claude-flow 3.22.0 → 3.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/.claude/helpers/.helpers-version +1 -0
  2. package/.claude/helpers/auto-memory-hook.mjs +59 -274
  3. package/.claude/helpers/helpers.manifest.json +12 -0
  4. package/.claude/helpers/hook-handler.cjs +132 -112
  5. package/.claude/helpers/intelligence.cjs +992 -196
  6. package/package.json +1 -1
  7. package/v3/@claude-flow/cli/dist/src/commands/memory-backup.d.ts +11 -0
  8. package/v3/@claude-flow/cli/dist/src/commands/memory-backup.js +46 -0
  9. package/v3/@claude-flow/cli/dist/src/commands/memory.js +2 -1
  10. package/v3/@claude-flow/cli/dist/src/config/harness-feedback-applier.d.ts +50 -0
  11. package/v3/@claude-flow/cli/dist/src/config/harness-feedback-applier.js +122 -0
  12. package/v3/@claude-flow/cli/dist/src/config/proven-config-refresh.d.ts +39 -0
  13. package/v3/@claude-flow/cli/dist/src/config/proven-config-refresh.js +154 -0
  14. package/v3/@claude-flow/cli/dist/src/config/proven-config-rvfa.d.ts +23 -0
  15. package/v3/@claude-flow/cli/dist/src/config/proven-config-rvfa.js +73 -0
  16. package/v3/@claude-flow/cli/dist/src/config/proven-config.d.ts +86 -0
  17. package/v3/@claude-flow/cli/dist/src/config/proven-config.js +176 -0
  18. package/v3/@claude-flow/cli/dist/src/index.js +35 -0
  19. package/v3/@claude-flow/cli/dist/src/mcp-tools/neural-tools.d.ts +10 -0
  20. package/v3/@claude-flow/cli/dist/src/mcp-tools/neural-tools.js +107 -18
  21. package/v3/@claude-flow/cli/dist/src/services/daemon-autostart.d.ts +17 -0
  22. package/v3/@claude-flow/cli/dist/src/services/daemon-autostart.js +79 -0
  23. package/v3/@claude-flow/cli/dist/src/services/evolve-proof.d.ts +247 -0
  24. package/v3/@claude-flow/cli/dist/src/services/evolve-proof.js +341 -0
  25. package/v3/@claude-flow/cli/dist/src/services/harness-benchmark.d.ts +68 -0
  26. package/v3/@claude-flow/cli/dist/src/services/harness-benchmark.js +94 -0
  27. package/v3/@claude-flow/cli/dist/src/services/harness-canary.d.ts +60 -0
  28. package/v3/@claude-flow/cli/dist/src/services/harness-canary.js +69 -0
  29. package/v3/@claude-flow/cli/dist/src/services/harness-corpus-harvester.d.ts +51 -0
  30. package/v3/@claude-flow/cli/dist/src/services/harness-corpus-harvester.js +74 -0
  31. package/v3/@claude-flow/cli/dist/src/services/harness-flywheel-generations.d.ts +111 -0
  32. package/v3/@claude-flow/cli/dist/src/services/harness-flywheel-generations.js +354 -0
  33. package/v3/@claude-flow/cli/dist/src/services/harness-flywheel-runtime.d.ts +25 -0
  34. package/v3/@claude-flow/cli/dist/src/services/harness-flywheel-runtime.js +101 -0
  35. package/v3/@claude-flow/cli/dist/src/services/harness-flywheel.d.ts +48 -0
  36. package/v3/@claude-flow/cli/dist/src/services/harness-flywheel.js +207 -0
  37. package/v3/@claude-flow/cli/dist/src/services/harness-hosts.d.ts +40 -0
  38. package/v3/@claude-flow/cli/dist/src/services/harness-hosts.js +88 -0
  39. package/v3/@claude-flow/cli/dist/src/services/harness-improvement-ledger.d.ts +63 -0
  40. package/v3/@claude-flow/cli/dist/src/services/harness-improvement-ledger.js +101 -0
  41. package/v3/@claude-flow/cli/dist/src/services/harness-loop.d.ts +53 -0
  42. package/v3/@claude-flow/cli/dist/src/services/harness-loop.js +85 -0
  43. package/v3/@claude-flow/cli/dist/src/services/harness-qualification.d.ts +66 -0
  44. package/v3/@claude-flow/cli/dist/src/services/harness-qualification.js +143 -0
  45. package/v3/@claude-flow/cli/dist/src/services/harness-replay.d.ts +37 -0
  46. package/v3/@claude-flow/cli/dist/src/services/harness-replay.js +92 -0
  47. package/v3/@claude-flow/cli/dist/src/services/harness-verify.d.ts +33 -0
  48. package/v3/@claude-flow/cli/dist/src/services/harness-verify.js +26 -0
  49. package/v3/@claude-flow/cli/dist/src/services/harness-worker.d.ts +23 -0
  50. package/v3/@claude-flow/cli/dist/src/services/harness-worker.js +66 -0
  51. package/v3/@claude-flow/cli/dist/src/services/memory-backup.d.ts +24 -0
  52. package/v3/@claude-flow/cli/dist/src/services/memory-backup.js +94 -0
  53. package/v3/@claude-flow/cli/dist/src/services/worker-daemon.d.ts +16 -1
  54. package/v3/@claude-flow/cli/dist/src/services/worker-daemon.js +84 -0
  55. package/v3/@claude-flow/cli/package.json +1 -1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claude-flow",
3
- "version": "3.22.0",
3
+ "version": "3.24.0",
4
4
  "description": "Ruflo - Enterprise AI agent orchestration for Claude Code. Deploy 60+ specialized agents in coordinated swarms with self-learning, fault-tolerant consensus, vector memory, and MCP integration",
5
5
  "main": "dist/index.js",
6
6
  "type": "module",
@@ -0,0 +1,11 @@
1
+ /**
2
+ * V3 CLI `memory backup` command.
3
+ *
4
+ * WAL-safe snapshot of the vector-memory DB (`.swarm/memory.db`) with rotation
5
+ * and optional GCS offsite. Thin surface over ../services/memory-backup.js; the
6
+ * daemon's nightly `backup` worker calls the same service.
7
+ */
8
+ import type { Command } from '../types.js';
9
+ export declare const backupCommand: Command;
10
+ export default backupCommand;
11
+ //# sourceMappingURL=memory-backup.d.ts.map
@@ -0,0 +1,46 @@
1
+ import { output } from '../output.js';
2
+ import { backupMemoryDb, defaultMemoryDbPath } from '../services/memory-backup.js';
3
+ export const backupCommand = {
4
+ name: 'backup',
5
+ description: 'Snapshot the vector-memory DB (.swarm/memory.db) — WAL-safe, rotated, optional GCS offsite',
6
+ options: [
7
+ { name: 'db', description: 'Source DB (default: .swarm/memory.db)', type: 'string' },
8
+ { name: 'dir', description: 'Destination dir (default: .swarm/backups)', type: 'string' },
9
+ { name: 'keep', description: 'Rotation — keep the newest N snapshots (default 7)', type: 'number', default: 7 },
10
+ { name: 'gcs', description: 'Also upload the snapshot to a gs://bucket/prefix (offsite)', type: 'string' },
11
+ { name: 'verbose', short: 'v', description: 'Verbose logging', type: 'boolean' },
12
+ ],
13
+ examples: [
14
+ { command: 'claude-flow memory backup', description: 'Snapshot to .swarm/backups, keep last 7' },
15
+ { command: 'claude-flow memory backup --keep 30', description: 'Keep a month of nightly snapshots' },
16
+ { command: 'claude-flow memory backup --gcs gs://my-bucket/ruflo-backups', description: 'Also upload offsite to GCS' },
17
+ ],
18
+ action: async (ctx) => {
19
+ const r = await backupMemoryDb({
20
+ dbPath: ctx.flags.db || defaultMemoryDbPath(ctx.cwd),
21
+ destDir: ctx.flags.dir,
22
+ keep: typeof ctx.flags.keep === 'number' ? ctx.flags.keep : 7,
23
+ gcs: ctx.flags.gcs,
24
+ verbose: ctx.flags.verbose === true,
25
+ });
26
+ if (!r.backedUp) {
27
+ // no-db is a benign "nothing to back up yet"; anything else is a real skip.
28
+ if (r.skipped === 'no-db') {
29
+ output.printWarning('No memory DB found to back up (.swarm/memory.db). Nothing to do.');
30
+ return { success: true, data: r };
31
+ }
32
+ output.printError(`Backup skipped: ${r.skipped}`);
33
+ return { success: false, exitCode: 1, data: r };
34
+ }
35
+ output.writeln();
36
+ output.writeln(output.success(`Backed up → ${r.path}`));
37
+ output.printList([
38
+ `Size: ${Math.round((r.sizeBytes ?? 0) / 1024)} KB`,
39
+ `Rotated: ${r.rotatedAway?.length ?? 0} old snapshot(s) removed`,
40
+ ...(r.gcsUri ? [`Offsite: ${r.gcsUri}`] : []),
41
+ ]);
42
+ return { success: true, data: r };
43
+ },
44
+ };
45
+ export default backupCommand;
46
+ //# sourceMappingURL=memory-backup.js.map
@@ -6,6 +6,7 @@ import { output } from '../output.js';
6
6
  import { select, confirm, input } from '../prompt.js';
7
7
  import { callMCPTool, MCPClientError } from '../mcp-client.js';
8
8
  import { distillCommand } from './memory-distill.js';
9
+ import { backupCommand } from './memory-backup.js';
9
10
  // Memory backends
10
11
  const BACKENDS = [
11
12
  { value: 'agentdb', label: 'AgentDB', hint: 'Vector database with HNSW indexing (150x-12,500x faster)' },
@@ -1472,7 +1473,7 @@ const initMemoryCommand = {
1472
1473
  export const memoryCommand = {
1473
1474
  name: 'memory',
1474
1475
  description: 'Memory management commands',
1475
- subcommands: [initMemoryCommand, storeCommand, retrieveCommand, searchCommand, listCommand, deleteCommand, statsCommand, configureCommand, cleanupCommand, compressCommand, exportCommand, importCommand, distillCommand],
1476
+ subcommands: [initMemoryCommand, storeCommand, retrieveCommand, searchCommand, listCommand, deleteCommand, statsCommand, configureCommand, cleanupCommand, compressCommand, exportCommand, importCommand, distillCommand, backupCommand],
1476
1477
  options: [],
1477
1478
  examples: [
1478
1479
  { command: 'claude-flow memory store -k "key" -v "value"', description: 'Store data' },
@@ -0,0 +1,50 @@
1
+ export declare const ADOPTED_CONFIG_FILE = "proven-config.json";
2
+ export declare const ACTIVE_POLICY_FILE = "harness-active-policy.json";
3
+ export interface ActivePolicy {
4
+ championId: string;
5
+ provenanceTier: string;
6
+ layer?: string;
7
+ appliedAt: number;
8
+ previous?: string | null;
9
+ rolledBack?: boolean;
10
+ params?: Record<string, unknown>;
11
+ }
12
+ export interface ApplyResult {
13
+ applied: boolean;
14
+ from?: string | null;
15
+ to?: string;
16
+ reason?: string;
17
+ }
18
+ /**
19
+ * Apply the adopted champion to the active harness policy. Idempotent (applying
20
+ * the same champion is a no-op), reversible (records the superseded champion),
21
+ * best-effort. `now` is injectable for tests.
22
+ */
23
+ export declare function applyChampion(cwd: string, opts?: {
24
+ now?: number;
25
+ }): ApplyResult;
26
+ /**
27
+ * Apply a champion directly by its config payload (local self-optimization,
28
+ * ADR-176 flywheel). Unlike applyChampion (which reads a propagated, signed,
29
+ * adopted record), this activates a LOCALLY-mined champion that just cleared the
30
+ * install's own measured gate — no signing, because nothing is propagated. Still
31
+ * reversible (records `previous`) and idempotent. Consumers read `params`.
32
+ */
33
+ export declare function applyChampionParams(cwd: string, opts: {
34
+ championId: string;
35
+ params?: Record<string, unknown>;
36
+ layer?: string;
37
+ previous?: string | null;
38
+ now?: number;
39
+ }): ApplyResult;
40
+ /**
41
+ * Reverse the last apply: point the active policy back at its `previous`
42
+ * champion (reversibility, ADR-177 rollback pointer). No-op if there is no
43
+ * previous. The previous champion's policy is fetched by ref by consumers.
44
+ */
45
+ export declare function rollbackActivePolicy(cwd: string, opts?: {
46
+ now?: number;
47
+ }): ApplyResult;
48
+ /** The champion routing/agents should currently use, or null. */
49
+ export declare function activeChampion(cwd: string): ActivePolicy | null;
50
+ //# sourceMappingURL=harness-feedback-applier.d.ts.map
@@ -0,0 +1,122 @@
1
+ /**
2
+ * Feedback applier — close the loop (ADR-176 phase 9).
3
+ *
4
+ * A proven champion adopted by the propagation channel (ADR-177,
5
+ * proven-config-refresh.ts writes `.claude/proven-config.json`) is inert until
6
+ * something *applies* it to what ruflo actually runs. This applier promotes the
7
+ * adopted champion to the ACTIVE harness policy that routing/agents consume —
8
+ * reversibly (keeps the previous pointer) and provenance-tagged (ADR-171), so
9
+ * it composes with the promote-gate discipline rather than bypassing it. It only
10
+ * ever sets a pointer to a proven, signed champion; it never invents config.
11
+ * Zero deps, $0.
12
+ */
13
+ import * as fs from 'fs';
14
+ import * as path from 'path';
15
+ export const ADOPTED_CONFIG_FILE = 'proven-config.json'; // written by proven-config-refresh (in .claude)
16
+ export const ACTIVE_POLICY_FILE = 'harness-active-policy.json'; // consumed by routing/agents (in .claude-flow)
17
+ function readJson(p) {
18
+ try {
19
+ return JSON.parse(fs.readFileSync(p, 'utf-8'));
20
+ }
21
+ catch {
22
+ return null;
23
+ }
24
+ }
25
+ /**
26
+ * Apply the adopted champion to the active harness policy. Idempotent (applying
27
+ * the same champion is a no-op), reversible (records the superseded champion),
28
+ * best-effort. `now` is injectable for tests.
29
+ */
30
+ export function applyChampion(cwd, opts = {}) {
31
+ try {
32
+ const claudeDir = path.join(cwd, '.claude');
33
+ const adopted = readJson(path.join(claudeDir, ADOPTED_CONFIG_FILE));
34
+ if (!adopted?.championId)
35
+ return { applied: false, reason: 'no adopted champion' };
36
+ const cfDir = path.join(cwd, '.claude-flow');
37
+ const activePath = path.join(cfDir, ACTIVE_POLICY_FILE);
38
+ const current = readJson(activePath);
39
+ if (current?.championId === adopted.championId && !current.rolledBack) {
40
+ return { applied: false, reason: 'already active' }; // idempotent
41
+ }
42
+ const active = {
43
+ championId: adopted.championId,
44
+ // A champion only reaches adoption if it cleared the promote-gate, so it is
45
+ // oracle/judge-backed; proxy can never be here (ADR-171). Default oracle.
46
+ provenanceTier: 'oracle:test-exec',
47
+ layer: adopted.manifest?.layer,
48
+ appliedAt: opts.now ?? Date.now(),
49
+ previous: current?.championId ?? adopted.previous ?? null,
50
+ params: adopted.manifest?.policy?.value,
51
+ };
52
+ fs.mkdirSync(cfDir, { recursive: true });
53
+ fs.writeFileSync(activePath, JSON.stringify(active, null, 2), 'utf-8');
54
+ return { applied: true, from: active.previous, to: active.championId };
55
+ }
56
+ catch (e) {
57
+ return { applied: false, reason: `error: ${e?.message ?? e}` };
58
+ }
59
+ }
60
+ /**
61
+ * Apply a champion directly by its config payload (local self-optimization,
62
+ * ADR-176 flywheel). Unlike applyChampion (which reads a propagated, signed,
63
+ * adopted record), this activates a LOCALLY-mined champion that just cleared the
64
+ * install's own measured gate — no signing, because nothing is propagated. Still
65
+ * reversible (records `previous`) and idempotent. Consumers read `params`.
66
+ */
67
+ export function applyChampionParams(cwd, opts) {
68
+ try {
69
+ const cfDir = path.join(cwd, '.claude-flow');
70
+ const activePath = path.join(cfDir, ACTIVE_POLICY_FILE);
71
+ const current = readJson(activePath);
72
+ if (current?.championId === opts.championId && !current.rolledBack)
73
+ return { applied: false, reason: 'already active' };
74
+ const active = {
75
+ championId: opts.championId,
76
+ provenanceTier: 'oracle:test-exec', // only a gate-cleared champion reaches here
77
+ layer: opts.layer,
78
+ appliedAt: opts.now ?? Date.now(),
79
+ previous: opts.previous ?? current?.championId ?? null,
80
+ params: opts.params,
81
+ };
82
+ fs.mkdirSync(cfDir, { recursive: true });
83
+ fs.writeFileSync(activePath, JSON.stringify(active, null, 2), 'utf-8');
84
+ return { applied: true, from: active.previous, to: active.championId };
85
+ }
86
+ catch (e) {
87
+ return { applied: false, reason: `error: ${e?.message ?? e}` };
88
+ }
89
+ }
90
+ /**
91
+ * Reverse the last apply: point the active policy back at its `previous`
92
+ * champion (reversibility, ADR-177 rollback pointer). No-op if there is no
93
+ * previous. The previous champion's policy is fetched by ref by consumers.
94
+ */
95
+ export function rollbackActivePolicy(cwd, opts = {}) {
96
+ try {
97
+ const activePath = path.join(cwd, '.claude-flow', ACTIVE_POLICY_FILE);
98
+ const current = readJson(activePath);
99
+ if (!current)
100
+ return { applied: false, reason: 'no active policy' };
101
+ if (!current.previous)
102
+ return { applied: false, reason: 'no previous to roll back to' };
103
+ const reverted = {
104
+ championId: current.previous,
105
+ provenanceTier: current.provenanceTier,
106
+ layer: current.layer,
107
+ appliedAt: opts.now ?? Date.now(),
108
+ previous: null,
109
+ rolledBack: true,
110
+ };
111
+ fs.writeFileSync(activePath, JSON.stringify(reverted, null, 2), 'utf-8');
112
+ return { applied: true, from: current.championId, to: reverted.championId };
113
+ }
114
+ catch (e) {
115
+ return { applied: false, reason: `error: ${e?.message ?? e}` };
116
+ }
117
+ }
118
+ /** The champion routing/agents should currently use, or null. */
119
+ export function activeChampion(cwd) {
120
+ return readJson(path.join(cwd, '.claude-flow', ACTIVE_POLICY_FILE));
121
+ }
122
+ //# sourceMappingURL=harness-feedback-applier.js.map
@@ -0,0 +1,39 @@
1
+ import { type InstallEnv, type SignedProvenConfig } from './proven-config.js';
2
+ export declare const PROVEN_CONFIG_STAMP = ".proven-config-version";
3
+ /** The signed champion manifest shipped in the package (metadata; the RVFA payload rides alongside). */
4
+ export declare const PROVEN_CONFIG_FILE = "proven-config.signed.json";
5
+ /** The RVFA-packaged champion (ADR-177 final phase). Preferred when present. */
6
+ export declare const PROVEN_CONFIG_RVFA_FILE = "proven-config.signed.rvf";
7
+ /** Where an adopted champion is recorded in the project (consumed by the feedback applier, ADR-176 phase 9). */
8
+ export declare const ADOPTED_CONFIG_FILE = "proven-config.json";
9
+ /**
10
+ * Read a shipped champion from either packaging. `.rvf` → unpack the RVFA
11
+ * envelope (integrity-checked); anything else → parse as signed JSON. Returns
12
+ * null (never throws) on any failure. The Ed25519 signature is still verified
13
+ * downstream by adoptSignedConfig — this only decodes the transport.
14
+ */
15
+ export declare function loadShippedChampion(srcPath: string): SignedProvenConfig | null;
16
+ /** Build the local environment the champion's constraints are checked against. */
17
+ export declare function currentInstallEnv(cwd?: string): InstallEnv;
18
+ export interface AdoptResult {
19
+ adopted: boolean;
20
+ from?: string;
21
+ to?: string;
22
+ reason?: string;
23
+ skipped?: string;
24
+ }
25
+ /**
26
+ * The testable adoption core: given a signed champion and the local env, adopt
27
+ * it into `cwd/.claude` iff it is newer than the stamp AND passes both gates.
28
+ * Fail-closed; never throws. `pubkeyPem` is injectable for tests.
29
+ */
30
+ export declare function adoptSignedConfig(cwd: string, signed: SignedProvenConfig, env: InstallEnv, opts?: {
31
+ pubkeyPem?: string;
32
+ }): AdoptResult;
33
+ /**
34
+ * On CLI startup: if the package ships a signed champion newer than the
35
+ * project's stamp, adopt it when authentic + suitable. Best-effort, never
36
+ * throws. No-op when no manifest ships or the project isn't initialized.
37
+ */
38
+ export declare function autoAdoptProvenConfigIfStale(cwd?: string): Promise<AdoptResult>;
39
+ //# sourceMappingURL=proven-config-refresh.d.ts.map
@@ -0,0 +1,154 @@
1
+ /**
2
+ * Proven-configuration propagation to existing installs (ADR-177).
3
+ *
4
+ * A SIBLING of the helper auto-refresh (ADR-174), deliberately independent so it
5
+ * never touches the hook-code channel that older CLIs verify:
6
+ * - its own stamp file (`.proven-config-version`, the adopted champion id),
7
+ * - its own trust root (RUFLO_CONFIG_PUBKEY),
8
+ * - additive-only: a project with no shipped manifest is a no-op.
9
+ *
10
+ * On a CLI command, if the package ships a signed champion newer than the
11
+ * project's stamp, it is adopted ONLY when both gates pass (ADR-177):
12
+ * authenticity (Ed25519) AND suitability (host/platform/compatibility/layer).
13
+ * A signed-but-unsuitable champion is a SAFE skip (not an error), which is also
14
+ * the backwards-compatibility version gate. Zero deps on the decision path.
15
+ */
16
+ import * as fs from 'fs';
17
+ import * as path from 'path';
18
+ import { fileURLToPath } from 'url';
19
+ import { createRequire } from 'module';
20
+ import { getInstalledCliVersion } from '../init/helper-refresh.js';
21
+ import { evaluateForAdoption } from './proven-config.js';
22
+ import { unpackProvenConfigRvfa } from './proven-config-rvfa.js';
23
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
24
+ export const PROVEN_CONFIG_STAMP = '.proven-config-version';
25
+ /** The signed champion manifest shipped in the package (metadata; the RVFA payload rides alongside). */
26
+ export const PROVEN_CONFIG_FILE = 'proven-config.signed.json';
27
+ /** The RVFA-packaged champion (ADR-177 final phase). Preferred when present. */
28
+ export const PROVEN_CONFIG_RVFA_FILE = 'proven-config.signed.rvf';
29
+ /** Where an adopted champion is recorded in the project (consumed by the feedback applier, ADR-176 phase 9). */
30
+ export const ADOPTED_CONFIG_FILE = 'proven-config.json';
31
+ /**
32
+ * Locate the package's shipped signed champion, if any. Null when none ships.
33
+ * The RVFA package is preferred over the raw JSON when both are present.
34
+ */
35
+ function findPackageProvenConfig() {
36
+ const dirs = [];
37
+ try {
38
+ const esmRequire = createRequire(import.meta.url);
39
+ const pkgRoot = path.dirname(esmRequire.resolve('@claude-flow/cli/package.json'));
40
+ dirs.push(path.join(pkgRoot, '.claude'));
41
+ }
42
+ catch { /* not resolvable */ }
43
+ dirs.push(path.resolve(__dirname, '..', '..', '..', '.claude'));
44
+ // RVFA form first (ruvnet-native envelope), then the raw signed JSON fallback.
45
+ for (const d of dirs) {
46
+ const rvf = path.join(d, PROVEN_CONFIG_RVFA_FILE);
47
+ if (fs.existsSync(rvf))
48
+ return rvf;
49
+ const json = path.join(d, PROVEN_CONFIG_FILE);
50
+ if (fs.existsSync(json))
51
+ return json;
52
+ }
53
+ return null;
54
+ }
55
+ /**
56
+ * Read a shipped champion from either packaging. `.rvf` → unpack the RVFA
57
+ * envelope (integrity-checked); anything else → parse as signed JSON. Returns
58
+ * null (never throws) on any failure. The Ed25519 signature is still verified
59
+ * downstream by adoptSignedConfig — this only decodes the transport.
60
+ */
61
+ export function loadShippedChampion(srcPath) {
62
+ try {
63
+ if (srcPath.endsWith('.rvf')) {
64
+ return unpackProvenConfigRvfa(fs.readFileSync(srcPath));
65
+ }
66
+ return JSON.parse(fs.readFileSync(srcPath, 'utf-8'));
67
+ }
68
+ catch {
69
+ return null;
70
+ }
71
+ }
72
+ /** Build the local environment the champion's constraints are checked against. */
73
+ export function currentInstallEnv(cwd = process.cwd()) {
74
+ const env = {
75
+ platform: process.platform,
76
+ versions: { ruflo: getInstalledCliVersion() },
77
+ };
78
+ // Layer, if the project declares one (ADR-176 hierarchy). Optional.
79
+ try {
80
+ const layerFile = path.join(cwd, '.claude', '.harness-layer');
81
+ if (fs.existsSync(layerFile))
82
+ env.layer = fs.readFileSync(layerFile, 'utf-8').trim();
83
+ }
84
+ catch { /* none */ }
85
+ return env;
86
+ }
87
+ /**
88
+ * The testable adoption core: given a signed champion and the local env, adopt
89
+ * it into `cwd/.claude` iff it is newer than the stamp AND passes both gates.
90
+ * Fail-closed; never throws. `pubkeyPem` is injectable for tests.
91
+ */
92
+ export function adoptSignedConfig(cwd, signed, env, opts = {}) {
93
+ try {
94
+ const claudeDir = path.join(cwd, '.claude');
95
+ if (!fs.existsSync(claudeDir))
96
+ return { adopted: false }; // not a ruflo project
97
+ const championId = signed.manifest?.policy?.ref;
98
+ if (!championId)
99
+ return { adopted: false, skipped: 'manifest missing policy.ref' };
100
+ let stamped = '';
101
+ try {
102
+ stamped = fs.readFileSync(path.join(claudeDir, PROVEN_CONFIG_STAMP), 'utf-8').trim();
103
+ }
104
+ catch { /* unstamped */ }
105
+ if (stamped === championId)
106
+ return { adopted: false }; // already current — fast path
107
+ const decision = evaluateForAdoption(signed, env, opts.pubkeyPem);
108
+ if (!decision.adopt) {
109
+ // A safe skip (unsuitable) or a refusal (bad signature). Do NOT advance the stamp.
110
+ return { adopted: false, skipped: decision.reason };
111
+ }
112
+ // Adopt: record the champion for the feedback applier + retain the previous (rollback pointer).
113
+ const record = {
114
+ adoptedAt: Date.now(),
115
+ championId,
116
+ manifest: decision.manifest,
117
+ previous: signed.manifest.rollback?.previousManifest ?? stamped ?? null,
118
+ };
119
+ try {
120
+ fs.writeFileSync(path.join(claudeDir, ADOPTED_CONFIG_FILE), JSON.stringify(record, null, 2), 'utf-8');
121
+ }
122
+ catch { /* */ }
123
+ try {
124
+ fs.writeFileSync(path.join(claudeDir, PROVEN_CONFIG_STAMP), championId, 'utf-8');
125
+ }
126
+ catch { /* */ }
127
+ return { adopted: true, from: stamped || '(none)', to: championId };
128
+ }
129
+ catch {
130
+ return { adopted: false };
131
+ }
132
+ }
133
+ /**
134
+ * On CLI startup: if the package ships a signed champion newer than the
135
+ * project's stamp, adopt it when authentic + suitable. Best-effort, never
136
+ * throws. No-op when no manifest ships or the project isn't initialized.
137
+ */
138
+ export async function autoAdoptProvenConfigIfStale(cwd = process.cwd()) {
139
+ try {
140
+ if (!fs.existsSync(path.join(cwd, '.claude')))
141
+ return { adopted: false };
142
+ const src = findPackageProvenConfig();
143
+ if (!src)
144
+ return { adopted: false }; // no champion ships → no-op (additive)
145
+ const signed = loadShippedChampion(src);
146
+ if (!signed)
147
+ return { adopted: false, skipped: 'unreadable manifest' };
148
+ return adoptSignedConfig(cwd, signed, currentInstallEnv(cwd));
149
+ }
150
+ catch {
151
+ return { adopted: false };
152
+ }
153
+ }
154
+ //# sourceMappingURL=proven-config-refresh.js.map
@@ -0,0 +1,23 @@
1
+ import type { SignedProvenConfig } from './proven-config.js';
2
+ /** The single RVFA section id that carries the signed manifest JSON. */
3
+ export declare const PROVEN_CONFIG_SECTION = "proven-config";
4
+ /** Header capability marker so a reader can tell this appliance apart. */
5
+ export declare const PROVEN_CONFIG_CAPABILITY = "proven-config";
6
+ /**
7
+ * Pack a signed proven-config manifest into an RVFA appliance binary.
8
+ *
9
+ * The whole SignedProvenConfig (manifest + signature + algorithm) becomes the
10
+ * payload, so the config-root signature travels inside the envelope. The RVFA
11
+ * layer contributes integrity (footer + section hash), not authenticity.
12
+ */
13
+ export declare function packProvenConfigRvfa(signed: SignedProvenConfig): Buffer;
14
+ /** True if `buf` looks like an RVFA container (starts with the RVFA magic). */
15
+ export declare function isProvenConfigRvfa(buf: Buffer): boolean;
16
+ /**
17
+ * Unpack + integrity-check an RVFA-packed champion. Returns the inner
18
+ * SignedProvenConfig, or null on ANY failure (bad magic, corrupt footer,
19
+ * missing section, malformed JSON). Fail-closed — does NOT verify the Ed25519
20
+ * signature; that stays with adoptSignedConfig (single config trust root).
21
+ */
22
+ export declare function unpackProvenConfigRvfa(buf: Buffer): SignedProvenConfig | null;
23
+ //# sourceMappingURL=proven-config-rvfa.d.ts.map
@@ -0,0 +1,73 @@
1
+ /**
2
+ * RVFA packaging for proven-configuration manifests (ADR-177, final phase).
3
+ *
4
+ * Keeps champion propagation inside the ruvnet RVFA ecosystem: the *already
5
+ * config-signed* SignedProvenConfig is carried as the sole section of a small
6
+ * RVFA appliance binary. This adds a ruvnet-native transport + tamper-evident
7
+ * envelope (RVFA's SHA256 footer + per-section hash) WITHOUT a second trust
8
+ * root — adoption still verifies the inner manifest's Ed25519 signature against
9
+ * RUFLO_CONFIG_PUBKEY (see adoptSignedConfig). Signed ≠ suitable is unchanged:
10
+ * unpack → verifyProvenConfig → isSuitable, fail-closed at every step.
11
+ *
12
+ * Pure Node (RvfaWriter/RvfaReader) — no LLM, no network, $0. Additive: a raw
13
+ * `.signed.json` champion still adopts exactly as before; the `.rvf` form is a
14
+ * second, optional packaging the same adopt path understands.
15
+ */
16
+ import { RvfaWriter, RvfaReader, RVFA_MAGIC } from '../appliance/rvfa-format.js';
17
+ /** The single RVFA section id that carries the signed manifest JSON. */
18
+ export const PROVEN_CONFIG_SECTION = 'proven-config';
19
+ /** Header capability marker so a reader can tell this appliance apart. */
20
+ export const PROVEN_CONFIG_CAPABILITY = 'proven-config';
21
+ /**
22
+ * Pack a signed proven-config manifest into an RVFA appliance binary.
23
+ *
24
+ * The whole SignedProvenConfig (manifest + signature + algorithm) becomes the
25
+ * payload, so the config-root signature travels inside the envelope. The RVFA
26
+ * layer contributes integrity (footer + section hash), not authenticity.
27
+ */
28
+ export function packProvenConfigRvfa(signed) {
29
+ const m = signed.manifest;
30
+ const writer = new RvfaWriter({
31
+ name: `proven-config:${m.policy?.ref ?? 'unknown'}`,
32
+ // Carry the compat floor for humans/tools; the real gate is isSuitable.
33
+ appVersion: m.compatibility?.ruflo ?? '0',
34
+ platform: m.platform?.[0] ?? 'any',
35
+ arch: 'any',
36
+ profile: 'offline',
37
+ capabilities: [PROVEN_CONFIG_CAPABILITY],
38
+ });
39
+ writer.addSection(PROVEN_CONFIG_SECTION, Buffer.from(JSON.stringify(signed), 'utf-8'), {
40
+ compression: 'gzip',
41
+ type: 'application/json',
42
+ });
43
+ return writer.build();
44
+ }
45
+ /** True if `buf` looks like an RVFA container (starts with the RVFA magic). */
46
+ export function isProvenConfigRvfa(buf) {
47
+ return buf.length >= RVFA_MAGIC.length && buf.subarray(0, RVFA_MAGIC.length).equals(RVFA_MAGIC);
48
+ }
49
+ /**
50
+ * Unpack + integrity-check an RVFA-packed champion. Returns the inner
51
+ * SignedProvenConfig, or null on ANY failure (bad magic, corrupt footer,
52
+ * missing section, malformed JSON). Fail-closed — does NOT verify the Ed25519
53
+ * signature; that stays with adoptSignedConfig (single config trust root).
54
+ */
55
+ export function unpackProvenConfigRvfa(buf) {
56
+ try {
57
+ if (!isProvenConfigRvfa(buf))
58
+ return null;
59
+ const reader = RvfaReader.fromBuffer(buf);
60
+ const integrity = reader.verify();
61
+ if (!integrity.valid)
62
+ return null; // tampered envelope → reject
63
+ const payload = reader.extractSection(PROVEN_CONFIG_SECTION);
64
+ const signed = JSON.parse(payload.toString('utf-8'));
65
+ if (!signed || signed.algorithm !== 'ed25519' || !signed.signature || !signed.manifest)
66
+ return null;
67
+ return signed;
68
+ }
69
+ catch {
70
+ return null;
71
+ }
72
+ }
73
+ //# sourceMappingURL=proven-config-rvfa.js.map
@@ -0,0 +1,86 @@
1
+ /** Ruflo config-signing PUBLIC key (safe to commit). Private half in GCP Secret Manager (ruflo-config-signing-key). */
2
+ export declare const RUFLO_CONFIG_PUBKEY = "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA3zr3BLCFKyrjvjZg9BXxchXIuGYwYwq21FYCjTpQO6A=\n-----END PUBLIC KEY-----";
3
+ /** The receipt bundle (ADR-176) — reproducible proof-of-work summary. */
4
+ export interface ProvenConfigReceipt {
5
+ heldOutDelta?: number;
6
+ redblue?: 'PASS' | 'FAIL' | 'SKIPPED';
7
+ drift?: number;
8
+ canary?: {
9
+ rollbackRate?: number;
10
+ latencyP95?: number;
11
+ costPerTask?: number;
12
+ };
13
+ receiptCoverage?: number;
14
+ }
15
+ /** The constraint contract (ADR-177 §signed != suitable) + policy reference + receipt. */
16
+ export interface ProvenConfigManifest {
17
+ schema: string;
18
+ policy: {
19
+ ref: string;
20
+ value?: Record<string, unknown>;
21
+ };
22
+ host?: Record<string, string>;
23
+ platform?: string[];
24
+ compatibility?: Record<string, string>;
25
+ benchmark?: {
26
+ corpus: string;
27
+ corpusHash: string;
28
+ };
29
+ layer?: string;
30
+ receipt?: ProvenConfigReceipt;
31
+ rollback?: {
32
+ previousManifest?: string;
33
+ };
34
+ }
35
+ export interface SignedProvenConfig {
36
+ manifest: ProvenConfigManifest;
37
+ signature: string;
38
+ algorithm: 'ed25519';
39
+ }
40
+ /** The local environment a manifest's constraints are checked against. */
41
+ export interface InstallEnv {
42
+ platform: string;
43
+ hosts?: Record<string, string>;
44
+ versions?: Record<string, string>;
45
+ layer?: string;
46
+ }
47
+ export declare function sha256Hex(content: string | Buffer): string;
48
+ /**
49
+ * Deterministic canonical bytes — recursively sorted object keys so signer and
50
+ * verifier agree byte-for-byte regardless of insertion order.
51
+ */
52
+ export declare function canonicalManifestBytes(m: ProvenConfigManifest): Buffer;
53
+ /** Sign a manifest (publish-time; key from GCP via scripts). */
54
+ export declare function signProvenConfig(manifest: ProvenConfigManifest, privateKeyPem: string): SignedProvenConfig;
55
+ /**
56
+ * Verify a signed manifest against ruflo's config public key. Returns the
57
+ * manifest on success, or null on ANY failure (bad signature, malformed JSON,
58
+ * wrong algorithm, missing fields). Fail-closed.
59
+ */
60
+ export declare function verifyProvenConfig(signedJson: string | SignedProvenConfig, pubkeyPem?: string): ProvenConfigManifest | null;
61
+ /**
62
+ * Minimal semver-range satisfier for the compat contract. Supports `>=X`, `>X`,
63
+ * `<=X`, `<X`, `=X`, and a bare version `X` (treated as `>=X`). Deliberately
64
+ * small — the manifest contract only uses min-version bounds.
65
+ */
66
+ export declare function satisfiesRange(installed: string, range: string): boolean;
67
+ export interface SuitabilityResult {
68
+ suitable: boolean;
69
+ reason?: string;
70
+ }
71
+ /**
72
+ * Check a manifest's constraint contract against the local environment.
73
+ * Fail-closed: a missing/unsatisfiable constraint => not suitable (safe skip).
74
+ * A constraint the manifest doesn't declare is not required.
75
+ */
76
+ export declare function isSuitable(manifest: ProvenConfigManifest, env: InstallEnv): SuitabilityResult;
77
+ /**
78
+ * The combined adoption decision (ADR-177): a manifest is adoptable iff it is
79
+ * both authentic (signature verifies) AND suitable (constraints satisfied).
80
+ */
81
+ export declare function evaluateForAdoption(signedJson: string | SignedProvenConfig, env: InstallEnv, pubkeyPem?: string): {
82
+ adopt: boolean;
83
+ manifest?: ProvenConfigManifest;
84
+ reason: string;
85
+ };
86
+ //# sourceMappingURL=proven-config.d.ts.map