quorumkit-engine 3.0.0

package/dist/992.index.js

@@ -0,0 +1,211 @@
+export const id = 992;
+export const ids = [992,563];
+export const modules = {
+
+/***/ 3563:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   isRetryable: () => (/* binding */ isRetryable),
+/* harmony export */   withRetry: () => (/* binding */ withRetry)
+/* harmony export */ });
+/**
+ * runtimes/_retry.js
+ * Bounded exponential-backoff retry helper shared by all runtime adapters
+ * (ADR-007 §8, FR-030).
+ *
+ * Policy (defaults): 3 attempts, base 2 s, jitter ±25 %, max wait 30 s total.
+ * Retries are triggered by network errors, HTTP 5xx, and HTTP 429 (rate-limit).
+ * Non-retryable errors are rethrown immediately.
+ *
+ * Returns the function's resolved value plus the number of retries used,
+ * so the caller can record `runtime_retries` in the audit comment without
+ * counting the invocation as a separate loop-budget iteration.
+ */
+
+const DEFAULT_OPTS = Object.freeze({
+  maxAttempts: 3,
+  baseMs: 2_000,
+  maxTotalMs: 30_000,
+  jitter: 0.25,
+});
+
+/**
+ * Determine whether an error is retryable.
+ * @param {any} err
+ * @returns {boolean}
+ */
+function isRetryable(err) {
+  if (!err) return false;
+  // Octokit / fetch error styles
+  if (err.status === 429) return true;
+  if (typeof err.status === 'number' && err.status >= 500 && err.status < 600) return true;
+  // Node fetch network errors
+  const code = err.code ?? err.cause?.code;
+  if (code && /^(ECONNRESET|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|UND_ERR_SOCKET)$/.test(code)) return true;
+  if (typeof err.message === 'string' && /timeout|network/i.test(err.message)) return true;
+  return false;
+}
+
+/**
+ * Run `fn` with bounded exponential backoff.
+ *
+ * @template T
+ * @param {() => Promise<T>} fn
+ * @param {object} [options]
+ * @param {object} [options.clock] - injectable clock { now(): number, sleep(ms): Promise<void> }
+ * @returns {Promise<{ value: T, retries: number }>}
+ */
+async function withRetry(fn, options = {}) {
+  const opts = { ...DEFAULT_OPTS, ...options };
+  const clock = options.clock ?? defaultClock;
+
+  const start = clock.now();
+  let attempt = 0;
+  let lastError;
+
+  while (attempt < opts.maxAttempts) {
+    try {
+      const value = await fn();
+      return { value, retries: attempt };
+    } catch (err) {
+      lastError = err;
+      attempt += 1;
+      if (!isRetryable(err) || attempt >= opts.maxAttempts) break;
+
+      const elapsed = clock.now() - start;
+      if (elapsed >= opts.maxTotalMs) break;
+
+      const exp = Math.pow(2, attempt - 1) * opts.baseMs;
+      const jitter = exp * opts.jitter * (Math.random() * 2 - 1);
+      const wait = Math.max(0, Math.min(exp + jitter, opts.maxTotalMs - elapsed));
+      await clock.sleep(wait);
+    }
+  }
+
+  throw lastError;
+}
+
+const defaultClock = {
+  now: () => Date.now(),
+  sleep: ms => new Promise(r => setTimeout(r, ms)),
+};
+
+
+/***/ }),
+
+/***/ 1992:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   KIND: () => (/* binding */ KIND),
+/* harmony export */   invoke: () => (/* binding */ invoke),
+/* harmony export */   requiredPermissions: () => (/* binding */ requiredPermissions)
+/* harmony export */ });
+/* harmony import */ var _retry_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3563);
+/**
+ * runtimes/copilot.js
+ * Adapter for the Copilot (GitHub Models) runtime kind (ADR-005, ADR-003).
+ *
+ * Dispatches the agent's Copilot workflow file (`copilot-agent-<slug>.yml`)
+ * via repository_dispatch / workflow_dispatch through the supplied client.
+ * Wraps the call in the shared bounded-backoff retry helper (ADR-007 §8).
+ *
+ * The adapter is purely a dispatch layer — the LLM call itself happens
+ * inside the dispatched GHA workflow, where the GITHUB_TOKEN is already
+ * scoped via the workflow file. No secret value ever crosses this module.
+ *
+ * Exports:
+ *   requiredPermissions      — GH Actions token scopes consumed by this kind
+ *   invoke(context)          — dispatch entry point
+ */
+
+
+
+const KIND = 'copilot';
+
+/**
+ * Permissions consumed by the dispatched copilot workflow. The orchestrator
+ * unions these with the scopes of every other adapter actually used at run
+ * time (ADR-007 §7) when composing dispatched workflow `permissions:` blocks.
+ */
+const requiredPermissions = Object.freeze({
+  contents: 'read',
+  issues: 'write',
+  'pull-requests': 'write',
+  models: 'read', // GitHub Models inference
+});
+
+/**
+ * Resolve the credential for a runtime entry. Returns the env var value or
+ * throws { code: 'runtime-credential-missing', credential_ref } if absent.
+ *
+ * NEVER returns the value to a caller that logs/comments — only the dispatch
+ * call uses it, and only the *name* (credential_ref) is recorded in audits.
+ */
+function resolveCredential(runtime, env = process.env) {
+  const ref = runtime.credential_ref;
+  if (!ref) {
+    const e = new Error('runtime-credential-missing');
+    e.code = 'runtime-credential-missing';
+    e.credential_ref = '(none declared)';
+    throw e;
+  }
+  const value = env[ref];
+  if (!value) {
+    const e = new Error('runtime-credential-missing');
+    e.code = 'runtime-credential-missing';
+    e.credential_ref = ref;
+    throw e;
+  }
+  return value;
+}
+
+/**
+ * Invoke the runtime for one step.
+ *
+ * @param {object} context
+ * @param {object} context.client      - GitHub client with triggerWorkflow()
+ * @param {string} context.owner
+ * @param {string} context.repo
+ * @param {string} context.agent       - agent slug (e.g. "qa-agent")
+ * @param {string} context.ref         - git ref to dispatch on
+ * @param {number} context.issueNumber
+ * @param {string} context.runId
+ * @param {string} context.step
+ * @param {number} context.iteration
+ * @param {object} context.runtime     - resolved runtime entry
+ * @param {string} context.runtimeName
+ * @param {object} [context.env]       - injectable env (for tests)
+ * @returns {Promise<{ dispatched: true, retries: number, workflow: string }>}
+ */
+async function invoke(context) {
+  const env = context.env ?? process.env;
+  // Trigger credential check (throws on absence) but never expose value:
+  resolveCredential(context.runtime, env);
+
+  const workflow = `copilot-agent-${context.agent}.yml`;
+  const dispatchRef = context.ref ?? 'main';
+  const inputs = {
+    issue_number: String(context.issueNumber),
+    run_id: context.runId ?? '',
+    step: context.step ?? '',
+    iteration: String(context.iteration ?? 1),
+    runtime: context.runtimeName ?? '',
+  };
+
+  const { retries } = await (0,_retry_js__WEBPACK_IMPORTED_MODULE_0__.withRetry)(
+    () => context.client.triggerWorkflow(context.owner, context.repo, workflow, dispatchRef, inputs),
+    { clock: context.clock }
+  );
+  return { dispatched: true, retries, workflow };
+}
+
+
+/***/ })
+
+};
+
+//# sourceMappingURL=992.index.js.map

package/dist/992.index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"992.index.js","mappings":";;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;;;;;;;;;;;;AChFA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","sources":[".././orchestrator/runtimes/_retry.js",".././orchestrator/runtimes/copilot.js"],"sourcesContent":["/**\n * runtimes/_retry.js\n * Bounded exponential-backoff retry helper shared by all runtime adapters\n * (ADR-007 §8, FR-030).\n *\n * Policy (defaults): 3 attempts, base 2 s, jitter ±25 %, max wait 30 s total.\n * Retries are triggered by network errors, HTTP 5xx, and HTTP 429 (rate-limit).\n * Non-retryable errors are rethrown immediately.\n *\n * Returns the function's resolved value plus the number of retries used,\n * so the caller can record `runtime_retries` in the audit comment without\n * counting the invocation as a separate loop-budget iteration.\n */\n\nconst DEFAULT_OPTS = Object.freeze({\n  maxAttempts: 3,\n  baseMs: 2_000,\n  maxTotalMs: 30_000,\n  jitter: 0.25,\n});\n\n/**\n * Determine whether an error is retryable.\n * @param {any} err\n * @returns {boolean}\n */\nexport function isRetryable(err) {\n  if (!err) return false;\n  // Octokit / fetch error styles\n  if (err.status === 429) return true;\n  if (typeof err.status === 'number' && err.status >= 500 && err.status < 600) return true;\n  // Node fetch network errors\n  const code = err.code ?? err.cause?.code;\n  if (code && /^(ECONNRESET|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|UND_ERR_SOCKET)$/.test(code)) return true;\n  if (typeof err.message === 'string' && /timeout|network/i.test(err.message)) return true;\n  return false;\n}\n\n/**\n * Run `fn` with bounded exponential backoff.\n *\n * @template T\n * @param {() => Promise<T>} fn\n * @param {object} [options]\n * @param {object} [options.clock] - injectable clock { now(): number, sleep(ms): Promise<void> }\n * @returns {Promise<{ value: T, retries: number }>}\n */\nexport async function withRetry(fn, options = {}) {\n  const opts = { ...DEFAULT_OPTS, ...options };\n  const clock = options.clock ?? defaultClock;\n\n  const start = clock.now();\n  let attempt = 0;\n  let lastError;\n\n  while (attempt < opts.maxAttempts) {\n    try {\n      const value = await fn();\n      return { value, retries: attempt };\n    } catch (err) {\n      lastError = err;\n      attempt += 1;\n      if (!isRetryable(err) || attempt >= opts.maxAttempts) break;\n\n      const elapsed = clock.now() - start;\n      if (elapsed >= opts.maxTotalMs) break;\n\n      const exp = Math.pow(2, attempt - 1) * opts.baseMs;\n      const jitter = exp * opts.jitter * (Math.random() * 2 - 1);\n      const wait = Math.max(0, Math.min(exp + jitter, opts.maxTotalMs - elapsed));\n      await clock.sleep(wait);\n    }\n  }\n\n  throw lastError;\n}\n\nconst defaultClock = {\n  now: () => Date.now(),\n  sleep: ms => new Promise(r => setTimeout(r, ms)),\n};\n","/**\n * runtimes/copilot.js\n * Adapter for the Copilot (GitHub Models) runtime kind (ADR-005, ADR-003).\n *\n * Dispatches the agent's Copilot workflow file (`copilot-agent-<slug>.yml`)\n * via repository_dispatch / workflow_dispatch through the supplied client.\n * Wraps the call in the shared bounded-backoff retry helper (ADR-007 §8).\n *\n * The adapter is purely a dispatch layer — the LLM call itself happens\n * inside the dispatched GHA workflow, where the GITHUB_TOKEN is already\n * scoped via the workflow file. No secret value ever crosses this module.\n *\n * Exports:\n *   requiredPermissions      — GH Actions token scopes consumed by this kind\n *   invoke(context)          — dispatch entry point\n */\n\nimport { withRetry } from './_retry.js';\n\nexport const KIND = 'copilot';\n\n/**\n * Permissions consumed by the dispatched copilot workflow. The orchestrator\n * unions these with the scopes of every other adapter actually used at run\n * time (ADR-007 §7) when composing dispatched workflow `permissions:` blocks.\n */\nexport const requiredPermissions = Object.freeze({\n  contents: 'read',\n  issues: 'write',\n  'pull-requests': 'write',\n  models: 'read', // GitHub Models inference\n});\n\n/**\n * Resolve the credential for a runtime entry. Returns the env var value or\n * throws { code: 'runtime-credential-missing', credential_ref } if absent.\n *\n * NEVER returns the value to a caller that logs/comments — only the dispatch\n * call uses it, and only the *name* (credential_ref) is recorded in audits.\n */\nfunction resolveCredential(runtime, env = process.env) {\n  const ref = runtime.credential_ref;\n  if (!ref) {\n    const e = new Error('runtime-credential-missing');\n    e.code = 'runtime-credential-missing';\n    e.credential_ref = '(none declared)';\n    throw e;\n  }\n  const value = env[ref];\n  if (!value) {\n    const e = new Error('runtime-credential-missing');\n    e.code = 'runtime-credential-missing';\n    e.credential_ref = ref;\n    throw e;\n  }\n  return value;\n}\n\n/**\n * Invoke the runtime for one step.\n *\n * @param {object} context\n * @param {object} context.client      - GitHub client with triggerWorkflow()\n * @param {string} context.owner\n * @param {string} context.repo\n * @param {string} context.agent       - agent slug (e.g. \"qa-agent\")\n * @param {string} context.ref         - git ref to dispatch on\n * @param {number} context.issueNumber\n * @param {string} context.runId\n * @param {string} context.step\n * @param {number} context.iteration\n * @param {object} context.runtime     - resolved runtime entry\n * @param {string} context.runtimeName\n * @param {object} [context.env]       - injectable env (for tests)\n * @returns {Promise<{ dispatched: true, retries: number, workflow: string }>}\n */\nexport async function invoke(context) {\n  const env = context.env ?? process.env;\n  // Trigger credential check (throws on absence) but never expose value:\n  resolveCredential(context.runtime, env);\n\n  const workflow = `copilot-agent-${context.agent}.yml`;\n  const dispatchRef = context.ref ?? 'main';\n  const inputs = {\n    issue_number: String(context.issueNumber),\n    run_id: context.runId ?? '',\n    step: context.step ?? '',\n    iteration: String(context.iteration ?? 1),\n    runtime: context.runtimeName ?? '',\n  };\n\n  const { retries } = await withRetry(\n    () => context.client.triggerWorkflow(context.owner, context.repo, workflow, dispatchRef, inputs),\n    { clock: context.clock }\n  );\n  return { dispatched: true, retries, workflow };\n}\n"],"names":[],"sourceRoot":""}

package/dist/agent-identities.schema.json

@@ -0,0 +1,33 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://apm.dev/schemas/agent-identities.schema.json",
+  "title": "QuorumKit Agent Identity Registry",
+  "description": "Maps GitHub user/app identities to agent slugs (FR-013).",
+  "type": "object",
+  "required": ["identities"],
+  "additionalProperties": false,
+  "properties": {
+    "identities": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "required": ["agent", "logins"],
+        "additionalProperties": false,
+        "properties": {
+          "agent": {
+            "type": "string",
+            "minLength": 1,
+            "description": "Agent slug (e.g. 'qa-agent')."
+          },
+          "logins": {
+            "type": "array",
+            "minItems": 1,
+            "items": { "type": "string", "minLength": 1 },
+            "description": "GitHub logins or app installation slugs that map to this agent."
+          }
+        }
+      }
+    }
+  }
+}

package/dist/apm-msg.schema.json

@@ -0,0 +1,62 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://apm.dev/schemas/apm-msg.schema.json",
+  "title": "QuorumKit Agent Message (apm-msg)",
+  "description": "Single machine-readable message emitted by an agent at the end of a step (FR-011, FR-012).",
+  "type": "object",
+  "required": ["version", "runId", "step", "agent", "iteration", "outcome", "summary"],
+  "additionalProperties": false,
+  "properties": {
+    "version": {
+      "type": "string",
+      "enum": ["2"],
+      "description": "apm-msg schema version. v2 is the only supported value."
+    },
+    "runId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Pipeline run UUID; must equal the active run."
+    },
+    "step": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Step name as declared in the pipeline."
+    },
+    "agent": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Agent slug (e.g. 'qa-agent', 'dev-agent') matching the agent identity registry."
+    },
+    "iteration": {
+      "type": "integer",
+      "minimum": 1,
+      "description": "1-based iteration counter for the step on the current edge."
+    },
+    "outcome": {
+      "type": "string",
+      "enum": [
+        "success",
+        "fail",
+        "blocker",
+        "spec_gap",
+        "timeout",
+        "needs-human",
+        "runtime-error",
+        "protocol-violation",
+        "orchestrator-failure"
+      ],
+      "description": "Declared outcome enum. Source of truth: docs/AGENT_PROTOCOL.md."
+    },
+    "summary": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 280,
+      "description": "Single-line human summary (max 280 chars)."
+    },
+    "payload": {
+      "type": "object",
+      "description": "Optional per-outcome payload. Schema is per-outcome; see regulation document.",
+      "additionalProperties": true
+    }
+  }
+}