moltblock 0.5.0 → 0.6.0

package/{readme.md → README.md}

@@ -208,6 +208,87 @@ npm test
 - **Molt and governance** — `GovernanceConfig` (rate limit, veto); `canMolt()`, `triggerMolt()`, `pause()`, `resume()`, `emergencyShutdown()`; audit log and governance state in `Store`.
 - **Multi-entity handoff** — `signArtifact()` / `verifyArtifact()`; inbox per entity; `sendArtifact()`, `receiveArtifacts()` for Entity A → Entity B.
 
+### New in v0.6
+
+- **Pluggable verifier system** — `Verifier` interface so verification isn't limited to vitest. Implement `verify(memory, context)` to plug in any gating strategy.
+- **PolicyVerifier** — Rule-based verifier with ~20 built-in deny rules. Catches destructive commands (`rm -rf`, `DROP TABLE`), sensitive file access (`.ssh/`, `/etc/shadow`), hardcoded secrets, and exfiltration patterns — all without an LLM call.
+- **CodeVerifier** — Adapter wrapping the existing vitest verifier into the pluggable interface.
+- **CompositeVerifier** — Chains multiple verifiers (e.g. policy + code); all must pass. Supports fail-fast and collect-all modes.
+- **Generic Entity** — `Entity` class with pluggable verifier and domain-aware prompts. Use `new Entity({ domain: "general" })` for non-code tasks.
+- **Domain prompts** — Registry mapping domains to role-specific system prompts. Built-in `"code"` and `"general"` domains; register custom domains with `registerDomain()`.
+- **Risk classification** — `classifyRisk(task)` returns `"low"` / `"medium"` / `"high"` with reasons. Pure regex matching, no LLM needed.
+- **Policy rules in config** — Add custom `policy.rules` to `moltblock.json` for project-specific allow/deny rules.
+- **OpenClaw skill** — `skill/SKILL.md` for one-step installation into OpenClaw workspace.
+
+---
+
+## Policy Verifier
+
+The `PolicyVerifier` catches dangerous patterns in artifacts and tasks without needing an LLM:
+
+```typescript
+import { PolicyVerifier, WorkingMemory } from "moltblock";
+
+const verifier = new PolicyVerifier();
+const memory = new WorkingMemory();
+memory.setFinalCandidate("rm -rf /");
+
+const result = await verifier.verify(memory);
+// result.passed === false
+// result.evidence includes "[cmd-rm-rf] Recursive force delete"
+```
+
+Custom rules can be added via constructor or config:
+
+```typescript
+const verifier = new PolicyVerifier([
+  {
+    id: "allow-tmp-cleanup",
+    description: "Allow cleanup in /tmp",
+    target: "artifact",
+    pattern: "\\/tmp\\/",
+    action: "allow",
+    category: "destructive-cmd",
+    enabled: true,
+  },
+]);
+```
+
+---
+
+## Risk Classification
+
+Classify task risk before deciding whether to verify:
+
+```typescript
+import { classifyRisk } from "moltblock";
+
+classifyRisk("write a hello world function");
+// { level: "low", reasons: [] }
+
+classifyRisk("sudo rm -rf /home/user");
+// { level: "high", reasons: ["Sudo privilege escalation", "Recursive file deletion (rm -rf)"] }
+```
+
+---
+
+## Generic Entity
+
+For non-code tasks, use the generic `Entity` with domain-aware prompts:
+
+```typescript
+import { Entity, PolicyVerifier, CompositeVerifier, CodeVerifier } from "moltblock";
+
+// General-purpose entity (policy verification only)
+const entity = new Entity({ domain: "general" });
+
+// Code entity with both policy and vitest verification
+const codeEntity = new Entity({
+  domain: "code",
+  verifier: new CompositeVerifier([new PolicyVerifier(), new CodeVerifier()]),
+});
+```
+
 ---
 
 ## Roadmap
@@ -215,6 +296,7 @@ npm test
 - v0.1 — Protocol + architecture
 - v0.2 — MVP Entity implementation (spec + Code Entity loop + graph, memory, improvement, governance, handoff)
 - v0.3 — Multi-Entity collaboration (orchestration and tooling)
+- v0.6 — Pluggable verification, policy rules, generic entity, risk classification, OpenClaw skill
 
 ---
 

package/dist/agents.d.ts

@@ -7,17 +7,17 @@ import { Store } from "./persistence.js";
 /**
  * Generator: task -> draft artifact (code).
  */
-export declare function runGenerator(gateway: LLMGateway, memory: WorkingMemory, store?: Store | null): Promise<void>;
+export declare function runGenerator(gateway: LLMGateway, memory: WorkingMemory, store?: Store | null, domain?: string): Promise<void>;
 /**
  * Critic: draft + task -> critique.
  */
-export declare function runCritic(gateway: LLMGateway, memory: WorkingMemory, store?: Store | null): Promise<void>;
+export declare function runCritic(gateway: LLMGateway, memory: WorkingMemory, store?: Store | null, domain?: string): Promise<void>;
 /**
  * Judge: task + draft + critique -> final candidate artifact.
  */
-export declare function runJudge(gateway: LLMGateway, memory: WorkingMemory, store?: Store | null): Promise<void>;
+export declare function runJudge(gateway: LLMGateway, memory: WorkingMemory, store?: Store | null, domain?: string): Promise<void>;
 /**
  * Run a single role with task and inputs (node_id -> content from predecessors).
  * Returns the role's output string. Used by the graph runner.
  */
-export declare function runRole(role: string, gateway: LLMGateway, task: string, inputs: Record<string, string>, longTermContext?: string, store?: Store | null): Promise<string>;
+export declare function runRole(role: string, gateway: LLMGateway, task: string, inputs: Record<string, string>, longTermContext?: string, store?: Store | null, domain?: string): Promise<string>;

package/dist/agents.js

@@ -1,35 +1,49 @@
 /**
  * Agents: Generator, Critic, Judge. Each uses LLMGateway and reads/writes WorkingMemory.
  */
+import { getDomainPrompts } from "./domain-prompts.js";
 import { getStrategy } from "./persistence.js";
 // Default prompts; can be overridden by strategy store (recursive improvement)
 // Note: Prompts updated to produce TypeScript instead of Python
 const CODE_GENERATOR_SYSTEM = `You are the Generator for a Code Entity. You produce a single TypeScript implementation that satisfies the user's task. Output only valid TypeScript code, no markdown fences or extra commentary. The code will be reviewed by a Critic and then verified by running tests.`;
 const CODE_CRITIC_SYSTEM = `You are the Critic. Review the draft code for bugs, edge cases, and style. Be concise. List specific issues and suggestions. Do not rewrite the code; only critique.`;
 const CODE_JUDGE_SYSTEM = `You are the Judge. Given the task, the draft code, and the critique, produce the final single TypeScript implementation. Output only valid TypeScript code, no markdown fences or extra commentary. Incorporate the critic's feedback. The result will be run through vitest.`;
-function systemPrompt(role, store) {
+function systemPrompt(role, store, domain = "code") {
     if (store) {
         const s = getStrategy(store, role);
         if (s) {
             return s;
         }
     }
-    const defaults = {
-        generator: CODE_GENERATOR_SYSTEM,
-        critic: CODE_CRITIC_SYSTEM,
-        judge: CODE_JUDGE_SYSTEM,
+    // Hard-coded defaults for "code" domain (backward compat)
+    if (domain === "code") {
+        const defaults = {
+            generator: CODE_GENERATOR_SYSTEM,
+            critic: CODE_CRITIC_SYSTEM,
+            judge: CODE_JUDGE_SYSTEM,
+        };
+        const d = defaults[role];
+        if (d)
+            return d;
+    }
+    // Fall back to domain prompt registry
+    const prompts = getDomainPrompts(domain);
+    const roleMap = {
+        generator: prompts.generator,
+        critic: prompts.critic,
+        judge: prompts.judge,
     };
-    return defaults[role] ?? CODE_GENERATOR_SYSTEM;
+    return roleMap[role] ?? prompts.generator;
 }
 /**
  * Generator: task -> draft artifact (code).
  */
-export async function runGenerator(gateway, memory, store = null) {
+export async function runGenerator(gateway, memory, store = null, domain = "code") {
     let userContent = memory.task;
     if (memory.longTermContext) {
         userContent = userContent + "\n\nRelevant verified knowledge:\n" + memory.longTermContext;
     }
-    const system = systemPrompt("generator", store);
+    const system = systemPrompt("generator", store, domain);
     const messages = [
         { role: "system", content: system },
         { role: "user", content: userContent },
@@ -40,8 +54,8 @@ export async function runGenerator(gateway, memory, store = null) {
 /**
  * Critic: draft + task -> critique.
  */
-export async function runCritic(gateway, memory, store = null) {
-    const system = systemPrompt("critic", store);
+export async function runCritic(gateway, memory, store = null, domain = "code") {
+    const system = systemPrompt("critic", store, domain);
     const messages = [
         { role: "system", content: system },
         { role: "user", content: `Task:\n${memory.task}\n\nDraft code:\n${memory.draft}` },
@@ -52,8 +66,8 @@ export async function runCritic(gateway, memory, store = null) {
 /**
  * Judge: task + draft + critique -> final candidate artifact.
  */
-export async function runJudge(gateway, memory, store = null) {
-    const system = systemPrompt("judge", store);
+export async function runJudge(gateway, memory, store = null, domain = "code") {
+    const system = systemPrompt("judge", store, domain);
     const messages = [
         { role: "system", content: system },
         {
@@ -68,13 +82,13 @@ export async function runJudge(gateway, memory, store = null) {
  * Run a single role with task and inputs (node_id -> content from predecessors).
  * Returns the role's output string. Used by the graph runner.
  */
-export async function runRole(role, gateway, task, inputs, longTermContext = "", store = null) {
+export async function runRole(role, gateway, task, inputs, longTermContext = "", store = null, domain = "code") {
     let userContent = task;
     if (longTermContext) {
         userContent = task + "\n\nRelevant verified knowledge:\n" + longTermContext;
     }
     if (role === "generator") {
-        const system = systemPrompt("generator", store);
+        const system = systemPrompt("generator", store, domain);
         const messages = [
             { role: "system", content: system },
             { role: "user", content: userContent },
@@ -87,7 +101,7 @@ export async function runRole(role, gateway, task, inputs, longTermContext = "",
         if (longTermContext) {
             content = content + "\n\nRelevant verified knowledge:\n" + longTermContext;
         }
-        const system = systemPrompt("critic", store);
+        const system = systemPrompt("critic", store, domain);
         const messages = [
             { role: "system", content: system },
             { role: "user", content: content },
@@ -101,7 +115,7 @@ export async function runRole(role, gateway, task, inputs, longTermContext = "",
         if (longTermContext) {
             content = content + "\n\nRelevant verified knowledge:\n" + longTermContext;
         }
-        const system = systemPrompt("judge", store);
+        const system = systemPrompt("judge", store, domain);
         const messages = [
             { role: "system", content: system },
             { role: "user", content: content },

package/dist/code-verifier.d.ts

@@ -0,0 +1,13 @@
+/**
+ * CodeVerifier: adapter that wraps the existing vitest-based runVerifier into the Verifier interface.
+ */
+import type { WorkingMemory } from "./memory.js";
+import type { Verifier, VerificationResult, VerifierContext } from "./verifier-interface.js";
+/**
+ * Wraps the existing vitest verifier (runVerifier) into the pluggable Verifier interface.
+ * Uses context.testCode for the test file, same as CodeEntity.
+ */
+export declare class CodeVerifier implements Verifier {
+    readonly name = "CodeVerifier";
+    verify(memory: WorkingMemory, context?: VerifierContext): Promise<VerificationResult>;
+}

package/dist/code-verifier.js

@@ -0,0 +1,21 @@
+/**
+ * CodeVerifier: adapter that wraps the existing vitest-based runVerifier into the Verifier interface.
+ */
+import { runVerifier } from "./verifier.js";
+/**
+ * Wraps the existing vitest verifier (runVerifier) into the pluggable Verifier interface.
+ * Uses context.testCode for the test file, same as CodeEntity.
+ */
+export class CodeVerifier {
+    name = "CodeVerifier";
+    async verify(memory, context) {
+        const testCode = context?.testCode;
+        // runVerifier mutates memory.verificationPassed / verificationEvidence
+        await runVerifier(memory, testCode);
+        return {
+            passed: memory.verificationPassed,
+            evidence: memory.verificationEvidence || (memory.verificationPassed ? "Verification passed." : "Verification failed."),
+            verifierName: this.name,
+        };
+    }
+}

package/dist/composite-verifier.d.ts

@@ -0,0 +1,21 @@
+/**
+ * CompositeVerifier: runs multiple verifiers, all must pass.
+ */
+import type { WorkingMemory } from "./memory.js";
+import type { Verifier, VerificationResult, VerifierContext } from "./verifier-interface.js";
+export interface CompositeVerifierOptions {
+    /** If true, stop at first failure. Defaults to true. */
+    failFast?: boolean;
+}
+/**
+ * Runs verifiers sequentially. All must pass for the composite to pass.
+ * Fail-fast mode (default) stops at the first failure.
+ * Collect-all mode runs every verifier and reports all results.
+ */
+export declare class CompositeVerifier implements Verifier {
+    readonly name = "CompositeVerifier";
+    private verifiers;
+    private failFast;
+    constructor(verifiers: Verifier[], options?: CompositeVerifierOptions);
+    verify(memory: WorkingMemory, context?: VerifierContext): Promise<VerificationResult>;
+}

package/dist/composite-verifier.js

@@ -0,0 +1,42 @@
+/**
+ * CompositeVerifier: runs multiple verifiers, all must pass.
+ */
+/**
+ * Runs verifiers sequentially. All must pass for the composite to pass.
+ * Fail-fast mode (default) stops at the first failure.
+ * Collect-all mode runs every verifier and reports all results.
+ */
+export class CompositeVerifier {
+    name = "CompositeVerifier";
+    verifiers;
+    failFast;
+    constructor(verifiers, options) {
+        if (verifiers.length === 0) {
+            throw new Error("CompositeVerifier requires at least one verifier");
+        }
+        this.verifiers = verifiers;
+        this.failFast = options?.failFast ?? true;
+    }
+    async verify(memory, context) {
+        const details = [];
+        let allPassed = true;
+        for (const verifier of this.verifiers) {
+            const result = await verifier.verify(memory, context);
+            details.push(result);
+            if (!result.passed) {
+                allPassed = false;
+                if (this.failFast)
+                    break;
+            }
+        }
+        const evidence = details
+            .map((d) => `[${d.verifierName}] ${d.passed ? "PASS" : "FAIL"}: ${d.evidence}`)
+            .join("\n");
+        return {
+            passed: allPassed,
+            evidence,
+            verifierName: this.name,
+            details,
+        };
+    }
+}

package/dist/config.d.ts

@@ -19,6 +19,23 @@ export declare const AgentConfigSchema: z.ZodObject<{
     }, z.core.$strip>>>;
 }, z.core.$strip>;
 export type AgentConfig = z.infer<typeof AgentConfigSchema>;
+export declare const PolicyRuleSchema: z.ZodObject<{
+    id: z.ZodString;
+    description: z.ZodString;
+    target: z.ZodEnum<{
+        artifact: "artifact";
+        task: "task";
+        both: "both";
+    }>;
+    pattern: z.ZodString;
+    action: z.ZodEnum<{
+        deny: "deny";
+        allow: "allow";
+    }>;
+    category: z.ZodString;
+    enabled: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+export type PolicyRuleConfig = z.infer<typeof PolicyRuleSchema>;
 export declare const MoltblockConfigSchema: z.ZodObject<{
     agent: z.ZodOptional<z.ZodObject<{
         bindings: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
@@ -28,6 +45,24 @@ export declare const MoltblockConfigSchema: z.ZodObject<{
             api_key: z.ZodOptional<z.ZodNullable<z.ZodString>>;
         }, z.core.$strip>>>;
     }, z.core.$strip>>;
+    policy: z.ZodOptional<z.ZodObject<{
+        rules: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            description: z.ZodString;
+            target: z.ZodEnum<{
+                artifact: "artifact";
+                task: "task";
+                both: "both";
+            }>;
+            pattern: z.ZodString;
+            action: z.ZodEnum<{
+                deny: "deny";
+                allow: "allow";
+            }>;
+            category: z.ZodString;
+            enabled: z.ZodDefault<z.ZodBoolean>;
+        }, z.core.$strip>>>;
+    }, z.core.$strip>>;
 }, z.core.$strip>;
 export type MoltblockConfig = z.infer<typeof MoltblockConfigSchema>;
 export declare const ModelBindingSchema: z.ZodObject<{
@@ -68,3 +103,8 @@ export declare function detectProvider(overrideProvider?: string, overrideModel?
  * If no JSON, auto-detects provider from env vars. API keys from env win over JSON.
  */
 export declare function defaultCodeEntityBindings(overrides?: BindingOverrides): Record<string, ModelBinding>;
+/**
+ * Load custom policy rules from moltblock config.
+ * Returns empty array if no config or no rules defined.
+ */
+export declare function loadPolicyRules(): PolicyRuleConfig[];

package/dist/config.js

@@ -40,8 +40,20 @@ export const BindingEntrySchema = z.object({
 export const AgentConfigSchema = z.object({
     bindings: z.record(z.string(), BindingEntrySchema).optional().describe("Per-role model bindings"),
 });
+export const PolicyRuleSchema = z.object({
+    id: z.string().describe("Unique rule identifier"),
+    description: z.string().describe("Human-readable rule description"),
+    target: z.enum(["artifact", "task", "both"]).describe("What to match against"),
+    pattern: z.string().describe("Regex pattern string"),
+    action: z.enum(["deny", "allow"]).describe("deny blocks; allow overrides deny in same category"),
+    category: z.string().describe("Rule category for allow/deny grouping"),
+    enabled: z.boolean().default(true).describe("Whether the rule is active"),
+});
 export const MoltblockConfigSchema = z.object({
     agent: AgentConfigSchema.optional().describe("Agent defaults and bindings"),
+    policy: z.object({
+        rules: z.array(PolicyRuleSchema).optional().describe("Custom policy rules"),
+    }).optional().describe("Policy verifier configuration"),
 });
 export const ModelBindingSchema = z.object({
     backend: z.string().describe("e.g. 'local' or 'zai' or 'openai'"),
@@ -365,3 +377,11 @@ export function defaultCodeEntityBindings(overrides) {
         verifier: bindingFor("verifier"),
     };
 }
+/**
+ * Load custom policy rules from moltblock config.
+ * Returns empty array if no config or no rules defined.
+ */
+export function loadPolicyRules() {
+    const cfg = loadMoltblockConfig();
+    return cfg?.policy?.rules ?? [];
+}

package/dist/domain-prompts.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Domain prompt registry: maps domain names to role-specific system prompts.
+ */
+/** Prompt set for a single domain: one system prompt per agent role. */
+export interface DomainPrompts {
+    generator: string;
+    critic: string;
+    judge: string;
+}
+/**
+ * Get prompts for a domain. Falls back to "general" if domain is unknown.
+ */
+export declare function getDomainPrompts(domain: string): DomainPrompts;
+/**
+ * Register a custom domain with its prompts. Overwrites if already exists.
+ */
+export declare function registerDomain(domain: string, prompts: DomainPrompts): void;
+/**
+ * List all registered domain names.
+ */
+export declare function listDomains(): string[];

package/dist/domain-prompts.js

@@ -0,0 +1,33 @@
+/**
+ * Domain prompt registry: maps domain names to role-specific system prompts.
+ */
+const registry = new Map();
+// --- Built-in domains ---
+registry.set("code", {
+    generator: "You are the Generator for a Code Entity. You produce a single TypeScript implementation that satisfies the user's task. Output only valid TypeScript code, no markdown fences or extra commentary. The code will be reviewed by a Critic and then verified by running tests.",
+    critic: "You are the Critic. Review the draft code for bugs, edge cases, and style. Be concise. List specific issues and suggestions. Do not rewrite the code; only critique.",
+    judge: "You are the Judge. Given the task, the draft code, and the critique, produce the final single TypeScript implementation. Output only valid TypeScript code, no markdown fences or extra commentary. Incorporate the critic's feedback. The result will be run through vitest.",
+});
+registry.set("general", {
+    generator: "You are the Generator. Produce a clear, complete response that satisfies the user's task. Focus on accuracy and completeness. Your output will be reviewed by a Critic.",
+    critic: "You are the Critic. Review the draft response for factual errors, gaps, unclear reasoning, and potential risks. Be concise. List specific issues and suggestions. Do not rewrite the response; only critique.",
+    judge: "You are the Judge. Given the task, the draft response, and the critique, produce the final response. Incorporate the critic's feedback. Ensure the result is accurate, safe, and complete.",
+});
+/**
+ * Get prompts for a domain. Falls back to "general" if domain is unknown.
+ */
+export function getDomainPrompts(domain) {
+    return registry.get(domain) ?? registry.get("general");
+}
+/**
+ * Register a custom domain with its prompts. Overwrites if already exists.
+ */
+export function registerDomain(domain, prompts) {
+    registry.set(domain, prompts);
+}
+/**
+ * List all registered domain names.
+ */
+export function listDomains() {
+    return [...registry.keys()];
+}

package/dist/entity-base.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Generic Entity: pluggable verifier and domain support for any task type.
+ * CodeEntity remains unchanged for backward compatibility.
+ */
+import { type ModelBinding } from "./config.js";
+import { WorkingMemory } from "./memory.js";
+import { Store } from "./persistence.js";
+import type { Verifier } from "./verifier-interface.js";
+/** Options for constructing a generic Entity. */
+export interface EntityOptions {
+    /** Verifier to gate artifacts. Defaults to PolicyVerifier. */
+    verifier?: Verifier;
+    /** Domain for agent prompts. Defaults to "general". */
+    domain?: string;
+    /** Per-role model bindings. Auto-detected if omitted. */
+    bindings?: Record<string, ModelBinding>;
+}
+/**
+ * Generic Entity: same Generator -> Critic -> Judge pipeline as CodeEntity,
+ * but with a pluggable verifier and domain-aware prompts.
+ */
+export declare class Entity {
+    private gateways;
+    private verifier;
+    private domain;
+    constructor(options?: EntityOptions);
+    /**
+     * One full loop: task -> Generator -> Critic -> Judge -> Verifier -> gating.
+     * Returns working memory with authoritative_artifact set only if verification passed.
+     */
+    run(task: string, options?: {
+        testCode?: string;
+        store?: Store;
+        entityVersion?: string;
+        writeCheckpointAfter?: boolean;
+    }): Promise<WorkingMemory>;
+}

package/dist/entity-base.js

@@ -0,0 +1,87 @@
+/**
+ * Generic Entity: pluggable verifier and domain support for any task type.
+ * CodeEntity remains unchanged for backward compatibility.
+ */
+import { runCritic, runGenerator, runJudge } from "./agents.js";
+import { defaultCodeEntityBindings } from "./config.js";
+import { LLMGateway } from "./gateway.js";
+import { WorkingMemory } from "./memory.js";
+import { hashMemory, recordOutcome } from "./persistence.js";
+import { PolicyVerifier } from "./policy-verifier.js";
+import { validateTask } from "./validation.js";
+/**
+ * Generic Entity: same Generator -> Critic -> Judge pipeline as CodeEntity,
+ * but with a pluggable verifier and domain-aware prompts.
+ */
+export class Entity {
+    gateways;
+    verifier;
+    domain;
+    constructor(options) {
+        const resolvedBindings = options?.bindings ?? defaultCodeEntityBindings();
+        this.verifier = options?.verifier ?? new PolicyVerifier();
+        this.domain = options?.domain ?? "general";
+        this.gateways = {
+            generator: new LLMGateway(resolvedBindings["generator"]),
+            critic: new LLMGateway(resolvedBindings["critic"]),
+            judge: new LLMGateway(resolvedBindings["judge"]),
+        };
+    }
+    /**
+     * One full loop: task -> Generator -> Critic -> Judge -> Verifier -> gating.
+     * Returns working memory with authoritative_artifact set only if verification passed.
+     */
+    async run(task, options = {}) {
+        const { testCode, store, entityVersion = "0.5.0", writeCheckpointAfter = false, } = options;
+        // Validate input
+        const taskValidation = validateTask(task);
+        if (!taskValidation.valid) {
+            throw new Error(`Invalid task: ${taskValidation.error}`);
+        }
+        const t0 = performance.now();
+        const memory = new WorkingMemory();
+        memory.setTask(task);
+        // Inject long-term context from verified memory
+        if (store) {
+            const recent = store.getRecentVerified(5);
+            const parts = [];
+            for (const e of recent) {
+                if (e.content_preview) {
+                    parts.push(e.content_preview.slice(0, 500));
+                }
+                else if (e.summary) {
+                    parts.push(e.summary);
+                }
+            }
+            memory.longTermContext = parts.length > 0 ? parts.join("\n---\n") : "";
+        }
+        // Run the agent pipeline with domain-aware prompts
+        await runGenerator(this.gateways["generator"], memory, store ?? null, this.domain);
+        await runCritic(this.gateways["critic"], memory, store ?? null, this.domain);
+        await runJudge(this.gateways["judge"], memory, store ?? null, this.domain);
+        // Run pluggable verifier
+        const ctx = {
+            task,
+            testCode,
+            domain: this.domain,
+        };
+        const result = await this.verifier.verify(memory, ctx);
+        memory.setVerification(result.passed, result.evidence);
+        // Record outcome and persist if verification passed
+        const latencySec = (performance.now() - t0) / 1000;
+        if (store) {
+            recordOutcome(store, memory.verificationPassed, latencySec, task.slice(0, 100));
+        }
+        if (store && memory.verificationPassed && memory.authoritativeArtifact) {
+            const artifactRef = `artifact_${Date.now()}`;
+            store.addVerified(artifactRef, `Verified artifact (${memory.authoritativeArtifact.length} chars)`, memory.authoritativeArtifact.slice(0, 2000));
+            if (writeCheckpointAfter) {
+                const graphHash = `entity-${this.domain}`;
+                const refs = [artifactRef];
+                const memHash = hashMemory(refs);
+                store.writeCheckpoint(entityVersion, graphHash, memHash, refs);
+            }
+        }
+        return memory;
+    }
+}

package/dist/graph-runner.d.ts

@@ -5,6 +5,14 @@ import { type ModelBinding } from "./config.js";
 import { AgentGraph } from "./graph-schema.js";
 import { WorkingMemory } from "./memory.js";
 import { Store } from "./persistence.js";
+import type { Verifier } from "./verifier-interface.js";
+/** Options for configuring the GraphRunner beyond bindings. */
+export interface GraphRunnerOptions {
+    /** Pluggable verifier. If omitted, falls back to the existing vitest-based runVerifier. */
+    verifier?: Verifier;
+    /** Domain for agent prompts. Defaults to "code". */
+    domain?: string;
+}
 /**
  * Runs a declarative agent graph: nodes (role + binding), edges (data flow).
  * After all nodes run, verifier runs on the final node's output and gating is applied.
@@ -12,7 +20,9 @@ import { Store } from "./persistence.js";
 export declare class GraphRunner {
     private graph;
     private gateways;
-    constructor(graph: AgentGraph, bindings?: Record<string, ModelBinding>);
+    private pluggableVerifier?;
+    private domain;
+    constructor(graph: AgentGraph, bindings?: Record<string, ModelBinding>, options?: GraphRunnerOptions);
     /**
      * Execute graph: task in -> run nodes in topo order -> run verifier on final node -> gating.
      * If store is provided and verification passed: admit to verified memory; optionally write checkpoint.

package/dist/graph-runner.js

@@ -14,8 +14,12 @@ import { runVerifier } from "./verifier.js";
 export class GraphRunner {
     graph;
     gateways = new Map();
-    constructor(graph, bindings) {
+    pluggableVerifier;
+    domain;
+    constructor(graph, bindings, options) {
         this.graph = graph;
+        this.pluggableVerifier = options?.verifier;
+        this.domain = options?.domain ?? "code";
         const resolvedBindings = bindings ?? defaultCodeEntityBindings();
         for (const node of graph.nodes) {
             if (node.role === "verifier") {
@@ -71,7 +75,7 @@ export class GraphRunner {
             if (!gateway) {
                 throw new Error(`No gateway for binding '${node.binding}'`);
             }
-            const out = await runRole(node.role, gateway, task, inputs, memory.longTermContext, store ?? null);
+            const out = await runRole(node.role, gateway, task, inputs, memory.longTermContext, store ?? null, this.domain);
             memory.setSlot(nodeId, out);
         }
         // Set final candidate from final node
@@ -79,8 +83,15 @@ export class GraphRunner {
         if (finalId) {
             memory.finalCandidate = memory.getSlot(finalId);
         }
-        // Run verification
-        await runVerifier(memory, testCode);
+        // Run verification: pluggable verifier if provided, otherwise legacy runVerifier
+        if (this.pluggableVerifier) {
+            const ctx = { task, testCode, domain: this.domain };
+            const result = await this.pluggableVerifier.verify(memory, ctx);
+            memory.setVerification(result.passed, result.evidence);
+        }
+        else {
+            await runVerifier(memory, testCode);
+        }
         // Record outcome and persist if verification passed
         const latencySec = (performance.now() - t0) / 1000;
         if (store) {

package/dist/improvement.d.ts

@@ -7,7 +7,7 @@ import type { StrategySuggestion } from "./types.js";
  * Review recent outcomes and return suggested strategy updates (rule-based for MVP).
  * Returns list of { role, suggestion } for human or governance to apply.
  */
-export declare function critiqueStrategies(store: Store, recentCount?: number): StrategySuggestion[];
+export declare function critiqueStrategies(store: Store, recentCount?: number, domain?: string): StrategySuggestion[];
 /**
  * Apply a new prompt for role (strategy update). Under governance, this would require approval.
  */

package/dist/improvement.js

@@ -6,7 +6,7 @@ import { getRecentOutcomes, recordOutcome, setStrategy, } from "./persistence.js
  * Review recent outcomes and return suggested strategy updates (rule-based for MVP).
  * Returns list of { role, suggestion } for human or governance to apply.
  */
-export function critiqueStrategies(store, recentCount = 10) {
+export function critiqueStrategies(store, recentCount = 10, domain = "code") {
     const outcomes = getRecentOutcomes(store, recentCount);
     if (outcomes.length < 3) {
         return [];
@@ -15,14 +15,26 @@ export function critiqueStrategies(store, recentCount = 10) {
     const failRate = 1.0 - passed / outcomes.length;
     const suggestions = [];
     if (failRate >= 0.5) {
-        suggestions.push({
-            role: "generator",
-            suggestion: "Add explicit instruction: output only valid TypeScript with no markdown fences or commentary.",
-        });
-        suggestions.push({
-            role: "judge",
-            suggestion: "Ensure Judge incorporates all critic feedback and outputs runnable code only.",
-        });
+        if (domain === "code") {
+            suggestions.push({
+                role: "generator",
+                suggestion: "Add explicit instruction: output only valid TypeScript with no markdown fences or commentary.",
+            });
+            suggestions.push({
+                role: "judge",
+                suggestion: "Ensure Judge incorporates all critic feedback and outputs runnable code only.",
+            });
+        }
+        else {
+            suggestions.push({
+                role: "generator",
+                suggestion: "Add explicit instruction: produce clear, complete, and accurate responses. Avoid ambiguity.",
+            });
+            suggestions.push({
+                role: "judge",
+                suggestion: "Ensure Judge addresses all critic concerns and produces a safe, well-structured final response.",
+            });
+        }
     }
     return suggestions;
 }

package/dist/index.d.ts

@@ -1,19 +1,26 @@
 /**
  * Moltblock — framework for evolving composite intelligences (Entities).
  */
-export declare const VERSION = "0.5.0";
+export declare const VERSION = "0.6.0";
 export type { ModelBinding, BindingEntry, AgentConfig, MoltblockConfig, ChatMessage, VerifiedMemoryEntry, CheckpointEntry, OutcomeEntry, InboxEntry, StrategySuggestion, ReceivedArtifact, GovernanceConfig, } from "./types.js";
 export { WorkingMemory } from "./memory.js";
 export { signArtifact, verifyArtifact, artifactHash } from "./signing.js";
-export { loadMoltblockConfig, defaultCodeEntityBindings, detectProvider, getConfigSource, BindingEntrySchema, AgentConfigSchema, MoltblockConfigSchema, ModelBindingSchema, type BindingOverrides, type ConfigSource, } from "./config.js";
+export { loadMoltblockConfig, defaultCodeEntityBindings, detectProvider, getConfigSource, loadPolicyRules, BindingEntrySchema, AgentConfigSchema, MoltblockConfigSchema, ModelBindingSchema, PolicyRuleSchema, type BindingOverrides, type ConfigSource, type PolicyRuleConfig, } from "./config.js";
 export { Store, hashGraph, hashMemory, auditLog, getGovernanceValue, setGovernanceValue, putInbox, getInbox, recordOutcome, getRecentOutcomes, getStrategy, setStrategy, } from "./persistence.js";
 export { LLMGateway } from "./gateway.js";
 export { runGenerator, runCritic, runJudge, runRole, } from "./agents.js";
 export { AgentGraph, GraphNodeSchema, GraphEdgeSchema, AgentGraphSchema, type GraphNode, type GraphEdge, type AgentGraphData, } from "./graph-schema.js";
-export { GraphRunner } from "./graph-runner.js";
+export { GraphRunner, type GraphRunnerOptions } from "./graph-runner.js";
 export { extractCodeBlock, runVitestOnCode, runVerifier } from "./verifier.js";
+export type { Verifier, VerificationResult, VerifierContext, } from "./verifier-interface.js";
+export { PolicyVerifier, type PolicyRule } from "./policy-verifier.js";
+export { CodeVerifier } from "./code-verifier.js";
+export { CompositeVerifier, type CompositeVerifierOptions } from "./composite-verifier.js";
+export { getDomainPrompts, registerDomain, listDomains, type DomainPrompts, } from "./domain-prompts.js";
+export { classifyRisk, type RiskLevel, type RiskClassification } from "./risk.js";
 export { createGovernanceConfig, canMolt, triggerMolt, pause, resume, isPaused, emergencyShutdown, } from "./governance.js";
 export { sendArtifact, receiveArtifacts } from "./handoff.js";
 export { critiqueStrategies, applySuggestion, runEval, runImprovementCycle, } from "./improvement.js";
 export { validateTask, validateTestCode, MAX_TASK_LENGTH, MIN_TASK_LENGTH, type ValidationResult, } from "./validation.js";
 export { CodeEntity, loadEntityWithGraph } from "./entity.js";
+export { Entity, type EntityOptions } from "./entity-base.js";

package/dist/index.js

@@ -1,13 +1,13 @@
 /**
  * Moltblock — framework for evolving composite intelligences (Entities).
  */
-export const VERSION = "0.5.0";
+export const VERSION = "0.6.0";
 // Memory
 export { WorkingMemory } from "./memory.js";
 // Signing
 export { signArtifact, verifyArtifact, artifactHash } from "./signing.js";
 // Config
-export { loadMoltblockConfig, defaultCodeEntityBindings, detectProvider, getConfigSource, BindingEntrySchema, AgentConfigSchema, MoltblockConfigSchema, ModelBindingSchema, } from "./config.js";
+export { loadMoltblockConfig, defaultCodeEntityBindings, detectProvider, getConfigSource, loadPolicyRules, BindingEntrySchema, AgentConfigSchema, MoltblockConfigSchema, ModelBindingSchema, PolicyRuleSchema, } from "./config.js";
 // Persistence
 export { Store, hashGraph, hashMemory, auditLog, getGovernanceValue, setGovernanceValue, putInbox, getInbox, recordOutcome, getRecentOutcomes, getStrategy, setStrategy, } from "./persistence.js";
 // Gateway
@@ -18,8 +18,18 @@ export { runGenerator, runCritic, runJudge, runRole, } from "./agents.js";
 export { AgentGraph, GraphNodeSchema, GraphEdgeSchema, AgentGraphSchema, } from "./graph-schema.js";
 // Graph Runner
 export { GraphRunner } from "./graph-runner.js";
-// Verifier
+// Verifier (legacy vitest-based)
 export { extractCodeBlock, runVitestOnCode, runVerifier } from "./verifier.js";
+// Policy Verifier
+export { PolicyVerifier } from "./policy-verifier.js";
+// Code Verifier (adapter)
+export { CodeVerifier } from "./code-verifier.js";
+// Composite Verifier
+export { CompositeVerifier } from "./composite-verifier.js";
+// Domain Prompts
+export { getDomainPrompts, registerDomain, listDomains, } from "./domain-prompts.js";
+// Risk Classification
+export { classifyRisk } from "./risk.js";
 // Governance
 export { createGovernanceConfig, canMolt, triggerMolt, pause, resume, isPaused, emergencyShutdown, } from "./governance.js";
 // Handoff
@@ -28,5 +38,7 @@ export { sendArtifact, receiveArtifacts } from "./handoff.js";
 export { critiqueStrategies, applySuggestion, runEval, runImprovementCycle, } from "./improvement.js";
 // Validation
 export { validateTask, validateTestCode, MAX_TASK_LENGTH, MIN_TASK_LENGTH, } from "./validation.js";
-// Entity
+// Entity (code-specific, backward compat)
 export { CodeEntity, loadEntityWithGraph } from "./entity.js";
+// Entity (generic, pluggable)
+export { Entity } from "./entity-base.js";

package/dist/policy-verifier.d.ts

@@ -0,0 +1,29 @@
+/**
+ * PolicyVerifier: rule-based verifier that catches dangerous patterns without an LLM call.
+ */
+import type { WorkingMemory } from "./memory.js";
+import type { Verifier, VerificationResult, VerifierContext } from "./verifier-interface.js";
+/** A single policy rule. */
+export interface PolicyRule {
+    id: string;
+    description: string;
+    /** What to match against: "artifact", "task", or "both". */
+    target: "artifact" | "task" | "both";
+    /** Regex pattern string. */
+    pattern: string;
+    /** "deny" blocks the artifact; "allow" overrides deny rules in the same category. */
+    action: "deny" | "allow";
+    category: string;
+    enabled: boolean;
+}
+/**
+ * Rule-based policy verifier. Checks artifacts and tasks against deny/allow rules.
+ * Allow rules in the same category override deny rules.
+ */
+export declare class PolicyVerifier implements Verifier {
+    readonly name = "PolicyVerifier";
+    private rules;
+    constructor(customRules?: PolicyRule[]);
+    verify(memory: WorkingMemory, context?: VerifierContext): Promise<VerificationResult>;
+    private getTargetText;
+}

package/dist/policy-verifier.js

@@ -0,0 +1,90 @@
+/**
+ * PolicyVerifier: rule-based verifier that catches dangerous patterns without an LLM call.
+ */
+// --- Built-in deny rules ---
+const BUILTIN_RULES = [
+    // Destructive commands
+    { id: "cmd-rm-rf", description: "Recursive force delete", target: "artifact", pattern: "\\brm\\s+-rf\\b", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-rm-r", description: "Recursive delete", target: "artifact", pattern: "\\brm\\s+-r\\s+/", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-drop-table", description: "SQL DROP TABLE", target: "artifact", pattern: "\\bDROP\\s+(TABLE|DATABASE)\\b", action: "deny", category: "destructive-sql", enabled: true },
+    { id: "cmd-truncate", description: "SQL TRUNCATE", target: "artifact", pattern: "\\bTRUNCATE\\s+TABLE\\b", action: "deny", category: "destructive-sql", enabled: true },
+    { id: "cmd-dd", description: "Raw disk write (dd)", target: "artifact", pattern: "\\bdd\\s+if=", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-chmod-777", description: "World-writable permissions", target: "artifact", pattern: "\\bchmod\\s+777\\b", action: "deny", category: "destructive-cmd", enabled: true },
+    { id: "cmd-mkfs", description: "Filesystem creation", target: "artifact", pattern: "\\bmkfs\\b", action: "deny", category: "destructive-cmd", enabled: true },
+    // Sensitive file paths
+    { id: "path-ssh", description: "SSH directory access", target: "both", pattern: "~?\\/?\\.ssh\\/", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-etc-passwd", description: "/etc/passwd access", target: "both", pattern: "\\/etc\\/passwd\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-etc-shadow", description: "/etc/shadow access", target: "both", pattern: "\\/etc\\/shadow\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-dotenv", description: ".env file access", target: "artifact", pattern: "\\.(env|env\\.local|env\\.production)\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-id-rsa", description: "Private key file", target: "both", pattern: "\\bid_rsa\\b|\\bid_ed25519\\b", action: "deny", category: "sensitive-path", enabled: true },
+    { id: "path-credentials", description: "Credentials file", target: "both", pattern: "\\bcredentials\\.(json|yaml|yml|xml)\\b", action: "deny", category: "sensitive-path", enabled: true },
+    // Hardcoded secrets
+    { id: "secret-api-key", description: "Hardcoded API key pattern", target: "artifact", pattern: "(api[_-]?key|apikey)\\s*[=:]\\s*[\"'][A-Za-z0-9_\\-]{20,}", action: "deny", category: "hardcoded-secret", enabled: true },
+    { id: "secret-password", description: "Hardcoded password", target: "artifact", pattern: "(password|passwd|pwd)\\s*[=:]\\s*[\"'][^\"']{4,}", action: "deny", category: "hardcoded-secret", enabled: true },
+    { id: "secret-private-key", description: "Private key material", target: "artifact", pattern: "-----BEGIN\\s+(RSA|EC|DSA|OPENSSH)?\\s*PRIVATE\\s+KEY-----", action: "deny", category: "hardcoded-secret", enabled: true },
+    { id: "secret-token", description: "Hardcoded token/secret", target: "artifact", pattern: "(secret|token)\\s*[=:]\\s*[\"'][A-Za-z0-9_\\-]{20,}", action: "deny", category: "hardcoded-secret", enabled: true },
+    // Data exfiltration
+    { id: "exfil-curl-post", description: "curl POST request", target: "artifact", pattern: "\\bcurl\\s+.*-X\\s*POST\\b", action: "deny", category: "exfiltration", enabled: true },
+    { id: "exfil-wget", description: "wget to HTTP", target: "artifact", pattern: "\\bwget\\s+http", action: "deny", category: "exfiltration", enabled: true },
+];
+/**
+ * Rule-based policy verifier. Checks artifacts and tasks against deny/allow rules.
+ * Allow rules in the same category override deny rules.
+ */
+export class PolicyVerifier {
+    name = "PolicyVerifier";
+    rules;
+    constructor(customRules) {
+        this.rules = [...BUILTIN_RULES];
+        if (customRules) {
+            this.rules.push(...customRules);
+        }
+    }
+    async verify(memory, context) {
+        const artifact = memory.finalCandidate || "";
+        const task = context?.task ?? memory.task ?? "";
+        const violations = [];
+        const allowedCategories = new Set();
+        // First pass: collect allowed categories
+        for (const rule of this.rules) {
+            if (!rule.enabled || rule.action !== "allow")
+                continue;
+            const text = this.getTargetText(rule.target, artifact, task);
+            const regex = new RegExp(rule.pattern, "i");
+            if (regex.test(text)) {
+                allowedCategories.add(rule.category);
+            }
+        }
+        // Second pass: check deny rules (skip allowed categories)
+        for (const rule of this.rules) {
+            if (!rule.enabled || rule.action !== "deny")
+                continue;
+            if (allowedCategories.has(rule.category))
+                continue;
+            const text = this.getTargetText(rule.target, artifact, task);
+            const regex = new RegExp(rule.pattern, "i");
+            if (regex.test(text)) {
+                violations.push(`[${rule.id}] ${rule.description}`);
+            }
+        }
+        if (violations.length > 0) {
+            return {
+                passed: false,
+                evidence: `Policy violations:\n${violations.join("\n")}`,
+                verifierName: this.name,
+            };
+        }
+        return {
+            passed: true,
+            evidence: "All policy rules passed.",
+            verifierName: this.name,
+        };
+    }
+    getTargetText(target, artifact, task) {
+        if (target === "artifact")
+            return artifact;
+        if (target === "task")
+            return task;
+        return `${task}\n${artifact}`;
+    }
+}

package/dist/risk.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Risk classification: keyword-based risk levels for tasks.
+ */
+export type RiskLevel = "low" | "medium" | "high";
+export interface RiskClassification {
+    level: RiskLevel;
+    reasons: string[];
+}
+/**
+ * Classify a task's risk level based on keyword/pattern matching.
+ * Returns the highest risk level found and all matching reasons.
+ */
+export declare function classifyRisk(task: string): RiskClassification;

package/dist/risk.js

@@ -0,0 +1,63 @@
+/**
+ * Risk classification: keyword-based risk levels for tasks.
+ */
+const RISK_PATTERNS = [
+    // High: destructive operations
+    { pattern: /\brm\s+-rf\b/i, level: "high", reason: "Recursive file deletion (rm -rf)" },
+    { pattern: /\brm\s+-r\b/i, level: "high", reason: "Recursive file deletion (rm -r)" },
+    { pattern: /\brmdir\b/i, level: "high", reason: "Directory removal" },
+    { pattern: /\bdrop\s+(table|database)\b/i, level: "high", reason: "SQL DROP statement" },
+    { pattern: /\btruncate\s+table\b/i, level: "high", reason: "SQL TRUNCATE statement" },
+    { pattern: /\bformat\s+[a-z]:/i, level: "high", reason: "Disk format command" },
+    { pattern: /\bmkfs\b/i, level: "high", reason: "Filesystem creation (mkfs)" },
+    { pattern: /\bdd\s+if=/i, level: "high", reason: "Raw disk write (dd)" },
+    // High: privilege escalation
+    { pattern: /\bsudo\b/i, level: "high", reason: "Sudo privilege escalation" },
+    { pattern: /\bchmod\s+777\b/i, level: "high", reason: "World-writable permissions (chmod 777)" },
+    { pattern: /\bchmod\s+\+s\b/i, level: "high", reason: "Set-UID/GID bit (chmod +s)" },
+    // High: credential/key access
+    { pattern: /\b(private[_\s]?key|id_rsa|id_ed25519)\b/i, level: "high", reason: "Private key access" },
+    { pattern: /\/etc\/shadow\b/i, level: "high", reason: "Shadow password file access" },
+    { pattern: /~?\/?\.ssh\//i, level: "high", reason: "SSH directory access" },
+    { pattern: /\bcredentials?\.(json|yaml|yml|xml|conf)\b/i, level: "high", reason: "Credentials file access" },
+    // High: system modification
+    { pattern: /\/etc\/passwd\b/i, level: "high", reason: "System password file access" },
+    { pattern: /\bsystemctl\s+(stop|disable|mask)\b/i, level: "high", reason: "System service modification" },
+    { pattern: /\bkill\s+-9\b/i, level: "high", reason: "Force kill process" },
+    // Medium: network operations
+    { pattern: /\bcurl\b/i, level: "medium", reason: "Network request (curl)" },
+    { pattern: /\bwget\b/i, level: "medium", reason: "Network download (wget)" },
+    { pattern: /\bfetch\s*\(/i, level: "medium", reason: "Network fetch call" },
+    { pattern: /\bhttp(s)?:\/\//i, level: "medium", reason: "HTTP URL reference" },
+    // Medium: file writes
+    { pattern: /\bwrite\s*file\b/i, level: "medium", reason: "File write operation" },
+    { pattern: /\bfs\.write/i, level: "medium", reason: "Filesystem write (fs.write)" },
+    { pattern: /\bfs\.unlink/i, level: "medium", reason: "File deletion (fs.unlink)" },
+    // Medium: database modifications
+    { pattern: /\b(insert|update|delete|alter)\s+(into|from|table)\b/i, level: "medium", reason: "Database modification" },
+    // Medium: subprocess spawning
+    { pattern: /\bexec\s*\(/i, level: "medium", reason: "Subprocess execution (exec)" },
+    { pattern: /\bspawn\s*\(/i, level: "medium", reason: "Subprocess spawning" },
+    { pattern: /\bchild_process\b/i, level: "medium", reason: "Child process module" },
+    { pattern: /\beval\s*\(/i, level: "medium", reason: "Dynamic code evaluation (eval)" },
+];
+/**
+ * Classify a task's risk level based on keyword/pattern matching.
+ * Returns the highest risk level found and all matching reasons.
+ */
+export function classifyRisk(task) {
+    const reasons = [];
+    let level = "low";
+    for (const { pattern, level: patternLevel, reason } of RISK_PATTERNS) {
+        if (pattern.test(task)) {
+            reasons.push(reason);
+            if (patternLevel === "high") {
+                level = "high";
+            }
+            else if (patternLevel === "medium" && level !== "high") {
+                level = "medium";
+            }
+        }
+    }
+    return { level, reasons };
+}

package/dist/verifier-interface.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Pluggable verifier interface: any verification strategy implements this contract.
+ */
+import type { WorkingMemory } from "./memory.js";
+/** Result of a single verification run. */
+export interface VerificationResult {
+    passed: boolean;
+    evidence: string;
+    verifierName: string;
+    /** Per-verifier details when running a composite verifier. */
+    details?: VerificationResult[];
+}
+/** Context passed to verifiers alongside working memory. */
+export interface VerifierContext {
+    task?: string;
+    testCode?: string;
+    domain?: string;
+    meta?: Record<string, unknown>;
+}
+/** A verifier that can gate artifacts before they gain authority. */
+export interface Verifier {
+    readonly name: string;
+    verify(memory: WorkingMemory, context?: VerifierContext): Promise<VerificationResult>;
+}

package/dist/verifier-interface.js

@@ -0,0 +1,4 @@
+/**
+ * Pluggable verifier interface: any verification strategy implements this contract.
+ */
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moltblock",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Framework for building evolving composite AI intelligences (Entities)",
   "type": "module",
   "main": "dist/index.js",
@@ -41,7 +41,8 @@
   },
   "files": [
     "dist",
-    "config"
+    "config",
+    "skill"
   ],
   "dependencies": {
     "better-sqlite3": "^12.6.2",

package/skill/SKILL.md

@@ -0,0 +1,103 @@
+# moltblock — Trust Layer for AI Agents
+
+## Description
+
+Moltblock provides verification gating for AI-generated artifacts. Before any high-risk action (file deletion, credential access, system modification, network exfiltration), the `moltblock_verify` tool runs policy checks and optional code verification to catch dangerous patterns.
+
+## When to Use
+
+Use `moltblock_verify` when the task involves:
+
+- **High risk** (always verify): Destructive operations (`rm -rf`, `DROP TABLE`), privilege escalation (`sudo`, `chmod 777`), credential/key access (`.ssh/`, `id_rsa`, `.env`), system modification, raw disk writes
+- **Medium risk** (verify when uncertain): Network requests (`curl`, `wget`, `fetch`), file writes, database modifications, subprocess spawning, dynamic code evaluation
+- **Low risk** (skip verification): Simple text responses, math, reading public information, code that doesn't touch the filesystem or network
+
+## Tool: moltblock_verify
+
+Verify a task before execution.
+
+### Usage
+
+```bash
+npx moltblock "<task description>" --provider <provider> --json
+```
+
+### Parameters
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| task | Yes | The task description to verify |
+| --provider | No | LLM provider: openai, google, zai, local (auto-detected from env) |
+| --model | No | Model override |
+| --test | No | Path to test file (for code verification) |
+| --json | No | Output structured JSON result |
+
+### Environment Variables
+
+Set one of these for provider auto-detection:
+- `OPENAI_API_KEY` — OpenAI
+- `GOOGLE_API_KEY` — Google/Gemini
+- `MOLTBLOCK_ZAI_API_KEY` — ZAI
+
+### Example
+
+```bash
+# Verify a potentially dangerous task
+npx moltblock "delete all temporary files older than 30 days" --json
+
+# Verify code with tests
+npx moltblock "implement user authentication" --test ./tests/auth.test.ts --json
+```
+
+### Output (JSON mode)
+
+```json
+{
+  "task": "...",
+  "verificationPassed": true,
+  "verificationEvidence": "All policy rules passed.",
+  "riskLevel": "high",
+  "riskReasons": ["Recursive file deletion (rm -rf)"]
+}
+```
+
+## Installation
+
+```bash
+npm install -g moltblock
+```
+
+Or use directly with npx (no install needed):
+
+```bash
+npx moltblock "your task" --json
+```
+
+## Configuration
+
+Optional. Place `moltblock.json` in your project root or `~/.moltblock/moltblock.json`:
+
+```json
+{
+  "agent": {
+    "bindings": {
+      "generator": { "backend": "google", "base_url": "https://generativelanguage.googleapis.com/v1beta/openai/", "model": "gemini-2.0-flash" },
+      "critic": { "backend": "google", "base_url": "https://generativelanguage.googleapis.com/v1beta/openai/", "model": "gemini-2.0-flash" },
+      "judge": { "backend": "google", "base_url": "https://generativelanguage.googleapis.com/v1beta/openai/", "model": "gemini-2.0-flash" }
+    }
+  },
+  "policy": {
+    "rules": [
+      {
+        "id": "custom-allow-tmp",
+        "description": "Allow operations in /tmp",
+        "target": "artifact",
+        "pattern": "\\/tmp\\/",
+        "action": "allow",
+        "category": "destructive-cmd",
+        "enabled": true
+      }
+    ]
+  }
+}
+```