brainclaw 1.9.0 → 1.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +631 -499
- package/dist/brainclaw-vscode.vsix +0 -0
- package/dist/cli.js +18 -1
- package/dist/commands/code-map.js +129 -0
- package/dist/commands/codev.js +7 -0
- package/dist/commands/harvest.js +1 -1
- package/dist/commands/hooks.js +73 -73
- package/dist/commands/init.js +1 -1
- package/dist/commands/install-hooks.js +78 -78
- package/dist/commands/mcp-read-handlers.js +57 -14
- package/dist/commands/mcp.js +200 -13
- package/dist/commands/run-profile.js +3 -2
- package/dist/commands/switch.js +125 -93
- package/dist/commands/version.js +1 -1
- package/dist/core/agent-capability.js +19 -4
- package/dist/core/agent-files.js +131 -119
- package/dist/core/code-map/backend.js +123 -0
- package/dist/core/code-map/core.js +81 -0
- package/dist/core/code-map/drafts.js +2 -0
- package/dist/core/code-map/extractor.js +29 -0
- package/dist/core/code-map/finalizer.js +191 -0
- package/dist/core/code-map/freshness.js +108 -0
- package/dist/core/code-map/ids.js +0 -0
- package/dist/core/code-map/importable.js +35 -0
- package/dist/core/code-map/indexes.js +197 -0
- package/dist/core/code-map/lang/java/imports.scm +17 -0
- package/dist/core/code-map/lang/java/index.js +254 -0
- package/dist/core/code-map/lang/java/tags.scm +48 -0
- package/dist/core/code-map/lang/php/imports.scm +21 -0
- package/dist/core/code-map/lang/php/index.js +251 -0
- package/dist/core/code-map/lang/php/tags.scm +44 -0
- package/dist/core/code-map/lang/provider.js +9 -0
- package/dist/core/code-map/lang/providers.js +24 -0
- package/dist/core/code-map/lang/python/imports.scm +90 -0
- package/dist/core/code-map/lang/python/index.js +364 -0
- package/dist/core/code-map/lang/python/tags.scm +81 -0
- package/dist/core/code-map/lang/query-runtime.js +374 -0
- package/dist/core/code-map/lang/registry.js +125 -0
- package/dist/core/code-map/lang/typescript/imports.scm +90 -0
- package/dist/core/code-map/lang/typescript/index.js +306 -0
- package/dist/core/code-map/lang/typescript/tags.js.scm +106 -0
- package/dist/core/code-map/lang/typescript/tags.scm +151 -0
- package/dist/core/code-map/lock.js +210 -0
- package/dist/core/code-map/materialized.js +51 -0
- package/dist/core/code-map/memory-reader.js +59 -0
- package/dist/core/code-map/paths.js +53 -0
- package/dist/core/code-map/query.js +568 -0
- package/dist/core/code-map/refresh.js +0 -0
- package/dist/core/code-map/resolve.js +177 -0
- package/dist/core/code-map/store.js +206 -0
- package/dist/core/code-map/types.js +288 -0
- package/dist/core/code-map/vocabulary.js +57 -0
- package/dist/core/code-map/wasm-loader.js +294 -0
- package/dist/core/code-map/work-section.js +206 -0
- package/dist/core/codev-prompts.js +38 -38
- package/dist/core/codev-rounds.js +4 -0
- package/dist/core/default-profiles/doctor.yaml +11 -11
- package/dist/core/default-profiles/janitor.yaml +11 -11
- package/dist/core/default-profiles/onboarder.yaml +11 -11
- package/dist/core/default-profiles/reviewer.yaml +13 -13
- package/dist/core/dispatcher.js +1 -1
- package/dist/core/entity-operations.js +29 -3
- package/dist/core/execution-adapters.js +11 -10
- package/dist/core/execution-profile.js +58 -0
- package/dist/core/execution.js +1 -1
- package/dist/core/facade-schema.js +9 -0
- package/dist/core/instruction-templates.js +2 -0
- package/dist/core/loops/verbs.js +0 -1
- package/dist/core/mcp-command-resolution.js +3 -1
- package/dist/core/messaging.js +2 -2
- package/dist/core/protocol-skills.js +164 -164
- package/dist/core/runtime-signals.js +1 -1
- package/dist/core/search.js +19 -2
- package/dist/core/security-guard.js +207 -207
- package/dist/core/spawn-check.js +16 -2
- package/dist/core/staleness.js +1 -1
- package/dist/core/store-resolution.js +67 -11
- package/dist/core/worktree.js +18 -18
- package/dist/facts.js +9 -5
- package/dist/facts.json +8 -4
- package/dist/vendor/web-tree-sitter/tree-sitter.js +3980 -0
- package/dist/vendor/web-tree-sitter/tree-sitter.wasm +0 -0
- package/dist/wasm/tree-sitter-java.wasm +0 -0
- package/dist/wasm/tree-sitter-javascript.wasm +0 -0
- package/dist/wasm/tree-sitter-php.wasm +0 -0
- package/dist/wasm/tree-sitter-python.wasm +0 -0
- package/dist/wasm/tree-sitter-tsx.wasm +0 -0
- package/dist/wasm/tree-sitter-typescript.wasm +0 -0
- package/dist/wasm/tree-sitter.wasm +0 -0
- package/docs/PROTOCOL.md +1 -1
- package/docs/adapters/openclaw.md +43 -43
- package/docs/architecture/project-refs.md +328 -328
- package/docs/cli.md +2131 -2093
- package/docs/code-map.md +198 -0
- package/docs/concepts/coordination.md +52 -52
- package/docs/concepts/coordinator-runbook.md +129 -129
- package/docs/concepts/dispatch-lifecycle.md +245 -245
- package/docs/concepts/event-log-store.md +928 -928
- package/docs/concepts/ideation-loop.md +317 -317
- package/docs/concepts/loop-engine.md +520 -511
- package/docs/concepts/mcp-governance.md +268 -268
- package/docs/concepts/memory.md +84 -84
- package/docs/concepts/multi-agent-workflows.md +167 -167
- package/docs/concepts/observer-protocol.md +361 -361
- package/docs/concepts/plans-and-claims.md +217 -217
- package/docs/concepts/project-md-convention.md +35 -35
- package/docs/concepts/runtime-notes.md +38 -38
- package/docs/concepts/troubleshooting.md +254 -254
- package/docs/concepts/workspace-bootstrapping.md +142 -142
- package/docs/context-format-changelog.md +35 -35
- package/docs/context-format.md +48 -48
- package/docs/index.md +65 -65
- package/docs/integrations/agents.md +158 -158
- package/docs/integrations/claude-code.md +23 -23
- package/docs/integrations/cline.md +77 -77
- package/docs/integrations/continue.md +55 -55
- package/docs/integrations/copilot.md +68 -68
- package/docs/integrations/cursor.md +23 -23
- package/docs/integrations/kilocode.md +72 -72
- package/docs/integrations/mcp.md +385 -378
- package/docs/integrations/mistral-vibe.md +122 -122
- package/docs/integrations/openclaw.md +92 -92
- package/docs/integrations/opencode.md +84 -84
- package/docs/integrations/overview.md +115 -115
- package/docs/integrations/roo.md +71 -71
- package/docs/integrations/windsurf.md +77 -77
- package/docs/mcp-schema-changelog.md +364 -356
- package/docs/playbooks/integration/index.md +121 -121
- package/docs/playbooks/orchestration.md +37 -0
- package/docs/playbooks/productivity/index.md +99 -99
- package/docs/playbooks/team/index.md +117 -117
- package/docs/product/agent-first-model.md +184 -184
- package/docs/product/entity-model-audit.md +462 -462
- package/docs/product/positioning.md +86 -86
- package/docs/quickstart-existing-project.md +107 -107
- package/docs/quickstart.md +183 -183
- package/docs/release-maintenance.md +79 -79
- package/docs/reputation.md +52 -52
- package/docs/review.md +45 -45
- package/docs/security.md +212 -212
- package/docs/server-operations.md +118 -118
- package/docs/storage.md +106 -106
- package/package.json +86 -66
- package/docs/concepts/event-log-store-critique-A.md +0 -333
- package/docs/concepts/event-log-store-critique-B.md +0 -353
- package/docs/concepts/event-log-store-phase0-measurements.md +0 -58
- package/docs/concepts/event-log-store-proposal-A.md +0 -365
- package/docs/concepts/event-log-store-proposal-B.md +0 -404
- package/docs/concepts/identity-model-proposal.md +0 -371
|
@@ -1,462 +1,462 @@
|
|
|
1
|
-
# Entity model audit — pre-v1.0 strategic reflection
|
|
2
|
-
|
|
3
|
-
Captured 2026-04-18 during a second round of strategic review before
|
|
4
|
-
the MCP grammar Phase 3 refactor. This document complements
|
|
5
|
-
`docs/product/agent-first-model.md` (which defines the two-layer
|
|
6
|
-
product model) and should be read before any entity-shape or API-verb
|
|
7
|
-
decision.
|
|
8
|
-
|
|
9
|
-
## Context
|
|
10
|
-
|
|
11
|
-
brainclaw has grown organically over months and some older concepts
|
|
12
|
-
deserve challenge before the public launch:
|
|
13
|
-
|
|
14
|
-
- The MCP surface has 70 tools, 26 dedicated to CRUD variants per
|
|
15
|
-
entity type.
|
|
16
|
-
- Some lifecycles (candidate review queue) are rarely used as designed.
|
|
17
|
-
- Some entities overlap in role (runtime_note vs decision-candidate,
|
|
18
|
-
capability vs tool).
|
|
19
|
-
- The upcoming API grammar refactor (Phase 3 in the broader plan)
|
|
20
|
-
will bake current entity shapes into permanent verbs. Cleaning the
|
|
21
|
-
model first avoids fossilising bad decisions.
|
|
22
|
-
|
|
23
|
-
Since brainclaw is not yet publicly distributed, backward compatibility
|
|
24
|
-
is not a blocker — the priority is internal coherence at v1.0 launch.
|
|
25
|
-
|
|
26
|
-
## Design principles that emerged
|
|
27
|
-
|
|
28
|
-
### P1 — Engine delivers value, cockpit sells adoption
|
|
29
|
-
See `agent-first-model.md`. Every engine feature should emit
|
|
30
|
-
machine-readable signals the cockpit can consume. Human visibility is
|
|
31
|
-
a critical adoption gate at enterprise scale, not optional.
|
|
32
|
-
|
|
33
|
-
### P2 — Three review modes must coexist without penalty
|
|
34
|
-
brainclaw must support three review intensities and let the agent
|
|
35
|
-
choose consciously:
|
|
36
|
-
|
|
37
|
-
| Mode | When | Cost | Entry point today |
|
|
38
|
-
|---|---|---|---|
|
|
39
|
-
| Self-review inline | Solo default path (~70% of sessions) | Few LLM cycles | No brainclaw tool, agent self-checks |
|
|
40
|
-
| Dispatch-review | When a second opinion is worth a round-trip | One inbox message + reply | `bclaw_dispatch_review(openLoop: false)` |
|
|
41
|
-
| Review loop | Quality bar high, multi-round likely, structured feedback needed | Multiple rounds, multi-slot | `bclaw_dispatch_review(openLoop: true)` or `bclaw_loop(intent='open', kind='review')` |
|
|
42
|
-
|
|
43
|
-
The simpler modes must not pay a tax because the heavier mode exists.
|
|
44
|
-
Primitives like session, claim, handoff, inbox must all work fully
|
|
45
|
-
without loops.
|
|
46
|
-
|
|
47
|
-
### P3 — Loops are opt-in enhancement, not default path
|
|
48
|
-
Loops (review, ideation, debug, research) are structured, multi-agent,
|
|
49
|
-
expensive. In the majority of sessions agents work directly without
|
|
50
|
-
them. Every primitive must be fully usable without a loop; loops are
|
|
51
|
-
invoked when the complexity justifies the cost.
|
|
52
|
-
|
|
53
|
-
### P4 — Teams cross-machine is a first-class scenario
|
|
54
|
-
brainclaw supports three modes of work without compromise:
|
|
55
|
-
|
|
56
|
-
- **Solo agent** — local, no coordination, fast.
|
|
57
|
-
- **Solo dev + external reviewer** — dispatch-review or review_loop.
|
|
58
|
-
- **Teams cross-machine** — federation push/pull, inbox cross-project,
|
|
59
|
-
handoff as the artifact for resuming on another machine.
|
|
60
|
-
|
|
61
|
-
Team primitives (federation, cross-project inbox, handoff) must stay
|
|
62
|
-
load-bearing; simplifications cannot break them.
|
|
63
|
-
|
|
64
|
-
## Entity-by-entity verdicts
|
|
65
|
-
|
|
66
|
-
### ✅ Keep as-is
|
|
67
|
-
|
|
68
|
-
- **Plan / Step / Sequence** — the three-tier hierarchy is
|
|
69
|
-
semantically distinct and useful for precise agent communication.
|
|
70
|
-
- Plan: a work item with a goal, text, priority, status, tags,
|
|
71
|
-
dependencies, steps.
|
|
72
|
-
- Step: sub-element of a plan; inherits lifecycle from its parent
|
|
73
|
-
but has its own status.
|
|
74
|
-
- Sequence: coordinates execution across plans/steps by defining
|
|
75
|
-
parallelizable lanes with hard/soft dependencies between items.
|
|
76
|
-
The distinction was confirmed as valuable by the operator.
|
|
77
|
-
|
|
78
|
-
- **Decision / Constraint / Trap (trichotomy)** — each carries
|
|
79
|
-
distinct semantics that earn their keep:
|
|
80
|
-
- **Decision**: anchors a strategic choice (e.g., "chose
|
|
81
|
-
PostgreSQL", "use X testing framework"). Retrospective reference.
|
|
82
|
-
- **Constraint**: imposes a process or rule that must be followed
|
|
83
|
-
(e.g., "minimize core dependencies", "all APIs must be REST",
|
|
84
|
-
"never init --force"). Strongest concept; drives hook injection
|
|
85
|
-
to remind agents of the process.
|
|
86
|
-
- **Trap**: environmental or process pitfall to avoid (e.g., "git
|
|
87
|
-
merge wipes node_modules", "sandbox X blocks MCP writes"). May
|
|
88
|
-
trigger a corrective plan when resolvable.
|
|
89
|
-
All three drive different agent behaviours (decisions = retrieve for
|
|
90
|
-
context, constraints = enforce, traps = warn + resolve).
|
|
91
|
-
|
|
92
|
-
- **Claim** — file-level advisory lock, scope boundary, worktree
|
|
93
|
-
attachment point. Clear lifecycle (active → released/expired).
|
|
94
|
-
|
|
95
|
-
- **Session** — execution envelope, links work to an agent identity.
|
|
96
|
-
|
|
97
|
-
- **Assignment / AgentRun** — runtime tracking of dispatched work.
|
|
98
|
-
Distinction is technical (assignment = the ask, run = the execution)
|
|
99
|
-
but useful for observability; the agent does not need to interact
|
|
100
|
-
with them directly.
|
|
101
|
-
|
|
102
|
-
### 🔴 Remove
|
|
103
|
-
|
|
104
|
-
- **Candidate lifecycle** — the "create candidate → accept/reject →
|
|
105
|
-
promote to decision/constraint/trap/handoff" workflow is badly used
|
|
106
|
-
in practice. Very few candidates in the current store have been
|
|
107
|
-
processed; most are auto-generated and ignored. The review queue
|
|
108
|
-
concept duplicates what the Loop engine now provides better via
|
|
109
|
-
`review_loop`.
|
|
110
|
-
|
|
111
|
-
**After removal:**
|
|
112
|
-
- `bclaw_create_candidate`, `bclaw_list_candidates`, `bclaw_accept`,
|
|
113
|
-
`bclaw_reject`, `bclaw_harvest_candidates` disappear from the
|
|
114
|
-
surface.
|
|
115
|
-
- Auto-reflection at session_end writes directly to decision /
|
|
116
|
-
constraint / trap / handoff with a `source: 'auto'` field and a
|
|
117
|
-
`confidence` score. Agents or humans filter low-confidence auto
|
|
118
|
-
items via `bclaw_find(source: 'auto', confidence_gte: 0.8)`.
|
|
119
|
-
- Intentional batch review moves to `review_loop` (open a loop
|
|
120
|
-
whose change_summary points to the memory items under review).
|
|
121
|
-
- Cross-project signals arrive directly in `inbox/cross-project/`
|
|
122
|
-
(already the pattern for other signals).
|
|
123
|
-
|
|
124
|
-
### ⚠️ Downscale
|
|
125
|
-
|
|
126
|
-
- **Handoff** — keep as a session-end auto-artifact, strip the
|
|
127
|
-
review sub-flow.
|
|
128
|
-
|
|
129
|
-
**Keep:**
|
|
130
|
-
- Automatic generation at `bclaw_session_end` with commits, files
|
|
131
|
-
touched, narrative, pre/post conditions, linked plans.
|
|
132
|
-
- Read-only access via `bclaw_get(entity='handoff', id)` for context
|
|
133
|
-
resumption on the same or another machine.
|
|
134
|
-
- Federation push/pull across linked projects (critical for teams;
|
|
135
|
-
without this teammate B's agent loses teammate A's session story).
|
|
136
|
-
- Optional linking to a `review_loop` when a structured review is
|
|
137
|
-
dispatched via `bclaw_dispatch_review(openLoop: true)`.
|
|
138
|
-
|
|
139
|
-
**Drop:**
|
|
140
|
-
- The `review` sub-object on the handoff entity (requester,
|
|
141
|
-
reviewer, thread_id, requested_at, review_message_id). Never
|
|
142
|
-
used as designed.
|
|
143
|
-
- Active `update_handoff` for mid-life edits. Only the narrative
|
|
144
|
-
override at session_end stays (single write at creation).
|
|
145
|
-
|
|
146
|
-
**Rationale:** handoffs are a *passive artefact* of the default
|
|
147
|
-
path, not a coordination surface. Review happens via dispatch-review
|
|
148
|
-
or review_loop, not via mutating a handoff.
|
|
149
|
-
|
|
150
|
-
### 🟡 Examine further during implementation
|
|
151
|
-
|
|
152
|
-
- **RuntimeNote** — if auto-reflect + direct memory writes land,
|
|
153
|
-
runtime_note becomes redundant with low-confidence decision/trap
|
|
154
|
-
candidates. Consider removing. Keep for this audit, revisit during
|
|
155
|
-
Phase 3 implementation.
|
|
156
|
-
|
|
157
|
-
- **Instruction layers** (global / project / agent) — functionally
|
|
158
|
-
similar to constraints with different scopes. Could merge into a
|
|
159
|
-
unified `memory` entity with a `scope` field. Not urgent; valid to
|
|
160
|
-
keep distinct for now since instructions have lifecycle triggers
|
|
161
|
-
(`trigger:post-claim`, `trigger:pre-session-end`) that constraints
|
|
162
|
-
do not.
|
|
163
|
-
|
|
164
|
-
- **Capability vs Tool** — two registries under `.brainclaw/memory/`
|
|
165
|
-
with a thin distinction (capability = what the project can do, tool
|
|
166
|
-
= what the project uses). Good candidate for merger under a
|
|
167
|
-
`resource` entity with a `kind` field. Low priority.
|
|
168
|
-
|
|
169
|
-
## Phase 3 grammar outline (post-audit)
|
|
170
|
-
|
|
171
|
-
### Canonical verbs (6)
|
|
172
|
-
|
|
173
|
-
```
|
|
174
|
-
bclaw_find(entity, filters, limit, offset) — query many
|
|
175
|
-
bclaw_get(entity, id | short_label) — fetch one
|
|
176
|
-
bclaw_create(entity, data) — new item, returns id
|
|
177
|
-
bclaw_update(entity, id, patch) — partial merge
|
|
178
|
-
bclaw_remove(entity, id, purge?) — archive (default) or hard delete
|
|
179
|
-
bclaw_transition(entity, id, to, reason?) — state machine transitions with side effects
|
|
180
|
-
```
|
|
181
|
-
|
|
182
|
-
### Workflow intents that stay distinct
|
|
183
|
-
|
|
184
|
-
```
|
|
185
|
-
bclaw_work(intent) — session + claim + context facade
|
|
186
|
-
bclaw_coordinate(intent) — multi-agent coordination
|
|
187
|
-
bclaw_loop(intent) — loop lifecycle
|
|
188
|
-
bclaw_dispatch(intent) — dispatch analysis + execution + review (unified from 3 tools)
|
|
189
|
-
bclaw_quick_capture(text) — NL → typed memory
|
|
190
|
-
bclaw_bootstrap, bclaw_setup, bclaw_switch, bclaw_compact
|
|
191
|
-
bclaw_context(kind) — unified from get_context, get_execution_context, get_discovery, get_agent_board, get_agent_board_summary
|
|
192
|
-
bclaw_audit(mode) — chronological or governance report
|
|
193
|
-
bclaw_doctor, bclaw_check_policy, bclaw_check_security
|
|
194
|
-
bclaw_history, bclaw_estimation_report, bclaw_release_notes
|
|
195
|
-
```
|
|
196
|
-
|
|
197
|
-
### Approximate surface size
|
|
198
|
-
|
|
199
|
-
From 70 tools to ~20. Each verb is memorable, schema-discoverable, and
|
|
200
|
-
has a clear semantic.
|
|
201
|
-
|
|
202
|
-
### EntityRegistry as single source of truth
|
|
203
|
-
|
|
204
|
-
A new `src/core/entity-registry.ts` module holds:
|
|
205
|
-
|
|
206
|
-
- Short-label prefix per entity (plan → `pln`, claim → `clm`, …)
|
|
207
|
-
- Updatable fields per entity (Zod schema — what `update` can touch)
|
|
208
|
-
- Valid status transitions per entity (state machine definition)
|
|
209
|
-
- Side effects per transition (hardcoded for MVP, configurable later)
|
|
210
|
-
|
|
211
|
-
`bclaw_update` and `bclaw_transition` both consult this registry. A
|
|
212
|
-
grammar-consistency test suite verifies every entity has a complete
|
|
213
|
-
schema declaration.
|
|
214
|
-
|
|
215
|
-
### Transition logging — three destinations
|
|
216
|
-
|
|
217
|
-
| Destination | For whom | Why |
|
|
218
|
-
|---|---|---|
|
|
219
|
-
| `audit.log` | Forensics, compliance, governance | Authoritative chronological record |
|
|
220
|
-
| `events.jsonl` (already exists) | Reactive agents + cockpit live feed | Low-level event stream |
|
|
221
|
-
| `bclaw_activity` (new derived tool) | Humans, coordinator agents | Narrative digest, aggregated by entity/agent/session |
|
|
222
|
-
|
|
223
|
-
The cockpit (human-visibility layer) is built by consuming these
|
|
224
|
-
signals. Engine features emit; cockpit aggregates.
|
|
225
|
-
|
|
226
|
-
## Open questions for external validation
|
|
227
|
-
|
|
228
|
-
Before committing to implementation, we are consulting external
|
|
229
|
-
perspectives (codex, another claude-code instance, github-copilot) to
|
|
230
|
-
pressure-test these decisions. The four questions:
|
|
231
|
-
|
|
232
|
-
**Q0 — Teams cross-machine completeness.** Our current primitives
|
|
233
|
-
(handoff federation, inbox cross-project, claims local, runtime_note
|
|
234
|
-
federation) — do they cover common team cases (2–5 devs on different
|
|
235
|
-
machines, shared monorepo, distributed reviewers)? Is there an obvious
|
|
236
|
-
missing pattern?
|
|
237
|
-
|
|
238
|
-
**Q1 — Handoff simplification safety.** After stripping the review
|
|
239
|
-
sub-flow and keeping the handoff as a passive session-end artefact
|
|
240
|
-
(with federation + read-only + optional review_loop link), is there
|
|
241
|
-
any agent-facing use case this simplification breaks that we haven't
|
|
242
|
-
seen?
|
|
243
|
-
|
|
244
|
-
**Q2 — Transition side effects hardcoded vs configurable.** For MVP we
|
|
245
|
-
plan to hardcode side effects of transitions (close claims on
|
|
246
|
-
plan.status=done, promote candidate on accept, etc.) in the
|
|
247
|
-
`bclaw_transition` handler rather than declaring them in the
|
|
248
|
-
EntityRegistry. Is this the right tradeoff for now, or does the
|
|
249
|
-
configurable approach pay for itself early?
|
|
250
|
-
|
|
251
|
-
**Q3 — Version strategy pre-public.** Given we are pre-public with no
|
|
252
|
-
external integrators, should we:
|
|
253
|
-
- (a) bump v0.8 → v1.0 directly with the cleaned grammar, accepting
|
|
254
|
-
the internal breaking change in one go; or
|
|
255
|
-
- (b) go v0.8 → v0.9 (add new verbs, deprecate legacy) → v1.0 (remove
|
|
256
|
-
legacy), using two internal releases as buffer?
|
|
257
|
-
|
|
258
|
-
Option (a) is cleaner but less battle-tested before public launch;
|
|
259
|
-
(b) is slower but lets us dogfood the new grammar before removing the
|
|
260
|
-
old.
|
|
261
|
-
|
|
262
|
-
## §6 — Patches integrated post-consult
|
|
263
|
-
|
|
264
|
-
Three external reviewers (codex, a second claude-code instance,
|
|
265
|
-
github-copilot) returned verdict `proceed_with_patches` on the audit.
|
|
266
|
-
Their convergent recommendations are integrated below. Each patch is
|
|
267
|
-
load-bearing for Phase 3 and must land either before or during the
|
|
268
|
-
grammar refactor.
|
|
269
|
-
|
|
270
|
-
### P6.1 — Tombstone pattern for handoff corrections
|
|
271
|
-
|
|
272
|
-
**What.** Handoffs stay immutable session-end artefacts. Post-session
|
|
273
|
-
corrections (a teammate spotted a mistake, a follow-up clarified
|
|
274
|
-
something) do not mutate the original handoff — they create a *new
|
|
275
|
-
correction handoff* that carries a `superseded_by` pointer back to the
|
|
276
|
-
original.
|
|
277
|
-
|
|
278
|
-
**Why.** Preserves the "passive artefact" property while keeping an
|
|
279
|
-
audit trail of who revised what. Federation remains safe (each record
|
|
280
|
-
is whole, no partial merges).
|
|
281
|
-
|
|
282
|
-
**How to apply.** Reject all `bclaw_update(entity='handoff', …)`
|
|
283
|
-
outside the narrative override at creation. Expose instead a
|
|
284
|
-
`bclaw_correct_handoff(original_id, correction_data)` helper that
|
|
285
|
-
writes a new handoff and patches `original.superseded_by`.
|
|
286
|
-
|
|
287
|
-
### P6.2 — Declarative transition matrix + imperative side effects
|
|
288
|
-
|
|
289
|
-
**What.** Valid status transitions per entity live in the
|
|
290
|
-
EntityRegistry as a declarative matrix (`{ from: [to1, to2] }`). Side
|
|
291
|
-
effects (close linked claims, write audit entry, emit event) stay
|
|
292
|
-
imperative in `bclaw_transition` for MVP.
|
|
293
|
-
|
|
294
|
-
**Why.** Hybrid lets us test the declarative matrix (grammar
|
|
295
|
-
consistency tests, static analysis) without over-engineering a rules
|
|
296
|
-
engine we do not need yet. Migration to declarative side effects later
|
|
297
|
-
is a drop-in without breaking callers.
|
|
298
|
-
|
|
299
|
-
**How to apply.** `EntityRegistry[entity].transitions` is the
|
|
300
|
-
authoritative matrix; `bclaw_transition` rejects moves not in the
|
|
301
|
-
matrix, then runs a hardcoded side-effect dispatch per (entity, to)
|
|
302
|
-
pair.
|
|
303
|
-
|
|
304
|
-
### P6.3 — Provenance as a typed discriminated union
|
|
305
|
-
|
|
306
|
-
**What.** Replace the single `source: 'auto' | 'user' | …` string with
|
|
307
|
-
a typed discriminated union:
|
|
308
|
-
|
|
309
|
-
```ts
|
|
310
|
-
type Provenance =
|
|
311
|
-
| { kind: 'agent'; agent_id: string; session_id: string }
|
|
312
|
-
| { kind: 'auto_reflect'; source_session: string; confidence: number }
|
|
313
|
-
| { kind: 'user'; author: string }
|
|
314
|
-
| { kind: 'loop_artifact'; loop_id: string; slot: string; turn: number }
|
|
315
|
-
| { kind: 'federation'; source_project: string; remote_id: string }
|
|
316
|
-
| { kind: 'correction'; supersedes: string }
|
|
317
|
-
| { kind: 'legacy' };
|
|
318
|
-
```
|
|
319
|
-
|
|
320
|
-
**Why.** Each origin has different downstream implications (retention,
|
|
321
|
-
confidence, federation behavior, audit narrative). A single string
|
|
322
|
-
field cannot carry the metadata cleanly; a union keeps type-safety and
|
|
323
|
-
makes queries like `bclaw_find(provenance.kind='auto_reflect',
|
|
324
|
-
confidence_gte:0.8)` natural.
|
|
325
|
-
|
|
326
|
-
**How to apply.** Add `provenance` field to
|
|
327
|
-
decision/constraint/trap/handoff/runtime_note schemas. On v1.0
|
|
328
|
-
migration, existing records receive `{ kind: 'legacy' }`. Default
|
|
329
|
-
filter on memory reads: exclude `legacy` + auto below threshold,
|
|
330
|
-
configurable via the query.
|
|
331
|
-
|
|
332
|
-
### P6.4 — Delta context via bclaw_context(kind='delta')
|
|
333
|
-
|
|
334
|
-
**What.** `bclaw_context` currently returns full state every call. Add
|
|
335
|
-
a `kind: 'delta', since: <handoff_id | timestamp | event_seq>`
|
|
336
|
-
parameter that returns only what changed since the reference point.
|
|
337
|
-
|
|
338
|
-
**Why.** At scale (long sessions, cross-agent resumption, federation
|
|
339
|
-
sync) returning full state is a token tax. Resumption needs the delta,
|
|
340
|
-
not the world.
|
|
341
|
-
|
|
342
|
-
**How to apply.** Implement as a filter over the events.jsonl stream +
|
|
343
|
-
a diff against the referenced snapshot. Falls back to full context if
|
|
344
|
-
the reference point is too old (compacted out).
|
|
345
|
-
|
|
346
|
-
### P6.5 — MCP schema version strategy: 0.6 → 0.7 → 0.8 → 1.0
|
|
347
|
-
|
|
348
|
-
**What.** The MCP schema version (`SCHEMA_VERSION` in
|
|
349
|
-
`src/commands/mcp.ts`, currently `0.6.0`) is distinct from the app
|
|
350
|
-
version (`package.json`, currently `0.62.0`). Progression:
|
|
351
|
-
|
|
352
|
-
| Step | MCP schema | App version | Scope |
|
|
353
|
-
|---|---|---|---|
|
|
354
|
-
| Now | 0.6.0 | 0.62.x | baseline |
|
|
355
|
-
| Patches | 0.7.0 | 0.63.x | P6.1–P6.4 + provenance rollout |
|
|
356
|
-
| Migration | 0.8.0 | 0.64.x | `brainclaw migrate` + candidate archive |
|
|
357
|
-
| Phase 3 | 1.0.0 | 1.0.0 | canonical 6 verbs + legacy removal |
|
|
358
|
-
|
|
359
|
-
**Why.** App version tracks code changes; schema version tracks the
|
|
360
|
-
contract MCP clients bind to. Agents that cache tool catalogs need to
|
|
361
|
-
know when verbs changed shape.
|
|
362
|
-
|
|
363
|
-
**How to apply.** Bump `SCHEMA_VERSION` at each step. Tool catalog
|
|
364
|
-
response always includes schema_version so clients can invalidate.
|
|
365
|
-
|
|
366
|
-
### P6.6 — Pending candidates archived on migration
|
|
367
|
-
|
|
368
|
-
**What.** On v1.0 migration, existing candidates are not promoted or
|
|
369
|
-
rejected — they are archived to `.brainclaw/archive/candidates/` with a
|
|
370
|
-
manifest listing their original paths. The runtime stops reading them.
|
|
371
|
-
|
|
372
|
-
**Why.** No information loss (archive stays on disk for later
|
|
373
|
-
inspection), no forced triage on the operator, clean cutover.
|
|
374
|
-
|
|
375
|
-
**How to apply.** `brainclaw migrate --to-schema=1.0` copies
|
|
376
|
-
`.brainclaw/memory/candidates/` to `.brainclaw/archive/candidates/<date>/`,
|
|
377
|
-
writes an index, removes the live directory.
|
|
378
|
-
|
|
379
|
-
### P6.7 — Schema migration as a hard pre-Phase-3 step
|
|
380
|
-
|
|
381
|
-
**What.** Do not start Phase 3 (the grammar refactor) until
|
|
382
|
-
`brainclaw migrate` command exists and has been dogfooded on both live
|
|
383
|
-
installations (this machine + the monorepo test server).
|
|
384
|
-
|
|
385
|
-
**Why.** Phase 3 ships the canonical grammar. Existing stores must
|
|
386
|
-
upgrade cleanly to v1.0 schema before any tool rewrites remove the
|
|
387
|
-
legacy paths. Migration first = safety net; grammar refactor second =
|
|
388
|
-
execute with confidence.
|
|
389
|
-
|
|
390
|
-
**How to apply.** Migration plan (`feat/v1-schema-migration`, see §7)
|
|
391
|
-
is a hard blocker on the Phase 3 plan (`feat/phase-3-canonical-grammar`).
|
|
392
|
-
|
|
393
|
-
### P6.8 — Keep runtime_note / instruction / capability/tool distinct
|
|
394
|
-
|
|
395
|
-
**What.** Reviewers recommended leaving runtime_note, instruction
|
|
396
|
-
layers, and capability/tool as distinct entities for v1.0. They were
|
|
397
|
-
flagged as "examine further" in §5 — verdict is *keep as-is*.
|
|
398
|
-
|
|
399
|
-
**Why.** Instructions carry lifecycle triggers (`post-claim`,
|
|
400
|
-
`pre-session-end`) that constraints do not. Capability vs tool has a
|
|
401
|
-
semantic distinction (what the project *can do* vs what it *uses*)
|
|
402
|
-
that matters for discoverability. Runtime notes remain a natural
|
|
403
|
-
slot for low-confidence, scoped observations that do not yet deserve
|
|
404
|
-
promotion to decision/trap. Premature merger would lose information.
|
|
405
|
-
|
|
406
|
-
**How to apply.** No change for v1.0. Flag for a dedicated audit pass
|
|
407
|
-
post-v1.0 once usage data confirms or contradicts the distinctions.
|
|
408
|
-
|
|
409
|
-
## §7 — Consolidated Phase 3 checklist
|
|
410
|
-
|
|
411
|
-
Hard prerequisite before any item below: **`feat/v1-schema-migration`
|
|
412
|
-
plan must be executed and dogfooded** (see P6.7).
|
|
413
|
-
|
|
414
|
-
Phase 3 itself is sliced into nine sub-items; each is independently
|
|
415
|
-
mergeable behind a feature flag or catalog filter:
|
|
416
|
-
|
|
417
|
-
- **3a — EntityRegistry core.** New `src/core/entity-registry.ts`:
|
|
418
|
-
short-label prefixes, updatable-field Zod schemas, transition
|
|
419
|
-
matrices, side-effect map. Grammar consistency tests.
|
|
420
|
-
- **3b — Six canonical CRUD verbs.** Implement `bclaw_find`,
|
|
421
|
-
`bclaw_get`, `bclaw_create`, `bclaw_update`, `bclaw_remove`,
|
|
422
|
-
`bclaw_transition` consuming EntityRegistry. Behind `catalog: "all"`
|
|
423
|
-
filter first, public in `catalog: "default"` at v1.0.
|
|
424
|
-
- **3c — `bclaw_context(kind)` unified.** Consolidates
|
|
425
|
-
`bclaw_get_context`, `bclaw_get_execution_context`,
|
|
426
|
-
`bclaw_get_agent_board`, `bclaw_get_agent_board_summary` under one
|
|
427
|
-
intent with a `kind` discriminator. Includes `kind='delta'` from
|
|
428
|
-
P6.4.
|
|
429
|
-
- **3d — `bclaw_dispatch(intent)` unified.** Consolidates
|
|
430
|
-
`bclaw_dispatch_analysis`, `bclaw_dispatch_review`, and the raw
|
|
431
|
-
`bclaw_dispatch`. Review sub-intent carries `openLoop` flag for the
|
|
432
|
-
review_loop escalation path.
|
|
433
|
-
- **3e — Handoff downscale.** Strip the review sub-object, remove
|
|
434
|
-
`bclaw_update_handoff`, expose `bclaw_correct_handoff` for tombstone
|
|
435
|
-
corrections (P6.1). Federation push/pull preserved end-to-end.
|
|
436
|
-
- **3f — Provenance rollout.** Apply discriminated-union provenance
|
|
437
|
-
(P6.3) to decision/constraint/trap/handoff/runtime_note. Default
|
|
438
|
-
memory reads filter on confidence + non-legacy.
|
|
439
|
-
- **3g — Legacy deprecation warnings.** Keep old tool names in
|
|
440
|
-
`catalog: "all"` with `LEGACY_MCP_TOOL_WARNINGS` entries pointing to
|
|
441
|
-
the new verb. Warnings fire server-side on every call during 0.9.x.
|
|
442
|
-
- **3h — Docs sync.** Update `docs/integrations/mcp.md`,
|
|
443
|
-
`CLAUDE.md`, release notes, and agent profile exports. Canonical
|
|
444
|
-
grammar example galleries.
|
|
445
|
-
- **3i — Legacy removal + v1.0 cut.** Remove deprecated tool names
|
|
446
|
-
from the MCP surface entirely. Bump schema to 1.0.0 and app to
|
|
447
|
-
1.0.0. Public launch candidate.
|
|
448
|
-
|
|
449
|
-
Slices 3a–3b are the architecture core; 3c–3e are the intent
|
|
450
|
-
consolidations; 3f is cross-cutting; 3g–3i are the soft→hard cutover.
|
|
451
|
-
|
|
452
|
-
## Sources
|
|
453
|
-
|
|
454
|
-
- `docs/product/agent-first-model.md` — engine/cockpit two-layer model
|
|
455
|
-
- `docs/concepts/loop-engine.md` — v8 RFC for the loop primitive
|
|
456
|
-
- Session transcript 2026-04-18 (strategic round 2) — post-consult
|
|
457
|
-
integration pass
|
|
458
|
-
- Memory decisions `cnd#587` (product model) and `cnd#588` (loop
|
|
459
|
-
protocols roadmap)
|
|
460
|
-
- External consult verdicts 2026-04-18 (codex / claude-code /
|
|
461
|
-
github-copilot) — all `proceed_with_patches`, patches integrated in
|
|
462
|
-
§6
|
|
1
|
+
# Entity model audit — pre-v1.0 strategic reflection
|
|
2
|
+
|
|
3
|
+
Captured 2026-04-18 during a second round of strategic review before
|
|
4
|
+
the MCP grammar Phase 3 refactor. This document complements
|
|
5
|
+
`docs/product/agent-first-model.md` (which defines the two-layer
|
|
6
|
+
product model) and should be read before any entity-shape or API-verb
|
|
7
|
+
decision.
|
|
8
|
+
|
|
9
|
+
## Context
|
|
10
|
+
|
|
11
|
+
brainclaw has grown organically over months and some older concepts
|
|
12
|
+
deserve challenge before the public launch:
|
|
13
|
+
|
|
14
|
+
- The MCP surface has 70 tools, 26 dedicated to CRUD variants per
|
|
15
|
+
entity type.
|
|
16
|
+
- Some lifecycles (candidate review queue) are rarely used as designed.
|
|
17
|
+
- Some entities overlap in role (runtime_note vs decision-candidate,
|
|
18
|
+
capability vs tool).
|
|
19
|
+
- The upcoming API grammar refactor (Phase 3 in the broader plan)
|
|
20
|
+
will bake current entity shapes into permanent verbs. Cleaning the
|
|
21
|
+
model first avoids fossilising bad decisions.
|
|
22
|
+
|
|
23
|
+
Since brainclaw is not yet publicly distributed, backward compatibility
|
|
24
|
+
is not a blocker — the priority is internal coherence at v1.0 launch.
|
|
25
|
+
|
|
26
|
+
## Design principles that emerged
|
|
27
|
+
|
|
28
|
+
### P1 — Engine delivers value, cockpit sells adoption
|
|
29
|
+
See `agent-first-model.md`. Every engine feature should emit
|
|
30
|
+
machine-readable signals the cockpit can consume. Human visibility is
|
|
31
|
+
a critical adoption gate at enterprise scale, not optional.
|
|
32
|
+
|
|
33
|
+
### P2 — Three review modes must coexist without penalty
|
|
34
|
+
brainclaw must support three review intensities and let the agent
|
|
35
|
+
choose consciously:
|
|
36
|
+
|
|
37
|
+
| Mode | When | Cost | Entry point today |
|
|
38
|
+
|---|---|---|---|
|
|
39
|
+
| Self-review inline | Solo default path (~70% of sessions) | Few LLM cycles | No brainclaw tool, agent self-checks |
|
|
40
|
+
| Dispatch-review | When a second opinion is worth a round-trip | One inbox message + reply | `bclaw_dispatch_review(openLoop: false)` |
|
|
41
|
+
| Review loop | Quality bar high, multi-round likely, structured feedback needed | Multiple rounds, multi-slot | `bclaw_dispatch_review(openLoop: true)` or `bclaw_loop(intent='open', kind='review')` |
|
|
42
|
+
|
|
43
|
+
The simpler modes must not pay a tax because the heavier mode exists.
|
|
44
|
+
Primitives like session, claim, handoff, inbox must all work fully
|
|
45
|
+
without loops.
|
|
46
|
+
|
|
47
|
+
### P3 — Loops are opt-in enhancement, not default path
|
|
48
|
+
Loops (review, ideation, debug, research) are structured, multi-agent,
|
|
49
|
+
expensive. In the majority of sessions agents work directly without
|
|
50
|
+
them. Every primitive must be fully usable without a loop; loops are
|
|
51
|
+
invoked when the complexity justifies the cost.
|
|
52
|
+
|
|
53
|
+
### P4 — Teams cross-machine is a first-class scenario
|
|
54
|
+
brainclaw supports three modes of work without compromise:
|
|
55
|
+
|
|
56
|
+
- **Solo agent** — local, no coordination, fast.
|
|
57
|
+
- **Solo dev + external reviewer** — dispatch-review or review_loop.
|
|
58
|
+
- **Teams cross-machine** — federation push/pull, inbox cross-project,
|
|
59
|
+
handoff as the artifact for resuming on another machine.
|
|
60
|
+
|
|
61
|
+
Team primitives (federation, cross-project inbox, handoff) must stay
|
|
62
|
+
load-bearing; simplifications cannot break them.
|
|
63
|
+
|
|
64
|
+
## Entity-by-entity verdicts
|
|
65
|
+
|
|
66
|
+
### ✅ Keep as-is
|
|
67
|
+
|
|
68
|
+
- **Plan / Step / Sequence** — the three-tier hierarchy is
|
|
69
|
+
semantically distinct and useful for precise agent communication.
|
|
70
|
+
- Plan: a work item with a goal, text, priority, status, tags,
|
|
71
|
+
dependencies, steps.
|
|
72
|
+
- Step: sub-element of a plan; inherits lifecycle from its parent
|
|
73
|
+
but has its own status.
|
|
74
|
+
- Sequence: coordinates execution across plans/steps by defining
|
|
75
|
+
parallelizable lanes with hard/soft dependencies between items.
|
|
76
|
+
The distinction was confirmed as valuable by the operator.
|
|
77
|
+
|
|
78
|
+
- **Decision / Constraint / Trap (trichotomy)** — each carries
|
|
79
|
+
distinct semantics that earn their keep:
|
|
80
|
+
- **Decision**: anchors a strategic choice (e.g., "chose
|
|
81
|
+
PostgreSQL", "use X testing framework"). Retrospective reference.
|
|
82
|
+
- **Constraint**: imposes a process or rule that must be followed
|
|
83
|
+
(e.g., "minimize core dependencies", "all APIs must be REST",
|
|
84
|
+
"never init --force"). Strongest concept; drives hook injection
|
|
85
|
+
to remind agents of the process.
|
|
86
|
+
- **Trap**: environmental or process pitfall to avoid (e.g., "git
|
|
87
|
+
merge wipes node_modules", "sandbox X blocks MCP writes"). May
|
|
88
|
+
trigger a corrective plan when resolvable.
|
|
89
|
+
All three drive different agent behaviours (decisions = retrieve for
|
|
90
|
+
context, constraints = enforce, traps = warn + resolve).
|
|
91
|
+
|
|
92
|
+
- **Claim** — file-level advisory lock, scope boundary, worktree
|
|
93
|
+
attachment point. Clear lifecycle (active → released/expired).
|
|
94
|
+
|
|
95
|
+
- **Session** — execution envelope, links work to an agent identity.
|
|
96
|
+
|
|
97
|
+
- **Assignment / AgentRun** — runtime tracking of dispatched work.
|
|
98
|
+
Distinction is technical (assignment = the ask, run = the execution)
|
|
99
|
+
but useful for observability; the agent does not need to interact
|
|
100
|
+
with them directly.
|
|
101
|
+
|
|
102
|
+
### 🔴 Remove
|
|
103
|
+
|
|
104
|
+
- **Candidate lifecycle** — the "create candidate → accept/reject →
|
|
105
|
+
promote to decision/constraint/trap/handoff" workflow is badly used
|
|
106
|
+
in practice. Very few candidates in the current store have been
|
|
107
|
+
processed; most are auto-generated and ignored. The review queue
|
|
108
|
+
concept duplicates what the Loop engine now provides better via
|
|
109
|
+
`review_loop`.
|
|
110
|
+
|
|
111
|
+
**After removal:**
|
|
112
|
+
- `bclaw_create_candidate`, `bclaw_list_candidates`, `bclaw_accept`,
|
|
113
|
+
`bclaw_reject`, `bclaw_harvest_candidates` disappear from the
|
|
114
|
+
surface.
|
|
115
|
+
- Auto-reflection at session_end writes directly to decision /
|
|
116
|
+
constraint / trap / handoff with a `source: 'auto'` field and a
|
|
117
|
+
`confidence` score. Agents or humans filter low-confidence auto
|
|
118
|
+
items via `bclaw_find(source: 'auto', confidence_gte: 0.8)`.
|
|
119
|
+
- Intentional batch review moves to `review_loop` (open a loop
|
|
120
|
+
whose change_summary points to the memory items under review).
|
|
121
|
+
- Cross-project signals arrive directly in `inbox/cross-project/`
|
|
122
|
+
(already the pattern for other signals).
|
|
123
|
+
|
|
124
|
+
### ⚠️ Downscale
|
|
125
|
+
|
|
126
|
+
- **Handoff** — keep as a session-end auto-artifact, strip the
|
|
127
|
+
review sub-flow.
|
|
128
|
+
|
|
129
|
+
**Keep:**
|
|
130
|
+
- Automatic generation at `bclaw_session_end` with commits, files
|
|
131
|
+
touched, narrative, pre/post conditions, linked plans.
|
|
132
|
+
- Read-only access via `bclaw_get(entity='handoff', id)` for context
|
|
133
|
+
resumption on the same or another machine.
|
|
134
|
+
- Federation push/pull across linked projects (critical for teams;
|
|
135
|
+
without this teammate B's agent loses teammate A's session story).
|
|
136
|
+
- Optional linking to a `review_loop` when a structured review is
|
|
137
|
+
dispatched via `bclaw_dispatch_review(openLoop: true)`.
|
|
138
|
+
|
|
139
|
+
**Drop:**
|
|
140
|
+
- The `review` sub-object on the handoff entity (requester,
|
|
141
|
+
reviewer, thread_id, requested_at, review_message_id). Never
|
|
142
|
+
used as designed.
|
|
143
|
+
- Active `update_handoff` for mid-life edits. Only the narrative
|
|
144
|
+
override at session_end stays (single write at creation).
|
|
145
|
+
|
|
146
|
+
**Rationale:** handoffs are a *passive artefact* of the default
|
|
147
|
+
path, not a coordination surface. Review happens via dispatch-review
|
|
148
|
+
or review_loop, not via mutating a handoff.
|
|
149
|
+
|
|
150
|
+
### 🟡 Examine further during implementation
|
|
151
|
+
|
|
152
|
+
- **RuntimeNote** — if auto-reflect + direct memory writes land,
|
|
153
|
+
runtime_note becomes redundant with low-confidence decision/trap
|
|
154
|
+
candidates. Consider removing. Keep for this audit, revisit during
|
|
155
|
+
Phase 3 implementation.
|
|
156
|
+
|
|
157
|
+
- **Instruction layers** (global / project / agent) — functionally
|
|
158
|
+
similar to constraints with different scopes. Could merge into a
|
|
159
|
+
unified `memory` entity with a `scope` field. Not urgent; valid to
|
|
160
|
+
keep distinct for now since instructions have lifecycle triggers
|
|
161
|
+
(`trigger:post-claim`, `trigger:pre-session-end`) that constraints
|
|
162
|
+
do not.
|
|
163
|
+
|
|
164
|
+
- **Capability vs Tool** — two registries under `.brainclaw/memory/`
|
|
165
|
+
with a thin distinction (capability = what the project can do, tool
|
|
166
|
+
= what the project uses). Good candidate for merger under a
|
|
167
|
+
`resource` entity with a `kind` field. Low priority.
|
|
168
|
+
|
|
169
|
+
## Phase 3 grammar outline (post-audit)
|
|
170
|
+
|
|
171
|
+
### Canonical verbs (6)
|
|
172
|
+
|
|
173
|
+
```
|
|
174
|
+
bclaw_find(entity, filters, limit, offset) — query many
|
|
175
|
+
bclaw_get(entity, id | short_label) — fetch one
|
|
176
|
+
bclaw_create(entity, data) — new item, returns id
|
|
177
|
+
bclaw_update(entity, id, patch) — partial merge
|
|
178
|
+
bclaw_remove(entity, id, purge?) — archive (default) or hard delete
|
|
179
|
+
bclaw_transition(entity, id, to, reason?) — state machine transitions with side effects
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
### Workflow intents that stay distinct
|
|
183
|
+
|
|
184
|
+
```
|
|
185
|
+
bclaw_work(intent) — session + claim + context facade
|
|
186
|
+
bclaw_coordinate(intent) — multi-agent coordination
|
|
187
|
+
bclaw_loop(intent) — loop lifecycle
|
|
188
|
+
bclaw_dispatch(intent) — dispatch analysis + execution + review (unified from 3 tools)
|
|
189
|
+
bclaw_quick_capture(text) — NL → typed memory
|
|
190
|
+
bclaw_bootstrap, bclaw_setup, bclaw_switch, bclaw_compact
|
|
191
|
+
bclaw_context(kind) — unified from get_context, get_execution_context, get_discovery, get_agent_board, get_agent_board_summary
|
|
192
|
+
bclaw_audit(mode) — chronological or governance report
|
|
193
|
+
bclaw_doctor, bclaw_check_policy, bclaw_check_security
|
|
194
|
+
bclaw_history, bclaw_estimation_report, bclaw_release_notes
|
|
195
|
+
```
|
|
196
|
+
|
|
197
|
+
### Approximate surface size
|
|
198
|
+
|
|
199
|
+
From 70 tools to ~20. Each verb is memorable, schema-discoverable, and
|
|
200
|
+
has a clear semantic.
|
|
201
|
+
|
|
202
|
+
### EntityRegistry as single source of truth
|
|
203
|
+
|
|
204
|
+
A new `src/core/entity-registry.ts` module holds:
|
|
205
|
+
|
|
206
|
+
- Short-label prefix per entity (plan → `pln`, claim → `clm`, …)
|
|
207
|
+
- Updatable fields per entity (Zod schema — what `update` can touch)
|
|
208
|
+
- Valid status transitions per entity (state machine definition)
|
|
209
|
+
- Side effects per transition (hardcoded for MVP, configurable later)
|
|
210
|
+
|
|
211
|
+
`bclaw_update` and `bclaw_transition` both consult this registry. A
|
|
212
|
+
grammar-consistency test suite verifies every entity has a complete
|
|
213
|
+
schema declaration.
|
|
214
|
+
|
|
215
|
+
### Transition logging — three destinations
|
|
216
|
+
|
|
217
|
+
| Destination | For whom | Why |
|
|
218
|
+
|---|---|---|
|
|
219
|
+
| `audit.log` | Forensics, compliance, governance | Authoritative chronological record |
|
|
220
|
+
| `events.jsonl` (already exists) | Reactive agents + cockpit live feed | Low-level event stream |
|
|
221
|
+
| `bclaw_activity` (new derived tool) | Humans, coordinator agents | Narrative digest, aggregated by entity/agent/session |
|
|
222
|
+
|
|
223
|
+
The cockpit (human-visibility layer) is built by consuming these
|
|
224
|
+
signals. Engine features emit; cockpit aggregates.
|
|
225
|
+
|
|
226
|
+
## Open questions for external validation
|
|
227
|
+
|
|
228
|
+
Before committing to implementation, we are consulting external
|
|
229
|
+
perspectives (codex, another claude-code instance, github-copilot) to
|
|
230
|
+
pressure-test these decisions. The four questions:
|
|
231
|
+
|
|
232
|
+
**Q0 — Teams cross-machine completeness.** Our current primitives
|
|
233
|
+
(handoff federation, inbox cross-project, claims local, runtime_note
|
|
234
|
+
federation) — do they cover common team cases (2–5 devs on different
|
|
235
|
+
machines, shared monorepo, distributed reviewers)? Is there an obvious
|
|
236
|
+
missing pattern?
|
|
237
|
+
|
|
238
|
+
**Q1 — Handoff simplification safety.** After stripping the review
|
|
239
|
+
sub-flow and keeping the handoff as a passive session-end artefact
|
|
240
|
+
(with federation + read-only + optional review_loop link), is there
|
|
241
|
+
any agent-facing use case this simplification breaks that we haven't
|
|
242
|
+
seen?
|
|
243
|
+
|
|
244
|
+
**Q2 — Transition side effects hardcoded vs configurable.** For MVP we
|
|
245
|
+
plan to hardcode side effects of transitions (close claims on
|
|
246
|
+
plan.status=done, promote candidate on accept, etc.) in the
|
|
247
|
+
`bclaw_transition` handler rather than declaring them in the
|
|
248
|
+
EntityRegistry. Is this the right tradeoff for now, or does the
|
|
249
|
+
configurable approach pay for itself early?
|
|
250
|
+
|
|
251
|
+
**Q3 — Version strategy pre-public.** Given we are pre-public with no
|
|
252
|
+
external integrators, should we:
|
|
253
|
+
- (a) bump v0.8 → v1.0 directly with the cleaned grammar, accepting
|
|
254
|
+
the internal breaking change in one go; or
|
|
255
|
+
- (b) go v0.8 → v0.9 (add new verbs, deprecate legacy) → v1.0 (remove
|
|
256
|
+
legacy), using two internal releases as buffer?
|
|
257
|
+
|
|
258
|
+
Option (a) is cleaner but less battle-tested before public launch;
|
|
259
|
+
(b) is slower but lets us dogfood the new grammar before removing the
|
|
260
|
+
old.
|
|
261
|
+
|
|
262
|
+
## §6 — Patches integrated post-consult
|
|
263
|
+
|
|
264
|
+
Three external reviewers (codex, a second claude-code instance,
|
|
265
|
+
github-copilot) returned verdict `proceed_with_patches` on the audit.
|
|
266
|
+
Their convergent recommendations are integrated below. Each patch is
|
|
267
|
+
load-bearing for Phase 3 and must land either before or during the
|
|
268
|
+
grammar refactor.
|
|
269
|
+
|
|
270
|
+
### P6.1 — Tombstone pattern for handoff corrections
|
|
271
|
+
|
|
272
|
+
**What.** Handoffs stay immutable session-end artefacts. Post-session
|
|
273
|
+
corrections (a teammate spotted a mistake, a follow-up clarified
|
|
274
|
+
something) do not mutate the original handoff — they create a *new
|
|
275
|
+
correction handoff* that carries a `superseded_by` pointer back to the
|
|
276
|
+
original.
|
|
277
|
+
|
|
278
|
+
**Why.** Preserves the "passive artefact" property while keeping an
|
|
279
|
+
audit trail of who revised what. Federation remains safe (each record
|
|
280
|
+
is whole, no partial merges).
|
|
281
|
+
|
|
282
|
+
**How to apply.** Reject all `bclaw_update(entity='handoff', …)`
|
|
283
|
+
outside the narrative override at creation. Expose instead a
|
|
284
|
+
`bclaw_correct_handoff(original_id, correction_data)` helper that
|
|
285
|
+
writes a new handoff and patches `original.superseded_by`.
|
|
286
|
+
|
|
287
|
+
### P6.2 — Declarative transition matrix + imperative side effects
|
|
288
|
+
|
|
289
|
+
**What.** Valid status transitions per entity live in the
|
|
290
|
+
EntityRegistry as a declarative matrix (`{ from: [to1, to2] }`). Side
|
|
291
|
+
effects (close linked claims, write audit entry, emit event) stay
|
|
292
|
+
imperative in `bclaw_transition` for MVP.
|
|
293
|
+
|
|
294
|
+
**Why.** Hybrid lets us test the declarative matrix (grammar
|
|
295
|
+
consistency tests, static analysis) without over-engineering a rules
|
|
296
|
+
engine we do not need yet. Migration to declarative side effects later
|
|
297
|
+
is a drop-in without breaking callers.
|
|
298
|
+
|
|
299
|
+
**How to apply.** `EntityRegistry[entity].transitions` is the
|
|
300
|
+
authoritative matrix; `bclaw_transition` rejects moves not in the
|
|
301
|
+
matrix, then runs a hardcoded side-effect dispatch per (entity, to)
|
|
302
|
+
pair.
|
|
303
|
+
|
|
304
|
+
### P6.3 — Provenance as a typed discriminated union
|
|
305
|
+
|
|
306
|
+
**What.** Replace the single `source: 'auto' | 'user' | …` string with
|
|
307
|
+
a typed discriminated union:
|
|
308
|
+
|
|
309
|
+
```ts
|
|
310
|
+
type Provenance =
|
|
311
|
+
| { kind: 'agent'; agent_id: string; session_id: string }
|
|
312
|
+
| { kind: 'auto_reflect'; source_session: string; confidence: number }
|
|
313
|
+
| { kind: 'user'; author: string }
|
|
314
|
+
| { kind: 'loop_artifact'; loop_id: string; slot: string; turn: number }
|
|
315
|
+
| { kind: 'federation'; source_project: string; remote_id: string }
|
|
316
|
+
| { kind: 'correction'; supersedes: string }
|
|
317
|
+
| { kind: 'legacy' };
|
|
318
|
+
```
|
|
319
|
+
|
|
320
|
+
**Why.** Each origin has different downstream implications (retention,
|
|
321
|
+
confidence, federation behavior, audit narrative). A single string
|
|
322
|
+
field cannot carry the metadata cleanly; a union keeps type-safety and
|
|
323
|
+
makes queries like `bclaw_find(provenance.kind='auto_reflect',
|
|
324
|
+
confidence_gte:0.8)` natural.
|
|
325
|
+
|
|
326
|
+
**How to apply.** Add `provenance` field to
|
|
327
|
+
decision/constraint/trap/handoff/runtime_note schemas. On v1.0
|
|
328
|
+
migration, existing records receive `{ kind: 'legacy' }`. Default
|
|
329
|
+
filter on memory reads: exclude `legacy` + auto below threshold,
|
|
330
|
+
configurable via the query.
|
|
331
|
+
|
|
332
|
+
### P6.4 — Delta context via bclaw_context(kind='delta')
|
|
333
|
+
|
|
334
|
+
**What.** `bclaw_context` currently returns full state every call. Add
|
|
335
|
+
a `kind: 'delta', since: <handoff_id | timestamp | event_seq>`
|
|
336
|
+
parameter that returns only what changed since the reference point.
|
|
337
|
+
|
|
338
|
+
**Why.** At scale (long sessions, cross-agent resumption, federation
|
|
339
|
+
sync) returning full state is a token tax. Resumption needs the delta,
|
|
340
|
+
not the world.
|
|
341
|
+
|
|
342
|
+
**How to apply.** Implement as a filter over the events.jsonl stream +
|
|
343
|
+
a diff against the referenced snapshot. Falls back to full context if
|
|
344
|
+
the reference point is too old (compacted out).
|
|
345
|
+
|
|
346
|
+
### P6.5 — MCP schema version strategy: 0.6 → 0.7 → 0.8 → 1.0
|
|
347
|
+
|
|
348
|
+
**What.** The MCP schema version (`SCHEMA_VERSION` in
|
|
349
|
+
`src/commands/mcp.ts`, currently `0.6.0`) is distinct from the app
|
|
350
|
+
version (`package.json`, currently `0.62.0`). Progression:
|
|
351
|
+
|
|
352
|
+
| Step | MCP schema | App version | Scope |
|
|
353
|
+
|---|---|---|---|
|
|
354
|
+
| Now | 0.6.0 | 0.62.x | baseline |
|
|
355
|
+
| Patches | 0.7.0 | 0.63.x | P6.1–P6.4 + provenance rollout |
|
|
356
|
+
| Migration | 0.8.0 | 0.64.x | `brainclaw migrate` + candidate archive |
|
|
357
|
+
| Phase 3 | 1.0.0 | 1.0.0 | canonical 6 verbs + legacy removal |
|
|
358
|
+
|
|
359
|
+
**Why.** App version tracks code changes; schema version tracks the
|
|
360
|
+
contract MCP clients bind to. Agents that cache tool catalogs need to
|
|
361
|
+
know when verbs changed shape.
|
|
362
|
+
|
|
363
|
+
**How to apply.** Bump `SCHEMA_VERSION` at each step. Tool catalog
|
|
364
|
+
response always includes schema_version so clients can invalidate.
|
|
365
|
+
|
|
366
|
+
### P6.6 — Pending candidates archived on migration
|
|
367
|
+
|
|
368
|
+
**What.** On v1.0 migration, existing candidates are not promoted or
|
|
369
|
+
rejected — they are archived to `.brainclaw/archive/candidates/` with a
|
|
370
|
+
manifest listing their original paths. The runtime stops reading them.
|
|
371
|
+
|
|
372
|
+
**Why.** No information loss (archive stays on disk for later
|
|
373
|
+
inspection), no forced triage on the operator, clean cutover.
|
|
374
|
+
|
|
375
|
+
**How to apply.** `brainclaw migrate --to-schema=1.0` copies
|
|
376
|
+
`.brainclaw/memory/candidates/` to `.brainclaw/archive/candidates/<date>/`,
|
|
377
|
+
writes an index, removes the live directory.
|
|
378
|
+
|
|
379
|
+
### P6.7 — Schema migration as a hard pre-Phase-3 step
|
|
380
|
+
|
|
381
|
+
**What.** Do not start Phase 3 (the grammar refactor) until
|
|
382
|
+
`brainclaw migrate` command exists and has been dogfooded on both live
|
|
383
|
+
installations (this machine + the monorepo test server).
|
|
384
|
+
|
|
385
|
+
**Why.** Phase 3 ships the canonical grammar. Existing stores must
|
|
386
|
+
upgrade cleanly to v1.0 schema before any tool rewrites remove the
|
|
387
|
+
legacy paths. Migration first = safety net; grammar refactor second =
|
|
388
|
+
execute with confidence.
|
|
389
|
+
|
|
390
|
+
**How to apply.** Migration plan (`feat/v1-schema-migration`, see §7)
|
|
391
|
+
is a hard blocker on the Phase 3 plan (`feat/phase-3-canonical-grammar`).
|
|
392
|
+
|
|
393
|
+
### P6.8 — Keep runtime_note / instruction / capability/tool distinct
|
|
394
|
+
|
|
395
|
+
**What.** Reviewers recommended leaving runtime_note, instruction
|
|
396
|
+
layers, and capability/tool as distinct entities for v1.0. They were
|
|
397
|
+
flagged as "examine further" in §5 — verdict is *keep as-is*.
|
|
398
|
+
|
|
399
|
+
**Why.** Instructions carry lifecycle triggers (`post-claim`,
|
|
400
|
+
`pre-session-end`) that constraints do not. Capability vs tool has a
|
|
401
|
+
semantic distinction (what the project *can do* vs what it *uses*)
|
|
402
|
+
that matters for discoverability. Runtime notes remain a natural
|
|
403
|
+
slot for low-confidence, scoped observations that do not yet deserve
|
|
404
|
+
promotion to decision/trap. Premature merger would lose information.
|
|
405
|
+
|
|
406
|
+
**How to apply.** No change for v1.0. Flag for a dedicated audit pass
|
|
407
|
+
post-v1.0 once usage data confirms or contradicts the distinctions.
|
|
408
|
+
|
|
409
|
+
## §7 — Consolidated Phase 3 checklist
|
|
410
|
+
|
|
411
|
+
Hard prerequisite before any item below: **`feat/v1-schema-migration`
|
|
412
|
+
plan must be executed and dogfooded** (see P6.7).
|
|
413
|
+
|
|
414
|
+
Phase 3 itself is sliced into nine sub-items; each is independently
|
|
415
|
+
mergeable behind a feature flag or catalog filter:
|
|
416
|
+
|
|
417
|
+
- **3a — EntityRegistry core.** New `src/core/entity-registry.ts`:
|
|
418
|
+
short-label prefixes, updatable-field Zod schemas, transition
|
|
419
|
+
matrices, side-effect map. Grammar consistency tests.
|
|
420
|
+
- **3b — Six canonical CRUD verbs.** Implement `bclaw_find`,
|
|
421
|
+
`bclaw_get`, `bclaw_create`, `bclaw_update`, `bclaw_remove`,
|
|
422
|
+
`bclaw_transition` consuming EntityRegistry. Behind `catalog: "all"`
|
|
423
|
+
filter first, public in `catalog: "default"` at v1.0.
|
|
424
|
+
- **3c — `bclaw_context(kind)` unified.** Consolidates
|
|
425
|
+
`bclaw_get_context`, `bclaw_get_execution_context`,
|
|
426
|
+
`bclaw_get_agent_board`, `bclaw_get_agent_board_summary` under one
|
|
427
|
+
intent with a `kind` discriminator. Includes `kind='delta'` from
|
|
428
|
+
P6.4.
|
|
429
|
+
- **3d — `bclaw_dispatch(intent)` unified.** Consolidates
|
|
430
|
+
`bclaw_dispatch_analysis`, `bclaw_dispatch_review`, and the raw
|
|
431
|
+
`bclaw_dispatch`. Review sub-intent carries `openLoop` flag for the
|
|
432
|
+
review_loop escalation path.
|
|
433
|
+
- **3e — Handoff downscale.** Strip the review sub-object, remove
|
|
434
|
+
`bclaw_update_handoff`, expose `bclaw_correct_handoff` for tombstone
|
|
435
|
+
corrections (P6.1). Federation push/pull preserved end-to-end.
|
|
436
|
+
- **3f — Provenance rollout.** Apply discriminated-union provenance
|
|
437
|
+
(P6.3) to decision/constraint/trap/handoff/runtime_note. Default
|
|
438
|
+
memory reads filter on confidence + non-legacy.
|
|
439
|
+
- **3g — Legacy deprecation warnings.** Keep old tool names in
|
|
440
|
+
`catalog: "all"` with `LEGACY_MCP_TOOL_WARNINGS` entries pointing to
|
|
441
|
+
the new verb. Warnings fire server-side on every call during 0.9.x.
|
|
442
|
+
- **3h — Docs sync.** Update `docs/integrations/mcp.md`,
|
|
443
|
+
`CLAUDE.md`, release notes, and agent profile exports. Canonical
|
|
444
|
+
grammar example galleries.
|
|
445
|
+
- **3i — Legacy removal + v1.0 cut.** Remove deprecated tool names
|
|
446
|
+
from the MCP surface entirely. Bump schema to 1.0.0 and app to
|
|
447
|
+
1.0.0. Public launch candidate.
|
|
448
|
+
|
|
449
|
+
Slices 3a–3b are the architecture core; 3c–3e are the intent
|
|
450
|
+
consolidations; 3f is cross-cutting; 3g–3i are the soft→hard cutover.
|
|
451
|
+
|
|
452
|
+
## Sources
|
|
453
|
+
|
|
454
|
+
- `docs/product/agent-first-model.md` — engine/cockpit two-layer model
|
|
455
|
+
- `docs/concepts/loop-engine.md` — v8 RFC for the loop primitive
|
|
456
|
+
- Session transcript 2026-04-18 (strategic round 2) — post-consult
|
|
457
|
+
integration pass
|
|
458
|
+
- Memory decisions `cnd#587` (product model) and `cnd#588` (loop
|
|
459
|
+
protocols roadmap)
|
|
460
|
+
- External consult verdicts 2026-04-18 (codex / claude-code /
|
|
461
|
+
github-copilot) — all `proceed_with_patches`, patches integrated in
|
|
462
|
+
§6
|