npm - cool-workflow - Versions diffs - 0.1.78 - Mend

cool-workflow 0.1.78

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/.claude-plugin/plugin.json +20 -0
package/.codex-plugin/mcp.json +10 -0
package/.codex-plugin/plugin.json +38 -0
package/.mcp.json +10 -0
package/LICENSE +24 -0
package/README.md +638 -0
package/apps/architecture-review/app.json +51 -0
package/apps/architecture-review/workflow.js +116 -0
package/apps/end-to-end-golden-path/app.json +30 -0
package/apps/end-to-end-golden-path/workflow.js +33 -0
package/apps/pr-review-fix-ci/app.json +59 -0
package/apps/pr-review-fix-ci/workflow.js +90 -0
package/apps/release-cut/app.json +54 -0
package/apps/release-cut/workflow.js +82 -0
package/apps/research-synthesis/app.json +50 -0
package/apps/research-synthesis/workflow.js +76 -0
package/apps/workflow-app-framework-demo/app.json +29 -0
package/apps/workflow-app-framework-demo/workflow.js +44 -0
package/dist/agent-config.js +223 -0
package/dist/candidate-scoring.js +715 -0
package/dist/capability-core.js +630 -0
package/dist/capability-dispatcher.js +86 -0
package/dist/capability-registry.js +523 -0
package/dist/cli.js +1276 -0
package/dist/collaboration.js +727 -0
package/dist/commit.js +570 -0
package/dist/contract-migration.js +234 -0
package/dist/coordinator.js +1163 -0
package/dist/daemon.js +44 -0
package/dist/dispatch.js +201 -0
package/dist/drive.js +503 -0
package/dist/error-feedback.js +415 -0
package/dist/evidence-grounding.js +179 -0
package/dist/evidence-reasoning.js +733 -0
package/dist/execution-backend.js +1279 -0
package/dist/harness.js +61 -0
package/dist/mcp-server.js +1615 -0
package/dist/multi-agent-eval.js +857 -0
package/dist/multi-agent-host.js +764 -0
package/dist/multi-agent-operator-ux.js +537 -0
package/dist/multi-agent-trust.js +366 -0
package/dist/multi-agent.js +1173 -0
package/dist/node-snapshot.js +270 -0
package/dist/observability.js +922 -0
package/dist/operator-ux.js +971 -0
package/dist/orchestrator/audit-operations.js +182 -0
package/dist/orchestrator/candidate-operations.js +117 -0
package/dist/orchestrator/cli-options.js +288 -0
package/dist/orchestrator/collaboration-operations.js +86 -0
package/dist/orchestrator/feedback-operations.js +81 -0
package/dist/orchestrator/host-operations.js +78 -0
package/dist/orchestrator/lifecycle-operations.js +462 -0
package/dist/orchestrator/migration-operations.js +44 -0
package/dist/orchestrator/multi-agent-operations.js +362 -0
package/dist/orchestrator/report.js +369 -0
package/dist/orchestrator/topology-operations.js +84 -0
package/dist/orchestrator.js +874 -0
package/dist/pipeline-contract.js +92 -0
package/dist/pipeline-runner.js +285 -0
package/dist/reclamation.js +882 -0
package/dist/result-normalize.js +194 -0
package/dist/run-export.js +64 -0
package/dist/run-registry.js +1347 -0
package/dist/run-state-schema.js +67 -0
package/dist/sandbox-profile.js +471 -0
package/dist/scheduler.js +266 -0
package/dist/scheduling.js +184 -0
package/dist/schema-validate.js +98 -0
package/dist/state-explosion.js +1213 -0
package/dist/state-migrations.js +463 -0
package/dist/state-node.js +301 -0
package/dist/state.js +308 -0
package/dist/telemetry-attestation.js +156 -0
package/dist/telemetry-ledger.js +145 -0
package/dist/topology.js +527 -0
package/dist/triggers.js +159 -0
package/dist/trust-audit.js +475 -0
package/dist/types/blackboard.js +2 -0
package/dist/types/boundary.js +29 -0
package/dist/types/candidate.js +2 -0
package/dist/types/collaboration.js +2 -0
package/dist/types/core.js +2 -0
package/dist/types/drive.js +10 -0
package/dist/types/error-feedback.js +2 -0
package/dist/types/evidence-reasoning.js +2 -0
package/dist/types/execution-backend.js +2 -0
package/dist/types/multi-agent.js +2 -0
package/dist/types/observability.js +2 -0
package/dist/types/pipeline.js +2 -0
package/dist/types/reclamation.js +8 -0
package/dist/types/result.js +2 -0
package/dist/types/run-registry.js +2 -0
package/dist/types/run.js +2 -0
package/dist/types/sandbox.js +2 -0
package/dist/types/schedule.js +2 -0
package/dist/types/state-node.js +2 -0
package/dist/types/topology.js +2 -0
package/dist/types/trust.js +2 -0
package/dist/types/workbench.js +2 -0
package/dist/types/worker.js +2 -0
package/dist/types/workflow-app.js +2 -0
package/dist/types.js +43 -0
package/dist/verifier-registry.js +46 -0
package/dist/verifier.js +78 -0
package/dist/version.js +8 -0
package/dist/workbench-host.js +172 -0
package/dist/workbench.js +190 -0
package/dist/worker-isolation.js +1028 -0
package/dist/workflow-api.js +98 -0
package/dist/workflow-app-framework.js +626 -0
package/docs/agent-delegation-drive.7.md +190 -0
package/docs/agent-framework.md +176 -0
package/docs/candidate-scoring.7.md +106 -0
package/docs/canonical-workflow-apps.7.md +137 -0
package/docs/capability-topology-registry.7.md +168 -0
package/docs/cli-mcp-parity.7.md +373 -0
package/docs/contract-migration-tooling.7.md +123 -0
package/docs/control-plane-scheduling.7.md +110 -0
package/docs/coordinator-blackboard.7.md +183 -0
package/docs/dogfood/architecture-review-cool-workflow.md +16 -0
package/docs/dogfood-one-real-repo.7.md +168 -0
package/docs/durable-state-and-locking.7.md +107 -0
package/docs/end-to-end-golden-path.7.md +117 -0
package/docs/error-feedback.7.md +153 -0
package/docs/evidence-adoption-reasoning-chain.7.md +270 -0
package/docs/execution-backends.7.md +300 -0
package/docs/getting-started.md +99 -0
package/docs/index.md +41 -0
package/docs/mcp-app-surface.7.md +235 -0
package/docs/multi-agent-cli-mcp-surface.7.md +265 -0
package/docs/multi-agent-eval-replay-harness.7.md +302 -0
package/docs/multi-agent-operator-ux.7.md +314 -0
package/docs/multi-agent-runtime-core.7.md +231 -0
package/docs/multi-agent-topologies.7.md +103 -0
package/docs/multi-agent-trust-policy-audit.7.md +154 -0
package/docs/node-snapshot-diff-replay.7.md +135 -0
package/docs/observability-cost-accounting.7.md +194 -0
package/docs/operator-ux.7.md +180 -0
package/docs/pipeline-runner.7.md +136 -0
package/docs/project-index.md +261 -0
package/docs/real-execution-backends.7.md +142 -0
package/docs/release-and-migration.7.md +280 -0
package/docs/release-tooling.7.md +159 -0
package/docs/routines.md +48 -0
package/docs/run-registry-control-plane.7.md +312 -0
package/docs/run-retention-reclamation.7.md +191 -0
package/docs/sandbox-profiles.7.md +137 -0
package/docs/scheduled-tasks.md +80 -0
package/docs/security-trust-hardening.7.md +117 -0
package/docs/state-explosion-management.7.md +264 -0
package/docs/state-node.7.md +96 -0
package/docs/team-collaboration.7.md +207 -0
package/docs/unix-principles.md +192 -0
package/docs/verifier-gated-commit.7.md +140 -0
package/docs/web-desktop-workbench.7.md +215 -0
package/docs/worker-isolation.7.md +167 -0
package/docs/workflow-app-framework.7.md +274 -0
package/manifest/README.md +43 -0
package/manifest/plugin.manifest.json +316 -0
package/manifest/pricing.policy.json +14 -0
package/package.json +79 -0
package/scripts/agents/claude-p-agent.js +104 -0
package/scripts/agents/claude-p-agent.sh +9 -0
package/scripts/agents/cw-attest-keygen.js +55 -0
package/scripts/agents/cw-attest-wrap.js +143 -0
package/scripts/block-unapproved-tag.sh +39 -0
package/scripts/bump-version.js +249 -0
package/scripts/canonical-apps.js +171 -0
package/scripts/cw.js +4 -0
package/scripts/dist-drift-check.js +79 -0
package/scripts/dogfood-architecture-review.js +237 -0
package/scripts/dogfood-release.js +624 -0
package/scripts/forward-ref-docs.js +73 -0
package/scripts/gen-manifests.js +232 -0
package/scripts/golden-path.js +300 -0
package/scripts/mcp-server.js +4 -0
package/scripts/new-feature.js +121 -0
package/scripts/parity-check.js +213 -0
package/scripts/release-check.js +118 -0
package/scripts/release-flow.js +272 -0
package/scripts/release-gate.sh +85 -0
package/scripts/sync-project-index.js +387 -0
package/scripts/validate-run-state-schema.js +126 -0
package/scripts/verify-container-selfref.js +64 -0
package/scripts/version-sync-check.js +237 -0
package/skills/cool-workflow/SKILL.md +162 -0
package/skills/cool-workflow/references/commands.md +282 -0
package/tsconfig.json +16 -0
package/ui/workbench/app.css +76 -0
package/ui/workbench/app.js +159 -0
package/ui/workbench/index.html +32 -0
package/workflows/architecture-review.workflow.js +84 -0
package/workflows/research-synthesis.workflow.js +47 -0

package/dist/multi-agent-trust.js ADDED Viewed

@@ -0,0 +1,366 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.policyForRole = policyForRole;
+exports.policyForGroup = policyForGroup;
+exports.policyForMembership = policyForMembership;
+exports.recordRolePolicyAudit = recordRolePolicyAudit;
+exports.authorizeMultiAgentAction = authorizeMultiAgentAction;
+exports.assertMultiAgentActionAllowed = assertMultiAgentActionAllowed;
+exports.recordBlackboardWriteAudit = recordBlackboardWriteAudit;
+exports.recordMessageProvenanceAudit = recordMessageProvenanceAudit;
+exports.recordJudgeRationaleAudit = recordJudgeRationaleAudit;
+exports.summarizeMultiAgentTrust = summarizeMultiAgentTrust;
+exports.hasAcceptedJudgeRationale = hasAcceptedJudgeRationale;
+exports.sourceForActor = sourceForActor;
+exports.hashText = hashText;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const trust_audit_1 = require("./trust-audit");
+function policyForRole(role) {
+    const topologyRole = String(role.metadata?.topologyRoleId || role.title || "").toLowerCase();
+    const isChair = topologyRole.includes("chair") || topologyRole.includes("reducer") || topologyRole.includes("synthesizer");
+    const isJudge = topologyRole.includes("judge");
+    return {
+        schemaVersion: 1,
+        id: `${role.id}-policy`,
+        policyRef: `multiAgent.roles.${role.id}.policy`,
+        subjectKind: "role",
+        subjectId: role.id,
+        allowedBlackboardTopicIds: unique(role.topicIds || ["*"]),
+        allowedWriteOperations: unique([
+            "message",
+            "context",
+            "artifact",
+            ...(isChair ? ["snapshot", "coordinator-decision"] : [])
+        ]),
+        allowedCandidateOperations: isChair ? ["score", "select"] : ["score"],
+        allowedJudgeOperations: unique([
+            ...(isJudge ? ["verdict", "rationale"] : []),
+            ...(isChair ? ["rationale", "panel-decision"] : [])
+        ]),
+        sandboxProfileHints: unique(role.sandboxProfileHints || []),
+        requiredEvidenceRefs: unique(role.requiredEvidence || []),
+        requiredEvidenceFor: {
+            "judge.rationale": ["judge rationale evidence"],
+            "judge.verdict": ["judge verdict evidence"],
+            "judge.panel-decision": ["judge messages", "score evidence", "coordinator decision"],
+            "candidate.select": ["score evidence", "judge rationale"]
+        },
+        deniedOperations: [],
+        metadata: { title: role.title, topologyRoleId: role.metadata?.topologyRoleId }
+    };
+}
+function policyForGroup(group) {
+    return {
+        schemaVersion: 1,
+        id: `${group.id}-policy`,
+        policyRef: `multiAgent.groups.${group.id}.policy`,
+        subjectKind: "group",
+        subjectId: group.id,
+        allowedBlackboardTopicIds: unique(group.topicIds || ["*"]),
+        allowedWriteOperations: ["message", "context", "artifact", "snapshot", "coordinator-decision"],
+        allowedCandidateOperations: ["register", "score", "select"],
+        allowedJudgeOperations: ["verdict", "rationale", "panel-decision"],
+        sandboxProfileHints: [],
+        requiredEvidenceRefs: [],
+        deniedOperations: [],
+        metadata: { phase: group.phase }
+    };
+}
+function policyForMembership(membership, role) {
+    const source = role?.policy || (role ? policyForRole(role) : undefined);
+    return {
+        ...(source || {
+            schemaVersion: 1,
+            id: `${membership.id}-policy`,
+            policyRef: `multiAgent.memberships.${membership.id}.policy`,
+            subjectKind: "membership",
+            subjectId: membership.id,
+            allowedBlackboardTopicIds: unique(membership.topicIds || ["*"]),
+            allowedWriteOperations: ["message", "context", "artifact"],
+            allowedCandidateOperations: [],
+            allowedJudgeOperations: [],
+            sandboxProfileHints: [],
+            requiredEvidenceRefs: [],
+            deniedOperations: []
+        }),
+        id: `${membership.id}-policy`,
+        policyRef: `multiAgent.memberships.${membership.id}.policy`,
+        subjectKind: "membership",
+        subjectId: membership.id
+    };
+}
+function recordRolePolicyAudit(run, role) {
+    return (0, trust_audit_1.recordTrustAuditEvent)(run, {
+        kind: "multi-agent.role-policy",
+        decision: "recorded",
+        source: "runtime-derived",
+        multiAgentRunId: role.multiAgentRunId,
+        agentRoleId: role.id,
+        blackboardId: role.blackboardId,
+        policyRef: role.policy?.policyRef,
+        metadata: role.policy
+    });
+}
+function authorizeMultiAgentAction(run, input) {
+    const roleId = input.agentRoleId || (input.actor?.kind === "role" ? input.actor.id : undefined);
+    const membershipId = input.agentMembershipId || (input.actor?.kind === "membership" ? input.actor.id : undefined);
+    const groupId = input.agentGroupId || (input.actor?.kind === "group" ? input.actor.id : undefined);
+    const policy = resolvePolicy(run, { roleId, membershipId, groupId });
+    const reason = evaluatePolicy(policy, input.operation, input.blackboardTopicId, input.evidenceRefs || []);
+    const allowed = !reason;
+    const metadata = {
+        operation: input.operation,
+        reason: reason || "allowed by explicit multi-agent policy",
+        policyRef: policy?.policyRef,
+        ...(input.metadata || {})
+    };
+    const event = (0, trust_audit_1.recordTrustAuditEvent)(run, {
+        kind: "multi-agent.permission",
+        decision: allowed ? "allowed" : "denied",
+        source: "cw-validated",
+        actor: input.actor?.id,
+        multiAgentRunId: input.multiAgentRunId || policyRunId(run, roleId, groupId, membershipId),
+        agentRoleId: roleId,
+        agentGroupId: groupId,
+        agentMembershipId: membershipId,
+        agentFanoutId: input.agentFanoutId,
+        agentFaninId: input.agentFaninId,
+        blackboardId: input.blackboardId,
+        blackboardTopicId: input.blackboardTopicId,
+        blackboardMessageId: input.blackboardMessageId,
+        blackboardContextId: input.blackboardContextId,
+        blackboardArtifactRefId: input.blackboardArtifactRefId,
+        blackboardSnapshotId: input.blackboardSnapshotId,
+        coordinatorDecisionId: input.coordinatorDecisionId,
+        candidateId: input.candidateId,
+        scoreId: input.scoreId,
+        selectionId: input.selectionId,
+        commitId: input.commitId,
+        sandboxProfileId: input.sandboxProfileId,
+        evidence: input.evidence,
+        evidenceRefs: input.evidenceRefs,
+        policyRef: policy?.policyRef,
+        metadata
+    });
+    if (!allowed) {
+        (0, trust_audit_1.recordTrustAuditEvent)(run, {
+            kind: "policy.violation",
+            decision: "denied",
+            source: "cw-validated",
+            actor: input.actor?.id,
+            multiAgentRunId: input.multiAgentRunId || policyRunId(run, roleId, groupId, membershipId),
+            agentRoleId: roleId,
+            agentGroupId: groupId,
+            agentMembershipId: membershipId,
+            blackboardId: input.blackboardId,
+            blackboardTopicId: input.blackboardTopicId,
+            candidateId: input.candidateId,
+            selectionId: input.selectionId,
+            evidenceRefs: input.evidenceRefs,
+            parentEventIds: [event.id],
+            policyRef: policy?.policyRef,
+            metadata
+        });
+    }
+    return {
+        allowed,
+        decision: allowed ? "allowed" : "denied",
+        reason: reason || "allowed by explicit multi-agent policy",
+        policyRef: policy?.policyRef,
+        policy,
+        missingEvidenceRefs: missingEvidence(policy, input.operation, input.evidenceRefs || []),
+        event
+    };
+}
+function assertMultiAgentActionAllowed(run, input) {
+    const decision = authorizeMultiAgentAction(run, input);
+    if (!decision.allowed)
+        throw new Error(decision.reason);
+    return decision;
+}
+function recordBlackboardWriteAudit(run, input) {
+    return (0, trust_audit_1.recordTrustAuditEvent)(run, {
+        kind: "blackboard.write",
+        decision: input.status === "denied" || input.status === "blocked" ? "denied" : input.status === "conflicting" ? "failed" : "accepted",
+        source: sourceForActor(input.actor),
+        actor: input.actor?.id,
+        multiAgentRunId: input.multiAgentRunId,
+        agentRoleId: input.agentRoleId,
+        agentGroupId: input.agentGroupId,
+        agentMembershipId: input.agentMembershipId,
+        agentFanoutId: input.agentFanoutId,
+        agentFaninId: input.agentFaninId,
+        blackboardId: input.blackboardId,
+        blackboardTopicId: input.blackboardTopicId,
+        blackboardMessageId: input.blackboardMessageId,
+        blackboardContextId: input.blackboardContextId,
+        blackboardArtifactRefId: input.blackboardArtifactRefId,
+        blackboardSnapshotId: input.blackboardSnapshotId,
+        coordinatorDecisionId: input.coordinatorDecisionId,
+        evidenceRefs: input.evidenceRefs,
+        parentEventIds: input.parentEventIds,
+        policyRef: input.policyRef,
+        metadata: { operation: input.operation, status: input.status, ...(input.metadata || {}) }
+    });
+}
+function recordMessageProvenanceAudit(run, input) {
+    return (0, trust_audit_1.recordTrustAuditEvent)(run, {
+        kind: "blackboard.message-provenance",
+        decision: "recorded",
+        source: sourceForActor(input.actor),
+        actor: input.actor?.id,
+        workerId: input.workerId,
+        multiAgentRunId: input.multiAgentRunId,
+        agentRoleId: input.agentRoleId,
+        agentGroupId: input.agentGroupId,
+        agentMembershipId: input.agentMembershipId,
+        blackboardId: input.blackboardId,
+        blackboardTopicId: input.topicId,
+        blackboardMessageId: input.messageId,
+        evidenceRefs: input.evidenceRefs,
+        parentEventIds: input.parentEventIds,
+        policyRef: input.policyRef,
+        metadata: {
+            authorKind: input.actor?.kind,
+            bodyHash: hashText(input.body),
+            summary: input.body.trim().slice(0, 120),
+            parentMessageIds: input.parentMessageIds || [],
+            topicScope: input.topicId,
+            locator: `${input.blackboardId}/messages/${input.messageId}`
+        }
+    });
+}
+function recordJudgeRationaleAudit(run, input) {
+    return (0, trust_audit_1.recordTrustAuditEvent)(run, {
+        kind: input.kind || "judge.rationale",
+        decision: input.evidenceRefs?.length && input.rationale ? "accepted" : "denied",
+        source: "cw-validated",
+        actor: input.actor?.id,
+        multiAgentRunId: input.multiAgentRunId,
+        agentRoleId: input.agentRoleId,
+        agentGroupId: input.agentGroupId,
+        agentMembershipId: input.agentMembershipId,
+        blackboardId: input.blackboardId,
+        blackboardTopicId: input.blackboardTopicId,
+        blackboardMessageId: input.blackboardMessageId,
+        coordinatorDecisionId: input.coordinatorDecisionId,
+        candidateId: input.candidateId,
+        scoreId: input.scoreId,
+        selectionId: input.selectionId,
+        evidenceRefs: input.evidenceRefs,
+        parentEventIds: input.parentEventIds,
+        policyRef: input.policyRef,
+        metadata: { rationale: input.rationale?.slice(0, 240) }
+    });
+}
+function summarizeMultiAgentTrust(run) {
+    const events = (0, trust_audit_1.listTrustAuditEvents)(run);
+    const rolePolicies = (run.multiAgent?.roles || []).map((role) => role.policy || policyForRole(role));
+    const byKind = (kind) => events.filter((event) => event.kind === kind);
+    const policyViolations = byKind("policy.violation");
+    return {
+        schemaVersion: 1,
+        runId: run.id,
+        rolePolicies,
+        permissionDecisions: byKind("multi-agent.permission"),
+        blackboardWrites: byKind("blackboard.write"),
+        messageProvenance: byKind("blackboard.message-provenance"),
+        judgeRationales: byKind("judge.rationale"),
+        panelDecisions: byKind("judge.panel-decision"),
+        policyViolations,
+        nextAction: policyViolations.length
+            ? `node scripts/cw.js audit policy ${run.id}`
+            : `node scripts/cw.js audit multi-agent ${run.id} --json`
+    };
+}
+function hasAcceptedJudgeRationale(run, input = {}) {
+    return (0, trust_audit_1.listTrustAuditEvents)(run).some((event) => event.kind === "judge.rationale" &&
+        event.decision === "accepted" &&
+        (!input.multiAgentRunId || event.multiAgentRunId === input.multiAgentRunId) &&
+        (!input.candidateId || event.candidateId === input.candidateId) &&
+        (!input.scoreId || !event.scoreId || event.scoreId === input.scoreId));
+}
+function sourceForActor(actor) {
+    if (!actor)
+        return "operator-recorded";
+    if (actor.kind === "worker")
+        return "host-attested";
+    if (actor.kind === "operator")
+        return "operator-recorded";
+    if (actor.kind === "runtime" || actor.kind === "coordinator" || actor.kind === "verifier")
+        return "runtime-derived";
+    return "cw-validated";
+}
+function hashText(value) {
+    return `sha256:${node_crypto_1.default.createHash("sha256").update(value).digest("hex")}`;
+}
+function resolvePolicy(run, input) {
+    const membership = input.membershipId ? run.multiAgent?.memberships.find((entry) => entry.id === input.membershipId) : undefined;
+    if (membership?.policy)
+        return membership.policy;
+    const roleId = input.roleId || membership?.roleId;
+    const role = roleId ? run.multiAgent?.roles.find((entry) => entry.id === roleId) : undefined;
+    if (role?.policy)
+        return role.policy;
+    if (role)
+        return policyForRole(role);
+    const group = input.groupId ? run.multiAgent?.groups.find((entry) => entry.id === input.groupId) : undefined;
+    if (group?.policy)
+        return group.policy;
+    if (group)
+        return policyForGroup(group);
+    return undefined;
+}
+function evaluatePolicy(policy, operation, topicId, evidenceRefs) {
+    if (!policy)
+        return "missing role authority or policy";
+    const denied = policy.deniedOperations.find((entry) => entry.operation === operation);
+    if (denied)
+        return denied.reason;
+    if (topicId && policy.allowedBlackboardTopicIds.length && !policy.allowedBlackboardTopicIds.includes("*") && !policy.allowedBlackboardTopicIds.includes(topicId)) {
+        return `topic ${topicId} is outside policy ${policy.policyRef}`;
+    }
+    if (operation.startsWith("candidate.")) {
+        const op = operation.slice("candidate.".length);
+        if (!policy.allowedCandidateOperations.includes(op))
+            return `candidate operation ${op} is outside policy ${policy.policyRef}`;
+    }
+    else if (operation.startsWith("judge.")) {
+        const op = operation.slice("judge.".length);
+        if (!policy.allowedJudgeOperations.includes(op))
+            return `judge operation ${op} is outside policy ${policy.policyRef}`;
+    }
+    else if (!policy.allowedWriteOperations.includes(operation)) {
+        return `blackboard write operation ${operation} is outside policy ${policy.policyRef}`;
+    }
+    const missing = missingEvidence(policy, operation, evidenceRefs);
+    if (missing.length)
+        return `operation ${operation} requires evidence refs: ${missing.join(", ")}`;
+    return undefined;
+}
+function missingEvidence(policy, operation, evidenceRefs) {
+    if (!policy)
+        return [];
+    const required = unique([...(policy.requiredEvidenceFor?.[operation] || [])]);
+    if (!required.length)
+        return [];
+    if (evidenceRefs.length)
+        return [];
+    return required;
+}
+function policyRunId(run, roleId, groupId, membershipId) {
+    const membership = membershipId ? run.multiAgent?.memberships.find((entry) => entry.id === membershipId) : undefined;
+    if (membership)
+        return membership.multiAgentRunId;
+    const role = roleId ? run.multiAgent?.roles.find((entry) => entry.id === roleId) : undefined;
+    if (role)
+        return role.multiAgentRunId;
+    const group = groupId ? run.multiAgent?.groups.find((entry) => entry.id === groupId) : undefined;
+    return group?.multiAgentRunId;
+}
+function unique(values) {
+    return Array.from(new Set(values.filter(Boolean)));
+}