npm - domainforge - Versions diffs - 0.13.0 - Mend

domainforge 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (481) hide show

package/.cargo/config.toml +6 -0
package/.claude/settings.local.json +18 -0
package/.coderabbit.yml +43 -0
package/.codex/skills/release-management/SKILL.md +151 -0
package/.codex/skills/release-management/agents/openai.yaml +4 -0
package/.github/actions/decrypt-secrets/action.yml +121 -0
package/.github/agents/Coder.agent.md +97 -0
package/.github/agents/DeepResearch.agent.md +61 -0
package/.github/chatmodes/tdd.vibepro.chatmode.md +1183 -0
package/.github/copilot-instructions.md +13 -0
package/.github/dependabot.yml +68 -0
package/.github/workflows/README.md +165 -0
package/.github/workflows/ci.yml +335 -0
package/.github/workflows/dependabot-automerge.yml +114 -0
package/.github/workflows/dependency-review.yml +27 -0
package/.github/workflows/deploy.yml +87 -0
package/.github/workflows/prepare-release.yml +168 -0
package/.github/workflows/release-crates.yml +42 -0
package/.github/workflows/release-npm.yml +137 -0
package/.github/workflows/release-please.yml +29 -0
package/.github/workflows/release-pypi.yml +96 -0
package/.gitkeep +1 -0
package/.release-please-manifest.json +5 -0
package/.sea-registry.toml +10 -0
package/.serena/project.yml +133 -0
package/.sops.yaml +10 -0
package/AGENTS.md +216 -0
package/CHANGELOG.md +400 -0
package/CLAUDE.md +62 -0
package/CONTRIBUTING.md +323 -0
package/Cargo.lock +3612 -0
package/Cargo.toml +12 -0
package/LICENSE +201 -0
package/README.md +660 -0
package/README_PYTHON.md +256 -0
package/README_TYPESCRIPT.md +305 -0
package/README_WASM.md +329 -0
package/RELEASE_NOTES.md +41 -0
package/bun.lock +378 -0
package/bunfig.toml +11 -0
package/check_output.txt +83 -0
package/clippy_output.txt +80 -0
package/commitlint.config.cjs +8 -0
package/deny.toml +42 -0
package/devbox.json +14 -0
package/devbox.lock +76 -0
package/docs/RELEASE_PROCESS.md +360 -0
package/docs/diagnostics.md +161 -0
package/docs/doc_guidelines.md +53 -0
package/docs/explanations/README.md +21 -0
package/docs/explanations/architecture-overview.md +109 -0
package/docs/explanations/cross-language-binding-strategy.md +68 -0
package/docs/explanations/graph-store-design.md +47 -0
package/docs/explanations/performance-benchmarks.md +63 -0
package/docs/explanations/policy-evaluation-logic.md +106 -0
package/docs/explanations/semantic-modeling-concepts.md +109 -0
package/docs/explanations/three-valued-logic.md +66 -0
package/docs/explanations/versioning-strategy.md +45 -0
package/docs/governance.md +168 -0
package/docs/how-tos/README.md +46 -0
package/docs/how-tos/ci-cd-validation.md +93 -0
package/docs/how-tos/create-custom-units.md +125 -0
package/docs/how-tos/define-policies.md +119 -0
package/docs/how-tos/export-to-calm.md +110 -0
package/docs/how-tos/export-to-protobuf.md +312 -0
package/docs/how-tos/extend-grammar.md +133 -0
package/docs/how-tos/generate-rdf-turtle.md +106 -0
package/docs/how-tos/import-from-calm.md +114 -0
package/docs/how-tos/import-from-sbvr.md +249 -0
package/docs/how-tos/install-cli.md +126 -0
package/docs/how-tos/parse-sea-files.md +132 -0
package/docs/how-tos/policy-evaluation-modes.md +30 -0
package/docs/how-tos/run-cross-language-tests.md +115 -0
package/docs/how-tos/troubleshoot-napi-builds.md +55 -0
package/docs/how-tos/use-modules-imports.md +285 -0
package/docs/index.md +13 -0
package/docs/plans/canonical-normalizer.md +121 -0
package/docs/plans/cd_improvement.md +112 -0
package/docs/plans/cli-ast.md +29 -0
package/docs/plans/expression-bindings-and-normalizer-integration.md +174 -0
package/docs/plans/protobuf_advanced_features_plan.md +597 -0
package/docs/plans/protobuf_plan.yml +525 -0
package/docs/plans/refactor_dsl_architecture.md +131 -0
package/docs/plans/release-plan.md +163 -0
package/docs/plans/sea_fmt_implementation_plan.md +516 -0
package/docs/playbooks/README.md +18 -0
package/docs/playbooks/adding-new-primitive.md +68 -0
package/docs/playbooks/debugging-parser-failures.md +42 -0
package/docs/playbooks/local-release-preparation.md +139 -0
package/docs/playbooks/migrating-schema-versions.md +43 -0
package/docs/playbooks/onboarding-contributors.md +64 -0
package/docs/playbooks/releasing-beta.md +86 -0
package/docs/playbooks/secret-management.md +64 -0
package/docs/reference/README.md +199 -0
package/docs/reference/ast-json-api.md +427 -0
package/docs/reference/calm-mapping.md +519 -0
package/docs/reference/cli-commands.md +588 -0
package/docs/reference/configuration.md +202 -0
package/docs/reference/error-codes.md +664 -0
package/docs/reference/generated-artifacts-policy.md +53 -0
package/docs/reference/grammar-spec.md +255 -0
package/docs/reference/primitives-api.md +317 -0
package/docs/reference/protobuf-api.md +426 -0
package/docs/reference/python-api.md +485 -0
package/docs/reference/registry.md +50 -0
package/docs/reference/sea-dsl-ai-cheatsheet.yaml +913 -0
package/docs/reference/security-model.md +74 -0
package/docs/reference/typescript-api.md +508 -0
package/docs/reference/wasm-api.md +420 -0
package/docs/semantic-pack-review.md +144 -0
package/docs/semantic-pack-signing.md +234 -0
package/docs/semantic-packs.md +284 -0
package/docs/specs/ADR-001-sea-dsl-semantic-source-of-truth.md +33 -0
package/docs/specs/ADR-002-projection-first-class-construct.md +50 -0
package/docs/specs/ADR-003-protobuf-projection-target.md +51 -0
package/docs/specs/ADR-004-projection-compatibility-semantics.md +57 -0
package/docs/specs/ADR-005-multi-language-support-strategy.md +112 -0
package/docs/specs/ADR-006-error-handling-strategy.md +115 -0
package/docs/specs/ADR-007-policy-evaluation-engine.md +95 -0
package/docs/specs/ADR-008-knowledge-graph-integration.md +90 -0
package/docs/specs/ADR-009-module-resolution-strategy.md +115 -0
package/docs/specs/ADR-010-unit-system.md +106 -0
package/docs/specs/PRD-001-sea-projection-framework.md +155 -0
package/docs/specs/PRD-002-sea-cli-tooling.md +169 -0
package/docs/specs/PRD-003-dsl-core-capabilities.md +275 -0
package/docs/specs/README.md +62 -0
package/docs/specs/SDS-001-protobuf-projection-engine.md +451 -0
package/docs/specs/SDS-002-sea-core-architecture.md +268 -0
package/docs/specs/SDS-003-parser-semantic-graph.md +377 -0
package/docs/specs/SDS-004-policy-engine-design.md +362 -0
package/docs/specs/SDS-005-knowledge-graph-module.md +364 -0
package/docs/specs/SDS-006-calm-integration.md +367 -0
package/docs/specs/SDS-007-sbvr-import.md +347 -0
package/docs/templates/template_explanation.md +14 -0
package/docs/templates/template_howto.md +21 -0
package/docs/templates/template_playbook.md +21 -0
package/docs/templates/template_reference.md +17 -0
package/docs/templates/template_tutorial.md +24 -0
package/docs/tutorials/README.md +12 -0
package/docs/tutorials/first-sea-model.md +85 -0
package/docs/tutorials/getting-started.md +98 -0
package/docs/tutorials/python-binding-quickstart.md +107 -0
package/docs/tutorials/typescript-binding-quickstart.md +91 -0
package/docs/tutorials/wasm-in-browser.md +75 -0
package/domainforge-core/CHANGELOG.md +138 -0
package/domainforge-core/Cargo.toml +101 -0
package/domainforge-core/MIGRATING.md +32 -0
package/domainforge-core/README.md +197 -0
package/domainforge-core/benchmark_results.txt +51 -0
package/domainforge-core/build.rs +6 -0
package/domainforge-core/deny.toml +31 -0
package/domainforge-core/docs/specs/projections/sbvr_kg_mapping.md +43 -0
package/domainforge-core/examples/basic.sea +7 -0
package/domainforge-core/examples/cli/import_export_workflow.sh +38 -0
package/domainforge-core/examples/cli/validate_example.sh +30 -0
package/domainforge-core/examples/evolution_semantics.sea +31 -0
package/domainforge-core/examples/parser_demo.rs +203 -0
package/domainforge-core/grammar/sea.pest +408 -0
package/domainforge-core/schemas/calm-v1.schema.json +170 -0
package/domainforge-core/schemas/shacl/sea_shapes.ttl +19 -0
package/domainforge-core/src/authority/compiler.rs +309 -0
package/domainforge-core/src/authority/environment.rs +203 -0
package/domainforge-core/src/authority/error.rs +164 -0
package/domainforge-core/src/authority/fact_resolver.rs +224 -0
package/domainforge-core/src/authority/mod.rs +25 -0
package/domainforge-core/src/authority/pack.rs +133 -0
package/domainforge-core/src/authority/policy.rs +224 -0
package/domainforge-core/src/authority/resolver.rs +446 -0
package/domainforge-core/src/authority/trace.rs +217 -0
package/domainforge-core/src/authority/transform.rs +168 -0
package/domainforge-core/src/authority/types.rs +617 -0
package/domainforge-core/src/bin/domainforge.rs +25 -0
package/domainforge-core/src/calm/export.rs +538 -0
package/domainforge-core/src/calm/import.rs +1220 -0
package/domainforge-core/src/calm/mod.rs +9 -0
package/domainforge-core/src/calm/models.rs +108 -0
package/domainforge-core/src/calm/sbvr_import.rs +9 -0
package/domainforge-core/src/cli/authority.rs +149 -0
package/domainforge-core/src/cli/format.rs +85 -0
package/domainforge-core/src/cli/import.rs +133 -0
package/domainforge-core/src/cli/mod.rs +64 -0
package/domainforge-core/src/cli/normalize.rs +180 -0
package/domainforge-core/src/cli/pack.rs +904 -0
package/domainforge-core/src/cli/parse.rs +112 -0
package/domainforge-core/src/cli/project.rs +294 -0
package/domainforge-core/src/cli/registry.rs +41 -0
package/domainforge-core/src/cli/test.rs +12 -0
package/domainforge-core/src/cli/validate.rs +195 -0
package/domainforge-core/src/cli/validate_kg.rs +80 -0
package/domainforge-core/src/concept_id.rs +89 -0
package/domainforge-core/src/error/diagnostics.rs +426 -0
package/domainforge-core/src/error/fuzzy.rs +253 -0
package/domainforge-core/src/error/mod.rs +13 -0
package/domainforge-core/src/formatter/comments.rs +223 -0
package/domainforge-core/src/formatter/config.rs +114 -0
package/domainforge-core/src/formatter/mod.rs +22 -0
package/domainforge-core/src/formatter/printer.rs +906 -0
package/domainforge-core/src/graph/mod.rs +858 -0
package/domainforge-core/src/graph/to_ast.rs +66 -0
package/domainforge-core/src/kg.rs +1476 -0
package/domainforge-core/src/kg_import.rs +251 -0
package/domainforge-core/src/lib.rs +203 -0
package/domainforge-core/src/module/mod.rs +1 -0
package/domainforge-core/src/module/resolver.rs +260 -0
package/domainforge-core/src/parser/ast.rs +2919 -0
package/domainforge-core/src/parser/ast_convert.rs +494 -0
package/domainforge-core/src/parser/ast_schema.rs +491 -0
package/domainforge-core/src/parser/error.rs +291 -0
package/domainforge-core/src/parser/lint.rs +39 -0
package/domainforge-core/src/parser/mod.rs +193 -0
package/domainforge-core/src/parser/printer.rs +702 -0
package/domainforge-core/src/parser/profiles.rs +71 -0
package/domainforge-core/src/parser/string_utils.rs +138 -0
package/domainforge-core/src/patterns.rs +68 -0
package/domainforge-core/src/policy/core.rs +1148 -0
package/domainforge-core/src/policy/expression.rs +399 -0
package/domainforge-core/src/policy/mod.rs +18 -0
package/domainforge-core/src/policy/normalize.rs +1028 -0
package/domainforge-core/src/policy/quantifier.rs +940 -0
package/domainforge-core/src/policy/three_valued.rs +140 -0
package/domainforge-core/src/policy/three_valued_microbench.rs +104 -0
package/domainforge-core/src/policy/type_inference.rs +67 -0
package/domainforge-core/src/policy/violation.rs +36 -0
package/domainforge-core/src/primitives/concept_change.rs +61 -0
package/domainforge-core/src/primitives/entity.rs +224 -0
package/domainforge-core/src/primitives/flow.rs +111 -0
package/domainforge-core/src/primitives/instance.rs +93 -0
package/domainforge-core/src/primitives/mapping_contract.rs +50 -0
package/domainforge-core/src/primitives/metric.rs +79 -0
package/domainforge-core/src/primitives/mod.rs +25 -0
package/domainforge-core/src/primitives/projection_contract.rs +50 -0
package/domainforge-core/src/primitives/quantity.rs +56 -0
package/domainforge-core/src/primitives/relation.rs +68 -0
package/domainforge-core/src/primitives/resource.rs +237 -0
package/domainforge-core/src/primitives/resource_instance.rs +88 -0
package/domainforge-core/src/primitives/role.rs +49 -0
package/domainforge-core/src/projection/buf.rs +404 -0
package/domainforge-core/src/projection/contracts.rs +22 -0
package/domainforge-core/src/projection/engine.rs +19 -0
package/domainforge-core/src/projection/mod.rs +16 -0
package/domainforge-core/src/projection/protobuf.rs +3331 -0
package/domainforge-core/src/projection/registry.rs +43 -0
package/domainforge-core/src/python/authority.rs +253 -0
package/domainforge-core/src/python/error.rs +227 -0
package/domainforge-core/src/python/formatter.rs +86 -0
package/domainforge-core/src/python/graph.rs +366 -0
package/domainforge-core/src/python/mod.rs +9 -0
package/domainforge-core/src/python/policy.rs +651 -0
package/domainforge-core/src/python/primitives.rs +796 -0
package/domainforge-core/src/python/registry.rs +98 -0
package/domainforge-core/src/python/semantic_pack.rs +619 -0
package/domainforge-core/src/python/units.rs +96 -0
package/domainforge-core/src/registry/mod.rs +432 -0
package/domainforge-core/src/registry/tests.rs +210 -0
package/domainforge-core/src/sbvr.rs +744 -0
package/domainforge-core/src/semantic_pack/builder.rs +470 -0
package/domainforge-core/src/semantic_pack/canonical_json.rs +184 -0
package/domainforge-core/src/semantic_pack/diagnostics.rs +214 -0
package/domainforge-core/src/semantic_pack/diff.rs +216 -0
package/domainforge-core/src/semantic_pack/mod.rs +31 -0
package/domainforge-core/src/semantic_pack/pack_set.rs +240 -0
package/domainforge-core/src/semantic_pack/resolver.rs +437 -0
package/domainforge-core/src/semantic_pack/review.rs +125 -0
package/domainforge-core/src/semantic_pack/schema.rs +342 -0
package/domainforge-core/src/semantic_pack/signing.rs +105 -0
package/domainforge-core/src/semantic_pack/validator.rs +368 -0
package/domainforge-core/src/semantic_version.rs +140 -0
package/domainforge-core/src/test_utils.rs +12 -0
package/domainforge-core/src/typescript/authority.rs +184 -0
package/domainforge-core/src/typescript/error.rs +146 -0
package/domainforge-core/src/typescript/formatter.rs +76 -0
package/domainforge-core/src/typescript/graph.rs +391 -0
package/domainforge-core/src/typescript/mod.rs +9 -0
package/domainforge-core/src/typescript/policy.rs +564 -0
package/domainforge-core/src/typescript/primitives.rs +784 -0
package/domainforge-core/src/typescript/registry.rs +88 -0
package/domainforge-core/src/typescript/semantic_pack.rs +470 -0
package/domainforge-core/src/typescript/units.rs +76 -0
package/domainforge-core/src/units/mod.rs +462 -0
package/domainforge-core/src/uuid_module.rs +42 -0
package/domainforge-core/src/validation_error.rs +818 -0
package/domainforge-core/src/validation_result.rs +30 -0
package/domainforge-core/src/wasm/authority.rs +192 -0
package/domainforge-core/src/wasm/error.rs +145 -0
package/domainforge-core/src/wasm/formatter.rs +69 -0
package/domainforge-core/src/wasm/graph.rs +471 -0
package/domainforge-core/src/wasm/mod.rs +16 -0
package/domainforge-core/src/wasm/policy.rs +607 -0
package/domainforge-core/src/wasm/primitives.rs +295 -0
package/domainforge-core/src/wasm/semantic_pack.rs +471 -0
package/domainforge-core/src/wasm/units.rs +62 -0
package/domainforge-core/std/aws.sea +6 -0
package/domainforge-core/std/core.sea +6 -0
package/domainforge-core/std/http.sea +27 -0
package/domainforge-core/tests/aggregation_enhanced_tests.rs +162 -0
package/domainforge-core/tests/aggregation_eval_tests.rs +248 -0
package/domainforge-core/tests/aggregation_integration_tests.rs +379 -0
package/domainforge-core/tests/aggregation_parser_tests.rs +92 -0
package/domainforge-core/tests/aggregation_tests.rs +102 -0
package/domainforge-core/tests/authority_conformance_tests.rs +1173 -0
package/domainforge-core/tests/calm_round_trip_tests.rs +283 -0
package/domainforge-core/tests/calm_schema_validation_tests.rs +137 -0
package/domainforge-core/tests/cast_operator_tests.rs +85 -0
package/domainforge-core/tests/cli_binary_check.rs +37 -0
package/domainforge-core/tests/cli_import_tests.rs +291 -0
package/domainforge-core/tests/cli_path_traversal_tests.rs +124 -0
package/domainforge-core/tests/cli_tests.rs +63 -0
package/domainforge-core/tests/diagnostics_tests.rs +203 -0
package/domainforge-core/tests/dimension_unit_tests.rs +80 -0
package/domainforge-core/tests/entity_tests.rs +69 -0
package/domainforge-core/tests/evolution_semantics_tests.rs +157 -0
package/domainforge-core/tests/flow_tests.rs +78 -0
package/domainforge-core/tests/flow_unit_validation_tests.rs +31 -0
package/domainforge-core/tests/graph_integration_tests.rs +218 -0
package/domainforge-core/tests/graph_tests.rs +626 -0
package/domainforge-core/tests/import_parsing_tests.rs +23 -0
package/domainforge-core/tests/instance_integration_tests.rs +98 -0
package/domainforge-core/tests/instance_parsing_tests.rs +58 -0
package/domainforge-core/tests/instance_tests.rs +61 -0
package/domainforge-core/tests/kg_uri_encoding_tests.rs +53 -0
package/domainforge-core/tests/lint_tests.rs +19 -0
package/domainforge-core/tests/metric_tests.rs +143 -0
package/domainforge-core/tests/module_resolution_tests.rs +100 -0
package/domainforge-core/tests/namespace_registry_tests.rs +247 -0
package/domainforge-core/tests/null_handling_tests.rs +26 -0
package/domainforge-core/tests/parser_ast_v3.rs +53 -0
package/domainforge-core/tests/parser_dimension_registry_tests.rs +20 -0
package/domainforge-core/tests/parser_integration_tests.rs +294 -0
package/domainforge-core/tests/parser_metadata_tests.rs +97 -0
package/domainforge-core/tests/parser_resource_domain_only_graph_test.rs +21 -0
package/domainforge-core/tests/parser_resource_limits_tests.rs +122 -0
package/domainforge-core/tests/parser_tests.rs +512 -0
package/domainforge-core/tests/pattern_semantics_tests.rs +87 -0
package/domainforge-core/tests/phase_14_determinism_tests.rs +166 -0
package/domainforge-core/tests/phase_15_validation_error_tests.rs +136 -0
package/domainforge-core/tests/phase_16_unicode_tests.rs +248 -0
package/domainforge-core/tests/phase_17_export_tests.rs +285 -0
package/domainforge-core/tests/phase_17_round_trip_tests.rs +264 -0
package/domainforge-core/tests/policy_tests.rs +635 -0
package/domainforge-core/tests/primitives_integration_tests.rs +151 -0
package/domainforge-core/tests/print_rdf_xml.rs +14 -0
package/domainforge-core/tests/printer_tests.rs +204 -0
package/domainforge-core/tests/profile_tests.rs +35 -0
package/domainforge-core/tests/projection_contracts_tests.rs +154 -0
package/domainforge-core/tests/protobuf_projection_tests.rs +199 -0
package/domainforge-core/tests/quantity_tests.rs +41 -0
package/domainforge-core/tests/rdf_xml_typed_literal_tests.rs +105 -0
package/domainforge-core/tests/registry_schema_tests.rs +33 -0
package/domainforge-core/tests/resource_tests.rs +50 -0
package/domainforge-core/tests/resource_unit_tests.rs +24 -0
package/domainforge-core/tests/roles_relations_tests.rs +61 -0
package/domainforge-core/tests/round_trip_tests.rs +34 -0
package/domainforge-core/tests/runtime_toggle_tests.rs +70 -0
package/domainforge-core/tests/sbvr_fact_schema_tests.rs +60 -0
package/domainforge-core/tests/sbvr_flow_facts_tests.rs +55 -0
package/domainforge-core/tests/sbvr_parsing_tests.rs +53 -0
package/domainforge-core/tests/semantic_pack_alias_resolution.rs +197 -0
package/domainforge-core/tests/semantic_pack_build.rs +302 -0
package/domainforge-core/tests/semantic_pack_consumer_smoke.rs +150 -0
package/domainforge-core/tests/semantic_pack_pack_set.rs +160 -0
package/domainforge-core/tests/semantic_pack_signing.rs +157 -0
package/domainforge-core/tests/semantic_pack_three_valued.rs +250 -0
package/domainforge-core/tests/semantic_pack_validate.rs +196 -0
package/domainforge-core/tests/std_lib_tests.rs +37 -0
package/domainforge-core/tests/temporal_evaluation_tests.rs +159 -0
package/domainforge-core/tests/temporal_semantics_tests.rs +214 -0
package/domainforge-core/tests/three_valued_quantifiers_tests.rs +164 -0
package/domainforge-core/tests/turtle_entity_export_tests.rs +38 -0
package/domainforge-core/tests/turtle_escaping_tests.rs +53 -0
package/domainforge-core/tests/turtle_resource_export_tests.rs +34 -0
package/domainforge-core/tests/type_inference_tests.rs +40 -0
package/domainforge-core/tests/unicode_validation_tests.rs +169 -0
package/domainforge-core/tests/unit_tests.rs +81 -0
package/domainforge-core/tests/validate_tests.rs +38 -0
package/domainforge-core/tests/validation_unit_mismatch_tests.rs +83 -0
package/domainforge-core/tests/wasm_tests.rs +229 -0
package/domainforge-python/CHANGELOG-python.md +12 -0
package/domainforge-python/MIGRATING.md +24 -0
package/domainforge-python/README.md +256 -0
package/domainforge-python/domainforge/__init__.py +95 -0
package/domainforge-python/domainforge/domainforge.pyi +519 -0
package/domainforge-python/pyproject.toml +36 -0
package/domainforge-typescript/CHANGELOG-typescript.md +12 -0
package/domainforge-typescript/LICENSE +201 -0
package/domainforge-typescript/MIGRATING.md +24 -0
package/domainforge-typescript/README.md +305 -0
package/domainforge-typescript/index.d.ts +452 -0
package/domainforge-typescript/index.js +361 -0
package/domainforge-typescript/package.json +60 -0
package/example.js +61 -0
package/examples/browser.html +366 -0
package/examples/namespaces/finance/cashflow.sea +5 -0
package/examples/namespaces/logistics/core.sea +7 -0
package/examples/observability_metrics.sea +38 -0
package/fixtures/semantic_packs/acme_procurement/domain/entities.sea +39 -0
package/fixtures/semantic_packs/acme_procurement/domain/metrics.sea +11 -0
package/fixtures/semantic_packs/acme_procurement/domain/relations.sea +7 -0
package/fixtures/semantic_packs/acme_procurement/domain/resources.sea +9 -0
package/fixtures/semantic_packs/acme_procurement/review/acme.procurement.semantic-review.jsonl +7 -0
package/fixtures/semantic_packs/acme_procurement/tests/ambiguous_vendor_alias.sea +8 -0
package/fixtures/semantic_packs/acme_procurement/tests/deprecated_vendor_alias.sea +8 -0
package/fixtures/semantic_packs/acme_procurement/tests/invalid_relation.sea +3 -0
package/fixtures/semantic_packs/acme_procurement/tests/proposed_concept.sea +8 -0
package/fixtures/semantic_packs/acme_procurement/tests/rejected_concept.sea +8 -0
package/fixtures/semantic_packs/acme_procurement/tests/unit_mismatch.sea +7 -0
package/fixtures/semantic_packs/acme_procurement/tests/unknown_vendor_policy.sea +8 -0
package/fixtures/semantic_packs/acme_procurement/tests/valid_purchase_policy.sea +8 -0
package/index.d.ts +2 -0
package/index.js +8 -0
package/justfile +200 -0
package/lefthook.yml +13 -0
package/lib/validate_native_exports.d.ts +4 -0
package/lib/validate_native_exports.js +12 -0
package/package.json +22 -0
package/pytest.ini +5 -0
package/python/tests/test_registry.py +75 -0
package/python/tests/test_units.py +18 -0
package/release-please-config.json +49 -0
package/requirements-dev.txt +3 -0
package/requirements.txt +3 -0
package/rust-toolchain.toml +3 -0
package/schemas/ast-v1.schema.json +72 -0
package/schemas/ast-v2.schema.json +1200 -0
package/schemas/ast-v3.schema.json +1200 -0
package/schemas/sea-registry.schema.json +45 -0
package/scripts/build-python.sh +37 -0
package/scripts/build-release.sh +279 -0
package/scripts/build-typescript.sh +13 -0
package/scripts/build-wasm.sh +113 -0
package/scripts/bump-version.sh +245 -0
package/scripts/check_unused_test_imports.py +85 -0
package/scripts/ci_tasks.py +379 -0
package/scripts/clear_debug_test.sh +10 -0
package/scripts/create-github-release.sh +262 -0
package/scripts/create-tag.sh +203 -0
package/scripts/find_and_link_test_binary.sh +70 -0
package/scripts/generate-changelog.sh +271 -0
package/scripts/generate-release-notes.sh +205 -0
package/scripts/lint_release_security.py +96 -0
package/scripts/lint_release_workflows.py +82 -0
package/scripts/lint_workflow_gates.py +113 -0
package/scripts/optimized-wasm-build.sh +61 -0
package/scripts/patch_napi_types.py +62 -0
package/scripts/pre-release-check.sh +289 -0
package/scripts/prepare_rust_debug.sh +52 -0
package/scripts/release.sh +373 -0
package/scripts/resolve_rust_binary.py +230 -0
package/scripts/run_commitlint.sh +29 -0
package/scripts/test-all.sh +77 -0
package/scripts/update_launch_program.py +93 -0
package/secrets/README.md +27 -0
package/secrets/secrets.yaml +21 -0
package/test_integration.py +67 -0
package/tests/test_authority.py +328 -0
package/tests/test_ci_tasks.py +143 -0
package/tests/test_expression.py +256 -0
package/tests/test_golden_payment_flow.py +42 -0
package/tests/test_graph.py +127 -0
package/tests/test_instance.py +136 -0
package/tests/test_parser.py +82 -0
package/tests/test_primitives.py +68 -0
package/tests/test_role_relation_parity.py +56 -0
package/tests/test_runtime_toggle.py +156 -0
package/tests/test_semantic_pack.py +639 -0
package/tests/test_three_valued_eval.py +159 -0
package/tsconfig.json +30 -0
package/typescript-tests/advanced.test.ts +165 -0
package/typescript-tests/authority.test.ts +216 -0
package/typescript-tests/expression.test.ts +228 -0
package/typescript-tests/golden-payment-flow.test.ts +51 -0
package/typescript-tests/graph.test.ts +142 -0
package/typescript-tests/native-binding.test.ts +20 -0
package/typescript-tests/primitives.test.ts +88 -0
package/typescript-tests/registry.test.ts +122 -0
package/typescript-tests/role_relation.test.ts +63 -0
package/typescript-tests/runtime_toggle.test.ts +141 -0
package/typescript-tests/semantic-pack.test.ts +556 -0
package/typescript-tests/three_valued_eval.test.ts +135 -0
package/typescript-tests/units.test.ts +36 -0
package/vitest.config.ts +13 -0
package/wasm_demo.html +225 -0

package/scripts/generate-changelog.sh ADDED Viewed

@@ -0,0 +1,271 @@
+#!/usr/bin/env bash
+# generate-changelog.sh - Generate changelog entries from git commits
+# Usage: ./scripts/generate-changelog.sh [VERSION] [OPTIONS]
+#
+# Parses conventional commits and updates CHANGELOG.md
+set -euo pipefail
+# ============================================================================
+# Configuration
+# ============================================================================
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+# Flags
+DRY_RUN=false
+NO_COMMIT=false
+# ============================================================================
+# Helper Functions
+# ============================================================================
+log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+log_error() { echo -e "${RED}[✗]${NC} $1"; }
+usage() {
+    cat <<EOF
+Usage: $(basename "$0") [VERSION] [OPTIONS]
+Generate changelog entries from git commits using conventional commit format.
+ARGUMENTS:
+    VERSION         Version number for the changelog entry (e.g., 0.7.0)
+                    If not provided, reads from domainforge-core/Cargo.toml
+OPTIONS:
+    --dry-run       Show what would be generated without modifying files
+    --no-commit     Update CHANGELOG.md but don't create git commit
+    -h, --help      Show this help message
+COMMIT CATEGORIES:
+    feat:       -> 🎉 Added
+    fix:        -> 🐛 Fixed
+    docs:       -> 📚 Documentation
+    refactor:   -> ✨ Changed
+    perf:       -> ⚡ Performance
+    test:       -> 🧪 Testing
+    chore:      -> 🔧 Maintenance
+EXAMPLES:
+    $(basename "$0")                      # Generate for current version
+    $(basename "$0") 0.7.0                # Generate for specific version
+    $(basename "$0") --dry-run            # Preview without changes
+EOF
+}
+get_last_tag() {
+    git describe --tags --abbrev=0 2>/dev/null || echo ""
+}
+get_current_version() {
+    grep -m1 '^version = ' "$PROJECT_ROOT/domainforge-core/Cargo.toml" | sed 's/version = "\(.*\)"/\1/'
+}
+# ============================================================================
+# Parse Arguments
+# ============================================================================
+VERSION=""
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        --no-commit)
+            NO_COMMIT=true
+            shift
+            ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        -*)
+            log_error "Unknown option: $1"
+            usage
+            exit 1
+            ;;
+        *)
+            if [[ -z "$VERSION" ]]; then
+                VERSION="$1"
+            fi
+            shift
+            ;;
+    esac
+done
+# Default to current version
+if [[ -z "$VERSION" ]]; then
+    VERSION=$(get_current_version)
+fi
+# ============================================================================
+# Main
+# ============================================================================
+cd "$PROJECT_ROOT"
+echo ""
+echo "=============================================="
+echo "  DomainForge Changelog Generator"
+echo "=============================================="
+echo ""
+if $DRY_RUN; then
+    log_warn "DRY RUN MODE - No files will be modified"
+    echo ""
+fi
+log_info "Generating changelog for version: $VERSION"
+# Get commit range
+LAST_TAG=$(get_last_tag)
+if [[ -n "$LAST_TAG" ]]; then
+    log_info "Commits since tag: $LAST_TAG"
+    COMMIT_RANGE="$LAST_TAG..HEAD"
+else
+    log_warn "No previous tags found, using all commits"
+    COMMIT_RANGE=""
+fi
+# Parse commits into categories
+declare -a ADDED=()
+declare -a FIXED=()
+declare -a CHANGED=()
+declare -a DOCS=()
+declare -a OTHER=()
+while IFS= read -r line; do
+    [[ -z "$line" ]] && continue
+    # Extract commit message (format: hash subject)
+    subject="${line#* }"
+    # Categorize by conventional commit prefix
+    case "$subject" in
+        feat:*|feat\(*)
+            ADDED+=("${subject#feat:} ")
+            ADDED+=("${subject#feat(*)}")
+            ;;
+        fix:*|fix\(*)
+            FIXED+=("${subject#fix:} ")
+            ;;
+        docs:*|docs\(*)
+            DOCS+=("${subject#docs:} ")
+            ;;
+        refactor:*|perf:*|style:*)
+            CHANGED+=("$subject")
+            ;;
+        chore:*|test:*|ci:*|build:*)
+            # Skip maintenance commits from changelog
+            ;;
+        *)
+            # Include non-conventional commits in other
+            if [[ ! "$subject" =~ ^(Merge|chore|test|ci|build) ]]; then
+                OTHER+=("$subject")
+            fi
+            ;;
+    esac
+done < <(git log $COMMIT_RANGE --oneline --no-merges 2>/dev/null || true)
+# Generate changelog entry
+DATE=$(date +%Y-%m-%d)
+ENTRY="## [$VERSION] - $DATE"
+ENTRY+="\n"
+if [[ ${#ADDED[@]} -gt 0 ]]; then
+    ENTRY+="\n### 🎉 Added\n"
+    for item in "${ADDED[@]}"; do
+        # Clean up the commit message
+        clean_item=$(echo "$item" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//')
+        [[ -n "$clean_item" ]] && ENTRY+="- $clean_item\n"
+    done
+fi
+if [[ ${#CHANGED[@]} -gt 0 ]]; then
+    ENTRY+="\n### ✨ Changed\n"
+    for item in "${CHANGED[@]}"; do
+        clean_item=$(echo "$item" | sed 's/^[a-z]*:[[:space:]]*//')
+        [[ -n "$clean_item" ]] && ENTRY+="- $clean_item\n"
+    done
+fi
+if [[ ${#FIXED[@]} -gt 0 ]]; then
+    ENTRY+="\n### 🐛 Fixed\n"
+    for item in "${FIXED[@]}"; do
+        clean_item=$(echo "$item" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//')
+        [[ -n "$clean_item" ]] && ENTRY+="- $clean_item\n"
+    done
+fi
+if [[ ${#DOCS[@]} -gt 0 ]]; then
+    ENTRY+="\n### 📚 Documentation\n"
+    for item in "${DOCS[@]}"; do
+        clean_item=$(echo "$item" | sed 's/^[[:space:]]*//' | sed 's/[[:space:]]*$//')
+        [[ -n "$clean_item" ]] && ENTRY+="- $clean_item\n"
+    done
+fi
+# If no categorized commits, add placeholder
+if [[ ${#ADDED[@]} -eq 0 && ${#CHANGED[@]} -eq 0 && ${#FIXED[@]} -eq 0 && ${#DOCS[@]} -eq 0 ]]; then
+    ENTRY+="\n### Added\n- (Add new features here)\n"
+    ENTRY+="\n### Changed\n- (Add changes here)\n"
+    ENTRY+="\n### Fixed\n- (Add bug fixes here)\n"
+fi
+ENTRY+="\n"
+# Show preview
+echo ""
+log_info "Generated changelog entry:"
+echo "---"
+echo -e "$ENTRY"
+echo "---"
+# Update CHANGELOG.md
+if $DRY_RUN; then
+    log_info "Would insert above entry into CHANGELOG.md"
+else
+    if [[ -f "CHANGELOG.md" ]]; then
+        # Find first version heading and insert before it
+        FIRST_VERSION_LINE=$(grep -n "^## \[" CHANGELOG.md | head -1 | cut -d: -f1 || echo "")
+        if [[ -n "$FIRST_VERSION_LINE" ]]; then
+            head -n $((FIRST_VERSION_LINE - 1)) CHANGELOG.md > /tmp/changelog_new.md
+            echo -e "$ENTRY" >> /tmp/changelog_new.md
+            tail -n "+$FIRST_VERSION_LINE" CHANGELOG.md >> /tmp/changelog_new.md
+            mv /tmp/changelog_new.md CHANGELOG.md
+        else
+            # No existing version entries, append
+            echo -e "$ENTRY" >> CHANGELOG.md
+        fi
+        log_success "Updated CHANGELOG.md"
+    else
+        # Create new CHANGELOG.md
+        echo "# Changelog" > CHANGELOG.md
+        echo "" >> CHANGELOG.md
+        echo -e "$ENTRY" >> CHANGELOG.md
+        log_success "Created CHANGELOG.md"
+    fi
+    # Create git commit
+    if ! $NO_COMMIT; then
+        git add CHANGELOG.md
+        git commit -m "docs: update changelog for v$VERSION" --quiet
+        log_success "Created commit: docs: update changelog for v$VERSION"
+    fi
+fi
+echo ""
+echo "=============================================="
+log_success "Changelog generation complete"
+echo "=============================================="

package/scripts/generate-release-notes.sh ADDED Viewed

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+# generate-release-notes.sh - Generate GitHub release notes
+# Usage: ./scripts/generate-release-notes.sh [VERSION] [OPTIONS]
+#
+# Extracts content from CHANGELOG.md and generates RELEASE_NOTES.md
+set -euo pipefail
+# ============================================================================
+# Configuration
+# ============================================================================
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+# Flags
+DRY_RUN=false
+# ============================================================================
+# Helper Functions
+# ============================================================================
+log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+log_error() { echo -e "${RED}[✗]${NC} $1"; }
+usage() {
+    cat <<EOF
+Usage: $(basename "$0") [VERSION] [OPTIONS]
+Generate GitHub release notes from CHANGELOG.md.
+ARGUMENTS:
+    VERSION         Version number (e.g., 0.7.0)
+                    If not provided, reads from domainforge-core/Cargo.toml
+OPTIONS:
+    --dry-run       Show what would be generated without creating file
+    -h, --help      Show this help message
+OUTPUT:
+    Creates RELEASE_NOTES.md with:
+    - Version header
+    - What's Changed section (from CHANGELOG)
+    - Breaking Changes (if any BREAKING CHANGE: footers found)
+    - Contributors list
+EXAMPLES:
+    $(basename "$0")              # Generate for current version
+    $(basename "$0") 0.7.0        # Generate for specific version
+    $(basename "$0") --dry-run    # Preview without creating file
+EOF
+}
+get_current_version() {
+    grep -m1 '^version = ' "$PROJECT_ROOT/domainforge-core/Cargo.toml" | sed 's/version = "\(.*\)"/\1/'
+}
+get_last_tag() {
+    git describe --tags --abbrev=0 2>/dev/null || echo ""
+}
+# ============================================================================
+# Parse Arguments
+# ============================================================================
+VERSION=""
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        -*)
+            log_error "Unknown option: $1"
+            usage
+            exit 1
+            ;;
+        *)
+            if [[ -z "$VERSION" ]]; then
+                VERSION="$1"
+            fi
+            shift
+            ;;
+    esac
+done
+if [[ -z "$VERSION" ]]; then
+    VERSION=$(get_current_version)
+fi
+# ============================================================================
+# Main
+# ============================================================================
+cd "$PROJECT_ROOT"
+echo ""
+echo "=============================================="
+echo "  DomainForge Release Notes Generator"
+echo "=============================================="
+echo ""
+if $DRY_RUN; then
+    log_warn "DRY RUN MODE - No files will be created"
+    echo ""
+fi
+log_info "Generating release notes for version: $VERSION"
+DATE=$(date +%Y-%m-%d)
+# Start building release notes
+NOTES="# Release v$VERSION ($DATE)\n\n"
+# Extract changelog section for this version
+if [[ -f "CHANGELOG.md" ]]; then
+    log_info "Extracting changes from CHANGELOG.md..."
+    # Find the section for this version
+    CHANGELOG_SECTION=$(awk -v version="$VERSION" '
+        /^## \[/ {
+            if (found) exit;
+            if ($0 ~ "\\[" version "\\]") found=1;
+        }
+        found { print }
+    ' CHANGELOG.md | tail -n +2)
+    if [[ -n "$CHANGELOG_SECTION" ]]; then
+        NOTES+="## What's Changed\n\n"
+        NOTES+="$CHANGELOG_SECTION\n"
+    else
+        log_warn "No changelog section found for version $VERSION"
+        NOTES+="## What's Changed\n\n"
+        NOTES+="See [CHANGELOG.md](./CHANGELOG.md) for details.\n\n"
+    fi
+else
+    log_warn "CHANGELOG.md not found"
+    NOTES+="## What's Changed\n\n"
+    NOTES+="See commit history for details.\n\n"
+fi
+# Check for breaking changes in commits
+LAST_TAG=$(get_last_tag)
+if [[ -n "$LAST_TAG" ]]; then
+    BREAKING_CHANGES=$(git log "$LAST_TAG..HEAD" --grep="BREAKING CHANGE" --pretty=format:"- %s" 2>/dev/null || true)
+    if [[ -n "$BREAKING_CHANGES" ]]; then
+        NOTES+="## ⚠️ Breaking Changes\n\n"
+        NOTES+="$BREAKING_CHANGES\n\n"
+    fi
+fi
+# Get contributors
+log_info "Collecting contributors..."
+if [[ -n "$LAST_TAG" ]]; then
+    CONTRIBUTORS=$(git log "$LAST_TAG..HEAD" --format="%an" 2>/dev/null | sort -u | head -20 || true)
+else
+    CONTRIBUTORS=$(git log --format="%an" -20 2>/dev/null | sort -u | head -10 || true)
+fi
+if [[ -n "$CONTRIBUTORS" ]]; then
+    NOTES+="## Contributors\n\n"
+    while IFS= read -r contributor; do
+        [[ -n "$contributor" ]] && NOTES+="- @$contributor\n"
+    done <<< "$CONTRIBUTORS"
+    NOTES+="\n"
+fi
+# Add links
+NOTES+="## Links\n\n"
+NOTES+="- [Full Changelog](./CHANGELOG.md)\n"
+NOTES+="- [Documentation](./docs/)\n"
+if [[ -n "$LAST_TAG" ]]; then
+    NOTES+="- [Compare with previous version](https://github.com/GodSpeedAI/DomainForge/compare/$LAST_TAG...v$VERSION)\n"
+fi
+# Preview or write
+echo ""
+log_info "Generated release notes:"
+echo "---"
+echo -e "$NOTES"
+echo "---"
+if $DRY_RUN; then
+    log_info "Would write above content to RELEASE_NOTES.md"
+else
+    echo -e "$NOTES" > RELEASE_NOTES.md
+    log_success "Created RELEASE_NOTES.md"
+fi
+echo ""
+echo "=============================================="
+log_success "Release notes generation complete"
+echo "=============================================="

package/scripts/lint_release_security.py ADDED Viewed

@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+"""Lint release workflows for publish safety and security."""
+import sys
+from pathlib import Path
+try:
+    import yaml
+except ImportError:
+    print("PyYAML is required: pip install pyyaml")
+    sys.exit(1)
+def lint_release_security(path):
+    errors = []
+    try:
+        with open(path) as f:
+            wf = yaml.safe_load(f)
+    except Exception as e:
+        return [f"{path.name}: failed to parse YAML: {e}"]
+    if wf is None:
+        return []
+    for job_name, job in wf.get("jobs", {}).items():
+        steps = job.get("steps", [])
+        for i, step in enumerate(steps):
+            run = step.get("run", "")
+            name = step.get("name", step.get("uses", "unnamed"))
+            if isinstance(run, str) and "curl" in run:
+                piped = run.split("|")[-1].strip() if "|" in run else ""
+                if piped.endswith("sh") or piped.endswith("bash"):
+                    if "sha256" not in run.lower() and "checksum" not in run.lower():
+                        errors.append(
+                            f"{path.name}:{job_name}/step[{i}]: "
+                            f"curl | sh without checksum verification"
+                        )
+            if step.get("continue-on-error"):
+                name_lower = str(name).lower()
+                run_lower = str(run).lower()
+                if "publish" in name_lower or "publish" in run_lower or "release" in name_lower:
+                    errors.append(
+                        f"{path.name}:{job_name}/step[{i}]: "
+                        f"continue-on-error on publish/release step '{name}'"
+                    )
+            if isinstance(run, str) and "publish" in run.lower():
+                if "|| echo" in run or "|| true" in run:
+                    if "already" not in run.lower() and "skip" not in run.lower():
+                        errors.append(
+                            f"{path.name}:{job_name}/step[{i}]: "
+                            f"publish failure masked by || echo/|| true in '{name}'"
+                        )
+            env_block = step.get("env", {})
+            uses = step.get("uses", "")
+            is_build = isinstance(run, str) and any(
+                kw in run for kw in ["cargo build", "npm run build", "wasm-pack build"]
+            )
+            is_publish = isinstance(run, str) and "publish" in run.lower()
+            if is_build and not is_publish:
+                token_keys = [k for k in env_block if "token" in k.lower() or "key" in k.lower()]
+                if token_keys:
+                    errors.append(
+                        f"{path.name}:{job_name}/step[{i}]: "
+                        f"secret env ({', '.join(token_keys)}) exposed during build step '{name}'"
+                    )
+    return errors
+def main():
+    workflows_dir = Path(".github/workflows")
+    if not workflows_dir.exists():
+        print("No .github/workflows directory found")
+        sys.exit(0)
+    all_errors = []
+    for wf in sorted(workflows_dir.glob("*.yml")):
+        all_errors.extend(lint_release_security(wf))
+    for wf in sorted(workflows_dir.glob("*.yaml")):
+        all_errors.extend(lint_release_security(wf))
+    if all_errors:
+        print("Release security lint FAILURES:")
+        for e in all_errors:
+            print(f"  - {e}")
+        sys.exit(1)
+    else:
+        print("All release security lints passed")
+        sys.exit(0)
+if __name__ == "__main__":
+    main()

package/scripts/lint_release_workflows.py ADDED Viewed

@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+"""Lint release workflows for security best practices."""
+import sys
+from pathlib import Path
+try:
+    import yaml
+except ImportError:
+    print("PyYAML is required: pip install pyyaml")
+    sys.exit(1)
+def lint_workflow(path):
+    errors = []
+    try:
+        with open(path) as f:
+            wf = yaml.safe_load(f)
+    except Exception as e:
+        return [f"{path.name}: failed to parse YAML: {e}"]
+    if wf is None:
+        return []
+    for job_name, job in wf.get("jobs", {}).items():
+        steps = job.get("steps", [])
+        for i, step in enumerate(steps):
+            run = step.get("run", "")
+            name = step.get("name", step.get("uses", "unnamed"))
+            if step.get("continue-on-error"):
+                run_lower = str(run).lower()
+                name_lower = str(name).lower()
+                if "publish" in name_lower or "publish" in run_lower:
+                    errors.append(
+                        f"{path.name}:{job_name}/step[{i}]: "
+                        f"continue-on-error on publish step '{name}'"
+                    )
+            if isinstance(run, str) and "curl" in run:
+                piped = run.split("|")[-1].strip() if "|" in run else ""
+                if piped.endswith("sh") or "sops" in run:
+                    if "sha256" not in run.lower() and "checksum" not in run.lower():
+                        errors.append(
+                            f"{path.name}:{job_name}/step[{i}]: "
+                            f"curl download without checksum verification"
+                        )
+            if isinstance(run, str) and "npm install" in run:
+                if "--frozen" not in run and "npm ci" not in run:
+                    if "release" in path.name:
+                        errors.append(
+                            f"{path.name}:{job_name}/step[{i}]: "
+                            f"unfrozen npm install in release workflow"
+                        )
+    return errors
+def main():
+    workflows_dir = Path(".github/workflows")
+    if not workflows_dir.exists():
+        print("No .github/workflows directory found")
+        sys.exit(0)
+    all_errors = []
+    for wf in sorted(workflows_dir.glob("*.yml")):
+        all_errors.extend(lint_workflow(wf))
+    for wf in sorted(workflows_dir.glob("*.yaml")):
+        all_errors.extend(lint_workflow(wf))
+    if all_errors:
+        print("Release workflow lint FAILURES:")
+        for e in all_errors:
+            print(f"  - {e}")
+        sys.exit(1)
+    else:
+        print("All release workflow lints passed")
+        sys.exit(0)
+if __name__ == "__main__":
+    main()