bootproof 0.3.0 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +844 -152
- package/dist/agent-plan.d.ts +44 -0
- package/dist/agent-plan.js +826 -0
- package/dist/agent-run.d.ts +117 -0
- package/dist/agent-run.js +459 -0
- package/dist/ai-repair.d.ts +58 -0
- package/dist/ai-repair.js +380 -0
- package/dist/cli.js +730 -46
- package/dist/diagnosis.js +101 -16
- package/dist/diff.d.ts +29 -0
- package/dist/diff.js +569 -0
- package/dist/exec.d.ts +30 -2
- package/dist/exec.js +329 -51
- package/dist/external-health.d.ts +16 -0
- package/dist/external-health.js +214 -0
- package/dist/infer.js +238 -39
- package/dist/plan.js +2 -0
- package/dist/proof.d.ts +78 -2
- package/dist/proof.js +265 -12
- package/dist/receipt.d.ts +52 -0
- package/dist/receipt.js +356 -0
- package/dist/redact.d.ts +4 -0
- package/dist/redact.js +86 -2
- package/dist/registry.d.ts +82 -30
- package/dist/registry.js +355 -53
- package/dist/remote.js +3 -3
- package/dist/repair-playbooks.d.ts +24 -0
- package/dist/repair-playbooks.js +593 -0
- package/dist/repair-safety.d.ts +130 -0
- package/dist/repair-safety.js +766 -0
- package/dist/repair.d.ts +43 -11
- package/dist/repair.js +716 -7
- package/dist/run.d.ts +3 -0
- package/dist/run.js +218 -41
- package/dist/sbom.d.ts +22 -0
- package/dist/sbom.js +99 -0
- package/dist/taxonomy.d.ts +8 -3
- package/dist/taxonomy.js +404 -8
- package/dist/types.d.ts +40 -1
- package/docs/AGENT_IN_THE_LOOP.md +171 -0
- package/docs/AGENT_RUN_RECEIPTS.md +38 -0
- package/docs/CI_ACTION.md +67 -2
- package/docs/DETERMINISTIC_REPAIR_SAFETY_MODEL.md +705 -0
- package/docs/DISTRIBUTION.md +83 -0
- package/docs/FAILURE_TAXONOMY.md +28 -1
- package/docs/HONESTY_CONTRACT.md +34 -12
- package/docs/LAUNCH_PLAYBOOK.md +232 -0
- package/docs/REAL_WORLD_FIXTURES.md +105 -0
- package/docs/REGISTRY.md +48 -28
- package/docs/REPAIR_RECEIPT.md +54 -8
- package/docs/agent-loop-gap-analysis.md +188 -0
- package/docs/examples/registry-seeds/advertised-port-mismatch.json +28 -0
- package/docs/examples/registry-seeds/airbyte-abctl-external-orchestrator.json +36 -0
- package/docs/examples/registry-seeds/go-ollama-service.json +36 -0
- package/docs/examples/registry-seeds/laravel-vite-sqlite.json +36 -0
- package/docs/examples/registry-seeds/monorepo-ambiguous-health.json +29 -0
- package/docs/examples/registry-seeds/php-composer.json +33 -0
- package/docs/examples/registry-seeds/rails-bundler.json +32 -0
- package/docs/examples/registry-seeds/sentry-devenv-direnv.json +41 -0
- package/docs/schemas/action-verdict-v1.schema.json +64 -0
- package/docs/schemas/agent-plan-v1.schema.json +148 -0
- package/docs/schemas/agent-run-receipts-v1.schema.json +192 -0
- package/docs/schemas/ai-repair-suggestion-v1.schema.json +70 -0
- package/docs/schemas/ci-context-v1.schema.json +63 -0
- package/docs/schemas/diff-result-v1.schema.json +66 -0
- package/docs/schemas/federated-receipt-v1.schema.json +51 -0
- package/docs/schemas/registry-entry-v1.schema.json +95 -0
- package/docs/schemas/registry-seed-example-v1.schema.json +102 -0
- package/docs/schemas/repair-action-v1.schema.json +136 -0
- package/docs/schemas/repair-receipt-v1.schema.json +221 -0
- package/package.json +21 -11
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
# Agent-In-The-Loop Architecture
|
|
2
|
+
|
|
3
|
+
Works on my machine is dead.
|
|
4
|
+
|
|
5
|
+
No proof, no green check.
|
|
6
|
+
|
|
7
|
+
Predictable failure is a feature.
|
|
8
|
+
|
|
9
|
+
BootProof turns AI repo onboarding from a hallucinated shell loop into a
|
|
10
|
+
verified execution loop.
|
|
11
|
+
|
|
12
|
+
The distinction is evidence. A human or AI may suggest that a package should be
|
|
13
|
+
installed, a service started, or a command rerun. A suggestion is not proof.
|
|
14
|
+
Command completion is not proof. Planning is not proof. BootProof establishes a
|
|
15
|
+
successful result only through the verification contract, such as an observed
|
|
16
|
+
healthy HTTP response.
|
|
17
|
+
|
|
18
|
+
## The Loop
|
|
19
|
+
|
|
20
|
+
```text
|
|
21
|
+
Diagnose → Classify → Plan → Risk-Classify → Approve
|
|
22
|
+
→ Execute One Step → Verify → Receipt → Repeat
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
This is the target architecture and safety contract:
|
|
26
|
+
|
|
27
|
+
- diagnosis preserves observed evidence;
|
|
28
|
+
- classification names known failures and leaves unknown failures honest;
|
|
29
|
+
- planning proposes deterministic next actions;
|
|
30
|
+
- risk classification records mutation scope and approval requirements;
|
|
31
|
+
- approval applies to one exact local action, not a hidden chain;
|
|
32
|
+
- execution performs at most the approved step;
|
|
33
|
+
- verification observes the result before any success claim;
|
|
34
|
+
- receipts preserve the local audit trail;
|
|
35
|
+
- repetition requires a new plan or approval decision.
|
|
36
|
+
|
|
37
|
+
The complete autonomous loop is not implemented. `plan-agent` is planning-only.
|
|
38
|
+
It writes candidate actions and receipts but executes no candidate command.
|
|
39
|
+
Deterministic repair implements a narrower, human-approved loop for registered
|
|
40
|
+
failures. Unknown or blocked actions stop.
|
|
41
|
+
|
|
42
|
+
## Current Modes
|
|
43
|
+
|
|
44
|
+
### Direct Orchestration
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
bootproof up .
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
For a supported repository, BootProof constructs a deterministic local plan,
|
|
51
|
+
executes the selected path, observes health, and writes a signed attestation.
|
|
52
|
+
If the repository requires unsupported, ambiguous, or unsafe orchestration,
|
|
53
|
+
BootProof refuses and preserves the failure evidence.
|
|
54
|
+
|
|
55
|
+
`bootproof up` is zero-AI. It never treats an AI judgment as execution evidence.
|
|
56
|
+
|
|
57
|
+
### External Verification
|
|
58
|
+
|
|
59
|
+
```bash
|
|
60
|
+
bootproof verify-url http://localhost:8001/api/v1/health
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
This mode verifies a service managed outside BootProof. It records the HTTP
|
|
64
|
+
status, safe headers, response snippet, timestamp, and connection evidence.
|
|
65
|
+
A successful result is `external_service_verified`, with
|
|
66
|
+
`bootproofOrchestrated: false`.
|
|
67
|
+
|
|
68
|
+
External verification proves only that the endpoint responded according to the
|
|
69
|
+
health contract. It does not prove that BootProof started the application.
|
|
70
|
+
|
|
71
|
+
For repository-scoped evidence, use:
|
|
72
|
+
|
|
73
|
+
```bash
|
|
74
|
+
bootproof up . --external-health http://localhost:8001/api/v1/health
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
### Agent Planning
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
bootproof plan-agent .
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
Planning inspects repository evidence and existing attestations, then writes:
|
|
84
|
+
|
|
85
|
+
- `.bootproof/agent-plan.json`;
|
|
86
|
+
- a redacted receipt chain under `.bootproof/agent-runs/<run-id>/`;
|
|
87
|
+
- candidate actions with risk, mutation scope, approval, verification, and stop
|
|
88
|
+
fields.
|
|
89
|
+
|
|
90
|
+
It does not execute candidate actions. It does not claim the repository booted.
|
|
91
|
+
Use `bootproof explain-run <run-id>` to inspect the local chain.
|
|
92
|
+
|
|
93
|
+
### Deterministic Repair
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
bootproof fix
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
Deterministic repair reads a signature-valid classified failure and selects only
|
|
100
|
+
registered playbook actions. It shows the exact command or patch, mutation
|
|
101
|
+
scope, and risk. Commands and patches that require approval run only after the
|
|
102
|
+
literal response `Y`.
|
|
103
|
+
|
|
104
|
+
The repair path records declined, failed, progressed, and verified outcomes.
|
|
105
|
+
Only observed health can set the verified result.
|
|
106
|
+
|
|
107
|
+
## Airbyte Case Study
|
|
108
|
+
|
|
109
|
+
Airbyte demonstrated why BootProof needs more than a universal run command.
|
|
110
|
+
|
|
111
|
+
1. BootProof inspected the repository and refused direct orchestration.
|
|
112
|
+
2. Repository evidence showed that local Airbyte deployment required `abctl`,
|
|
113
|
+
`kind`, Helm, Kubernetes, Docker, and local authentication.
|
|
114
|
+
3. A human followed the documented Airbyte runbook and started the application
|
|
115
|
+
outside BootProof.
|
|
116
|
+
4. The resulting service exposed
|
|
117
|
+
`http://localhost:8001/api/v1/health`.
|
|
118
|
+
5. BootProof external verification observed a successful response from that
|
|
119
|
+
endpoint without claiming it ran `abctl` or started Airbyte.
|
|
120
|
+
|
|
121
|
+
This is a successful honesty outcome. BootProof withheld a false green check,
|
|
122
|
+
the manual runbook handled orchestration, and the health endpoint supplied
|
|
123
|
+
proof of the externally managed service.
|
|
124
|
+
|
|
125
|
+
**Airbyte validates the design of the loop, not full autonomous execution yet.**
|
|
126
|
+
|
|
127
|
+
BootProof currently recognizes the Airbyte runbook in planning mode. It may
|
|
128
|
+
describe `abctl local install --port 8001` as a high-risk,
|
|
129
|
+
approval-required Kubernetes action, but it does not execute Airbyte, abctl,
|
|
130
|
+
kind, Helm, Kubernetes, or credential commands through `plan-agent`.
|
|
131
|
+
|
|
132
|
+
Airbyte-style repositories are externally orchestrated. BootProof may produce a
|
|
133
|
+
local plan and may verify an already-running documented health endpoint, but it
|
|
134
|
+
must not silently create or mutate a cluster. Cluster-level actions, including
|
|
135
|
+
`abctl local install`, `kind create cluster`, and `helm install`, are high-risk
|
|
136
|
+
and require explicit approval. CI planning remains non-interactive and executes
|
|
137
|
+
none of those candidate actions.
|
|
138
|
+
|
|
139
|
+
## Open-Source Boundary
|
|
140
|
+
|
|
141
|
+
The public repository owns the local brakes and trust layer:
|
|
142
|
+
|
|
143
|
+
- local diagnosis;
|
|
144
|
+
- local planning;
|
|
145
|
+
- local receipts;
|
|
146
|
+
- local approvals;
|
|
147
|
+
- optional BYOK AI suggestions, when implemented, using the same redaction,
|
|
148
|
+
risk, approval, verification, and receipt model;
|
|
149
|
+
- no telemetry, hidden upload, or automatic receipt submission.
|
|
150
|
+
|
|
151
|
+
BYOK AI is optional and must remain outside `bootproof up`. AI output is
|
|
152
|
+
untrusted input: it may suggest, but BootProof must prove.
|
|
153
|
+
|
|
154
|
+
The local proof engine must work offline without a Cloud account.
|
|
155
|
+
|
|
156
|
+
## Cloud Boundary
|
|
157
|
+
|
|
158
|
+
BootProof Cloud is a separate private product boundary for:
|
|
159
|
+
|
|
160
|
+
- hosted AI;
|
|
161
|
+
- shared registry;
|
|
162
|
+
- team approval workflows;
|
|
163
|
+
- GitHub App;
|
|
164
|
+
- SSO/RBAC;
|
|
165
|
+
- policy;
|
|
166
|
+
- fleet dashboards;
|
|
167
|
+
- audit retention.
|
|
168
|
+
|
|
169
|
+
This public repository does not implement those capabilities. Registry or
|
|
170
|
+
evidence upload must remain explicit and opt-in; no Cloud service is required
|
|
171
|
+
for local diagnosis, planning, receipts, repair, or proof.
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# Agent Run Receipts
|
|
2
|
+
|
|
3
|
+
`bootproof plan-agent <path>` starts a local, redacted receipt chain under:
|
|
4
|
+
|
|
5
|
+
```text
|
|
6
|
+
.bootproof/agent-runs/<run-id>/
|
|
7
|
+
initial-attestation.json
|
|
8
|
+
agent-plan.json
|
|
9
|
+
actions/<timestamp>-action.json
|
|
10
|
+
verifications/<timestamp>-verification.json
|
|
11
|
+
final-summary.json
|
|
12
|
+
```
|
|
13
|
+
|
|
14
|
+
Each immutable receipt contains its own SHA-256 hash and the previous receipt
|
|
15
|
+
hash. `final-summary.json` is a replaceable derived snapshot that points to the
|
|
16
|
+
last immutable receipt; it is not itself part of the chain.
|
|
17
|
+
|
|
18
|
+
Planning records candidate actions as not executed. It does not approve or run
|
|
19
|
+
them and cannot claim success. A later repository-scoped
|
|
20
|
+
`bootproof up . --external-health <url>` appends the observed verification to
|
|
21
|
+
the latest local run. The standalone `bootproof verify-url` command keeps its
|
|
22
|
+
existing file-free behavior.
|
|
23
|
+
|
|
24
|
+
Inspect and verify a run from the repository root:
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
bootproof explain-run <run-id>
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
The explanation distinguishes planning-only, approval stops, blocked actions,
|
|
31
|
+
external health verification, and BootProof-orchestrated verification.
|
|
32
|
+
|
|
33
|
+
Receipts are local only. BootProof redacts secret-like values and local username
|
|
34
|
+
paths before hashing and writing them. It performs no upload, telemetry, or
|
|
35
|
+
registry submission.
|
|
36
|
+
|
|
37
|
+
The machine schema is
|
|
38
|
+
[`schemas/agent-run-receipts-v1.schema.json`](schemas/agent-run-receipts-v1.schema.json).
|
package/docs/CI_ACTION.md
CHANGED
|
@@ -8,7 +8,65 @@ bootproof up . --ci --json
|
|
|
8
8
|
|
|
9
9
|
Exit `0` means both `booted` and `healthVerified` are true. Every refusal or failure exits `1`.
|
|
10
10
|
|
|
11
|
-
## GitHub
|
|
11
|
+
## BootProof GitHub Action
|
|
12
|
+
|
|
13
|
+
The GitHub Action runs the same deterministic CLI interface, writes a Markdown
|
|
14
|
+
job summary, and can post or update a sticky pull request comment:
|
|
15
|
+
|
|
16
|
+
```yaml
|
|
17
|
+
name: bootproof
|
|
18
|
+
|
|
19
|
+
on:
|
|
20
|
+
pull_request:
|
|
21
|
+
|
|
22
|
+
permissions:
|
|
23
|
+
contents: read
|
|
24
|
+
pull-requests: write
|
|
25
|
+
|
|
26
|
+
jobs:
|
|
27
|
+
bootproof:
|
|
28
|
+
runs-on: ubuntu-latest
|
|
29
|
+
steps:
|
|
30
|
+
- uses: actions/checkout@v6
|
|
31
|
+
with:
|
|
32
|
+
fetch-depth: 0
|
|
33
|
+
|
|
34
|
+
- uses: bootproof/action@v1
|
|
35
|
+
with:
|
|
36
|
+
install: true
|
|
37
|
+
diff: true
|
|
38
|
+
upload-artifact: true
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
Evidence upload is explicit. `upload-artifact` defaults to `false`; setting it
|
|
42
|
+
to `true` uploads only the action's staged allowlist, including the attestation
|
|
43
|
+
when one was produced. It does not upload the whole `.bootproof/` directory.
|
|
44
|
+
|
|
45
|
+
The action can explicitly generate redacted registry or federated
|
|
46
|
+
public-candidate artifacts:
|
|
47
|
+
|
|
48
|
+
```yaml
|
|
49
|
+
- uses: bootproof/action@v1
|
|
50
|
+
with:
|
|
51
|
+
registry-export: true
|
|
52
|
+
federated-receipt: true
|
|
53
|
+
upload-artifact: true
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
Nothing is committed or uploaded to a registry. Cloud upload is not
|
|
57
|
+
implemented in this OSS action, and Cloud inputs are rejected rather than
|
|
58
|
+
silently ignored.
|
|
59
|
+
|
|
60
|
+
The action never runs `bootproof fix`, `bootproof plan-agent`, agent actions,
|
|
61
|
+
or repair commands. If `agent-plan-summary` is enabled, it only summarises an
|
|
62
|
+
existing `.bootproof/agent-plan.json`.
|
|
63
|
+
|
|
64
|
+
The action uses its bundled compiled CLI when present. Release tags without a
|
|
65
|
+
bundle install the exact `bootproof` version declared by that action release;
|
|
66
|
+
they never prefer a target repository's local `bootproof` executable. Publish
|
|
67
|
+
that npm version before creating the corresponding action tag.
|
|
68
|
+
|
|
69
|
+
## Manual GitHub Actions Example
|
|
12
70
|
|
|
13
71
|
This example records the JSON result and preserves the signed attestation even when verification fails:
|
|
14
72
|
|
|
@@ -71,6 +129,13 @@ Current attestations still say:
|
|
|
71
129
|
local_developer_signed
|
|
72
130
|
```
|
|
73
131
|
|
|
74
|
-
They are signed evidence generated on a CI runner
|
|
132
|
+
They are signed evidence generated on a CI runner. By default they are `local_developer_signed` (signed with the runner's local ed25519 key). To upgrade to `ci_oidc_signed`, set the `ci-oidc` input to `true` and grant `permissions: id-token: write` on the workflow — BootProof will fetch the runner's OIDC token and embed the claims in the attestation trust block.
|
|
75
133
|
|
|
76
134
|
BootProof does not silently push commits or upload evidence. The workflow owner chooses whether to retain artifacts or commit `.bootproof/`.
|
|
135
|
+
|
|
136
|
+
The action records GitHub workflow context as unsigned provenance metadata. When `ci-oidc: true` is set, it also requests an OIDC token and emits `ci_oidc_signed` attestations with embedded workload-identity claims.
|
|
137
|
+
|
|
138
|
+
The action-owned machine artifacts use strict schemas:
|
|
139
|
+
|
|
140
|
+
- [`schemas/action-verdict-v1.schema.json`](schemas/action-verdict-v1.schema.json)
|
|
141
|
+
- [`schemas/ci-context-v1.schema.json`](schemas/ci-context-v1.schema.json)
|