mindforge-cc 4.3.0 → 5.0.0

package/bin/autonomous/context-refactorer.js

@@ -0,0 +1,64 @@
+/**
+ * MindForge — Context Refactorer Engine (v5.0.0-PAR)
+ * Monitors context density and triggers proactive summarization/refactoring.
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+class ContextRefactorer {
+  constructor(options = {}) {
+    this.threshold = options.threshold || 0.3; // Min density before refactor
+    this.windowSize = options.windowSize || 20;
+    this.history = [];
+  }
+
+  /**
+   * Analyze the current context density.
+   * Density = (Implementation Events) / (Total Events)
+   */
+  analyzeDensity(events) {
+    this.history = events.slice(-this.windowSize);
+    
+    if (this.history.length < 5) return { density: 1.0, shouldRefactor: false };
+
+    const implementationEvents = this.history.filter(h => 
+      h.tool === 'run_command' || 
+      h.tool === 'replace_file_content' || 
+      h.tool === 'multi_replace_file_content' ||
+      h.event === 'task_completed'
+    );
+
+    const totalEvents = this.history.length;
+    const density = implementationEvents.length / totalEvents;
+
+    return {
+      density: parseFloat(density.toFixed(2)),
+      shouldRefactor: density < this.threshold
+    };
+  }
+
+  /**
+   * Generates a "Context Refactor" recommendation.
+   */
+  generateRefactorPlan(events, phase) {
+    const reasoningChain = events
+      .filter(e => e.event === 'reasoning_trace')
+      .map(e => `- ${e.thought}`)
+      .join('\n');
+
+    return {
+      event: 'context_refactor_triggered',
+      phase,
+      message: 'Context density low. Initiating proactive refactoring.',
+      action: 'SUMMARIZE_AND_RESET',
+      payload: {
+        summary_prompt: `The current reasoning chain has become dense (${this.threshold}). Summarize the progress for Phase ${phase} and reset the active context window.`,
+        trace_sample: reasoningChain.slice(-500) // Last few thoughts for context
+      }
+    };
+  }
+}
+
+module.exports = ContextRefactorer;

package/bin/autonomous/steer.js

@@ -64,8 +64,26 @@ function injectSteering(planContent, guidanceItems) {
   });
 }
 
+/**
+ * Add human steering to the unified queue (v5 Pillar VII).
+ */
+function pushHumanSteering(instruction, bundleId = 'none') {
+  const STEER_PATH = path.join(process.cwd(), '.planning', 'STEER.json');
+  const item = {
+    id: `human-${Date.now()}`,
+    timestamp: new Date().toISOString(),
+    bundle_id: bundleId,
+    type: 'HUMAN_OVERRIDE',
+    instruction,
+    priority: 'CRITICAL'
+  };
+  fs.appendFileSync(STEER_PATH, JSON.stringify(item) + '\n');
+  return item.id;
+}
+
 module.exports = {
   pushGuidance,
   popGuidance,
-  injectSteering
+  injectSteering,
+  pushHumanSteering
 };

package/bin/autonomous/stuck-monitor.js

@@ -26,9 +26,52 @@ class StuckMonitor {
     // Check S02: Command Loop (Identical failing commands)
     if (this.detectS02(event)) return { pattern: 'S02', message: 'Stuck in command loop: identical failing commands.' };
 
+    // Check S03: Semantic Mirroring (Reasoning Loop)
+    if (this.detectS03(event)) return { pattern: 'S03', message: 'Stuck in reasoning loop: semantic mirroring detected.' };
+
+    // Check S04: Infinite Decomposition (Planning Paradox)
+    if (this.detectS04(event)) return { pattern: 'S04', message: 'Stuck in planning paradox: infinite decomposition detected.' };
+
     return null;
   }
 
+  detectS03(event) {
+    if (event.event !== 'reasoning_trace') return false;
+
+    // Compare with the last 5 thoughts in history
+    const reflections = this.history.filter(h => h.event === 'reasoning_trace');
+    if (reflections.length < 3) return false;
+
+    const currentThought = event.thought;
+    const previousThoughts = reflections.slice(-4, -1);
+
+    const isMirroring = previousThoughts.some(p => 
+      this.isContentSimilar(p.thought, currentThought)
+    );
+
+    return isMirroring;
+  }
+
+  detectS04(event) {
+    if (event.event !== 'reasoning_trace') return false;
+
+    const decompositions = this.history.filter(h => 
+      h.event === 'reasoning_trace' && 
+      (h.thought?.toLowerCase().includes('break down') || h.thought?.toLowerCase().includes('sub-task'))
+    );
+
+    // If more than 4 consecutive decompositions without a command or edit
+    const lastActionIndex = this.history.findLastIndex(h => 
+      h.tool === 'run_command' || h.tool === 'replace_file_content' || h.tool === 'multi_replace_file_content'
+    );
+
+    const recentDecomps = decompositions.filter(d => 
+      this.history.indexOf(d) > lastActionIndex
+    );
+
+    return recentDecomps.length >= 4;
+  }
+
   detectS01(event) {
     if (event.tool !== 'multi_replace_file_content') return false;
 

package/bin/engine/handover-manager.js

@@ -0,0 +1,69 @@
+/**
+ * MindForge — HandoverManager (Pillar VII: Dynamic Human-Agent Handover)
+ * Packages Nexus State Bundles for bidirectional steering and human escalation.
+ */
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+class HandoverManager {
+  constructor(config = {}) {
+    this.handoffPath = path.join(process.cwd(), '.planning', 'handoffs');
+  }
+
+  /**
+   * Packages a Nexus State Bundle for human review.
+   * @param {Object} state - Current execution state (audit, memory, goals)
+   * @returns {string} - Path to the state bundle.
+   */
+  createNexusBundle(state) {
+    if (!fs.existsSync(this.handoffPath)) {
+      fs.mkdirSync(this.handoffPath, { recursive: true });
+    }
+
+    const bundleId = `bundle_${crypto.randomBytes(6).toString('hex')}`;
+    const bundle = {
+      id: bundleId,
+      timestamp: new Date().toISOString(),
+      version: '5.0.0-nexus',
+      context: {
+        phase: state.phase,
+        wave: state.wave,
+        last_events: state.recentEvents,
+        memory_shards: state.memoryShards || []
+      },
+      reasoning_snapshot: state.reasoningTrace,
+      steering_requirements: state.blocks || []
+    };
+
+    const bundlePath = path.join(this.handoffPath, `${bundleId}.json`);
+    fs.writeFileSync(bundlePath, JSON.stringify(bundle, null, 2));
+
+    console.log(`[DHH-BUNDLE] Nexus State Bundle packaged: ${bundlePath}`);
+    return bundlePath;
+  }
+
+  /**
+   * Injects human steering into the agentic flow.
+   * @param {string} bundleId - The bundle being steered.
+   * @param {Object} steeringRequest - Human instructions/overrides.
+   */
+  injectSteering(bundleId, steeringRequest) {
+    const steerPath = path.join(process.cwd(), '.planning', 'STEER.json');
+    const instruction = {
+      id: crypto.randomUUID(),
+      timestamp: new Date().toISOString(),
+      bundle_id: bundleId,
+      type: 'HUMAN_OVERRIDE',
+      instruction: steeringRequest.instruction,
+      priority: 'CRITICAL'
+    };
+
+    fs.appendFileSync(steerPath, JSON.stringify(instruction) + '\n');
+    console.log(`[DHH-STEER] Human instruction injected into autonomous stream [Ref: ${bundleId}]`);
+  }
+}
+
+module.exports = HandoverManager;

package/bin/engine/nexus-tracer.js

@@ -9,6 +9,7 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const ztai = require('../governance/ztai-manager');
+const SREManager = require('./sre-manager');
 
 class NexusTracer {
   constructor(config = {}) {
@@ -18,6 +19,15 @@ class NexusTracer {
     this.activeSpans = new Map();
     this.did = config.did || null; // Active Agent DID
     this.enableZtai = config.enableZtai !== false;
+    this.sreManager = new SREManager();
+
+    // v5 Pillar IV: Agentic SBOM
+    this.sbom = {
+      manifest_version: '1.0.0',
+      models: new Set(),
+      skills: new Set(),
+      startTime: new Date().toISOString()
+    };
   }
 
   /**
@@ -50,12 +60,29 @@ class NexusTracer {
 
     this.activeSpans.set(spanId, span);
 
+    // Track model and skill in SBOM if provided in attributes
+    if (attributes.model_id) this.sbom.models.add(attributes.model_id);
+    if (attributes.skill) this.sbom.skills.add(attributes.skill);
+
+    // v5 Pillar VI: Enclave Check
+    if (attributes.is_confidential && !attributes.enclave_id) {
+      try {
+        span.attributes.enclave_id = this.sreManager.initializeEnclave({ 
+          tier: attributes.tier || 1, 
+          did: this.did 
+        });
+      } catch (err) {
+        console.warn(`[NexusTracer] Failed to initialize SRE for confidential span: ${err.message}`);
+      }
+    }
+
     // Record span start in AUDIT.jsonl
     this._recordEvent('span_started', { 
       span_id: spanId, 
       parent_span_id: parentSpanId,
       span_name: name,
-      ...attributes 
+      ...attributes,
+      enclave_id: span.attributes.enclave_id
     });
 
     return spanId;
@@ -71,6 +98,11 @@ class NexusTracer {
     span.status = status;
     span.end_time = new Date().toISOString();
     
+    // v5 Pillar VI: Enclave Termination
+    if (span.attributes.enclave_id) {
+      this.sreManager.terminateEnclave(span.attributes.enclave_id);
+    }
+
     this._recordEvent('span_completed', {
       span_id: spanId,
       status,
@@ -84,10 +116,17 @@ class NexusTracer {
    * Record a Reasoning Trace event (ART granularity).
    */
   recordReasoning(spanId, agent, thought, resolution = 'none') {
+    const span = this.activeSpans.get(spanId);
+    let sanitizedThought = thought;
+
+    if (span && span.attributes.enclave_id) {
+      sanitizedThought = this.sreManager.sanitizeThoughtChain(thought, span.attributes.enclave_id);
+    }
+
     this._recordEvent('reasoning_trace', {
       span_id: spanId,
       agent,
-      thought,
+      thought: sanitizedThought,
       resolution
     });
   }
@@ -145,6 +184,32 @@ class NexusTracer {
       ...report
     });
   }
+
+  /**
+   * Finalize and export the Agentic SBOM (Pillar IV).
+   */
+  exportSBOM(outputPath = null) {
+    const finalPath = outputPath || path.join(process.cwd(), '.planning', 'MANIFEST.sbom.json');
+    const manifest = {
+      ...this.sbom,
+      models: Array.from(this.sbom.models),
+      skills: Array.from(this.sbom.skills),
+      endTime: new Date().toISOString()
+    };
+
+    try {
+      if (!fs.existsSync(path.dirname(finalPath))) {
+        fs.mkdirSync(path.dirname(finalPath), { recursive: true });
+      }
+      fs.writeFileSync(finalPath, JSON.stringify(manifest, null, 2));
+      
+      this._recordEvent('sbom_exported', { path: finalPath });
+      return finalPath;
+    } catch (err) {
+      console.error(`[NexusTracer] Failed to export SBOM: ${err.message}`);
+      return null;
+    }
+  }
 }
 
 module.exports = NexusTracer;

package/bin/engine/sre-manager.js

@@ -0,0 +1,63 @@
+/**
+ * MindForge — SREManager (Pillar VI: Sovereign Reason Enclaves)
+ * Manages confidential reasoning sessions in simulated Trusted Execution Environments (TEE).
+ */
+'use strict';
+
+const crypto = require('crypto');
+
+class SREManager {
+  constructor() {
+    this.activeEnclaves = new Map();
+  }
+
+  /**
+   * Initializes a Sovereign Reason Enclave for a task.
+   * @param {Object} context - Task context (requires Tier 3 identity)
+   * @returns {string} - Enclave ID
+   */
+  initializeEnclave(context) {
+    if (context.tier < 3) {
+      throw new Error(`[SRE-DENY] Tier ${context.tier} principal is not authorized for Sovereign Reason Enclaves.`);
+    }
+
+    const enclaveId = crypto.randomBytes(12).toString('hex');
+    this.activeEnclaves.set(enclaveId, {
+      startedAt: new Date().toISOString(),
+      principal: context.did,
+      hasIP: true,
+      isolationLevel: 'Hardware-Enclave (Simulated)'
+    });
+
+    console.log(`[SRE-INIT] Initialized Sovereign Reason Enclave: ${enclaveId} for ${context.did}`);
+    return enclaveId;
+  }
+
+  /**
+   * Sanitizes a thought chain for global audit logging.
+   * Ensures that sensitive IP or "zero-visibility" thoughts are isolated.
+   * @param {string} thoughtChain - The raw agentic thought chain.
+   * @returns {string} - Sanitized/Isolated thought chain.
+   */
+  sanitizeThoughtChain(thoughtChain, enclaveId) {
+    if (!this.activeEnclaves.has(enclaveId)) return thoughtChain;
+
+    // Zero-Visibility Protocol: In SRE mode, the global audit log only receives a hash
+    // or a redacted summary. The full chain is kept in volatile enclave memory.
+    const digest = crypto.createHash('sha256').update(thoughtChain).digest('hex');
+    
+    return `[SRE-ISOLATED] Confidential reasoning executed in enclave ${enclaveId}. Verification Digest: ${digest}. Original trace is isolated from persistence.`;
+  }
+
+  /**
+   * Finalizes and purges the enclave.
+   */
+  terminateEnclave(enclaveId) {
+    if (this.activeEnclaves.has(enclaveId)) {
+      this.activeEnclaves.delete(enclaveId);
+      console.log(`[SRE-PURGE] Sovereign Reason Enclave ${enclaveId} has been securely purged.`);
+    }
+  }
+}
+
+module.exports = SREManager;

package/bin/governance/policies/default-policies.jsonl

@@ -0,0 +1,33 @@
+{
+  "id": "policy_enforce_tier_3_security",
+  "version": "1.0.0",
+  "effect": "DENY",
+  "description": "Agents with Tier < 3 cannot modify security or governance files.",
+  "conditions": {
+    "resource": "*/security/*,*/governance/*",
+    "min_tier": 3
+  }
+}
+<!-- slide -->
+{
+  "id": "policy_permit_developer_src",
+  "version": "1.0.0",
+  "effect": "PERMIT",
+  "description": "Developer agents can write to src and tests.",
+  "conditions": {
+    "action": "write_file",
+    "resource": "*/src/*,*/tests/*",
+    "min_tier": 2
+  }
+}
+<!-- slide -->
+{
+  "id": "policy_permit_global_sync_lead",
+  "version": "1.0.0",
+  "effect": "PERMIT",
+  "description": "Lead Architects can push to the Federated Intelligence Mesh.",
+  "conditions": {
+    "action": "federated_sync_push",
+    "min_tier": 3
+  }
+}

package/bin/governance/policy-engine.js

@@ -0,0 +1,106 @@
+/**
+ * MindForge v5 — Agentic Policy Orchestrator (APO) Engine
+ * Evaluates agent intents against organizational security policies.
+ */
+'use strict';
+
+const fs   = require('node:fs');
+const path = require('node:path');
+
+class PolicyEngine {
+  constructor(config = {}) {
+    this.policiesDir = config.policiesDir || path.join(__dirname, 'policies');
+    this.ensurePoliciesDir();
+  }
+
+  ensurePoliciesDir() {
+    if (!fs.existsSync(this.policiesDir)) {
+      fs.mkdirSync(this.policiesDir, { recursive: true });
+    }
+  }
+
+  /**
+   * Evaluates an agent's intent against all active policies.
+   * @param {Object} intent - The intent to evaluate.
+   * @param {string} intent.did - Source agent DID.
+   * @param {string} intent.action - Action type (e.g. 'write_file', 'delete_file').
+   * @param {string} intent.resource - Target resource (e.g. file path).
+   * @param {number} intent.tier - Agent trust tier.
+   * @returns {Object} - { verdict: 'PERMIT' | 'DENY', reason: string, requestId: string }
+   */
+  evaluate(intent) {
+    const requestId = `pol_${Date.now()}_${Math.random().toString(36).slice(2, 7)}`;
+    console.log(`[APO-EVAL] [${requestId}] Evaluating intent: ${intent.action} on ${intent.resource} by ${intent.did}`);
+
+    const policies = this.loadPolicies();
+    
+    // Default Deny if no policies found
+    if (policies.length === 0) {
+      return { verdict: 'DENY', reason: 'No organizational policies defined (Default Deny)', requestId };
+    }
+
+    // 1. Check for explicit DENY rules first
+    for (const policy of policies) {
+      if (policy.effect === 'DENY' && this.matches(policy, intent)) {
+        return { verdict: 'DENY', reason: `Violation: ${policy.description || policy.id}`, requestId };
+      }
+    }
+
+    // 2. Check for explicit PERMIT rules
+    for (const policy of policies) {
+      if (policy.effect === 'PERMIT' && this.matches(policy, intent)) {
+        return { verdict: 'PERMIT', reason: `Authorized by ${policy.id}`, requestId };
+      }
+    }
+
+    return { verdict: 'DENY', reason: 'No matching PERMIT policy found (Implicit Deny)', requestId };
+  }
+
+  loadPolicies() {
+    if (!fs.existsSync(this.policiesDir)) return [];
+    
+    return fs.readdirSync(this.policiesDir)
+      .filter(f => f.endsWith('.json'))
+      .map(f => {
+        try {
+          const content = fs.readFileSync(path.join(this.policiesDir, f), 'utf8');
+          return JSON.parse(content);
+        } catch (err) {
+          console.error(`[APO-ERROR] Failed to parse policy ${f}:`, err.message);
+          return null;
+        }
+      })
+      .filter(Boolean);
+  }
+
+  /**
+   * Simple rule matcher (simulated OPA/Rego logic).
+   */
+  matches(policy, intent) {
+    const { conditions } = policy;
+    if (!conditions) return true;
+
+    // Check DID match (supports wildcards)
+    if (conditions.did && !this.globMatch(conditions.did, intent.did)) return false;
+
+    // Check Action match
+    if (conditions.action && !this.globMatch(conditions.action, intent.action)) return false;
+
+    // Check Resource match
+    if (conditions.resource && !this.globMatch(conditions.resource, intent.resource)) return false;
+
+    // Check Tier match
+    if (conditions.min_tier && intent.tier < conditions.min_tier) return false;
+
+    return true;
+  }
+
+  globMatch(pattern, text) {
+    if (pattern === '*') return true;
+    if (pattern === text) return true;
+    const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+    return regex.test(text);
+  }
+}
+
+module.exports = PolicyEngine;

package/bin/governance/rbac-manager.js

@@ -0,0 +1,109 @@
+/**
+ * MindForge v5 — Agentic RBAC Manager
+ * Maps Agent DIDs to specific project roles and granular permissions.
+ */
+'use strict';
+
+const fs    = require('node:fs');
+const path  = require('node:path');
+const ztai  = require('./ztai-manager');
+
+class RBACManager {
+  constructor(config = {}) {
+    this.rolesPath = config.rolesPath || path.join(process.cwd(), '.planning/AGENT-ROLES.json');
+    this.defaultRoles = {
+      'did:mindforge:planner': ['lead-architect', 'resource-optimizer'],
+      'did:mindforge:executor': ['developer', 'test-automator'],
+      'did:mindforge:reviewer': ['security-auditor', 'compliance-checker'],
+      'did:mindforge:researcher': ['knowledge-detective'],
+      'did:mindforge:tool': ['system-operator']
+    };
+  }
+
+  /**
+   * Gets the roles assigned to a specific agent DID.
+   * @param {string} did 
+   */
+  getRoles(did) {
+    const roles = this.loadRoles();
+    // Return explicit roles OR default roles based on persona-matched DIDs
+    const explicit = roles[did];
+    if (explicit) return explicit;
+
+    // Default mapping (regex for persona-based DIDs)
+    for (const [pattern, defaultRoles] of Object.entries(this.defaultRoles)) {
+      if (did.includes(pattern)) return defaultRoles;
+    }
+
+    return ['guest-agent'];
+  }
+
+  /**
+   * [HARDEN] Dynamically binds roles based on ZTAI trust tiers if no explicit role exists.
+   * Ensures high-trust agents automatically get architect-level visibility.
+   */
+  async getRolesByTier(did) {
+    const manager = new ztai();
+    const identity = await manager.getIdentity();
+    const explicit = this.getRoles(did);
+
+    if (identity.tier >= 3) {
+      return [...new Set([...explicit, 'lead-architect'])];
+    }
+    if (identity.tier >= 2) {
+      return [...new Set([...explicit, 'developer'])];
+    }
+    return explicit;
+  }
+
+  loadRoles() {
+    if (!fs.existsSync(this.rolesPath)) return {};
+    try {
+      return JSON.parse(fs.readFileSync(this.rolesPath, 'utf8'));
+    } catch {
+      return {};
+    }
+  }
+
+  /**
+   * Assigns a role to an agent.
+   */
+  assignRole(did, roles) {
+    const current = this.loadRoles();
+    current[did] = Array.isArray(roles) ? roles : [roles];
+    fs.writeFileSync(this.rolesPath, JSON.stringify(current, null, 2));
+    console.log(`[RBAC] Assigned roles [${roles}] to agent ${did}`);
+  }
+
+  /**
+   * Revokes all roles for an agent.
+   */
+  revokeRoles(did) {
+    const current = this.loadRoles();
+    delete current[did];
+    fs.writeFileSync(this.rolesPath, JSON.stringify(current, null, 2));
+  }
+
+  /**
+   * Checks if an agent has a specific permission based on their roles.
+   * @param {string} did 
+   * @param {string} permission 
+   */
+  hasPermission(did, permission) {
+    const roles = this.getRoles(did);
+    const PERMISSION_MAP = {
+      'lead-architect': ['write_architecture', 'approve_adr', 'global_sync_push'],
+      'developer':      ['write_src', 'read_src', 'execute_tests'],
+      'security-auditor': ['read_security', 'write_audit_log', 'block_execution'],
+      'system-operator': ['write_bin', 'modify_infrastructure'],
+      'guest-agent':     ['read_src']
+    };
+
+    for (const role of roles) {
+      if (PERMISSION_MAP[role]?.includes(permission)) return true;
+    }
+    return false;
+  }
+}
+
+module.exports = RBACManager;