npm - forgeos - Versions diffs - 0.1.0-alpha.1 → 0.1.0-alpha.10 - Mend

forgeos 0.1.0-alpha.1 → 0.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/AGENTS.md +38 -3
package/CHANGELOG.md +94 -0
package/README.md +72 -12
package/adapters/go/README.md +23 -0
package/adapters/go/go.mod +3 -0
package/adapters/go/http.go +149 -0
package/adapters/go/registry.go +234 -0
package/adapters/go/types.go +136 -0
package/bin/forge.mjs +4 -3
package/docs/changelog.md +116 -0
package/docs/forge-protocol.md +156 -0
package/examples/go-billing/go.mod +7 -0
package/examples/go-billing/main.go +120 -0
package/package.json +16 -7
package/schemas/forge-manifest.schema.json +57 -0
package/src/forge/_generated/actionSubscriptions.json +1 -2
package/src/forge/_generated/actionSubscriptions.ts +3 -3
package/src/forge/_generated/agentAdapterManifest.json +1 -2
package/src/forge/_generated/agentAdapterManifest.ts +3 -3
package/src/forge/_generated/agentContract.json +1 -2
package/src/forge/_generated/agentContract.ts +186 -50
package/src/forge/_generated/agentQuickstart.md +3 -1
package/src/forge/_generated/agentTools.json +1 -0
package/src/forge/_generated/agentTools.md +16 -0
package/src/forge/_generated/agentTools.ts +12 -0
package/src/forge/_generated/aiContext.ts +67 -1
package/src/forge/_generated/aiModels.json +1 -2
package/src/forge/_generated/aiModels.ts +17 -1
package/src/forge/_generated/aiProviders.json +0 -1
package/src/forge/_generated/aiProviders.ts +1 -1
package/src/forge/_generated/aiRegistry.json +1 -2
package/src/forge/_generated/aiRegistry.ts +7 -5
package/src/forge/_generated/api.json +1 -2
package/src/forge/_generated/api.ts +7 -2
package/src/forge/_generated/appGraph.json +1 -2
package/src/forge/_generated/appGraph.ts +1325 -641
package/src/forge/_generated/appMap.md +21 -1
package/src/forge/_generated/artifactManifest.json +1 -2
package/src/forge/_generated/artifactManifest.ts +2 -2
package/src/forge/_generated/authClaims.json +0 -1
package/src/forge/_generated/authClaims.ts +1 -1
package/src/forge/_generated/authConfig.json +0 -1
package/src/forge/_generated/authConfig.ts +1 -1
package/src/forge/_generated/authContext.ts +1 -1
package/src/forge/_generated/authRegistry.json +0 -1
package/src/forge/_generated/authRegistry.ts +1 -1
package/src/forge/_generated/buildInfo.json +1 -2
package/src/forge/_generated/buildInfo.ts +4 -4
package/src/forge/_generated/capabilityMap.json +1 -2
package/src/forge/_generated/capabilityMap.md +1 -1
package/src/forge/_generated/capabilityMap.ts +2 -2
package/src/forge/_generated/client.ts +88 -1
package/src/forge/_generated/clientApi.ts +2 -1
package/src/forge/_generated/clientManifest.json +1 -2
package/src/forge/_generated/clientManifest.ts +6 -4
package/src/forge/_generated/clientTypes.ts +19 -1
package/src/forge/_generated/configRegistry.json +0 -1
package/src/forge/_generated/configRegistry.ts +1 -1
package/src/forge/_generated/dataGraph.json +1 -2
package/src/forge/_generated/dataGraph.ts +3 -3
package/src/forge/_generated/db.json +0 -1
package/src/forge/_generated/db.ts +1 -1
package/src/forge/_generated/dbSecurityManifest.json +0 -1
package/src/forge/_generated/dbSecurityManifest.ts +1 -1
package/src/forge/_generated/dbSessionContext.json +0 -1
package/src/forge/_generated/dbSessionContext.ts +1 -1
package/src/forge/_generated/deployManifest.json +1 -2
package/src/forge/_generated/deployManifest.ts +7 -7
package/src/forge/_generated/devManifest.json +1 -2
package/src/forge/_generated/devManifest.ts +18 -3
package/src/forge/_generated/envSchema.json +0 -1
package/src/forge/_generated/envSchema.ts +1 -1
package/src/forge/_generated/externalServices.json +1 -0
package/src/forge/_generated/externalServices.ts +9 -0
package/src/forge/_generated/frontendGraph.json +0 -1
package/src/forge/_generated/frontendGraph.ts +1 -1
package/src/forge/_generated/importGuards.json +0 -1
package/src/forge/_generated/importGuards.ts +1 -1
package/src/forge/_generated/index.ts +3 -1
package/src/forge/_generated/liveProductionManifest.json +0 -1
package/src/forge/_generated/liveProductionManifest.ts +1 -1
package/src/forge/_generated/liveProtocol.json +0 -1
package/src/forge/_generated/liveProtocol.ts +1 -1
package/src/forge/_generated/liveQueryRegistry.json +1 -2
package/src/forge/_generated/liveQueryRegistry.ts +3 -3
package/src/forge/_generated/liveTransportConfig.json +0 -1
package/src/forge/_generated/liveTransportConfig.ts +1 -1
package/src/forge/_generated/makeRegistry.json +1 -2
package/src/forge/_generated/makeRegistry.ts +16 -2
package/src/forge/_generated/makeTemplates.json +1 -2
package/src/forge/_generated/makeTemplates.ts +6 -1
package/src/forge/_generated/mockMap.json +0 -1
package/src/forge/_generated/mockMap.ts +1 -1
package/src/forge/_generated/operationPlaybooks.md +34 -14
package/src/forge/_generated/packageGraph.json +1 -2
package/src/forge/_generated/packageGraph.ts +8808 -4723
package/src/forge/_generated/packageUpgradeRegistry.json +1 -2
package/src/forge/_generated/packageUpgradeRegistry.ts +2 -2
package/src/forge/_generated/permissionMatrix.json +1 -2
package/src/forge/_generated/permissionMatrix.ts +3 -3
package/src/forge/_generated/policyRegistry.json +1 -2
package/src/forge/_generated/policyRegistry.ts +3 -3
package/src/forge/_generated/queryRegistry.json +1 -2
package/src/forge/_generated/queryRegistry.ts +3 -3
package/src/forge/_generated/react.d.ts +1 -1
package/src/forge/_generated/react.ts +1 -1
package/src/forge/_generated/reactManifest.json +1 -2
package/src/forge/_generated/reactManifest.ts +3 -3
package/src/forge/_generated/releaseManifest.json +1 -2
package/src/forge/_generated/releaseManifest.ts +3 -3
package/src/forge/_generated/rlsPolicies.json +0 -1
package/src/forge/_generated/rlsPolicies.sql +1 -1
package/src/forge/_generated/rlsPolicies.ts +1 -1
package/src/forge/_generated/runtimeGraph.json +1 -2
package/src/forge/_generated/runtimeGraph.ts +3 -3
package/src/forge/_generated/runtimeMatrix.json +1 -2
package/src/forge/_generated/runtimeMatrix.ts +8684 -1939
package/src/forge/_generated/runtimeRegistry.ts +1 -1
package/src/forge/_generated/runtimeRules.md +13 -1
package/src/forge/_generated/secretRegistry.json +0 -1
package/src/forge/_generated/secretRegistry.ts +1 -1
package/src/forge/_generated/secretsContext.ts +1 -1
package/src/forge/_generated/serverApi.ts +2 -1
package/src/forge/_generated/sourceMapManifest.json +1 -2
package/src/forge/_generated/sourceMapManifest.ts +2 -2
package/src/forge/_generated/sqlPlan.json +0 -1
package/src/forge/_generated/sqlPlan.ts +1 -1
package/src/forge/_generated/subscriptionManifest.json +1 -2
package/src/forge/_generated/subscriptionManifest.ts +3 -3
package/src/forge/_generated/symbolicationManifest.json +1 -2
package/src/forge/_generated/symbolicationManifest.ts +2 -2
package/src/forge/_generated/telemetryRegistry.json +1 -2
package/src/forge/_generated/telemetryRegistry.ts +3 -3
package/src/forge/_generated/telemetrySinks.json +1 -2
package/src/forge/_generated/telemetrySinks.ts +2 -2
package/src/forge/_generated/tenantScope.json +1 -2
package/src/forge/_generated/tenantScope.ts +3 -3
package/src/forge/_generated/testGraph.json +1 -2
package/src/forge/_generated/testGraph.ts +465 -13
package/src/forge/_generated/testPlanRegistry.json +1 -2
package/src/forge/_generated/testPlanRegistry.ts +2 -2
package/src/forge/_generated/uiRoutes.json +0 -1
package/src/forge/_generated/uiRoutes.ts +1 -1
package/src/forge/_generated/uiScenarios.json +0 -1
package/src/forge/_generated/uiScenarios.ts +1 -1
package/src/forge/_generated/uiTestManifest.json +1 -2
package/src/forge/_generated/uiTestManifest.ts +2 -2
package/src/forge/_generated/workflowRegistry.json +1 -2
package/src/forge/_generated/workflowRegistry.ts +3 -3
package/src/forge/_generated/workflowSubscriptions.json +1 -2
package/src/forge/_generated/workflowSubscriptions.ts +3 -3
package/src/forge/bench.ts +248 -0
package/src/forge/cli/ai.ts +671 -3
package/src/forge/cli/auth.ts +36 -1
package/src/forge/cli/build.ts +1 -1
package/src/forge/cli/commands.ts +152 -0
package/src/forge/cli/dev.ts +32 -5
package/src/forge/cli/main.ts +3 -1
package/src/forge/cli/new.ts +29 -1
package/src/forge/cli/parse.ts +194 -10
package/src/forge/cli/query.ts +32 -0
package/src/forge/cli/rls.ts +568 -17
package/src/forge/cli/run.ts +41 -0
package/src/forge/cli/secrets.ts +46 -1
package/src/forge/cli/security.ts +381 -0
package/src/forge/cli/verify.ts +201 -24
package/src/forge/compiler/agent-contract/build.ts +407 -12
package/src/forge/compiler/agent-contract/types.ts +72 -0
package/src/forge/compiler/ai-registry/build.ts +62 -1
package/src/forge/compiler/ai-registry/constants.ts +1 -1
package/src/forge/compiler/ai-registry/parse.ts +98 -4
package/src/forge/compiler/api-surface/build.ts +47 -0
package/src/forge/compiler/app-graph/build.ts +33 -5
package/src/forge/compiler/app-graph/forge-apis.ts +1 -0
package/src/forge/compiler/app-graph/module-graph.ts +73 -78
package/src/forge/compiler/app-graph/parser.ts +24 -24
package/src/forge/compiler/app-graph/profile.ts +26 -0
package/src/forge/compiler/classifier/capabilities.ts +3 -2
package/src/forge/compiler/classifier/classify.ts +32 -8
package/src/forge/compiler/classifier/secrets.ts +3 -2
package/src/forge/compiler/classifier/signals.ts +91 -1
package/src/forge/compiler/client-sdk/build-manifest.ts +4 -0
package/src/forge/compiler/client-sdk/render-client.ts +105 -0
package/src/forge/compiler/dev-manifest/build.ts +3 -0
package/src/forge/compiler/diagnostics/codes.ts +27 -0
package/src/forge/compiler/diagnostics/create.ts +1 -1
package/src/forge/compiler/emitter/render.ts +5 -0
package/src/forge/compiler/external-manifest/registry.ts +204 -0
package/src/forge/compiler/external-manifest/types.ts +89 -0
package/src/forge/compiler/external-manifest/validate.ts +335 -0
package/src/forge/compiler/make-registry/build.ts +13 -0
package/src/forge/compiler/orchestrator/plan-profile.ts +23 -0
package/src/forge/compiler/orchestrator/plan.ts +63 -11
package/src/forge/compiler/orchestrator/profile.ts +65 -0
package/src/forge/compiler/orchestrator/run.ts +97 -31
package/src/forge/compiler/orchestrator/serialize.ts +81 -6
package/src/forge/compiler/package-graph/compiler.ts +13 -3
package/src/forge/compiler/policy-registry/build.ts +44 -1
package/src/forge/compiler/test-graph/build.ts +11 -3
package/src/forge/compiler/types/ai-registry.ts +25 -1
package/src/forge/compiler/types/app-graph.ts +1 -0
package/src/forge/compiler/types/cli.ts +4 -0
package/src/forge/compiler/types/dev-manifest.ts +3 -0
package/src/forge/dev/server.ts +592 -3
package/src/forge/make/index.ts +126 -3
package/src/forge/make/templates.ts +190 -2
package/src/forge/make/types.ts +1 -0
package/src/forge/runtime/ai/context.ts +210 -5
package/src/forge/runtime/ai/types.ts +70 -0
package/src/forge/runtime/auth/claims.ts +32 -0
package/src/forge/runtime/auth/errors.ts +2 -0
package/src/forge/runtime/context/create-context.ts +30 -6
package/src/forge/runtime/db/memory-adapter.ts +2 -2
package/src/forge/runtime/db/postgres-adapter.ts +6 -3
package/src/forge/runtime/executor.ts +3 -2
package/src/forge/runtime/external/bridge.ts +553 -0
package/src/forge/runtime/live/live-query-runner.ts +2 -1
package/src/forge/runtime/outbox/process.ts +2 -1
package/src/forge/runtime/query/run-query.ts +2 -1
package/src/forge/runtime/runner/run-entry.ts +2 -1
package/src/forge/runtime/telemetry/scrubber.ts +56 -5
package/src/forge/runtime/telemetry/sinks/posthog.ts +4 -5
package/src/forge/runtime/telemetry/sinks/sentry.ts +4 -5
package/src/forge/runtime/webhooks/security.ts +184 -0
package/src/forge/runtime/workflows/resolve-step.ts +2 -1
package/src/forge/server.ts +93 -0
package/src/forge/version.ts +1 -1
package/templates/b2b-support-web/package.json +2 -0
package/templates/b2b-support-web/src/actions/captureTicketCreated.ts +7 -2
package/templates/b2b-support-web/src/commands/closeTicket.ts +6 -1
package/templates/b2b-support-web/src/commands/createTicket.ts +8 -2
package/templates/b2b-support-web/src/queries/getTicket.ts +8 -1
package/templates/b2b-support-web/tsconfig.json +4 -1
package/templates/b2b-support-web/web/components/CreateTicketForm.tsx +1 -2
package/templates/b2b-support-web/web/components/PolicyDeniedDemo.tsx +1 -2
package/templates/b2b-support-web/web/components/TicketList.tsx +1 -2
package/templates/b2b-support-web/web/components/TraceDetails.tsx +1 -1
package/templates/b2b-support-web/web/lib/forge.ts +1 -0
package/templates/b2b-support-web/web/package.json +1 -1
package/templates/minimal-web/package.json +2 -1
package/templates/minimal-web/tsconfig.json +3 -1
package/templates/minimal-web/web/package.json +2 -2

package/AGENTS.md CHANGED Viewed

@@ -1,4 +1,4 @@
-// @forge-generated generator=0.1.0-alpha.1 input=d50515ea2f22c012d06e8794c2031206c9478d732b15ce6592aa8bf74bdaa665 content=e0bf36433d915daf5ad06ac6265b3ac6f2cd1706269c69618bbbc1cb1f44e465
+// @forge-generated generator=0.1.0-alpha.10 input=9b218d51e45bbb3220f861cec8dcd08f63224475d6356fc73d26c330ddf108e7 content=1611635edf59c122b013ba76c85bd333ab3b30b289aaea04a9074f9438782a50
 # AGENTS.md
 <!-- forge-generated:start -->
@@ -69,6 +69,7 @@ forge inspect app --json
 forge inspect all --json
 forge inspect frontend --json
 forge inspect capabilities --json
+forge inspect agent-tools --json
 forge deps inspect <package> --json
 forge deps api <package> <symbol> --json
 forge deps trace <package> --json
@@ -82,6 +83,9 @@ forge doctor
 forge doctor windows --json
 forge setup windows --json
 forge agent print-context --json
+forge ai tools --json
+forge ai agents --json
+forge ai trace <traceId> --json
 forge verify --smoke
 forge verify --standard
 forge verify --strict
@@ -103,6 +107,21 @@ Tenant-scoped tables:
 - ANTHROPIC_API_KEY (required)
 - OPENAI_API_KEY (required)
+## AI Tools And Agents
+- AI SDK engine: Vercel AI SDK v6.
+- Forge layer: generated registry, runtime rules, telemetry, secrets, tenant/auth context, and agent contract.
+- Use `ctx.agent.run` or `ctx.ai.runAgent` only in actions, workflows, endpoints, and server code.
+- Do not create custom tool loops; use Forge tools and AI SDK `ToolLoopAgent` through the Forge runtime.
+Tools:
+- none
+Agents:
+- none
 ## Auth
 - Modes: dev-headers, jwt, oidc, disabled
@@ -158,6 +177,7 @@ Use:
 forge make resource <name> --fields title:text,status:enum(open,closed) --dry-run --json
 forge make resource <name> --fields title:text,status:enum(open,closed) --with-ui --yes
 forge make ui --framework vite --dry-run --json
+forge make ai-chat support --dry-run --json
 ```
 Review the plan before applying when the resource touches schema or policies.
@@ -194,11 +214,13 @@ Use:
 ```bash
 forge refactor rename field tickets.priority tickets.urgency --dry-run --json
 forge refactor rename field tickets.priority tickets.urgency --yes
+forge refactor rename command createTicket openTicket --dry-run --json
+forge refactor rename command createTicket openTicket --yes
 ```
-These codemods are AST-aware for `extract-action`, `rename field`, and `rename table`. Field renames are scoped to the target table, so `tickets.priority` only rewrites references linked to `tickets`.
+These codemods are AST-aware for `extract-action`, `rename command`, `rename field`, and `rename table`. Command renames update runtime registries, generated client references, frontend hooks, tests, and string references where safe. Field renames are scoped to the target table, so `tickets.priority` only rewrites references linked to `tickets`.
-Never edit `src/forge/_generated/**` directly. Review migration hints before applying field or table renames.
+Never edit `src/forge/_generated/**` directly. Review migration hints before applying command, field, or table renames.
 ### Plan impact-based tests
@@ -224,6 +246,19 @@ forge repair plan --from-last-test-run --write
 Apply only high-confidence deterministic repairs automatically. Review medium or low confidence repairs before changing code.
+### Add AI tools or agents
+Use:
+```bash
+forge generate
+forge inspect all --json
+forge ai check --json
+forge ai trace <traceId> --json
+```
+Define tools with `aiTool({ inputSchema, outputSchema, risk, needsApproval, handler })` and agents with `agent({ provider, model, instructions, tools, stopWhen })`. Execute agents with `ctx.agent.run` or `ctx.ai.runAgent` only from actions, workflows, endpoints, or server code. In dev, POST `/ai/agents/run` returns JSON for automation and POST `/ai/agents/chat` returns an AI SDK UIMessage stream for React `useChat`; both accept `agent: "<exportedAgentName>"` and use generated auto-tools from `agentTools.json`.
 ### Export agent adapters
 Use:

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,99 @@
 # forgeos
+## 0.1.0-alpha.10
+Launch polish:
+- Fixed `forge run <external-command> --args ...` so CLI arguments reach the external runtime bridge.
+- Added direct external query CLI support through `forge query <service.query> --args ...`.
+- Emit generated `.json` artifacts as pure JSON while keeping deterministic headers on code/text artifacts.
+- Relaxed the `minimal-web` template verify script to `forge verify --smoke` and added the missing `check` script to `b2b-support-web`.
+- Updated public protocol/changelog docs for the external runtime and Go adapter alpha line.
+- Bumped the create-app wrapper package line to `create-forgeos-app@0.1.0-alpha.4`.
+## 0.1.0-alpha.9
+### Patch Changes
+- Added the Forge external runtime protocol bridge for manifest-backed commands and queries.
+- Added the Go adapter MVP with a real `go-billing` conformance example.
+- Emitted external service metadata into inspect/API/agent artifacts, including `needsApproval` for agent tools.
+- Reuse compiler classifier package signals across export classification, dropping repeated package signal scans.
+- Reuse serialized graph JSON when rendering the largest generated TypeScript graph artifacts.
+- Keep generated Forge artifacts aligned with the `0.1.0-alpha.9` compiler/runtime version.
+## 0.1.0-alpha.8
+### Patch Changes
+- [`7568756`](https://github.com/Stahldavid/forge/commit/756875688873dd60d3d6cf700a7bb7c211968c69) Thanks [@Stahldavid](https://github.com/Stahldavid)! - Publish prerelease packages through the ForgeOS alpha publisher so npm dist-tags stay aligned.
+## 0.1.0-alpha.7
+### Patch Changes
+- [`4ace311`](https://github.com/Stahldavid/forge/commit/4ace3113e3298b5c306000870922fcfbae9c1861) Thanks [@Stahldavid](https://github.com/Stahldavid)! - Keep npm prerelease publishing on the public alpha dist-tag.
+## 0.1.0-alpha.6
+### Patch Changes
+- [`c30f906`](https://github.com/Stahldavid/forge/commit/c30f9069c99ac747ce143ab5fbcbf13912ed8760) Thanks [@Stahldavid](https://github.com/Stahldavid)! - Add CLI version output, align create-app help with package metadata, and add release dependency audit evidence.
+## 0.1.0-alpha.5
+Release alignment for the public alpha channel:
+- Added `forge ai redteam --model-level --json` with deterministic prompt-injection, secret-exfiltration, approval-bypass, cross-tenant, and indirect tool-injection probes.
+- Added `forge security prove --full --json` support for source checkouts, with graceful structural-proof fallback when packaged apps do not include ForgeOS test fixtures.
+- Strengthened npm publish workflows to run `security prove --db postgres --full --json`.
+- Added public registry smoke coverage for `forgeos@alpha` and `create-forgeos-app@alpha`.
+- Bumped the create-app wrapper package line to `create-forgeos-app@0.1.0-alpha.1`.
+## 0.1.0-alpha.4
+Security assurance and release evidence hardening:
+- Added value-aware telemetry redaction for known secret values in safe-looking fields, messages, details, outputs, and stack traces.
+- Added webhook signature, timestamp, and replay protection helpers with Stripe/GitHub/generic HMAC coverage.
+- Added HTTP tenant-isolation tests that exercise the dev server/API boundary, not only the internal runtime executor.
+- Added `forge rls mutate-test --json` to kill dangerous generated RLS mutations such as missing FORCE RLS, missing policies, unconditional predicates, and `BYPASSRLS`.
+- Extended `forge security prove --json` with RLS mutation proof and invariant-level evidence metadata.
+- Added scripts to split security evidence by invariant and emit basic release supply-chain evidence plus CycloneDX SBOM.
+- Strengthened publish/security workflows so release gates use Postgres-backed security proof, RLS mutation proof, release evidence, and SBOM generation.
+## 0.1.0-alpha.3
+Native Forge AI agents on top of Vercel AI SDK v6:
+- Added `aiTool` and `agent` primitives with generated `agentTools.json` / `agentTools.md`.
+- Added `ctx.agent.run` and `ctx.ai.runAgent` using AI SDK `ToolLoopAgent`.
+- Added auto-tools for commands, queries, and liveQueries with read-only vs approval-required writes.
+- Added dev agent endpoints: `POST /ai/agents/run` and `POST /ai/agents/chat`.
+- Extended `forge ai` CLI with `tools`, `agents`, and `trace` subcommands.
+- Added `forge inspect agent-tools` and agent tool metadata in `agentContract.json`.
+- Upgraded runtime dependency to AI SDK v6 for tool calling, streaming UI, and MCP compatibility.
+Documentation:
+- Added public [AI](https://forgeos.readthedocs.io/en/latest/ai/) page and AST-aware `rename command` codemod docs.
+- Expanded ReadTheDocs to full agent-native coverage: agent workflow (`forge do`), frontend/liveQuery, security/data, authoring, testing/repair, self-host, templates, Material theme, and changelog page.
+## 0.1.0-alpha.2
+Windows and generated-app hardening:
+- Fixed Node ESM handler loading on Windows by importing generated app modules
+  through `file://` URLs across commands, queries, liveQueries, outbox actions,
+  workflow steps, mocks, and telemetry adapters.
+- Fixed `forge dev` SSE streaming on the Node HTTP fallback so liveQuery
+  snapshots are flushed immediately instead of buffering forever.
+- Hardened generated app scaffolding and web dev spawning on Windows.
+- Updated the B2B support template to route frontend imports through
+  `web/lib/forge.ts` and use safer handler input validation.
+- Added focused tests for Node compatibility, template scaffolding, runtime
+  imports, and streaming responses.
 ## 0.1.0-alpha.1
 Republish alpha with the dependency/API oracle improvements:

package/README.md CHANGED Viewed

@@ -2,9 +2,11 @@
 Agent-native application framework and compiler for building Forge apps without a mandatory dashboard. ForgeOS turns application source into deterministic runtime contracts, generated clients, safety checks, and machine-readable context that humans and AI coding agents can use safely.
-**Status:** private/public alpha MVP, implemented through H42. The core compiler, local runtime, frontend SDK, production auth, RLS compiler, repair/review loops, UI test bridge, guided intent router, full-stack capability map, clean templates, faster generated checks, showcase app, Windows-safe Bun resolution, native Windows diagnostics/setup, Node-compatible CLI/runtime paths, observable verify timeouts, multi-OS Node CI smoke, release packaging smoke, npm alpha publishing, Trusted Publisher/OIDC release wiring, ReadTheDocs-ready public docs, package/version-aligned generator metadata, AST-aware codemods for `extract-action`, `rename field`, and `rename table`, broader field-test automation, and quieter template workspaces are present. Public release hardening is still focused on deeper semantic codemods and more real-project field reports.
+**Status:** private/public alpha MVP, implemented through H43. ForgeOS already includes the compiler, local runtime, frontend SDK, production auth, RLS compiler, liveQuery, self-host artifacts, generated agent contract, guided dev loop, repair/review/test tooling, AST-aware codemods, package intelligence, native AI tools/agents, npm alpha publishing, and Read the Docs public docs. Public release hardening is still focused on deeper semantic codemods, broader field reports, and more production mileage.
-Public docs are configured for ReadTheDocs with `.readthedocs.yaml` and `mkdocs.yml`. The local docs entrypoint is `docs/index.md`.
+Public docs live at [forgeos.readthedocs.io](https://forgeos.readthedocs.io/). The repo builds them with `.readthedocs.yaml`, `mkdocs.yml`, and `docs/index.md`.
+Start with [Why ForgeOS](https://forgeos.readthedocs.io/en/latest/why-forgeos/) to understand the agent-native design.
 ## Agent-First Quickstart
@@ -44,6 +46,22 @@ These files describe the app surface, runtime rules, generated files, policies,
 ## Create a Test App
+Public one-command app creation:
+```bash
+npm create forgeos-app@alpha notes-app -- --template minimal-web
+cd notes-app
+npm run dev
+```
+Equivalent lower-level command without installing ForgeOS globally:
+```bash
+npm exec --package forgeos@alpha -- forge new notes-app --template minimal-web --package-manager npm
+```
+If ForgeOS is already installed or you are inside this repository:
 ```bash
 forge new notes-app --template minimal-web --package-manager npm
 cd notes-app
@@ -58,11 +76,11 @@ Templates also include workspace editor excludes for generated/runtime directori
 For release or external smoke testing, choose the Forge package source explicitly:
 ```bash
-forge new smoke-app --template minimal-web --package-manager npm --forge-spec "npm:forgeos@^0.1.0-alpha.0"
+forge new smoke-app --template minimal-web --package-manager npm --forge-spec "npm:forgeos@alpha"
 forge new local-app --template minimal-web --package-manager npm --local-forge
 ```
-`--forge-spec` writes that dependency spec into the generated app, while `--local-forge` keeps the monorepo/local package workflow. The npm package is published as `forgeos`, but generated apps keep the dependency key, CLI binary, and import surface as `forge` (`forge`, `forge/server`, `forge/react`) by using npm alias specs such as `"forge": "npm:forgeos@^0.1.0-alpha.0"`. CI uses both `--forge-spec "file:$GITHUB_WORKSPACE"` and a packed tarball smoke to prove freshly created apps can install ForgeOS and run outside the framework workspace.
+`--forge-spec` writes that dependency spec into the generated app, while `--local-forge` keeps the monorepo/local package workflow. The npm package is published as `forgeos`, but generated apps keep the dependency key, CLI binary, and import surface as `forge` (`forge`, `forge/server`, `forge/react`) by using npm alias specs such as `"forge": "npm:forgeos@alpha"`. CI uses both `--forge-spec "file:$GITHUB_WORKSPACE"` and a packed tarball smoke to prove freshly created apps can install ForgeOS and run outside the framework workspace.
 For broader field testing:
@@ -73,6 +91,35 @@ npm run field:test -- --package-managers npm --templates minimal-web --forge-spe
 The scheduled/manual `Field Tests` workflow expands that coverage across Linux, macOS, Windows, Node 22, Node 24, and npm/pnpm/yarn/bun.
+## External Runtimes And Go Adapter
+ForgeOS can import services written outside TypeScript through the Forge Protocol.
+External runtimes publish a `forge.manifest.json` that describes commands, queries,
+transport, policies, risk metadata, tenant scope, and schemas. Forge then emits
+the same machine-readable app/API/agent artifacts and exposes runtime bridge
+endpoints for those entries.
+The first adapter MVP is Go:
+```bash
+cd examples/go-billing
+go run . --manifest --base-url http://127.0.0.1:8787 > forge.manifest.json
+go run . --addr 127.0.0.1:8787 --base-url http://127.0.0.1:8787
+```
+In a Forge app:
+```bash
+forge manifest validate ./forge.manifest.json --json
+forge manifest import ./forge.manifest.json --json
+forge generate
+forge run billing.createInvoice --args '{"title":"Invoice"}' --user-id u1 --tenant-id tenant-a --role admin
+forge query billing.listInvoices --args '{}' --user-id u1 --tenant-id tenant-a --role admin
+```
+See [`docs/forge-protocol.md`](docs/forge-protocol.md), [`schemas/forge-manifest.schema.json`](schemas/forge-manifest.schema.json),
+and [`adapters/go`](adapters/go/README.md).
 ## What ForgeOS Generates
 ```txt
@@ -122,7 +169,7 @@ forge.lock
 | Auth | dev headers, JWT, OIDC discovery/JWKS verification via `jose`, production-mode guardrails |
 | RLS | Postgres RLS SQL compiler/checks for DB-enforced tenant isolation |
 | Secrets/env | secret registry, env schema, redaction, strict `process.env` checks |
-| AI | provider registry, `ctx.ai`, mock mode, telemetry without prompt/output retention by default |
+| AI | Vercel AI SDK v6 engine, provider registry, `ctx.ai`, `ctx.agent.run`, `aiTool`, `agent`, `/ai/agents/run` JSON automation, `/ai/agents/chat` UIMessage streaming, `forge ai trace`, structural and model-level redteam probes, mock mode, telemetry without prompt/output retention by default |
 | Frontend | generated client SDK, React/Next hooks, template app, liveQuery client support |
 | LiveQuery | durable invalidation log, reconnect/resume semantics, production hardening checks |
 | Self-host | compose/deploy artifacts and self-host checks |
@@ -198,6 +245,7 @@ Common command groups:
 Refactor codemods are AST-aware where safety matters most:
 - `forge refactor extract-action` is binding-aware and preserves unrelated imports, type-only imports, and shadowed locals.
+- `forge refactor rename command <oldName> <newName>` rewrites command declarations, generated client references, React hook usage, tests, and safe string references while preserving unrelated symbols.
 - `forge refactor rename field <table.field> <table.field>` rewrites structured TS/JS/JSX/TSX and JSON references, preserves locals, and scopes the field change to files/objects linked to the target table. For example, `tickets.priority -> tickets.urgency` does not rewrite a generic `priority` prop in a component with no `tickets` binding.
 - `forge refactor rename table <from> <to>` rewrites table definitions, `ctx.db.<table>` access, policy strings, JSON/blueprints, and import/export specifiers while preserving unrelated locals with the same name.
@@ -226,12 +274,23 @@ See [`examples/showcase-forge-app`](examples/showcase-forge-app/README.md).
 ```bash
 cd examples/showcase-forge-app
-bun install
-bun run generate
-bun run dev
+npm install
+npm run generate
+npm run dev
 ```
-Examples are source-only where practical: generated artifacts, `forge.lock`, package lockfiles, and operational `.forge/**` state are recreated locally. The showcase demonstrates tenant-scoped data, policies, commands, queries, liveQueries, outbox actions, workflows, mock AI, telemetry trace IDs, generated React hooks, `agentContract`, `frontendGraph`, and `capabilityMap`.
+For the reproducible public proof path:
+```bash
+npm run proof:inspect
+npm run proof:dev
+npm run proof:capabilities
+npm run proof:verify
+```
+Read [`examples/showcase-forge-app/PUBLIC_PROOF.md`](examples/showcase-forge-app/PUBLIC_PROOF.md) for the full walkthrough.
+Examples are source-only where practical: generated artifacts, `forge.lock`, package lockfiles, and operational `.forge/**` state are recreated locally. The showcase demonstrates tenant-scoped data, policies, commands, queries, liveQueries, outbox actions, workflows, mock AI, telemetry trace IDs, generated React hooks, `agentContract`, `frontendGraph`, `capabilityMap`, and the standard agent handoff loop.
 ## Platform Support
@@ -307,7 +366,7 @@ For the first prerelease publish, use the alpha dist-tag explicitly:
 ```bash
 npm run release:publish-local-alpha -- --dry-run
-npm run release:publish-local-alpha -- --yes
+npm run release:publish-alpha
 ```
 The normal path is:
@@ -330,7 +389,7 @@ Configure npm Trusted Publisher for package `forgeos`:
 | Environment | blank |
 | Allowed action | `npm publish` |
-Do not add `NPM_TOKEN` for normal releases. Alpha releases publish with the `alpha` dist-tag so prerelease builds do not become `latest` accidentally. The first manual package creation uses `release:publish-local-alpha`, which publishes from a temporary hardlink-free staging copy and disables provenance because local shells do not have a GitHub OIDC provider. The workflow uses `id-token: write`, Node 24/npm 11+, and provenance for subsequent releases. `npm run release:smoke` runs `npm pack`, creates a fresh app with the packed tarball, installs dependencies, runs `forge dev --once --json`, and verifies the app smoke path.
+Do not add `NPM_TOKEN` for normal releases. Alpha releases publish with the `alpha` dist-tag so prerelease builds do not become `latest` accidentally. Use `release:publish-local-alpha -- --dry-run` only to validate the staged tarball locally; real npm publishing should go through `release:publish-alpha`, which dispatches `publish.yml` and uses npm OIDC Trusted Publisher. The workflow checks whether the package version already exists before installing dependencies or running tests, then uses `id-token: write`, Node 24/npm 11+, and provenance for the actual publish. `npm run release:smoke` runs `npm pack`, creates a fresh app with the packed tarball, installs dependencies, runs `forge dev --once --json`, and verifies the app smoke path.
 ## Milestone History
@@ -377,11 +436,12 @@ H39  Showcase app
 H40  Windows/runtime hardening
 H41  Node-compatible CLI/runtime
 H42  Verify observability and quieter app workspaces
+H43  Native AI tools and agent loop
 ```
 ## Remaining Hardening Before Public Release
-- Keep expanding semantic codemods beyond the current AST-aware `extract-action`, `rename field`, and `rename table` paths.
+- Keep expanding semantic codemods beyond the current AST-aware `extract-action`, `rename command`, `rename field`, and `rename table` paths.
 - Reduce command-selection risk with more task routers and richer inline diagnostics.
 - Keep hardening native Windows setup beyond diagnostics and safe automatic environment fixes.
 - Keep broadening package manager CI from template smoke toward install/build smoke for pnpm and yarn apps.

package/adapters/go/README.md ADDED Viewed

@@ -0,0 +1,23 @@
+# Forge Go Adapter
+`adapters/go` is the minimal Go SDK for external Forge runtimes. It registers
+commands and queries, emits `forge.manifest.json`, and exposes a Forge-compatible
+HTTP handler.
+```go
+app := forge.New("billing", forge.BaseURL("http://127.0.0.1:8787"))
+app.Command("createInvoice", forge.Handle(createInvoice),
+    forge.Policy("billing.manage"),
+    forge.TenantScoped(true),
+    forge.NeedsApproval(true),
+)
+app.Query("listInvoices", forge.Handle(listInvoices),
+    forge.Policy("billing.manage"),
+    forge.TenantScoped(true),
+)
+```
+The HTTP handler accepts Forge runtime envelopes on `/commands/:name` and
+`/queries/:name`, then returns `{ "ok": true, "result": ... }` envelopes.

package/adapters/go/go.mod ADDED Viewed

@@ -0,0 +1,3 @@
+module github.com/Stahldavid/forge/adapters/go
+go 1.22

package/adapters/go/http.go ADDED Viewed

@@ -0,0 +1,149 @@
+package forge
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+)
+func (registry *Registry) HTTPHandler() http.Handler {
+	mux := http.NewServeMux()
+	mux.HandleFunc(registry.service.Health, registry.handleHealth)
+	mux.HandleFunc("/manifest", registry.handleManifest)
+	mux.HandleFunc("/commands/", registry.handleRuntime(KindCommand, "/commands/"))
+	mux.HandleFunc("/queries/", registry.handleRuntime(KindQuery, "/queries/"))
+	return mux
+}
+func (registry *Registry) handleHealth(response http.ResponseWriter, request *http.Request) {
+	writeJSON(response, http.StatusOK, map[string]any{
+		"ok":      true,
+		"service": registry.service.Name,
+	})
+}
+func (registry *Registry) handleManifest(response http.ResponseWriter, request *http.Request) {
+	baseURL := request.URL.Query().Get("baseUrl")
+	if baseURL == "" {
+		baseURL = registry.service.BaseURL
+	}
+	writeJSON(response, http.StatusOK, registry.Manifest(baseURL))
+}
+func (registry *Registry) handleRuntime(kind EntryKind, prefix string) http.HandlerFunc {
+	return func(response http.ResponseWriter, request *http.Request) {
+		name := strings.TrimPrefix(request.URL.Path, prefix)
+		registered, ok := registry.lookup[lookupKey(kind, name)]
+		if !ok {
+			writeError(response, http.StatusNotFound, "", "FORGE_GO_ENTRY_NOT_FOUND", "external entry not found")
+			return
+		}
+		if request.Method != http.MethodPost && request.Method != http.MethodGet {
+			writeError(response, http.StatusMethodNotAllowed, "", "FORGE_GO_METHOD_NOT_ALLOWED", "external entry only accepts GET or POST")
+			return
+		}
+		envelope, err := readRequestEnvelope(request)
+		traceID := traceIDFrom(request, envelope)
+		if err != nil {
+			writeError(response, http.StatusBadRequest, traceID, "FORGE_GO_BAD_REQUEST", err.Error())
+			return
+		}
+		if envelope.Forge.Service == "" {
+			envelope.Forge.Service = registry.service.Name
+		}
+		if envelope.Forge.Entry == "" {
+			envelope.Forge.Entry = name
+		}
+		if envelope.Forge.Kind == "" {
+			envelope.Forge.Kind = string(kind)
+		}
+		if envelope.Forge.TraceID == "" {
+			envelope.Forge.TraceID = traceID
+		}
+		if envelope.Auth.Kind == "" {
+			envelope.Auth = authFromHeaders(request.Header)
+		}
+		call := &Context{
+			Auth:    envelope.Auth,
+			Forge:   envelope.Forge,
+			Headers: request.Header,
+		}
+		result, err := registered.handler(request.Context(), call, envelope.Args)
+		if err != nil {
+			writeError(response, http.StatusInternalServerError, envelope.Forge.TraceID, "FORGE_GO_HANDLER_FAILED", err.Error())
+			return
+		}
+		writeJSON(response, http.StatusOK, ResponseEnvelope{
+			OK:      true,
+			Result:  result,
+			TraceID: envelope.Forge.TraceID,
+		})
+	}
+}
+func readRequestEnvelope(request *http.Request) (RequestEnvelope, error) {
+	if request.Method == http.MethodGet {
+		args := request.URL.Query().Get("args")
+		if args == "" {
+			args = "{}"
+		}
+		return RequestEnvelope{Args: json.RawMessage(args)}, nil
+	}
+	defer request.Body.Close()
+	var envelope RequestEnvelope
+	decoder := json.NewDecoder(request.Body)
+	if err := decoder.Decode(&envelope); err != nil {
+		return envelope, err
+	}
+	if len(envelope.Args) == 0 {
+		envelope.Args = json.RawMessage("{}")
+	}
+	if !json.Valid(envelope.Args) {
+		return envelope, errors.New("request args must be valid JSON")
+	}
+	return envelope, nil
+}
+func authFromHeaders(headers http.Header) Auth {
+	auth := Auth{Kind: headers.Get("x-forge-auth-kind")}
+	if auth.Kind == "" {
+		auth.Kind = "anonymous"
+	}
+	auth.UserID = headers.Get("x-forge-user-id")
+	auth.TenantID = headers.Get("x-forge-tenant-id")
+	auth.Role = headers.Get("x-forge-role")
+	return auth
+}
+func traceIDFrom(request *http.Request, envelope RequestEnvelope) string {
+	if envelope.Forge.TraceID != "" {
+		return envelope.Forge.TraceID
+	}
+	return request.Header.Get("x-forge-trace-id")
+}
+func writeError(response http.ResponseWriter, status int, traceID string, code string, message string) {
+	writeJSON(response, status, ResponseEnvelope{
+		OK: false,
+		Diagnostics: []Diagnostic{{
+			Severity: "error",
+			Code:     code,
+			Message:  message,
+			Docs:     []string{"docs/forge-protocol.md"},
+		}},
+		Error: &ErrorInfo{
+			Code:    code,
+			Message: message,
+		},
+		TraceID: traceID,
+	})
+}
+func writeJSON(response http.ResponseWriter, status int, body any) {
+	response.Header().Set("content-type", "application/json")
+	response.WriteHeader(status)
+	_ = json.NewEncoder(response).Encode(body)
+}