orionfold-relay 0.19.0 → 0.20.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -1
- package/dist/cli.js +4 -4
- package/package.json +1 -1
- package/src/lib/plugins/examples/echo-server/plugin.yaml +1 -1
- package/src/lib/plugins/examples/finance-pack/plugin.yaml +1 -1
- package/src/lib/plugins/examples/reading-radar/plugin.yaml +1 -1
- package/src/lib/plugins/registry.ts +1 -1
- package/src/lib/plugins/sdk/types.ts +1 -1
package/README.md
CHANGED
|
@@ -104,10 +104,13 @@ The governance is *in* the workflow, not bolted on. A blueprint is a fixed step
|
|
|
104
104
|
## Why it stays trustworthy
|
|
105
105
|
|
|
106
106
|
- **Local-first** — SQLite database, no cloud dependency, `npx orionfold-relay` and go
|
|
107
|
+
- **Never phones home** — no telemetry, no update checks, no license server; the complete outbound-network inventory is documented and code-linked in [docs/trust/data-flow.md](docs/trust/data-flow.md)
|
|
107
108
|
- **Your rules, enforced** — tool permissions, inbox approvals, and audit trails for every agent action
|
|
108
109
|
- **Your AI team** — 21 specialist profiles ready to deploy, each with instructions, tool policies, and runtime tuning
|
|
109
110
|
- **Know what you spend** — usage metering, budgets, and per-provider/per-model spend visibility on governed runs
|
|
110
|
-
- **Open source** — Apache-2.0, read the engine and run it yourself
|
|
111
|
+
- **Open source & verifiable** — Apache-2.0, read the engine and run it yourself; every npm release ships with a provenance attestation and a CycloneDX SBOM ([docs/trust/supply-chain.md](docs/trust/supply-chain.md))
|
|
112
|
+
|
|
113
|
+
Evaluating Relay for an enterprise? The full trust pack — [security packet](docs/trust/security-packet.md), [data-flow disclosure](docs/trust/data-flow.md), [supply-chain verification](docs/trust/supply-chain.md), [plain-language license terms](docs/trust/license-terms.md), and [continuity statement](docs/trust/continuity.md) — lives in [`docs/trust/`](docs/trust/). Vulnerability reports: [SECURITY.md](SECURITY.md).
|
|
111
114
|
|
|
112
115
|
<img src="https://raw.githubusercontent.com/orionfold/relay/main/public/readme/inbox-list.png" alt="The governance command center: tool-permission approvals, agent questions, and a permission queue — nothing reaches a client without sign-off" width="1200" />
|
|
113
116
|
|
|
@@ -139,6 +142,9 @@ relay license remove <license-id> # forget a license
|
|
|
139
142
|
- **What's free stays free.** Capabilities never move from the free engine into a paid
|
|
140
143
|
pack. Paid packs are new content, not repossessed features.
|
|
141
144
|
|
|
145
|
+
The full terms in plain language — seats, transfer, what expiry does and doesn't do —
|
|
146
|
+
are in [docs/trust/license-terms.md](docs/trust/license-terms.md).
|
|
147
|
+
|
|
142
148
|
---
|
|
143
149
|
|
|
144
150
|
## Runtime bridge
|
package/dist/cli.js
CHANGED
|
@@ -1186,7 +1186,7 @@ var CURRENT_PLUGIN_API_VERSION, CAPABILITY_VALUES, ORIGIN_VALUES, PrimitivesBund
|
|
|
1186
1186
|
var init_types = __esm({
|
|
1187
1187
|
"src/lib/plugins/sdk/types.ts"() {
|
|
1188
1188
|
"use strict";
|
|
1189
|
-
CURRENT_PLUGIN_API_VERSION = "0.
|
|
1189
|
+
CURRENT_PLUGIN_API_VERSION = "0.20";
|
|
1190
1190
|
CAPABILITY_VALUES = ["fs", "net", "child_process", "env"];
|
|
1191
1191
|
ORIGIN_VALUES = ["ainative-internal", "third-party"];
|
|
1192
1192
|
PrimitivesBundleManifestSchema = z.object({
|
|
@@ -12891,7 +12891,7 @@ var init_registry6 = __esm({
|
|
|
12891
12891
|
init_registry5();
|
|
12892
12892
|
init_installer();
|
|
12893
12893
|
init_schedule_spec();
|
|
12894
|
-
SUPPORTED_API_VERSIONS = /* @__PURE__ */ new Set([CURRENT_PLUGIN_API_VERSION, "0.
|
|
12894
|
+
SUPPORTED_API_VERSIONS = /* @__PURE__ */ new Set([CURRENT_PLUGIN_API_VERSION, "0.19"]);
|
|
12895
12895
|
pluginCache = null;
|
|
12896
12896
|
lastLoadedPluginIds = /* @__PURE__ */ new Set();
|
|
12897
12897
|
PluginTableSchema = z16.object({
|
|
@@ -25623,8 +25623,8 @@ import { execFileSync as execFileSync3 } from "child_process";
|
|
|
25623
25623
|
import yaml12 from "js-yaml";
|
|
25624
25624
|
import semver from "semver";
|
|
25625
25625
|
function relayCoreVersion() {
|
|
25626
|
-
if (semver.valid("0.
|
|
25627
|
-
return "0.
|
|
25626
|
+
if (semver.valid("0.20.0")) {
|
|
25627
|
+
return "0.20.0";
|
|
25628
25628
|
}
|
|
25629
25629
|
try {
|
|
25630
25630
|
const root = getAppRoot(import.meta.dirname, 3);
|
package/package.json
CHANGED
|
@@ -53,7 +53,7 @@ import type { ScheduleSpec } from "@/lib/validators/schedule-spec";
|
|
|
53
53
|
// unfixed from 0.15.0 through 0.16.0 — treat the window test's failure as
|
|
54
54
|
// a release blocker, not noise). The 0.13→0.14 three-MINOR bridge is over;
|
|
55
55
|
// this is the standard 2-MINOR window now.
|
|
56
|
-
const SUPPORTED_API_VERSIONS = new Set([CURRENT_PLUGIN_API_VERSION, "0.
|
|
56
|
+
const SUPPORTED_API_VERSIONS = new Set([CURRENT_PLUGIN_API_VERSION, "0.19"]);
|
|
57
57
|
|
|
58
58
|
/** Test-helper export so the window-enforcement test can read state. */
|
|
59
59
|
export function isSupportedApiVersion(apiVersion: string): boolean {
|
|
@@ -6,7 +6,7 @@ import { z } from "zod";
|
|
|
6
6
|
// (a hardcoded copy there once drifted to "0.14" — scaffolded plugins would
|
|
7
7
|
// have been disabled on load the moment the window tightened). Bump on every
|
|
8
8
|
// MINOR release; api-version-window.test.ts fails if this goes stale.
|
|
9
|
-
export const CURRENT_PLUGIN_API_VERSION = "0.
|
|
9
|
+
export const CURRENT_PLUGIN_API_VERSION = "0.20";
|
|
10
10
|
|
|
11
11
|
// Shared capability tuple — single source of truth used by Zod schema and
|
|
12
12
|
// capability-check.ts hash derivation. Exported so consumers don't need a
|