nexus-prime 7.9.7 → 7.9.8

package/dist/engines/orchestrator/scoring.js

@@ -293,6 +293,9 @@ export function decideWorkers(requestedWorkers, plannedWorkers, phaseCount, inte
     if (typeof requestedWorkers === 'number' && requestedWorkers > 0) {
         return Math.max(1, Math.min(7, requestedWorkers));
     }
+    if (intent.taskType === 'release') {
+        return 1;
+    }
     if (intent.riskClass !== 'high'
         && intent.complexity <= 3
         && phaseCount <= 2

package/dist/engines/orchestrator.js

@@ -2316,6 +2316,23 @@ export class OrchestratorEngine {
             limit: 4,
             selector: 'name',
         });
+        const selectedWorkflowValues = intent.taskType === 'release'
+            ? dedupeStrings(['release-pipeline', ...workflowSelection.selectedValues])
+            : workflowSelection.selectedValues;
+        const workflowSelectedEntries = [
+            ...workflowSelection.selectedEntries,
+            ...selectedWorkflowValues
+                .filter((value) => !workflowSelection.selectedEntries.some((entry) => entry.name === value || entry.id === value))
+                .map((value) => this.toArtifactAuditEntry('workflow', value, workflowItems, {
+                score: 1,
+                source: 'planner',
+                confidence: 'high',
+                reason: 'Release intent requires the release-pipeline workflow so package, audit, and smoke evidence is collected.',
+                selector: 'name',
+                selectionPolicy: 'global-first',
+                authorityTier: this.getAuthorityTier('workflow'),
+            })),
+        ];
         const hookSelection = this.resolveCatalogVotes('hook', task, intent, hookItems, {
             explicit: options.hookSelectors,
             planner: [],
@@ -2356,7 +2373,7 @@ export class OrchestratorEngine {
             selectionSummary: {
                 specialists: specialistSelection.selectedValues.length,
                 skills: skillSelection.selectedValues.length,
-                workflows: workflowSelection.selectedValues.length,
+                workflows: selectedWorkflowValues.length,
                 hooks: hookSelection.selectedValues.length,
                 automations: automationSelection.selectedValues.length,
                 crews: crewSelection.selectedValues.length,
@@ -2367,7 +2384,7 @@ export class OrchestratorEngine {
             ...crewSelection.selectedEntries,
             ...specialistSelection.selectedEntries,
             ...skillSelection.selectedEntries,
-            ...workflowSelection.selectedEntries,
+            ...workflowSelectedEntries,
             ...hookSelection.selectedEntries,
             ...automationSelection.selectedEntries,
         ];
@@ -2388,7 +2405,7 @@ export class OrchestratorEngine {
             selectionSummary: {
                 specialists: specialistSelection.selectedValues.length,
                 skills: skillSelection.selectedValues.length,
-                workflows: workflowSelection.selectedValues.length,
+                workflows: selectedWorkflowValues.length,
                 hooks: hookSelection.selectedValues.length,
                 automations: automationSelection.selectedValues.length,
                 crews: crewSelection.selectedValues.length,
@@ -2400,7 +2417,7 @@ export class OrchestratorEngine {
             crew: crewSelection.selectedValues[0],
             specialists: specialistSelection.selectedValues,
             skills: skillSelection.selectedValues,
-            workflows: workflowSelection.selectedValues,
+            workflows: selectedWorkflowValues,
             hooks: hookSelection.selectedValues,
             automations: automationSelection.selectedValues,
             audit: {

package/dist/engines/runtime-assets.js

@@ -595,6 +595,9 @@ const SPECIALIZED_WORKFLOW_PACKS = [
                 title: 'Collect package, audit, and smoke evidence',
                 checkpoint: 'before-verify',
                 role: 'verifier',
+                bindings: [
+                    { type: 'run_command', command: 'npm run qa:release' },
+                ],
             },
             {
                 title: 'Record publish readiness and remaining blockers',

package/dist/phantom/runtime/worktree.d.ts

@@ -8,6 +8,10 @@ import { type WorktreeHealthSnapshot } from '../../engines/worktree-health.js';
 import type { MergeDecision } from '../index.js';
 import type { RuntimeWorkerResult, WorkerRole } from '../runtime.js';
 import { type CommandRecord } from './worker.js';
+export interface BindingApplicationResult {
+    modifiedFiles: string[];
+    commandRecords: CommandRecord[];
+}
 /**
  * Lightweight per-run artifact writer. Maintains a flat index of paths
  * written so callers can recover the full run artifact layout.
@@ -36,11 +40,12 @@ export declare class WorktreeSession {
     constructor(repoRoot: string, workerId: string, role: WorkerRole, recorder: ArtifactRecorder, reportHealth?: (snapshot: WorktreeHealthSnapshot) => void);
     create(): Promise<void>;
     run(command: string, allowFailure?: boolean, timeoutMs?: number): Promise<CommandRecord>;
-    applyBindings(bindings: SkillBinding[], timeoutMs?: number): Promise<string[]>;
+    applyBindings(bindings: SkillBinding[], timeoutMs?: number): Promise<BindingApplicationResult>;
     captureDiff(): Promise<string>;
     applyPatchContent(diff: string): Promise<void>;
     cleanup(): Promise<void>;
     private resolve;
+    private linkWorkspaceDependencies;
 }
 /** Thin adapter that wraps a MemoryBackend for use inside MergeOracle. */
 export declare class MergeMemoryAdapter {

package/dist/phantom/runtime/worktree.js

@@ -75,6 +75,7 @@ export class WorktreeSession {
                 cwd: this.repoRoot,
                 maxBuffer: 1024 * 1024 * 20,
             });
+            await this.linkWorkspaceDependencies();
         }
         catch (error) {
             const retryHealth = await doctorGitWorktrees(this.repoRoot);
@@ -87,6 +88,7 @@ export class WorktreeSession {
     }
     async applyBindings(bindings, timeoutMs) {
         const modified = new Set();
+        const commandRecords = [];
         for (const binding of bindings) {
             switch (binding.type) {
                 case 'write_file': {
@@ -114,12 +116,13 @@ export class WorktreeSession {
                 }
                 case 'run_command': {
                     const record = await this.run(binding.command || '', false, timeoutMs);
+                    commandRecords.push(record);
                     this.recorder.writeJson(path.join('workers', this.workerId, `${sanitizeFileName(record.command)}.json`), record);
                     break;
                 }
             }
         }
-        return [...modified];
+        return { modifiedFiles: [...modified], commandRecords };
     }
     async captureDiff() {
         try {
@@ -130,6 +133,12 @@ export class WorktreeSession {
             catch {
                 // Runtime skill overlays stay outside repo patches.
             }
+            try {
+                await exec('git reset HEAD -- node_modules', { cwd: this.worktreeDir, maxBuffer: 1024 * 1024 * 20 });
+            }
+            catch {
+                // Shared dependency symlink stays outside repo patches.
+            }
             const { stdout } = await exec('git diff --binary --cached HEAD', {
                 cwd: this.worktreeDir,
                 maxBuffer: 1024 * 1024 * 20,
@@ -167,6 +176,23 @@ export class WorktreeSession {
             return target;
         return path.join(this.worktreeDir, target);
     }
+    async linkWorkspaceDependencies() {
+        const source = path.join(this.repoRoot, 'node_modules');
+        const target = path.join(this.worktreeDir, 'node_modules');
+        try {
+            const stat = await fs.promises.lstat(source);
+            if (!stat.isDirectory() && !stat.isSymbolicLink())
+                return;
+            await fs.promises.lstat(target).then(() => undefined).catch(async (error) => {
+                if (error?.code !== 'ENOENT')
+                    throw error;
+                await fs.promises.symlink(source, target, 'dir');
+            });
+        }
+        catch {
+            // Worktrees remain valid for repos that do not use node_modules or have not installed deps.
+        }
+    }
 }
 // ─── MergeMemoryAdapter ───────────────────────────────────────────────────────
 /** Thin adapter that wraps a MemoryBackend for use inside MergeOracle. */

package/dist/phantom/runtime.d.ts

@@ -199,6 +199,7 @@ export interface RuntimeWorkerResult extends WorkerResult {
     verification?: WorkerVerification;
     artifactsPath: string;
     modifiedFiles: string[];
+    commandRecords?: CommandRecord[];
 }
 export interface PlannerResult {
     summary: string;
@@ -533,6 +534,7 @@ export declare class SubAgentRuntime {
     private applyDecision;
     private evaluatePromotions;
     private resolveCandidateDiff;
+    private isCommandOnlyOperationalSuccess;
     private resolveFileRefs;
     private discoverTargetFiles;
     private collectLibraryCounts;

package/dist/phantom/runtime.js

@@ -688,14 +688,15 @@ export class SubAgentRuntime {
             : enforcedBlockingGate
                 ? { applied: false, rolledBack: false, summary: `Review gate ${enforcedBlockingGate.gate} remains ${enforcedBlockingGate.status}.` }
                 : await this.applyDecision(recorder, { ...task, verifyCommands: beforeVerifyResolved.verifyCommands }, decision, consensusPolicy);
-        // Read-only intents (inspect/plan) don't produce a diff to apply, so applied=false
-        // is the expected outcome — not a failure. Only mark 'failed' when a shield blocked,
-        // a review gate enforced, or a mutate run produced no applicable diff.
+        const commandOnlyOperationalSuccess = this.isCommandOnlyOperationalSuccess(task, decision);
+        // Read-only and command-only operational runs don't produce a diff to apply.
+        // Only mark 'failed' when a shield blocked, a review gate enforced, or a
+        // mutate run produced neither a patch nor successful command evidence.
         const readOnlyIntent = task.intent === 'inspect' || task.intent === 'plan';
         const failureExpected = preApplyShield.blocked || Boolean(enforcedBlockingGate);
         run.state = applied.applied
             ? (applied.rolledBack ? 'rolled_back' : 'merged')
-            : (readOnlyIntent && !failureExpected ? 'inspected' : 'failed');
+            : ((readOnlyIntent || commandOnlyOperationalSuccess) && !failureExpected ? 'inspected' : 'failed');
         // Surface completion on the SSE feed so the dashboard can move the
         // run from "Running" to "Done" without a poll round-trip.
         try {
@@ -2048,13 +2049,20 @@ export class SubAgentRuntime {
                     verified: false,
                     artifactsPath: workerDir,
                     modifiedFiles: [],
+                    commandRecords: [],
                 };
             }
-            const modifiedFiles = await session.applyBindings(allowedActions, timeoutMs);
+            const bindingResult = await session.applyBindings(allowedActions, timeoutMs);
+            const modifiedFiles = bindingResult.modifiedFiles;
+            const commandRecords = bindingResult.commandRecords;
             modifiedFiles.forEach(file => {
                 this.sessionDNA?.recordFileModified(file);
                 learnings.push(`Modified ${file}`);
             });
+            if (commandRecords.length > 0) {
+                const passedCommands = commandRecords.filter((record) => record.exitCode === 0).length;
+                learnings.push(`Ran ${commandRecords.length} command binding(s), ${passedCommands} passed.`);
+            }
             const diff = await session.captureDiff();
             recorder.writeText(path.join('workers', manifest.workerId, 'diff.patch'), diff);
             podNetwork.publish(manifest.workerId, `Produced ${modifiedFiles.length} modified files`, 0.8, ['#runtime-worker']);
@@ -2063,23 +2071,30 @@ export class SubAgentRuntime {
             if (budgetExceeded) {
                 learnings.push(`Token budget exceeded: used ${estimatedTokens}, budget ${manifest.tokenBudget}`);
             }
-            nexusEventBus.emit('phantom.worker.complete', { workerId: manifest.workerId, confidence: budgetExceeded ? 0.1 : (diff.trim() ? 0.7 : 0.2) });
+            const commandOnlySuccess = !diff.trim()
+                && commandRecords.length > 0
+                && commandRecords.every((record) => record.exitCode === 0);
+            nexusEventBus.emit('phantom.worker.complete', {
+                workerId: manifest.workerId,
+                confidence: budgetExceeded ? 0.1 : (diff.trim() ? 0.7 : (commandOnlySuccess ? 0.75 : 0.2)),
+            });
             return {
                 workerId: manifest.workerId,
                 role: manifest.role,
                 taskId: runId,
                 approach: manifest.strategy,
                 diff,
-                outcome: budgetExceeded ? 'budgetExceeded' : (diff.trim() ? 'partial' : 'failed'),
-                confidence: budgetExceeded ? 0.1 : (diff.trim() ? 0.68 : 0.18),
+                outcome: budgetExceeded ? 'budgetExceeded' : (diff.trim() ? 'partial' : (commandOnlySuccess ? 'success' : 'failed')),
+                confidence: budgetExceeded ? 0.1 : (diff.trim() ? 0.68 : (commandOnlySuccess ? 0.82 : 0.18)),
                 tokensUsed: estimatedTokens,
                 tokenEstimateSource: 'runtime-estimate',
                 budgetExceeded,
                 learnings,
-                testsPassing: 0,
+                testsPassing: commandRecords.filter((record) => record.exitCode === 0).length,
                 verified: false,
                 artifactsPath: workerDir,
                 modifiedFiles,
+                commandRecords,
             };
         }
         catch (error) {
@@ -2102,6 +2117,7 @@ export class SubAgentRuntime {
                 verified: false,
                 artifactsPath: workerDir,
                 modifiedFiles: [],
+                commandRecords: [],
             };
         }
         finally {
@@ -2133,11 +2149,25 @@ export class SubAgentRuntime {
         const verifier = new WorktreeSession(this.repoRoot, `${runId}-${manifest.workerId}`, 'verifier', recorder, (snapshot) => this.recordWorktreeHealth(snapshot));
         const records = [];
         const artifactsPath = recorder.workerDir(manifest.workerId);
-        // Skip worktree creation if there is nothing to verify. An empty diff
-        // is not a verification failure — it means the worker produced no
-        // mutation (typical for inspect/plan intents). This is a skipped
-        // verification, not evidence that implementation passed.
+        const commandRecords = target?.commandRecords ?? [];
+        const commandOnlySuccess = !target?.diff?.trim()
+            && commandRecords.length > 0
+            && commandRecords.every((record) => record.exitCode === 0);
+        // Skip worktree creation if there is no diff. Command-only operational
+        // workers are verified from their command records; pure no-op workers
+        // remain skipped rather than counted as implementation evidence.
         if (!target?.diff?.trim()) {
+            if (commandOnlySuccess) {
+                return {
+                    workerId: manifest.targetWorkerId ?? 'unknown',
+                    verifierId: manifest.workerId,
+                    passed: true,
+                    status: 'passed',
+                    commands: commandRecords,
+                    summary: `Verifier accepted command-only evidence (${commandRecords.length} command binding(s) passed).`,
+                    artifactsPath,
+                };
+            }
             return {
                 workerId: manifest.targetWorkerId ?? 'unknown',
                 verifierId: manifest.workerId,
@@ -2209,6 +2239,14 @@ export class SubAgentRuntime {
     async applyDecision(recorder, task, decision, consensusPolicy) {
         const candidateDiff = this.resolveCandidateDiff(decision);
         if (!candidateDiff.trim()) {
+            if (this.isCommandOnlyOperationalSuccess(task, decision)) {
+                const records = decision.winner?.commandRecords ?? [];
+                return {
+                    applied: false,
+                    rolledBack: false,
+                    summary: `Operational workflow completed with command evidence only (${records.length} command binding(s) passed); no repository patch was required.`,
+                };
+            }
             return {
                 applied: false,
                 rolledBack: false,
@@ -2409,6 +2447,20 @@ export class SubAgentRuntime {
         }
         return decision.winner?.diff ?? '';
     }
+    isCommandOnlyOperationalSuccess(task, decision) {
+        if (decision.action === 'reject')
+            return false;
+        if (this.resolveCandidateDiff(decision).trim())
+            return false;
+        const winner = decision.winner;
+        const records = winner?.commandRecords ?? [];
+        if (records.length === 0 || !records.every((record) => record.exitCode === 0)) {
+            return false;
+        }
+        return task.releasePolicy.mode === 'ship-ready'
+            || task.workflowSelectors.some((selector) => /release|deploy|publish|ci|smoke|audit/i.test(selector))
+            || /release|publish|deploy|npm|github action|ci\/cd|smoke|audit/i.test(task.goal);
+    }
     async resolveFileRefs(files) {
         return Promise.all(files.map(async (file) => {
             const resolved = path.isAbsolute(file) ? file : path.join(this.repoRoot, file);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nexus-prime",
-  "version": "7.9.7",
+  "version": "7.9.8",
   "description": "Local-first MCP control plane for coding agents with bootstrap-orchestrate execution, memory fabric, token budgeting, and worktree-backed swarms",
   "type": "module",
   "main": "dist/index.js",