keystone-cli 1.0.3 → 1.1.0

package/src/runner/workflow-scheduler.ts

@@ -0,0 +1,75 @@
+import type { JoinStep, Step, Workflow } from '../parser/schema.ts';
+import { WorkflowParser } from '../parser/workflow-parser.ts';
+
+export class WorkflowScheduler {
+  private executionOrder: string[];
+  private pendingSteps: Set<string>;
+  private completedSteps: Set<string>;
+  private stepMap: Map<string, Step>;
+
+  constructor(
+    private readonly workflow: Workflow,
+    alreadyCompleted: Set<string> = new Set()
+  ) {
+    this.executionOrder = WorkflowParser.topologicalSort(workflow);
+    this.stepMap = new Map(workflow.steps.map((s) => [s.id, s]));
+
+    // Initialize completed steps (from already completed/restored state)
+    this.completedSteps = new Set(alreadyCompleted);
+
+    // Remaining steps to execute
+    const remaining = this.executionOrder.filter((id) => !this.completedSteps.has(id));
+    this.pendingSteps = new Set(remaining);
+  }
+
+  public getExecutionOrder(): string[] {
+    return this.executionOrder;
+  }
+
+  public getPendingCount(): number {
+    return this.pendingSteps.size;
+  }
+
+  public isComplete(): boolean {
+    return this.pendingSteps.size === 0;
+  }
+
+  public markStepComplete(stepId: string): void {
+    this.completedSteps.add(stepId);
+    this.pendingSteps.delete(stepId);
+  }
+
+  public getRunnableSteps(runningCount: number, globalConcurrencyLimit: number): Step[] {
+    const runnable: Step[] = [];
+
+    for (const stepId of this.pendingSteps) {
+      if (runningCount + runnable.length >= globalConcurrencyLimit) {
+        break;
+      }
+
+      const step = this.stepMap.get(stepId);
+      if (!step) continue;
+
+      if (this.isStepReady(step)) {
+        runnable.push(step);
+      }
+    }
+
+    return runnable;
+  }
+
+  public startStep(stepId: string): void {
+    this.pendingSteps.delete(stepId);
+  }
+
+  private isStepReady(step: Step): boolean {
+    if (step.type === 'join') {
+      const joinStep = step as JoinStep;
+      const needs = joinStep.needs ?? [];
+      if (needs.length === 0) return true;
+      return needs.every((dep) => this.completedSteps.has(dep));
+    }
+    const needs = step.needs ?? [];
+    return needs.every((dep: string) => this.completedSteps.has(dep));
+  }
+}

package/src/runner/workflow-state.ts

@@ -0,0 +1,269 @@
+import type { WorkflowDb } from '../db/workflow-db.ts';
+import type { ExpressionContext } from '../expression/evaluator.ts';
+import { ExpressionEvaluator } from '../expression/evaluator.ts';
+import type { Workflow } from '../parser/schema.ts';
+import { WorkflowParser } from '../parser/workflow-parser.ts';
+import type { StepStatusType } from '../types/status.ts';
+import { StepStatus, WorkflowStatus } from '../types/status.ts';
+import type { Logger } from '../utils/logger.ts';
+import { ForeachExecutor } from './executors/foreach-executor.ts';
+
+export interface StepContext {
+  output?: unknown;
+  outputs?: Record<string, unknown>;
+  status: StepStatusType;
+  error?: string;
+  usage?: {
+    prompt_tokens: number;
+    completion_tokens: number;
+    total_tokens: number;
+  };
+}
+
+export interface ForeachStepContext extends StepContext {
+  items: StepContext[];
+  foreachItems?: unknown[];
+}
+
+export class WorkflowState {
+  private stepContexts: Map<string, StepContext | ForeachStepContext> = new Map();
+
+  constructor(
+    private readonly runId: string,
+    private readonly workflow: Workflow,
+    private readonly db: WorkflowDb,
+    private readonly inputs: Record<string, unknown>,
+    private readonly secrets: Record<string, string>,
+    private readonly logger: Logger
+  ) {}
+
+  public get(stepId: string): StepContext | ForeachStepContext | undefined {
+    return this.stepContexts.get(stepId);
+  }
+
+  public set(stepId: string, context: StepContext | ForeachStepContext): void {
+    this.stepContexts.set(stepId, context);
+  }
+
+  public has(stepId: string): boolean {
+    return this.stepContexts.has(stepId);
+  }
+
+  public entries() {
+    return this.stepContexts.entries();
+  }
+
+  public get size(): number {
+    return this.stepContexts.size;
+  }
+
+  public getCompletedStepIds(): Set<string> {
+    const completed = new Set<string>();
+    for (const [stepId, context] of this.stepContexts.entries()) {
+      if (context.status === StepStatus.SUCCESS || context.status === StepStatus.SKIPPED) {
+        completed.add(stepId);
+      }
+    }
+    return completed;
+  }
+
+  public buildContext(item?: unknown, index?: number): ExpressionContext {
+    const stepsContext: Record<string, any> = {};
+
+    for (const [stepId, ctx] of this.stepContexts.entries()) {
+      stepsContext[stepId] = {
+        output: ctx.output,
+        outputs: ctx.outputs,
+        status: ctx.status,
+        error: ctx.error,
+        ...('items' in ctx ? { items: (ctx as ForeachStepContext).items } : {}),
+      };
+    }
+
+    return {
+      inputs: this.inputs,
+      secrets: this.secrets,
+      steps: stepsContext,
+      item,
+      index,
+      env: process.env as Record<string, string>,
+    };
+  }
+
+  public async restore(): Promise<void> {
+    const run = await this.db.getRun(this.runId);
+    if (!run) {
+      throw new Error(`Run ${this.runId} not found`);
+    }
+
+    // Restore inputs if they exist
+    if (run.inputs && run.inputs !== 'null' && run.inputs !== '') {
+      try {
+        const storedInputs = JSON.parse(run.inputs);
+        // Merge stored inputs, provided inputs to constructor have precedence
+        Object.assign(this.inputs, { ...storedInputs, ...this.inputs });
+      } catch (e) {
+        this.logger.error(`Failed to parse persisted inputs for run ${this.runId}`);
+      }
+    }
+
+    // Load all step executions for this run
+    const steps = await this.db.getStepsByRun(this.runId);
+
+    // Group steps by step_id
+    const stepExecutionsByStepId = new Map<string, typeof steps>();
+    for (const step of steps) {
+      if (!stepExecutionsByStepId.has(step.step_id)) {
+        stepExecutionsByStepId.set(step.step_id, []);
+      }
+      stepExecutionsByStepId.get(step.step_id)?.push(step);
+    }
+
+    const executionOrder = WorkflowParser.topologicalSort(this.workflow);
+
+    for (const stepId of executionOrder) {
+      const stepExecutions = stepExecutionsByStepId.get(stepId);
+      if (!stepExecutions || stepExecutions.length === 0) continue;
+
+      const stepDef = this.workflow.steps.find((s) => s.id === stepId);
+      if (!stepDef) continue;
+
+      const isForeach = !!stepDef.foreach;
+
+      if (isForeach) {
+        const items: StepContext[] = [];
+        const outputs: unknown[] = [];
+        let allSuccess = true;
+
+        const sortedExecs = [...stepExecutions].sort((a, b) => {
+          // Sort by iteration_index asc, then by created_at desc (newest first)
+          if ((a.iteration_index ?? 0) !== (b.iteration_index ?? 0)) {
+            return (a.iteration_index ?? 0) - (b.iteration_index ?? 0);
+          }
+          // If started_at is available, use it (newest first).
+          // Fallback to stable sort if nothing else.
+          if (a.started_at && b.started_at) {
+            return new Date(b.started_at).getTime() - new Date(a.started_at).getTime();
+          }
+          if (a.step_id && b.step_id) return 0; // Stability
+          return 0;
+        });
+
+        // Dedup by iteration_index, keeping the first (newest)
+        const uniqueExecs: typeof steps = [];
+        const seenIndices = new Set<number>();
+        for (const ex of sortedExecs) {
+          const idx = ex.iteration_index ?? 0;
+          if (!seenIndices.has(idx)) {
+            seenIndices.add(idx);
+            uniqueExecs.push(ex);
+          }
+        }
+
+        for (const exec of uniqueExecs) {
+          if (exec.iteration_index === null) continue;
+
+          let output: unknown = null;
+          if (exec.output) {
+            try {
+              output = JSON.parse(exec.output);
+            } catch (e) {
+              /* ignore */
+            }
+          }
+
+          items[exec.iteration_index] = {
+            output,
+            outputs:
+              typeof output === 'object' && output !== null && !Array.isArray(output)
+                ? (output as any)
+                : {},
+            status: exec.status as StepStatusType,
+            error: exec.error || undefined,
+          };
+          outputs[exec.iteration_index] = output;
+          if (exec.status !== StepStatus.SUCCESS && exec.status !== StepStatus.SKIPPED) {
+            allSuccess = false;
+          }
+        }
+
+        // deterministic resume support
+        let expectedCount = -1;
+        let persistedItems: unknown[] | undefined;
+        const parentExec = stepExecutions.find((e) => e.iteration_index === null);
+        if (parentExec?.output) {
+          try {
+            const parsed = JSON.parse(parentExec.output);
+            if (parsed.__foreachItems && Array.isArray(parsed.__foreachItems)) {
+              persistedItems = parsed.__foreachItems;
+              expectedCount = parsed.__foreachItems.length;
+            }
+          } catch {
+            /* ignore */
+          }
+        }
+
+        if (expectedCount === -1 && stepDef.foreach) {
+          try {
+            const baseContext = this.buildContext();
+            const foreachItems = ExpressionEvaluator.evaluate(stepDef.foreach, baseContext);
+            if (Array.isArray(foreachItems)) expectedCount = foreachItems.length;
+          } catch {
+            allSuccess = false;
+          }
+        }
+
+        const hasAllItems =
+          expectedCount !== -1 &&
+          items.length === expectedCount &&
+          !Array.from({ length: expectedCount }).some((_, i) => !items[i]);
+
+        let status: StepStatusType = StepStatus.SUCCESS;
+        if (allSuccess && hasAllItems) {
+          status = StepStatus.SUCCESS;
+        } else if (items.some((i) => i?.status === StepStatus.SUSPENDED)) {
+          status = StepStatus.SUSPENDED;
+        } else {
+          status = StepStatus.FAILED;
+        }
+
+        const mappedOutputs = ForeachExecutor.aggregateOutputs(outputs);
+        this.stepContexts.set(stepId, {
+          output: outputs,
+          outputs: mappedOutputs,
+          status,
+          items,
+          foreachItems: persistedItems,
+        } as ForeachStepContext);
+      } else {
+        // Fix: Sort by started_at desc (newest first) to avoid restoring stale retries
+        const sorted = [...stepExecutions].sort((a, b) => {
+          if (a.started_at && b.started_at) {
+            return new Date(b.started_at).getTime() - new Date(a.started_at).getTime();
+          }
+          return 0;
+        });
+        const exec = sorted[0];
+        let output: unknown = null;
+        if (exec.output) {
+          try {
+            output = JSON.parse(exec.output);
+          } catch (e) {
+            /* ignore */
+          }
+        }
+
+        this.stepContexts.set(stepId, {
+          output,
+          outputs:
+            typeof output === 'object' && output !== null && !Array.isArray(output)
+              ? (output as any)
+              : {},
+          status: exec.status as StepStatusType,
+          error: exec.error || undefined,
+        });
+      }
+    }
+    this.logger.log(`✓ Restored state: ${this.stepContexts.size} step(s) hydrated`);
+  }
+}

package/src/runner/workflow-subflows.test.ts

@@ -141,9 +141,6 @@ describe('WorkflowRunner - Subflows & Compensations', () => {
     const undo1Index = logs.findIndex((l) => l.includes('undoing step1'));
 
     if (undo2Index === -1 || undo1Index === -1 || undo2Index >= undo1Index) {
-      console.log('--- COMPENSATION LOGS ---');
-      console.log(logs.filter((l) => l.includes('undoing') || l.includes('rollback')).join('\n'));
-      console.log('--- END ---');
     }
 
     expect(undo2Index).toBeGreaterThan(-1);
@@ -159,12 +156,19 @@ describe('WorkflowRunner - Subflows & Compensations', () => {
 
     if (existsSync(compDbPath)) rmSync(compDbPath);
   });
-  it('should execute join step early if condition is "any" and one branch finishes', async () => {
-    // This is hard to test deterministically without timing, but we can verify it executes
+  it('should NOT execute join step early if condition is "any" (must wait for all dependencies to finish)', async () => {
+    // New behavior: Join waits for all dependencies to finish (success or failure)
+    // before evaluating the condition. This prevents missing inputs.
     const workflow: Workflow = {
-      name: 'early-join',
+      name: 'delayed-join',
       steps: [
-        { id: 'slow', type: 'shell', run: 'sleep 0.1 && echo "slow"', needs: [] },
+        {
+          id: 'slow',
+          type: 'shell',
+          run: 'sleep 0.1 && echo "slow"',
+          allowInsecure: true,
+          needs: [],
+        },
         { id: 'fast', type: 'shell', run: 'echo "fast"', needs: [] },
         {
           id: 'early_join',
@@ -196,13 +200,13 @@ describe('WorkflowRunner - Subflows & Compensations', () => {
     const runner = new WorkflowRunner(workflow, { dbPath, logger });
     await runner.run();
 
-    // Verify after_join started BEFORE slow finished
+    // Verify after_join started AFTER slow finished
     const afterJoinStart = logs.findIndex((l) => l.includes('Executing step: after_join'));
     const slowFinished = logs.findIndex((l) => l.includes('Step slow completed'));
 
     expect(afterJoinStart).toBeGreaterThan(-1);
     expect(slowFinished).toBeGreaterThan(-1);
-    expect(afterJoinStart).toBeLessThan(slowFinished);
+    expect(afterJoinStart).toBeGreaterThan(slowFinished);
   });
 
   it('should execute top-level workflow compensation on failure', async () => {
@@ -244,9 +248,6 @@ describe('WorkflowRunner - Subflows & Compensations', () => {
 
     const wfUndoIndex = logs.findIndex((l) => l.includes('undoing workflow'));
     if (wfUndoIndex === -1) {
-      console.log('--- WF COMP LOGS ---');
-      console.log(logs.join('\n'));
-      console.log('--- END ---');
     }
     expect(wfUndoIndex).toBeGreaterThan(-1);
 

package/src/scripts/generate-schemas.ts

@@ -0,0 +1,16 @@
+import { writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { zodToJsonSchema } from 'zod-to-json-schema';
+import { AgentSchema, WorkflowSchema } from '../parser/schema';
+
+const schemasDir = join(process.cwd(), 'schemas');
+
+// Workflow Schema
+const workflowJson = zodToJsonSchema(WorkflowSchema, 'keystone-workflow');
+writeFileSync(join(schemasDir, 'workflow.json'), JSON.stringify(workflowJson, null, 2));
+
+// Agent Schema
+// We omit systemPrompt because it comes from the markdown body, not the frontmatter
+const agentFrontmatterSchema = AgentSchema.omit({ systemPrompt: true });
+const agentJson = zodToJsonSchema(agentFrontmatterSchema, 'keystone-agent');
+writeFileSync(join(schemasDir, 'agent.json'), JSON.stringify(agentJson, null, 2));

package/src/templates/agents/explore.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: explore
 description: Agent for exploring and understanding codebases
 model: claude-sonnet-4.5

package/src/templates/agents/general.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: general
 description: "A general-purpose assistant for various tasks"
 model: gpt-4o

package/src/templates/agents/handoff-router.md

@@ -0,0 +1,14 @@
+---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
+name: handoff-router
+description: "Routes work to specialists when needed."
+model: gpt-4o
+---
+
+# Role
+You are a router agent.
+
+# Instructions
+- Always call `remember_context` with the current user and topic.
+- If you need deeper expertise, call `transfer_to_agent` with `handoff-specialist`.
+- Provide a concise final response after any handoff.

package/src/templates/agents/handoff-specialist.md

@@ -0,0 +1,15 @@
+---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
+name: handoff-specialist
+description: "Specialist agent for complex topics."
+model: gpt-4o
+---
+
+# Role
+You are a specialist for ${{ inputs.topic }}.
+
+# Context
+If available, address ${{ memory.user }} and confirm the focus is ${{ memory.topic }}.
+
+# Output
+Provide concise, expert guidance tailored to the topic.

package/src/templates/agents/keystone-architect.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: keystone-architect
 description: "Expert at designing Keystone workflows and agents"
 model: gpt-4o
@@ -9,52 +10,19 @@ You are the Keystone Architect. Your goal is to design and generate high-quality
 
 # Knowledge Base
 
-## Workflow Schema (.yaml)
-- **name**: Unique identifier for the workflow.
-- **description**: (Optional) Description of the workflow.
-- **inputs**: Map of `{ type: 'string'|'number'|'boolean'|'array'|'object', default: any, description?: string }` under the `inputs` key.
-- **outputs**: Map of expressions (e.g., `${{ steps.id.output }}`) under the `outputs` key.
-- **outputSchema**: (Optional) JSON Schema for final workflow outputs.
-- **env**: (Optional) Map of workflow-level environment variables.
-- **concurrency**: (Optional) Global concurrency limit for the workflow.
-- **pools**: (Optional) Map of resource pools `{ pool_name: limit }`.
-- **compensate**: (Optional) Workflow-level compensation step.
-- **eval**: (Optional) Configuration for prompt optimization `{ scorer: 'llm'|'script', agent, prompt, run, allowInsecure, allowSecrets }`.
-- **steps**: Array of step objects. Each step MUST have an `id` and a `type`:
-  - **shell**: `{ id, type: 'shell', run, dir, env, allowInsecure, transform }`
-  - **llm**: `{ id, type: 'llm', agent, prompt, outputSchema, provider, model, tools, maxIterations, maxMessageHistory, useGlobalMcp, allowClarification, useStandardTools, allowOutsideCwd, allowInsecure, mcpServers, handoff }`
-  - **workflow**: `{ id, type: 'workflow', path, inputs, outputMapping }`
-  - **file**: `{ id, type: 'file', path, op: 'read'|'write'|'append', content, allowOutsideCwd }`
-  - **request**: `{ id, type: 'request', url, method, body, headers, allowInsecure }`
-  - **human**: `{ id, type: 'human', message, inputType: 'confirm'|'text' }`
-  - **sleep**: `{ id, type: 'sleep', duration, durable }` (use `durable: true` for sleeps >= 60s)
-  - **script**: `{ id, type: 'script', run, allowInsecure }`
-  - **engine**: `{ id, type: 'engine', command, args, input, env, cwd, outputSchema }`
-  - **memory**: `{ id, type: 'memory', op: 'search'|'store', query, text, model, metadata, limit }`
-  - **join**: `{ id, type: 'join', target: 'steps'|'branches', condition: 'all'|'any'|number }`
-- **Common Step Fields**: `needs` (array), `if` (expr), `timeout` (ms), `retry` (`{ count, backoff, baseDelay }`), `auto_heal`, `reflexion`, `learn`, `foreach`, `concurrency`, `pool`, `compensate`, `transform`, `inputSchema`, `outputSchema`, `outputRetries`, `repairStrategy`.
-- **finally**: Optional array of steps to run at the end of the workflow, regardless of success or failure.
-- **IMPORTANT**: Steps run in **parallel** by default. To ensure sequential execution, a step must explicitly list the previous step's ID in its `needs` array.
+## 📖 Source of Truth
+You MUST consult the latest schemas before designing any workflow or agent. Use your `fetch` tool (or `request` step) to read:
+- **Workflow Schema**: [https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json](https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json)
+- **Agent Schema**: [https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json](https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json)
 
-## Standard Tools
-When `useStandardTools: true` is set on an `llm` step, the agent has access to:
-- `read_file(path)`: Read file contents.
-- `read_file_lines(path, start, count)`: Read a specific range of lines.
-- `write_file(path, content)`: Write/overwrite file.
-- `list_files(path)`: List directory contents.
-- `search_files(pattern, dir)`: Search for files by pattern (glob).
-- `search_content(query, pattern, dir)`: Search for text within files.
-- `run_command(command, dir)`: Run shell commands (restricted by `allowInsecure`).
-- **Path Gating**: Restricted to CWD by default. Use `allowOutsideCwd: true` to bypass.
 
-## Agent Schema (.md)
-Markdown files with YAML frontmatter:
-- **name**: Agent name.
-- **description**: (Optional) Agent description.
-- **provider**: (Optional) Provider name.
-- **model**: (Optional) e.g., `gpt-4o`, `claude-sonnet-4.5`.
-- **tools**: Array of `{ name, description, parameters, execution }` where `execution` is a standard Step object and `parameters` is a JSON Schema.
-- **Body**: The Markdown body is the `systemPrompt`.
+If you are running in the Keystone CLI repository, you can also use `read_file` on `schemas/workflow.json` and `schemas/agent.json`.
+
+## Guidelines
+1. **Always Consult Schema**: Do not rely on your internal training data for Keystone schema fields. Fetch or read the JSON schemas above to ensure you are using the latest properties and types.
+2. **Schema-Driven Design**: For every step type (shell, llm, request, etc.), check the `workflow.json` schema to see available fields, defaults, and requirements.
+3. **Tool Awareness**: Check the `STANDARD_TOOLS` array in the codebase (or consult your available tools) to see what built-in capabilities you can leverage.
+
 
 ## Expression Syntax
 - `${{ inputs.name }}`
@@ -64,6 +32,7 @@ Markdown files with YAML frontmatter:
 - `${{ item }}` (current item in a `foreach` loop)
 - `${{ secrets.NAME }}` (access redacted secrets)
 - `${{ env.NAME }}` (access environment variables)
+- `${{ memory.key }}` (tool-driven memory updates)
 - Standard JS-like expressions: `${{ steps.count > 0 ? 'yes' : 'no' }}`
 
 # Guidelines

package/src/templates/agents/my-agent.md

@@ -1,3 +1,4 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: my-agent
 ---

package/src/templates/agents/software-engineer.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: software-engineer
 description: "Expert at writing and debugging code"
 model: gpt-4o

package/src/templates/agents/summarizer.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: summarizer
 description: "Summarizes text content"
 model: gpt-4o

package/src/templates/agents/test-agent.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: test-agent
 model: gpt-4
 tools:

package/src/templates/agents/tester.md

@@ -1,4 +1,5 @@
 ---
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/agent.json
 name: tester
 description: "Expert at writing and running tests for Keystone CLI"
 model: gpt-4o

package/src/templates/{basic-inputs.yaml → basics/basic-inputs.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: basic-inputs
 description: "A simple workflow that greets a user with optional repetition"
 inputs:
@@ -13,6 +14,7 @@ inputs:
 steps:
   - id: hello
     type: shell
+    allowInsecure: true
     run: |
       for i in $(seq 1 ${{ inputs.count }}); do
         echo "Hello, ${{ escape(inputs.user_name) }}! (Attempt $i)"

package/src/templates/{basic-shell.yaml → basics/basic-shell.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: basic-shell
 description: "A simple example workflow demonstrating basic features"
 
@@ -17,4 +18,4 @@ steps:
   - id: print_message
     type: shell
     needs: [create_message]
-    run: echo "Generated message - ${{ steps.create_message.output }}"
+    run: echo "Generated message - ${{ escape(steps.create_message.output) }}"

package/src/templates/{full-feature-demo.yaml → basics/full-feature-demo.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: full-feature-demo
 description: "A comprehensive workflow demonstrating multiple feature types"
 
@@ -41,6 +42,7 @@ steps:
   - id: count_files
     type: shell
     needs: [write_file]
+    allowInsecure: true
     run: ls ./tmp/keystone-*.txt | wc -l
     transform: parseInt(stdout.trim())
 

package/src/templates/{stop-watch.yaml → basics/stop-watch.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: stop-watch
 description: "A simple stopwatch workflow"
 steps:

package/src/templates/{child-rollback.yaml → control-flow/child-rollback.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: nested-rollback-child
 description: Child workflow with a side effect and compensation
 

package/src/templates/{cleanup-finally.yaml → control-flow/cleanup-finally.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: cleanup-finally
 description: "Test the finally block"
 

package/src/templates/{fan-out-fan-in.yaml → control-flow/fan-out-fan-in.yaml}

@@ -1,3 +1,4 @@
+$schema: https://raw.githubusercontent.com/mhingston/keystone-cli/main/schemas/workflow.json
 name: fan-out-fan-in-example
 description: Demonstrates dynamic join conditions and nested compensations
 
@@ -17,6 +18,7 @@ steps:
 
   - id: parallel_1
     type: shell
+    allowInsecure: true
     run: sleep 2 && echo "Parallel 1 done"
     needs: [prepare]
     compensate:
@@ -26,6 +28,7 @@ steps:
 
   - id: parallel_2
     type: shell
+    allowInsecure: true
     run: |
       echo "Parallel 2 failing intentionally..."
       exit 1