -0
package/scripts/lib/policy-provider.js +27 -0
package/scripts/lib/prelaunch-activation-readiness.js +409 -0
package/scripts/lib/prelaunch-evidence-store.js +816 -0
package/scripts/lib/prelaunch-intelligence.js +869 -0
package/scripts/lib/pricing-experiment.js +118 -0
package/scripts/lib/pro-moment-events.js +77 -0
package/scripts/lib/pro-moment-state.js +227 -0
package/scripts/lib/pro-moments.js +1216 -0
package/scripts/lib/product-learning-events.js +629 -0
package/scripts/lib/project-profile.js +555 -0
package/scripts/lib/prompt-compiler.js +280 -0
package/scripts/lib/prompt-lint.js +32 -0
package/scripts/lib/prompt-suggestions.js +52 -0
package/scripts/lib/proof-canonical.js +398 -0
package/scripts/lib/proof-drilldown.js +383 -0
package/scripts/lib/proof-events.js +342 -0
package/scripts/lib/proof-history.js +243 -0
package/scripts/lib/proof-metrics.js +296 -0
package/scripts/lib/proof-outcome-evidence.js +134 -0
package/scripts/lib/proof-receipt.js +335 -0
package/scripts/lib/proof-record.js +461 -0
package/scripts/lib/public-activation-distribution-gate.js +258 -0
package/scripts/lib/public-cli.js +3891 -0
package/scripts/lib/public-distribution-truth.js +211 -0
package/scripts/lib/public-install-claim-checker.js +294 -0
package/scripts/lib/publish-provenance-readiness.js +283 -0
package/scripts/lib/readiness-delta.js +218 -0
package/scripts/lib/readiness-evidence-closure.js +196 -0
package/scripts/lib/reentry-memory-capture.js +241 -0
package/scripts/lib/reentry-memory-retrieval.js +302 -0
package/scripts/lib/reentry-memory-status.js +146 -0
package/scripts/lib/reentry-memory-store.js +178 -0
package/scripts/lib/reentry-state.js +66 -0
package/scripts/lib/release-candidate-bundle.js +166 -0
package/scripts/lib/remediation.js +81 -0
package/scripts/lib/repo-map.js +391 -0
package/scripts/lib/run-improvements-lifecycle.js +330 -0
package/scripts/lib/run-improvements.js +789 -0
package/scripts/lib/runtime-decision-policy.js +387 -0
package/scripts/lib/safe-path-engine.js +705 -0
package/scripts/lib/safe-run-controller.js +887 -0
package/scripts/lib/score.js +262 -0
package/scripts/lib/seamless-enforcement.js +329 -0
package/scripts/lib/seamless-outcome.js +689 -0
package/scripts/lib/seamless-reality-gate.js +5043 -0
package/scripts/lib/security-risk-classifier.js +511 -0
package/scripts/lib/security-scan.js +384 -0
package/scripts/lib/session-context-optimizer.js +1211 -0
package/scripts/lib/session-timing.js +315 -0
package/scripts/lib/skill-hygiene.js +805 -0
package/scripts/lib/skill-packs.js +161 -0
package/scripts/lib/skills-operating-layer.js +580 -0
package/scripts/lib/smart-work-routing.js +768 -0
package/scripts/lib/source-catalog.js +700 -0
package/scripts/lib/status-value-summary.js +32 -0
package/scripts/lib/support-bundle.js +578 -0
package/scripts/lib/task-continuation.js +440 -0
package/scripts/lib/test-helpers.js +15 -0
package/scripts/lib/tier.js +38 -0
package/scripts/lib/token-context-quality-gate.js +370 -0
package/scripts/lib/token-cost-capture.js +187 -0
package/scripts/lib/token-cost-intelligence.js +358 -0
package/scripts/lib/token-efficiency-evidence.js +213 -0
package/scripts/lib/token-evidence.js +699 -0
package/scripts/lib/tokenish.js +17 -0
package/scripts/lib/tool-output-sandbox.js +304 -0
package/scripts/lib/trust-audit.js +136 -0
package/scripts/lib/unified-events.js +396 -0
package/scripts/lib/upgrade-interruption-recovery.js +407 -0
package/scripts/lib/usage-ledger.js +201 -0
package/scripts/lib/value-ledger.js +130 -0
package/scripts/lib/value-proof-calibration.js +531 -0
package/scripts/lib/visual-qa.js +231 -0
package/scripts/lib/voice-alpha.js +29 -0
package/scripts/lib/work-aware-orchestration.js +976 -0
package/scripts/lib/work-control-receipts.js +577 -0
package/scripts/lib/work-ledger.js +1123 -0
package/scripts/lib/work-panel-preview.js +352 -0
package/scripts/lib/workflow-discipline.js +280 -0
package/scripts/lib/workflow-signals.js +419 -0
package/scripts/lib/workspace-map.js +281 -0
package/scripts/lib/workspace-registry.js +1367 -0
package/scripts/lib/workspace-resolver.js +480 -0

package/scripts/lib/adapter-safety-boundaries.js ADDED Viewed

@@ -0,0 +1,335 @@
+"use strict";
+// ── Adapter Safety Boundaries ─────────────────────────────────────────────────
+// Contract: avorelo.adapterSafetyBoundaries.v1
+// Answers: "Are adapter safety contracts enforced? No cross-adapter state leaks?
+// Hook timeout respected? MCP isolation verified?"
+// Reads configs and artifacts. Does NOT mutate. Does NOT run hooks.
+const fs = require("fs");
+const path = require("path");
+const { nowIso } = require("./fsx");
+const { appendProductLearningEvent } = require("./product-learning-events");
+const CONTRACT = "avorelo.adapterSafetyBoundaries.v1";
+const SCHEMA_VERSION = 1;
+const ARTIFACT_DIR_REL = ".claude/cco/orchestration/adapter-readiness";
+const ARTIFACT_REL = ARTIFACT_DIR_REL + "/latest-adapter-safety-boundaries.json";
+function safeReadJson(absPath) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    return JSON.parse(fs.readFileSync(absPath, "utf8").replace(/^/, ""));
+  } catch { return null; }
+}
+function safeReadText(absPath, maxChars) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    const fd = fs.openSync(absPath, "r");
+    const buf = Buffer.alloc(maxChars || 8000);
+    const n = fs.readSync(fd, buf, 0, buf.length, 0);
+    fs.closeSync(fd);
+    return buf.slice(0, n).toString("utf8");
+  } catch { return null; }
+}
+function pass(id, label, evidence, detail) {
+  return { id, label, status: "pass", evidence: evidence || null, detail: detail || null, safeNextAction: null };
+}
+function warn(id, label, safeNextAction, evidence, detail) {
+  return { id, label, status: "warn", evidence: evidence || null, detail: detail || null, safeNextAction: safeNextAction || "Review and resolve." };
+}
+function blocked(id, label, safeNextAction, evidence, detail) {
+  return { id, label, status: "blocked", evidence: evidence || null, detail: detail || null, safeNextAction: safeNextAction || "Fix blocker before proceeding." };
+}
+// ── Safety Checks ─────────────────────────────────────────────────────────────
+function checkNoCrossAdapterStateLeak(cwd) {
+  // Check that state directories are per-host isolated
+  const hostsStateDir = path.join(cwd, ".claude/cco/state/hosts");
+  if (!fs.existsSync(hostsStateDir)) {
+    return pass("no_cross_adapter_state_leak", "No cross-adapter state found (hosts state dir absent)",
+      { hostsStateDirExists: false }, "Host state isolation not needed until multi-host session detected.");
+  }
+  // Check if host state files exist and that they have distinct ids (not sharing state)
+  let hostFiles = [];
+  try { hostFiles = fs.readdirSync(hostsStateDir).filter(function(f) { return f.endsWith(".json"); }); } catch { /* ignore */ }
+  const hostIds = new Set();
+  let hasConflict = false;
+  for (const f of hostFiles) {
+    const data = safeReadJson(path.join(hostsStateDir, f));
+    if (data && data.id) {
+      if (hostIds.has(data.id)) { hasConflict = true; break; }
+      hostIds.add(data.id);
+    }
+  }
+  if (hasConflict) {
+    return blocked("no_cross_adapter_state_leak", "Cross-adapter state conflict detected",
+      "Remove duplicate host state files from .claude/cco/state/hosts/.",
+      { hostFileCount: hostFiles.length });
+  }
+  return pass("no_cross_adapter_state_leak", "No cross-adapter state conflict",
+    { hostFileCount: hostFiles.length, hostIds: Array.from(hostIds) });
+}
+function checkHookTimeoutRespected(cwd) {
+  const settingsPath = path.join(cwd, ".claude/settings.json");
+  const settings = safeReadJson(settingsPath);
+  if (!settings) {
+    return warn("hook_timeout_respected", "No .claude/settings.json found",
+      "Run: node bin/avorelo activate to generate settings.json with hook timeout config.",
+      null, ".claude/settings.json not found.");
+  }
+  // Check if hooks have timeout configured
+  const hooks = settings.hooks || {};
+  const hookEntries = Object.values(hooks);
+  const allHaveTimeout = hookEntries.length === 0 || hookEntries.every(function(h) {
+    const hooksArr = Array.isArray(h) ? h : [h];
+    return hooksArr.every(function(entry) {
+      return !entry || entry.timeout !== undefined || entry.timeoutMs !== undefined;
+    });
+  });
+  if (!allHaveTimeout) {
+    return warn("hook_timeout_respected", "Some hooks may lack explicit timeout",
+      "Add timeoutMs to hook definitions in .claude/settings.json.",
+      { hookCount: hookEntries.length });
+  }
+  return pass("hook_timeout_respected", "Hook configuration present",
+    { hookCount: hookEntries.length, settingsPresent: true });
+}
+function checkMcpIsolation(cwd) {
+  const settingsPath = path.join(cwd, ".claude/settings.json");
+  const settings = safeReadJson(settingsPath);
+  if (!settings) {
+    return warn("mcp_isolation", "No .claude/settings.json found for MCP config check",
+      "Run: node bin/avorelo activate to initialize settings.",
+      null);
+  }
+  // Check for dangerouslyAllowUnrestrictedMcpTools or similar unsafe flags
+  const settingsText = safeReadText(settingsPath, 5000) || "";
+  if (/dangerouslyAllowUnrestrictedMcpTools.*true|skipMcpValidation.*true/i.test(settingsText)) {
+    return blocked("mcp_isolation", "Unsafe MCP config flag detected",
+      "Remove dangerouslyAllowUnrestrictedMcpTools or skipMcpValidation from settings.",
+      { flagFound: true });
+  }
+  return pass("mcp_isolation", "No unsafe MCP isolation flags found",
+    { settingsChecked: true });
+}
+function checkNoTokenInAdapterConfig(cwd) {
+  const pathsToCheck = [
+    ".claude/settings.json",
+    ".claude/settings.local.json",
+    ".cursor/settings.json",
+    ".windsurf/settings.json",
+  ];
+  const issues = [];
+  for (const relPath of pathsToCheck) {
+    const absPath = path.join(cwd, relPath);
+    const text = safeReadText(absPath, 5000);
+    if (text && /token|secret|password|_authToken/i.test(text)) {
+      // Filter out false positives from non-credential fields
+      if (/["']?(?:token|secret|password|_authToken)["']?\s*[:=]\s*["'][^"']{6,}/i.test(text)) {
+        issues.push(relPath);
+      }
+    }
+  }
+  if (issues.length > 0) {
+    return blocked("no_token_in_adapter_config", "Token/secret found in adapter config",
+      "Remove tokens from adapter config files: " + issues.join(", "),
+      { files: issues });
+  }
+  return pass("no_token_in_adapter_config", "No tokens found in adapter config files",
+    { checked: pathsToCheck });
+}
+function checkHookSafetyBoundaryArtifact(cwd) {
+  const artifactPath = path.join(cwd, ".claude/cco/orchestration/full-readiness/latest-hook-safety-boundary.json");
+  const artifact = safeReadJson(artifactPath);
+  if (!artifact) {
+    // Check alternate path
+    const altPath = path.join(cwd, ".claude/cco/orchestration/hook-safety-boundary/latest-hook-safety-boundary-readiness.json");
+    const altArtifact = safeReadJson(altPath);
+    if (!altArtifact) {
+      return warn("hook_safety_boundary_artifact", "Hook safety boundary artifact not found",
+        "Run: node bin/avorelo hook-safety --json to generate hook safety boundary.",
+        null, "Artifact not found.");
+    }
+    return pass("hook_safety_boundary_artifact", "Hook safety boundary artifact present",
+      { path: altPath });
+  }
+  return pass("hook_safety_boundary_artifact", "Hook safety boundary artifact present",
+    { path: artifactPath });
+}
+function checkNoAutoApplyWithoutApproval(cwd) {
+  const settingsPath = path.join(cwd, ".claude/settings.json");
+  const text = safeReadText(settingsPath, 8000);
+  if (!text) {
+    return warn("no_auto_apply_without_approval", "Cannot verify auto-apply policy — settings.json missing",
+      "Run: node bin/avorelo activate to initialize settings.",
+      null);
+  }
+  // Check for auto-apply patterns that skip user approval
+  if (/autoApply.*true|autoHookApply.*true|skipApproval.*true/i.test(text)) {
+    return blocked("no_auto_apply_without_approval", "Auto-apply without approval found in settings",
+      "Remove autoApply/autoHookApply/skipApproval flags. All hook config changes require explicit approval.",
+      { flagFound: true });
+  }
+  return pass("no_auto_apply_without_approval", "No auto-apply without approval found",
+    { settingsChecked: true });
+}
+// ── Build Adapter Safety Boundaries ───────────────────────────────────────────
+function buildAdapterSafetyBoundaries(cwd, options) {
+  const checks = [
+    checkNoCrossAdapterStateLeak(cwd),
+    checkHookTimeoutRespected(cwd),
+    checkMcpIsolation(cwd),
+    checkNoTokenInAdapterConfig(cwd),
+    checkHookSafetyBoundaryArtifact(cwd),
+    checkNoAutoApplyWithoutApproval(cwd),
+  ];
+  const blockers = checks.filter(function(c) { return c.status === "blocked"; });
+  const warnings = checks.filter(function(c) { return c.status === "warn"; });
+  var status;
+  if (blockers.length > 0) {
+    status = "blocked";
+  } else if (warnings.length > 0) {
+    status = "warn";
+  } else {
+    status = "pass";
+  }
+  const safeNextAction = blockers.length > 0
+    ? "Fix safety boundary blockers immediately. Remove tokens from configs. Remove auto-apply flags."
+    : warnings.length > 0
+    ? "Review safety warnings. Ensure hook timeout and MCP isolation config is in place."
+    : "All adapter safety boundaries verified. Proceed to host support context.";
+  return {
+    contract: CONTRACT,
+    schemaVersion: SCHEMA_VERSION,
+    generatedAt: nowIso(),
+    status,
+    checks,
+    blockerCount: blockers.length,
+    warningCount: warnings.length,
+    approvalRequiredBeforeApply: true,
+    safeNextAction,
+    noPublicLaunchClaim: true,
+    redacted: true,
+  };
+}
+// ── Write ─────────────────────────────────────────────────────────────────────
+function writeAdapterSafetyBoundaries(cwd, boundaries) {
+  const dir = path.join(cwd, ARTIFACT_DIR_REL);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(path.join(cwd, ARTIFACT_REL), JSON.stringify(boundaries, null, 2));
+}
+// ── Surface ───────────────────────────────────────────────────────────────────
+function buildAdapterSafetyBoundariesSurface(cwd, options) {
+  const boundaries = buildAdapterSafetyBoundaries(cwd, options);
+  writeAdapterSafetyBoundaries(cwd, boundaries);
+  try {
+    appendProductLearningEvent(cwd, {
+      event: "adapter_safety_boundaries_built",
+      contract: CONTRACT,
+      status: boundaries.status,
+      blockerCount: boundaries.blockerCount,
+    });
+  } catch { /* non-fatal */ }
+  return {
+    status: boundaries.status,
+    blockerCount: boundaries.blockerCount,
+    warningCount: boundaries.warningCount,
+    approvalRequiredBeforeApply: true,
+    noPublicLaunchClaim: true,
+  };
+}
+// ── Format ────────────────────────────────────────────────────────────────────
+function formatAdapterSafetyBoundariesText(boundaries) {
+  var lines = [
+    "Adapter Safety Boundaries [" + (boundaries.status || "?").toUpperCase() + "]",
+    "  Approval required before apply: true",
+    "  Blockers: " + (boundaries.blockerCount || 0),
+    "  Warnings: " + (boundaries.warningCount || 0),
+  ];
+  if (boundaries.checks) {
+    boundaries.checks.forEach(function(c) {
+      if (c.status === "blocked" || c.status === "warn") {
+        lines.push("  [" + c.status.toUpperCase() + "] " + c.label + (c.safeNextAction ? " → " + c.safeNextAction : ""));
+      }
+    });
+  }
+  lines.push("  Next: " + (boundaries.safeNextAction || "Review adapter safety boundaries."));
+  return lines.join("\n");
+}
+// ── Validate Host Safety Boundaries ──────────────────────────────────────────
+// Per-host validation wrapper used by PR #163 cross-host checks.
+function validateHostSafetyBoundaries(cwd, hostId, options) {
+  options = options || {};
+  const boundaries = buildAdapterSafetyBoundaries(cwd, options);
+  // Filter checks relevant to this host (most checks are host-agnostic)
+  const hostChecks = boundaries.checks.filter(function(c) {
+    // All checks apply to detected hosts; filter only if host-specific id patterns
+    return true;
+  });
+  const blockers = hostChecks.filter(function(c) { return c.status === "blocked"; });
+  const warnings = hostChecks.filter(function(c) { return c.status === "warn"; });
+  const status = blockers.length > 0 ? "blocked" : warnings.length > 0 ? "warn" : "pass";
+  return {
+    hostId: hostId || "unknown",
+    status,
+    checks: hostChecks,
+    blockerCount: blockers.length,
+    warningCount: warnings.length,
+    approvalRequiredBeforeApply: true,
+    safeNextAction: boundaries.safeNextAction,
+  };
+}
+module.exports = {
+  CONTRACT,
+  SCHEMA_VERSION,
+  ARTIFACT_REL,
+  buildAdapterSafetyBoundaries,
+  writeAdapterSafetyBoundaries,
+  buildAdapterSafetyBoundariesSurface,
+  formatAdapterSafetyBoundariesText,
+  checkNoCrossAdapterStateLeak,
+  checkHookTimeoutRespected,
+  checkMcpIsolation,
+  checkNoTokenInAdapterConfig,
+  checkHookSafetyBoundaryArtifact,
+  checkNoAutoApplyWithoutApproval,
+  validateHostSafetyBoundaries,
+};

package/scripts/lib/adapter-technical-readiness-gate.js ADDED Viewed

@@ -0,0 +1,205 @@
+"use strict";
+// ── Adapter Technical Readiness Gate ─────────────────────────────────────────
+// Contract: avorelo.adapterTechnicalReadinessGate.v1
+// Answers: "Are all plugin/adapter technical readiness signals green? Is it safe
+// to proceed to alpha launch with multi-host adapter support?"
+// Aggregates: host-capability-matrix, cross-host-install, cross-host-value-flow,
+//   adapter-safety-boundaries, host-support-context, browser-proof-preflight
+// Read-only. Does NOT write to any adapter config. Does NOT launch browsers.
+const fs = require("fs");
+const path = require("path");
+const { nowIso } = require("./fsx");
+const { appendProductLearningEvent } = require("./product-learning-events");
+const { buildHostCapabilityMatrix } = require("./host-capability-matrix");
+const { buildCrossHostInstallReadiness } = require("./cross-host-install-readiness");
+const { buildCrossHostValueFlow } = require("./cross-host-value-flow");
+const { buildAdapterSafetyBoundaries } = require("./adapter-safety-boundaries");
+const { buildHostSupportContext } = require("./host-support-context");
+const { buildBrowserProofPreflight } = require("./browser-proof-preflight");
+const CONTRACT = "avorelo.adapterTechnicalReadinessGate.v1";
+const SCHEMA_VERSION = 1;
+const ARTIFACT_DIR_REL = ".claude/cco/orchestration/adapter-readiness";
+const ARTIFACT_REL = ARTIFACT_DIR_REL + "/latest-technical-gate.json";
+// ── Score Weights ─────────────────────────────────────────────────────────────
+// Each sub-module contributes a portion of the total score (100 pts total).
+// Safety boundaries are weighted highest — a blocker there is critical.
+const SCORE_WEIGHTS = {
+  adapter_safety_boundaries:    25,  // Safety is highest priority
+  cross_host_value_flow:        20,  // Value must flow across hosts
+  host_capability_matrix:       15,  // Know what each host can do
+  cross_host_install:           15,  // Install path must work
+  host_support_context:         15,  // Support must be diagnosable per host
+  browser_proof_preflight:      10,  // Browser preflight: local-first verified
+};
+const STATUS_SCORE = { pass: 1.0, warn: 0.5, blocked: 0.0, info: 1.0 };
+function scoreSignal(moduleName, status) {
+  const weight = SCORE_WEIGHTS[moduleName] || 0;
+  const factor = STATUS_SCORE[status] != null ? STATUS_SCORE[status] : 0.5;
+  return Math.round(weight * factor);
+}
+// ── Build Gate ────────────────────────────────────────────────────────────────
+function buildAdapterTechnicalReadinessGate(cwd, options) {
+  // Run all sub-modules (read-only, no side effects)
+  const hostMatrix      = buildHostCapabilityMatrix(cwd, options);
+  const crossInstall    = buildCrossHostInstallReadiness(cwd, options);
+  const valueFlow       = buildCrossHostValueFlow(cwd, options);
+  const safetyBoundaries = buildAdapterSafetyBoundaries(cwd, options);
+  const supportContext  = buildHostSupportContext(cwd, options);
+  const browserPreflight = buildBrowserProofPreflight(cwd, options);
+  // Summary per sub-module
+  const signals = {
+    host_capability_matrix:    { status: hostMatrix.status,       blockers: hostMatrix.blockerCount,       warnings: hostMatrix.warningCount },
+    cross_host_install:        { status: crossInstall.status,     blockers: crossInstall.blockerCount,     warnings: crossInstall.warningCount },
+    cross_host_value_flow:     { status: valueFlow.status,        blockers: valueFlow.blockerCount,        warnings: valueFlow.warningCount },
+    adapter_safety_boundaries: { status: safetyBoundaries.status, blockers: safetyBoundaries.blockerCount, warnings: safetyBoundaries.warningCount },
+    host_support_context:      { status: supportContext.status,   blockers: supportContext.blockerCount,   warnings: supportContext.warningCount },
+    browser_proof_preflight:   { status: browserPreflight.status, blockers: browserPreflight.blockerCount, warnings: browserPreflight.warningCount, browserRequired: false, noBrowserLaunch: true },
+  };
+  // Score
+  var score = 0;
+  Object.keys(signals).forEach(function(k) {
+    score += scoreSignal(k, signals[k].status);
+  });
+  // Overall status
+  const anyBlocked = Object.values(signals).some(function(s) { return s.status === "blocked"; });
+  const anyWarn    = Object.values(signals).some(function(s) { return s.status === "warn"; });
+  var status;
+  if (anyBlocked) {
+    status = "blocked";
+  } else if (anyWarn) {
+    status = "warn";
+  } else {
+    status = "pass";
+  }
+  // Counts
+  const totalBlockers = Object.values(signals).reduce(function(n, s) { return n + (s.blockers || 0); }, 0);
+  const totalWarnings = Object.values(signals).reduce(function(n, s) { return n + (s.warnings || 0); }, 0);
+  // Safe next action
+  var safeNextAction;
+  if (anyBlocked) {
+    const blockedModules = Object.entries(signals)
+      .filter(function([, s]) { return s.status === "blocked"; })
+      .map(function([k]) { return k; });
+    safeNextAction = "Fix adapter readiness blockers in: " + blockedModules.join(", ") + ". Resolve before alpha launch.";
+  } else if (anyWarn) {
+    safeNextAction = "Review adapter readiness warnings. Run bounded tasks to populate proof/ledger/support-bundle artifacts.";
+  } else {
+    safeNextAction = "Adapter Technical Readiness gate passed (score " + score + "/100). Multi-host adapter support verified. Safe to proceed to alpha launch candidate prep.";
+  }
+  // Verdict for company loop
+  var verdict;
+  if (score >= 90) {
+    verdict = "adapter_ready";
+  } else if (score >= 60) {
+    verdict = "adapter_partial";
+  } else {
+    verdict = "adapter_not_ready";
+  }
+  return {
+    contract: CONTRACT,
+    schemaVersion: SCHEMA_VERSION,
+    generatedAt: nowIso(),
+    status,
+    score,
+    verdict,
+    signals,
+    totalBlockers,
+    totalWarnings,
+    blockerCount: totalBlockers,
+    warningCount: totalWarnings,
+    safeNextAction,
+    browserRequired: false,
+    noBrowserLaunch: true,
+    noWorksEverywhereClaim: true,
+    noPublicLaunchClaim: true,
+    redacted: true,
+  };
+}
+// ── Write ─────────────────────────────────────────────────────────────────────
+function writeAdapterTechnicalReadinessGate(cwd, gate) {
+  const dir = path.join(cwd, ARTIFACT_DIR_REL);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(path.join(cwd, ARTIFACT_REL), JSON.stringify(gate, null, 2));
+}
+// ── Surface ───────────────────────────────────────────────────────────────────
+function buildAdapterTechnicalReadinessSurface(cwd, options) {
+  const gate = buildAdapterTechnicalReadinessGate(cwd, options);
+  writeAdapterTechnicalReadinessGate(cwd, gate);
+  try {
+    appendProductLearningEvent(cwd, {
+      event: "adapter_technical_readiness_gate_run",
+      contract: CONTRACT,
+      status: gate.status,
+      score: gate.score,
+      verdict: gate.verdict,
+      totalBlockers: gate.totalBlockers,
+      browserRequired: false,
+    });
+  } catch { /* non-fatal */ }
+  return {
+    status: gate.status,
+    score: gate.score,
+    verdict: gate.verdict,
+    signals: gate.signals,
+    blockerCount: gate.blockerCount,
+    warningCount: gate.warningCount,
+    browserRequired: false,
+    noBrowserLaunch: true,
+    noPublicLaunchClaim: true,
+  };
+}
+// ── Format ────────────────────────────────────────────────────────────────────
+function formatAdapterTechnicalReadinessText(gate) {
+  var lines = [
+    "Adapter Technical Readiness Gate [" + (gate.status || "?").toUpperCase() + "] score=" + (gate.score || 0) + "/100 verdict=" + (gate.verdict || "?"),
+    "  Browser required: no | Browser launched: no",
+  ];
+  if (gate.signals) {
+    Object.entries(gate.signals).forEach(function([k, s]) {
+      var suffix = "";
+      if (s.blockers > 0) suffix += " (" + s.blockers + " blocker" + (s.blockers !== 1 ? "s" : "") + ")";
+      if (s.warnings > 0) suffix += " (" + s.warnings + " warning" + (s.warnings !== 1 ? "s" : "") + ")";
+      lines.push("  " + k + ": " + s.status + suffix);
+    });
+  }
+  lines.push(
+    "  Total blockers: " + (gate.totalBlockers || 0),
+    "  Total warnings: " + (gate.totalWarnings || 0),
+    "  Next: " + (gate.safeNextAction || "Review adapter technical readiness.")
+  );
+  return lines.join("\n");
+}
+module.exports = {
+  CONTRACT,
+  SCHEMA_VERSION,
+  ARTIFACT_REL,
+  SCORE_WEIGHTS,
+  buildAdapterTechnicalReadinessGate,
+  writeAdapterTechnicalReadinessGate,
+  buildAdapterTechnicalReadinessSurface,
+  formatAdapterTechnicalReadinessText,
+  scoreSignal,
+};