mindforge-cc 11.3.1 → 11.5.0

Files changed (475)
  1. package/.agent/CLAUDE.md +13 -0
  2. package/.agent/hooks/lib/hook-flags.js +78 -0
  3. package/.agent/hooks/lib/pretooluse-visible-output.js +46 -0
  4. package/.agent/hooks/mindforge-block-no-verify.js +552 -0
  5. package/.agent/hooks/mindforge-config-protection.js +144 -0
  6. package/.agent/hooks/run-with-flags.js +207 -0
  7. package/.agent/mindforge/checkpoint.md +76 -0
  8. package/.agent/mindforge/harness-audit.md +59 -0
  9. package/.agent/mindforge/instinct.md +46 -0
  10. package/.agent/mindforge/orch-add-feature.md +43 -0
  11. package/.agent/mindforge/orch-build-mvp.md +48 -0
  12. package/.agent/mindforge/orch-change-feature.md +45 -0
  13. package/.agent/mindforge/orch-fix-defect.md +43 -0
  14. package/.agent/mindforge/orch-refine-code.md +43 -0
  15. package/.agent/skills/mindforge-add-backlog/SKILL.md +2 -2
  16. package/.agent/skills/mindforge-add-phase/SKILL.md +2 -2
  17. package/.agent/skills/mindforge-add-tests/SKILL.md +2 -2
  18. package/.agent/skills/mindforge-add-todo/SKILL.md +2 -2
  19. package/.agent/skills/mindforge-audit-milestone/SKILL.md +2 -2
  20. package/.agent/skills/mindforge-audit-uat/SKILL.md +2 -2
  21. package/.agent/skills/mindforge-autonomous/SKILL.md +2 -2
  22. package/.agent/skills/mindforge-brainstorming/SKILL.md +1 -1
  23. package/.agent/skills/mindforge-check-todos/SKILL.md +2 -2
  24. package/.agent/skills/mindforge-cleanup/SKILL.md +2 -2
  25. package/.agent/skills/mindforge-complete-milestone/SKILL.md +2 -2
  26. package/.agent/skills/mindforge-debug/SKILL.md +2 -2
  27. package/.agent/skills/mindforge-debug_extended/SKILL.md +2 -2
  28. package/.agent/skills/mindforge-discuss-phase/SKILL.md +2 -2
  29. package/.agent/skills/mindforge-do/SKILL.md +2 -2
  30. package/.agent/skills/mindforge-execute-phase/SKILL.md +2 -2
  31. package/.agent/skills/mindforge-execute-phase_extended/SKILL.md +2 -2
  32. package/.agent/skills/mindforge-fast/SKILL.md +2 -2
  33. package/.agent/skills/mindforge-forensics/SKILL.md +2 -2
  34. package/.agent/skills/mindforge-health/SKILL.md +2 -2
  35. package/.agent/skills/mindforge-help/SKILL.md +2 -2
  36. package/.agent/skills/mindforge-insert-phase/SKILL.md +2 -2
  37. package/.agent/skills/mindforge-join-discord/SKILL.md +2 -2
  38. package/.agent/skills/mindforge-list-phase-assumptions/SKILL.md +2 -2
  39. package/.agent/skills/mindforge-list-workspaces/SKILL.md +2 -2
  40. package/.agent/skills/mindforge-manager/SKILL.md +2 -2
  41. package/.agent/skills/mindforge-map-codebase/SKILL.md +2 -2
  42. package/.agent/skills/mindforge-milestone-summary/SKILL.md +2 -2
  43. package/.agent/skills/mindforge-neural-orchestrator/SKILL.md +2 -2
  44. package/.agent/skills/mindforge-new-milestone/SKILL.md +2 -2
  45. package/.agent/skills/mindforge-new-project/SKILL.md +2 -2
  46. package/.agent/skills/mindforge-new-workspace/SKILL.md +2 -2
  47. package/.agent/skills/mindforge-next/SKILL.md +2 -2
  48. package/.agent/skills/mindforge-note/SKILL.md +2 -2
  49. package/.agent/skills/mindforge-parallel-mesh_extended/SKILL.md +2 -2
  50. package/.agent/skills/mindforge-pause-work/SKILL.md +2 -2
  51. package/.agent/skills/mindforge-plan-milestone-gaps/SKILL.md +2 -2
  52. package/.agent/skills/mindforge-plan-phase/SKILL.md +2 -2
  53. package/.agent/skills/mindforge-plan-phase_extended/SKILL.md +2 -2
  54. package/.agent/skills/mindforge-plant-seed/SKILL.md +2 -2
  55. package/.agent/skills/mindforge-pr-branch/SKILL.md +2 -2
  56. package/.agent/skills/mindforge-profile-user/SKILL.md +2 -2
  57. package/.agent/skills/mindforge-progress/SKILL.md +2 -2
  58. package/.agent/skills/mindforge-quick/SKILL.md +2 -2
  59. package/.agent/skills/mindforge-reapply-patches/SKILL.md +2 -2
  60. package/.agent/skills/mindforge-remove-phase/SKILL.md +2 -2
  61. package/.agent/skills/mindforge-remove-workspace/SKILL.md +2 -2
  62. package/.agent/skills/mindforge-research-phase/SKILL.md +2 -2
  63. package/.agent/skills/mindforge-resume-work/SKILL.md +2 -2
  64. package/.agent/skills/mindforge-review/SKILL.md +2 -2
  65. package/.agent/skills/mindforge-review-backlog/SKILL.md +2 -2
  66. package/.agent/skills/mindforge-review-inbound/SKILL.md +2 -2
  67. package/.agent/skills/mindforge-review-request/SKILL.md +2 -2
  68. package/.agent/skills/mindforge-session-report/SKILL.md +2 -2
  69. package/.agent/skills/mindforge-set-profile/SKILL.md +2 -2
  70. package/.agent/skills/mindforge-settings/SKILL.md +2 -2
  71. package/.agent/skills/mindforge-ship/SKILL.md +2 -2
  72. package/.agent/skills/mindforge-ship_extended/SKILL.md +2 -2
  73. package/.agent/skills/mindforge-skill-creation/SKILL.md +2 -2
  74. package/.agent/skills/mindforge-stats/SKILL.md +2 -2
  75. package/.agent/skills/mindforge-swarm-execution/SKILL.md +2 -2
  76. package/.agent/skills/mindforge-system-architecture/SKILL.md +2 -2
  77. package/.agent/skills/mindforge-tdd/SKILL.md +2 -2
  78. package/.agent/skills/mindforge-tdd_extended/SKILL.md +2 -2
  79. package/.agent/skills/mindforge-thread/SKILL.md +2 -2
  80. package/.agent/skills/mindforge-ui-phase/SKILL.md +2 -2
  81. package/.agent/skills/mindforge-ui-review/SKILL.md +2 -2
  82. package/.agent/skills/mindforge-update/SKILL.md +2 -2
  83. package/.agent/skills/mindforge-validate-phase/SKILL.md +2 -2
  84. package/.agent/skills/mindforge-verify-work/SKILL.md +2 -2
  85. package/.agent/skills/mindforge-verify-work_extended/SKILL.md +2 -2
  86. package/.agent/skills/mindforge-workspace-isolated/SKILL.md +2 -2
  87. package/.agent/skills/mindforge-workstreams/SKILL.md +2 -2
  88. package/.claude/CLAUDE.md +13 -0
  89. package/.claude/commands/mindforge/add-backlog.md +2 -2
  90. package/.claude/commands/mindforge/agent-deploy.md +1 -1
  91. package/.claude/commands/mindforge/agent-design.md +1 -1
  92. package/.claude/commands/mindforge/agent.md +2 -2
  93. package/.claude/commands/mindforge/ai-cost.md +1 -1
  94. package/.claude/commands/mindforge/ai-safety.md +1 -1
  95. package/.claude/commands/mindforge/approve.md +1 -1
  96. package/.claude/commands/mindforge/audit.md +1 -1
  97. package/.claude/commands/mindforge/auto.md +1 -1
  98. package/.claude/commands/mindforge/benchmark.md +1 -1
  99. package/.claude/commands/mindforge/browse.md +1 -1
  100. package/.claude/commands/mindforge/build-opt.md +1 -1
  101. package/.claude/commands/mindforge/cache.md +1 -1
  102. package/.claude/commands/mindforge/causal.md +1 -1
  103. package/.claude/commands/mindforge/cdn.md +1 -1
  104. package/.claude/commands/mindforge/change.md +1 -1
  105. package/.claude/commands/mindforge/checkpoint.md +76 -0
  106. package/.claude/commands/mindforge/cli.md +1 -1
  107. package/.claude/commands/mindforge/cluster-instincts.md +1 -1
  108. package/.claude/commands/mindforge/communicate.md +1 -1
  109. package/.claude/commands/mindforge/complete-milestone.md +1 -1
  110. package/.claude/commands/mindforge/compliance.md +1 -1
  111. package/.claude/commands/mindforge/consult.md +1 -1
  112. package/.claude/commands/mindforge/contract-test.md +1 -1
  113. package/.claude/commands/mindforge/cost-report.md +1 -1
  114. package/.claude/commands/mindforge/costs.md +1 -1
  115. package/.claude/commands/mindforge/council.md +1 -1
  116. package/.claude/commands/mindforge/create-skill.md +1 -1
  117. package/.claude/commands/mindforge/cross-review.md +1 -1
  118. package/.claude/commands/mindforge/dashboard.md +1 -1
  119. package/.claude/commands/mindforge/data-mesh.md +1 -1
  120. package/.claude/commands/mindforge/data-pipeline.md +1 -1
  121. package/.claude/commands/mindforge/de-slop.md +1 -1
  122. package/.claude/commands/mindforge/debug.md +1 -1
  123. package/.claude/commands/mindforge/degrade.md +1 -1
  124. package/.claude/commands/mindforge/delegate.md +1 -1
  125. package/.claude/commands/mindforge/deploy.md +1 -1
  126. package/.claude/commands/mindforge/discuss-phase.md +1 -1
  127. package/.claude/commands/mindforge/dmux.md +1 -1
  128. package/.claude/commands/mindforge/do.md +2 -2
  129. package/.claude/commands/mindforge/ecommerce.md +1 -1
  130. package/.claude/commands/mindforge/edge.md +1 -1
  131. package/.claude/commands/mindforge/edtech.md +1 -1
  132. package/.claude/commands/mindforge/embeddings.md +1 -1
  133. package/.claude/commands/mindforge/environments.md +1 -1
  134. package/.claude/commands/mindforge/eval.md +1 -1
  135. package/.claude/commands/mindforge/events.md +1 -1
  136. package/.claude/commands/mindforge/evolve-skills.md +1 -1
  137. package/.claude/commands/mindforge/execute-phase.md +48 -7
  138. package/.claude/commands/mindforge/feature-flags.md +1 -1
  139. package/.claude/commands/mindforge/feature-store.md +1 -1
  140. package/.claude/commands/mindforge/finops.md +1 -1
  141. package/.claude/commands/mindforge/fintech.md +1 -1
  142. package/.claude/commands/mindforge/flutter.md +1 -1
  143. package/.claude/commands/mindforge/gaming.md +1 -1
  144. package/.claude/commands/mindforge/graphql.md +1 -1
  145. package/.claude/commands/mindforge/harness-audit.md +59 -0
  146. package/.claude/commands/mindforge/health.md +1 -1
  147. package/.claude/commands/mindforge/healthcare.md +1 -1
  148. package/.claude/commands/mindforge/help.md +1 -1
  149. package/.claude/commands/mindforge/hire.md +1 -1
  150. package/.claude/commands/mindforge/i18n.md +1 -1
  151. package/.claude/commands/mindforge/idempotent.md +1 -1
  152. package/.claude/commands/mindforge/init-org.md +1 -1
  153. package/.claude/commands/mindforge/init-project.md +1 -1
  154. package/.claude/commands/mindforge/install-skill.md +1 -1
  155. package/.claude/commands/mindforge/instinct.md +46 -0
  156. package/.claude/commands/mindforge/introspect.md +1 -1
  157. package/.claude/commands/mindforge/iot.md +1 -1
  158. package/.claude/commands/mindforge/knowledge-graph.md +1 -1
  159. package/.claude/commands/mindforge/lakehouse.md +1 -1
  160. package/.claude/commands/mindforge/lead.md +1 -1
  161. package/.claude/commands/mindforge/learn-instinct.md +1 -1
  162. package/.claude/commands/mindforge/learn.md +1 -1
  163. package/.claude/commands/mindforge/learning.md +1 -1
  164. package/.claude/commands/mindforge/llm-route.md +1 -1
  165. package/.claude/commands/mindforge/load-test.md +1 -1
  166. package/.claude/commands/mindforge/logistics.md +1 -1
  167. package/.claude/commands/mindforge/map-codebase.md +1 -1
  168. package/.claude/commands/mindforge/marketplace.md +1 -1
  169. package/.claude/commands/mindforge/meeting-design.md +1 -1
  170. package/.claude/commands/mindforge/metrics.md +1 -1
  171. package/.claude/commands/mindforge/migrate.md +1 -1
  172. package/.claude/commands/mindforge/migration-mgmt.md +1 -1
  173. package/.claude/commands/mindforge/milestone.md +1 -1
  174. package/.claude/commands/mindforge/mobile.md +1 -1
  175. package/.claude/commands/mindforge/monorepo.md +1 -1
  176. package/.claude/commands/mindforge/multi-tenant.md +1 -1
  177. package/.claude/commands/mindforge/multimodal.md +1 -1
  178. package/.claude/commands/mindforge/new-runtime.md +1 -1
  179. package/.claude/commands/mindforge/next.md +1 -1
  180. package/.claude/commands/mindforge/note.md +2 -2
  181. package/.claude/commands/mindforge/observability-platform.md +1 -1
  182. package/.claude/commands/mindforge/offline.md +1 -1
  183. package/.claude/commands/mindforge/onboard.md +1 -1
  184. package/.claude/commands/mindforge/orch-add-feature.md +43 -0
  185. package/.claude/commands/mindforge/orch-build-mvp.md +48 -0
  186. package/.claude/commands/mindforge/orch-change-feature.md +45 -0
  187. package/.claude/commands/mindforge/orch-fix-defect.md +43 -0
  188. package/.claude/commands/mindforge/orch-refine-code.md +43 -0
  189. package/.claude/commands/mindforge/plan-phase.md +1 -1
  190. package/.claude/commands/mindforge/plan-write.md +11 -0
  191. package/.claude/commands/mindforge/plant-seed.md +2 -2
  192. package/.claude/commands/mindforge/platform.md +1 -1
  193. package/.claude/commands/mindforge/plugins.md +1 -1
  194. package/.claude/commands/mindforge/pr-review.md +1 -1
  195. package/.claude/commands/mindforge/privacy-eng.md +1 -1
  196. package/.claude/commands/mindforge/product-spec.md +76 -0
  197. package/.claude/commands/mindforge/profile-team.md +1 -1
  198. package/.claude/commands/mindforge/publish-skill.md +1 -1
  199. package/.claude/commands/mindforge/push-notify.md +1 -1
  200. package/.claude/commands/mindforge/pwa.md +1 -1
  201. package/.claude/commands/mindforge/qa.md +1 -1
  202. package/.claude/commands/mindforge/quality-audit.md +1 -1
  203. package/.claude/commands/mindforge/queue.md +1 -1
  204. package/.claude/commands/mindforge/quick.md +1 -1
  205. package/.claude/commands/mindforge/rag.md +1 -1
  206. package/.claude/commands/mindforge/rate-limit.md +1 -1
  207. package/.claude/commands/mindforge/react-native.md +1 -1
  208. package/.claude/commands/mindforge/realtime-analytics.md +1 -1
  209. package/.claude/commands/mindforge/record-learning.md +1 -1
  210. package/.claude/commands/mindforge/release.md +1 -1
  211. package/.claude/commands/mindforge/remember.md +1 -1
  212. package/.claude/commands/mindforge/research.md +1 -1
  213. package/.claude/commands/mindforge/retrospective.md +1 -1
  214. package/.claude/commands/mindforge/review-backlog.md +2 -2
  215. package/.claude/commands/mindforge/review.md +1 -1
  216. package/.claude/commands/mindforge/rfc.md +1 -1
  217. package/.claude/commands/mindforge/santa.md +1 -1
  218. package/.claude/commands/mindforge/secrets-mgmt.md +1 -1
  219. package/.claude/commands/mindforge/secrets.md +1 -1
  220. package/.claude/commands/mindforge/security-scan.md +1 -1
  221. package/.claude/commands/mindforge/serverless.md +1 -1
  222. package/.claude/commands/mindforge/session-report.md +2 -2
  223. package/.claude/commands/mindforge/ship.md +1 -1
  224. package/.claude/commands/mindforge/skills.md +1 -1
  225. package/.claude/commands/mindforge/status.md +1 -1
  226. package/.claude/commands/mindforge/steer.md +1 -1
  227. package/.claude/commands/mindforge/stream.md +1 -1
  228. package/.claude/commands/mindforge/sync-confluence.md +1 -1
  229. package/.claude/commands/mindforge/sync-jira.md +1 -1
  230. package/.claude/commands/mindforge/tech-debt.md +1 -1
  231. package/.claude/commands/mindforge/threat-model.md +1 -1
  232. package/.claude/commands/mindforge/tokens.md +1 -1
  233. package/.claude/commands/mindforge/ui-phase.md +2 -2
  234. package/.claude/commands/mindforge/ui-review.md +2 -2
  235. package/.claude/commands/mindforge/update.md +1 -1
  236. package/.claude/commands/mindforge/validate-phase.md +2 -2
  237. package/.claude/commands/mindforge/verify-loop.md +1 -1
  238. package/.claude/commands/mindforge/verify-phase.md +1 -1
  239. package/.claude/commands/mindforge/vibe-check.md +1 -1
  240. package/.claude/commands/mindforge/workspace.md +1 -1
  241. package/.claude/commands/mindforge/workstreams.md +2 -2
  242. package/.claude/commands/mindforge/zero-trust.md +1 -1
  243. package/.mindforge/config.json +2 -2
  244. package/.mindforge/engine/instincts/instinct-schema.md +17 -9
  245. package/.mindforge/imported-agents.jsonl +10 -0
  246. package/.mindforge/manifests/install-components.json +36 -0
  247. package/.mindforge/manifests/install-modules.json +193 -0
  248. package/.mindforge/manifests/install-profiles.json +57 -0
  249. package/.mindforge/memory/sync-manifest.json +1 -1
  250. package/.mindforge/personas/gan-evaluator.md +226 -0
  251. package/.mindforge/personas/gan-generator.md +151 -0
  252. package/.mindforge/personas/gan-planner.md +118 -0
  253. package/.mindforge/personas/harness-optimizer.md +55 -0
  254. package/.mindforge/personas/loop-operator.md +58 -0
  255. package/.mindforge/schemas/hooks.schema.json +199 -0
  256. package/.mindforge/schemas/install-modules.schema.json +44 -0
  257. package/.mindforge/schemas/install-state.schema.json +95 -0
  258. package/.mindforge/schemas/plugin.schema.json +75 -0
  259. package/.mindforge/schemas/provenance.schema.json +31 -0
  260. package/.mindforge/skills/agent-architecture-audit/SKILL.md +272 -0
  261. package/.mindforge/skills/continuous-learning/SKILL.md +16 -0
  262. package/.mindforge/skills/orch-pipeline/SKILL.md +284 -0
  263. package/.mindforge/skills/writing-plans/SKILL.md +76 -0
  264. package/CHANGELOG.md +111 -0
  265. package/MINDFORGE.md +3 -3
  266. package/README.md +25 -3
  267. package/RELEASENOTES.md +131 -1
  268. package/SECURITY.md +16 -0
  269. package/bin/autonomous/auto-runner.js +46 -5
  270. package/bin/autonomous/handoff-schema.js +114 -0
  271. package/bin/autonomous/session-guardian.sh +138 -0
  272. package/bin/autonomous/supervisor.js +98 -0
  273. package/bin/change-classifier.js +19 -5
  274. package/bin/governance/approve.js +61 -28
  275. package/bin/governance/config-manager.js +3 -1
  276. package/bin/governance/rbac-manager.js +14 -6
  277. package/bin/harness-audit.js +520 -0
  278. package/bin/hooks/instinct-capture-hook.js +16 -1
  279. package/bin/hooks/lib/detect-project.js +72 -0
  280. package/bin/installer/harness-adapter-compliance.js +321 -0
  281. package/bin/installer/install-manifests.js +200 -0
  282. package/bin/installer/install-state.js +243 -0
  283. package/bin/installer-core.js +1 -1
  284. package/bin/learning/instinct-cli.js +359 -0
  285. package/bin/learning/lib/ssrf-guard.js +252 -0
  286. package/bin/memory/eis-client.js +31 -10
  287. package/bin/models/llm-errors.js +79 -0
  288. package/bin/models/model-client.js +39 -4
  289. package/bin/models/ollama-provider.js +115 -0
  290. package/bin/models/openai-provider.js +40 -9
  291. package/bin/models/profiles-loader.js +147 -0
  292. package/bin/models/provider-registry.js +59 -0
  293. package/bin/revops/market-evaluator.js +23 -2
  294. package/bin/revops/router-steering-v2.js +17 -2
  295. package/bin/security/trust-boundaries.js +15 -3
  296. package/bin/utils/readiness-gate.js +169 -0
  297. package/bin/worktree/engine.js +497 -0
  298. package/docs/getting-started.md +1 -1
  299. package/docs/troubleshooting.md +1 -1
  300. package/docs/user-guide.md +1 -1
  301. package/package.json +8 -2
  302. package/subagents/categories/01-core-development/.claude-plugin/plugin.json +2 -2
  303. package/subagents/categories/01-core-development/api-designer-cc.md +1 -1
  304. package/subagents/categories/01-core-development/backend-developer.md +1 -1
  305. package/subagents/categories/01-core-development/design-bridge.md +1 -1
  306. package/subagents/categories/01-core-development/electron-pro.md +1 -1
  307. package/subagents/categories/01-core-development/frontend-developer.md +1 -1
  308. package/subagents/categories/01-core-development/fullstack-developer.md +1 -1
  309. package/subagents/categories/01-core-development/graphql-architect.md +1 -1
  310. package/subagents/categories/01-core-development/microservices-architect.md +1 -1
  311. package/subagents/categories/01-core-development/mobile-developer.md +1 -1
  312. package/subagents/categories/01-core-development/ui-designer.md +1 -1
  313. package/subagents/categories/01-core-development/websocket-engineer.md +1 -1
  314. package/subagents/categories/02-language-specialists/.claude-plugin/plugin.json +2 -2
  315. package/subagents/categories/02-language-specialists/angular-architect.md +1 -1
  316. package/subagents/categories/02-language-specialists/cpp-pro.md +1 -1
  317. package/subagents/categories/02-language-specialists/csharp-developer.md +1 -1
  318. package/subagents/categories/02-language-specialists/django-developer.md +1 -1
  319. package/subagents/categories/02-language-specialists/dotnet-core-expert.md +1 -1
  320. package/subagents/categories/02-language-specialists/dotnet-framework-48-expert.md +1 -1
  321. package/subagents/categories/02-language-specialists/elixir-expert.md +1 -1
  322. package/subagents/categories/02-language-specialists/expo-react-native-expert.md +1 -1
  323. package/subagents/categories/02-language-specialists/fastapi-developer.md +1 -1
  324. package/subagents/categories/02-language-specialists/flutter-expert.md +1 -1
  325. package/subagents/categories/02-language-specialists/golang-pro.md +1 -1
  326. package/subagents/categories/02-language-specialists/java-architect.md +1 -1
  327. package/subagents/categories/02-language-specialists/javascript-pro.md +1 -1
  328. package/subagents/categories/02-language-specialists/kotlin-specialist.md +1 -1
  329. package/subagents/categories/02-language-specialists/laravel-specialist.md +1 -1
  330. package/subagents/categories/02-language-specialists/nextjs-developer.md +1 -1
  331. package/subagents/categories/02-language-specialists/node-specialist.md +1 -1
  332. package/subagents/categories/02-language-specialists/php-pro.md +1 -1
  333. package/subagents/categories/02-language-specialists/powershell-51-expert.md +1 -1
  334. package/subagents/categories/02-language-specialists/powershell-7-expert.md +1 -1
  335. package/subagents/categories/02-language-specialists/python-pro.md +1 -1
  336. package/subagents/categories/02-language-specialists/rails-expert.md +1 -1
  337. package/subagents/categories/02-language-specialists/react-specialist-cc.md +1 -1
  338. package/subagents/categories/02-language-specialists/rust-engineer.md +1 -1
  339. package/subagents/categories/02-language-specialists/spring-boot-engineer.md +1 -1
  340. package/subagents/categories/02-language-specialists/sql-pro.md +1 -1
  341. package/subagents/categories/02-language-specialists/swift-expert.md +1 -1
  342. package/subagents/categories/02-language-specialists/symfony-specialist.md +1 -1
  343. package/subagents/categories/02-language-specialists/typescript-pro.md +1 -1
  344. package/subagents/categories/02-language-specialists/vue-expert.md +1 -1
  345. package/subagents/categories/03-infrastructure/.claude-plugin/plugin.json +5 -5
  346. package/subagents/categories/03-infrastructure/azure-infra-engineer.md +1 -1
  347. package/subagents/categories/03-infrastructure/cloud-architect-cc.md +1 -1
  348. package/subagents/categories/03-infrastructure/database-administrator.md +1 -1
  349. package/subagents/categories/03-infrastructure/deployment-engineer.md +1 -1
  350. package/subagents/categories/03-infrastructure/devops-engineer-cc.md +1 -1
  351. package/subagents/categories/03-infrastructure/devops-incident-responder.md +1 -1
  352. package/subagents/categories/03-infrastructure/docker-expert.md +1 -1
  353. package/subagents/categories/03-infrastructure/incident-responder.md +1 -1
  354. package/subagents/categories/03-infrastructure/kubernetes-specialist.md +1 -1
  355. package/subagents/categories/03-infrastructure/network-engineer.md +1 -1
  356. package/subagents/categories/03-infrastructure/platform-engineer-cc.md +1 -1
  357. package/subagents/categories/03-infrastructure/security-engineer.md +1 -1
  358. package/subagents/categories/03-infrastructure/sre-engineer.md +1 -1
  359. package/subagents/categories/03-infrastructure/terraform-engineer.md +1 -1
  360. package/subagents/categories/03-infrastructure/terragrunt-expert.md +2 -2
  361. package/subagents/categories/03-infrastructure/windows-infra-admin.md +1 -1
  362. package/subagents/categories/04-quality-security/.claude-plugin/plugin.json +15 -5
  363. package/subagents/categories/04-quality-security/accessibility-tester-cc.md +1 -1
  364. package/subagents/categories/04-quality-security/ad-security-reviewer.md +1 -1
  365. package/subagents/categories/04-quality-security/ai-writing-auditor.md +1 -1
  366. package/subagents/categories/04-quality-security/architect-reviewer.md +1 -1
  367. package/subagents/categories/04-quality-security/chaos-engineer-cc.md +1 -1
  368. package/subagents/categories/04-quality-security/code-reviewer.md +1 -1
  369. package/subagents/categories/04-quality-security/compliance-auditor-cc.md +1 -1
  370. package/subagents/categories/04-quality-security/debugger-cc.md +1 -1
  371. package/subagents/categories/04-quality-security/error-detective.md +1 -1
  372. package/subagents/categories/04-quality-security/gdpr-ccpa-compliance.md +2 -2
  373. package/subagents/categories/04-quality-security/go-build-resolver.md +105 -0
  374. package/subagents/categories/04-quality-security/go-reviewer.md +87 -0
  375. package/subagents/categories/04-quality-security/penetration-tester.md +1 -1
  376. package/subagents/categories/04-quality-security/performance-engineer.md +1 -1
  377. package/subagents/categories/04-quality-security/powershell-security-hardening.md +1 -1
  378. package/subagents/categories/04-quality-security/python-reviewer.md +109 -0
  379. package/subagents/categories/04-quality-security/qa-expert.md +1 -1
  380. package/subagents/categories/04-quality-security/react-build-resolver.md +215 -0
  381. package/subagents/categories/04-quality-security/react-reviewer.md +167 -0
  382. package/subagents/categories/04-quality-security/rust-build-resolver.md +159 -0
  383. package/subagents/categories/04-quality-security/rust-reviewer.md +105 -0
  384. package/subagents/categories/04-quality-security/security-auditor.md +1 -1
  385. package/subagents/categories/04-quality-security/silent-failure-hunter.md +67 -0
  386. package/subagents/categories/04-quality-security/test-automator.md +1 -1
  387. package/subagents/categories/04-quality-security/type-design-analyzer.md +58 -0
  388. package/subagents/categories/04-quality-security/typescript-reviewer.md +126 -0
  389. package/subagents/categories/04-quality-security/ui-ux-tester.md +1 -1
  390. package/subagents/categories/05-data-ai/.claude-plugin/plugin.json +4 -4
  391. package/subagents/categories/05-data-ai/ai-engineer.md +1 -1
  392. package/subagents/categories/05-data-ai/data-analyst.md +1 -1
  393. package/subagents/categories/05-data-ai/data-engineer-cc.md +1 -1
  394. package/subagents/categories/05-data-ai/data-scientist.md +1 -1
  395. package/subagents/categories/05-data-ai/database-optimizer.md +1 -1
  396. package/subagents/categories/05-data-ai/llm-architect.md +1 -1
  397. package/subagents/categories/05-data-ai/machine-learning-engineer.md +1 -1
  398. package/subagents/categories/05-data-ai/ml-engineer-cc.md +1 -1
  399. package/subagents/categories/05-data-ai/mlops-engineer.md +1 -1
  400. package/subagents/categories/05-data-ai/nlp-engineer.md +1 -1
  401. package/subagents/categories/05-data-ai/postgres-pro.md +1 -1
  402. package/subagents/categories/05-data-ai/prompt-engineer-cc.md +1 -1
  403. package/subagents/categories/05-data-ai/reinforcement-learning-engineer.md +1 -1
  404. package/subagents/categories/06-developer-experience/.claude-plugin/plugin.json +2 -2
  405. package/subagents/categories/06-developer-experience/build-engineer-cc.md +1 -1
  406. package/subagents/categories/06-developer-experience/cli-developer.md +1 -1
  407. package/subagents/categories/06-developer-experience/dependency-manager.md +1 -1
  408. package/subagents/categories/06-developer-experience/documentation-engineer.md +1 -1
  409. package/subagents/categories/06-developer-experience/dx-optimizer.md +1 -1
  410. package/subagents/categories/06-developer-experience/git-workflow-manager.md +1 -1
  411. package/subagents/categories/06-developer-experience/legacy-modernizer.md +1 -1
  412. package/subagents/categories/06-developer-experience/mcp-developer.md +1 -1
  413. package/subagents/categories/06-developer-experience/powershell-module-architect.md +1 -1
  414. package/subagents/categories/06-developer-experience/powershell-ui-architect.md +1 -1
  415. package/subagents/categories/06-developer-experience/readme-generator.md +1 -1
  416. package/subagents/categories/06-developer-experience/refactoring-specialist.md +1 -1
  417. package/subagents/categories/06-developer-experience/slack-expert.md +1 -1
  418. package/subagents/categories/06-developer-experience/tooling-engineer.md +1 -1
  419. package/subagents/categories/06-developer-experience/visual-asset-generator.md +1 -1
  420. package/subagents/categories/07-specialized-domains/.claude-plugin/plugin.json +2 -2
  421. package/subagents/categories/07-specialized-domains/api-documenter.md +1 -1
  422. package/subagents/categories/07-specialized-domains/blockchain-developer.md +1 -1
  423. package/subagents/categories/07-specialized-domains/embedded-systems.md +1 -1
  424. package/subagents/categories/07-specialized-domains/fintech-engineer.md +1 -1
  425. package/subagents/categories/07-specialized-domains/game-developer.md +1 -1
  426. package/subagents/categories/07-specialized-domains/healthcare-admin.md +1 -1
  427. package/subagents/categories/07-specialized-domains/hipaa-compliance.md +2 -2
  428. package/subagents/categories/07-specialized-domains/iot-engineer.md +1 -1
  429. package/subagents/categories/07-specialized-domains/m365-admin.md +1 -1
  430. package/subagents/categories/07-specialized-domains/mobile-app-developer.md +1 -1
  431. package/subagents/categories/07-specialized-domains/payment-integration.md +1 -1
  432. package/subagents/categories/07-specialized-domains/quant-analyst.md +1 -1
  433. package/subagents/categories/07-specialized-domains/risk-manager.md +1 -1
  434. package/subagents/categories/07-specialized-domains/seo-specialist-cc.md +1 -1
  435. package/subagents/categories/08-business-product/.claude-plugin/plugin.json +3 -3
  436. package/subagents/categories/08-business-product/assumption-mapping.md +2 -2
  437. package/subagents/categories/08-business-product/backlog-grooming.md +2 -2
  438. package/subagents/categories/08-business-product/business-analyst-cc.md +1 -1
  439. package/subagents/categories/08-business-product/content-marketer.md +1 -1
  440. package/subagents/categories/08-business-product/content-quality-editor.md +1 -1
  441. package/subagents/categories/08-business-product/customer-success-manager.md +1 -1
  442. package/subagents/categories/08-business-product/growth-loops.md +2 -2
  443. package/subagents/categories/08-business-product/legal-advisor.md +1 -1
  444. package/subagents/categories/08-business-product/license-engineer.md +1 -1
  445. package/subagents/categories/08-business-product/product-manager-cc.md +1 -1
  446. package/subagents/categories/08-business-product/project-manager.md +1 -1
  447. package/subagents/categories/08-business-product/sales-engineer.md +1 -1
  448. package/subagents/categories/08-business-product/scrum-master.md +1 -1
  449. package/subagents/categories/08-business-product/technical-writer.md +1 -1
  450. package/subagents/categories/08-business-product/ux-researcher.md +1 -1
  451. package/subagents/categories/08-business-product/wordpress-master.md +1 -1
  452. package/subagents/categories/09-meta-orchestration/.claude-plugin/plugin.json +1 -1
  453. package/subagents/categories/09-meta-orchestration/agent-installer.md +1 -1
  454. package/subagents/categories/09-meta-orchestration/agent-organizer.md +1 -1
  455. package/subagents/categories/09-meta-orchestration/codebase-orchestrator.md +1 -1
  456. package/subagents/categories/09-meta-orchestration/context-manager.md +1 -1
  457. package/subagents/categories/09-meta-orchestration/error-coordinator.md +1 -1
  458. package/subagents/categories/09-meta-orchestration/it-ops-orchestrator.md +1 -1
  459. package/subagents/categories/09-meta-orchestration/knowledge-synthesizer.md +1 -1
  460. package/subagents/categories/09-meta-orchestration/multi-agent-coordinator.md +1 -1
  461. package/subagents/categories/09-meta-orchestration/performance-monitor.md +1 -1
  462. package/subagents/categories/09-meta-orchestration/task-distributor.md +1 -1
  463. package/subagents/categories/09-meta-orchestration/workflow-orchestrator.md +1 -1
  464. package/subagents/categories/10-research-analysis/.claude-plugin/plugin.json +1 -1
  465. package/subagents/categories/10-research-analysis/ab-test-analysis.md +2 -2
  466. package/subagents/categories/10-research-analysis/cohort-analysis.md +2 -2
  467. package/subagents/categories/10-research-analysis/competitive-analyst.md +1 -1
  468. package/subagents/categories/10-research-analysis/data-researcher.md +1 -1
  469. package/subagents/categories/10-research-analysis/first-principles-thinking.md +2 -2
  470. package/subagents/categories/10-research-analysis/market-researcher.md +1 -1
  471. package/subagents/categories/10-research-analysis/project-idea-validator.md +1 -1
  472. package/subagents/categories/10-research-analysis/research-analyst.md +1 -1
  473. package/subagents/categories/10-research-analysis/scientific-literature-researcher.md +1 -1
  474. package/subagents/categories/10-research-analysis/search-specialist.md +1 -1
  475. package/subagents/categories/10-research-analysis/trend-analyst.md +1 -1
@@ -0,0 +1,98 @@
1
+ 'use strict';
2
+
3
+ /**
4
+ * MindForge — Autonomous session supervisor (PID-liveness crash recovery).
5
+ *
6
+ * Adapted from ECC's Rust session daemon (ecc2/src/session/daemon.rs). Ports
7
+ * ONLY the two pure, high-value functions — NOT the tokio daemon or ECC's
8
+ * dispatch/merge/rebalance machinery (which overlaps MindForge's existing
9
+ * task-dispatcher / wave-executor / mesh-self-healer):
10
+ *
11
+ * 1. pidIsAlive(pid) — process.kill(pid, 0): ESRCH=dead, EPERM=alive.
12
+ * 2. resumeCrashedSessions — sweep sessions left "running" whose pid is dead
13
+ * and mark them "failed" (stale-pid recovery).
14
+ *
15
+ * Plus a heartbeat() that stamps auto-state.json so a supervisor can detect a
16
+ * wedged/abandoned session. Layered OVER state-manager.js — it does not replace
17
+ * it. Default-inert: nothing runs unless explicitly invoked.
18
+ */
19
+
20
+ const SUPERVISOR_STATUSES = ['idle', 'running', 'paused', 'completed', 'escalated', 'timeout', 'failed'];
21
+
22
+ /**
23
+ * Probe whether a process is alive. Cross-platform via Node's process.kill with
24
+ * signal 0 (no signal delivered — existence check only):
25
+ * - kill succeeds -> alive
26
+ * - throws EPERM -> alive (exists, owned by another user)
27
+ * - throws ESRCH (or other) -> dead
28
+ * A null/0/invalid pid is treated as dead.
29
+ */
30
+ function pidIsAlive(pid) {
31
+ const n = Number(pid);
32
+ if (!Number.isInteger(n) || n <= 0) return false;
33
+ try {
34
+ process.kill(n, 0);
35
+ return true;
36
+ } catch (err) {
37
+ return err && err.code === 'EPERM';
38
+ }
39
+ }
40
+
41
+ /**
42
+ * Sweep a sessions list and mark any that are "running" with a dead pid as
43
+ * "failed". Pure over its inputs: takes the sessions array + an isAlive probe
44
+ * (injectable for tests, matching ECC's resume_crashed_sessions_with) and
45
+ * returns { failed: [...ids], sessions: [...updated] } without side effects.
46
+ *
47
+ * @param {Array<{id:string,status:string,pid?:number}>} sessions
48
+ * @param {(pid:number)=>boolean} [isAlive] defaults to pidIsAlive
49
+ */
50
+ function resumeCrashedSessions(sessions, isAlive = pidIsAlive) {
51
+ const failed = [];
52
+ const updated = (Array.isArray(sessions) ? sessions : []).map(session => {
53
+ if (session.status !== 'running') return session;
54
+ if (session.pid != null && isAlive(session.pid)) return session;
55
+ failed.push(session.id);
56
+ // Immutable: new object with failed status, pid cleared.
57
+ return Object.assign({}, session, { status: 'failed', pid: null });
58
+ });
59
+ return { failed, sessions: updated };
60
+ }
61
+
62
+ /**
63
+ * Stamp a heartbeat onto auto-state.json via a state manager. A supervisor in a
64
+ * separate process can compare heartbeatAt against now to detect a stalled loop
65
+ * (pairs with bin/autonomous/session-guardian.sh + loop-operator escalation).
66
+ *
67
+ * @param {{updateState:Function}} stateManager from createStateManager(planningDir)
68
+ * @param {number} [pid] the live worker pid to record (defaults to current pid)
69
+ */
70
+ function heartbeat(stateManager, pid = process.pid) {
71
+ return stateManager.updateState({
72
+ pid,
73
+ heartbeatAt: new Date().toISOString(),
74
+ });
75
+ }
76
+
77
+ /**
78
+ * Recover a single state file: if it shows status "running" with a dead pid,
79
+ * transition it to "failed". Returns true if a recovery was applied.
80
+ *
81
+ * @param {{getState:Function,updateState:Function}} stateManager
82
+ * @param {(pid:number)=>boolean} [isAlive]
83
+ */
84
+ function recoverState(stateManager, isAlive = pidIsAlive) {
85
+ const state = stateManager.getState();
86
+ if (state.status !== 'running') return false;
87
+ if (state.pid != null && isAlive(state.pid)) return false;
88
+ stateManager.updateState({ status: 'failed', pid: null, failedAt: new Date().toISOString() });
89
+ return true;
90
+ }
91
+
92
+ module.exports = {
93
+ SUPERVISOR_STATUSES,
94
+ pidIsAlive,
95
+ resumeCrashedSessions,
96
+ heartbeat,
97
+ recoverState,
98
+ };
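Review bot: `recoverState` and `resumeCrashedSessions` treat any live pid as proof that the session is still running, so a crashed worker whose pid has since been reused by an unrelated process, or a worker that is wedged but not dead, stays "running" indefinitely. `heartbeat()` already stamps `heartbeatAt`, but neither recovery function reads it; consider also failing a session whose `heartbeatAt` is older than a caller-supplied threshold. Above `pidIsAlive`, a comment such as `// A live pid only proves some process holds that id, not that it is this session's worker.` would document the limit. Separately, `pidIsAlive` returns a non-boolean when the thrown value is falsy; `return Boolean(err && err.code === 'EPERM');` keeps the documented boolean contract.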
@@ -31,10 +31,21 @@ const SENSITIVE_PATTERNS = [
31
31
 
32
32
  function classify() {
33
33
  try {
34
- // Get list of changed files compared to origin/main or HEAD~1
34
+ // Get list of changed files compared to origin/<base> or HEAD~1.
35
+ // Three-dot (...) diffs against the MERGE-BASE, so on a PR branch that is behind its base
36
+ // we see ONLY this branch's own changes — not unrelated commits already on the base.
37
+ // (Two-dot here caused Tier-3 false positives by pulling in base-only changes.)
35
38
  const base = process.env.GITHUB_BASE_REF ? `origin/${process.env.GITHUB_BASE_REF}` : 'HEAD~1';
36
- const diffFiles = execFileSync('git', ['diff', '--name-only', `${base}..HEAD`], { encoding: 'utf8' }).split('\n').filter(Boolean);
37
-
39
+ const range = process.env.GITHUB_BASE_REF ? `${base}...HEAD` : `${base}..HEAD`;
40
+ const diffFiles = execFileSync('git', ['diff', '--name-only', range], { encoding: 'utf8' }).split('\n').filter(Boolean);
41
+
42
+ // Test and documentation files are excluded from the sensitive-PATTERN scan below: a test
43
+ // asserting on "password"/key patterns, or a doc mentioning secrets, is not a sensitive
44
+ // change and must not trip Tier 3. (Path-based detection still covers genuinely sensitive
45
+ // source paths.) This is the fix for test-only PRs being misclassified as Tier 3.
46
+ const isTestOrDoc = (f) =>
47
+ /(^|\/)(tests?|__tests__|docs)\//.test(f) || /\.(test|spec)\.[cm]?[jt]s$/.test(f) || f.endsWith('.md');
48
+
38
49
  let tier = 1;
39
50
  let reasons = [];
40
51
 
@@ -45,9 +56,12 @@ function classify() {
45
56
  reasons.push(`Sensitive path modified: ${matchedPath}`);
46
57
  }
47
58
 
48
- // 2. Pattern-based detection in diff (Tier 3)
59
+ // 2. Pattern-based detection in diff (Tier 3) — non-test/doc files only
49
60
  if (tier < 3) {
50
- const diffContent = execFileSync('git', ['diff', `${base}..HEAD`], { encoding: 'utf8' });
61
+ const scanFiles = diffFiles.filter(f => !isTestOrDoc(f));
62
+ const diffContent = scanFiles.length
63
+ ? execFileSync('git', ['diff', range, '--', ...scanFiles], { encoding: 'utf8' })
64
+ : '';
51
65
  for (const pattern of SENSITIVE_PATTERNS) {
52
66
  if (pattern.test(diffContent)) {
53
67
  tier = 3;
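Review bot: `isTestOrDoc` in the first hunk exempts files from the Tier 3 pattern scan purely by path, and the path is chosen by the author of the change being classified. Anything under a directory named `test`, `tests`, `__tests__` or `docs` at any depth, and every `.md` file, is never matched against `SENSITIVE_PATTERNS`. For a governance gate that is a wide exemption; consider anchoring the exclusion to the repository's known test and docs roots instead of `(^|\/)`, and logging the skipped files so a reviewer can see what was not scanned. The three-dot range also needs the merge base to be present locally, so a shallow CI checkout could make `git diff` fail. How that failure is classified depends on the `catch` of `classify()`, which lies outside these hunks.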
@@ -12,14 +12,9 @@ const os = require('os');
12
12
  const crypto = require('crypto');
13
13
  const { execFileSync } = require('child_process');
14
14
 
15
- const REASON = process.argv[2] || 'Manual approval for sensitive changes.';
16
15
  const ROOT = path.resolve(__dirname, '../../');
17
16
  const APPROVALS_DIR = path.join(ROOT, '.planning/approvals');
18
17
 
19
- if (!fs.existsSync(APPROVALS_DIR)) {
20
- fs.mkdirSync(APPROVALS_DIR, { recursive: true });
21
- }
22
-
23
18
  /**
24
19
  * Attempts to retrieve the GPG signing key configured in git.
25
20
  * Returns null if no key is configured or git is unavailable.
@@ -34,35 +29,65 @@ function getGPGSigningKey() {
34
29
  }
35
30
 
36
31
  /**
37
- * Verifies the identity of the approver using GPG if available.
38
- * Falls back to git identity only (with warning) if no GPG key is configured.
32
+ * Verifies the identity of the approver using GPG.
33
+ *
34
+ * FAIL-CLOSED (Wave 6): a Tier 3 approval is a security gate. If no GPG signing
35
+ * key is configured, identity cannot be cryptographically attributed — git
36
+ * identity comes from spoofable env (USER / git config), so it is NOT a
37
+ * verification. We therefore REFUSE to mint an approval unless the operator
38
+ * explicitly opts into the weaker git-identity mode via
39
+ * MINDFORGE_ALLOW_UNVERIFIED_APPROVAL=1 (audited as unverified). Previously this
40
+ * returned {verified:false} but the record was written anyway and no consumer
41
+ * checked the flag — a cosmetic gate.
42
+ *
39
43
  * @param {string} approver - The approver identity string
44
+ * @returns {{verified:boolean, method:string, identity:string, keyId?:string}}
45
+ * @throws if no GPG key AND the unverified-approval opt-in is not set.
40
46
  */
41
47
  function verifyApproverIdentity(approver) {
42
48
  const gpgKey = getGPGSigningKey();
43
49
 
44
50
  if (!gpgKey) {
45
- console.warn('[GOVERNANCE] No GPG signing key configured — approval accepted with git identity only');
46
- return { verified: false, method: 'git_identity', identity: approver };
51
+ const allowUnverified = process.env.MINDFORGE_ALLOW_UNVERIFIED_APPROVAL === '1';
52
+ if (!allowUnverified) {
53
+ throw new Error(
54
+ 'No GPG signing key configured (git config user.signingkey is empty). ' +
55
+ 'A Tier 3 approval requires a verifiable identity. Either configure GPG signing, ' +
56
+ 'or explicitly accept an UNVERIFIED approval by setting ' +
57
+ 'MINDFORGE_ALLOW_UNVERIFIED_APPROVAL=1 (the record will be marked verified:false).'
58
+ );
59
+ }
60
+ console.warn('[GOVERNANCE] No GPG key — minting an UNVERIFIED approval (MINDFORGE_ALLOW_UNVERIFIED_APPROVAL=1). ' +
61
+ 'git identity is spoofable; this approval is NOT cryptographically attributed.');
62
+ return { verified: false, method: 'git_identity_unverified', identity: approver };
47
63
  }
48
64
 
49
65
  return { verified: true, method: 'gpg_key', identity: approver, keyId: gpgKey };
50
66
  }
51
67
 
52
- async function approve() {
53
- const pkgPath = path.join(ROOT, 'package.json');
54
- const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
68
+ /**
69
+ * Mint a Tier 3 approval record. Throws (fail-closed) if identity cannot be
70
+ * verified and the unverified-approval opt-in is not set — the record is NOT
71
+ * written in that case.
72
+ * @param {{reason?:string, approvalsDir?:string, root?:string}} [opts]
73
+ * @returns {{filePath:string, record:object}}
74
+ */
75
+ function approve(opts = {}) {
76
+ const reason = opts.reason || 'Manual approval for sensitive changes.';
77
+ const root = opts.root || ROOT;
78
+ const approvalsDir = opts.approvalsDir || APPROVALS_DIR;
79
+
80
+ const pkg = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));
55
81
 
56
82
  const id = `MF-AUTH-${Date.now().toString(36).toUpperCase()}`;
57
83
  const timestamp = new Date().toISOString();
58
84
  const approver = process.env.USER || 'MindForge User';
59
85
 
60
- // Verify approver identity (GPG if available, git identity fallback)
86
+ // Verify approver identity THROWS fail-closed if unverifiable (before any write).
61
87
  const identityVerification = verifyApproverIdentity(approver);
62
88
 
63
- // Calculate a signature based on current state
64
89
  const signature = crypto.createHash('sha256')
65
- .update(`${id}:${REASON}:${timestamp}:${os.hostname()}`)
90
+ .update(`${id}:${reason}:${timestamp}:${os.hostname()}`)
66
91
  .digest('hex');
67
92
 
68
93
  const record = {
@@ -72,25 +97,33 @@ async function approve() {
72
97
  tier: 3,
73
98
  approved_by: approver,
74
99
  timestamp,
75
- reason: REASON,
100
+ reason,
76
101
  signature: `sha256:${signature}`,
77
102
  identity_verification: identityVerification
78
103
  };
79
104
 
105
+ if (!fs.existsSync(approvalsDir)) fs.mkdirSync(approvalsDir, { recursive: true });
80
106
  const filename = `approval-${id.toLowerCase()}.json`;
81
- const filePath = path.join(APPROVALS_DIR, filename);
82
-
107
+ const filePath = path.join(approvalsDir, filename);
83
108
  fs.writeFileSync(filePath, JSON.stringify(record, null, 2));
84
109
 
85
- console.log('\n✅ Governance approval generated!\n');
86
- console.log(`ID: ${id}`);
87
- console.log(`Reason: ${REASON}`);
88
- console.log(`Verified: ${identityVerification.verified ? 'GPG (' + identityVerification.keyId + ')' : 'git identity only (no GPG key)'}`);
89
- console.log(`File: .planning/approvals/${filename}`);
90
- console.log('\nCommit this file to unblock Tier 3 gates in CI.\n');
110
+ return { filePath, record, filename };
91
111
  }
92
112
 
93
- approve().catch(err => {
94
- console.error(`❌ Approval failed: ${err.message}`);
95
- process.exit(1);
96
- });
113
+ module.exports = { verifyApproverIdentity, getGPGSigningKey, approve };
114
+
115
+ if (require.main === module) {
116
+ try {
117
+ const { filename, record } = approve({ reason: process.argv[2] });
118
+ const iv = record.identity_verification;
119
+ console.log('\n✅ Governance approval generated!\n');
120
+ console.log(`ID: ${record.id}`);
121
+ console.log(`Reason: ${record.reason}`);
122
+ console.log(`Verified: ${iv.verified ? 'GPG (' + iv.keyId + ')' : 'git identity only — UNVERIFIED'}`);
123
+ console.log(`File: .planning/approvals/${filename}`);
124
+ console.log('\nCommit this file to unblock Tier 3 gates in CI.\n');
125
+ } catch (err) {
126
+ console.error(`❌ Approval failed: ${err.message}`);
127
+ process.exit(1);
128
+ }
129
+ }
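Review bot: `verifyApproverIdentity` returns `verified: true, method: 'gpg_key'` as soon as `getGPGSigningKey()` yields a value, but nothing in `approve()` signs the record with that key: the `signature` field is an unkeyed SHA-256 over `id:reason:timestamp:hostname`, which anyone who can read the record can recompute. If `getGPGSigningKey()` only reads the configured key id (its body is outside these hunks, though its doc comment suggests so), the fail-closed check proves that a `user.signingkey` value is set, not that the approver holds the private key. Consider producing a detached GPG signature over the serialized record and having the CI consumer verify it, or until then naming the method something like `gpg_key_configured` so the record does not overstate the assurance. The `@returns` of `approve` should also list `filename`, which the function returns and the CLI block reads.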
@@ -21,7 +21,9 @@ class ConfigManager {
21
21
  if (fs.existsSync(this.configPath)) {
22
22
  const raw = fs.readFileSync(this.configPath, 'utf8');
23
23
  this.config = JSON.parse(raw);
24
- console.log(`[ConfigManager] Loaded configuration from ${this.configPath}`);
24
+ // Diagnostic goes to stderr (not stdout) so it never pollutes JSON that a
25
+ // consumer parses from this process's stdout. Matches the warn/error lines below.
26
+ console.error(`[ConfigManager] Loaded configuration from ${this.configPath}`);
25
27
  } else {
26
28
  console.warn(`[ConfigManager] Config file not found at ${this.configPath}. Using defaults.`);
27
29
  this.config = { env: 'default' };
@@ -40,18 +40,26 @@ class RBACManager {
40
40
  }
41
41
 
42
42
  /**
43
- * [HARDEN] Dynamically binds roles based on ZTAI trust tiers if no explicit role exists.
44
- * Ensures high-trust agents automatically get architect-level visibility.
43
+ * [HARDEN] Dynamically binds roles based on ZTAI trust tiers on top of the
44
+ * agent's explicit/default roles. High-trust agents automatically gain
45
+ * architect-level visibility.
46
+ *
47
+ * ztai-manager is a SINGLETON instance (not a constructor), and exposes no
48
+ * getIdentity(); the agent's tier lives in the trust registry, read via
49
+ * getAgent(did). Fails SAFE: an unregistered/unknown DID has no resolvable
50
+ * tier, so it receives only its base roles (no tier-based elevation) rather
51
+ * than throwing. (Wave 6: the previous `new ztai().getIdentity()` threw on
52
+ * every call — "ztai is not a constructor".)
45
53
  */
46
54
  async getRolesByTier(did) {
47
- const manager = new ztai();
48
- const identity = await manager.getIdentity();
49
55
  const explicit = this.getRoles(did);
56
+ const agent = ztai.getAgent(did);
57
+ const tier = agent && typeof agent.tier === 'number' ? agent.tier : 0;
50
58
 
51
- if (identity.tier >= 3) {
59
+ if (tier >= 3) {
52
60
  return [...new Set([...explicit, 'lead-architect'])];
53
61
  }
54
- if (identity.tier >= 2) {
62
+ if (tier >= 2) {
55
63
  return [...new Set([...explicit, 'developer'])];
56
64
  }
57
65
  return explicit;
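Review bot: The new doc comment on `getRolesByTier` promises a fail-safe result "rather than throwing", but that holds only if `ztai.getAgent(did)` returns a nullish value for an unknown or malformed DID. `getAgent` is not visible here, and if it throws, the role lookup still rejects. Because this function grants `lead-architect` from a registry value, it would help to accept only integer tiers, e.g. `const tier = agent && Number.isInteger(agent.tier) ? agent.tier : 0;`, and to log when a DID resolves to no agent so a registry problem is visible rather than a silent drop to base roles. The method no longer awaits anything, so a one-line comment that `async` is kept for caller compatibility would prevent a later cleanup from changing the return type. The method's closing brace is outside the hunk.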