oh-my-super-agent 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.agents/agents/advisor.md +15 -0
- package/.agents/agents/conductor.md +32 -0
- package/.agents/agents/dreamer.md +13 -0
- package/.agents/agents/executor.md +17 -0
- package/.agents/agents/grader.md +15 -0
- package/.agents/config/endurance-policy.json +8 -0
- package/.agents/config/oms-config.json +119 -0
- package/.agents/config/release-policy.json +12 -0
- package/.agents/config/secret-scan-policy.json +7 -0
- package/.agents/config/verification-plan.json +33 -0
- package/.agents/registry.json +11 -0
- package/.agents/rules/constitution.md +7 -0
- package/.agents/skills/conductor/SKILL.md +23 -0
- package/.agents/skills/dream/SKILL.md +14 -0
- package/.agents/skills/executor/SKILL.md +13 -0
- package/.agents/skills/oms/SKILL.md +52 -0
- package/.agents/skills/quota-aware/SKILL.md +12 -0
- package/.agents/skills/schedule/SKILL.md +13 -0
- package/.agents/skills/team-protocol/SKILL.md +20 -0
- package/LICENSE +21 -0
- package/README.md +146 -0
- package/dist/src/audit/run-ledger.d.ts +183 -0
- package/dist/src/audit/run-ledger.js +1655 -0
- package/dist/src/audit/run-ledger.js.map +1 -0
- package/dist/src/cli.d.ts +61 -0
- package/dist/src/cli.js +2096 -0
- package/dist/src/cli.js.map +1 -0
- package/dist/src/commands/github-queue-probe.d.ts +26 -0
- package/dist/src/commands/github-queue-probe.js +51 -0
- package/dist/src/commands/github-queue-probe.js.map +1 -0
- package/dist/src/commands/trace-fixture.d.ts +20 -0
- package/dist/src/commands/trace-fixture.js +72 -0
- package/dist/src/commands/trace-fixture.js.map +1 -0
- package/dist/src/conductor/activity.d.ts +46 -0
- package/dist/src/conductor/activity.js +224 -0
- package/dist/src/conductor/activity.js.map +1 -0
- package/dist/src/conductor/bridge.d.ts +53 -0
- package/dist/src/conductor/bridge.js +652 -0
- package/dist/src/conductor/bridge.js.map +1 -0
- package/dist/src/conductor/notifications.d.ts +59 -0
- package/dist/src/conductor/notifications.js +381 -0
- package/dist/src/conductor/notifications.js.map +1 -0
- package/dist/src/conductor/recovery.d.ts +29 -0
- package/dist/src/conductor/recovery.js +198 -0
- package/dist/src/conductor/recovery.js.map +1 -0
- package/dist/src/conductor/start.d.ts +73 -0
- package/dist/src/conductor/start.js +519 -0
- package/dist/src/conductor/start.js.map +1 -0
- package/dist/src/conductor/waiter.d.ts +88 -0
- package/dist/src/conductor/waiter.js +427 -0
- package/dist/src/conductor/waiter.js.map +1 -0
- package/dist/src/config.d.ts +9 -0
- package/dist/src/config.js +40 -0
- package/dist/src/config.js.map +1 -0
- package/dist/src/dispatch/advice-source.d.ts +61 -0
- package/dist/src/dispatch/advice-source.js +198 -0
- package/dist/src/dispatch/advice-source.js.map +1 -0
- package/dist/src/dispatch/advice-store.d.ts +41 -0
- package/dist/src/dispatch/advice-store.js +201 -0
- package/dist/src/dispatch/advice-store.js.map +1 -0
- package/dist/src/dispatch/advice.d.ts +34 -0
- package/dist/src/dispatch/advice.js +371 -0
- package/dist/src/dispatch/advice.js.map +1 -0
- package/dist/src/dispatch/authority.d.ts +124 -0
- package/dist/src/dispatch/authority.js +1202 -0
- package/dist/src/dispatch/authority.js.map +1 -0
- package/dist/src/dispatch/intent.d.ts +66 -0
- package/dist/src/dispatch/intent.js +71 -0
- package/dist/src/dispatch/intent.js.map +1 -0
- package/dist/src/dispatch/runtime-authority.d.ts +42 -0
- package/dist/src/dispatch/runtime-authority.js +52 -0
- package/dist/src/dispatch/runtime-authority.js.map +1 -0
- package/dist/src/doctor.d.ts +20 -0
- package/dist/src/doctor.js +85 -0
- package/dist/src/doctor.js.map +1 -0
- package/dist/src/domain/records.d.ts +44 -0
- package/dist/src/domain/records.js +138 -0
- package/dist/src/domain/records.js.map +1 -0
- package/dist/src/domain/role-policy.d.ts +67 -0
- package/dist/src/domain/role-policy.js +547 -0
- package/dist/src/domain/role-policy.js.map +1 -0
- package/dist/src/events/bus.d.ts +32 -0
- package/dist/src/events/bus.js +115 -0
- package/dist/src/events/bus.js.map +1 -0
- package/dist/src/events/kinds.d.ts +126 -0
- package/dist/src/events/kinds.js +14 -0
- package/dist/src/events/kinds.js.map +1 -0
- package/dist/src/evidence/immutable-file.d.ts +12 -0
- package/dist/src/evidence/immutable-file.js +141 -0
- package/dist/src/evidence/immutable-file.js.map +1 -0
- package/dist/src/evidence/store.d.ts +125 -0
- package/dist/src/evidence/store.js +1189 -0
- package/dist/src/evidence/store.js.map +1 -0
- package/dist/src/evidence/verdict.d.ts +17 -0
- package/dist/src/evidence/verdict.js +23 -0
- package/dist/src/evidence/verdict.js.map +1 -0
- package/dist/src/generation/agent.d.ts +5 -0
- package/dist/src/generation/agent.js +34 -0
- package/dist/src/generation/agent.js.map +1 -0
- package/dist/src/generation/frontmatter.d.ts +7 -0
- package/dist/src/generation/frontmatter.js +33 -0
- package/dist/src/generation/frontmatter.js.map +1 -0
- package/dist/src/github/adapter.d.ts +44 -0
- package/dist/src/github/adapter.js +592 -0
- package/dist/src/github/adapter.js.map +1 -0
- package/dist/src/github/dispatch-eligibility.d.ts +9 -0
- package/dist/src/github/dispatch-eligibility.js +94 -0
- package/dist/src/github/dispatch-eligibility.js.map +1 -0
- package/dist/src/github/projector.d.ts +23 -0
- package/dist/src/github/projector.js +181 -0
- package/dist/src/github/projector.js.map +1 -0
- package/dist/src/github/review.d.ts +39 -0
- package/dist/src/github/review.js +1450 -0
- package/dist/src/github/review.js.map +1 -0
- package/dist/src/github/sync.d.ts +21 -0
- package/dist/src/github/sync.js +518 -0
- package/dist/src/github/sync.js.map +1 -0
- package/dist/src/github/types.d.ts +134 -0
- package/dist/src/github/types.js +11 -0
- package/dist/src/github/types.js.map +1 -0
- package/dist/src/goals/artifact-store.d.ts +31 -0
- package/dist/src/goals/artifact-store.js +241 -0
- package/dist/src/goals/artifact-store.js.map +1 -0
- package/dist/src/goals/authority.d.ts +112 -0
- package/dist/src/goals/authority.js +621 -0
- package/dist/src/goals/authority.js.map +1 -0
- package/dist/src/goals/native-snapshot.d.ts +12 -0
- package/dist/src/goals/native-snapshot.js +53 -0
- package/dist/src/goals/native-snapshot.js.map +1 -0
- package/dist/src/goals/runtime-authority.d.ts +7 -0
- package/dist/src/goals/runtime-authority.js +20 -0
- package/dist/src/goals/runtime-authority.js.map +1 -0
- package/dist/src/health/release-assessment.d.ts +11 -0
- package/dist/src/health/release-assessment.js +83 -0
- package/dist/src/health/release-assessment.js.map +1 -0
- package/dist/src/health/release-policy.d.ts +16 -0
- package/dist/src/health/release-policy.js +40 -0
- package/dist/src/health/release-policy.js.map +1 -0
- package/dist/src/hooks/native.d.ts +30 -0
- package/dist/src/hooks/native.js +495 -0
- package/dist/src/hooks/native.js.map +1 -0
- package/dist/src/hooks/provider-runtime.d.ts +55 -0
- package/dist/src/hooks/provider-runtime.js +479 -0
- package/dist/src/hooks/provider-runtime.js.map +1 -0
- package/dist/src/hooks/provider.d.ts +102 -0
- package/dist/src/hooks/provider.js +358 -0
- package/dist/src/hooks/provider.js.map +1 -0
- package/dist/src/live/contact-journal.d.ts +73 -0
- package/dist/src/live/contact-journal.js +439 -0
- package/dist/src/live/contact-journal.js.map +1 -0
- package/dist/src/live-probes/gh-adapter.d.ts +28 -0
- package/dist/src/live-probes/gh-adapter.js +188 -0
- package/dist/src/live-probes/gh-adapter.js.map +1 -0
- package/dist/src/live-probes/github-queue.d.ts +1 -0
- package/dist/src/live-probes/github-queue.js +2 -0
- package/dist/src/live-probes/github-queue.js.map +1 -0
- package/dist/src/notifications/slack-request.d.ts +13 -0
- package/dist/src/notifications/slack-request.js +40 -0
- package/dist/src/notifications/slack-request.js.map +1 -0
- package/dist/src/outbox/processor.d.ts +27 -0
- package/dist/src/outbox/processor.js +63 -0
- package/dist/src/outbox/processor.js.map +1 -0
- package/dist/src/outbox/store.d.ts +158 -0
- package/dist/src/outbox/store.js +834 -0
- package/dist/src/outbox/store.js.map +1 -0
- package/dist/src/package-root.d.ts +1 -0
- package/dist/src/package-root.js +26 -0
- package/dist/src/package-root.js.map +1 -0
- package/dist/src/project.d.ts +12 -0
- package/dist/src/project.js +60 -0
- package/dist/src/project.js.map +1 -0
- package/dist/src/projection/generated-file.d.ts +15 -0
- package/dist/src/projection/generated-file.js +72 -0
- package/dist/src/projection/generated-file.js.map +1 -0
- package/dist/src/projection/project-workspace.d.ts +11 -0
- package/dist/src/projection/project-workspace.js +94 -0
- package/dist/src/projection/project-workspace.js.map +1 -0
- package/dist/src/projection/registry.d.ts +15 -0
- package/dist/src/projection/registry.js +59 -0
- package/dist/src/projection/registry.js.map +1 -0
- package/dist/src/projection/safe-path.d.ts +4 -0
- package/dist/src/projection/safe-path.js +106 -0
- package/dist/src/projection/safe-path.js.map +1 -0
- package/dist/src/providers/claude-interactive.d.ts +38 -0
- package/dist/src/providers/claude-interactive.js +287 -0
- package/dist/src/providers/claude-interactive.js.map +1 -0
- package/dist/src/providers/claude-structured-bridge.d.ts +32 -0
- package/dist/src/providers/claude-structured-bridge.js +215 -0
- package/dist/src/providers/claude-structured-bridge.js.map +1 -0
- package/dist/src/providers/claude-structured-completion.d.ts +23 -0
- package/dist/src/providers/claude-structured-completion.js +229 -0
- package/dist/src/providers/claude-structured-completion.js.map +1 -0
- package/dist/src/providers/claude-structured-pane.d.ts +23 -0
- package/dist/src/providers/claude-structured-pane.js +156 -0
- package/dist/src/providers/claude-structured-pane.js.map +1 -0
- package/dist/src/providers/claude-structured-store.d.ts +48 -0
- package/dist/src/providers/claude-structured-store.js +212 -0
- package/dist/src/providers/claude-structured-store.js.map +1 -0
- package/dist/src/providers/claude-structured.d.ts +56 -0
- package/dist/src/providers/claude-structured.js +250 -0
- package/dist/src/providers/claude-structured.js.map +1 -0
- package/dist/src/providers/codex-exec.d.ts +29 -0
- package/dist/src/providers/codex-exec.js +127 -0
- package/dist/src/providers/codex-exec.js.map +1 -0
- package/dist/src/providers/grading.d.ts +2 -0
- package/dist/src/providers/grading.js +20 -0
- package/dist/src/providers/grading.js.map +1 -0
- package/dist/src/providers/native-dispatch.d.ts +24 -0
- package/dist/src/providers/native-dispatch.js +34 -0
- package/dist/src/providers/native-dispatch.js.map +1 -0
- package/dist/src/providers/preflight.d.ts +65 -0
- package/dist/src/providers/preflight.js +256 -0
- package/dist/src/providers/preflight.js.map +1 -0
- package/dist/src/providers/process.d.ts +18 -0
- package/dist/src/providers/process.js +21 -0
- package/dist/src/providers/process.js.map +1 -0
- package/dist/src/queue/model.d.ts +37 -0
- package/dist/src/queue/model.js +51 -0
- package/dist/src/queue/model.js.map +1 -0
- package/dist/src/queue/service.d.ts +1 -0
- package/dist/src/queue/service.js +2 -0
- package/dist/src/queue/service.js.map +1 -0
- package/dist/src/reflections/store.d.ts +21 -0
- package/dist/src/reflections/store.js +60 -0
- package/dist/src/reflections/store.js.map +1 -0
- package/dist/src/reports/daily-trust.d.ts +11 -0
- package/dist/src/reports/daily-trust.js +98 -0
- package/dist/src/reports/daily-trust.js.map +1 -0
- package/dist/src/runs/controller.d.ts +187 -0
- package/dist/src/runs/controller.js +1182 -0
- package/dist/src/runs/controller.js.map +1 -0
- package/dist/src/runtime/composition.d.ts +9 -0
- package/dist/src/runtime/composition.js +35 -0
- package/dist/src/runtime/composition.js.map +1 -0
- package/dist/src/runtime/endurance-authorities.d.ts +44 -0
- package/dist/src/runtime/endurance-authorities.js +101 -0
- package/dist/src/runtime/endurance-authorities.js.map +1 -0
- package/dist/src/runtime/endurance-policy.d.ts +12 -0
- package/dist/src/runtime/endurance-policy.js +13 -0
- package/dist/src/runtime/endurance-policy.js.map +1 -0
- package/dist/src/runtime/lock.d.ts +63 -0
- package/dist/src/runtime/lock.js +577 -0
- package/dist/src/runtime/lock.js.map +1 -0
- package/dist/src/runtime/process-identity.d.ts +10 -0
- package/dist/src/runtime/process-identity.js +43 -0
- package/dist/src/runtime/process-identity.js.map +1 -0
- package/dist/src/runtime/quota.d.ts +130 -0
- package/dist/src/runtime/quota.js +590 -0
- package/dist/src/runtime/quota.js.map +1 -0
- package/dist/src/runtime/record-store.d.ts +45 -0
- package/dist/src/runtime/record-store.js +272 -0
- package/dist/src/runtime/record-store.js.map +1 -0
- package/dist/src/runtime/schema.d.ts +28 -0
- package/dist/src/runtime/schema.js +194 -0
- package/dist/src/runtime/schema.js.map +1 -0
- package/dist/src/runtime/stable-id.d.ts +3 -0
- package/dist/src/runtime/stable-id.js +27 -0
- package/dist/src/runtime/stable-id.js.map +1 -0
- package/dist/src/runtime/system-clock.d.ts +8 -0
- package/dist/src/runtime/system-clock.js +35 -0
- package/dist/src/runtime/system-clock.js.map +1 -0
- package/dist/src/schedule/service-plan.d.ts +58 -0
- package/dist/src/schedule/service-plan.js +327 -0
- package/dist/src/schedule/service-plan.js.map +1 -0
- package/dist/src/schedule/user-installation.d.ts +62 -0
- package/dist/src/schedule/user-installation.js +701 -0
- package/dist/src/schedule/user-installation.js.map +1 -0
- package/dist/src/schedule/user-plan.d.ts +47 -0
- package/dist/src/schedule/user-plan.js +286 -0
- package/dist/src/schedule/user-plan.js.map +1 -0
- package/dist/src/scheduler/minute.d.ts +31 -0
- package/dist/src/scheduler/minute.js +441 -0
- package/dist/src/scheduler/minute.js.map +1 -0
- package/dist/src/schemas/registry.d.ts +10 -0
- package/dist/src/schemas/registry.js +36 -0
- package/dist/src/schemas/registry.js.map +1 -0
- package/dist/src/security/secret-scan.d.ts +50 -0
- package/dist/src/security/secret-scan.js +384 -0
- package/dist/src/security/secret-scan.js.map +1 -0
- package/dist/src/sessions/registry.d.ts +89 -0
- package/dist/src/sessions/registry.js +443 -0
- package/dist/src/sessions/registry.js.map +1 -0
- package/dist/src/state.d.ts +27 -0
- package/dist/src/state.js +235 -0
- package/dist/src/state.js.map +1 -0
- package/dist/src/status/hud.d.ts +37 -0
- package/dist/src/status/hud.js +88 -0
- package/dist/src/status/hud.js.map +1 -0
- package/dist/src/team/plan.d.ts +31 -0
- package/dist/src/team/plan.js +184 -0
- package/dist/src/team/plan.js.map +1 -0
- package/dist/src/team/projection.d.ts +24 -0
- package/dist/src/team/projection.js +79 -0
- package/dist/src/team/projection.js.map +1 -0
- package/dist/src/tickets/admission.d.ts +34 -0
- package/dist/src/tickets/admission.js +169 -0
- package/dist/src/tickets/admission.js.map +1 -0
- package/dist/src/tickets/materializer.d.ts +1 -0
- package/dist/src/tickets/materializer.js +2 -0
- package/dist/src/tickets/materializer.js.map +1 -0
- package/dist/src/tickets/runtime-authority.d.ts +32 -0
- package/dist/src/tickets/runtime-authority.js +46 -0
- package/dist/src/tickets/runtime-authority.js.map +1 -0
- package/dist/src/tickets/store.d.ts +221 -0
- package/dist/src/tickets/store.js +2025 -0
- package/dist/src/tickets/store.js.map +1 -0
- package/dist/src/tracer/one-ticket.d.ts +58 -0
- package/dist/src/tracer/one-ticket.js +578 -0
- package/dist/src/tracer/one-ticket.js.map +1 -0
- package/dist/src/trust/assessment.d.ts +24 -0
- package/dist/src/trust/assessment.js +124 -0
- package/dist/src/trust/assessment.js.map +1 -0
- package/dist/src/trust/runs.d.ts +13 -0
- package/dist/src/trust/runs.js +46 -0
- package/dist/src/trust/runs.js.map +1 -0
- package/dist/src/types.d.ts +6 -0
- package/dist/src/types.js +2 -0
- package/dist/src/types.js.map +1 -0
- package/dist/src/utils/fs.d.ts +13 -0
- package/dist/src/utils/fs.js +188 -0
- package/dist/src/utils/fs.js.map +1 -0
- package/dist/src/verification/authority.d.ts +28 -0
- package/dist/src/verification/authority.js +153 -0
- package/dist/src/verification/authority.js.map +1 -0
- package/dist/src/verification/grade-source.d.ts +17 -0
- package/dist/src/verification/grade-source.js +30 -0
- package/dist/src/verification/grade-source.js.map +1 -0
- package/dist/src/verification/plan.d.ts +20 -0
- package/dist/src/verification/plan.js +128 -0
- package/dist/src/verification/plan.js.map +1 -0
- package/dist/src/verification/protected-runner.d.ts +50 -0
- package/dist/src/verification/protected-runner.js +171 -0
- package/dist/src/verification/protected-runner.js.map +1 -0
- package/dist/src/verification/result-gate-store.d.ts +72 -0
- package/dist/src/verification/result-gate-store.js +193 -0
- package/dist/src/verification/result-gate-store.js.map +1 -0
- package/dist/src/verification/result-gate.d.ts +41 -0
- package/dist/src/verification/result-gate.js +731 -0
- package/dist/src/verification/result-gate.js.map +1 -0
- package/dist/src/verification/runner.d.ts +38 -0
- package/dist/src/verification/runner.js +143 -0
- package/dist/src/verification/runner.js.map +1 -0
- package/dist/src/verification/sandbox.d.ts +16 -0
- package/dist/src/verification/sandbox.js +199 -0
- package/dist/src/verification/sandbox.js.map +1 -0
- package/dist/src/verify.d.ts +8 -0
- package/dist/src/verify.js +35 -0
- package/dist/src/verify.js.map +1 -0
- package/dist/src/watchdog/reconcile.d.ts +42 -0
- package/dist/src/watchdog/reconcile.js +440 -0
- package/dist/src/watchdog/reconcile.js.map +1 -0
- package/dist/src/workers/bridge.d.ts +35 -0
- package/dist/src/workers/bridge.js +426 -0
- package/dist/src/workers/bridge.js.map +1 -0
- package/dist/src/workers/delivery.d.ts +31 -0
- package/dist/src/workers/delivery.js +876 -0
- package/dist/src/workers/delivery.js.map +1 -0
- package/dist/src/workers/panes.d.ts +32 -0
- package/dist/src/workers/panes.js +212 -0
- package/dist/src/workers/panes.js.map +1 -0
- package/dist/src/workers/registry.d.ts +80 -0
- package/dist/src/workers/registry.js +351 -0
- package/dist/src/workers/registry.js.map +1 -0
- package/dist/src/workers/runtime.d.ts +44 -0
- package/dist/src/workers/runtime.js +21 -0
- package/dist/src/workers/runtime.js.map +1 -0
- package/dist/src/worktrees/manager.d.ts +35 -0
- package/dist/src/worktrees/manager.js +315 -0
- package/dist/src/worktrees/manager.js.map +1 -0
- package/docs/ARCHITECTURE.md +323 -0
- package/docs/PLAN.md +216 -0
- package/docs/REFERENCES.md +42 -0
- package/docs/ROADMAP.md +327 -0
- package/docs/SECURITY.md +242 -0
- package/docs/adr/0001-tracer-first-file-backed-certification.md +41 -0
- package/docs/adr/0002-conductor-first-typed-dispatch.md +102 -0
- package/docs/adr/0003-mandatory-pre-dispatch-advice.md +59 -0
- package/docs/compatibility/claude-code-2.1.207.md +25 -0
- package/loop/contract.md +102 -0
- package/package.json +54 -0
- package/schemas/advisor-evidence.schema.json +54 -0
- package/schemas/advisor-output.schema.json +31 -0
- package/schemas/conductor-activity-payload.schema.json +38 -0
- package/schemas/conductor-decision.schema.json +29 -0
- package/schemas/conductor-dispatch-intent.schema.json +71 -0
- package/schemas/conductor-dispatch-preparation.schema.json +46 -0
- package/schemas/conductor-dispatch-proposal.schema.json +82 -0
- package/schemas/conductor-goal-proposal.schema.json +30 -0
- package/schemas/conductor-manage-worker.schema.json +17 -0
- package/schemas/conductor-notification-payload.schema.json +39 -0
- package/schemas/conductor-process-result.schema.json +14 -0
- package/schemas/conductor-route.schema.json +51 -0
- package/schemas/conductor-start-team.schema.json +16 -0
- package/schemas/conductor-waiter-payload.schema.json +68 -0
- package/schemas/deterministic-check.schema.json +107 -0
- package/schemas/dispatch-acknowledgement.schema.json +15 -0
- package/schemas/dispatch-advice-payload.schema.json +64 -0
- package/schemas/dispatch-payload.schema.json +131 -0
- package/schemas/dispatch-result.schema.json +28 -0
- package/schemas/endurance-policy.schema.json +16 -0
- package/schemas/events/dispatch-delivery-requested.schema.json +17 -0
- package/schemas/events/github-observed.schema.json +28 -0
- package/schemas/events/native-hook-observed.schema.json +35 -0
- package/schemas/events/provider-observed.schema.json +64 -0
- package/schemas/events/run-heartbeat-due.schema.json +10 -0
- package/schemas/events/slack-notification-requested.schema.json +14 -0
- package/schemas/events/structured-role-completed.schema.json +54 -0
- package/schemas/events/ticket-resume-due.schema.json +28 -0
- package/schemas/events/watchdog-lease-expired.schema.json +14 -0
- package/schemas/events/watchdog-outbox-stalled.schema.json +12 -0
- package/schemas/events/watchdog-session-stalled.schema.json +11 -0
- package/schemas/evidence-record.schema.json +37 -0
- package/schemas/executor-result.schema.json +17 -0
- package/schemas/github-observation.schema.json +33 -0
- package/schemas/github-watermark.schema.json +66 -0
- package/schemas/goal-artifact.schema.json +19 -0
- package/schemas/goal-create-input.schema.json +14 -0
- package/schemas/goal-executor-result.schema.json +18 -0
- package/schemas/goal-payload.schema.json +95 -0
- package/schemas/grader-output.schema.json +33 -0
- package/schemas/lease-expiry.schema.json +19 -0
- package/schemas/live-disclosure.schema.json +16 -0
- package/schemas/live-outcome.schema.json +52 -0
- package/schemas/native-goal-snapshot.schema.json +27 -0
- package/schemas/provider-observed.schema.json +64 -0
- package/schemas/quota-observation.schema.json +72 -0
- package/schemas/reflection-evidence.schema.json +61 -0
- package/schemas/reflection.schema.json +13 -0
- package/schemas/regression-request.schema.json +54 -0
- package/schemas/release-assessment.schema.json +34 -0
- package/schemas/release-policy.schema.json +30 -0
- package/schemas/result-gate-payload.schema.json +244 -0
- package/schemas/review-delivery-payload.schema.json +42 -0
- package/schemas/role-policy.schema.json +111 -0
- package/schemas/run-abort-input.schema.json +11 -0
- package/schemas/run-completion-proof.schema.json +62 -0
- package/schemas/run-ledger-entry.schema.json +78 -0
- package/schemas/run-manifest.schema.json +74 -0
- package/schemas/run-start-intent.schema.json +74 -0
- package/schemas/runtime-record.schema.json +111 -0
- package/schemas/service-plan.schema.json +35 -0
- package/schemas/session-payload.schema.json +80 -0
- package/schemas/structured-role-read-request.schema.json +14 -0
- package/schemas/structured-role-request.schema.json +44 -0
- package/schemas/structured-role-result.schema.json +38 -0
- package/schemas/structured-role-submit-result.schema.json +15 -0
- package/schemas/team-checkpoint.schema.json +42 -0
- package/schemas/team-plan.schema.json +30 -0
- package/schemas/ticket-content.schema.json +38 -0
- package/schemas/ticket-queue-payload.schema.json +191 -0
- package/schemas/trust-report.schema.json +68 -0
- package/schemas/trust-run.schema.json +47 -0
- package/schemas/ultragoal-checkpoint.schema.json +49 -0
- package/schemas/user-schedule-installation-v1.schema.json +32 -0
- package/schemas/user-schedule-installation.schema.json +38 -0
- package/schemas/user-schedule-plan.schema.json +39 -0
- package/schemas/verification-plan-evidence.schema.json +37 -0
- package/schemas/worker-acknowledge-dispatch.schema.json +12 -0
- package/schemas/worker-payload.schema.json +47 -0
- package/schemas/worker-read-dispatch.schema.json +11 -0
- package/schemas/worker-record-dispatch-result.schema.json +14 -0
package/docs/PLAN.md
ADDED
|
@@ -0,0 +1,216 @@
|
|
|
1
|
+
# OMS Build Plan
|
|
2
|
+
|
|
3
|
+
## Purpose and current status
|
|
4
|
+
|
|
5
|
+
Oh My Super Agent (OMS) is a Linux-first Node.js/TypeScript harness for
|
|
6
|
+
coordinating supported Claude Code and Codex CLI ticket workflows. It composes
|
|
7
|
+
native sessions, goals, hooks, subagents, git worktrees, and operator-managed
|
|
8
|
+
service managers instead of replacing them with a daemon or framework.
|
|
9
|
+
|
|
10
|
+
The local control plane described below is implemented. The release is still
|
|
11
|
+
`not_stable`: no real live GitHub ticket, elapsed 12-hour canary, fresh elapsed
|
|
12
|
+
24-hour canary, or completed executor-group evidence is
|
|
13
|
+
shipped. Those are evidence obligations, not claims inferred from unit tests or
|
|
14
|
+
from the existence of a `12h` or `24h` run option.
|
|
15
|
+
|
|
16
|
+
The approved next delivery sequence is tracked in
|
|
17
|
+
[`docs/ROADMAP.md`](ROADMAP.md). It replaces the earlier per-worker manual-start
|
|
18
|
+
direction with one human-started read-only conductor, OMS-native typed dispatch,
|
|
19
|
+
immediate provider observations, 60-second GitHub polling, and a 15-minute
|
|
20
|
+
recovery-only watchdog. The conductor, typed-dispatch, and interactive
|
|
21
|
+
worker-pane, event-synchronization, protected result-gate, and draft-review
|
|
22
|
+
delivery slices are implemented; the actual live GitHub and endurance evidence
|
|
23
|
+
remain pending.
|
|
24
|
+
|
|
25
|
+
The implementation follows this escalation ladder:
|
|
26
|
+
|
|
27
|
+
1. Use a native CLI feature.
|
|
28
|
+
2. Add a skill or prompt.
|
|
29
|
+
3. Compose it with a small Node.js/TypeScript command.
|
|
30
|
+
4. Add a larger custom service only after the command boundary is demonstrably
|
|
31
|
+
inadequate.
|
|
32
|
+
|
|
33
|
+
All tracked runtime automation is TypeScript. OMS has no tracked shell
|
|
34
|
+
automation scripts, custom daemon, application framework, database, or runtime
|
|
35
|
+
npm dependency.
|
|
36
|
+
|
|
37
|
+
## Operating constraints
|
|
38
|
+
|
|
39
|
+
- Runtime dependencies are Node.js 20+, `git`, Linux `bubblewrap` for the
|
|
40
|
+
protected live verifier, and pinned Gitleaks 8.30.1 for live review delivery;
|
|
41
|
+
npm and pinned development dependencies build and test the TypeScript source.
|
|
42
|
+
- Live authentication, billing, transport, model, sandbox, session, and
|
|
43
|
+
unattended eligibility remain explicit role policy. Unknown or incompatible
|
|
44
|
+
values fail closed.
|
|
45
|
+
- OMS never uses an interactive pane as a billing workaround and does not
|
|
46
|
+
implement Claude print-mode transport.
|
|
47
|
+
- `doctor`, `verify`, tests, the HUD, release assessment, and the local trace
|
|
48
|
+
fixture make no provider or network call.
|
|
49
|
+
- The named GitHub queue probe is disclosure-first and requires explicit live
|
|
50
|
+
confirmation before contact. Its presence is not live-ticket evidence.
|
|
51
|
+
- Normal progress is driven by provider hooks and 60-second GitHub polling. The
|
|
52
|
+
minute command remains an internal audit/due-work pass; the 15-minute
|
|
53
|
+
watchdog is limited to recovery and stall detection.
|
|
54
|
+
- Automatic merge is disabled. Trust assessment is review-only and cannot
|
|
55
|
+
grant merge or execution authority.
|
|
56
|
+
- OMS can explicitly generate, install, inspect, and remove one exact
|
|
57
|
+
user-scoped cron/systemd/launchd schedule containing only GitHub polling and
|
|
58
|
+
the recovery watchdog.
|
|
59
|
+
- Slack support ends at a typed request-only outbox event. OMS has no Slack
|
|
60
|
+
transport, credentials, or delivery receipt authority.
|
|
61
|
+
|
|
62
|
+
## Role roster
|
|
63
|
+
|
|
64
|
+
The tracked role policy is configuration, not proof that a provider ran:
|
|
65
|
+
|
|
66
|
+
| Role | Default surface | Implemented boundary |
|
|
67
|
+
| --- | --- | --- |
|
|
68
|
+
| conductor | Claude Opus persistent pane | Read-only goal/advice/dispatch routing; approved dispatches enter the typed OMS delivery adapter |
|
|
69
|
+
| advise | fresh Codex exec | Mandatory exact-intent verdict with protected immutable evidence before dispatch |
|
|
70
|
+
| execute | Claude Sonnet ticket worktree | OMS-managed interactive pane, session-bound worker tools, sandboxed worktree writes |
|
|
71
|
+
| execute-long | Codex goal in a ticket worktree | OMS-managed interactive TUI with native `/goal` input and resumable session state |
|
|
72
|
+
| grade | fresh engine different from executor when available | Supplemental structured evidence only; deterministic gate remains final |
|
|
73
|
+
| dream | fresh context or subagent | Bounded reflection evidence; no queue authority |
|
|
74
|
+
|
|
75
|
+
Every role declares authentication, billing, unattended eligibility, sandbox,
|
|
76
|
+
session mode, and evidence policy. Credit-billed or otherwise non-default models
|
|
77
|
+
remain opt-in and absent from the default roster; OMS does not infer billing
|
|
78
|
+
from a model name.
|
|
79
|
+
|
|
80
|
+
## Goal-mode routing
|
|
81
|
+
|
|
82
|
+
- Canonical OMS goal records are the durable authority.
|
|
83
|
+
- Configured long-running tickets may use an OMS-managed interactive Codex Goal pane.
|
|
84
|
+
- `oms team start` groups already accepted executor dispatches; it adds no verifier lane.
|
|
85
|
+
- Imported native goal or external team-workflow snapshots are evidence only and never a runtime dependency.
|
|
86
|
+
|
|
87
|
+
The shipped CLI exposes canonical `goal create` and `goal status` operator
|
|
88
|
+
surfaces, launches only configured OMS worker lanes, and keeps all workflow
|
|
89
|
+
authority in typed OMS records.
|
|
90
|
+
|
|
91
|
+
## Implemented ticket and runtime flow
|
|
92
|
+
|
|
93
|
+
```text
|
|
94
|
+
materialize pending ticket -> human goal -> journal/prepare/lease -> fresh exact-intent advice -> dispatch/run
|
|
95
|
+
-> deterministic verify -> supplemental grade
|
|
96
|
+
-> completed with human hold, retryable, blocked, or parked
|
|
97
|
+
|
|
98
|
+
provider hook -> typed outbox -> session/activity/health/quota observation
|
|
99
|
+
GitHub poll -> typed deduplicated event -> materialize pending ticket -> opaque conductor notification
|
|
100
|
+
passing result -> secret scan -> non-force branch/draft PR -> typed PR/check events -> READY_FOR_HUMAN
|
|
101
|
+
watchdog -> dead-waiter/conductor recovery + lease/session/outbox evidence
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
Ticket mutations use expected versions, attempts, actors, operation nonces, and
|
|
105
|
+
lease tokens. Raw issue content is held in immutable files and is not sent as a
|
|
106
|
+
command or tmux keystroke. The local `trace fixture` exercises the full local
|
|
107
|
+
ticket path without a provider, network call, or tracked source mutation; it is
|
|
108
|
+
explicitly non-certifying and leaves merge on human hold.
|
|
109
|
+
|
|
110
|
+
Fresh advice is mandatory before execution and cannot authorize a changed
|
|
111
|
+
intent. The deterministic verification gate votes after execution and finally.
|
|
112
|
+
A grader explains evidence and cannot turn a failed deterministic result into a pass. The trust
|
|
113
|
+
format accepts only protected live deterministic evidence bound to the same
|
|
114
|
+
ticket, attempt, lease, session, worktree commit, role policy, and
|
|
115
|
+
verification-plan digest. The protected result gate is the sole live writer;
|
|
116
|
+
it runs candidate checks in a native filesystem sandbox, requires one fresh
|
|
117
|
+
opposite-engine grade, records both passing and failed deterministic trust runs,
|
|
118
|
+
and keeps every completed ticket on human hold. The offline tracer remains
|
|
119
|
+
non-certifying and cannot complete tickets or mint trust.
|
|
120
|
+
|
|
121
|
+
## Delivered milestones
|
|
122
|
+
|
|
123
|
+
### M0: constitution and local scaffold
|
|
124
|
+
|
|
125
|
+
Delivered:
|
|
126
|
+
|
|
127
|
+
- `.agents/` source of truth and idempotent managed projection;
|
|
128
|
+
- compiled TypeScript CLI plus a small Node.js source-checkout shim;
|
|
129
|
+
- strict JSON schemas, private runtime root, immutable evidence, atomic record
|
|
130
|
+
replacement, branded authority boundaries, and offline verification;
|
|
131
|
+
- explicit role policy with unattended execution disabled by default.
|
|
132
|
+
|
|
133
|
+
### M1: local one-ticket tracer
|
|
134
|
+
|
|
135
|
+
Delivered:
|
|
136
|
+
|
|
137
|
+
- opaque ticket materialization, canonical lifecycle record, dedicated branch
|
|
138
|
+
and worktree management, deterministic check, supplemental grade, bounded
|
|
139
|
+
retry/reflection records, and human-held completion;
|
|
140
|
+
- a fully offline contributor fixture;
|
|
141
|
+
- a disclosure-first GitHub queue probe that cannot be confused with generic
|
|
142
|
+
evidence writing.
|
|
143
|
+
|
|
144
|
+
Not proven: a real GitHub issue completed through a live provider session.
|
|
145
|
+
|
|
146
|
+
### M2: durable endurance control plane
|
|
147
|
+
|
|
148
|
+
Delivered:
|
|
149
|
+
|
|
150
|
+
- typed event bus and idempotent outbox receipts;
|
|
151
|
+
- canonical session registry and quota observations bound to validated hook
|
|
152
|
+
events and session versions;
|
|
153
|
+
- bounded native-hook ingestion and projection;
|
|
154
|
+
- one-minute resume/audit reconciliation and 15-minute recovery watchdog;
|
|
155
|
+
- immutable audit-run service plans plus exact user schedule lifecycle;
|
|
156
|
+
- read-only HUD and non-certifying `run start`, `run tick`, `run close`, `run
|
|
157
|
+
abort`, `run recover-controller`, and `run status`;
|
|
158
|
+
- immutable start intents, full ticket identity/content admission snapshots,
|
|
159
|
+
persisted completion proofs, service-plan revalidation, and process-restart
|
|
160
|
+
continuity markers.
|
|
161
|
+
|
|
162
|
+
The user schedule is operator-invoked; the conductor remains the sole human
|
|
163
|
+
start and no daemon is installed.
|
|
164
|
+
Not proven: an elapsed 12-hour or fresh elapsed 24-hour run.
|
|
165
|
+
|
|
166
|
+
### M3: trust and goal authorities
|
|
167
|
+
|
|
168
|
+
Delivered:
|
|
169
|
+
|
|
170
|
+
- ticket-bound trust-run evidence and closed-UTC-day, review-only trust reports;
|
|
171
|
+
- one canonical OMS goal authority with immutable native, Team, Ultragoal, and
|
|
172
|
+
regression artifacts;
|
|
173
|
+
- fail-closed parking on stale or mismatched goal evidence;
|
|
174
|
+
- canonical `goal create` and `goal status` CLI commands.
|
|
175
|
+
|
|
176
|
+
Trust does not enable automatic merge, and the CLI does not automatically
|
|
177
|
+
execute native goals or regression tickets.
|
|
178
|
+
|
|
179
|
+
### M4 foundation: OMS-native executor groups and release truth
|
|
180
|
+
|
|
181
|
+
Delivered:
|
|
182
|
+
|
|
183
|
+
- immutable executor-group manifests over accepted dispatches;
|
|
184
|
+
- direct interactive Claude and Codex Goal panes behind typed OMS lifecycle commands;
|
|
185
|
+
- session-bound worker read, acknowledgement, and HEAD-derived result tools;
|
|
186
|
+
- a negative-only `release status` surface fixed to `not_stable`, human hold,
|
|
187
|
+
and automatic merge disabled;
|
|
188
|
+
- an opaque `conductor next` decision plus automatic delivery after accepted dispatch.
|
|
189
|
+
|
|
190
|
+
Also delivered: pinned provider hooks, typed GitHub polling with removal/re-add
|
|
191
|
+
inventory, conductor-selected version-bound ticket preparation, opaque notification/waiter
|
|
192
|
+
recovery, idempotent user scheduling, repository-scoped live-contact journals,
|
|
193
|
+
and a fixed secret-scanned branch/draft-PR handoff after the protected result
|
|
194
|
+
gate. Not implemented here: Slack sending or automatic merge. No real
|
|
195
|
+
provider-backed GitHub completion evidence is shipped yet.
|
|
196
|
+
|
|
197
|
+
## Remaining proof and product backlog
|
|
198
|
+
|
|
199
|
+
1. Complete one explicitly authorized live GitHub ticket using supported
|
|
200
|
+
provider authentication and retain the resulting evidence.
|
|
201
|
+
2. Run and independently review a real elapsed 12-hour canary.
|
|
202
|
+
3. Run and independently review a fresh elapsed 24-hour canary.
|
|
203
|
+
4. Capture a real multi-worker executor group through the normal ticket review
|
|
204
|
+
path.
|
|
205
|
+
5. Consider automatic merge only through a future, explicit positive-release
|
|
206
|
+
design. The current schema intentionally has no positive release state.
|
|
207
|
+
|
|
208
|
+
## Review and provenance policy
|
|
209
|
+
|
|
210
|
+
- The project is an original implementation under the repository license.
|
|
211
|
+
- External protocols may inform behavior, but code is not copied without
|
|
212
|
+
license review and attribution.
|
|
213
|
+
- Change size is a risk signal, not a substitute for review and evidence.
|
|
214
|
+
- Tests prove deterministic local contracts. They do not prove provider policy,
|
|
215
|
+
network availability, elapsed endurance, current remote GitHub state, or production
|
|
216
|
+
readiness.
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
# References and Provenance
|
|
2
|
+
|
|
3
|
+
Last reviewed: 2026-07-11.
|
|
4
|
+
|
|
5
|
+
This file records the official sources used to review the OMS M0 design. Links describe provider behavior at the review date; they are not a promise that a feature, entitlement, price, or policy will remain unchanged.
|
|
6
|
+
|
|
7
|
+
## OpenAI sources
|
|
8
|
+
|
|
9
|
+
- [Codex authentication](https://developers.openai.com/codex/auth) documents ChatGPT subscription sign-in and usage-based API-key sign-in for local Codex clients. It recommends API-key authentication for programmatic CLI workflows and describes enterprise access tokens for trusted non-interactive automation.
|
|
10
|
+
- [Follow a goal](https://learn.chatgpt.com/codex/use-cases/follow-goals) documents `/goal`, `/goal pause`, `/goal resume`, and `/goal clear`. It frames a goal as one durable objective with a verifiable stopping condition, not an unrelated backlog.
|
|
11
|
+
- [Codex CLI developer commands](https://developers.openai.com/codex/cli/reference) is the official reference for supported CLI commands and flags. Local feature detection still uses the installed CLI's `--help` output because the binary version may differ from the current documentation.
|
|
12
|
+
|
|
13
|
+
## Anthropic sources
|
|
14
|
+
|
|
15
|
+
- [Claude Code CLI reference](https://code.claude.com/docs/en/cli-usage) documents named and resumable sessions, authentication-status commands, and interactive versus print-mode entry points.
|
|
16
|
+
- [Claude Code hooks reference](https://code.claude.com/docs/en/hooks) documents command hooks, asynchronous hooks, and `asyncRewake`. OMS uses hooks and outbox events for normal progress; its heartbeat remains a watchdog.
|
|
17
|
+
- [Claude Code subagents](https://code.claude.com/docs/en/sub-agents) documents foreground and background subagents and their fresh-context, permission, and concurrency behavior.
|
|
18
|
+
- [Claude Code setup](https://docs.anthropic.com/en/docs/claude-code/getting-started) documents supported authentication options, including Claude subscriptions, Anthropic Console billing, and enterprise cloud platforms.
|
|
19
|
+
- [Manage API key environment variables in Claude Code](https://support.claude.com/en/articles/12304248-manage-api-key-environment-variables-in-claude-code) documents authentication precedence and the risk of unexpected API charges when `ANTHROPIC_API_KEY` is set.
|
|
20
|
+
- [Use the Claude Agent SDK with your Claude plan](https://support.claude.com/en/articles/15036540-use-the-claude-agent-sdk-with-your-claude-plan) is a time-sensitive account-policy source for Agent SDK, `claude -p`, and third-party usage. Its June 15 update says the announced credit-pool change is paused and those surfaces continue to draw subscription limits for now.
|
|
21
|
+
- [Log in to your Claude account](https://support.claude.com/en/articles/13189465-log-in-to-your-claude-account) separately says third-party/open-source tools should prefer API or supported cloud authentication and prohibits attempts to route third-party traffic against subscription limits. OMS treats the two pages as a live policy gate rather than silently choosing the cheaper interpretation.
|
|
22
|
+
- [Claude API key security practices](https://support.claude.com/en/articles/9767949-api-key-best-practices-keeping-your-keys-safe-and-secure) supports keeping keys out of source control and treating third-party credential handling as a security boundary.
|
|
23
|
+
|
|
24
|
+
## GitHub and scanner sources
|
|
25
|
+
|
|
26
|
+
- [Gitleaks releases](https://github.com/gitleaks/gitleaks/releases) is the upstream source for the exact scanner version and release archive pinned by policy and CI.
|
|
27
|
+
- [GitHub-hosted runner images](https://github.com/actions/runner-images) documents the changing `ubuntu-latest` image inventory. The workflow installs `bubblewrap` explicitly rather than assuming it is preinstalled.
|
|
28
|
+
- [AppArmor's `bwrap-userns-restrict` profile](https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/bwrap-userns-restrict) grants Bubblewrap the namespace setup capabilities its children do not retain. CI installs Ubuntu's `apparmor-profiles` package, loads its extra profile, and smoke-tests `--unshare-all` without relaxing the host-wide user-namespace policy.
|
|
29
|
+
|
|
30
|
+
## Provenance boundary
|
|
31
|
+
|
|
32
|
+
OMS is an original implementation. The sources above provide product facts and design constraints; they are not source-code inputs. No OpenAI, Anthropic, or third-party implementation code is copied into OMS.
|
|
33
|
+
|
|
34
|
+
Ideas such as leases, nonces, atomic replacement, outboxes, watchdogs, worktrees, and deterministic verification are reimplemented from general systems-design principles. If a later change uses code, schemas, or a distinctive protocol from another project, that change must first record the source, license, compatible terms, attribution requirements, and the exact material reused.
|
|
35
|
+
|
|
36
|
+
Documentation links do not grant a license to copy examples wholesale. Small command invocations may be restated as interoperability facts; substantive code requires a separate license review.
|
|
37
|
+
|
|
38
|
+
## Runtime policy prerequisite
|
|
39
|
+
|
|
40
|
+
Provider authentication, billing, acceptable-use, subscription, automation, data-handling, and feature-availability rules are runtime prerequisites. Before OMS enables a live or unattended provider workflow, an operator must verify the current official policy and configure an explicitly supported authentication mode.
|
|
41
|
+
|
|
42
|
+
OMS fails closed when authentication mode or unattended eligibility is absent, unknown, or incompatible with the requested run. Offline `doctor`, tests, and `make verify` do not contact providers or consume model usage. A passing link check proves only that a referenced page was reachable; it does not prove that the operator's account is eligible for a workflow.
|
package/docs/ROADMAP.md
ADDED
|
@@ -0,0 +1,327 @@
|
|
|
1
|
+
# OMS Conductor-First Live Delivery Roadmap
|
|
2
|
+
|
|
3
|
+
Status: approved on 2026-07-11; implementation pending
|
|
4
|
+
|
|
5
|
+
Baseline: commit `066777f`; the local file-backed control plane, schemas, hooks, queue, worktrees, reconciliation, HUD, and negative-only release assessment are implemented and verified.
|
|
6
|
+
|
|
7
|
+
## Outcome
|
|
8
|
+
|
|
9
|
+
A human runs interactive bare `oms`, which performs any one-time repository-scoped confirmation, then creates or resumes a persistent read-only Claude Opus conductor in the OMS tmux session. The human types a freeform goal. The conductor normalizes it into durable OMS goal state and then uses typed OMS commands to route tickets, start isolated Claude or Codex workers, observe immediate provider events, react to GitHub events, verify results, and prepare review-ready pull requests. The explicit `oms conductor start` form remains only for advanced recovery or state-root selection.
|
|
10
|
+
|
|
11
|
+
OMS v1 stops at `READY_FOR_HUMAN`. It never merges, tags, publishes, releases, or claims stability.
|
|
12
|
+
|
|
13
|
+
## Simplicity contract
|
|
14
|
+
|
|
15
|
+
Use the smallest existing primitive that works:
|
|
16
|
+
|
|
17
|
+
1. Native features: interactive Claude/Codex CLIs, Codex Goal and exec, Claude local stdio MCP tools and `asyncRewake` hooks, provider hooks, tmux, git worktrees, `gh`, and user-owned schedulers.
|
|
18
|
+
2. Skills: conductor routing, executor protocol, advisor, grader, bounded reflection, quota handling, scheduling, and team behavior.
|
|
19
|
+
3. Small Node.js/TypeScript commands: a session-scoped seven-tool conductor bridge, durable state, typed dispatch, provider delivery, event synchronization, reconciliation, deterministic verification, evidence, and process lifecycle.
|
|
20
|
+
4. No v1 framework layer: no daemon, database, webhook server, custom mux library, general workflow engine, or tracked shell automation.
|
|
21
|
+
|
|
22
|
+
Review remains deliberately simple: deterministic verification is the final vote; one fresh cross-engine structured grade is supplemental. Reflection occurs only after failure and is bounded by the configured attempt limit.
|
|
23
|
+
|
|
24
|
+
## Non-negotiable boundaries
|
|
25
|
+
|
|
26
|
+
- The human starts only the persistent conductor. Claude print mode and the Agent SDK are forbidden.
|
|
27
|
+
- The conductor has no Edit/Write tool and cannot invoke raw tmux. Goal,
|
|
28
|
+
ticket preparation, pre-dispatch advice, and approved dispatch cross four schema-bound data tools;
|
|
29
|
+
worker lifecycle, executor grouping, and protected result processing use three
|
|
30
|
+
fixed controls with opaque canonical IDs.
|
|
31
|
+
- `oms` is the only shipped orchestration surface. Product code, generated instructions, and public docs must not require another orchestration CLI.
|
|
32
|
+
- All provider/model/auth/billing combinations are explicit configuration. Unknown or ineligible combinations fail closed. Credit-billed models remain disabled by default.
|
|
33
|
+
- The conductor may make routing decisions only inside configured roles, budgets, capabilities, attempts, and stopping conditions.
|
|
34
|
+
- Raw issue, review, model, hook, and pane text are untrusted content. They never become commands or authority.
|
|
35
|
+
- Deterministic OMS state owns goals, tickets, leases, dispatches, sessions, events, verification, evidence, attempts, audit, and human holds.
|
|
36
|
+
- Workers may change only their isolated ticket worktrees. They never own goal, verification, trust, merge, or release authority.
|
|
37
|
+
- A worker reporting `done` moves its ticket to `verifying`, not `completed`.
|
|
38
|
+
- Provider hooks are immediate. GitHub polling defaults to 60 seconds. The 15-minute watchdog is recovery-only.
|
|
39
|
+
- Merge, automatic merge, tag, publish, release, and positive stability remain human-held or absent.
|
|
40
|
+
|
|
41
|
+
## Operator flow
|
|
42
|
+
|
|
43
|
+
```text
|
|
44
|
+
human: oms
|
|
45
|
+
-> OMS preflight + create/resume tmux session
|
|
46
|
+
-> interactive read-only Claude Opus conductor
|
|
47
|
+
|
|
48
|
+
human types freeform goal
|
|
49
|
+
-> conductor calls mcp__oms__propose_goal with structured JSON
|
|
50
|
+
-> session-scoped OMS bridge validates and commits it
|
|
51
|
+
-> durable canonical goal before first dispatch
|
|
52
|
+
|
|
53
|
+
conductor loop
|
|
54
|
+
-> read canonical queue/events/status
|
|
55
|
+
-> choose an eligible ticket and configured role
|
|
56
|
+
-> call mcp__oms__prepare_dispatch with expected_ticket_version and exact content digest
|
|
57
|
+
-> OMS proves current GitHub eligibility, journals the selection, and returns the leased intent
|
|
58
|
+
-> call mcp__oms__advise_dispatch with the exact structured intent
|
|
59
|
+
-> fresh Codex advice must approve that exact digest
|
|
60
|
+
-> call mcp__oms__propose_dispatch with the unchanged intent + evidence
|
|
61
|
+
-> OMS validates and starts isolated worker pane/worktree
|
|
62
|
+
-> provider hooks publish immediate lifecycle/quota/completion observations
|
|
63
|
+
-> GitHub sync publishes deduplicated issue/PR/review/check events
|
|
64
|
+
-> deterministic verify
|
|
65
|
+
-> one fresh cross-engine grade
|
|
66
|
+
-> completed + READY_FOR_HUMAN, retry, park, or block
|
|
67
|
+
|
|
68
|
+
watchdog
|
|
69
|
+
-> every 15 minutes, recover only stale panes/sessions/leases/outbox work
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
## Canonical state model
|
|
73
|
+
|
|
74
|
+
### Goal
|
|
75
|
+
|
|
76
|
+
The conductor normalizes the human request into a record containing:
|
|
77
|
+
|
|
78
|
+
- goal ID and version;
|
|
79
|
+
- objective;
|
|
80
|
+
- repository and queue scope;
|
|
81
|
+
- stopping condition;
|
|
82
|
+
- runtime horizon: `until-empty`, `12h`, or `24h`;
|
|
83
|
+
- budget and policy profile.
|
|
84
|
+
|
|
85
|
+
Every ticket, dispatch, attempt, event decision, result, and evidence record references the goal ID. Restarts re-read the record; conductor memory is never authoritative.
|
|
86
|
+
|
|
87
|
+
### Agent
|
|
88
|
+
|
|
89
|
+
- Activity: `idle | working | blocked | done`
|
|
90
|
+
- Health overlay: `healthy | parked | stalled | stopped`
|
|
91
|
+
|
|
92
|
+
### Ticket
|
|
93
|
+
|
|
94
|
+
`pending | leased | running | verifying | completed | retryable | parked | blocked`
|
|
95
|
+
|
|
96
|
+
Agent activity and ticket lifecycle are separate. A terminal worker result cannot bypass verification.
|
|
97
|
+
|
|
98
|
+
### Dispatch
|
|
99
|
+
|
|
100
|
+
Each accepted dispatch binds:
|
|
101
|
+
|
|
102
|
+
- goal, ticket, lease, attempt, and dispatch IDs;
|
|
103
|
+
- worker, configured role/model, provider mode, and worktree;
|
|
104
|
+
- capability set, budget snapshot, acceptance criteria, and evidence requirements;
|
|
105
|
+
- freeform agentic task body and operation nonce.
|
|
106
|
+
- canonical dispatch-intent digest and immutable advisor-evidence reference.
|
|
107
|
+
|
|
108
|
+
OMS validates and persists the envelope before a provider adapter delivers it. The worker acknowledges and returns typed receipts referencing the dispatch ID.
|
|
109
|
+
|
|
110
|
+
### Structured conductor ingress
|
|
111
|
+
|
|
112
|
+
Goal, advice, dispatch, and bounded controls use one native, session-scoped tool boundary:
|
|
113
|
+
|
|
114
|
+
1. Interactive bare `oms` (or the explicit `oms conductor start` form) generates a strict local stdio MCP configuration whose only server command is the installed `oms conductor bridge` TypeScript entrypoint bound to the exact workspace/state root.
|
|
115
|
+
2. CD-01 begins with `mcp__oms__propose_goal` and an inert `mcp__oms__propose_dispatch`; later slices activate dispatch and add version-bound `mcp__oms__prepare_dispatch` plus mandatory `mcp__oms__advise_dispatch` over a distinct exact-intent schema.
|
|
116
|
+
3. CD-03 adds `mcp__oms__manage_worker` for observe/park/resume/stop and `mcp__oms__start_team` for grouping already accepted dispatch IDs. CD-05 adds `mcp__oms__process_result` for the protected result and fixed review-delivery path. The complete bridge exposes exactly seven schema-bound tools: four data tools and three fixed controls.
|
|
117
|
+
4. Claude starts with `--strict-mcp-config`, `dontAsk`, those seven exact tool permissions, reviewed fixed OMS/read-only diagnostic rules, and no Edit/Write or raw tmux permission.
|
|
118
|
+
5. The bridge has no generic filesystem, shell, provider, GitHub, verification, merge, or release tool. Proposal tools validate current goal/ticket/lease/policy/budget authority; control tools accept only canonical IDs and bounded lifecycle fields. `process_result` can invoke only the installed deterministic gate and fixed human-held review delivery.
|
|
119
|
+
6. Tool calls are operation-nonce bound and replay-safe; tool output contains only bounded status and opaque canonical IDs.
|
|
120
|
+
|
|
121
|
+
The bridge is a local stdio child of the interactive conductor session, not a daemon, network listener, framework, or separate orchestrator. Freeform model text travels only through schema-bound goal, preparation, advice, and dispatch JSON and never enters argv or a shell. Because MCP subprocess capabilities are enforced inside OMS rather than by the Bash sandbox, the bridge must expose no ambient authority beyond those four data validators and three fixed-action controls.
|
|
122
|
+
|
|
123
|
+
## Events and clocks
|
|
124
|
+
|
|
125
|
+
Three mechanisms have distinct jobs:
|
|
126
|
+
|
|
127
|
+
1. Provider hooks immediately emit bounded session, activity, completion-observed, and quota observations. Hooks never provide the terminal result authority described below.
|
|
128
|
+
2. `oms events sync github` is a one-shot TypeScript command. A user-owned schedule runs it every 60 seconds by default. Durable watermarks and stable event keys deduplicate issue, comment/label, branch, PR, review, and check events.
|
|
129
|
+
3. `oms reconcile watchdog` runs every 15 minutes by default and handles only recovery and stall detection.
|
|
130
|
+
|
|
131
|
+
After successful event projection and pending-ticket materialization, OMS appends one deduplicated conductor-notification batch containing only opaque event IDs. A session-scoped `oms conductor wait-event` command is armed by Claude `SessionStart`/`Stop` command hooks with `asyncRewake`; it waits for the next batch, emits only its opaque notification ID, and exits with the documented wake code so an idle conductor re-reads canonical state. One durable waiter-generation record is bound to the conductor session and process identity with `armed | notified | failed | superseded` state plus expected-version/nonce transitions. The conductor consumes the notification only through the matching route/read operation. No raw GitHub/provider text is injected into the session.
|
|
132
|
+
|
|
133
|
+
The existing one-shot 15-minute watchdog is the sole dead-waiter recovery owner. After proving the waiter dead, it may CAS-claim one recovery generation only when the conductor is idle or dead, then resume/respawn the same conductor session so `SessionStart` arms a replacement. It never interrupts an active conductor; the next normal `Stop` re-arms instead. Unsafe or failed resume becomes visible `stalled`/`blocked` state while the notification remains pending. PID reuse, duplicate watchdog passes, and restarts cannot create two waiter generations.
|
|
134
|
+
|
|
135
|
+
Normal state progression is event-driven. The watchdog must not become a second scheduler or repeat valid work. OMS may install, inspect, and remove only the exact generated user-scoped schedule after the human explicitly starts the conductor; it does not ship an always-running daemon.
|
|
136
|
+
|
|
137
|
+
## Provider policy
|
|
138
|
+
|
|
139
|
+
- Claude conductor and ticket executors use supported interactive CLI sessions in tmux. No `claude -p` or Agent SDK path exists.
|
|
140
|
+
- Codex exec remains the fresh, schema-validated read-only advisor/grader surface when its configured auth/billing policy is eligible.
|
|
141
|
+
- Codex Goal is a resumable interactive worker lane for long tickets, not a headless-service promise.
|
|
142
|
+
- When Codex executes, one fresh Claude grade is mandatory; when Claude executes, one fresh Codex grade is mandatory. If the opposite engine is unavailable or ineligible, the ticket parks or blocks visibly—there is no same-engine fallback or skipped grade.
|
|
143
|
+
- Provider hooks authoritatively update provider session/activity/health observations within their documented local boundary. Only one schema-valid result receipt bound to the current goal/dispatch/attempt/lease/session/worktree/commit may set `agent=done` and move a ticket to `verifying`. Completion hooks alone cannot. Pane capture and sentinels are diagnostics only.
|
|
144
|
+
|
|
145
|
+
Official provider evidence was checked on 2026-07-11:
|
|
146
|
+
|
|
147
|
+
- https://code.claude.com/docs/en/authentication
|
|
148
|
+
- https://code.claude.com/docs/en/cli-usage
|
|
149
|
+
- https://code.claude.com/docs/en/headless
|
|
150
|
+
- https://code.claude.com/docs/en/legal-and-compliance
|
|
151
|
+
- https://code.claude.com/docs/en/hooks
|
|
152
|
+
- https://code.claude.com/docs/en/mcp
|
|
153
|
+
- https://code.claude.com/docs/en/permissions
|
|
154
|
+
- https://developers.openai.com/codex/cli/reference
|
|
155
|
+
- https://developers.openai.com/codex/auth
|
|
156
|
+
- https://developers.openai.com/codex/use-cases/follow-goals
|
|
157
|
+
|
|
158
|
+
## Delivery slices
|
|
159
|
+
|
|
160
|
+
### CD-01 — Conductor-first bootstrap and durable goal
|
|
161
|
+
|
|
162
|
+
Add the human-started interactive bare `oms` path, its explicit `oms conductor start` authorization/state override, repository-read-only permission/profile projection, session-scoped two-tool OMS bridge, conductor session resume, and freeform-to-canonical goal normalization. Promote the conductor-first ADR.
|
|
163
|
+
|
|
164
|
+
Acceptance:
|
|
165
|
+
|
|
166
|
+
- One human command creates or resumes the named tmux session and attaches to an interactive Claude Opus conductor.
|
|
167
|
+
- CD-01 begins with a pinned Claude Code compatibility proof (initial target: installed v2.1.207): the interactive subscription session loads only the generated local stdio OMS server, commits a goal through the goal tool, receives deterministic `dispatch-not-enabled` with no mutation from the dispatch tool, and cannot access Edit, Write, raw tmux, an unlisted MCP tool, or an unapproved shell command. Failure stops CD-01 and requires an ADR revision; permissions are never widened.
|
|
168
|
+
- The conductor cannot edit/write product files or canonical state, mutate policy directly, or invoke raw tmux. It can call only the two allowlisted structured proposal tools, fixed typed OMS commands with opaque IDs, and read-only diagnostics.
|
|
169
|
+
- Goal text crosses only JSON tool input and is committed only after exact schema/size/current-authority validation; shell metacharacters remain inert.
|
|
170
|
+
- No print mode, Agent SDK, provider proxy, or default credit-billed model appears in launch arguments or configuration.
|
|
171
|
+
- A canonical goal is durable before the first dispatch and is recovered after conductor restart.
|
|
172
|
+
- Unknown auth, billing, CLI version, permission profile, or repository scope blocks launch.
|
|
173
|
+
|
|
174
|
+
Blocked by: none.
|
|
175
|
+
|
|
176
|
+
### CD-02 — Typed dispatch and separated runtime states
|
|
177
|
+
|
|
178
|
+
Add canonical dispatch records, worker records, acceptance/result schemas, and deterministic transitions for agent activity, health, and ticket lifecycle.
|
|
179
|
+
|
|
180
|
+
Acceptance:
|
|
181
|
+
|
|
182
|
+
- OMS validates and persists a dispatch before delivery.
|
|
183
|
+
- CD-02 replaces the inert dispatch handler with exact canonical validation/commit while preserving the same tool name, input schema boundary, and conductor permission set.
|
|
184
|
+
- Dispatch freeform content crosses only the schema-bound
|
|
185
|
+
`mcp__oms__advise_dispatch` and `mcp__oms__propose_dispatch` tools; it never
|
|
186
|
+
enters a command argument or file Write.
|
|
187
|
+
- The envelope binds the exact goal, ticket, lease, attempt, worker, role/model, worktree, capabilities, budget, acceptance/evidence requirements, and nonce.
|
|
188
|
+
- `agent=done` can move a ticket only to `verifying`.
|
|
189
|
+
- Stale leases, replayed nonces, exhausted attempts, unconfigured roles/models, or expanded capabilities fail closed without mutation.
|
|
190
|
+
- The conductor cannot use dispatch to edit policy, expand goal scope, verify its own work, or grant merge/release authority.
|
|
191
|
+
|
|
192
|
+
Blocked by: CD-01.
|
|
193
|
+
|
|
194
|
+
### CD-03 — OMS-owned worker panes, provider adapters, and teams
|
|
195
|
+
|
|
196
|
+
Implement OMS-native worker delivery and pane lifecycle behind typed commands. A team is only a group of executor dispatches with isolated worktrees; all results later use the same deterministic gate and single cross-engine grade from CD-05.
|
|
197
|
+
|
|
198
|
+
Acceptance:
|
|
199
|
+
|
|
200
|
+
- OMS starts, observes, parks, resumes, and stops one or N isolated worker panes from accepted dispatches.
|
|
201
|
+
- Provider CLIs start directly; no public raw `tmux send-keys` command or pane text authority is exposed.
|
|
202
|
+
- Workers acknowledge dispatch IDs and return typed result receipts bound to the exact session and worktree commit.
|
|
203
|
+
- Claude remains interactive; Codex Goal remains resumable; Codex exec remains schema-validated and read-only for its configured role.
|
|
204
|
+
- Replace the current per-worker `human_attended` / `human_started_native` assumptions with one explicitly reviewed `operator_originated_oms_managed_interactive` session policy. It remains distinct from headless/unattended eligibility and must fail closed when current provider policy or version preflight cannot support it.
|
|
205
|
+
- Unknown provider eligibility blocks launch; capabilities cannot grant verification, trust, merge, or release authority.
|
|
206
|
+
- Teams add no verifier agent or second model-review lane; team outputs flow into CD-05.
|
|
207
|
+
- Product code, generated skills, tests, and docs contain no runtime dependency on an external orchestration CLI.
|
|
208
|
+
|
|
209
|
+
Blocked by: CD-02.
|
|
210
|
+
|
|
211
|
+
### CD-04 — Immediate events, GitHub sync, scheduling, and recovery
|
|
212
|
+
|
|
213
|
+
Extend the existing event/outbox path with provider session/activity/completion-observed events, typed GitHub events, durable sync watermarks, schedule lifecycle, and pane-aware recovery.
|
|
214
|
+
|
|
215
|
+
Acceptance:
|
|
216
|
+
|
|
217
|
+
- Provider hooks immediately publish bounded session, activity, completion-observed, and quota observations.
|
|
218
|
+
- Completion hooks can record `completion-observed` but cannot set `agent=done` or move a ticket to `verifying`; only the dispatch-bound typed result receipt can do that.
|
|
219
|
+
- `oms events sync github` emits deduplicated typed issue, comment/label, branch, PR, review, and check events; default schedule is 60 seconds and configurable.
|
|
220
|
+
- Each projected event batch creates one durable opaque conductor notification. The version-pinned `asyncRewake` waiter wakes an idle conductor, which re-reads canonical state and consumes the matching notification. Projection/notify/wake/consume is replay-safe.
|
|
221
|
+
- Waiter state is generation/CAS bound to the exact conductor session/process. The watchdog is the sole recovery writer: it resumes/respawns only a proven idle/dead conductor, never interrupts an active one, and otherwise records visible stalled/blocked state with the notification retained.
|
|
222
|
+
- `oms reconcile watchdog` runs every 15 minutes by default and only recovers or reports dead panes, stalled sessions/outbox work, expired leases, and resumable quota state.
|
|
223
|
+
- Generated user-scoped schedules can be installed, inspected, and removed idempotently; no daemon or webhook listener is introduced.
|
|
224
|
+
- Expired auth parks the lane for human login. Recovery never starts a duplicate worker or silently widens credentials.
|
|
225
|
+
- Raw provider/GitHub content never becomes a command, branch, path, or authority.
|
|
226
|
+
|
|
227
|
+
Blocked by: CD-03.
|
|
228
|
+
|
|
229
|
+
### CD-05 — Protected verification, cross-engine grade, and bounded retry
|
|
230
|
+
|
|
231
|
+
Connect typed worker results to the protected live deterministic verifier, then run exactly one fresh configured opposite-engine grade. On failure, store one bounded reflection and retry within the configured attempt limit.
|
|
232
|
+
|
|
233
|
+
Acceptance:
|
|
234
|
+
|
|
235
|
+
- A result binds the exact goal, dispatch, ticket, attempt, lease, session, worktree, and commit.
|
|
236
|
+
- The installed OMS runner and frozen verification plan produce immutable deterministic evidence outside the candidate's authority.
|
|
237
|
+
- Failed or incomplete deterministic verification is final and cannot be overridden by conductor, grader, trust, or operator text.
|
|
238
|
+
- Exactly one fresh schema-validated opposite-engine grade is mandatory and supplemental; it consumes raw bounded check output plus immutable diff/evidence references. Unavailable/ineligible opposite-engine grading parks or blocks visibly.
|
|
239
|
+
- State follows `agent done -> ticket verifying -> completed | retryable | blocked`; max attempts produce a visible block.
|
|
240
|
+
- Completed tickets remain `human_hold`, and trust input can originate only from the protected verdict.
|
|
241
|
+
|
|
242
|
+
Blocked by: CD-03.
|
|
243
|
+
|
|
244
|
+
### CD-06 — Real GitHub backlog-to-PR tracer
|
|
245
|
+
|
|
246
|
+
Use the normal GitHub event path to complete one small ready issue through conductor routing, execution, verification, grade, branch push, and a draft review-ready PR.
|
|
247
|
+
|
|
248
|
+
Implementation is present locally: human-start authorization, pre-notification
|
|
249
|
+
ticket admission, pinned secret scanning, non-force branch/draft-PR delivery,
|
|
250
|
+
typed-event waiting, and immutable review proof. CD-06 remains open until the
|
|
251
|
+
real provider/GitHub run and exact remote branch/PR/check evidence are captured.
|
|
252
|
+
|
|
253
|
+
Acceptance:
|
|
254
|
+
|
|
255
|
+
- One exact issue-to-goal-to-dispatch-to-session-to-commit-to-check-to-grade-to-PR evidence chain is independently replayable.
|
|
256
|
+
- OMS may create/update the isolated branch and draft PR, attach evidence, and report `READY_FOR_HUMAN`; no merge, auto-merge, tag, publish, or release command exists.
|
|
257
|
+
- Fresh GitHub read-back confirms the exact remote branch and draft PR still point at the verified commit; a typed event confirms the named deterministic check passed.
|
|
258
|
+
- A PR/check/review update becomes one deduplicated typed event and causes only a legal state transition.
|
|
259
|
+
- Secrets and raw credentials are absent from argv, tracked files, logs, evidence, and GitHub content.
|
|
260
|
+
- `release status` remains `not_stable`.
|
|
261
|
+
|
|
262
|
+
Blocked by: CD-04 and CD-05.
|
|
263
|
+
|
|
264
|
+
### CD-07 — Real elapsed 12-hour canary
|
|
265
|
+
|
|
266
|
+
Run a same-boot 12-hour goal with multiple short workers, at least one Codex long-goal lane, a grouped team delivery processed by the normal deterministic gate and single grade, quota park/resume, worker failure, conductor resume, GitHub polling, and recovery observation.
|
|
267
|
+
|
|
268
|
+
Acceptance:
|
|
269
|
+
|
|
270
|
+
- Wall and same-boot monotonic evidence both reach 12 hours; labels or simulated time do not count.
|
|
271
|
+
- There are no duplicate dispatches, active leases, provider sessions, unverified completions, hidden recoveries, or manual state repairs.
|
|
272
|
+
- A recoverable fault resolves within two watchdog intervals or becomes explicit blocked evidence with no active owner.
|
|
273
|
+
- Independent verification accepts the exact evidence set; PR merge and release remain human-held.
|
|
274
|
+
|
|
275
|
+
Blocked by: CD-06.
|
|
276
|
+
|
|
277
|
+
### CD-08 — Fresh elapsed 24-hour canary and closeout
|
|
278
|
+
|
|
279
|
+
After independent acceptance of CD-07, start a new goal/run/ticket set and execute the same invariants for 24 elapsed hours.
|
|
280
|
+
|
|
281
|
+
Acceptance:
|
|
282
|
+
|
|
283
|
+
- The 24-hour run uses fresh goal, run, ticket, dispatch, session, process, and evidence identities.
|
|
284
|
+
- Every CD-07 invariant holds for 24 real elapsed hours.
|
|
285
|
+
- GitHub event, team-delivery, deterministic-verification, and grade evidence are refreshed.
|
|
286
|
+
- Closeout lists proven and unproven obligations without adding a positive release state or automatic merge.
|
|
287
|
+
|
|
288
|
+
Blocked by: CD-07.
|
|
289
|
+
|
|
290
|
+
## Dependency graph
|
|
291
|
+
|
|
292
|
+
```text
|
|
293
|
+
CD-01 conductor + goal
|
|
294
|
+
-> CD-02 dispatch + states
|
|
295
|
+
-> CD-03 workers + teams
|
|
296
|
+
-> CD-04 events + recovery ----+
|
|
297
|
+
-> CD-05 verify + grade -------+-> CD-06 live GitHub PR
|
|
298
|
+
-> CD-07 12h canary
|
|
299
|
+
-> CD-08 fresh 24h canary
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
## Removed from the previous roadmap
|
|
303
|
+
|
|
304
|
+
- Per-ticket human launch ceremonies: the human starts only the conductor.
|
|
305
|
+
- Product-facing external team/goal workflow commands: OMS owns its team and long-worker adapters.
|
|
306
|
+
- Raw conductor tmux commands: provider adapters encapsulate transport.
|
|
307
|
+
- Separate quota, long-goal, and team-proof implementation tracks: each now lands in the vertical slice that consumes it.
|
|
308
|
+
- Custom shell scripts: all tracked deterministic automation remains TypeScript.
|
|
309
|
+
- Separate team-verifier/model-review layers: executor groups feed the same deterministic gate plus one fresh cross-engine grade used by every ticket.
|
|
310
|
+
|
|
311
|
+
## Global verification gate
|
|
312
|
+
|
|
313
|
+
Every implementation issue must run targeted tests first, then:
|
|
314
|
+
|
|
315
|
+
```text
|
|
316
|
+
npm run typecheck
|
|
317
|
+
npm test
|
|
318
|
+
npm run build
|
|
319
|
+
node dist/src/cli.js verify
|
|
320
|
+
git diff --check
|
|
321
|
+
```
|
|
322
|
+
|
|
323
|
+
Also verify no tracked runtime state or secrets, no tracked shell automation, no product/runtime dependency on another orchestration CLI, and no claim beyond the evidence class.
|
|
324
|
+
|
|
325
|
+
## Stop conditions
|
|
326
|
+
|
|
327
|
+
Stop and preserve evidence on unknown provider eligibility or billing, failed auth/version/tool-permission preflight, unavailable mandatory opposite-engine grading, invalid/replayed structured proposal, stale goal/ticket/lease/dispatch/result authority, completion without a valid result receipt, lost/contradictory notification authority, capability expansion, candidate-tree drift, deterministic failure, duplicate owner/start, continuity gap, exhausted attempts, secret finding, branch mismatch, or attempted merge/release authority. Recovery may choose only a path already allowed by the durable policy.
|