brainclaw 1.8.0 → 1.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (178) hide show
  1. package/README.md +592 -505
  2. package/dist/brainclaw-vscode.vsix +0 -0
  3. package/dist/cli.js +138 -13
  4. package/dist/commands/add-step.js +1 -1
  5. package/dist/commands/bootstrap.js +2 -26
  6. package/dist/commands/check-security-mcp.js +50 -33
  7. package/dist/commands/check-security.js +86 -43
  8. package/dist/commands/claim.js +22 -21
  9. package/dist/commands/confirm.js +26 -0
  10. package/dist/commands/context-diff.js +1 -1
  11. package/dist/commands/dispatch-watch.js +142 -0
  12. package/dist/commands/doctor.js +113 -2
  13. package/dist/commands/estimation-report.js +115 -16
  14. package/dist/commands/harvest.js +286 -23
  15. package/dist/commands/hooks.js +73 -73
  16. package/dist/commands/init.js +124 -22
  17. package/dist/commands/install-hooks.js +78 -78
  18. package/dist/commands/loops-handlers.js +4 -0
  19. package/dist/commands/mcp-read-handlers.js +253 -41
  20. package/dist/commands/mcp.js +664 -102
  21. package/dist/commands/memory.js +21 -17
  22. package/dist/commands/migrate.js +81 -17
  23. package/dist/commands/prune.js +78 -4
  24. package/dist/commands/reflect.js +26 -20
  25. package/dist/commands/register-agent.js +57 -1
  26. package/dist/commands/repair.js +20 -0
  27. package/dist/commands/session-end.js +15 -6
  28. package/dist/commands/session-start.js +18 -1
  29. package/dist/commands/setup-security.js +39 -18
  30. package/dist/commands/setup.js +26 -27
  31. package/dist/commands/stale.js +16 -2
  32. package/dist/commands/switch.js +26 -5
  33. package/dist/commands/uninstall.js +126 -34
  34. package/dist/commands/update-step.js +6 -0
  35. package/dist/commands/version.js +1 -1
  36. package/dist/commands/worktree.js +60 -0
  37. package/dist/core/actions.js +12 -3
  38. package/dist/core/agent-capability.js +30 -17
  39. package/dist/core/agent-files.js +963 -666
  40. package/dist/core/agent-integrations.js +0 -3
  41. package/dist/core/agent-inventory.js +67 -0
  42. package/dist/core/agent-registry.js +163 -29
  43. package/dist/core/agentrun-reconciler.js +33 -2
  44. package/dist/core/agentruns.js +7 -1
  45. package/dist/core/ai-agent-detection.js +31 -44
  46. package/dist/core/archival.js +15 -9
  47. package/dist/core/assignment-reconciler.js +56 -0
  48. package/dist/core/assignment-sweeper.js +127 -4
  49. package/dist/core/assignments.js +69 -11
  50. package/dist/core/bootstrap.js +233 -67
  51. package/dist/core/brainclaw-version.js +22 -0
  52. package/dist/core/candidates.js +21 -1
  53. package/dist/core/claims.js +313 -150
  54. package/dist/core/codev-prompts.js +38 -38
  55. package/dist/core/config.js +6 -1
  56. package/dist/core/context-diff.js +148 -20
  57. package/dist/core/context.js +129 -8
  58. package/dist/core/coordination.js +22 -3
  59. package/dist/core/default-profiles/doctor.yaml +11 -11
  60. package/dist/core/default-profiles/janitor.yaml +11 -11
  61. package/dist/core/default-profiles/onboarder.yaml +11 -11
  62. package/dist/core/default-profiles/reviewer.yaml +13 -13
  63. package/dist/core/dispatch-status.js +79 -5
  64. package/dist/core/dispatcher.js +65 -12
  65. package/dist/core/entity-operations.js +74 -27
  66. package/dist/core/entity-registry.js +31 -5
  67. package/dist/core/event-log.js +138 -21
  68. package/dist/core/events/checkpoint.js +258 -0
  69. package/dist/core/events/genesis.js +220 -0
  70. package/dist/core/events/journal.js +507 -0
  71. package/dist/core/events/materialize.js +126 -0
  72. package/dist/core/events/registry-post-image.js +110 -0
  73. package/dist/core/events/verify.js +109 -0
  74. package/dist/core/execution-adapters.js +23 -0
  75. package/dist/core/execution.js +1 -1
  76. package/dist/core/facade-schema.js +38 -0
  77. package/dist/core/gc-semantic.js +130 -5
  78. package/dist/core/handoff-snapshot.js +68 -0
  79. package/dist/core/ids.js +19 -8
  80. package/dist/core/instruction-templates.js +34 -115
  81. package/dist/core/io.js +39 -3
  82. package/dist/core/json-store.js +10 -1
  83. package/dist/core/lock.js +153 -28
  84. package/dist/core/loops/bootstrap-acquire.js +25 -1
  85. package/dist/core/loops/facade-schema.js +2 -0
  86. package/dist/core/loops/hooks/survey-signals-baseline.js +36 -0
  87. package/dist/core/loops/index.js +1 -0
  88. package/dist/core/loops/presets/bootstrap.js +7 -0
  89. package/dist/core/loops/store.js +17 -0
  90. package/dist/core/loops/verbs.js +24 -2
  91. package/dist/core/markdown.js +8 -76
  92. package/dist/core/mcp-command-resolution.js +245 -0
  93. package/dist/core/memory-compactor.js +5 -3
  94. package/dist/core/memory-lifecycle.js +282 -0
  95. package/dist/core/merge-risk.js +150 -0
  96. package/dist/core/messaging.js +10 -3
  97. package/dist/core/migration.js +11 -1
  98. package/dist/core/observer-mode.js +26 -0
  99. package/dist/core/operations/memory-mutation.js +90 -65
  100. package/dist/core/operations/plan.js +27 -1
  101. package/dist/core/protocol-skills.js +210 -0
  102. package/dist/core/reflection-safety.js +6 -7
  103. package/dist/core/reputation.js +84 -2
  104. package/dist/core/runtime-signals.js +72 -10
  105. package/dist/core/runtime.js +84 -1
  106. package/dist/core/schema.js +114 -0
  107. package/dist/core/search.js +19 -2
  108. package/dist/core/security-detectors.js +125 -0
  109. package/dist/core/security-extract.js +189 -0
  110. package/dist/core/security-guard.js +217 -139
  111. package/dist/core/security-packages.js +121 -0
  112. package/dist/core/security-scoring.js +76 -9
  113. package/dist/core/security.js +34 -2
  114. package/dist/core/sequence.js +11 -2
  115. package/dist/core/setup-flow.js +141 -13
  116. package/dist/core/spawn-check.js +16 -2
  117. package/dist/core/staleness.js +73 -2
  118. package/dist/core/state.js +250 -54
  119. package/dist/core/store-resolution.js +45 -12
  120. package/dist/core/worktree.js +90 -26
  121. package/dist/facts.js +8 -8
  122. package/dist/facts.json +7 -7
  123. package/docs/PROTOCOL.md +223 -0
  124. package/docs/adapters/openclaw.md +43 -43
  125. package/docs/architecture/project-refs.md +328 -328
  126. package/docs/cli.md +2097 -2096
  127. package/docs/concepts/coordination.md +52 -52
  128. package/docs/concepts/coordinator-runbook.md +129 -0
  129. package/docs/concepts/dispatch-lifecycle.md +245 -245
  130. package/docs/concepts/event-log-store.md +928 -0
  131. package/docs/concepts/ideation-loop.md +317 -317
  132. package/docs/concepts/loop-engine.md +520 -511
  133. package/docs/concepts/mcp-governance.md +268 -268
  134. package/docs/concepts/memory.md +89 -88
  135. package/docs/concepts/multi-agent-workflows.md +167 -167
  136. package/docs/concepts/observer-protocol.md +361 -0
  137. package/docs/concepts/parallel-merge-protocol.md +71 -0
  138. package/docs/concepts/plans-and-claims.md +217 -174
  139. package/docs/concepts/project-md-convention.md +35 -35
  140. package/docs/concepts/runtime-notes.md +38 -38
  141. package/docs/concepts/skills.md +78 -0
  142. package/docs/concepts/troubleshooting.md +254 -254
  143. package/docs/concepts/workspace-bootstrapping.md +142 -81
  144. package/docs/context-format-changelog.md +35 -35
  145. package/docs/context-format.md +48 -48
  146. package/docs/index.md +65 -65
  147. package/docs/integrations/agents.md +162 -162
  148. package/docs/integrations/claude-code.md +23 -23
  149. package/docs/integrations/cline.md +87 -88
  150. package/docs/integrations/codex.md +2 -2
  151. package/docs/integrations/continue.md +60 -60
  152. package/docs/integrations/copilot.md +82 -80
  153. package/docs/integrations/cursor.md +23 -23
  154. package/docs/integrations/kilocode.md +72 -72
  155. package/docs/integrations/mcp.md +377 -377
  156. package/docs/integrations/mistral-vibe.md +122 -122
  157. package/docs/integrations/openclaw.md +99 -98
  158. package/docs/integrations/opencode.md +84 -84
  159. package/docs/integrations/overview.md +122 -122
  160. package/docs/integrations/roo.md +74 -74
  161. package/docs/integrations/windsurf.md +83 -83
  162. package/docs/mcp-schema-changelog.md +360 -329
  163. package/docs/playbooks/integration/index.md +121 -121
  164. package/docs/playbooks/orchestration.md +37 -0
  165. package/docs/playbooks/productivity/index.md +99 -99
  166. package/docs/playbooks/team/index.md +117 -117
  167. package/docs/product/agent-first-model.md +184 -184
  168. package/docs/product/entity-model-audit.md +462 -462
  169. package/docs/product/positioning.md +86 -86
  170. package/docs/quickstart-existing-project.md +107 -107
  171. package/docs/quickstart.md +148 -147
  172. package/docs/release-maintenance.md +79 -79
  173. package/docs/reputation.md +52 -52
  174. package/docs/review.md +45 -45
  175. package/docs/security.md +212 -53
  176. package/docs/server-operations.md +118 -118
  177. package/docs/storage.md +110 -108
  178. package/package.json +86 -69
@@ -1,462 +1,462 @@
1
- # Entity model audit — pre-v1.0 strategic reflection
2
-
3
- Captured 2026-04-18 during a second round of strategic review before
4
- the MCP grammar Phase 3 refactor. This document complements
5
- `docs/product/agent-first-model.md` (which defines the two-layer
6
- product model) and should be read before any entity-shape or API-verb
7
- decision.
8
-
9
- ## Context
10
-
11
- brainclaw has grown organically over months and some older concepts
12
- deserve challenge before the public launch:
13
-
14
- - The MCP surface has 70 tools, 26 dedicated to CRUD variants per
15
- entity type.
16
- - Some lifecycles (candidate review queue) are rarely used as designed.
17
- - Some entities overlap in role (runtime_note vs decision-candidate,
18
- capability vs tool).
19
- - The upcoming API grammar refactor (Phase 3 in the broader plan)
20
- will bake current entity shapes into permanent verbs. Cleaning the
21
- model first avoids fossilising bad decisions.
22
-
23
- Since brainclaw is not yet publicly distributed, backward compatibility
24
- is not a blocker — the priority is internal coherence at v1.0 launch.
25
-
26
- ## Design principles that emerged
27
-
28
- ### P1 — Engine delivers value, cockpit sells adoption
29
- See `agent-first-model.md`. Every engine feature should emit
30
- machine-readable signals the cockpit can consume. Human visibility is
31
- a critical adoption gate at enterprise scale, not optional.
32
-
33
- ### P2 — Three review modes must coexist without penalty
34
- brainclaw must support three review intensities and let the agent
35
- choose consciously:
36
-
37
- | Mode | When | Cost | Entry point today |
38
- |---|---|---|---|
39
- | Self-review inline | Solo default path (~70% of sessions) | Few LLM cycles | No brainclaw tool, agent self-checks |
40
- | Dispatch-review | When a second opinion is worth a round-trip | One inbox message + reply | `bclaw_dispatch_review(openLoop: false)` |
41
- | Review loop | Quality bar high, multi-round likely, structured feedback needed | Multiple rounds, multi-slot | `bclaw_dispatch_review(openLoop: true)` or `bclaw_loop(intent='open', kind='review')` |
42
-
43
- The simpler modes must not pay a tax because the heavier mode exists.
44
- Primitives like session, claim, handoff, inbox must all work fully
45
- without loops.
46
-
47
- ### P3 — Loops are opt-in enhancement, not default path
48
- Loops (review, ideation, debug, research) are structured, multi-agent,
49
- expensive. In the majority of sessions agents work directly without
50
- them. Every primitive must be fully usable without a loop; loops are
51
- invoked when the complexity justifies the cost.
52
-
53
- ### P4 — Teams cross-machine is a first-class scenario
54
- brainclaw supports three modes of work without compromise:
55
-
56
- - **Solo agent** — local, no coordination, fast.
57
- - **Solo dev + external reviewer** — dispatch-review or review_loop.
58
- - **Teams cross-machine** — federation push/pull, inbox cross-project,
59
- handoff as the artifact for resuming on another machine.
60
-
61
- Team primitives (federation, cross-project inbox, handoff) must stay
62
- load-bearing; simplifications cannot break them.
63
-
64
- ## Entity-by-entity verdicts
65
-
66
- ### ✅ Keep as-is
67
-
68
- - **Plan / Step / Sequence** — the three-tier hierarchy is
69
- semantically distinct and useful for precise agent communication.
70
- - Plan: a work item with a goal, text, priority, status, tags,
71
- dependencies, steps.
72
- - Step: sub-element of a plan; inherits lifecycle from its parent
73
- but has its own status.
74
- - Sequence: coordinates execution across plans/steps by defining
75
- parallelizable lanes with hard/soft dependencies between items.
76
- The distinction was confirmed as valuable by the operator.
77
-
78
- - **Decision / Constraint / Trap (trichotomy)** — each carries
79
- distinct semantics that earn their keep:
80
- - **Decision**: anchors a strategic choice (e.g., "chose
81
- PostgreSQL", "use X testing framework"). Retrospective reference.
82
- - **Constraint**: imposes a process or rule that must be followed
83
- (e.g., "minimize core dependencies", "all APIs must be REST",
84
- "never init --force"). Strongest concept; drives hook injection
85
- to remind agents of the process.
86
- - **Trap**: environmental or process pitfall to avoid (e.g., "git
87
- merge wipes node_modules", "sandbox X blocks MCP writes"). May
88
- trigger a corrective plan when resolvable.
89
- All three drive different agent behaviours (decisions = retrieve for
90
- context, constraints = enforce, traps = warn + resolve).
91
-
92
- - **Claim** — file-level advisory lock, scope boundary, worktree
93
- attachment point. Clear lifecycle (active → released/expired).
94
-
95
- - **Session** — execution envelope, links work to an agent identity.
96
-
97
- - **Assignment / AgentRun** — runtime tracking of dispatched work.
98
- Distinction is technical (assignment = the ask, run = the execution)
99
- but useful for observability; the agent does not need to interact
100
- with them directly.
101
-
102
- ### 🔴 Remove
103
-
104
- - **Candidate lifecycle** — the "create candidate → accept/reject →
105
- promote to decision/constraint/trap/handoff" workflow is badly used
106
- in practice. Very few candidates in the current store have been
107
- processed; most are auto-generated and ignored. The review queue
108
- concept duplicates what the Loop engine now provides better via
109
- `review_loop`.
110
-
111
- **After removal:**
112
- - `bclaw_create_candidate`, `bclaw_list_candidates`, `bclaw_accept`,
113
- `bclaw_reject`, `bclaw_harvest_candidates` disappear from the
114
- surface.
115
- - Auto-reflection at session_end writes directly to decision /
116
- constraint / trap / handoff with a `source: 'auto'` field and a
117
- `confidence` score. Agents or humans filter low-confidence auto
118
- items via `bclaw_find(source: 'auto', confidence_gte: 0.8)`.
119
- - Intentional batch review moves to `review_loop` (open a loop
120
- whose change_summary points to the memory items under review).
121
- - Cross-project signals arrive directly in `inbox/cross-project/`
122
- (already the pattern for other signals).
123
-
124
- ### ⚠️ Downscale
125
-
126
- - **Handoff** — keep as a session-end auto-artifact, strip the
127
- review sub-flow.
128
-
129
- **Keep:**
130
- - Automatic generation at `bclaw_session_end` with commits, files
131
- touched, narrative, pre/post conditions, linked plans.
132
- - Read-only access via `bclaw_get(entity='handoff', id)` for context
133
- resumption on the same or another machine.
134
- - Federation push/pull across linked projects (critical for teams;
135
- without this teammate B's agent loses teammate A's session story).
136
- - Optional linking to a `review_loop` when a structured review is
137
- dispatched via `bclaw_dispatch_review(openLoop: true)`.
138
-
139
- **Drop:**
140
- - The `review` sub-object on the handoff entity (requester,
141
- reviewer, thread_id, requested_at, review_message_id). Never
142
- used as designed.
143
- - Active `update_handoff` for mid-life edits. Only the narrative
144
- override at session_end stays (single write at creation).
145
-
146
- **Rationale:** handoffs are a *passive artefact* of the default
147
- path, not a coordination surface. Review happens via dispatch-review
148
- or review_loop, not via mutating a handoff.
149
-
150
- ### 🟡 Examine further during implementation
151
-
152
- - **RuntimeNote** — if auto-reflect + direct memory writes land,
153
- runtime_note becomes redundant with low-confidence decision/trap
154
- candidates. Consider removing. Keep for this audit, revisit during
155
- Phase 3 implementation.
156
-
157
- - **Instruction layers** (global / project / agent) — functionally
158
- similar to constraints with different scopes. Could merge into a
159
- unified `memory` entity with a `scope` field. Not urgent; valid to
160
- keep distinct for now since instructions have lifecycle triggers
161
- (`trigger:post-claim`, `trigger:pre-session-end`) that constraints
162
- do not.
163
-
164
- - **Capability vs Tool** — two registries under `.brainclaw/memory/`
165
- with a thin distinction (capability = what the project can do, tool
166
- = what the project uses). Good candidate for merger under a
167
- `resource` entity with a `kind` field. Low priority.
168
-
169
- ## Phase 3 grammar outline (post-audit)
170
-
171
- ### Canonical verbs (6)
172
-
173
- ```
174
- bclaw_find(entity, filters, limit, offset) — query many
175
- bclaw_get(entity, id | short_label) — fetch one
176
- bclaw_create(entity, data) — new item, returns id
177
- bclaw_update(entity, id, patch) — partial merge
178
- bclaw_remove(entity, id, purge?) — archive (default) or hard delete
179
- bclaw_transition(entity, id, to, reason?) — state machine transitions with side effects
180
- ```
181
-
182
- ### Workflow intents that stay distinct
183
-
184
- ```
185
- bclaw_work(intent) — session + claim + context facade
186
- bclaw_coordinate(intent) — multi-agent coordination
187
- bclaw_loop(intent) — loop lifecycle
188
- bclaw_dispatch(intent) — dispatch analysis + execution + review (unified from 3 tools)
189
- bclaw_quick_capture(text) — NL → typed memory
190
- bclaw_bootstrap, bclaw_setup, bclaw_switch, bclaw_compact
191
- bclaw_context(kind) — unified from get_context, get_execution_context, get_discovery, get_agent_board, get_agent_board_summary
192
- bclaw_audit(mode) — chronological or governance report
193
- bclaw_doctor, bclaw_check_policy, bclaw_check_security
194
- bclaw_history, bclaw_estimation_report, bclaw_release_notes
195
- ```
196
-
197
- ### Approximate surface size
198
-
199
- From 70 tools to ~20. Each verb is memorable, schema-discoverable, and
200
- has a clear semantic.
201
-
202
- ### EntityRegistry as single source of truth
203
-
204
- A new `src/core/entity-registry.ts` module holds:
205
-
206
- - Short-label prefix per entity (plan → `pln`, claim → `clm`, …)
207
- - Updatable fields per entity (Zod schema — what `update` can touch)
208
- - Valid status transitions per entity (state machine definition)
209
- - Side effects per transition (hardcoded for MVP, configurable later)
210
-
211
- `bclaw_update` and `bclaw_transition` both consult this registry. A
212
- grammar-consistency test suite verifies every entity has a complete
213
- schema declaration.
214
-
215
- ### Transition logging — three destinations
216
-
217
- | Destination | For whom | Why |
218
- |---|---|---|
219
- | `audit.log` | Forensics, compliance, governance | Authoritative chronological record |
220
- | `events.jsonl` (already exists) | Reactive agents + cockpit live feed | Low-level event stream |
221
- | `bclaw_activity` (new derived tool) | Humans, coordinator agents | Narrative digest, aggregated by entity/agent/session |
222
-
223
- The cockpit (human-visibility layer) is built by consuming these
224
- signals. Engine features emit; cockpit aggregates.
225
-
226
- ## Open questions for external validation
227
-
228
- Before committing to implementation, we are consulting external
229
- perspectives (codex, another claude-code instance, github-copilot) to
230
- pressure-test these decisions. The four questions:
231
-
232
- **Q0 — Teams cross-machine completeness.** Our current primitives
233
- (handoff federation, inbox cross-project, claims local, runtime_note
234
- federation) — do they cover common team cases (2–5 devs on different
235
- machines, shared monorepo, distributed reviewers)? Is there an obvious
236
- missing pattern?
237
-
238
- **Q1 — Handoff simplification safety.** After stripping the review
239
- sub-flow and keeping the handoff as a passive session-end artefact
240
- (with federation + read-only + optional review_loop link), is there
241
- any agent-facing use case this simplification breaks that we haven't
242
- seen?
243
-
244
- **Q2 — Transition side effects hardcoded vs configurable.** For MVP we
245
- plan to hardcode side effects of transitions (close claims on
246
- plan.status=done, promote candidate on accept, etc.) in the
247
- `bclaw_transition` handler rather than declaring them in the
248
- EntityRegistry. Is this the right tradeoff for now, or does the
249
- configurable approach pay for itself early?
250
-
251
- **Q3 — Version strategy pre-public.** Given we are pre-public with no
252
- external integrators, should we:
253
- - (a) bump v0.8 → v1.0 directly with the cleaned grammar, accepting
254
- the internal breaking change in one go; or
255
- - (b) go v0.8 → v0.9 (add new verbs, deprecate legacy) → v1.0 (remove
256
- legacy), using two internal releases as buffer?
257
-
258
- Option (a) is cleaner but less battle-tested before public launch;
259
- (b) is slower but lets us dogfood the new grammar before removing the
260
- old.
261
-
262
- ## §6 — Patches integrated post-consult
263
-
264
- Three external reviewers (codex, a second claude-code instance,
265
- github-copilot) returned verdict `proceed_with_patches` on the audit.
266
- Their convergent recommendations are integrated below. Each patch is
267
- load-bearing for Phase 3 and must land either before or during the
268
- grammar refactor.
269
-
270
- ### P6.1 — Tombstone pattern for handoff corrections
271
-
272
- **What.** Handoffs stay immutable session-end artefacts. Post-session
273
- corrections (a teammate spotted a mistake, a follow-up clarified
274
- something) do not mutate the original handoff — they create a *new
275
- correction handoff* that carries a `superseded_by` pointer back to the
276
- original.
277
-
278
- **Why.** Preserves the "passive artefact" property while keeping an
279
- audit trail of who revised what. Federation remains safe (each record
280
- is whole, no partial merges).
281
-
282
- **How to apply.** Reject all `bclaw_update(entity='handoff', …)`
283
- outside the narrative override at creation. Expose instead a
284
- `bclaw_correct_handoff(original_id, correction_data)` helper that
285
- writes a new handoff and patches `original.superseded_by`.
286
-
287
- ### P6.2 — Declarative transition matrix + imperative side effects
288
-
289
- **What.** Valid status transitions per entity live in the
290
- EntityRegistry as a declarative matrix (`{ from: [to1, to2] }`). Side
291
- effects (close linked claims, write audit entry, emit event) stay
292
- imperative in `bclaw_transition` for MVP.
293
-
294
- **Why.** Hybrid lets us test the declarative matrix (grammar
295
- consistency tests, static analysis) without over-engineering a rules
296
- engine we do not need yet. Migration to declarative side effects later
297
- is a drop-in without breaking callers.
298
-
299
- **How to apply.** `EntityRegistry[entity].transitions` is the
300
- authoritative matrix; `bclaw_transition` rejects moves not in the
301
- matrix, then runs a hardcoded side-effect dispatch per (entity, to)
302
- pair.
303
-
304
- ### P6.3 — Provenance as a typed discriminated union
305
-
306
- **What.** Replace the single `source: 'auto' | 'user' | …` string with
307
- a typed discriminated union:
308
-
309
- ```ts
310
- type Provenance =
311
- | { kind: 'agent'; agent_id: string; session_id: string }
312
- | { kind: 'auto_reflect'; source_session: string; confidence: number }
313
- | { kind: 'user'; author: string }
314
- | { kind: 'loop_artifact'; loop_id: string; slot: string; turn: number }
315
- | { kind: 'federation'; source_project: string; remote_id: string }
316
- | { kind: 'correction'; supersedes: string }
317
- | { kind: 'legacy' };
318
- ```
319
-
320
- **Why.** Each origin has different downstream implications (retention,
321
- confidence, federation behavior, audit narrative). A single string
322
- field cannot carry the metadata cleanly; a union keeps type-safety and
323
- makes queries like `bclaw_find(provenance.kind='auto_reflect',
324
- confidence_gte:0.8)` natural.
325
-
326
- **How to apply.** Add `provenance` field to
327
- decision/constraint/trap/handoff/runtime_note schemas. On v1.0
328
- migration, existing records receive `{ kind: 'legacy' }`. Default
329
- filter on memory reads: exclude `legacy` + auto below threshold,
330
- configurable via the query.
331
-
332
- ### P6.4 — Delta context via bclaw_context(kind='delta')
333
-
334
- **What.** `bclaw_context` currently returns full state every call. Add
335
- a `kind: 'delta', since: <handoff_id | timestamp | event_seq>`
336
- parameter that returns only what changed since the reference point.
337
-
338
- **Why.** At scale (long sessions, cross-agent resumption, federation
339
- sync) returning full state is a token tax. Resumption needs the delta,
340
- not the world.
341
-
342
- **How to apply.** Implement as a filter over the events.jsonl stream +
343
- a diff against the referenced snapshot. Falls back to full context if
344
- the reference point is too old (compacted out).
345
-
346
- ### P6.5 — MCP schema version strategy: 0.6 → 0.7 → 0.8 → 1.0
347
-
348
- **What.** The MCP schema version (`SCHEMA_VERSION` in
349
- `src/commands/mcp.ts`, currently `0.6.0`) is distinct from the app
350
- version (`package.json`, currently `0.62.0`). Progression:
351
-
352
- | Step | MCP schema | App version | Scope |
353
- |---|---|---|---|
354
- | Now | 0.6.0 | 0.62.x | baseline |
355
- | Patches | 0.7.0 | 0.63.x | P6.1–P6.4 + provenance rollout |
356
- | Migration | 0.8.0 | 0.64.x | `brainclaw migrate` + candidate archive |
357
- | Phase 3 | 1.0.0 | 1.0.0 | canonical 6 verbs + legacy removal |
358
-
359
- **Why.** App version tracks code changes; schema version tracks the
360
- contract MCP clients bind to. Agents that cache tool catalogs need to
361
- know when verbs changed shape.
362
-
363
- **How to apply.** Bump `SCHEMA_VERSION` at each step. Tool catalog
364
- response always includes schema_version so clients can invalidate.
365
-
366
- ### P6.6 — Pending candidates archived on migration
367
-
368
- **What.** On v1.0 migration, existing candidates are not promoted or
369
- rejected — they are archived to `.brainclaw/archive/candidates/` with a
370
- manifest listing their original paths. The runtime stops reading them.
371
-
372
- **Why.** No information loss (archive stays on disk for later
373
- inspection), no forced triage on the operator, clean cutover.
374
-
375
- **How to apply.** `brainclaw migrate --to-schema=1.0` copies
376
- `.brainclaw/memory/candidates/` to `.brainclaw/archive/candidates/<date>/`,
377
- writes an index, removes the live directory.
378
-
379
- ### P6.7 — Schema migration as a hard pre-Phase-3 step
380
-
381
- **What.** Do not start Phase 3 (the grammar refactor) until
382
- `brainclaw migrate` command exists and has been dogfooded on both live
383
- installations (this machine + the monorepo test server).
384
-
385
- **Why.** Phase 3 ships the canonical grammar. Existing stores must
386
- upgrade cleanly to v1.0 schema before any tool rewrites remove the
387
- legacy paths. Migration first = safety net; grammar refactor second =
388
- execute with confidence.
389
-
390
- **How to apply.** Migration plan (`feat/v1-schema-migration`, see §7)
391
- is a hard blocker on the Phase 3 plan (`feat/phase-3-canonical-grammar`).
392
-
393
- ### P6.8 — Keep runtime_note / instruction / capability/tool distinct
394
-
395
- **What.** Reviewers recommended leaving runtime_note, instruction
396
- layers, and capability/tool as distinct entities for v1.0. They were
397
- flagged as "examine further" in §5 — verdict is *keep as-is*.
398
-
399
- **Why.** Instructions carry lifecycle triggers (`post-claim`,
400
- `pre-session-end`) that constraints do not. Capability vs tool has a
401
- semantic distinction (what the project *can do* vs what it *uses*)
402
- that matters for discoverability. Runtime notes remain a natural
403
- slot for low-confidence, scoped observations that do not yet deserve
404
- promotion to decision/trap. Premature merger would lose information.
405
-
406
- **How to apply.** No change for v1.0. Flag for a dedicated audit pass
407
- post-v1.0 once usage data confirms or contradicts the distinctions.
408
-
409
- ## §7 — Consolidated Phase 3 checklist
410
-
411
- Hard prerequisite before any item below: **`feat/v1-schema-migration`
412
- plan must be executed and dogfooded** (see P6.7).
413
-
414
- Phase 3 itself is sliced into nine sub-items; each is independently
415
- mergeable behind a feature flag or catalog filter:
416
-
417
- - **3a — EntityRegistry core.** New `src/core/entity-registry.ts`:
418
- short-label prefixes, updatable-field Zod schemas, transition
419
- matrices, side-effect map. Grammar consistency tests.
420
- - **3b — Six canonical CRUD verbs.** Implement `bclaw_find`,
421
- `bclaw_get`, `bclaw_create`, `bclaw_update`, `bclaw_remove`,
422
- `bclaw_transition` consuming EntityRegistry. Behind `catalog: "all"`
423
- filter first, public in `catalog: "default"` at v1.0.
424
- - **3c — `bclaw_context(kind)` unified.** Consolidates
425
- `bclaw_get_context`, `bclaw_get_execution_context`,
426
- `bclaw_get_agent_board`, `bclaw_get_agent_board_summary` under one
427
- intent with a `kind` discriminator. Includes `kind='delta'` from
428
- P6.4.
429
- - **3d — `bclaw_dispatch(intent)` unified.** Consolidates
430
- `bclaw_dispatch_analysis`, `bclaw_dispatch_review`, and the raw
431
- `bclaw_dispatch`. Review sub-intent carries `openLoop` flag for the
432
- review_loop escalation path.
433
- - **3e — Handoff downscale.** Strip the review sub-object, remove
434
- `bclaw_update_handoff`, expose `bclaw_correct_handoff` for tombstone
435
- corrections (P6.1). Federation push/pull preserved end-to-end.
436
- - **3f — Provenance rollout.** Apply discriminated-union provenance
437
- (P6.3) to decision/constraint/trap/handoff/runtime_note. Default
438
- memory reads filter on confidence + non-legacy.
439
- - **3g — Legacy deprecation warnings.** Keep old tool names in
440
- `catalog: "all"` with `LEGACY_MCP_TOOL_WARNINGS` entries pointing to
441
- the new verb. Warnings fire server-side on every call during 0.9.x.
442
- - **3h — Docs sync.** Update `docs/integrations/mcp.md`,
443
- `CLAUDE.md`, release notes, and agent profile exports. Canonical
444
- grammar example galleries.
445
- - **3i — Legacy removal + v1.0 cut.** Remove deprecated tool names
446
- from the MCP surface entirely. Bump schema to 1.0.0 and app to
447
- 1.0.0. Public launch candidate.
448
-
449
- Slices 3a–3b are the architecture core; 3c–3e are the intent
450
- consolidations; 3f is cross-cutting; 3g–3i are the soft→hard cutover.
451
-
452
- ## Sources
453
-
454
- - `docs/product/agent-first-model.md` — engine/cockpit two-layer model
455
- - `docs/concepts/loop-engine.md` — v8 RFC for the loop primitive
456
- - Session transcript 2026-04-18 (strategic round 2) — post-consult
457
- integration pass
458
- - Memory decisions `cnd#587` (product model) and `cnd#588` (loop
459
- protocols roadmap)
460
- - External consult verdicts 2026-04-18 (codex / claude-code /
461
- github-copilot) — all `proceed_with_patches`, patches integrated in
462
- §6
1
+ # Entity model audit — pre-v1.0 strategic reflection
2
+
3
+ Captured 2026-04-18 during a second round of strategic review before
4
+ the MCP grammar Phase 3 refactor. This document complements
5
+ `docs/product/agent-first-model.md` (which defines the two-layer
6
+ product model) and should be read before any entity-shape or API-verb
7
+ decision.
8
+
9
+ ## Context
10
+
11
+ brainclaw has grown organically over months and some older concepts
12
+ deserve challenge before the public launch:
13
+
14
+ - The MCP surface has 70 tools, 26 dedicated to CRUD variants per
15
+ entity type.
16
+ - Some lifecycles (candidate review queue) are rarely used as designed.
17
+ - Some entities overlap in role (runtime_note vs decision-candidate,
18
+ capability vs tool).
19
+ - The upcoming API grammar refactor (Phase 3 in the broader plan)
20
+ will bake current entity shapes into permanent verbs. Cleaning the
21
+ model first avoids fossilising bad decisions.
22
+
23
+ Since brainclaw is not yet publicly distributed, backward compatibility
24
+ is not a blocker — the priority is internal coherence at v1.0 launch.
25
+
26
+ ## Design principles that emerged
27
+
28
+ ### P1 — Engine delivers value, cockpit sells adoption
29
+ See `agent-first-model.md`. Every engine feature should emit
30
+ machine-readable signals the cockpit can consume. Human visibility is
31
+ a critical adoption gate at enterprise scale, not optional.
32
+
33
+ ### P2 — Three review modes must coexist without penalty
34
+ brainclaw must support three review intensities and let the agent
35
+ choose consciously:
36
+
37
+ | Mode | When | Cost | Entry point today |
38
+ |---|---|---|---|
39
+ | Self-review inline | Solo default path (~70% of sessions) | Few LLM cycles | No brainclaw tool, agent self-checks |
40
+ | Dispatch-review | When a second opinion is worth a round-trip | One inbox message + reply | `bclaw_dispatch_review(openLoop: false)` |
41
+ | Review loop | Quality bar high, multi-round likely, structured feedback needed | Multiple rounds, multi-slot | `bclaw_dispatch_review(openLoop: true)` or `bclaw_loop(intent='open', kind='review')` |
42
+
43
+ The simpler modes must not pay a tax because the heavier mode exists.
44
+ Primitives like session, claim, handoff, inbox must all work fully
45
+ without loops.
46
+
47
+ ### P3 — Loops are opt-in enhancement, not default path
48
+ Loops (review, ideation, debug, research) are structured, multi-agent,
49
+ expensive. In the majority of sessions agents work directly without
50
+ them. Every primitive must be fully usable without a loop; loops are
51
+ invoked when the complexity justifies the cost.
52
+
53
+ ### P4 — Teams cross-machine is a first-class scenario
54
+ brainclaw supports three modes of work without compromise:
55
+
56
+ - **Solo agent** — local, no coordination, fast.
57
+ - **Solo dev + external reviewer** — dispatch-review or review_loop.
58
+ - **Teams cross-machine** — federation push/pull, inbox cross-project,
59
+ handoff as the artifact for resuming on another machine.
60
+
61
+ Team primitives (federation, cross-project inbox, handoff) must stay
62
+ load-bearing; simplifications cannot break them.
63
+
64
+ ## Entity-by-entity verdicts
65
+
66
+ ### ✅ Keep as-is
67
+
68
+ - **Plan / Step / Sequence** — the three-tier hierarchy is
69
+ semantically distinct and useful for precise agent communication.
70
+ - Plan: a work item with a goal, text, priority, status, tags,
71
+ dependencies, steps.
72
+ - Step: sub-element of a plan; inherits lifecycle from its parent
73
+ but has its own status.
74
+ - Sequence: coordinates execution across plans/steps by defining
75
+ parallelizable lanes with hard/soft dependencies between items.
76
+ The distinction was confirmed as valuable by the operator.
77
+
78
+ - **Decision / Constraint / Trap (trichotomy)** — each carries
79
+ distinct semantics that earn their keep:
80
+ - **Decision**: anchors a strategic choice (e.g., "chose
81
+ PostgreSQL", "use X testing framework"). Retrospective reference.
82
+ - **Constraint**: imposes a process or rule that must be followed
83
+ (e.g., "minimize core dependencies", "all APIs must be REST",
84
+ "never init --force"). Strongest concept; drives hook injection
85
+ to remind agents of the process.
86
+ - **Trap**: environmental or process pitfall to avoid (e.g., "git
87
+ merge wipes node_modules", "sandbox X blocks MCP writes"). May
88
+ trigger a corrective plan when resolvable.
89
+ All three drive different agent behaviours (decisions = retrieve for
90
+ context, constraints = enforce, traps = warn + resolve).
91
+
92
+ - **Claim** — file-level advisory lock, scope boundary, worktree
93
+ attachment point. Clear lifecycle (active → released/expired).
94
+
95
+ - **Session** — execution envelope, links work to an agent identity.
96
+
97
+ - **Assignment / AgentRun** — runtime tracking of dispatched work.
98
+ Distinction is technical (assignment = the ask, run = the execution)
99
+ but useful for observability; the agent does not need to interact
100
+ with them directly.
101
+
102
+ ### 🔴 Remove
103
+
104
+ - **Candidate lifecycle** — the "create candidate → accept/reject →
105
+ promote to decision/constraint/trap/handoff" workflow is badly used
106
+ in practice. Very few candidates in the current store have been
107
+ processed; most are auto-generated and ignored. The review queue
108
+ concept duplicates what the Loop engine now provides better via
109
+ `review_loop`.
110
+
111
+ **After removal:**
112
+ - `bclaw_create_candidate`, `bclaw_list_candidates`, `bclaw_accept`,
113
+ `bclaw_reject`, `bclaw_harvest_candidates` disappear from the
114
+ surface.
115
+ - Auto-reflection at session_end writes directly to decision /
116
+ constraint / trap / handoff with a `source: 'auto'` field and a
117
+ `confidence` score. Agents or humans filter low-confidence auto
118
+ items via `bclaw_find(source: 'auto', confidence_gte: 0.8)`.
119
+ - Intentional batch review moves to `review_loop` (open a loop
120
+ whose change_summary points to the memory items under review).
121
+ - Cross-project signals arrive directly in `inbox/cross-project/`
122
+ (already the pattern for other signals).
123
+
124
+ ### ⚠️ Downscale
125
+
126
+ - **Handoff** — keep as a session-end auto-artifact, strip the
127
+ review sub-flow.
128
+
129
+ **Keep:**
130
+ - Automatic generation at `bclaw_session_end` with commits, files
131
+ touched, narrative, pre/post conditions, linked plans.
132
+ - Read-only access via `bclaw_get(entity='handoff', id)` for context
133
+ resumption on the same or another machine.
134
+ - Federation push/pull across linked projects (critical for teams;
135
+ without this teammate B's agent loses teammate A's session story).
136
+ - Optional linking to a `review_loop` when a structured review is
137
+ dispatched via `bclaw_dispatch_review(openLoop: true)`.
138
+
139
+ **Drop:**
140
+ - The `review` sub-object on the handoff entity (requester,
141
+ reviewer, thread_id, requested_at, review_message_id). Never
142
+ used as designed.
143
+ - Active `update_handoff` for mid-life edits. Only the narrative
144
+ override at session_end stays (single write at creation).
145
+
146
+ **Rationale:** handoffs are a *passive artefact* of the default
147
+ path, not a coordination surface. Review happens via dispatch-review
148
+ or review_loop, not via mutating a handoff.
149
+
150
+ ### 🟡 Examine further during implementation
151
+
152
+ - **RuntimeNote** — if auto-reflect + direct memory writes land,
153
+ runtime_note becomes redundant with low-confidence decision/trap
154
+ candidates. Consider removing. Keep for this audit, revisit during
155
+ Phase 3 implementation.
156
+
157
+ - **Instruction layers** (global / project / agent) — functionally
158
+ similar to constraints with different scopes. Could merge into a
159
+ unified `memory` entity with a `scope` field. Not urgent; valid to
160
+ keep distinct for now since instructions have lifecycle triggers
161
+ (`trigger:post-claim`, `trigger:pre-session-end`) that constraints
162
+ do not.
163
+
164
+ - **Capability vs Tool** — two registries under `.brainclaw/memory/`
165
+ with a thin distinction (capability = what the project can do, tool
166
+ = what the project uses). Good candidate for merger under a
167
+ `resource` entity with a `kind` field. Low priority.
168
+
169
+ ## Phase 3 grammar outline (post-audit)
170
+
171
+ ### Canonical verbs (6)
172
+
173
+ ```
174
+ bclaw_find(entity, filters, limit, offset) — query many
175
+ bclaw_get(entity, id | short_label) — fetch one
176
+ bclaw_create(entity, data) — new item, returns id
177
+ bclaw_update(entity, id, patch) — partial merge
178
+ bclaw_remove(entity, id, purge?) — archive (default) or hard delete
179
+ bclaw_transition(entity, id, to, reason?) — state machine transitions with side effects
180
+ ```
181
+
182
+ ### Workflow intents that stay distinct
183
+
184
+ ```
185
+ bclaw_work(intent) — session + claim + context facade
186
+ bclaw_coordinate(intent) — multi-agent coordination
187
+ bclaw_loop(intent) — loop lifecycle
188
+ bclaw_dispatch(intent) — dispatch analysis + execution + review (unified from 3 tools)
189
+ bclaw_quick_capture(text) — NL → typed memory
190
+ bclaw_bootstrap, bclaw_setup, bclaw_switch, bclaw_compact
191
+ bclaw_context(kind) — unified from get_context, get_execution_context, get_discovery, get_agent_board, get_agent_board_summary
192
+ bclaw_audit(mode) — chronological or governance report
193
+ bclaw_doctor, bclaw_check_policy, bclaw_check_security
194
+ bclaw_history, bclaw_estimation_report, bclaw_release_notes
195
+ ```
196
+
197
+ ### Approximate surface size
198
+
199
+ From 70 tools to ~20. Each verb is memorable, schema-discoverable, and
200
+ has a clear semantic.
201
+
202
+ ### EntityRegistry as single source of truth
203
+
204
+ A new `src/core/entity-registry.ts` module holds:
205
+
206
+ - Short-label prefix per entity (plan → `pln`, claim → `clm`, …)
207
+ - Updatable fields per entity (Zod schema — what `update` can touch)
208
+ - Valid status transitions per entity (state machine definition)
209
+ - Side effects per transition (hardcoded for MVP, configurable later)
210
+
211
+ `bclaw_update` and `bclaw_transition` both consult this registry. A
212
+ grammar-consistency test suite verifies every entity has a complete
213
+ schema declaration.
214
+
215
+ ### Transition logging — three destinations
216
+
217
+ | Destination | For whom | Why |
218
+ |---|---|---|
219
+ | `audit.log` | Forensics, compliance, governance | Authoritative chronological record |
220
+ | `events.jsonl` (already exists) | Reactive agents + cockpit live feed | Low-level event stream |
221
+ | `bclaw_activity` (new derived tool) | Humans, coordinator agents | Narrative digest, aggregated by entity/agent/session |
222
+
223
+ The cockpit (human-visibility layer) is built by consuming these
224
+ signals. Engine features emit; cockpit aggregates.
225
+
226
+ ## Open questions for external validation
227
+
228
+ Before committing to implementation, we are consulting external
229
+ perspectives (codex, another claude-code instance, github-copilot) to
230
+ pressure-test these decisions. The four questions:
231
+
232
+ **Q0 — Teams cross-machine completeness.** Our current primitives
233
+ (handoff federation, inbox cross-project, claims local, runtime_note
234
+ federation) — do they cover common team cases (2–5 devs on different
235
+ machines, shared monorepo, distributed reviewers)? Is there an obvious
236
+ missing pattern?
237
+
238
+ **Q1 — Handoff simplification safety.** After stripping the review
239
+ sub-flow and keeping the handoff as a passive session-end artefact
240
+ (with federation + read-only + optional review_loop link), is there
241
+ any agent-facing use case this simplification breaks that we haven't
242
+ seen?
243
+
244
+ **Q2 — Transition side effects hardcoded vs configurable.** For MVP we
245
+ plan to hardcode side effects of transitions (close claims on
246
+ plan.status=done, promote candidate on accept, etc.) in the
247
+ `bclaw_transition` handler rather than declaring them in the
248
+ EntityRegistry. Is this the right tradeoff for now, or does the
249
+ configurable approach pay for itself early?
250
+
251
+ **Q3 — Version strategy pre-public.** Given we are pre-public with no
252
+ external integrators, should we:
253
+ - (a) bump v0.8 → v1.0 directly with the cleaned grammar, accepting
254
+ the internal breaking change in one go; or
255
+ - (b) go v0.8 → v0.9 (add new verbs, deprecate legacy) → v1.0 (remove
256
+ legacy), using two internal releases as buffer?
257
+
258
+ Option (a) is cleaner but less battle-tested before public launch;
259
+ (b) is slower but lets us dogfood the new grammar before removing the
260
+ old.
261
+
262
+ ## §6 — Patches integrated post-consult
263
+
264
+ Three external reviewers (codex, a second claude-code instance,
265
+ github-copilot) returned verdict `proceed_with_patches` on the audit.
266
+ Their convergent recommendations are integrated below. Each patch is
267
+ load-bearing for Phase 3 and must land either before or during the
268
+ grammar refactor.
269
+
270
+ ### P6.1 — Tombstone pattern for handoff corrections
271
+
272
+ **What.** Handoffs stay immutable session-end artefacts. Post-session
273
+ corrections (a teammate spotted a mistake, a follow-up clarified
274
+ something) do not mutate the original handoff — they create a *new
275
+ correction handoff* that carries a `superseded_by` pointer back to the
276
+ original.
277
+
278
+ **Why.** Preserves the "passive artefact" property while keeping an
279
+ audit trail of who revised what. Federation remains safe (each record
280
+ is whole, no partial merges).
281
+
282
+ **How to apply.** Reject all `bclaw_update(entity='handoff', …)`
283
+ outside the narrative override at creation. Expose instead a
284
+ `bclaw_correct_handoff(original_id, correction_data)` helper that
285
+ writes a new handoff and patches `original.superseded_by`.
286
+
287
+ ### P6.2 — Declarative transition matrix + imperative side effects
288
+
289
+ **What.** Valid status transitions per entity live in the
290
+ EntityRegistry as a declarative matrix (`{ from: [to1, to2] }`). Side
291
+ effects (close linked claims, write audit entry, emit event) stay
292
+ imperative in `bclaw_transition` for MVP.
293
+
294
+ **Why.** Hybrid lets us test the declarative matrix (grammar
295
+ consistency tests, static analysis) without over-engineering a rules
296
+ engine we do not need yet. Migration to declarative side effects later
297
+ is a drop-in without breaking callers.
298
+
299
+ **How to apply.** `EntityRegistry[entity].transitions` is the
300
+ authoritative matrix; `bclaw_transition` rejects moves not in the
301
+ matrix, then runs a hardcoded side-effect dispatch per (entity, to)
302
+ pair.
303
+
304
+ ### P6.3 — Provenance as a typed discriminated union
305
+
306
+ **What.** Replace the single `source: 'auto' | 'user' | …` string with
307
+ a typed discriminated union:
308
+
309
+ ```ts
310
+ type Provenance =
311
+ | { kind: 'agent'; agent_id: string; session_id: string }
312
+ | { kind: 'auto_reflect'; source_session: string; confidence: number }
313
+ | { kind: 'user'; author: string }
314
+ | { kind: 'loop_artifact'; loop_id: string; slot: string; turn: number }
315
+ | { kind: 'federation'; source_project: string; remote_id: string }
316
+ | { kind: 'correction'; supersedes: string }
317
+ | { kind: 'legacy' };
318
+ ```
319
+
320
+ **Why.** Each origin has different downstream implications (retention,
321
+ confidence, federation behavior, audit narrative). A single string
322
+ field cannot carry the metadata cleanly; a union keeps type-safety and
323
+ makes queries like `bclaw_find(provenance.kind='auto_reflect',
324
+ confidence_gte:0.8)` natural.
325
+
326
+ **How to apply.** Add `provenance` field to
327
+ decision/constraint/trap/handoff/runtime_note schemas. On v1.0
328
+ migration, existing records receive `{ kind: 'legacy' }`. Default
329
+ filter on memory reads: exclude `legacy` + auto below threshold,
330
+ configurable via the query.
331
+
332
+ ### P6.4 — Delta context via bclaw_context(kind='delta')
333
+
334
+ **What.** `bclaw_context` currently returns full state every call. Add
335
+ a `kind: 'delta', since: <handoff_id | timestamp | event_seq>`
336
+ parameter that returns only what changed since the reference point.
337
+
338
+ **Why.** At scale (long sessions, cross-agent resumption, federation
339
+ sync) returning full state is a token tax. Resumption needs the delta,
340
+ not the world.
341
+
342
+ **How to apply.** Implement as a filter over the events.jsonl stream +
343
+ a diff against the referenced snapshot. Falls back to full context if
344
+ the reference point is too old (compacted out).
345
+
346
+ ### P6.5 — MCP schema version strategy: 0.6 → 0.7 → 0.8 → 1.0
347
+
348
+ **What.** The MCP schema version (`SCHEMA_VERSION` in
349
+ `src/commands/mcp.ts`, currently `0.6.0`) is distinct from the app
350
+ version (`package.json`, currently `0.62.0`). Progression:
351
+
352
+ | Step | MCP schema | App version | Scope |
353
+ |---|---|---|---|
354
+ | Now | 0.6.0 | 0.62.x | baseline |
355
+ | Patches | 0.7.0 | 0.63.x | P6.1–P6.4 + provenance rollout |
356
+ | Migration | 0.8.0 | 0.64.x | `brainclaw migrate` + candidate archive |
357
+ | Phase 3 | 1.0.0 | 1.0.0 | canonical 6 verbs + legacy removal |
358
+
359
+ **Why.** App version tracks code changes; schema version tracks the
360
+ contract MCP clients bind to. Agents that cache tool catalogs need to
361
+ know when verbs changed shape.
362
+
363
+ **How to apply.** Bump `SCHEMA_VERSION` at each step. Tool catalog
364
+ response always includes schema_version so clients can invalidate.
365
+
366
+ ### P6.6 — Pending candidates archived on migration
367
+
368
+ **What.** On v1.0 migration, existing candidates are not promoted or
369
+ rejected — they are archived to `.brainclaw/archive/candidates/` with a
370
+ manifest listing their original paths. The runtime stops reading them.
371
+
372
+ **Why.** No information loss (archive stays on disk for later
373
+ inspection), no forced triage on the operator, clean cutover.
374
+
375
+ **How to apply.** `brainclaw migrate --to-schema=1.0` copies
376
+ `.brainclaw/memory/candidates/` to `.brainclaw/archive/candidates/<date>/`,
377
+ writes an index, removes the live directory.
378
+
379
+ ### P6.7 — Schema migration as a hard pre-Phase-3 step
380
+
381
+ **What.** Do not start Phase 3 (the grammar refactor) until
382
+ `brainclaw migrate` command exists and has been dogfooded on both live
383
+ installations (this machine + the monorepo test server).
384
+
385
+ **Why.** Phase 3 ships the canonical grammar. Existing stores must
386
+ upgrade cleanly to v1.0 schema before any tool rewrites remove the
387
+ legacy paths. Migration first = safety net; grammar refactor second =
388
+ execute with confidence.
389
+
390
+ **How to apply.** Migration plan (`feat/v1-schema-migration`, see §7)
391
+ is a hard blocker on the Phase 3 plan (`feat/phase-3-canonical-grammar`).
392
+
393
+ ### P6.8 — Keep runtime_note / instruction / capability/tool distinct
394
+
395
+ **What.** Reviewers recommended leaving runtime_note, instruction
396
+ layers, and capability/tool as distinct entities for v1.0. They were
397
+ flagged as "examine further" in §5 — verdict is *keep as-is*.
398
+
399
+ **Why.** Instructions carry lifecycle triggers (`post-claim`,
400
+ `pre-session-end`) that constraints do not. Capability vs tool has a
401
+ semantic distinction (what the project *can do* vs what it *uses*)
402
+ that matters for discoverability. Runtime notes remain a natural
403
+ slot for low-confidence, scoped observations that do not yet deserve
404
+ promotion to decision/trap. Premature merger would lose information.
405
+
406
+ **How to apply.** No change for v1.0. Flag for a dedicated audit pass
407
+ post-v1.0 once usage data confirms or contradicts the distinctions.
408
+
409
+ ## §7 — Consolidated Phase 3 checklist
410
+
411
+ Hard prerequisite before any item below: **`feat/v1-schema-migration`
412
+ plan must be executed and dogfooded** (see P6.7).
413
+
414
+ Phase 3 itself is sliced into nine sub-items; each is independently
415
+ mergeable behind a feature flag or catalog filter:
416
+
417
+ - **3a — EntityRegistry core.** New `src/core/entity-registry.ts`:
418
+ short-label prefixes, updatable-field Zod schemas, transition
419
+ matrices, side-effect map. Grammar consistency tests.
420
+ - **3b — Six canonical CRUD verbs.** Implement `bclaw_find`,
421
+ `bclaw_get`, `bclaw_create`, `bclaw_update`, `bclaw_remove`,
422
+ `bclaw_transition` consuming EntityRegistry. Behind `catalog: "all"`
423
+ filter first, public in `catalog: "default"` at v1.0.
424
+ - **3c — `bclaw_context(kind)` unified.** Consolidates
425
+ `bclaw_get_context`, `bclaw_get_execution_context`,
426
+ `bclaw_get_agent_board`, `bclaw_get_agent_board_summary` under one
427
+ intent with a `kind` discriminator. Includes `kind='delta'` from
428
+ P6.4.
429
+ - **3d — `bclaw_dispatch(intent)` unified.** Consolidates
430
+ `bclaw_dispatch_analysis`, `bclaw_dispatch_review`, and the raw
431
+ `bclaw_dispatch`. Review sub-intent carries `openLoop` flag for the
432
+ review_loop escalation path.
433
+ - **3e — Handoff downscale.** Strip the review sub-object, remove
434
+ `bclaw_update_handoff`, expose `bclaw_correct_handoff` for tombstone
435
+ corrections (P6.1). Federation push/pull preserved end-to-end.
436
+ - **3f — Provenance rollout.** Apply discriminated-union provenance
437
+ (P6.3) to decision/constraint/trap/handoff/runtime_note. Default
438
+ memory reads filter on confidence + non-legacy.
439
+ - **3g — Legacy deprecation warnings.** Keep old tool names in
440
+ `catalog: "all"` with `LEGACY_MCP_TOOL_WARNINGS` entries pointing to
441
+ the new verb. Warnings fire server-side on every call during 0.9.x.
442
+ - **3h — Docs sync.** Update `docs/integrations/mcp.md`,
443
+ `CLAUDE.md`, release notes, and agent profile exports. Canonical
444
+ grammar example galleries.
445
+ - **3i — Legacy removal + v1.0 cut.** Remove deprecated tool names
446
+ from the MCP surface entirely. Bump schema to 1.0.0 and app to
447
+ 1.0.0. Public launch candidate.
448
+
449
+ Slices 3a–3b are the architecture core; 3c–3e are the intent
450
+ consolidations; 3f is cross-cutting; 3g–3i are the soft→hard cutover.
451
+
452
+ ## Sources
453
+
454
+ - `docs/product/agent-first-model.md` — engine/cockpit two-layer model
455
+ - `docs/concepts/loop-engine.md` — v8 RFC for the loop primitive
456
+ - Session transcript 2026-04-18 (strategic round 2) — post-consult
457
+ integration pass
458
+ - Memory decisions `cnd#587` (product model) and `cnd#588` (loop
459
+ protocols roadmap)
460
+ - External consult verdicts 2026-04-18 (codex / claude-code /
461
+ github-copilot) — all `proceed_with_patches`, patches integrated in
462
+ §6