dominus-sdk-nodejs 6.6.0 → 7.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/README.md +28 -1
  2. package/dist/index.d.ts +3 -3
  3. package/dist/index.d.ts.map +1 -1
  4. package/dist/index.js +1 -1
  5. package/dist/lib/client.d.ts +10 -1
  6. package/dist/lib/client.d.ts.map +1 -1
  7. package/dist/lib/client.js +31 -16
  8. package/dist/lib/client.js.map +1 -1
  9. package/dist/namespaces/authority.d.ts +9 -21
  10. package/dist/namespaces/authority.d.ts.map +1 -1
  11. package/dist/namespaces/authority.js +10 -48
  12. package/dist/namespaces/authority.js.map +1 -1
  13. package/dist/namespaces/workflow.d.ts +2 -0
  14. package/dist/namespaces/workflow.d.ts.map +1 -1
  15. package/dist/namespaces/workflow.js +1 -0
  16. package/dist/namespaces/workflow.js.map +1 -1
  17. package/docs/agent-guide/2026-06-27-0849-sdk-orient/00-reading-order.md +35 -0
  18. package/docs/agent-guide/2026-06-27-0849-sdk-orient/01-purpose-and-boundaries.md +48 -0
  19. package/docs/agent-guide/2026-06-27-0849-sdk-orient/02-repo-map-and-entrypoints.md +46 -0
  20. package/docs/agent-guide/2026-06-27-0849-sdk-orient/03-api-surface.md +59 -0
  21. package/docs/agent-guide/2026-06-27-0849-sdk-orient/04-data-state-and-storage.md +36 -0
  22. package/docs/agent-guide/2026-06-27-0849-sdk-orient/05-integrations-and-runtime.md +40 -0
  23. package/docs/agent-guide/2026-06-27-0849-sdk-orient/06-workflows-commands-and-ci.md +58 -0
  24. package/docs/agent-guide/2026-06-27-0849-sdk-orient/07-operations-release-and-live-proof.md +40 -0
  25. package/docs/agent-guide/2026-06-27-0849-sdk-orient/08-security-privacy-and-secrets.md +38 -0
  26. package/docs/agent-guide/2026-06-27-0849-sdk-orient/09-known-risks-and-debt.md +34 -0
  27. package/docs/agent-guide/2026-06-27-0849-sdk-orient/10-agent-playbook.md +48 -0
  28. package/docs/agent-guide/INDEX.md +23 -0
  29. package/docs/agent-guide/current.md +22 -0
  30. package/docs/architecture.md +3 -1
  31. package/docs/janitor/2026-06-27-0849-sdk-orient-cleanup-audit.md +102 -0
  32. package/docs/routes-services.md +1 -1
  33. package/package.json +2 -2
@@ -0,0 +1,46 @@
1
+ # 02 Repo Map And Entrypoints
2
+
3
+ ## Directory Map
4
+
5
+ | Path | Purpose |
6
+ |---|---|
7
+ | `src/index.ts` | Singleton construction, 27 namespace wiring, root shortcuts, public type/util re-exports. |
8
+ | `src/lib/client.ts` | Transport: base64 wire protocol, JWT mint/cache, retries, circuit breaker, SSE, binary IO. |
9
+ | `src/lib/cache.ts` | Encrypted in-memory cache + circuit breaker primitives. |
10
+ | `src/lib/config.ts` | Env/config resolution (gateway/proxy). |
11
+ | `src/lib/errors.ts` | Typed SDK error hierarchy. |
12
+ | `src/lib/console-capture.ts` | Optional console forwarding to the logs namespace. |
13
+ | `src/lib/page-rules.ts`, `src/lib/user-session.ts` | Portal JWT / page-access local caches. |
14
+ | `src/lib/crypto.ts`, `schema-builder.ts`, `trace.ts`, `conversation-format.ts` | Helpers (crypto, schema-builder normalization, trace, conversation format). |
15
+ | `src/namespaces/*.ts` | One file per namespace (27 files). |
16
+ | `src/contracts/versioned-storage.ts` | Versioned-storage contract types. |
17
+ | `tests/` | 24 test files (`.test.js`, `.test.ts`, `.typecheck.ts`). |
18
+ | `docs/` | `architecture.md`, `routes-services.md`, `usage-reference.md`, `workflow-hard-cut-release.md`, plus this `agent-guide/` and `janitor/`. |
19
+ | `.github/workflows/` | npm publish workflows by branch (dev/staging/production). |
20
+ | `dist/` | Generated build output (gitignored). Not source. |
21
+ | `node_modules/` | Installed deps (gitignored). |
22
+
23
+ ## Main Entrypoints
24
+
25
+ - Public API: import `{ dominus }` from `dominus-sdk-nodejs` (resolves to
26
+ `dist/index.js`; source is `src/index.ts`).
27
+ - Source-of-truth surface: `src/index.ts` constructor wires each
28
+ `public readonly <name>` namespace; a second wiring block builds a
29
+ token-scoped client subset.
30
+
31
+ ## Test Entrypoints
32
+
33
+ - `npm test` builds, runs type tests, then runs the explicit node:test file list
34
+ in `package.json` `scripts.test`.
35
+ - `npm run test:types` runs `tsc -p tsconfig.type-tests.json` for the
36
+ `*.typecheck.ts` files.
37
+
38
+ ## Config / Build / Deploy Entrypoints
39
+
40
+ - `tsconfig.json` (build), `tsconfig.type-tests.json` (type tests).
41
+ - `npm run build` (`tsc`) → `dist/`.
42
+ - `.github/workflows/publish-production.yml` on push to `production`.
43
+
44
+ ## Avoid
45
+
46
+ - `dist/` and `node_modules/` — generated; never edit, never cite as source.
@@ -0,0 +1,59 @@
1
+ # 03 API Surface
2
+
3
+ The public surface is the `dominus` singleton (`src/index.ts`). Each namespace is
4
+ a `public readonly` property backed by one file in `src/namespaces/`. The
5
+ authoritative, exhaustive per-command reference is `docs/usage-reference.md`;
6
+ the service/endpoint matrix is `docs/routes-services.md`. This page is the map.
7
+
8
+ ## Namespaces (27, wired in `src/index.ts`)
9
+
10
+ | Namespace | File | Backend / role (see routes-services.md) |
11
+ |---|---|---|
12
+ | `dominus.secrets` | `secrets.ts` | warden (selected-scope grants). |
13
+ | `dominus.db` | `db.ts` | db-worker. |
14
+ | `dominus.secure` | `secure.ts` | scribe (audited secure-table access). |
15
+ | `dominus.redis` | `redis.ts` | redis-worker (ephemera building block). |
16
+ | `dominus.files` | `files.ts` | b2-worker / admin-worker. |
17
+ | `dominus.auth` | `auth.ts` | guardian + local JWT helpers. |
18
+ | `dominus.ddl` | `ddl.ts` | smith / db-worker (schema builder + provisioning). |
19
+ | `dominus.logs` | `logs.ts` | logs-worker (tail supports `machine_id`). |
20
+ | `dominus.portal` | `portal.ts` | portal-worker. |
21
+ | `dominus.courier` | `courier.ts` | courier-worker. |
22
+ | `dominus.health` | `health.ts` | gateway-local (`/health`, `/v1/ping`). |
23
+ | `dominus.admin` | `admin.ts` | admin-worker. |
24
+ | `dominus.ai` (+ `.rag`, `.tools`, `.workflow`, `.results`, `.artifacts`) | `ai.ts` | agent-runtime. |
25
+ | `dominus.workflow` | `workflow.ts` | workflow-manager (`ensure()` is the public launch path). |
26
+ | `dominus.sync` | `sync.ts` | sync-worker. |
27
+ | `dominus.jobs` | `jobs.ts` | job-worker. |
28
+ | `dominus.processor` | `processor.ts` | processor-service. |
29
+ | `dominus.artifacts` | `artifacts.ts` | artifact-worker (Artifact V2 `ar://`). |
30
+ | `dominus.authority` | `authority.ts` | authority (app/org/env cutover surface). |
31
+ | `dominus.browser` | `browser.ts` | browser-worker via `/svc/browser/*`. |
32
+ | `dominus.deployer` | `deployer.ts` | deploy surface. |
33
+ | `dominus.warden` | `warden.ts` | warden. |
34
+ | `dominus.stash` | `stash.ts` | **primary storage surface** (kind registry routes to backend). |
35
+ | `dominus.recipes` | `recipes.ts` | recipe-worker. |
36
+ | `dominus.platform` | `platform.ts` | platform-worker via `/svc/platform/*`. |
37
+ | `dominus.coder` | `coder.ts` | coder-runtime via `/svc/coder/*`. |
38
+ | `dominus.publisher` | `publisher.ts` | publisher. |
39
+
40
+ (`ai` sub-namespaces and `auth` local helpers are extra surfaces beyond the 27
41
+ top-level files; see routes-services.md for the full service matrix.)
42
+
43
+ ## Root Shortcuts And Utilities
44
+
45
+ - Root shortcuts on the singleton: `get`, `upsert`, `listTables`, `queryTable`,
46
+ `insertRow`, `addTable`, etc. (`src/index.ts`).
47
+ - Exported utilities/types: error classes, crypto helpers
48
+ (`hashPassword`, `hashPsk`, `generateToken`), cache utilities, JWT helpers
49
+ (`verifyJwtLocally`, `isJwtValid`, `mintSelectedScopeJwt`),
50
+ `normalizeSchemaBuilderMigration`, console-capture controls.
51
+
52
+ ## Auth / Scope Per Call
53
+
54
+ - Default: service JWT minted from `DOMINUS_TOKEN` PSK via `/jwt/mint`, cached
55
+ 55 min (`JWT_CACHE_TTL = 3300000`) vs the worker's 1h `JWT_EXPIRY_SECONDS`.
56
+ - Optional `userToken` passes a caller JWT through unchanged where backend
57
+ semantics require user context.
58
+ - `mintSelectedScopeJwt(targetOrgId, targetEnv)` is the canonical selected-scope
59
+ mint helper.
@@ -0,0 +1,36 @@
1
+ # 04 Data, State, And Storage
2
+
3
+ This SDK is a stateless client; it does not own backend storage. It exposes
4
+ storage-facing namespaces and keeps a few in-process caches. Backends own the
5
+ durable state.
6
+
7
+ ## Storage Surfaces (client-facing)
8
+
9
+ Per `docs/architecture.md` §2a (Two-Layer Storage Rule):
10
+
11
+ | Surface | Namespace | Role |
12
+ |---|---|---|
13
+ | Named, durable data of a registered kind | `dominus.stash.*` | **Primary** — kind registry routes to the right backend + policy. |
14
+ | Direct `ar://`-addressed Artifact V2 workflow | `dominus.artifacts.*` | Escape hatch when you already hold a canonical ref. |
15
+ | Locks, queues, counters, short-lived cache | `dominus.redis.*` | Ephemera building block. |
16
+ | Tables / SQL | `dominus.db.*`, `dominus.ddl.*` | db-worker / smith building blocks. |
17
+ | Object/file storage | `dominus.files.*` | b2-worker building block. |
18
+ | New kernel backend / documented fallback | primitives | Lowest layer only. |
19
+
20
+ Rule: application data → Stash. Primitives only for ephemera or when building a
21
+ kernel backend.
22
+
23
+ ## In-Process Client State (this repo)
24
+
25
+ - **Service JWT cache** — `src/lib/client.ts`, cached 55 min, refreshed via
26
+ `ensureValidJwt` mutex to avoid thundering herd.
27
+ - **Encrypted in-memory cache** — `src/lib/cache.ts`; encryption key seeded from
28
+ `DOMINUS_TOKEN` in `src/index.ts`.
29
+ - **Portal/session caches** — `src/lib/page-rules.ts`, `src/lib/user-session.ts`
30
+ for portal JWT / page-access acceleration.
31
+ - **JWKS cache** — `auth.getJwks` caches public signing keys.
32
+
33
+ ## Migrations
34
+
35
+ - None in this repo. Schema/migration helpers (`ddl`, `normalizeSchemaBuilderMigration`)
36
+ build requests for the db/smith workers; the migrations themselves run there.
@@ -0,0 +1,40 @@
1
+ # 05 Integrations And Runtime
2
+
3
+ ## External Dependencies
4
+
5
+ - Runtime deps (`package.json`): `jose` (JWT verify/mint helpers), `bcryptjs`
6
+ (password/PSK hashing).
7
+ - Dev deps: `typescript`, `@types/node`, `@types/bcryptjs`.
8
+
9
+ ## Cross-Repo / Gateway Calls
10
+
11
+ The SDK is a client to the Dominus gateway. Namespace code targets `/api/*`
12
+ paths; when a method sets `useGateway: true` the client transforms `/api/*` to
13
+ gateway `/svc/*` dispatch paths (`docs/architecture.md` §4,
14
+ `docs/routes-services.md`). Backends reached include guardian, authority,
15
+ workflow-manager, agent-runtime, db/redis/b2/logs workers, platform-worker,
16
+ coder-runtime, browser-worker, and others — see the service matrix in
17
+ `docs/routes-services.md`.
18
+
19
+ Notable routing facts (from `CLAUDE.md` / routes-services.md):
20
+
21
+ - `dominus.browser.*` must use `/api/browser/*` with `useGateway: true`
22
+ (gateway exposes `/svc/browser/*`); do not point at worker-local `/runs/*`.
23
+ - `dominus.platform.*` and `dominus.coder.*` call `/svc/*` via `gatewayFetch`
24
+ and forward `X-Actor-Type` / `X-Actor-Id`.
25
+ - `dominus.coder.ensureRun()` requires exactly one of `workflowRecipeRef` or
26
+ `pipelineRecipeRef`.
27
+ - `dominus.ai.stt` → `POST /api/agent/stt` (batch; legacy WebSocket STT retired).
28
+
29
+ ## Runtime Assumptions
30
+
31
+ - ESM only (`"type": "module"`), Node `>=18`.
32
+ - Single published entry point; import from `'dominus-sdk-nodejs'` only.
33
+
34
+ ## Environment Variables (by category, no values)
35
+
36
+ - **Auth:** `DOMINUS_TOKEN` (PSK; also seeds the in-memory cache encryption key).
37
+ - **Gateway/config:** resolved in `src/lib/config.ts` (gateway base URL / proxy
38
+ config). Read that file for the exact variable names before relying on one.
39
+
40
+ Never write secret values into docs or logs.
@@ -0,0 +1,58 @@
1
+ # 06 Workflows, Commands, And CI
2
+
3
+ All commands from `package.json` `scripts`.
4
+
5
+ ## Install
6
+
7
+ ```bash
8
+ npm ci # CI / reproducible
9
+ npm install # local
10
+ ```
11
+
12
+ ## Build / Dev
13
+
14
+ ```bash
15
+ npm run build # tsc -> dist/
16
+ npm run dev # tsc --watch
17
+ npm run clean # rm -rf dist
18
+ ```
19
+
20
+ ## Typecheck / Lint
21
+
22
+ ```bash
23
+ npm run typecheck # tsc --noEmit
24
+ npm run lint # tsc --noEmit (lint == typecheck in this repo)
25
+ npm run test:types # tsc -p tsconfig.type-tests.json (the *.typecheck.ts files)
26
+ ```
27
+
28
+ ## Test
29
+
30
+ ```bash
31
+ npm test
32
+ ```
33
+
34
+ `npm test` = `build` + `test:types` + an explicit `node --test` file list (24
35
+ files under `tests/`). Run before finalizing substantial changes (`CLAUDE.md`
36
+ Validation). Tests are committed and present — the older "no committed tests"
37
+ note is stale.
38
+
39
+ ## Fast Local Validation
40
+
41
+ `npm run typecheck` (or `lint`) for a quick compile check; `npm run test:types`
42
+ for the type-level contract tests.
43
+
44
+ ## Full Validation
45
+
46
+ `npm test` (build + type tests + unit/contract tests).
47
+
48
+ ## CI Workflows
49
+
50
+ | Workflow | Trigger | Signal |
51
+ |---|---|---|
52
+ | `.github/workflows/publish-production.yml` | push to `production` | `npm ci` + build + npm publish (skips if version already on registry; falls back to provenance publish). |
53
+ | `.github/workflows/publish-staging.yml` | (staging branch) | npm publish lane. |
54
+ | `.github/workflows/publish-development.yml` | (development branch) | npm publish lane. |
55
+
56
+ Per workspace reality, only the `production` lane is the live publish path for
57
+ this repo. Publishing is version-gated: bump `package.json` `version` or the
58
+ publish step no-ops.
@@ -0,0 +1,40 @@
1
+ # 07 Operations, Release, And Live Proof
2
+
3
+ ## Deployment Lane
4
+
5
+ This is a published npm package, not a deployed service. "Release" = npm publish.
6
+
7
+ - Push to `production` → `.github/workflows/publish-production.yml` →
8
+ `npm publish --access public`.
9
+ - Per workspace convention this repo's production branch is `production` (NOT
10
+ `dominus-production`, which is the convention for other Dominus repos).
11
+ - Requires GitHub Environment `production` with `NPM_TOKEN` (or npm OIDC trusted
12
+ publishing for the provenance-only retry).
13
+
14
+ ## Release Files And Version Rules
15
+
16
+ - `package.json` `version` is the single source of truth (6.6.0 at this
17
+ snapshot). The publish step checks `npm view <name>@<version>` and skips if the
18
+ version already exists, so **a version bump is required to publish**.
19
+ - `CHANGELOG.md` records each version's changes; update it with the bump.
20
+ - `package.json` `files` ships `dist`, `README.md`, and `docs`.
21
+ - `prepublishOnly` runs `npm run build` so `dist/` is fresh in the tarball.
22
+
23
+ ## Live Proof
24
+
25
+ - Registry: `npm view dominus-sdk-nodejs version` should match the pushed
26
+ `package.json` version after the workflow succeeds.
27
+ - CI: the publish-production workflow run on the `production` push.
28
+
29
+ ## Done Definitions
30
+
31
+ - **Local done:** `npm test` green (build + type tests + unit/contract tests).
32
+ - **CI done:** publish-production workflow succeeds.
33
+ - **Release done:** new version visible on npm.
34
+
35
+ ## Rollback
36
+
37
+ Per `docs/workflow-hard-cut-release.md`: downgrade target is the previously
38
+ published production SDK version. Trigger: customers report Authority-backed
39
+ recipe launch or native pipelines cannot start. (npm versions are immutable;
40
+ "rollback" means consumers pin the prior version.)
@@ -0,0 +1,38 @@
1
+ # 08 Security, Privacy, And Secrets
2
+
3
+ ## Auth Boundaries
4
+
5
+ - **Service auth:** `DOMINUS_TOKEN` PSK → minted short-lived JWT via gateway
6
+ `/jwt/mint`, cached (`src/lib/client.ts`). Default for namespace calls.
7
+ - **User auth:** optional `userToken` passes a caller JWT through unchanged;
8
+ the backend authorizes the user context.
9
+ - **Selected-scope:** `mintSelectedScopeJwt(targetOrgId, targetEnv)` is the only
10
+ supported selected-scope mint helper; scope keys off org + environment.
11
+ - **Local JWT helpers:** `verifyJwtLocally`, `isJwtValid`, `auth.validateJwt`
12
+ (local payload/expiry checks — not full remote introspection), `auth.getJwks`
13
+ (cached public keys).
14
+
15
+ Identity-family rule (workspace policy): service token, service JWT, portal user
16
+ JWT, client JWT, and selected-scope operator token are NOT interchangeable. Do
17
+ not forward a user or machine JWT to admin-only planes.
18
+
19
+ Service-side 401 rule (`CLAUDE.md`): a non-`/portal/auth/*` 401 must not be
20
+ laundered into user-session expiry by callers. Classify by
21
+ `DominusError.endpoint`, not message strings — every `getServiceJwt` throw
22
+ carries `endpoint='/jwt/mint'`.
23
+
24
+ ## Secret / Config Resolution
25
+
26
+ - `src/lib/config.ts` resolves gateway/proxy/url config and `DOMINUS_TOKEN`
27
+ from env. No secret values are committed.
28
+ - `.gitignore` excludes `.env`, `.env.local`, `.env.*.local`, `.npmrc`.
29
+
30
+ ## PHI / Sensitive-Data Rules
31
+
32
+ - This SDK carries no PHI itself, but it transports caller data to backends.
33
+ - Never log or write into docs: PHI, secret values, tokens, cookies, JWTs, raw
34
+ request/response bodies.
35
+
36
+ ## Must Never Be Written Into Docs
37
+
38
+ Tokens, PSKs, JWTs, secret values, raw response bodies, customer/patient data.
@@ -0,0 +1,34 @@
1
+ # 09 Known Risks And Debt
2
+
3
+ ## Stale Docs (corrected this pass)
4
+
5
+ - `docs/architecture.md` §10 and `CLAUDE.md` Validation note claimed "no
6
+ committed automated tests". STALE — `tests/` has 24 committed files run by
7
+ `npm test`. Corrected in both files in this janitor pass. If a future edit
8
+ re-introduces the claim, fix it; do not trust it.
9
+
10
+ ## Doc Maintenance Burden
11
+
12
+ - `docs/usage-reference.md` is ~98 KB and `docs/routes-services.md` cites
13
+ "450 commands across 29 namespace surfaces". These hand-maintained counts can
14
+ drift from source. Treat `src/namespaces/*.ts` + `src/index.ts` as authority;
15
+ re-derive counts before quoting them. (At this snapshot: 27 namespace files,
16
+ 24 test files.)
17
+
18
+ ## Generated Residue
19
+
20
+ - `dist/` (~1.6 MB) is built output, gitignored; safe to delete and rebuild with
21
+ `npm run build`. Auto-cleaned this pass (see janitor audit). `node_modules/`
22
+ likewise reproducible via `npm ci`.
23
+
24
+ ## Ownership / Boundaries
25
+
26
+ - The SDK must conform to kernel contracts (identity families, error envelope,
27
+ routing) defined in the Dominus workers — it does not define them. Changes that
28
+ touch wire protocol, JWT TTLs, or route transforms are contract-sensitive and
29
+ warrant `dominus-expert` review before shipping.
30
+
31
+ ## Cleanup Links
32
+
33
+ - Janitor audit: `docs/janitor/2026-06-27-0849-sdk-orient-cleanup-audit.md`.
34
+ - No `docs/atlas/` exists; run `kyle-atlas` if truth becomes scattered.
@@ -0,0 +1,48 @@
1
+ # 10 Agent Playbook
2
+
3
+ ## If You Are Changing X, Read Y First
4
+
5
+ - **A namespace command** → `src/namespaces/<name>.ts` + the relevant rows in
6
+ `docs/routes-services.md`. Follow the Public API Change Checklist in
7
+ `CLAUDE.md` (update namespace, wire in `src/index.ts` if new, export types,
8
+ update `docs/usage-reference.md` and `routes-services.md`).
9
+ - **Transport / auth / retries / streaming / binary** → `src/lib/client.ts` and
10
+ `docs/architecture.md` §3,§5,§6,§7. The 55-min JWT cache TTL is load-bearing;
11
+ do not regress it without raising the jwt-worker `JWT_EXPIRY_SECONDS` first.
12
+ - **A new public type or root shortcut** → `src/index.ts` (constructor + export).
13
+ - **Errors** → `src/lib/errors.ts`; pass `endpoint` on service-auth throws so
14
+ callers can classify by `DominusError.endpoint`.
15
+ - **Env/gateway config** → `src/lib/config.ts`.
16
+
17
+ ## If Validation Fails
18
+
19
+ - Build/type errors → `npm run typecheck`; the repo's lint IS tsc.
20
+ - Type-contract failures → `npm run test:types` (the `*.typecheck.ts` files).
21
+ - Unit/contract failures → `npm test` runs an explicit file list; run a single
22
+ file with `node --test tests/<file>.test.js` after `npm run build`.
23
+
24
+ ## Common Traps
25
+
26
+ - Importing from a subpath — there is only one export entry; import from
27
+ `'dominus-sdk-nodejs'`.
28
+ - Treating `dist/` as source — it is generated; edit `src/`.
29
+ - Forgetting the version bump — publish-production no-ops if the version already
30
+ exists on npm.
31
+ - Using `dominus-production` as this repo's branch — it is `production` here.
32
+ - Pointing `browser` methods at worker-local `/runs/*` — use `/api/browser/*`
33
+ with `useGateway: true`.
34
+
35
+ ## Which Kyle Skill For Common Work
36
+
37
+ - Behavior change / bug fix → `kyle-fix` (test-first via `kyle-tdd`).
38
+ - Root-cause unknown → `kyle-diagnose`.
39
+ - Plan a larger change → `kyle-plan`.
40
+ - Review a diff → `kyle-review`.
41
+ - Contract-sensitive change (wire protocol, JWT, routing) → route to
42
+ `dominus-expert` before shipping.
43
+ - Docs/cleanup drift → `kyle-janitor` (this pack).
44
+
45
+ ## Handoff Expectations
46
+
47
+ This is a Dominus platform repo: cross-contract or wire-protocol changes need
48
+ `dominus-expert` review. Releases are npm publishes gated on a version bump.
@@ -0,0 +1,23 @@
1
+ # Agent Guide Index
2
+
3
+ Last updated: 2026-06-27 08:49 local
4
+ Current snapshot: `2026-06-27-0849-sdk-orient/00-reading-order.md`
5
+
6
+ ## Use This When
7
+
8
+ You are a coding agent about to change `dominus-sdk-nodejs` and want to orient
9
+ from docs before reading source: what this repo is, how a request flows, where
10
+ to edit a namespace, how to prove a change, and which facts are stale.
11
+
12
+ ## Read Order
13
+
14
+ 1. `2026-06-27-0849-sdk-orient/00-reading-order.md`
15
+ 2. `2026-06-27-0849-sdk-orient/01-purpose-and-boundaries.md`
16
+ 3. `2026-06-27-0849-sdk-orient/03-api-surface.md`
17
+ 4. `2026-06-27-0849-sdk-orient/10-agent-playbook.md`
18
+
19
+ ## Snapshot History
20
+
21
+ | Snapshot | Reason | Notes |
22
+ |---|---|---|
23
+ | `2026-06-27-0849-sdk-orient` | First janitor agent-guide pack | Source-backed at SDK v6.6.0 on branch `production`. |
@@ -0,0 +1,22 @@
1
+ # Current Agent-Guide Snapshot
2
+
3
+ Latest snapshot: `2026-06-27-0849-sdk-orient/00-reading-order.md`
4
+
5
+ Generated 2026-06-27 from SDK v6.6.0 (`package.json`) on branch `production`.
6
+
7
+ ## Top Five Facts To Refresh Before Editing
8
+
9
+ 1. **Version + changelog.** Confirm `package.json` `version` and the top of
10
+ `CHANGELOG.md`; this pack was written at `6.6.0`.
11
+ 2. **Namespace count.** `src/namespaces/` had 27 files, each wired as a
12
+ `public readonly` property in `src/index.ts`. Re-count before claiming a
13
+ surface is missing.
14
+ 3. **Tests exist.** `tests/` has 24 test files run by `npm test`. The older
15
+ claim in `docs/architecture.md` §10 / `CLAUDE.md` ("no committed tests") was
16
+ stale and is corrected in this pass.
17
+ 4. **Storage rule.** `dominus.stash.*` is the primary storage surface;
18
+ `redis`/`db`/`files`/`artifacts` are building blocks (see
19
+ `docs/architecture.md` §2a).
20
+ 5. **Release lane.** Push to `production` triggers
21
+ `.github/workflows/publish-production.yml` (npm publish). Do not commit/push
22
+ from janitor work.
@@ -114,4 +114,6 @@ Canonical documentation set for this repository:
114
114
 
115
115
  ## 10. Known Gaps
116
116
 
117
- - Test script exists in `package.json`, but no committed automated tests are currently present in this repository.
117
+ - The hand-maintained command/namespace counts in `routes-services.md` and
118
+ `usage-reference.md` can drift from source; re-derive from `src/namespaces/*.ts`
119
+ and `src/index.ts` before quoting them.
@@ -0,0 +1,102 @@
1
+ # Janitor Cleanup Audit: dominus-sdk-nodejs
2
+
3
+ Generated: 2026-06-27 08:49 local
4
+ Target repo: C:\developer\codingroot\repos\dominus_active\dominus-sdk-nodejs
5
+ Git root: C:\developer\codingroot\repos\dominus_active\dominus-sdk-nodejs
6
+ Branch/status: `production` — clean before this pass (no tracked or untracked changes).
7
+
8
+ ## Summary
9
+
10
+ Wrote a source-backed agent-guide pack and wired it into `README.md` and
11
+ `CLAUDE.md`. Corrected one proven-stale fact ("no committed automated tests")
12
+ in three places. Auto-cleaned generated `dist/` (gitignored, reproducible).
13
+ Everything left uncommitted per instructions. No tracked source, branches,
14
+ worktrees, plans, or release artifacts deleted.
15
+
16
+ ## Executive Actions Applied
17
+
18
+ | Action | Path | Why safe | Verification |
19
+ |---|---|---|---|
20
+ | Wrote agent-guide pack | `docs/agent-guide/**` | New docs only; no source touched. | Files present; INDEX/current point at snapshot. |
21
+ | Wrote cleanup audit | `docs/janitor/2026-06-27-0849-sdk-orient-cleanup-audit.md` | New doc only. | This file. |
22
+ | Wired guide into README | `README.md` | Added small "Agent Guide" section near top; no other content changed. | `git diff README.md` is the one added block. |
23
+ | Wired guide into CLAUDE | `CLAUDE.md` | Added "Agent Guide Pack" pointer near top. | `git diff CLAUDE.md`. |
24
+ | Fixed stale tests fact | `CLAUDE.md`, `docs/architecture.md` | `tests/` has 24 committed files run by `npm test`; old "no committed tests" claim was provably false. | `ls tests` (24 files); `package.json scripts.test` lists them. |
25
+ | Auto-clean generated build | `dist/` | Gitignored, untracked, reproducible via `npm run build`; `prepublishOnly` rebuilds it. | `git check-ignore dist` = ignored; `git ls-files dist` empty; post-delete `git status` shows no tracked change. |
26
+
27
+ ## Docs Written
28
+
29
+ | File | Purpose | Source-backed by |
30
+ |---|---|---|
31
+ | `docs/agent-guide/INDEX.md` | Stable entrypoint + snapshot history. | repo layout. |
32
+ | `docs/agent-guide/current.md` | Latest snapshot pointer + top-5 refresh facts. | `package.json`, `src/index.ts`, `tests/`. |
33
+ | `.../00-reading-order.md` | Read order + per-task source map + stale flags. | existing docs, `src/`. |
34
+ | `.../01-purpose-and-boundaries.md` | Purpose, ownership, runtime class, boundary. | `package.json`, `CLAUDE.md`, workflows. |
35
+ | `.../02-repo-map-and-entrypoints.md` | Directory map + entrypoints. | `find src`, `package.json`, `.github/workflows`. |
36
+ | `.../03-api-surface.md` | 27 namespaces + auth/scope map. | `src/index.ts` wiring, `routes-services.md`. |
37
+ | `.../04-data-state-and-storage.md` | Storage surfaces + in-process caches. | `docs/architecture.md` §2a, `src/lib/*`. |
38
+ | `.../05-integrations-and-runtime.md` | Deps, gateway routing, env categories. | `package.json`, `CLAUDE.md`, `src/lib/config.ts`. |
39
+ | `.../06-workflows-commands-and-ci.md` | Commands + CI lanes. | `package.json scripts`, `.github/workflows`. |
40
+ | `.../07-operations-release-and-live-proof.md` | npm release lane + proof. | `publish-production.yml`, `package.json`, `workflow-hard-cut-release.md`. |
41
+ | `.../08-security-privacy-and-secrets.md` | Auth boundaries, secret resolution. | `CLAUDE.md`, `src/lib/config.ts`, `.gitignore`. |
42
+ | `.../09-known-risks-and-debt.md` | Stale docs, doc-drift, generated residue. | this audit, `docs/*`. |
43
+ | `.../10-agent-playbook.md` | If-changing-X-read-Y + Kyle routing. | `CLAUDE.md`, `src/`. |
44
+
45
+ ## Drift Findings
46
+
47
+ | Finding | Evidence | Risk | Recommendation | Approval needed |
48
+ |---|---|---|---|---|
49
+ | "No committed automated tests" claim stale | `tests/` has 24 files; `package.json scripts.test` runs them | Low (misleads agents) | Fixed in CLAUDE.md + architecture.md §10 | Done |
50
+ | Hand-maintained counts may drift | `routes-services.md` says "450 commands / 29 surfaces"; actual `src/namespaces/` = 27 files | Low | Noted in 09 + architecture §10; re-derive from source before quoting | No |
51
+
52
+ ## Stale Or Conflicting Docs
53
+
54
+ | Doc | Problem | Stronger source | Proposed action |
55
+ |---|---|---|---|
56
+ | `docs/architecture.md` §10 | claimed no committed tests | `tests/` + `package.json` | Fixed (replaced with count-drift note). |
57
+ | `CLAUDE.md` Validation | "If tests are absent" framing | `tests/` (24 files) | Fixed to state tests are committed. |
58
+ | `routes-services.md` counts | "29 namespace surfaces" vs 27 top-level files | `src/namespaces/` | Left as-is (counts include `ai.*` sub-namespaces + `auth` local helpers; not provably wrong). Flagged for re-derivation. |
59
+
60
+ ## Orphan / Generated / Scratch Candidates
61
+
62
+ | Path | Evidence | Proposed action | Safe now? |
63
+ |---|---|---|---|
64
+ | `dist/` | gitignored build output (~1.6 MB) | Deleted | Yes (done) |
65
+ | `node_modules/` | gitignored installed deps | Leave; not in the auto-apply allowlist; reproducible via `npm ci` but may be in use by a dev session | Not auto-deleted |
66
+
67
+ ## Auto-Cleanup Performed
68
+
69
+ | Path | Evidence | Action | Verification |
70
+ |---|---|---|---|
71
+ | `dist/` | `git check-ignore dist` = ignored; `git ls-files dist` empty; reproducible via `npm run build` | `rm -rf dist` | Post-delete `git status` shows no tracked change; rebuild with `npm run build`. |
72
+
73
+ ## Expert Review Queue
74
+
75
+ | Candidate | Why expert should view it first | Suggested expert | First review question |
76
+ |---|---|---|---|
77
+ | `routes-services.md` "450 commands / 29 surfaces" reconciliation | Authoritative re-count of public commands vs. the maintained matrix touches the platform client contract surface | dominus-expert | Are the documented counts accurate against current `src/namespaces/*.ts`, and should they be regenerated by a script instead of hand-maintained? |
78
+
79
+ ## Worktree / Branch / Plan Residue
80
+
81
+ | Item | Evidence | Proposed action | Owner |
82
+ |---|---|---|---|
83
+ | None | Single repo dir; no `.git/worktrees` scratch, no stray plans found | None | — |
84
+
85
+ ## Approval Queue
86
+
87
+ - [ ] Delete `node_modules/` (reproducible via `npm ci`) — only if no dev session is using it — validate with `npm ci && npm test`.
88
+
89
+ ## Not Touching
90
+
91
+ - `dist/` rebuild — left for the developer to regenerate via `npm run build`.
92
+ - `node_modules/` — installed deps; outside the granted auto-clean allowlist.
93
+ - `docs/usage-reference.md` (~98 KB) — large reference, not rewritten; only flagged for count drift.
94
+ - All tracked source, `CHANGELOG.md` history, CI workflows, branches.
95
+
96
+ ## Follow-Up Skills
97
+
98
+ | Need | Skill | First action |
99
+ |---|---|---|
100
+ | Reconcile documented command counts | dominus-expert | Re-count public commands against `src/namespaces/`. |
101
+ | If truth scatters across code/docs/CI | kyle-atlas | Build `docs/atlas/INDEX.md`. |
102
+ | Durable cross-repo facts | kyle-learn | Promote to `.claude/knowledge` if reused. |
@@ -2,7 +2,7 @@
2
2
 
3
3
  This assessment is derived from all public namespace methods under `src/namespaces/` and their configured routes in SDK request calls.
4
4
 
5
- Audited commands: **450** across **29** namespace surfaces.
5
+ Audited commands: **~450** (hand-counted) across **27** top-level namespace files in `src/namespaces/`. The Service Matrix below lists **29** namespace surfaces because it expands dotted sub-namespaces (e.g. `ai.*` and `auth.*`) into their own rows, so the surface count is intentionally higher than the file count, not a typo. These totals are hand-maintained — re-derive from source before quoting.
6
6
 
7
7
  ## Service Matrix
8
8
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "dominus-sdk-nodejs",
3
- "version": "6.6.0",
3
+ "version": "7.1.0",
4
4
  "description": "Node.js SDK for the Dominus gateway-first platform",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",
@@ -21,7 +21,7 @@
21
21
  "clean": "rm -rf dist",
22
22
  "prepublishOnly": "npm run build",
23
23
  "typecheck": "tsc --noEmit",
24
- "test": "npm run build && npm run test:types && node --test tests/auth.test.js tests/health.test.js tests/browser.test.js tests/recipes.test.js tests/recipes-stash-routing.test.js tests/platform-coder.test.js tests/publisher.test.js tests/workflow-lifecycle.test.js tests/logs.test.js tests/public-exports.test.js tests/authority-contract.test.js tests/error-contract.test.js tests/admin.test.js tests/control-plane.test.js tests/schema-builder-contract.test.js tests/files-contract.test.js tests/storage-wire-contract.test.js tests/stash-artifact-facade.test.js tests/conversation-format.test.js",
24
+ "test": "npm run build && npm run test:types && node --test tests/auth.test.js tests/health.test.js tests/browser.test.js tests/recipes.test.js tests/recipes-stash-routing.test.js tests/platform-coder.test.js tests/publisher.test.js tests/workflow-lifecycle.test.js tests/logs.test.js tests/public-exports.test.js tests/authority-contract.test.js tests/error-contract.test.js tests/admin.test.js tests/control-plane.test.js tests/schema-builder-contract.test.js tests/files-contract.test.js tests/storage-wire-contract.test.js tests/stash-artifact-facade.test.js tests/conversation-format.test.js tests/per-call-controls.test.js",
25
25
  "test:types": "tsc -p tsconfig.type-tests.json",
26
26
  "lint": "tsc --noEmit"
27
27
  },