npm - oxe-cc - Versions diffs - 1.2.1 → 1.3.0 - Mend

oxe-cc 1.2.1 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (276) hide show

package/.cursor/commands/oxe-ask.md +2 -2
package/.cursor/commands/oxe-capabilities.md +2 -2
package/.cursor/commands/oxe-checkpoint.md +2 -2
package/.cursor/commands/oxe-compact.md +2 -2
package/.cursor/commands/oxe-dashboard.md +2 -2
package/.cursor/commands/oxe-debug.md +2 -2
package/.cursor/commands/oxe-discuss.md +2 -2
package/.cursor/commands/oxe-execute.md +5 -2
package/.cursor/commands/oxe-forensics.md +2 -2
package/.cursor/commands/oxe-help.md +2 -2
package/.cursor/commands/oxe-loop.md +2 -2
package/.cursor/commands/oxe-milestone.md +2 -2
package/.cursor/commands/oxe-next.md +2 -2
package/.cursor/commands/oxe-obs.md +2 -2
package/.cursor/commands/oxe-plan-agent.md +2 -2
package/.cursor/commands/oxe-plan.md +2 -2
package/.cursor/commands/oxe-project.md +2 -2
package/.cursor/commands/oxe-quick.md +2 -2
package/.cursor/commands/oxe-research.md +2 -2
package/.cursor/commands/oxe-retro.md +2 -2
package/.cursor/commands/oxe-review-pr.md +2 -2
package/.cursor/commands/oxe-route.md +2 -2
package/.cursor/commands/oxe-scan.md +2 -2
package/.cursor/commands/oxe-security.md +2 -2
package/.cursor/commands/oxe-session.md +2 -2
package/.cursor/commands/oxe-ship.md +2 -2
package/.cursor/commands/oxe-skill.md +2 -2
package/.cursor/commands/oxe-spec.md +2 -2
package/.cursor/commands/oxe-ui-review.md +2 -2
package/.cursor/commands/oxe-ui-spec.md +2 -2
package/.cursor/commands/oxe-update.md +2 -2
package/.cursor/commands/oxe-validate-gaps.md +2 -2
package/.cursor/commands/oxe-verify.md +5 -2
package/.cursor/commands/oxe-workstream.md +2 -2
package/.cursor/commands/oxe.md +2 -2
package/.github/copilot-instructions.md +13 -13
package/.github/prompts/oxe-ask.prompt.md +2 -2
package/.github/prompts/oxe-capabilities.prompt.md +2 -2
package/.github/prompts/oxe-checkpoint.prompt.md +2 -2
package/.github/prompts/oxe-compact.prompt.md +2 -2
package/.github/prompts/oxe-dashboard.prompt.md +2 -2
package/.github/prompts/oxe-debug.prompt.md +2 -2
package/.github/prompts/oxe-discuss.prompt.md +2 -2
package/.github/prompts/oxe-execute.prompt.md +5 -2
package/.github/prompts/oxe-forensics.prompt.md +2 -2
package/.github/prompts/oxe-help.prompt.md +2 -2
package/.github/prompts/oxe-loop.prompt.md +2 -2
package/.github/prompts/oxe-milestone.prompt.md +2 -2
package/.github/prompts/oxe-next.prompt.md +2 -2
package/.github/prompts/oxe-obs.prompt.md +2 -2
package/.github/prompts/oxe-plan-agent.prompt.md +2 -2
package/.github/prompts/oxe-plan.prompt.md +2 -2
package/.github/prompts/oxe-project.prompt.md +2 -2
package/.github/prompts/oxe-quick.prompt.md +2 -2
package/.github/prompts/oxe-research.prompt.md +2 -2
package/.github/prompts/oxe-retro.prompt.md +2 -2
package/.github/prompts/oxe-review-pr.prompt.md +2 -2
package/.github/prompts/oxe-route.prompt.md +2 -2
package/.github/prompts/oxe-scan.prompt.md +2 -2
package/.github/prompts/oxe-security.prompt.md +2 -2
package/.github/prompts/oxe-session.prompt.md +2 -2
package/.github/prompts/oxe-ship.prompt.md +2 -2
package/.github/prompts/oxe-skill.prompt.md +2 -2
package/.github/prompts/oxe-spec.prompt.md +2 -2
package/.github/prompts/oxe-ui-review.prompt.md +2 -2
package/.github/prompts/oxe-ui-spec.prompt.md +2 -2
package/.github/prompts/oxe-update.prompt.md +2 -2
package/.github/prompts/oxe-validate-gaps.prompt.md +2 -2
package/.github/prompts/oxe-verify.prompt.md +5 -2
package/.github/prompts/oxe-workstream.prompt.md +2 -2
package/.github/prompts/oxe.prompt.md +2 -2
package/CHANGELOG.md +52 -17
package/README.md +610 -551
package/bin/banner.txt +1 -1
package/bin/lib/oxe-agent-install.cjs +69 -69
package/bin/lib/oxe-azure.cjs +1445 -1445
package/bin/lib/oxe-context-engine.cjs +867 -867
package/bin/lib/oxe-dashboard.cjs +76 -28
package/bin/lib/oxe-operational.cjs +2144 -1340
package/bin/lib/oxe-project-health.cjs +483 -1
package/bin/lib/oxe-runtime-semantics.cjs +12 -0
package/bin/oxe-cc.js +554 -152
package/commands/oxe/ask.md +2 -2
package/commands/oxe/capabilities.md +2 -2
package/commands/oxe/checkpoint.md +2 -2
package/commands/oxe/compact.md +2 -2
package/commands/oxe/dashboard.md +2 -2
package/commands/oxe/debug.md +2 -2
package/commands/oxe/discuss.md +2 -2
package/commands/oxe/execute.md +5 -2
package/commands/oxe/forensics.md +2 -2
package/commands/oxe/help.md +2 -2
package/commands/oxe/loop.md +2 -2
package/commands/oxe/milestone.md +2 -2
package/commands/oxe/next.md +2 -2
package/commands/oxe/obs.md +2 -2
package/commands/oxe/oxe.md +2 -2
package/commands/oxe/plan-agent.md +2 -2
package/commands/oxe/plan.md +2 -2
package/commands/oxe/project.md +2 -2
package/commands/oxe/quick.md +2 -2
package/commands/oxe/research.md +2 -2
package/commands/oxe/retro.md +2 -2
package/commands/oxe/review-pr.md +2 -2
package/commands/oxe/route.md +2 -2
package/commands/oxe/scan.md +2 -2
package/commands/oxe/security.md +2 -2
package/commands/oxe/session.md +2 -2
package/commands/oxe/ship.md +2 -2
package/commands/oxe/skill.md +2 -2
package/commands/oxe/spec.md +2 -2
package/commands/oxe/ui-review.md +2 -2
package/commands/oxe/ui-spec.md +2 -2
package/commands/oxe/update.md +2 -2
package/commands/oxe/validate-gaps.md +2 -2
package/commands/oxe/verify.md +5 -2
package/commands/oxe/workstream.md +2 -2
package/lib/runtime/delivery/branch-manager.d.ts +1 -0
package/lib/runtime/delivery/branch-manager.js +7 -0
package/lib/runtime/delivery/ci-checks.js +34 -1
package/lib/runtime/delivery/delivery-records.d.ts +34 -0
package/lib/runtime/delivery/delivery-records.js +48 -0
package/lib/runtime/delivery/index.d.ts +1 -0
package/lib/runtime/delivery/index.js +1 -0
package/lib/runtime/delivery/promotion-pipeline.d.ts +26 -2
package/lib/runtime/delivery/promotion-pipeline.js +111 -14
package/lib/runtime/gate/gate-manager.d.ts +41 -0
package/lib/runtime/gate/gate-manager.js +108 -1
package/lib/runtime/index.d.ts +2 -2
package/lib/runtime/index.js +3 -1
package/lib/runtime/models/gate-decision.d.ts +4 -1
package/lib/runtime/models/workspace.d.ts +3 -0
package/lib/runtime/plugins/capability-adapter.d.ts +12 -0
package/lib/runtime/plugins/capability-adapter.js +204 -0
package/lib/runtime/plugins/capability-matrix.d.ts +5 -0
package/lib/runtime/plugins/capability-matrix.js +48 -17
package/lib/runtime/plugins/index.d.ts +1 -0
package/lib/runtime/plugins/index.js +1 -0
package/lib/runtime/plugins/plugin-abi.d.ts +2 -0
package/lib/runtime/plugins/plugin-manifest.d.ts +1 -1
package/lib/runtime/plugins/plugin-manifest.js +6 -2
package/lib/runtime/plugins/plugin-registry.d.ts +46 -0
package/lib/runtime/plugins/plugin-registry.js +79 -2
package/lib/runtime/policy/policy-engine.d.ts +19 -0
package/lib/runtime/policy/policy-engine.js +76 -4
package/lib/runtime/projection/projection-engine.d.ts +9 -1
package/lib/runtime/projection/projection-engine.js +73 -3
package/lib/runtime/scheduler/multi-agent-coordinator.d.ts +43 -1
package/lib/runtime/scheduler/multi-agent-coordinator.js +151 -39
package/lib/runtime/scheduler/run-journal.d.ts +1 -1
package/lib/runtime/scheduler/scheduler.d.ts +19 -1
package/lib/runtime/scheduler/scheduler.js +258 -13
package/lib/runtime/verification/verification-compiler.d.ts +43 -0
package/lib/runtime/verification/verification-compiler.js +137 -0
package/lib/runtime/verification/verification-manifest.d.ts +9 -0
package/lib/runtime/verification/verification-manifest.js +56 -6
package/lib/runtime/workspace/strategies/ephemeral-container.d.ts +1 -0
package/lib/runtime/workspace/strategies/ephemeral-container.js +4 -0
package/lib/runtime/workspace/strategies/git-worktree.d.ts +1 -0
package/lib/runtime/workspace/strategies/git-worktree.js +2 -0
package/lib/runtime/workspace/strategies/inplace.d.ts +1 -0
package/lib/runtime/workspace/strategies/inplace.js +2 -0
package/lib/runtime/workspace/workspace-manager.d.ts +2 -1
package/lib/sdk/README.md +9 -9
package/lib/sdk/index.cjs +33 -24
package/lib/sdk/index.d.ts +149 -14
package/oxe/templates/ACTIVE-RUN.template.json +32 -32
package/oxe/templates/CAPABILITIES.template.md +7 -7
package/oxe/templates/CAPABILITY.template.md +45 -45
package/oxe/templates/CHECKPOINTS.template.md +7 -7
package/oxe/templates/EXECUTION-RUNTIME.template.md +68 -68
package/oxe/templates/HYPOTHESES.template.md +33 -33
package/oxe/templates/LESSONS-METRICS.template.json +13 -13
package/oxe/templates/NOTES.template.md +16 -16
package/oxe/templates/PLAN-REVIEW.template.md +31 -31
package/oxe/templates/SESSION.template.md +34 -34
package/oxe/templates/SKILL.template.md +26 -26
package/oxe/templates/STATE.md +55 -55
package/oxe/templates/WORKFLOW_AUTHORING.md +18 -18
package/oxe/workflows/ask.md +96 -96
package/oxe/workflows/capabilities.md +25 -25
package/oxe/workflows/dashboard.md +33 -33
package/oxe/workflows/discuss.md +12 -12
package/oxe/workflows/execute.md +14 -0
package/oxe/workflows/help.md +352 -352
package/oxe/workflows/next.md +22 -22
package/oxe/workflows/oxe.md +6 -6
package/oxe/workflows/plan-agent.md +9 -9
package/oxe/workflows/quick.md +10 -10
package/oxe/workflows/references/reasoning-discovery.md +28 -28
package/oxe/workflows/references/reasoning-execution.md +29 -29
package/oxe/workflows/references/reasoning-planning.md +32 -32
package/oxe/workflows/references/reasoning-review.md +29 -29
package/oxe/workflows/references/reasoning-status.md +24 -24
package/oxe/workflows/references/robustness-elevation.md +295 -295
package/oxe/workflows/references/workflow-runtime-contracts.json +952 -930
package/oxe/workflows/route.md +16 -16
package/oxe/workflows/session.md +213 -213
package/oxe/workflows/ship.md +142 -142
package/oxe/workflows/skill.md +44 -44
package/oxe/workflows/ui-review.md +36 -36
package/oxe/workflows/verify-audit.md +73 -73
package/oxe/workflows/verify.md +10 -0
package/package.json +92 -92
package/packages/runtime/package.json +17 -17
package/packages/runtime/src/audit/audit-trail.ts +243 -243
package/packages/runtime/src/audit/index.ts +2 -2
package/packages/runtime/src/audit/policy-pack.ts +62 -62
package/packages/runtime/src/compiler/graph-compiler.ts +245 -245
package/packages/runtime/src/compiler/index.ts +1 -1
package/packages/runtime/src/context/context-pack-builder.ts +259 -259
package/packages/runtime/src/context/context-pack-store.ts +197 -197
package/packages/runtime/src/context/context-profiles.ts +60 -60
package/packages/runtime/src/context/index.ts +3 -3
package/packages/runtime/src/decision/decision-engine.ts +174 -174
package/packages/runtime/src/decision/decision-memo.ts +211 -211
package/packages/runtime/src/decision/index.ts +2 -2
package/packages/runtime/src/delivery/branch-manager.ts +91 -84
package/packages/runtime/src/delivery/ci-checks.ts +285 -252
package/packages/runtime/src/delivery/delivery-records.ts +75 -0
package/packages/runtime/src/delivery/index.ts +5 -4
package/packages/runtime/src/delivery/pr-manager.ts +112 -112
package/packages/runtime/src/delivery/promotion-pipeline.ts +334 -180
package/packages/runtime/src/events/bus.ts +92 -92
package/packages/runtime/src/events/catalog.ts +29 -29
package/packages/runtime/src/events/envelope.ts +14 -14
package/packages/runtime/src/events/index.ts +3 -3
package/packages/runtime/src/evidence/evidence-store.ts +130 -130
package/packages/runtime/src/evidence/index.ts +1 -1
package/packages/runtime/src/gate/gate-manager.ts +289 -137
package/packages/runtime/src/gate/index.ts +1 -1
package/packages/runtime/src/index.ts +41 -37
package/packages/runtime/src/models/attempt.ts +19 -19
package/packages/runtime/src/models/evidence.ts +21 -21
package/packages/runtime/src/models/gate-decision.ts +25 -21
package/packages/runtime/src/models/index.ts +8 -8
package/packages/runtime/src/models/run.ts +24 -24
package/packages/runtime/src/models/session.ts +11 -11
package/packages/runtime/src/models/verification-result.ts +10 -10
package/packages/runtime/src/models/work-item.ts +25 -25
package/packages/runtime/src/models/workspace.ts +31 -28
package/packages/runtime/src/plugins/capability-adapter.ts +206 -0
package/packages/runtime/src/plugins/capability-matrix.ts +126 -83
package/packages/runtime/src/plugins/index.ts +5 -4
package/packages/runtime/src/plugins/plugin-abi.ts +97 -95
package/packages/runtime/src/plugins/plugin-manifest.ts +118 -113
package/packages/runtime/src/plugins/plugin-registry.ts +232 -124
package/packages/runtime/src/policy/index.ts +1 -1
package/packages/runtime/src/policy/policy-engine.ts +330 -244
package/packages/runtime/src/projection/index.ts +1 -1
package/packages/runtime/src/projection/projection-engine.ts +328 -249
package/packages/runtime/src/reducers/debug-reducer.ts +36 -36
package/packages/runtime/src/reducers/index.ts +2 -2
package/packages/runtime/src/reducers/run-state-reducer.ts +269 -269
package/packages/runtime/src/scheduler/agent-registry.ts +132 -132
package/packages/runtime/src/scheduler/agent-roles.ts +109 -109
package/packages/runtime/src/scheduler/index.ts +4 -4
package/packages/runtime/src/scheduler/multi-agent-coordinator.ts +521 -333
package/packages/runtime/src/scheduler/run-journal.ts +62 -62
package/packages/runtime/src/scheduler/scheduler.ts +722 -441
package/packages/runtime/src/verification/index.ts +2 -2
package/packages/runtime/src/verification/verification-compiler.ts +436 -225
package/packages/runtime/src/verification/verification-manifest.ts +252 -192
package/packages/runtime/src/workspace/index.ts +5 -5
package/packages/runtime/src/workspace/strategies/ephemeral-container.ts +126 -121
package/packages/runtime/src/workspace/strategies/git-worktree.ts +79 -77
package/packages/runtime/src/workspace/strategies/inplace.ts +38 -35
package/packages/runtime/src/workspace/workspace-manager.ts +16 -15
package/packages/runtime/tsconfig.json +17 -17
package/vscode-extension/.vscodeignore +7 -7
package/vscode-extension/oxe-agents-1.0.0.vsix +0 -0
package/vscode-extension/package.json +185 -185
package/vscode-extension/src/extension.js +310 -310
package/vscode-extension/src/shared/contextLoader.js +137 -137
package/vscode-extension/src/shared/contractBuilder.js +159 -159
package/vscode-extension/src/shared/stateReader.js +101 -101

package/packages/runtime/src/audit/audit-trail.ts CHANGED Viewed

@@ -1,243 +1,243 @@
-import crypto from 'crypto';
-import path from 'path';
-import fs from 'fs';
-// ─── RemoteAuditSink ─────────────────────────────────────────────────────────
-export interface AuditQueryFilter {
-  action?: AuditAction;
-  severity?: AuditSeverity;
-  runId?: string;
-  since?: string;
-}
-export interface RemoteAuditSink {
-  write(entry: AuditEntry): Promise<void>;
-  query(filter: AuditQueryFilter): Promise<AuditEntry[]>;
-}
-// ─── AuditMetrics ────────────────────────────────────────────────────────────
-export interface AuditMetrics {
-  total_entries: number;
-  critical_count: number;
-  warn_count: number;
-  by_action: Partial<Record<AuditAction, number>>;
-  actors: string[];
-  oldest: string | null;
-  newest: string | null;
-}
-export type AuditAction =
-  | 'run_started'
-  | 'run_completed'
-  | 'run_paused'
-  | 'run_recovered'
-  | 'gate_requested'
-  | 'gate_resolved'
-  | 'policy_denied'
-  | 'plugin_registered'
-  | 'plugin_invoked'
-  | 'secret_accessed'
-  | 'infra_mutation'
-  | 'pr_created'
-  | 'merge_approved'
-  | 'merge_blocked';
-export type AuditSeverity = 'info' | 'warn' | 'critical';
-export interface AuditEntry {
-  audit_id: string;
-  action: AuditAction;
-  severity: AuditSeverity;
-  run_id: string | null;
-  work_item_id: string | null;
-  actor: string;
-  resource: string | null;
-  detail: Record<string, unknown>;
-  timestamp: string;
-}
-export interface RunQuota {
-  run_id: string;
-  max_work_items: number;
-  max_mutations: number;
-  max_retries_total: number;
-  consumed_work_items: number;
-  consumed_mutations: number;
-  consumed_retries: number;
-}
-export interface QuotaViolation {
-  quota_type: 'work_items' | 'mutations' | 'retries';
-  limit: number;
-  consumed: number;
-}
-const ACTION_SEVERITY: Record<AuditAction, AuditSeverity> = {
-  run_started: 'info',
-  run_completed: 'info',
-  run_paused: 'info',
-  run_recovered: 'warn',
-  gate_requested: 'warn',
-  gate_resolved: 'info',
-  policy_denied: 'warn',
-  plugin_registered: 'info',
-  plugin_invoked: 'info',
-  secret_accessed: 'critical',
-  infra_mutation: 'critical',
-  pr_created: 'info',
-  merge_approved: 'warn',
-  merge_blocked: 'warn',
-};
-export class AuditTrail {
-  constructor(
-    private readonly projectRoot: string,
-    private readonly remoteSink?: RemoteAuditSink
-  ) {}
-  record(
-    action: AuditAction,
-    actor: string,
-    options: {
-      runId?: string;
-      workItemId?: string;
-      resource?: string;
-      detail?: Record<string, unknown>;
-    } = {}
-  ): AuditEntry {
-    const entry: AuditEntry = {
-      audit_id: `aud-${crypto.randomBytes(4).toString('hex')}`,
-      action,
-      severity: ACTION_SEVERITY[action],
-      run_id: options.runId ?? null,
-      work_item_id: options.workItemId ?? null,
-      actor,
-      resource: options.resource ?? null,
-      detail: options.detail ?? {},
-      timestamp: new Date().toISOString(),
-    };
-    this.append(entry);
-    return entry;
-  }
-  query(filter: {
-    action?: AuditAction;
-    severity?: AuditSeverity;
-    runId?: string;
-    since?: string;
-  } = {}): AuditEntry[] {
-    return this.load().filter((e) => {
-      if (filter.action && e.action !== filter.action) return false;
-      if (filter.severity && e.severity !== filter.severity) return false;
-      if (filter.runId && e.run_id !== filter.runId) return false;
-      if (filter.since && e.timestamp < filter.since) return false;
-      return true;
-    });
-  }
-  critical(): AuditEntry[] {
-    return this.query({ severity: 'critical' });
-  }
-  metrics(): AuditMetrics {
-    const entries = this.load();
-    const by_action: Partial<Record<AuditAction, number>> = {};
-    const actorSet = new Set<string>();
-    let oldest: string | null = null;
-    let newest: string | null = null;
-    let critical_count = 0;
-    let warn_count = 0;
-    for (const e of entries) {
-      by_action[e.action] = (by_action[e.action] ?? 0) + 1;
-      actorSet.add(e.actor);
-      if (e.severity === 'critical') critical_count++;
-      if (e.severity === 'warn') warn_count++;
-      if (!oldest || e.timestamp < oldest) oldest = e.timestamp;
-      if (!newest || e.timestamp > newest) newest = e.timestamp;
-    }
-    return {
-      total_entries: entries.length,
-      critical_count,
-      warn_count,
-      by_action,
-      actors: [...actorSet],
-      oldest,
-      newest,
-    };
-  }
-  private append(entry: AuditEntry): void {
-    const p = this.trailPath();
-    fs.mkdirSync(path.dirname(p), { recursive: true });
-    fs.appendFileSync(p, JSON.stringify(entry) + '\n', 'utf8');
-    // Fire-and-forget remote sink (failures are non-fatal)
-    if (this.remoteSink) {
-      this.remoteSink.write(entry).catch(() => {});
-    }
-  }
-  private load(): AuditEntry[] {
-    const p = this.trailPath();
-    if (!fs.existsSync(p)) return [];
-    try {
-      return fs
-        .readFileSync(p, 'utf8')
-        .split('\n')
-        .filter(Boolean)
-        .map((line) => JSON.parse(line) as AuditEntry);
-    } catch {
-      return [];
-    }
-  }
-  private trailPath(): string {
-    return path.join(this.projectRoot, '.oxe', 'AUDIT-TRAIL.ndjson');
-  }
-}
-// ─── RunQuota ─────────────────────────────────────────────────────────────────
-export function createQuota(
-  runId: string,
-  limits: Partial<Omit<RunQuota, 'run_id' | 'consumed_work_items' | 'consumed_mutations' | 'consumed_retries'>> = {}
-): RunQuota {
-  return {
-    run_id: runId,
-    max_work_items: limits.max_work_items ?? Infinity,
-    max_mutations: limits.max_mutations ?? Infinity,
-    max_retries_total: limits.max_retries_total ?? Infinity,
-    consumed_work_items: 0,
-    consumed_mutations: 0,
-    consumed_retries: 0,
-  };
-}
-export function checkQuota(quota: RunQuota): QuotaViolation | null {
-  if (quota.consumed_work_items > quota.max_work_items) {
-    return { quota_type: 'work_items', limit: quota.max_work_items, consumed: quota.consumed_work_items };
-  }
-  if (quota.consumed_mutations > quota.max_mutations) {
-    return { quota_type: 'mutations', limit: quota.max_mutations, consumed: quota.consumed_mutations };
-  }
-  if (quota.consumed_retries > quota.max_retries_total) {
-    return { quota_type: 'retries', limit: quota.max_retries_total, consumed: quota.consumed_retries };
-  }
-  return null;
-}
-export function consumeQuota(
-  quota: RunQuota,
-  type: QuotaViolation['quota_type'],
-  amount = 1
-): RunQuota {
-  switch (type) {
-    case 'work_items': return { ...quota, consumed_work_items: quota.consumed_work_items + amount };
-    case 'mutations': return { ...quota, consumed_mutations: quota.consumed_mutations + amount };
-    case 'retries': return { ...quota, consumed_retries: quota.consumed_retries + amount };
-  }
-}
+import crypto from 'crypto';
+import path from 'path';
+import fs from 'fs';
+// ─── RemoteAuditSink ─────────────────────────────────────────────────────────
+export interface AuditQueryFilter {
+  action?: AuditAction;
+  severity?: AuditSeverity;
+  runId?: string;
+  since?: string;
+}
+export interface RemoteAuditSink {
+  write(entry: AuditEntry): Promise<void>;
+  query(filter: AuditQueryFilter): Promise<AuditEntry[]>;
+}
+// ─── AuditMetrics ────────────────────────────────────────────────────────────
+export interface AuditMetrics {
+  total_entries: number;
+  critical_count: number;
+  warn_count: number;
+  by_action: Partial<Record<AuditAction, number>>;
+  actors: string[];
+  oldest: string | null;
+  newest: string | null;
+}
+export type AuditAction =
+  | 'run_started'
+  | 'run_completed'
+  | 'run_paused'
+  | 'run_recovered'
+  | 'gate_requested'
+  | 'gate_resolved'
+  | 'policy_denied'
+  | 'plugin_registered'
+  | 'plugin_invoked'
+  | 'secret_accessed'
+  | 'infra_mutation'
+  | 'pr_created'
+  | 'merge_approved'
+  | 'merge_blocked';
+export type AuditSeverity = 'info' | 'warn' | 'critical';
+export interface AuditEntry {
+  audit_id: string;
+  action: AuditAction;
+  severity: AuditSeverity;
+  run_id: string | null;
+  work_item_id: string | null;
+  actor: string;
+  resource: string | null;
+  detail: Record<string, unknown>;
+  timestamp: string;
+}
+export interface RunQuota {
+  run_id: string;
+  max_work_items: number;
+  max_mutations: number;
+  max_retries_total: number;
+  consumed_work_items: number;
+  consumed_mutations: number;
+  consumed_retries: number;
+}
+export interface QuotaViolation {
+  quota_type: 'work_items' | 'mutations' | 'retries';
+  limit: number;
+  consumed: number;
+}
+const ACTION_SEVERITY: Record<AuditAction, AuditSeverity> = {
+  run_started: 'info',
+  run_completed: 'info',
+  run_paused: 'info',
+  run_recovered: 'warn',
+  gate_requested: 'warn',
+  gate_resolved: 'info',
+  policy_denied: 'warn',
+  plugin_registered: 'info',
+  plugin_invoked: 'info',
+  secret_accessed: 'critical',
+  infra_mutation: 'critical',
+  pr_created: 'info',
+  merge_approved: 'warn',
+  merge_blocked: 'warn',
+};
+export class AuditTrail {
+  constructor(
+    private readonly projectRoot: string,
+    private readonly remoteSink?: RemoteAuditSink
+  ) {}
+  record(
+    action: AuditAction,
+    actor: string,
+    options: {
+      runId?: string;
+      workItemId?: string;
+      resource?: string;
+      detail?: Record<string, unknown>;
+    } = {}
+  ): AuditEntry {
+    const entry: AuditEntry = {
+      audit_id: `aud-${crypto.randomBytes(4).toString('hex')}`,
+      action,
+      severity: ACTION_SEVERITY[action],
+      run_id: options.runId ?? null,
+      work_item_id: options.workItemId ?? null,
+      actor,
+      resource: options.resource ?? null,
+      detail: options.detail ?? {},
+      timestamp: new Date().toISOString(),
+    };
+    this.append(entry);
+    return entry;
+  }
+  query(filter: {
+    action?: AuditAction;
+    severity?: AuditSeverity;
+    runId?: string;
+    since?: string;
+  } = {}): AuditEntry[] {
+    return this.load().filter((e) => {
+      if (filter.action && e.action !== filter.action) return false;
+      if (filter.severity && e.severity !== filter.severity) return false;
+      if (filter.runId && e.run_id !== filter.runId) return false;
+      if (filter.since && e.timestamp < filter.since) return false;
+      return true;
+    });
+  }
+  critical(): AuditEntry[] {
+    return this.query({ severity: 'critical' });
+  }
+  metrics(): AuditMetrics {
+    const entries = this.load();
+    const by_action: Partial<Record<AuditAction, number>> = {};
+    const actorSet = new Set<string>();
+    let oldest: string | null = null;
+    let newest: string | null = null;
+    let critical_count = 0;
+    let warn_count = 0;
+    for (const e of entries) {
+      by_action[e.action] = (by_action[e.action] ?? 0) + 1;
+      actorSet.add(e.actor);
+      if (e.severity === 'critical') critical_count++;
+      if (e.severity === 'warn') warn_count++;
+      if (!oldest || e.timestamp < oldest) oldest = e.timestamp;
+      if (!newest || e.timestamp > newest) newest = e.timestamp;
+    }
+    return {
+      total_entries: entries.length,
+      critical_count,
+      warn_count,
+      by_action,
+      actors: [...actorSet],
+      oldest,
+      newest,
+    };
+  }
+  private append(entry: AuditEntry): void {
+    const p = this.trailPath();
+    fs.mkdirSync(path.dirname(p), { recursive: true });
+    fs.appendFileSync(p, JSON.stringify(entry) + '\n', 'utf8');
+    // Fire-and-forget remote sink (failures are non-fatal)
+    if (this.remoteSink) {
+      this.remoteSink.write(entry).catch(() => {});
+    }
+  }
+  private load(): AuditEntry[] {
+    const p = this.trailPath();
+    if (!fs.existsSync(p)) return [];
+    try {
+      return fs
+        .readFileSync(p, 'utf8')
+        .split('\n')
+        .filter(Boolean)
+        .map((line) => JSON.parse(line) as AuditEntry);
+    } catch {
+      return [];
+    }
+  }
+  private trailPath(): string {
+    return path.join(this.projectRoot, '.oxe', 'AUDIT-TRAIL.ndjson');
+  }
+}
+// ─── RunQuota ─────────────────────────────────────────────────────────────────
+export function createQuota(
+  runId: string,
+  limits: Partial<Omit<RunQuota, 'run_id' | 'consumed_work_items' | 'consumed_mutations' | 'consumed_retries'>> = {}
+): RunQuota {
+  return {
+    run_id: runId,
+    max_work_items: limits.max_work_items ?? Infinity,
+    max_mutations: limits.max_mutations ?? Infinity,
+    max_retries_total: limits.max_retries_total ?? Infinity,
+    consumed_work_items: 0,
+    consumed_mutations: 0,
+    consumed_retries: 0,
+  };
+}
+export function checkQuota(quota: RunQuota): QuotaViolation | null {
+  if (quota.consumed_work_items > quota.max_work_items) {
+    return { quota_type: 'work_items', limit: quota.max_work_items, consumed: quota.consumed_work_items };
+  }
+  if (quota.consumed_mutations > quota.max_mutations) {
+    return { quota_type: 'mutations', limit: quota.max_mutations, consumed: quota.consumed_mutations };
+  }
+  if (quota.consumed_retries > quota.max_retries_total) {
+    return { quota_type: 'retries', limit: quota.max_retries_total, consumed: quota.consumed_retries };
+  }
+  return null;
+}
+export function consumeQuota(
+  quota: RunQuota,
+  type: QuotaViolation['quota_type'],
+  amount = 1
+): RunQuota {
+  switch (type) {
+    case 'work_items': return { ...quota, consumed_work_items: quota.consumed_work_items + amount };
+    case 'mutations': return { ...quota, consumed_mutations: quota.consumed_mutations + amount };
+    case 'retries': return { ...quota, consumed_retries: quota.consumed_retries + amount };
+  }
+}

package/packages/runtime/src/audit/index.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-export * from './audit-trail';
-export * from './policy-pack';
+export * from './audit-trail';
+export * from './policy-pack';

package/packages/runtime/src/audit/policy-pack.ts CHANGED Viewed

@@ -1,62 +1,62 @@
-import path from 'path';
-import fs from 'fs';
-import type { PolicyRule, EnvironmentGuardrail } from '../policy/policy-engine';
-import { PolicyEngine } from '../policy/policy-engine';
-export interface PolicyPack {
-  pack_id: string;
-  org_id: string;
-  name: string;
-  version: string;
-  policies: PolicyRule[];
-  guardrail: EnvironmentGuardrail;
-  created_at: string;
-}
-function packDir(projectRoot: string): string {
-  return path.join(projectRoot, '.oxe', 'policy-packs');
-}
-function packFilePath(projectRoot: string, packId: string): string {
-  return path.join(packDir(projectRoot), `${packId}.json`);
-}
-export function savePolicyPack(projectRoot: string, pack: PolicyPack): void {
-  const dir = packDir(projectRoot);
-  fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(packFilePath(projectRoot, pack.pack_id), JSON.stringify(pack, null, 2), 'utf8');
-}
-export function loadPolicyPack(projectRoot: string, packId: string): PolicyPack | null {
-  const p = packFilePath(projectRoot, packId);
-  if (!fs.existsSync(p)) return null;
-  try {
-    return JSON.parse(fs.readFileSync(p, 'utf8')) as PolicyPack;
-  } catch {
-    return null;
-  }
-}
-export function listPolicyPacks(projectRoot: string): PolicyPack[] {
-  const dir = packDir(projectRoot);
-  if (!fs.existsSync(dir)) return [];
-  return fs
-    .readdirSync(dir)
-    .filter((f) => f.endsWith('.json'))
-    .map((f) => {
-      try {
-        return JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8')) as PolicyPack;
-      } catch {
-        return null;
-      }
-    })
-    .filter((p): p is PolicyPack => p !== null);
-}
-export function applyPolicyPack(engine: PolicyEngine, pack: PolicyPack): PolicyEngine {
-  let result = engine.withGuardrail(pack.guardrail);
-  for (const rule of pack.policies) {
-    result = result.withRule(rule);
-  }
-  return result;
-}
+import path from 'path';
+import fs from 'fs';
+import type { PolicyRule, EnvironmentGuardrail } from '../policy/policy-engine';
+import { PolicyEngine } from '../policy/policy-engine';
+export interface PolicyPack {
+  pack_id: string;
+  org_id: string;
+  name: string;
+  version: string;
+  policies: PolicyRule[];
+  guardrail: EnvironmentGuardrail;
+  created_at: string;
+}
+function packDir(projectRoot: string): string {
+  return path.join(projectRoot, '.oxe', 'policy-packs');
+}
+function packFilePath(projectRoot: string, packId: string): string {
+  return path.join(packDir(projectRoot), `${packId}.json`);
+}
+export function savePolicyPack(projectRoot: string, pack: PolicyPack): void {
+  const dir = packDir(projectRoot);
+  fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(packFilePath(projectRoot, pack.pack_id), JSON.stringify(pack, null, 2), 'utf8');
+}
+export function loadPolicyPack(projectRoot: string, packId: string): PolicyPack | null {
+  const p = packFilePath(projectRoot, packId);
+  if (!fs.existsSync(p)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf8')) as PolicyPack;
+  } catch {
+    return null;
+  }
+}
+export function listPolicyPacks(projectRoot: string): PolicyPack[] {
+  const dir = packDir(projectRoot);
+  if (!fs.existsSync(dir)) return [];
+  return fs
+    .readdirSync(dir)
+    .filter((f) => f.endsWith('.json'))
+    .map((f) => {
+      try {
+        return JSON.parse(fs.readFileSync(path.join(dir, f), 'utf8')) as PolicyPack;
+      } catch {
+        return null;
+      }
+    })
+    .filter((p): p is PolicyPack => p !== null);
+}
+export function applyPolicyPack(engine: PolicyEngine, pack: PolicyPack): PolicyEngine {
+  let result = engine.withGuardrail(pack.guardrail);
+  for (const rule of pack.policies) {
+    result = result.withRule(rule);
+  }
+  return result;
+}