forgeos 0.1.0-alpha.3 → 0.1.0-alpha.4

package/AGENTS.md

@@ -1,4 +1,4 @@
-// @forge-generated generator=0.1.0-alpha.3 input=c6d07cc92a729a46f2ff02a05c005e7fe0d71a3a5800be6f670a3fca2db04d6f content=1611635edf59c122b013ba76c85bd333ab3b30b289aaea04a9074f9438782a50
+// @forge-generated generator=0.1.0-alpha.4 input=4af795b70ec62dc5967f6e9b78865cfbc8afb09275e575845cf80a360b3b85e2 content=1611635edf59c122b013ba76c85bd333ab3b30b289aaea04a9074f9438782a50
 # AGENTS.md
 
 <!-- forge-generated:start -->

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # forgeos
 
+## 0.1.0-alpha.4
+
+Security assurance and release evidence hardening:
+
+- Added value-aware telemetry redaction for known secret values in safe-looking fields, messages, details, outputs, and stack traces.
+- Added webhook signature, timestamp, and replay protection helpers with Stripe/GitHub/generic HMAC coverage.
+- Added HTTP tenant-isolation tests that exercise the dev server/API boundary, not only the internal runtime executor.
+- Added `forge rls mutate-test --json` to kill dangerous generated RLS mutations such as missing FORCE RLS, missing policies, unconditional predicates, and `BYPASSRLS`.
+- Extended `forge security prove --json` with RLS mutation proof and invariant-level evidence metadata.
+- Added scripts to split security evidence by invariant and emit basic release supply-chain evidence plus CycloneDX SBOM.
+- Strengthened publish/security workflows so release gates use Postgres-backed security proof, RLS mutation proof, release evidence, and SBOM generation.
+
+## 0.1.0-alpha.3
+
+Native Forge AI agents on top of Vercel AI SDK v6:
+
+- Added `aiTool` and `agent` primitives with generated `agentTools.json` / `agentTools.md`.
+- Added `ctx.agent.run` and `ctx.ai.runAgent` using AI SDK `ToolLoopAgent`.
+- Added auto-tools for commands, queries, and liveQueries with read-only vs approval-required writes.
+- Added dev agent endpoints: `POST /ai/agents/run` and `POST /ai/agents/chat`.
+- Extended `forge ai` CLI with `tools`, `agents`, and `trace` subcommands.
+- Added `forge inspect agent-tools` and agent tool metadata in `agentContract.json`.
+- Upgraded runtime dependency to AI SDK v6 for tool calling, streaming UI, and MCP compatibility.
+
+Documentation:
+
+- Added public [AI](https://forgeos.readthedocs.io/en/latest/ai/) page and AST-aware `rename command` codemod docs.
+- Expanded ReadTheDocs to full agent-native coverage: agent workflow (`forge do`), frontend/liveQuery, security/data, authoring, testing/repair, self-host, templates, Material theme, and changelog page.
+
 ## 0.1.0-alpha.2
 
 Windows and generated-app hardening:

package/README.md

@@ -2,9 +2,11 @@
 
 Agent-native application framework and compiler for building Forge apps without a mandatory dashboard. ForgeOS turns application source into deterministic runtime contracts, generated clients, safety checks, and machine-readable context that humans and AI coding agents can use safely.
 
-**Status:** private/public alpha MVP, implemented through H42. The core compiler, local runtime, frontend SDK, production auth, RLS compiler, repair/review loops, UI test bridge, guided intent router, full-stack capability map, clean templates, faster generated checks, showcase app, Windows-safe Bun resolution, native Windows diagnostics/setup, Node-compatible CLI/runtime paths, observable verify timeouts, multi-OS Node CI smoke, release packaging smoke, npm alpha publishing, Trusted Publisher/OIDC release wiring, ReadTheDocs-ready public docs, package/version-aligned generator metadata, AST-aware codemods for `extract-action`, `rename command`, `rename field`, and `rename table`, broader field-test automation, and quieter template workspaces are present. Public release hardening is still focused on deeper semantic codemods and more real-project field reports.
+**Status:** private/public alpha MVP, implemented through H43. ForgeOS already includes the compiler, local runtime, frontend SDK, production auth, RLS compiler, liveQuery, self-host artifacts, generated agent contract, guided dev loop, repair/review/test tooling, AST-aware codemods, package intelligence, native AI tools/agents, npm alpha publishing, and Read the Docs public docs. Public release hardening is still focused on deeper semantic codemods, broader field reports, and more production mileage.
 
-Public docs are configured for ReadTheDocs with `.readthedocs.yaml` and `mkdocs.yml`. The local docs entrypoint is `docs/index.md`.
+Public docs live at [forgeos.readthedocs.io](https://forgeos.readthedocs.io/). The repo builds them with `.readthedocs.yaml`, `mkdocs.yml`, and `docs/index.md`.
+
+Start with [Why ForgeOS](https://forgeos.readthedocs.io/en/latest/why-forgeos/) to understand the agent-native design.
 
 ## Agent-First Quickstart
 
@@ -243,12 +245,23 @@ See [`examples/showcase-forge-app`](examples/showcase-forge-app/README.md).
 
 ```bash
 cd examples/showcase-forge-app
-bun install
-bun run generate
-bun run dev
+npm install
+npm run generate
+npm run dev
+```
+
+For the reproducible public proof path:
+
+```bash
+npm run proof:inspect
+npm run proof:dev
+npm run proof:capabilities
+npm run proof:verify
 ```
 
-Examples are source-only where practical: generated artifacts, `forge.lock`, package lockfiles, and operational `.forge/**` state are recreated locally. The showcase demonstrates tenant-scoped data, policies, commands, queries, liveQueries, outbox actions, workflows, mock AI, telemetry trace IDs, generated React hooks, `agentContract`, `frontendGraph`, and `capabilityMap`.
+Read [`examples/showcase-forge-app/PUBLIC_PROOF.md`](examples/showcase-forge-app/PUBLIC_PROOF.md) for the full walkthrough.
+
+Examples are source-only where practical: generated artifacts, `forge.lock`, package lockfiles, and operational `.forge/**` state are recreated locally. The showcase demonstrates tenant-scoped data, policies, commands, queries, liveQueries, outbox actions, workflows, mock AI, telemetry trace IDs, generated React hooks, `agentContract`, `frontendGraph`, `capabilityMap`, and the standard agent handoff loop.
 
 ## Platform Support
 
@@ -394,6 +407,7 @@ H39  Showcase app
 H40  Windows/runtime hardening
 H41  Node-compatible CLI/runtime
 H42  Verify observability and quieter app workspaces
+H43  Native AI tools and agent loop
 ```
 
 ## Remaining Hardening Before Public Release

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "forgeos",
-  "version": "0.1.0-alpha.3",
+  "version": "0.1.0-alpha.4",
   "description": "Agent-native application framework and compiler for building Forge apps without a mandatory dashboard.",
   "type": "module",
   "files": [
@@ -36,6 +36,8 @@
     "release": "changeset publish --tag alpha",
     "release:pack": "npm pack --dry-run",
     "release:smoke": "node scripts/smoke-packed-package.mjs",
+    "release:evidence": "node scripts/write-release-evidence.mjs",
+    "security:evidence": "node scripts/write-security-evidence.mjs",
     "release:publish-alpha": "node scripts/publish-trusted-alpha.mjs",
     "release:publish-local-alpha": "node scripts/publish-local-alpha.mjs",
     "field:test": "node scripts/field-test-forgeos.mjs",
@@ -60,7 +62,7 @@
     "type": "git",
     "url": "git+https://github.com/Stahldavid/forge.git"
   },
-  "homepage": "https://github.com/Stahldavid/forge#readme",
+  "homepage": "https://forgeos.readthedocs.io/",
   "bugs": {
     "url": "https://github.com/Stahldavid/forge/issues"
   },

package/src/forge/_generated/actionSubscriptions.json

@@ -1,2 +1,2 @@
-// @forge-generated generator=0.1.0-alpha.3 input=c6d07cc92a729a46f2ff02a05c005e7fe0d71a3a5800be6f670a3fca2db04d6f content=2d023951fabe281a316ab0cfb3de2a66b02f8a8f79941d1131bdd5e473bbf07d
-{"analyzerVersion":"0.1.0","byEvent":{},"diagnostics":[],"generatorVersion":"0.1.0-alpha.3","inputHash":"c9475eac5a16004809cb3ec4a8a67a0d6c9a310cb414b8be0200c1f787d021df","schemaVersion":"0.1.0","subscriptions":[]}
+// @forge-generated generator=0.1.0-alpha.4 input=4af795b70ec62dc5967f6e9b78865cfbc8afb09275e575845cf80a360b3b85e2 content=e38472b113dc79a2390dcbc2f51741b8a86e33c858849367109b170f347b056e
+{"analyzerVersion":"0.1.0","byEvent":{},"diagnostics":[],"generatorVersion":"0.1.0-alpha.4","inputHash":"c52261a0b76af0f64feadff97d3852e815fa814de2566d0d1fce9e4805d1bfab","schemaVersion":"0.1.0","subscriptions":[]}

package/src/forge/_generated/actionSubscriptions.ts

@@ -1,10 +1,10 @@
-// @forge-generated generator=0.1.0-alpha.3 input=c6d07cc92a729a46f2ff02a05c005e7fe0d71a3a5800be6f670a3fca2db04d6f content=37a3e90789abd2ccddf4a70b82a8d7f377c97475268be530292c8ba1e830e616
+// @forge-generated generator=0.1.0-alpha.4 input=4af795b70ec62dc5967f6e9b78865cfbc8afb09275e575845cf80a360b3b85e2 content=a5b050935bb13ffac31c4e8f6b4a0a5e08cd84e7df079cce295b225302323b3a
 export const actionSubscriptions = {
   "analyzerVersion": "0.1.0",
   "byEvent": {},
   "diagnostics": [],
-  "generatorVersion": "0.1.0-alpha.3",
-  "inputHash": "c9475eac5a16004809cb3ec4a8a67a0d6c9a310cb414b8be0200c1f787d021df",
+  "generatorVersion": "0.1.0-alpha.4",
+  "inputHash": "c52261a0b76af0f64feadff97d3852e815fa814de2566d0d1fce9e4805d1bfab",
   "schemaVersion": "0.1.0",
   "subscriptions": []
 } as const;

package/src/forge/_generated/agentAdapterManifest.json

@@ -1,2 +1,2 @@
-// @forge-generated generator=0.1.0-alpha.3 input=c6d07cc92a729a46f2ff02a05c005e7fe0d71a3a5800be6f670a3fca2db04d6f content=29b0486d2fbd8fec9b07e00a910ef11bca3ce47cd33374878f81e34a9ddd8a4d
-{"generatorVersion":"0.1.0-alpha.3","schemaVersion":"0.1.0","sourceHash":"sha256:96d8a8d8dbf71b5a8b36a062aa69312aa540fe47ac1a3fc7e03c49befc428a30","targets":[{"adapterVersion":"agent-adapter-0.1.0","default":true,"files":["AGENTS.md",".forge/agent/context.json",".forge/agent/commands.json",".forge/agent/done-criteria.json",".forge/agent/playbooks/add-command.md",".forge/agent/playbooks/add-query.md",".forge/agent/playbooks/add-livequery.md",".forge/agent/playbooks/add-resource.md",".forge/agent/playbooks/refactor-field.md",".forge/agent/playbooks/fix-policy-denied.md",".forge/agent/playbooks/fix-guard-violation.md",".forge/agent/playbooks/upgrade-package.md",".forge/agent/playbooks/debug-trace.md",".forge/agent/playbooks/frontend-change.md",".forge/agent/playbooks/self-host-check.md"],"formatVersion":"2026-06","name":"generic"},{"adapterVersion":"agent-adapter-0.1.0","files":[".codex/skills/forge-add-command/SKILL.md",".codex/skills/forge-add-resource/SKILL.md",".codex/skills/forge-fix-guard-violation/SKILL.md",".codex/skills/forge-fix-policy-denied/SKILL.md",".codex/skills/forge-upgrade-package/SKILL.md",".codex/skills/forge-debug-trace/SKILL.md",".codex/agents/forge-explorer.toml",".codex/agents/forge-worker.toml",".codex/agents/forge-reviewer.toml",".codex/agents/forge-security.toml"],"formatVersion":"2026-06","name":"codex","optional":true},{"adapterVersion":"agent-adapter-0.1.0","files":[".cursor/rules/forge-runtime.mdc",".cursor/rules/forge-frontend.mdc",".cursor/rules/forge-security.mdc",".cursor/rules/forge-workflow.mdc"],"formatVersion":"2026-06","name":"cursor","optional":true},{"adapterVersion":"agent-adapter-0.1.0","files":["CLAUDE.md",".claude/forge-runtime.md",".claude/forge-playbooks.md",".claude/forge-security.md"],"formatVersion":"2026-06","name":"claude","optional":true}]}
+// @forge-generated generator=0.1.0-alpha.4 input=4af795b70ec62dc5967f6e9b78865cfbc8afb09275e575845cf80a360b3b85e2 content=488bf387fd048437f772a253b7b64f6a51c25d1f2e6d7d07f7a8c971e0c8c90d
+{"generatorVersion":"0.1.0-alpha.4","schemaVersion":"0.1.0","sourceHash":"sha256:69500f8aefc9e77c7049e70279cadc0242fbeb0be0390ef26b051889956ad680","targets":[{"adapterVersion":"agent-adapter-0.1.0","default":true,"files":["AGENTS.md",".forge/agent/context.json",".forge/agent/commands.json",".forge/agent/done-criteria.json",".forge/agent/playbooks/add-command.md",".forge/agent/playbooks/add-query.md",".forge/agent/playbooks/add-livequery.md",".forge/agent/playbooks/add-resource.md",".forge/agent/playbooks/refactor-field.md",".forge/agent/playbooks/fix-policy-denied.md",".forge/agent/playbooks/fix-guard-violation.md",".forge/agent/playbooks/upgrade-package.md",".forge/agent/playbooks/debug-trace.md",".forge/agent/playbooks/frontend-change.md",".forge/agent/playbooks/self-host-check.md"],"formatVersion":"2026-06","name":"generic"},{"adapterVersion":"agent-adapter-0.1.0","files":[".codex/skills/forge-add-command/SKILL.md",".codex/skills/forge-add-resource/SKILL.md",".codex/skills/forge-fix-guard-violation/SKILL.md",".codex/skills/forge-fix-policy-denied/SKILL.md",".codex/skills/forge-upgrade-package/SKILL.md",".codex/skills/forge-debug-trace/SKILL.md",".codex/agents/forge-explorer.toml",".codex/agents/forge-worker.toml",".codex/agents/forge-reviewer.toml",".codex/agents/forge-security.toml"],"formatVersion":"2026-06","name":"codex","optional":true},{"adapterVersion":"agent-adapter-0.1.0","files":[".cursor/rules/forge-runtime.mdc",".cursor/rules/forge-frontend.mdc",".cursor/rules/forge-security.mdc",".cursor/rules/forge-workflow.mdc"],"formatVersion":"2026-06","name":"cursor","optional":true},{"adapterVersion":"agent-adapter-0.1.0","files":["CLAUDE.md",".claude/forge-runtime.md",".claude/forge-playbooks.md",".claude/forge-security.md"],"formatVersion":"2026-06","name":"claude","optional":true}]}

package/src/forge/_generated/agentAdapterManifest.ts

@@ -1,8 +1,8 @@
-// @forge-generated generator=0.1.0-alpha.3 input=c6d07cc92a729a46f2ff02a05c005e7fe0d71a3a5800be6f670a3fca2db04d6f content=5fa75085c83aafc4d227978e3aeb555c16cfea75584c57fc75de474b2f230d5a
+// @forge-generated generator=0.1.0-alpha.4 input=4af795b70ec62dc5967f6e9b78865cfbc8afb09275e575845cf80a360b3b85e2 content=a111bf4de7c15892a6465afaf86be51e792266d18f2f526fd03a78f9f08f89c6
 export const agentAdapterManifest = {
-  "generatorVersion": "0.1.0-alpha.3",
+  "generatorVersion": "0.1.0-alpha.4",
   "schemaVersion": "0.1.0",
-  "sourceHash": "sha256:96d8a8d8dbf71b5a8b36a062aa69312aa540fe47ac1a3fc7e03c49befc428a30",
+  "sourceHash": "sha256:69500f8aefc9e77c7049e70279cadc0242fbeb0be0390ef26b051889956ad680",
   "targets": [
     {
       "adapterVersion": "agent-adapter-0.1.0",