npm - forgeos - Versions diffs - 0.1.0-alpha.2 → 0.1.0-alpha.4 - Mend

forgeos 0.1.0-alpha.2 → 0.1.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (180) hide show

package/AGENTS.md +38 -3
package/CHANGELOG.md +29 -0
package/README.md +25 -10
package/package.json +8 -5
package/src/forge/_generated/actionSubscriptions.json +2 -2
package/src/forge/_generated/actionSubscriptions.ts +3 -3
package/src/forge/_generated/agentAdapterManifest.json +2 -2
package/src/forge/_generated/agentAdapterManifest.ts +3 -3
package/src/forge/_generated/agentContract.json +2 -2
package/src/forge/_generated/agentContract.ts +183 -50
package/src/forge/_generated/agentQuickstart.md +3 -1
package/src/forge/_generated/agentTools.json +2 -0
package/src/forge/_generated/agentTools.md +16 -0
package/src/forge/_generated/agentTools.ts +12 -0
package/src/forge/_generated/aiContext.ts +67 -1
package/src/forge/_generated/aiModels.json +2 -2
package/src/forge/_generated/aiModels.ts +17 -1
package/src/forge/_generated/aiProviders.json +1 -1
package/src/forge/_generated/aiProviders.ts +1 -1
package/src/forge/_generated/aiRegistry.json +2 -2
package/src/forge/_generated/aiRegistry.ts +7 -5
package/src/forge/_generated/api.json +2 -2
package/src/forge/_generated/api.ts +1 -1
package/src/forge/_generated/appGraph.json +2 -2
package/src/forge/_generated/appGraph.ts +512 -260
package/src/forge/_generated/appMap.md +21 -1
package/src/forge/_generated/artifactManifest.json +2 -2
package/src/forge/_generated/artifactManifest.ts +2 -2
package/src/forge/_generated/authClaims.json +1 -1
package/src/forge/_generated/authClaims.ts +1 -1
package/src/forge/_generated/authConfig.json +1 -1
package/src/forge/_generated/authConfig.ts +1 -1
package/src/forge/_generated/authContext.ts +1 -1
package/src/forge/_generated/authRegistry.json +1 -1
package/src/forge/_generated/authRegistry.ts +1 -1
package/src/forge/_generated/buildInfo.json +2 -2
package/src/forge/_generated/buildInfo.ts +4 -4
package/src/forge/_generated/capabilityMap.json +2 -2
package/src/forge/_generated/capabilityMap.md +1 -1
package/src/forge/_generated/capabilityMap.ts +2 -2
package/src/forge/_generated/client.ts +1 -1
package/src/forge/_generated/clientApi.ts +1 -1
package/src/forge/_generated/clientManifest.json +2 -2
package/src/forge/_generated/clientManifest.ts +3 -3
package/src/forge/_generated/clientTypes.ts +1 -1
package/src/forge/_generated/configRegistry.json +1 -1
package/src/forge/_generated/configRegistry.ts +1 -1
package/src/forge/_generated/dataGraph.json +2 -2
package/src/forge/_generated/dataGraph.ts +3 -3
package/src/forge/_generated/db.json +1 -1
package/src/forge/_generated/db.ts +1 -1
package/src/forge/_generated/dbSecurityManifest.json +1 -1
package/src/forge/_generated/dbSecurityManifest.ts +1 -1
package/src/forge/_generated/dbSessionContext.json +1 -1
package/src/forge/_generated/dbSessionContext.ts +1 -1
package/src/forge/_generated/deployManifest.json +2 -2
package/src/forge/_generated/deployManifest.ts +7 -7
package/src/forge/_generated/devManifest.json +2 -2
package/src/forge/_generated/devManifest.ts +18 -3
package/src/forge/_generated/envSchema.json +1 -1
package/src/forge/_generated/envSchema.ts +1 -1
package/src/forge/_generated/frontendGraph.json +1 -1
package/src/forge/_generated/frontendGraph.ts +1 -1
package/src/forge/_generated/importGuards.json +1 -1
package/src/forge/_generated/importGuards.ts +1 -1
package/src/forge/_generated/index.ts +2 -1
package/src/forge/_generated/liveProductionManifest.json +1 -1
package/src/forge/_generated/liveProductionManifest.ts +1 -1
package/src/forge/_generated/liveProtocol.json +1 -1
package/src/forge/_generated/liveProtocol.ts +1 -1
package/src/forge/_generated/liveQueryRegistry.json +2 -2
package/src/forge/_generated/liveQueryRegistry.ts +3 -3
package/src/forge/_generated/liveTransportConfig.json +1 -1
package/src/forge/_generated/liveTransportConfig.ts +1 -1
package/src/forge/_generated/makeRegistry.json +2 -2
package/src/forge/_generated/makeRegistry.ts +16 -2
package/src/forge/_generated/makeTemplates.json +2 -2
package/src/forge/_generated/makeTemplates.ts +6 -1
package/src/forge/_generated/mockMap.json +1 -1
package/src/forge/_generated/mockMap.ts +1 -1
package/src/forge/_generated/operationPlaybooks.md +34 -14
package/src/forge/_generated/packageGraph.json +2 -2
package/src/forge/_generated/packageGraph.ts +8808 -4723
package/src/forge/_generated/packageUpgradeRegistry.json +2 -2
package/src/forge/_generated/packageUpgradeRegistry.ts +2 -2
package/src/forge/_generated/permissionMatrix.json +2 -2
package/src/forge/_generated/permissionMatrix.ts +3 -3
package/src/forge/_generated/policyRegistry.json +2 -2
package/src/forge/_generated/policyRegistry.ts +3 -3
package/src/forge/_generated/queryRegistry.json +2 -2
package/src/forge/_generated/queryRegistry.ts +3 -3
package/src/forge/_generated/react.d.ts +1 -1
package/src/forge/_generated/react.ts +1 -1
package/src/forge/_generated/reactManifest.json +2 -2
package/src/forge/_generated/reactManifest.ts +3 -3
package/src/forge/_generated/releaseManifest.json +2 -2
package/src/forge/_generated/releaseManifest.ts +3 -3
package/src/forge/_generated/rlsPolicies.json +1 -1
package/src/forge/_generated/rlsPolicies.sql +1 -1
package/src/forge/_generated/rlsPolicies.ts +1 -1
package/src/forge/_generated/runtimeGraph.json +2 -2
package/src/forge/_generated/runtimeGraph.ts +3 -3
package/src/forge/_generated/runtimeMatrix.json +2 -2
package/src/forge/_generated/runtimeMatrix.ts +8684 -1939
package/src/forge/_generated/runtimeRegistry.ts +1 -1
package/src/forge/_generated/runtimeRules.md +13 -1
package/src/forge/_generated/secretRegistry.json +1 -1
package/src/forge/_generated/secretRegistry.ts +1 -1
package/src/forge/_generated/secretsContext.ts +1 -1
package/src/forge/_generated/serverApi.ts +1 -1
package/src/forge/_generated/sourceMapManifest.json +2 -2
package/src/forge/_generated/sourceMapManifest.ts +2 -2
package/src/forge/_generated/sqlPlan.json +1 -1
package/src/forge/_generated/sqlPlan.ts +1 -1
package/src/forge/_generated/subscriptionManifest.json +2 -2
package/src/forge/_generated/subscriptionManifest.ts +3 -3
package/src/forge/_generated/symbolicationManifest.json +2 -2
package/src/forge/_generated/symbolicationManifest.ts +2 -2
package/src/forge/_generated/telemetryRegistry.json +2 -2
package/src/forge/_generated/telemetryRegistry.ts +3 -3
package/src/forge/_generated/telemetrySinks.json +2 -2
package/src/forge/_generated/telemetrySinks.ts +2 -2
package/src/forge/_generated/tenantScope.json +2 -2
package/src/forge/_generated/tenantScope.ts +3 -3
package/src/forge/_generated/testGraph.json +2 -2
package/src/forge/_generated/testGraph.ts +339 -17
package/src/forge/_generated/testPlanRegistry.json +2 -2
package/src/forge/_generated/testPlanRegistry.ts +2 -2
package/src/forge/_generated/uiRoutes.json +1 -1
package/src/forge/_generated/uiRoutes.ts +1 -1
package/src/forge/_generated/uiScenarios.json +1 -1
package/src/forge/_generated/uiScenarios.ts +1 -1
package/src/forge/_generated/uiTestManifest.json +2 -2
package/src/forge/_generated/uiTestManifest.ts +2 -2
package/src/forge/_generated/workflowRegistry.json +2 -2
package/src/forge/_generated/workflowRegistry.ts +3 -3
package/src/forge/_generated/workflowSubscriptions.json +2 -2
package/src/forge/_generated/workflowSubscriptions.ts +3 -3
package/src/forge/cli/ai.ts +351 -1
package/src/forge/cli/auth.ts +36 -1
package/src/forge/cli/commands.ts +19 -0
package/src/forge/cli/parse.ts +67 -8
package/src/forge/cli/rls.ts +529 -17
package/src/forge/cli/secrets.ts +46 -1
package/src/forge/cli/security.ts +269 -0
package/src/forge/compiler/agent-contract/build.ts +289 -8
package/src/forge/compiler/agent-contract/types.ts +43 -0
package/src/forge/compiler/ai-registry/build.ts +62 -1
package/src/forge/compiler/ai-registry/constants.ts +1 -1
package/src/forge/compiler/ai-registry/parse.ts +98 -4
package/src/forge/compiler/app-graph/forge-apis.ts +1 -0
package/src/forge/compiler/dev-manifest/build.ts +3 -0
package/src/forge/compiler/diagnostics/codes.ts +15 -0
package/src/forge/compiler/diagnostics/create.ts +1 -1
package/src/forge/compiler/make-registry/build.ts +13 -0
package/src/forge/compiler/orchestrator/plan.ts +11 -0
package/src/forge/compiler/orchestrator/serialize.ts +68 -0
package/src/forge/compiler/package-graph/compiler.ts +13 -3
package/src/forge/compiler/types/ai-registry.ts +25 -1
package/src/forge/compiler/types/app-graph.ts +1 -0
package/src/forge/compiler/types/cli.ts +1 -0
package/src/forge/compiler/types/dev-manifest.ts +3 -0
package/src/forge/dev/server.ts +508 -1
package/src/forge/make/index.ts +126 -3
package/src/forge/make/templates.ts +188 -0
package/src/forge/make/types.ts +1 -0
package/src/forge/runtime/ai/context.ts +210 -5
package/src/forge/runtime/ai/types.ts +70 -0
package/src/forge/runtime/auth/claims.ts +32 -0
package/src/forge/runtime/auth/errors.ts +2 -0
package/src/forge/runtime/context/create-context.ts +30 -6
package/src/forge/runtime/db/memory-adapter.ts +2 -2
package/src/forge/runtime/telemetry/scrubber.ts +56 -5
package/src/forge/runtime/webhooks/security.ts +184 -0
package/src/forge/server.ts +93 -0
package/src/forge/version.ts +1 -1
package/templates/b2b-support-web/package.json +1 -0
package/templates/b2b-support-web/tsconfig.json +4 -1
package/templates/minimal-web/package.json +1 -0
package/templates/minimal-web/tsconfig.json +3 -1

package/src/forge/compiler/ai-registry/parse.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import type { ForgeAiProvider } from "../types/ai-registry.ts";
 const AI_METHOD_PATTERN =
-  /(?:ctx\.ai|ai)\.(generateText|streamText|generateStructured)\s*\(/g;
+  /(?:(?:ctx\.ai|ai)\.(generateText|streamText|generateStructured|runAgent)|ctx\.agent\.(run))\s*\(/g;
 const PROVIDER_PATTERN =
   /provider\s*:\s*["'](openai|anthropic|gateway)["']/;
@@ -11,7 +11,7 @@ const MODEL_PATTERN = /model\s*:\s*["']([^"']+)["']/;
 const PURPOSE_PATTERN = /purpose\s*:\s*["']([^"']+)["']/;
 export interface ParsedAiCall {
-  method: "generateText" | "streamText" | "generateStructured";
+  method: "generateText" | "streamText" | "generateStructured" | "runAgent";
   provider?: ForgeAiProvider;
   model?: string;
   purpose?: string;
@@ -21,7 +21,7 @@ export function parseAiCallsFromSlice(sourceSlice: string): ParsedAiCall[] {
   const calls: ParsedAiCall[] = [];
   for (const match of sourceSlice.matchAll(AI_METHOD_PATTERN)) {
-    const method = match[1] as ParsedAiCall["method"];
+    const method = (match[1] ?? (match[2] ? "runAgent" : "")) as ParsedAiCall["method"];
     const start = match.index ?? 0;
     const window = sourceSlice.slice(start, start + 600);
@@ -49,8 +49,102 @@ export function parseAiCallsFromSlice(sourceSlice: string): ParsedAiCall[] {
   return calls;
 }
-const FORBIDDEN_AI_CONTEXT_PATTERN = /ctx\.ai\./;
+const FORBIDDEN_AI_CONTEXT_PATTERN = /ctx\.(?:ai\.|agent\.run\s*\()/;
 export function detectCtxAiUsage(sourceSlice: string): boolean {
   return FORBIDDEN_AI_CONTEXT_PATTERN.test(sourceSlice);
 }
+const DESCRIPTION_PATTERN = /description\s*:\s*["'`]([^"'`]+)["'`]/;
+const RISK_PATTERN = /risk\s*:\s*["'](read|write|external|destructive)["']/;
+const STRICT_PATTERN = /strict\s*:\s*(true|false)/;
+const NEEDS_APPROVAL_PATTERN = /needsApproval\s*:\s*(true|false|async\s*\(|\([^)]*\)\s*=>|[A-Za-z_$][A-Za-z0-9_$]*)/;
+const INSTRUCTIONS_PATTERN = /instructions\s*:\s*["'`]([^"'`]+)["'`]/;
+const TOOL_ARRAY_PATTERN = /tools\s*:\s*\[([^\]]*)\]/s;
+const TOOL_OBJECT_PATTERN = /tools\s*:\s*\{([^}]*)\}/s;
+const STOP_TOOL_PATTERN = /stopWhen\s*:\s*\{[^}]*kind\s*:\s*["']toolCall["'][^}]*toolName\s*:\s*["']([^"']+)["'][^}]*\}/s;
+const STOP_STEP_PATTERN = /stopWhen\s*:\s*\{[^}]*kind\s*:\s*["']stepCount["'][^}]*maxSteps\s*:\s*(\d+)[^}]*\}/s;
+const MAX_STEPS_PATTERN = /maxSteps\s*:\s*(\d+)/;
+export interface ParsedAiToolMeta {
+  description?: string;
+  risk: "read" | "write" | "external" | "destructive" | "unknown";
+  strict: boolean;
+  needsApproval: boolean | "dynamic";
+}
+export interface ParsedAiAgentMeta {
+  provider?: ForgeAiProvider;
+  model?: string;
+  instructions?: string;
+  tools: string[];
+  stopWhen:
+    | { kind: "stepCount"; maxSteps: number }
+    | { kind: "toolCall"; toolName: string }
+    | { kind: "default" };
+}
+function parseBooleanOrDynamic(value: string | undefined): boolean | "dynamic" {
+  if (value === "true") return true;
+  if (value === "false") return false;
+  return "dynamic";
+}
+function parseStringList(raw: string | undefined): string[] {
+  if (!raw) return [];
+  return [...raw.matchAll(/["'`]([^"'`]+)["'`]/g)]
+    .map((match) => match[1] ?? "")
+    .filter(Boolean)
+    .sort();
+}
+function parseObjectToolKeys(raw: string | undefined): string[] {
+  if (!raw) return [];
+  const explicit = [...raw.matchAll(/([A-Za-z_$][A-Za-z0-9_$]*)\s*:/g)]
+    .map((match) => match[1] ?? "")
+    .filter(Boolean);
+  const shorthand = raw
+    .split(",")
+    .map((part) => part.trim())
+    .filter((part) => /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(part));
+  return [...new Set([...explicit, ...shorthand])].sort();
+}
+export function parseAiToolMeta(sourceSlice: string): ParsedAiToolMeta {
+  const description = DESCRIPTION_PATTERN.exec(sourceSlice)?.[1];
+  const risk = RISK_PATTERN.exec(sourceSlice)?.[1] as ParsedAiToolMeta["risk"] | undefined;
+  const strict = STRICT_PATTERN.exec(sourceSlice)?.[1] === "true";
+  const needsApprovalMatch = NEEDS_APPROVAL_PATTERN.exec(sourceSlice)?.[1];
+  return {
+    ...(description ? { description } : {}),
+    risk: risk ?? "unknown",
+    strict,
+    needsApproval: needsApprovalMatch
+      ? parseBooleanOrDynamic(needsApprovalMatch)
+      : false,
+  };
+}
+export function parseAiAgentMeta(sourceSlice: string): ParsedAiAgentMeta {
+  const provider = PROVIDER_PATTERN.exec(sourceSlice)?.[1] as ForgeAiProvider | undefined;
+  const model = MODEL_PATTERN.exec(sourceSlice)?.[1];
+  const instructions = INSTRUCTIONS_PATTERN.exec(sourceSlice)?.[1];
+  const arrayTools = parseStringList(TOOL_ARRAY_PATTERN.exec(sourceSlice)?.[1]);
+  const objectTools = parseObjectToolKeys(TOOL_OBJECT_PATTERN.exec(sourceSlice)?.[1]);
+  const stopTool = STOP_TOOL_PATTERN.exec(sourceSlice)?.[1];
+  const stopStepsRaw =
+    STOP_STEP_PATTERN.exec(sourceSlice)?.[1] ?? MAX_STEPS_PATTERN.exec(sourceSlice)?.[1];
+  return {
+    ...(provider ? { provider } : {}),
+    ...(model ? { model } : {}),
+    ...(instructions ? { instructions } : {}),
+    tools: [...new Set([...arrayTools, ...objectTools])].sort(),
+    stopWhen: stopTool
+      ? { kind: "toolCall", toolName: stopTool }
+      : stopStepsRaw
+        ? { kind: "stepCount", maxSteps: Number(stopStepsRaw) }
+        : { kind: "default" },
+  };
+}

package/src/forge/compiler/app-graph/forge-apis.ts CHANGED Viewed

@@ -13,6 +13,7 @@ export const FORGE_BUILDER_APIS: Readonly<Record<string, ForgeKind>> = {
   definePolicies: "policy",
   workflow: "workflow",
   agent: "agent",
+  aiTool: "aiTool",
   telemetryEvent: "telemetryEvent",
 };

package/src/forge/compiler/dev-manifest/build.ts CHANGED Viewed

@@ -61,6 +61,9 @@ function buildRoutes(
     { method: "GET", path: "/health", purpose: "health" },
     { method: "GET", path: "/entries", purpose: "entries" },
     { method: "GET", path: "/queries", purpose: "queries" },
+    { method: "POST", path: "/ai/agents/chat", purpose: "ai-agent-chat" },
+    { method: "POST", path: "/ai/agents/run", purpose: "ai-agent-run" },
+    { method: "GET", path: "/ai/providers", purpose: "ai-providers" },
     { method: "GET", path: "/workflows", purpose: "workflows" },
     { method: "GET", path: "/workflows/runs", purpose: "workflow-runs" },
     { method: "POST", path: "/workflows/process", purpose: "workflow-process" },

package/src/forge/compiler/diagnostics/codes.ts CHANGED Viewed

@@ -14,6 +14,7 @@ export const FORGE_AUTH_INVALID_AUDIENCE = "FORGE_AUTH_INVALID_AUDIENCE" as cons
 export const FORGE_AUTH_TOKEN_EXPIRED = "FORGE_AUTH_TOKEN_EXPIRED" as const;
 export const FORGE_AUTH_JWKS_FAILED = "FORGE_AUTH_JWKS_FAILED" as const;
 export const FORGE_AUTH_CLAIM_MISSING = "FORGE_AUTH_CLAIM_MISSING" as const;
+export const FORGE_AUTH_CLAIM_INVALID = "FORGE_AUTH_CLAIM_INVALID" as const;
 export const FORGE_AUTH_TENANT_MISSING = "FORGE_AUTH_TENANT_MISSING" as const;
 export const FORGE_AUTH_DEV_HEADERS_IN_PRODUCTION =
   "FORGE_AUTH_DEV_HEADERS_IN_PRODUCTION" as const;
@@ -47,6 +48,7 @@ export const FORGE_RLS_UNSUPPORTED_TENANT_TYPE =
 export const FORGE_RLS_FORCE_DISABLED = "FORGE_RLS_FORCE_DISABLED" as const;
 export const FORGE_RLS_APPLY_FAILED = "FORGE_RLS_APPLY_FAILED" as const;
 export const FORGE_RLS_TEST_FAILED = "FORGE_RLS_TEST_FAILED" as const;
+export const FORGE_RLS_MUTATION_FAILED = "FORGE_RLS_MUTATION_FAILED" as const;
 export const FORGE_RLS_SESSION_CONTEXT_MISSING =
   "FORGE_RLS_SESSION_CONTEXT_MISSING" as const;
 export const FORGE_RLS_SESSION_CONTEXT_UNSAFE =
@@ -315,6 +317,12 @@ export const FORGE_TELEMETRY_PAYLOAD_TRUNCATED =
   "FORGE_TELEMETRY_PAYLOAD_TRUNCATED" as const;
 export const FORGE_TELEMETRY_SINK_FAILED = "FORGE_TELEMETRY_SINK_FAILED" as const;
 export const FORGE_TELEMETRY_UNKNOWN_SINK = "FORGE_TELEMETRY_UNKNOWN_SINK" as const;
+export const FORGE_WEBHOOK_SIGNATURE_INVALID =
+  "FORGE_WEBHOOK_SIGNATURE_INVALID" as const;
+export const FORGE_WEBHOOK_TIMESTAMP_INVALID =
+  "FORGE_WEBHOOK_TIMESTAMP_INVALID" as const;
+export const FORGE_WEBHOOK_REPLAY_DETECTED =
+  "FORGE_WEBHOOK_REPLAY_DETECTED" as const;
 export const FORGE_POLICY_DENIED = "FORGE_POLICY_DENIED" as const;
 export const FORGE_POLICY_MISSING = "FORGE_POLICY_MISSING" as const;
 export const FORGE_POLICY_UNKNOWN = "FORGE_POLICY_UNKNOWN" as const;
@@ -338,6 +346,7 @@ export const FORGE_AI_SECRET_MISSING = "FORGE_AI_SECRET_MISSING" as const;
 export const FORGE_AI_DYNAMIC_PROVIDER = "FORGE_AI_DYNAMIC_PROVIDER" as const;
 export const FORGE_AI_GENERATION_FAILED = "FORGE_AI_GENERATION_FAILED" as const;
 export const FORGE_AI_USAGE_UNAVAILABLE = "FORGE_AI_USAGE_UNAVAILABLE" as const;
+export const FORGE_AI_REDTEAM_FAILED = "FORGE_AI_REDTEAM_FAILED" as const;
 export const FORGE_QUERY_WRITE_FORBIDDEN = "FORGE_QUERY_WRITE_FORBIDDEN" as const;
 export const FORGE_QUERY_EMIT_FORBIDDEN = "FORGE_QUERY_EMIT_FORBIDDEN" as const;
 export const FORGE_QUERY_SECRET_FORBIDDEN = "FORGE_QUERY_SECRET_FORBIDDEN" as const;
@@ -379,6 +388,7 @@ export const DIAGNOSTIC_CODES = [
   FORGE_AUTH_TOKEN_EXPIRED,
   FORGE_AUTH_JWKS_FAILED,
   FORGE_AUTH_CLAIM_MISSING,
+  FORGE_AUTH_CLAIM_INVALID,
   FORGE_AUTH_TENANT_MISSING,
   FORGE_AUTH_DEV_HEADERS_IN_PRODUCTION,
   FORGE_AUTH_MODE_INVALID,
@@ -406,6 +416,7 @@ export const DIAGNOSTIC_CODES = [
   FORGE_RLS_FORCE_DISABLED,
   FORGE_RLS_APPLY_FAILED,
   FORGE_RLS_TEST_FAILED,
+  FORGE_RLS_MUTATION_FAILED,
   FORGE_RLS_SESSION_CONTEXT_MISSING,
   FORGE_RLS_SESSION_CONTEXT_UNSAFE,
   FORGE_DB_SUPERUSER_RUNTIME,
@@ -575,6 +586,9 @@ export const DIAGNOSTIC_CODES = [
   FORGE_TELEMETRY_PAYLOAD_TRUNCATED,
   FORGE_TELEMETRY_SINK_FAILED,
   FORGE_TELEMETRY_UNKNOWN_SINK,
+  FORGE_WEBHOOK_SIGNATURE_INVALID,
+  FORGE_WEBHOOK_TIMESTAMP_INVALID,
+  FORGE_WEBHOOK_REPLAY_DETECTED,
   FORGE_POLICY_DENIED,
   FORGE_POLICY_MISSING,
   FORGE_POLICY_UNKNOWN,
@@ -595,6 +609,7 @@ export const DIAGNOSTIC_CODES = [
   FORGE_AI_DYNAMIC_PROVIDER,
   FORGE_AI_GENERATION_FAILED,
   FORGE_AI_USAGE_UNAVAILABLE,
+  FORGE_AI_REDTEAM_FAILED,
   FORGE_QUERY_WRITE_FORBIDDEN,
   FORGE_QUERY_EMIT_FORBIDDEN,
   FORGE_QUERY_SECRET_FORBIDDEN,

package/src/forge/compiler/diagnostics/create.ts CHANGED Viewed

@@ -71,7 +71,7 @@ function defaultGuidanceForCode(code: string): DiagnosticGuidance | null {
   if (code.startsWith("FORGE_RLS_")) {
     return {
       fixHint: "Inspect generated RLS SQL and validate tenant isolation before applying migrations.",
-      suggestedCommands: ["forge rls check --json", "forge rls print --json"],
+      suggestedCommands: ["forge rls check --json", "forge rls test --db postgres --json"],
       docs: ["src/forge/_generated/agentContract.json"],
     };
   }

package/src/forge/compiler/make-registry/build.ts CHANGED Viewed

@@ -34,6 +34,7 @@ export function buildMakeRegistry(generatorVersion: string): MakeRegistryArtifac
       "forge make list --json",
       "forge make explain <primitive> --json",
       "forge make ui --framework vite --dry-run --json",
+      "forge make ai-chat support --dry-run --json",
       "forge make resource <name> --fields title:text,status:enum(open,closed) --dry-run --json",
       "forge make resource <name> --fields title:text --with-ui --yes",
       "forge make apply <planId>",
@@ -123,6 +124,17 @@ export function buildMakeRegistry(generatorVersion: string): MakeRegistryArtifac
         modifies: [],
         examples: ["forge make ui --framework vite --yes"],
       },
+      {
+        name: "ai-chat",
+        summary: "Add a Forge AI agent and React chat component backed by /ai/agents/run.",
+        creates: [
+          "src/ai/<name>Agent.ts",
+          "web/components/<Name>AiChat.tsx",
+          "web/app/<name>-ai/page.tsx when web/app exists",
+        ],
+        modifies: [],
+        examples: ["forge make ai-chat support --yes"],
+      },
       {
         name: "resource",
         summary: "Add schema, policies, CRUD, queries, liveQuery, optional UI, and tests.",
@@ -155,6 +167,7 @@ export function buildMakeTemplates(): MakeTemplateArtifact {
       { name: "component", sourceKind: "frontend", outputPattern: "web/components/<name>.tsx" },
       { name: "page", sourceKind: "frontend", outputPattern: "web/app/<route>/page.tsx" },
       { name: "ui", sourceKind: "frontend", outputPattern: "web/src/App.tsx" },
+      { name: "ai-chat", sourceKind: "frontend", outputPattern: "web/components/<name>AiChat.tsx" },
       { name: "placeholder-test", sourceKind: "test", outputPattern: "tests/make-generated/<name>.test.ts" },
     ],
   };

package/src/forge/compiler/orchestrator/plan.ts CHANGED Viewed

@@ -54,6 +54,8 @@ import { buildDevManifest } from "../dev-manifest/build.ts";
 import { buildRuntimeGraph } from "../runtime-graph/build.ts";
 import {
   buildAgentContractArtifacts,
+  serializeAgentToolRegistryJson,
+  serializeAgentToolRegistryTs,
   serializeCapabilityMapJson,
   serializeCapabilityMapTs,
   serializeAgentContractJson,
@@ -399,6 +401,15 @@ export function plan(input: PlanInput): EmitPlan {
       serializeAgentContractJson(agentArtifacts.contract),
     ),
     makeEmitFile(`${GENERATED_DIR}/appMap.md`, agentArtifacts.appMapMd),
+    makeEmitFile(
+      `${GENERATED_DIR}/agentTools.ts`,
+      serializeAgentToolRegistryTs(agentArtifacts.toolRegistry),
+    ),
+    makeEmitFile(
+      `${GENERATED_DIR}/agentTools.json`,
+      serializeAgentToolRegistryJson(agentArtifacts.toolRegistry),
+    ),
+    makeEmitFile(`${GENERATED_DIR}/agentTools.md`, agentArtifacts.agentToolsMd),
     makeEmitFile(
       `${GENERATED_DIR}/capabilityMap.ts`,
       serializeCapabilityMapTs(agentArtifacts.capabilityMap),

package/src/forge/compiler/orchestrator/serialize.ts CHANGED Viewed

@@ -680,6 +680,8 @@ export function serializeAiRegistryJson(registry: import("../types/ai-registry.t
     inputHash: registry.inputHash,
     providers: registry.providers,
     generations: registry.generations,
+    tools: registry.tools,
+    agents: registry.agents,
     diagnostics: registry.diagnostics,
   };
   return serializeCanonical(payload);
@@ -762,10 +764,76 @@ export interface ForgeGenerateStructuredInput<T> {
   schema: ForgeFlexibleSchema<T>;
 }
+export type ForgeAiToolRisk = "read" | "write" | "external" | "destructive";
+export interface ForgeAiToolRuntimeContext {
+  secrets: {
+    get(name: string): string;
+    optional(name: string): string | undefined;
+    has(name: string): boolean;
+  };
+  env: Record<string, string | undefined>;
+  telemetry?: {
+    traceId?: string;
+    capture(name: string, properties?: Record<string, unknown>): Promise<void>;
+  };
+  auth?: unknown;
+}
+export interface ForgeAiToolDefinition<TArgs = unknown, TResult = unknown> {
+  description: string;
+  inputSchema: unknown;
+  outputSchema?: unknown;
+  strict?: boolean;
+  needsApproval?: boolean | ((args: TArgs) => boolean | Promise<boolean>);
+  risk?: ForgeAiToolRisk;
+  handler: (
+    ctx: ForgeAiToolRuntimeContext,
+    args: TArgs,
+  ) => TResult | Promise<TResult>;
+}
+export type ForgeAgentStopWhen =
+  | { kind: "stepCount"; maxSteps: number }
+  | { kind: "toolCall"; toolName: string };
+export interface ForgeRunAgentInput {
+  provider?: ForgeAiProvider;
+  model: string;
+  prompt: string;
+  instructions: string;
+  purpose?: string;
+  tools?: Record<string, ForgeAiToolDefinition>;
+  stopWhen?: ForgeAgentStopWhen;
+  maxSteps?: number;
+  temperature?: number;
+  maxTokens?: number;
+}
+export interface ForgeRunAgentResult {
+  text: string;
+  provider: ForgeAiProvider;
+  model: string;
+  purpose?: string;
+  usage: ForgeAiUsage;
+  latencyMs: number;
+  toolCalls: Array<{
+    toolName: string;
+    input: unknown;
+  }>;
+  toolResults: Array<{
+    toolName: string;
+    output: unknown;
+  }>;
+  steps: number;
+  estimatedCostUsd?: number;
+}
 export interface AiContext {
   generateText(input: ForgeGenerateTextInput): Promise<ForgeGenerateTextResult>;
   streamText(input: ForgeStreamTextInput): Promise<ForgeStreamTextResult>;
   generateStructured<T>(input: ForgeGenerateStructuredInput<T>): Promise<T>;
+  runAgent(input: ForgeRunAgentInput): Promise<ForgeRunAgentResult>;
 }
 `;
 }

package/src/forge/compiler/package-graph/compiler.ts CHANGED Viewed

@@ -73,6 +73,10 @@ export interface BuildResult {
   diagnostics: Diagnostic[];
 }
+function shouldWarnNoTypes(packageName: string): boolean {
+  return !packageName.startsWith("@types/");
+}
 export class PackageGraphCompiler {
   async build(
     deps: Dependency[],
@@ -363,7 +367,9 @@ export class PackageGraphCompiler {
     }
     if (resolved.dtsPath == null) {
-      diagnostics.push(forgePkgNoTypes(dep.name, subpath));
+      if (shouldWarnNoTypes(dep.name)) {
+        diagnostics.push(forgePkgNoTypes(dep.name, subpath));
+      }
       return {
         subpath,
         conditions: resolved.conditions,
@@ -382,7 +388,9 @@ export class PackageGraphCompiler {
         subpath,
       );
     } catch {
-      diagnostics.push(forgePkgNoTypes(dep.name, subpath));
+      if (shouldWarnNoTypes(dep.name)) {
+        diagnostics.push(forgePkgNoTypes(dep.name, subpath));
+      }
       return {
         subpath,
         conditions: resolved.conditions,
@@ -401,7 +409,9 @@ export class PackageGraphCompiler {
     }
     if (exports.length === 0) {
-      diagnostics.push(forgePkgNoTypes(dep.name, subpath));
+      if (shouldWarnNoTypes(dep.name)) {
+        diagnostics.push(forgePkgNoTypes(dep.name, subpath));
+      }
     }
     return {

package/src/forge/compiler/types/ai-registry.ts CHANGED Viewed

@@ -18,10 +18,32 @@ export interface AiGenerationCall {
   provider: ForgeAiProvider;
   model: string;
   purpose?: string;
-  method: "generateText" | "streamText" | "generateStructured";
+  method: "generateText" | "streamText" | "generateStructured" | "runAgent";
   file: string;
 }
+export interface AiToolDefinition {
+  name: string;
+  file: string;
+  description?: string;
+  risk: "read" | "write" | "external" | "destructive" | "unknown";
+  strict: boolean;
+  needsApproval: boolean | "dynamic";
+}
+export interface AiAgentDefinition {
+  name: string;
+  file: string;
+  provider: ForgeAiProvider;
+  model: string;
+  instructions?: string;
+  tools: string[];
+  stopWhen:
+    | { kind: "stepCount"; maxSteps: number }
+    | { kind: "toolCall"; toolName: string }
+    | { kind: "default" };
+}
 export interface AiRegistry {
   schemaVersion: string;
   generatorVersion: string;
@@ -29,5 +51,7 @@ export interface AiRegistry {
   inputHash: string;
   providers: AiProviderDefinition[];
   generations: AiGenerationCall[];
+  tools: AiToolDefinition[];
+  agents: AiAgentDefinition[];
   diagnostics: unknown[];
 }

package/src/forge/compiler/types/app-graph.ts CHANGED Viewed

@@ -12,6 +12,7 @@ export type ForgeKind =
   | "policy"
   | "workflow"
   | "agent"
+  | "aiTool"
   | "telemetryEvent";
 export interface ForgeSymbol {

package/src/forge/compiler/types/cli.ts CHANGED Viewed

@@ -79,6 +79,7 @@ export type InspectTarget =
   | "test-graph"
   | "test-plans"
   | "agent-contract"
+  | "agent-tools"
   | "agent-adapters"
   | "capability-map"
   | "framework"

package/src/forge/compiler/types/dev-manifest.ts CHANGED Viewed

@@ -11,6 +11,9 @@ export interface DevRoute {
     | "workflows"
     | "workflow-runs"
     | "workflow-process"
+    | "ai-agent-chat"
+    | "ai-agent-run"
+    | "ai-providers"
     | "queries"
     | "query";
   entryName?: string;