open-multi-agent-kit 0.78.3 → 0.78.5

package/MATURITY.md

@@ -1,7 +1,7 @@
 # OMK Command Maturity Matrix
 
 Last updated: 2026-06-07
-Current source version: v0.78.1 (`v1.2` runtime contract family)
+Current source version: v0.78.5 (`v1.2` runtime contract family)
 
 | Level | Meaning |
 |-------|---------|
@@ -76,6 +76,6 @@ Regression Proof Matrix is a release-defense gate, not a stable-release claim. S
 | Native runtime safety | OMK owns the root-orchestrator direction, but native chat must still lock turn-risk inference, approval/sandbox propagation, authority resolution, provider health probes, and DeepSeek read-only enforcement before stable provider-neutral claims. | Treat `docs/native-root-runtime-hardening.md` and `.omk/specs/native-orchestrator-phase1/` as the active hardening contract. |
 | MCP diagnostics | `mcp list/doctor/test` exist; invalid project/global MCP JSON now fails visibly through diagnostics without exposing config contents. | Add machine-readable MCP JSON and structured failure categories for command resolution, timeout, permission, and server health. |
 | Skills and harness templates | `omk skill` exposes current core/TypeScript/review packs, while init templates document project MCP scope, runtime skills, portable `.agents/skills`, and run-scoped harness manifests. | Keep external-inspired skills compact, source-linked, and non-vendored; verify install/sync through `skill-command` tests and package audit. |
-| Release docs and site | README, CHANGELOG, MATURITY, ROADMAP, versioning docs, provider-maturity docs, package audit, and release-gate commands distinguish the `0.78.x` public package line from the `v1.2` runtime contract family while documenting alpha/experimental surfaces, current harness templates, provider limits, and the public project repository at `https://github.com/dmae97/open-multi-agent-kit`. | Treat `npm run release:check`, native safety packaging, tarball install smoke, and CI evidence on the exact commit as the publish/deploy gate before claiming `0.78.1` published or release-ready. |
+| Release docs and site | README, CHANGELOG, MATURITY, ROADMAP, versioning docs, provider-maturity docs, package audit, and release-gate commands distinguish the `0.78.x` public package line from the `v1.2` runtime contract family while documenting alpha/experimental surfaces, current harness templates, provider limits, and the public project repository at `https://github.com/dmae97/open-multi-agent-kit`. | Treat `npm run release:check`, native safety packaging, tarball install smoke, and CI evidence on the exact commit as the publish/deploy gate before claiming `0.78.5` published or release-ready. |
 | Public proof bundles | `omk.proof-bundle.v1`, `npm run proof:check`, `npm run proof:index`, and ten scoped RC hardening bundles now cover no-Kimi, provider/doctor, fallback routing, native safety, contract/version, evidence-block, replay/inspect, and graph-audit axes. Proof integrity includes runId/commit/evidence/decision linkage and per-bundle `sha256sums.txt` artifact hashes. | Keep strengthening proof authenticity with sanitized repo-relative artifacts, non-empty known limitations, and broader provider fallback variants. |
 | Goal planner | Goal lifecycle exists, including continue, generated plan/evidence criteria, and verification. | Expand planner quality scoring and release evidence. |

package/README.md

@@ -39,7 +39,7 @@ Use OMK when one coding agent is not enough: route Codex, OpenCode, Kimi, DeepSe
 - Teams that need MCP-scoped agent execution instead of unrestricted tool access.
 - Agent builders who want routing, fallback, evidence gates, telemetry, and replay.
 
-> Current package source target: `open-multi-agent-kit@0.78.1`.
+> Current package source target: `open-multi-agent-kit@0.78.5`.
 > Public package name: `open-multi-agent-kit` (`@omk/cli` is not the active npm package).
 > Runtime contract family: `v1.2` (contract family, not a stable npm `1.x` release).
 > Release channel: `pre-1.0`.
@@ -63,8 +63,8 @@ omk chat
 
 ## Current release reality
 
-- The public npm line is `open-multi-agent-kit@0.78.x`. Published npm `latest` is `0.78.0`;
-  source/target is `0.78.1` and is published only after the release workflow passes on the tagged commit.
+- The public npm line is `open-multi-agent-kit@0.78.x`. Published npm `latest` is `0.78.5`;
+  source/target is `0.78.5` and is published only after the release workflow passes on the tagged commit.
 - The `v1.2` label in docs is a runtime contract family for the source tree, not a claim that
   an npm `1.2.x` stable release exists.
 - Provider support is intentionally uneven: Kimi remains the most mature authority path;
@@ -305,7 +305,7 @@ The npm package is intentionally package-safe:
 | Contract          | Value                                                                                                                                                                                                                          |
 | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | Package           | [`open-multi-agent-kit`](https://www.npmjs.com/package/open-multi-agent-kit)                                                                                                                                                   |
-| Version           | `0.78.1`                                                                                                                                                                                                                       |
+| Version           | `0.78.5`                                                                                                                                                                                                                       |
 | Runtime contract family | `v1.2`                                                                                                                                                                                                                         |
 | Bins              | `omk`, `omk-project-mcp`, `omk-acp`, `omk-mcp-host`                                                                                                                                                                            |
 | Packaged docs     | `README.md`, `docs/`, `SECURITY.md`, `ROADMAP.md`, `MATURITY.md`, `DESIGN.md`                                                                                                                                                  |

package/dist/benchmark/fixtures.js

@@ -67,11 +67,14 @@ function makeAttemptStub(taskId, category, attemptNumber, rng, outcomeOverride)
 function makeTask(index, category, seed, omkVersion, treeHash, providerConfigHash) {
     const rng = seededRandom(seed + index * 7919);
     const taskId = `bench-${category}-${String(index).padStart(3, "0")}`;
-    const expectedOutcome = pick(["success", "success", "failure", "fallback"], rng);
+    const expectedOutcome = category === "provider-failure-fallback" || category === "quota-auth-failure-fallback"
+        ? "fallback"
+        : "success";
     const attempts = [];
     const attemptCount = expectedOutcome === "fallback" ? 2 : 1;
     for (let i = 1; i <= attemptCount; i++) {
-        attempts.push(makeAttemptStub(taskId, category, i, rng, i === 1 ? undefined : "success"));
+        const outcome = expectedOutcome === "fallback" && i === 1 ? "fallback" : "success";
+        attempts.push(makeAttemptStub(taskId, category, i, rng, outcome));
     }
     return {
         taskId,

package/dist/benchmark/shadow-mode.js

@@ -86,7 +86,6 @@ export function createShadowModeEngine(options) {
     return { evaluate, toBenchmarkDecision };
 }
 export function computeRouterRegret(candidates, intent, history, selectedId) {
-    const engine = createRouterV2ScoringEngine();
     const scores = scoreRuntimes(candidates, intent, history);
     if (scores.length === 0)
         return 0;

package/dist/cli/release-promotion-gate.js

@@ -12,6 +12,9 @@ export function createReleasePromotionGate() {
             const w = RELEASE_GATE_WEIGHTS;
             const demoRun = inputs.demoRun ?? false;
             const maturity = inputs.maturity ?? inputs.providerMinimum ?? 0;
+            const versionConsistency = inputs.versionConsistency ?? inputs.semver ?? 1;
+            const liveBenchmarkPass = inputs.liveBenchmarkPass ?? false;
+            const sandboxViolationCount = inputs.sandboxViolationCount ?? Number.POSITIVE_INFINITY;
             const rawScore = w.ci * inputs.ci +
                 w.build * (inputs.build ?? 0) +
                 w.types * (inputs.types ?? 0) +
@@ -20,11 +23,11 @@ export function createReleasePromotionGate() {
                 w.demo * (demoRun ? 1 : 0) +
                 w.proof * inputs.proofMedian +
                 w.maturity * maturity +
-                w.docs * inputs.docs -
+                w.docs * inputs.docs * versionConsistency -
                 w.regression * inputs.regressionSeverity;
             const score = clamp01(rawScore);
             const reasons = [];
-            const blocked = inputs.ci === 0 || inputs.freshInstallSmoke === 0 || !demoRun;
+            const blocked = inputs.ci === 0 || inputs.freshInstallSmoke === 0 || versionConsistency === 0 || !demoRun;
             if (blocked) {
                 if (inputs.ci === 0) {
                     reasons.push("CI score is 0 (blocking)");
@@ -32,21 +35,28 @@ export function createReleasePromotionGate() {
                 if (inputs.freshInstallSmoke === 0) {
                     reasons.push("Fresh install smoke is 0 (blocking)");
                 }
+                if (versionConsistency === 0) {
+                    reasons.push("Version/package/proof consistency is 0 (blocking)");
+                }
                 if (!demoRun) {
                     reasons.push("Minimal verified demo run failed or missing (blocking)");
                 }
             }
+            const stableEligible = liveBenchmarkPass && sandboxViolationCount === 0;
             let verdict;
             if (blocked) {
                 verdict = "block";
             }
-            else if (score >= 0.90 && inputs.proofMedian >= 0.85 && maturity >= 0.80) {
+            else if (score >= 0.90 && inputs.proofMedian >= 0.85 && maturity >= 0.80 && stableEligible) {
                 verdict = "stable";
-                reasons.push(`Score ${formatScore(score)} meets stable threshold (≥0.90) with proof≥0.85 and maturity≥0.80`);
+                reasons.push(`Score ${formatScore(score)} meets stable threshold (≥0.90) with proof≥0.85, maturity≥0.80, live benchmark pass, and sandbox violations=0`);
             }
             else if (score >= 0.75 && inputs.proofMedian >= 0.75) {
                 verdict = "pre-release";
                 reasons.push(`Score ${formatScore(score)} meets pre-release threshold (≥0.75) with proof≥0.75`);
+                if (score >= 0.90 && inputs.proofMedian >= 0.85 && maturity >= 0.80 && !stableEligible) {
+                    reasons.push("Stable verdict withheld until live benchmark passes and sandboxViolationCount is 0");
+                }
             }
             else {
                 verdict = "block";

package/dist/providers/router.js

@@ -200,13 +200,6 @@ function requestedExternalProvider(input) {
 function isGenericExternalProvider(value) {
     return typeof value === "string" && value !== "auto" && value !== "kimi" && value !== "deepseek";
 }
-function providerVectorMeets(vector, minState) {
-    if (!vector)
-        return true;
-    const current = PROVIDER_CAPABILITY_ORDINAL[vector.auth];
-    const required = PROVIDER_CAPABILITY_ORDINAL[minState];
-    return current >= required;
-}
 function providerVectorQuotaOk(vector) {
     if (!vector)
         return true;

package/dist/runtime/contracts/weakness-remediation.d.ts

@@ -55,6 +55,12 @@ export interface ReleasePromotionInputs {
     readonly maturity?: number;
     /** Algorithm 8 — minimal verified demo run gate. Hard block when false/undefined. */
     readonly demoRun?: boolean;
+    /** Stable claim gate — live/recorded benchmark must pass before stable verdict. */
+    readonly liveBenchmarkPass?: boolean;
+    /** Stable claim gate — must be exactly 0 before stable verdict. */
+    readonly sandboxViolationCount?: number;
+    /** Stable claim gate — package/lock/docs/proof/bin invariant. */
+    readonly versionConsistency?: number;
 }
 export interface ReleasePromotionResult {
     readonly score: number;

package/dist/runtime/provider-maturity-gate.js

@@ -76,8 +76,6 @@ export function createProviderMaturityTable() {
 function vectorToAdapterResults(vector) {
     const authOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.auth];
     const binaryOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.binary];
-    const modelOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.model];
-    const quotaOrdinal = PROVIDER_CAPABILITY_ORDINAL[vector.quota];
     const authScore = authOrdinal >= PROVIDER_CAPABILITY_ORDINAL["auth_valid"] ? 1.0 : authOrdinal / PROVIDER_CAPABILITY_ORDINAL["auth_valid"];
     const readScore = vector.supportsRead ? 1.0 : 0.0;
     const writeScore = vector.supportsWrite ? 1.0 : 0.0;

package/docs/getting-started.md

@@ -1,6 +1,6 @@
 # Getting Started
 
-Source release target: `open-multi-agent-kit@0.78.1` (`pre-1.0`).
+Source release target: `open-multi-agent-kit@0.78.5` (`pre-1.0`).
 
 ## Prerequisites
 

package/docs/provider-maturity.md

@@ -4,7 +4,7 @@ This page documents provider status for the current source tree.
 
 ## Current source target
 
-- Package version: `0.78.1`
+- Package version: `0.78.5`
 - Runtime contract family: `v1.2`
 - Release channel: `pre-1.0`
 

package/docs/versioning.md

@@ -4,11 +4,11 @@ OMK uses two version fields in release artifacts:
 
 | Field | Current value | Source | Meaning |
 | --- | --- | --- | --- |
-| Package version | `0.78.1` | `package.json`, `package-lock.json` | npm/package source version. |
+| Package version | `0.78.5` | `package.json`, `package-lock.json` | npm/package source version. |
 | Runtime version | `v1.2` | `src/version.ts`, JSON schemas | Contract/runtime family used by OMK envelopes. |
 | Release channel | `pre-1.0` | `src/version.ts` | Pre-1.0 package channel. |
 
-`0.78.1` is the package source version for the `v1.2` runtime contract family.
+`0.78.5` is the package source version for the `v1.2` runtime contract family.
 Use `v1.2` only for runtime contracts; do not substitute it for the package version.
 
 ## Contract versions
@@ -44,6 +44,6 @@ The `version --json` command emits one `omk.contract.v1` envelope whose data pay
 
 ## Documentation rules
 
-- Use `0.78.1` when referring to the current package source version.
+- Use `0.78.5` when referring to the current package source version.
 - Use `v1.2` only for the runtime contract family.
 - Keep historical changelog entries unchanged unless the text is not clearly historical.

package/package.json

@@ -1,9 +1,10 @@
 {
   "name": "open-multi-agent-kit",
-  "version": "0.78.3",
+  "version": "0.78.5",
   "description": "Provider-neutral multi-agent control plane for coding workflows: route agents, verify evidence, orchestrate MCP-aware DAGs, and control the loop from the omk CLI.",
   "type": "module",
   "bin": {
+    "omk": "dist/cli.js",
     "omk-project-mcp": "dist/mcp/omk-project-server.js",
     "omk-acp": "dist/mcp/acp-server.js",
     "omk-mcp-host": "dist/mcp/host.js"
@@ -32,7 +33,7 @@
     "version:check": "node scripts/check-version-consistency.mjs",
     "contract:check": "npm run build:clean && npm run schema:check && node scripts/check-json-stdout.mjs",
     "verify:contracts": "npm run contract:check",
-    "release:check": "node scripts/release-gate.mjs",
+    "release:check": "npm run verify:no-kimi && npm run contract:check && npm run schema:check && npm run version:check && npm run proof:check && npm run smoke:execution && npm run native:build && npm run pack:dry && npm run audit:package && npm run smoke:pack && OMK_RELEASE_DEMO=1 node scripts/release-gate.mjs",
     "release:full": "npm run verify && npm run verify:no-kimi && npm run contract:check && npm run schema:check && npm run version:check && npm run proof:check && npm run smoke:execution && npm run native:build && npm run pack:dry && npm run audit:package && npm run smoke:pack",
     "regression:matrix": "node scripts/regression-proof-matrix.mjs",
     "release:rc": "npm run verify && npm run verify:no-kimi && npm run contract:check && npm run schema:check && npm run version:check && npm run proof:check && npm run smoke:execution && npm run native:build && npm run pack:dry && npm run audit:package && npm run smoke:pack",