stargraph 0.2.2__tar.gz → 0.3.1__tar.gz

stargraph-0.3.1/.gitignore

@@ -0,0 +1,38 @@
+# Python
+__pycache__/
+*.pyc
+.venv/
+dist/
+build/
+*.egg-info/
+.coverage
+coverage.xml
+htmlcov/
+
+# IDE
+.vscode/
+.idea/
+
+# Tooling
+.ruff_cache/
+.pytest_cache/
+.mypy_cache/
+site/
+specs/
+
+# Local Claude Code state (user-specific)
+.claude/
+.remember/
+graphify-out/
+
+# cve_remediation demo — secrets + generated artifacts
+demos/cve_remediation/.env
+demos/cve_remediation/dev-keys/*.priv.pem
+demos/cve_remediation/dev-keys/*
+.harbor/
+
+# Pack signing artifacts (regenerated by bootstrap.py)
+demos/cve_remediation/graph/rules/*/manifest.jwt
+demos/cve_remediation/graph/rules/*/krakntrust-cve-rem-*.pub.pem
+audit.jsonl
+demos/cve_remediation/dev-keys/krakntrust-cve-rem.pub.pem

{stargraph-0.2.2 → stargraph-0.3.1}/CHANGELOG.md

@@ -5,6 +5,45 @@
 The harbor-knowledge surface — Stores, Skills, retrieval, memory, and
 consolidation built on top of harbor-engine.
 
+### Changed (graph-store backend)
+- Replaced `kuzu==0.11.3` with `ryugraph>=25.9.2,<26` in the `stores`
+  optional-dependency group. RyuGraph is the community fork of Kuzu
+  (predictable-labs/ryugraph) after Kuzu's GitHub repo was archived
+  2025-10-10 following Apple's acquisition of Kuzu Inc. The Python API
+  surface (`Database` / `AsyncConnection` / `QueryResult`) is unchanged
+  across the fork, so the swap was a one-module rename behind the
+  `GraphStore` Protocol — `harbor.stores.kuzu.KuzuGraphStore` is now
+  `harbor.stores.ryugraph.RyuGraphStore`. Provenance source URIs
+  emitted by `PromoteTriplesToFacts` change from `kuzu:<path>` to
+  `ryugraph:<path>` (FR-11, AC-12.1).
+
+### Added (Plan 1.5 — Shipwright runnable via `harbor run`)
+- IR `state_class: str | None` field — declare a Pydantic `BaseModel`
+  subclass via `module.path:ClassName` instead of the primitive
+  `state_schema: dict[str, str]` placeholder. Mutually exclusive with a
+  non-empty `state_schema`.
+- `module.path:ClassName` resolution for `NodeSpec.kind` — short kinds
+  (`echo`/`halt`/`dspy`) still match the static factory table; any kind
+  containing `:` is imported via `importlib` and validated as a
+  `NodeBase` subclass.
+- `harbor run --lm-url/--lm-model/--lm-key/--lm-timeout` flags —
+  `harbor run` calls `dspy.configure(lm=dspy.LM(...))` before driving
+  the graph when `--lm-url` and `--lm-model` are both set.
+- `--inputs key=value` honors `state_class` by walking the resolved
+  BaseModel's `model_fields`.
+
+### Changed
+- Bumped `nautilus-rkm` pin 0.1.3 → 0.1.4 (0.1.3 shipped Py2 except
+  syntax that crashed import on Python 3.13). Mirrors three dropped
+  `BrokerResponse` fields (`cap_breached`, `fact_set_hash`,
+  `source_session_signatures`) and the dropped `fact_set_hash` kwarg
+  on `Broker.arequest`. Removes the local sibling-path override now
+  that nautilus is on PyPI.
+- `SpecSlot.confidence`: `float = 1.0` → `int = 100` (percent). FR-4
+  forbids floats anywhere in the structural-hash payload, including
+  `model_json_schema` defaults; the field's old default tripped the
+  hash the moment `State` landed under `state_class`.
+
 ### Added
 - Five Store Protocols (`harbor.stores`): `VectorStore`, `GraphStore`,
   `DocStore`, `MemoryStore`, `FactStore` — each with `bootstrap`, `health`,

{stargraph-0.2.2 → stargraph-0.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: stargraph
-Version: 0.2.2
+Version: 0.3.1
 Summary: Stateful agent-graph framework with deterministic governance via Fathom
 Project-URL: Homepage, https://harbor.krakn.ai
 Project-URL: Repository, https://github.com/KrakenNet/harbor
@@ -29,17 +29,21 @@ Requires-Dist: cryptography>=47.0.0
 Requires-Dist: dspy<3.4,>=3.0.4
 Requires-Dist: fastapi>=0.115
 Requires-Dist: fathom-rules>=0.3.1
+Requires-Dist: graphglot>=0.11.0
 Requires-Dist: httpx>=0.27
+Requires-Dist: jinja2>=3.1.6
 Requires-Dist: jsonpatch>=1.33
 Requires-Dist: jsonschema>=4.21
 Requires-Dist: mcp>=1.0
-Requires-Dist: nautilus-rkm>=0.1.2
+Requires-Dist: nautilus-rkm>=0.1.5
 Requires-Dist: orjson>=3.10
 Requires-Dist: pluggy>=1.5
 Requires-Dist: prompt-toolkit>=3.0.50
 Requires-Dist: pydantic>=2.9
 Requires-Dist: pyjwt[crypto]>=2.8
+Requires-Dist: python-docx>=1.2.0
 Requires-Dist: pyyaml>=6.0
+Requires-Dist: redis>=7.4.0
 Requires-Dist: rfc8785<0.2,>=0.1.4
 Requires-Dist: structlog>=24.1
 Requires-Dist: typer>=0.12
@@ -54,13 +58,14 @@ Requires-Dist: xgboost>=2.1; extra == 'ml'
 Provides-Extra: skills-rag
 Requires-Dist: huggingface-hub>=0.25; extra == 'skills-rag'
 Requires-Dist: sentence-transformers<6,>=5.0; extra == 'skills-rag'
+Requires-Dist: torch>=2.1; extra == 'skills-rag'
 Provides-Extra: stores
-Requires-Dist: kuzu==0.11.3; extra == 'stores'
 Requires-Dist: lancedb<0.40,>=0.30.2; extra == 'stores'
 Requires-Dist: pyarrow>=15; extra == 'stores'
+Requires-Dist: ryugraph<26,>=25.9.2; extra == 'stores'
 Description-Content-Type: text/markdown
 
-# Harbor
+# StarGraph - Core (harbor)
 
 **Stateful agent-graph framework with deterministic governance.**
 
@@ -69,7 +74,7 @@ auditable, replayable graphs. Transitions between nodes are decided by
 [Fathom](https://github.com/KrakenNet/fathom) (a CLIPS rules engine) over
 provenance-typed facts — not by an LLM playing router.
 
-> **Status:** v0.2.2 — Alpha. Public API is unstable until v1.0.
+> **Status:** v0.3.0 — Alpha. Public API is unstable until v1.0.
 > Built for environments where auditability, determinism, and provenance matter
 > more than ecosystem size (DoD, regulated, air-gapped, cleared workloads).
 
@@ -101,7 +106,7 @@ inspectable, versioned, replayable, and free of stochastic drift.
   makes deterministic replay free. Re-execute from any step with mutated rule,
   node output, or fact, and diff against the original run.
 - **Pluggable stores behind Protocols.** `VectorStore` (LanceDB),
-  `GraphStore` (Kuzu), `DocStore`/`MemoryStore`/`FactStore` (SQLite). Embedded
+  `GraphStore` (RyuGraph), `DocStore`/`MemoryStore`/`FactStore` (SQLite). Embedded
   by default, swappable for hosted providers.
 - **Boundary-clean state.** Mutate Pydantic state freely inside a node. On
   exit, annotated fields mirror into CLIPS, rules fire, checkpoint persists.
@@ -132,7 +137,7 @@ Nodes:  DSPy │ ML models │ tools │ retrieval │ memory ops
 ```bash
 uv add harbor                          # core
 uv add 'harbor[ml]'                    # + sklearn / xgboost / onnxruntime
-uv add 'harbor[stores]'                # + lancedb / kuzu / pyarrow
+uv add 'harbor[stores]'                # + lancedb / ryugraph / pyarrow
 uv add 'harbor[skills-rag]'            # + sentence-transformers
 ```
 
@@ -197,7 +202,7 @@ _state vs facts_, lives in
 
 - **Not a prompt-optimization framework** — that's DSPy, which Harbor uses.
 - **Not an inference engine** — that's Fathom/CLIPS, which Harbor uses.
-- **Not a vector or graph DB** — Stores wrap real ones (LanceDB, Kuzu, …).
+- **Not a vector or graph DB** — Stores wrap real ones (LanceDB, RyuGraph, …).
 - **Not a workflow UI** — `harbor serve` is headless. UI is a future product.
 - **Not chasing LangGraph or n8n on mindshare.** It competes on correctness,
   inspectability, and ability to run where those tools can't.

{stargraph-0.2.2 → stargraph-0.3.1}/README.md

@@ -1,4 +1,4 @@
-# Harbor
+# StarGraph - Core (harbor)
 
 **Stateful agent-graph framework with deterministic governance.**
 
@@ -7,7 +7,7 @@ auditable, replayable graphs. Transitions between nodes are decided by
 [Fathom](https://github.com/KrakenNet/fathom) (a CLIPS rules engine) over
 provenance-typed facts — not by an LLM playing router.
 
-> **Status:** v0.2.2 — Alpha. Public API is unstable until v1.0.
+> **Status:** v0.3.0 — Alpha. Public API is unstable until v1.0.
 > Built for environments where auditability, determinism, and provenance matter
 > more than ecosystem size (DoD, regulated, air-gapped, cleared workloads).
 
@@ -39,7 +39,7 @@ inspectable, versioned, replayable, and free of stochastic drift.
   makes deterministic replay free. Re-execute from any step with mutated rule,
   node output, or fact, and diff against the original run.
 - **Pluggable stores behind Protocols.** `VectorStore` (LanceDB),
-  `GraphStore` (Kuzu), `DocStore`/`MemoryStore`/`FactStore` (SQLite). Embedded
+  `GraphStore` (RyuGraph), `DocStore`/`MemoryStore`/`FactStore` (SQLite). Embedded
   by default, swappable for hosted providers.
 - **Boundary-clean state.** Mutate Pydantic state freely inside a node. On
   exit, annotated fields mirror into CLIPS, rules fire, checkpoint persists.
@@ -70,7 +70,7 @@ Nodes:  DSPy │ ML models │ tools │ retrieval │ memory ops
 ```bash
 uv add harbor                          # core
 uv add 'harbor[ml]'                    # + sklearn / xgboost / onnxruntime
-uv add 'harbor[stores]'                # + lancedb / kuzu / pyarrow
+uv add 'harbor[stores]'                # + lancedb / ryugraph / pyarrow
 uv add 'harbor[skills-rag]'            # + sentence-transformers
 ```
 
@@ -135,7 +135,7 @@ _state vs facts_, lives in
 
 - **Not a prompt-optimization framework** — that's DSPy, which Harbor uses.
 - **Not an inference engine** — that's Fathom/CLIPS, which Harbor uses.
-- **Not a vector or graph DB** — Stores wrap real ones (LanceDB, Kuzu, …).
+- **Not a vector or graph DB** — Stores wrap real ones (LanceDB, RyuGraph, …).
 - **Not a workflow UI** — `harbor serve` is headless. UI is a future product.
 - **Not chasing LangGraph or n8n on mindshare.** It competes on correctness,
   inspectability, and ability to run where those tools can't.

{stargraph-0.2.2 → stargraph-0.3.1}/demos/README.md

@@ -16,6 +16,7 @@ single store + skill all the way up to the full stack.
 | 6 | [`regwatch/`](regwatch/regwatch.md) | medium | Cron trigger + air-gap deployment variant |
 | 7 | [`support-veto/`](support-veto/support-veto.md) | medium → hard | Fathom interrupt mid-run + signed-pack hot-swap |
 | 8 | [`pv-case-manager/`](pv-case-manager/pv-case-manager.md) | hard | Master-of-all (19 capabilities, regulated industry) |
+| 9 | [`cve_remediation/`](cve_remediation/README.md) | hard | Production showcase — every node kind, action, store, trigger; 10 IRs, 174 tests |
 
 ## How to read a demo doc
 
@@ -45,31 +46,36 @@ from design to running code.
 
 ## Feature coverage matrix
 
-| Capability | docs-qa | code-graph | pr-review | soc-triage | regwatch | support-veto | pv-cm |
-|---|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
-| DocStore | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
-| VectorStore | ✓ |   | ✓ | ✓ | ✓ | ✓ | ✓ |
-| GraphStore |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
-| FactStore |   |   |   | ✓ | ✓ | ✓ | ✓ |
-| MemoryStore |   |   |   | ✓ |   | ✓ | ✓ |
-| RAG / autoresearch | ✓ |   | ✓ | ✓ | ✓ | ✓ | ✓ |
-| RetrievalNode (RRF) | ✓ |   | ✓ | ✓ | ✓ | ✓ | ✓ |
-| MLNode + sha256 weights |   |   |   | ✓ |   |   | ✓ |
-| DSPy adapter | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
-| MCP adapter |   |   |   |   |   |   | ✓ |
-| Fathom + harbor_action |   |   | ✓ | ✓ | ✓ | ✓ | ✓ |
-| Bosun signed packs |   |   | ✓ | ✓ | ✓ | ✓ | ✓ |
-| InterruptAction (HITL) |   |   |   | ✓ |   | ✓ | ✓ |
-| Cron trigger |   |   |   |   | ✓ |   | ✓ |
-| Webhook trigger |   |   | ✓ | ✓ |   |   | ✓ |
-| Provenance bundle | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
-| BLAKE3 artifacts | ✓ |   |   | ✓ | ✓ | ✓ | ✓ |
-| Ed25519 audit | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
-| Checkpoint (sqlite/pg) |   | ✓ |   | ✓ |   | ✓ | ✓ |
-| Counterfactual replay |   | ✓ | ✓ | ✓ |   | ✓ | ✓ |
-| Air-gap variant |   |   |   |   | ✓ |   | ✓ |
-| harbor.serve API |   |   |   | ✓ |   | ✓ | ✓ |
-| mTLS + capabilities |   |   |   | ✓ |   | ✓ | ✓ |
-| KG promotion (memory) |   |   |   |   |   |   | ✓ |
-| Cypher subset linter |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
-| Lineage audit CI | ✓ |   |   | ✓ | ✓ |   | ✓ |
+| Capability | docs-qa | code-graph | pr-review | soc-triage | regwatch | support-veto | pv-cm | cve-rem |
+|---|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|
+| DocStore | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| VectorStore | ✓ |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| GraphStore |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| FactStore |   |   |   | ✓ | ✓ | ✓ | ✓ | ✓ |
+| MemoryStore |   |   |   | ✓ |   | ✓ | ✓ | ✓ |
+| RAG / autoresearch | ✓ |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| RetrievalNode (RRF) | ✓ |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| MLNode + sha256 weights |   |   |   | ✓ |   |   | ✓ | ✓ |
+| DSPy adapter | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| MCP adapter |   |   |   |   |   |   | ✓ | ✓ |
+| Fathom + harbor_action |   |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Bosun signed packs |   |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| InterruptAction (HITL) |   |   |   | ✓ |   | ✓ | ✓ | ✓ |
+| Cron trigger |   |   |   |   | ✓ |   | ✓ | ✓ |
+| Webhook trigger |   |   | ✓ | ✓ |   |   | ✓ | ✓ |
+| Provenance bundle | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| BLAKE3 artifacts | ✓ |   |   | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Ed25519 audit | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Checkpoint (sqlite/pg) |   | ✓ |   | ✓ |   | ✓ | ✓ | ✓ |
+| Counterfactual replay |   | ✓ | ✓ | ✓ |   | ✓ | ✓ | ✓ |
+| Air-gap variant |   |   |   |   | ✓ |   | ✓ | ✓ |
+| harbor.serve API |   |   |   | ✓ |   | ✓ | ✓ | ✓ |
+| mTLS + capabilities |   |   |   | ✓ |   | ✓ | ✓ | ✓ |
+| KG promotion (memory) |   |   |   |   |   |   | ✓ | ✓ |
+| Cypher subset linter |   | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+| Lineage audit CI | ✓ |   |   | ✓ | ✓ |   | ✓ | ✓ |
+| Multi-runtime sandbox |   |   |   |   |   |   |   | ✓ |
+| Progressive rollout (canary→fleet) |   |   |   |   |   |   |   | ✓ |
+| Triggered safety graphs (5×) |   |   |   |   |   |   |   | ✓ |
+| Audit-chain anchor (JWS) |   |   |   |   |   |   |   | ✓ |
+| GEPA + Shamir ship ceremony |   |   |   |   |   |   |   | ✓ |

stargraph-0.3.1/demos/cve-remediation/graph/README.md

@@ -0,0 +1,166 @@
+# cve-remediation graph scaffold
+
+Harbor IR scaffold for the CVE remediation pipeline (v6, P0+P1+P2+P3 applied).
+
+Design:
+- Spec: [`../cve-rem-graph.md`](../cve-rem-graph.md) (v6, definitive).
+- Source notes: [`../cve-rem-pipeline.md`](../cve-rem-pipeline.md).
+- Earlier draft: [`../pipeline-graph.md`](../pipeline-graph.md) (v5).
+
+## Layout
+
+```
+graph/
+  harbor.yaml                             parent IR — Phase 1..5 (steps 1-18)
+  state.py                                CveRemState pydantic schema
+  nodes/                                  production-wiring slot
+  rules/README.md                         custom rule packs referenced by IRs
+  subgraphs/
+    sandbox_dispatch.yaml                 step 11 — branched sandbox runtime
+    progressive_execute.yaml              step 13 — canary -> stage -> fleet
+  triggered/                              spawned independently by triggers
+    drift_watch.yaml                      step 15 — 24-72h passive watch
+    tier_re_eval.yaml                     hourly cron; re-fires SSVC on TRACK/DEFER
+    audit_anchor.yaml                     daily 03:00 UTC; chain head -> Nautilus JWS
+    lab_leak_reaper.yaml                  hourly cron; sweeps expired CargoNet labs
+    rolling_restart.yaml                  webhook (post-Shamir) + weekly cron
+  phase0/
+    doctrine_ingest.yaml                  one-shot doctrine load + manifest sign (idempotent)
+  phase6/
+    offline_learning.yaml                 network-isolated GEPA + Shamir + ship
+  tests/
+    test_smoke.py                         IR load / routing / structural checks
+```
+
+## Why split
+
+| boundary                      | rationale                                                    |
+| ----------------------------- | ------------------------------------------------------------ |
+| main vs phase 0               | bootstrap cadence; runs once per corpus version-pin bump    |
+| main vs phase 6               | network isolation boundary (firewall-enforced)              |
+| main vs sub-graph             | tightly-bound child workflows (probe, rollout)              |
+| main vs triggered             | independent cadences (drift watch, cron sweeps, signals)    |
+
+## Sandbox runtime selection
+
+Deterministic — not LLM-driven. `sandbox_dispatch` reads `vuln_class` from
+extractor output and sets `sandbox_runtime`:
+
+| `vuln_class`                                                      | runtime              | branch |
+| ----------------------------------------------------------------- | -------------------- | ------ |
+| `network-protocol / routing / switching / firewall / ipsec / bgp`| `cargonet_lab`       | 11a    |
+| `application / library / web-framework / container / host-os-pkg`| `docker_compose`     | 11b    |
+| `config-only / cipher-suite / tls-policy / acl-rule`             | `static_detection`   | 11c    |
+| `logic-flaw / business-rule / no-probe`                          | `skip` (forces HITL) | 11d    |
+
+## HITL gates
+
+4 durable-wait gates. All set `timeout: null` (Temporal `wait_condition`
+semantics — durable, zero CPU during wait, never auto-deny). Each gate is
+followed by a `branch_resp_<gate>` passthrough that pattern-matches
+`(response (decision approve|reject|approve_replan))` and routes:
+
+| gate                          | approve                            | reject                                  | approve_replan          |
+| ----------------------------- | ---------------------------------- | --------------------------------------- | ----------------------- |
+| `hitl_ingest_review`          | `correlate_assets`                 | halt (quarantine artifact retained)     | —                       |
+| `hitl_plan_review`            | `validate_dispatch`                | halt (pipeline aborted)                 | `mcp_retrieval_dispatch` |
+| `hitl_change_approval`        | `progressive_execute`              | halt (nothing applied to prod)          | —                       |
+| `hitl_retrospective_review`   | `action_done` (cmdb_match=true)    | `action_done` (cmdb_match=false; GEPA)  | —                       |
+
+Sandbox-fail (`r-sandbox-fail-replan`) routes to `hitl_plan_review` —
+re-plan only via human approval.
+
+## Parallel fan-outs
+
+| rule                  | targets                                                            | join                  |
+| --------------------- | ------------------------------------------------------------------ | --------------------- |
+| `r-mcp-fanout`        | 5 retrieval tools (vec_search_retros, graph_priors, blast, framework, cargonet_telemetry) | `planner`             |
+| `r-validate-fanout`   | `judge_safety`, `judge_lint`                                       | `validate_plan_join`  |
+| `r-retro-fanout`      | `publish_docplus`, `cargonet_writeback`, `plan_kg_writeback`       | `retro_join`          |
+
+## Artifacts emitted
+
+Main pipeline writes 6 ArtifactRefs across the run:
+
+| node                          | artifact                                                          |
+| ----------------------------- | ----------------------------------------------------------------- |
+| `emit_quarantine_artifact`    | raw untrusted text + canonicalized pair                           |
+| `emit_remediation_bundle`     | apply / rollback / verify / metadata 4-tuple per runtime          |
+| `emit_sandbox_evidence`       | probe traces, Batfish diffs, container logs                        |
+| `emit_evidence_bundle`        | plan + bundles + sandbox + JWS chain + Reflexion + recon_anomaly  |
+| `emit_retro_payload`          | retro record bytes                                                 |
+| `emit_docx_archive`           | DOCX summary (also serves as Doc+ staging)                         |
+
+Phase 0 emits `emit_manifest_artifact`. Phase 6 emits `emit_redacted_corpus`
++ `emit_compiled_artifact`. Triggered graphs emit summary artifacts
+(`emit_re_eval_summary`, `emit_anchor_receipt`, `emit_reaper_summary`,
+`emit_restart_summary`, `emit_rollback_record`).
+
+## Node kinds
+
+| kind             | usage in main                                                              |
+| ---------------- | -------------------------------------------------------------------------- |
+| `passthrough`    | branching/dispatch helpers, sub-state mutators                             |
+| `broker`         | external calls via Nautilus (Nautobot, CMDB, ServiceNow, Doc+, CargoNet, Harbor `/v1/runs` for drift_watch_spawn) |
+| `dspy`           | extractor, classifier, critique, planner, code_writer, critic, render_docx |
+| `tool`           | Fathom checks, runtime lints (ansible/k8s/tf/sbom/vendor), gNMI, Batfish, redis Reflexion buffer, Ed25519, sha256, TEI |
+| `ml`             | (used in triggered drift_watch.yaml + phase6 score_on_holdout)             |
+| `write_artifact` | 6 artifact emissions above                                                  |
+| `interrupt`      | 4 HITL gates                                                                |
+| `subgraph`       | sandbox_dispatch + progressive_execute                                      |
+
+## Triggers (declared outside IR)
+
+| graph                | trigger spec                                          |
+| -------------------- | ----------------------------------------------------- |
+| `harbor.yaml`        | webhook (Nautilus CVE feed event) + manual            |
+| `phase0/...`         | manual + cron (corpus-pin-bump check)                |
+| `phase6/...`         | cron (weekly Phase-2 / nightly Phase-3+; isolated host) |
+| `triggered/drift_watch`     | webhook (parent emits) + cron (orphan-sweep)   |
+| `triggered/tier_re_eval`    | cron (hourly default)                          |
+| `triggered/audit_anchor`    | cron (daily 03:00 UTC)                         |
+| `triggered/lab_leak_reaper` | cron (hourly)                                  |
+| `triggered/rolling_restart` | webhook (artifact_ready) + cron (Sun 04:00 UTC) + manual |
+
+## Rule packs (custom, contents stubs)
+
+| pack                          | mounted by                          |
+| ----------------------------- | ----------------------------------- |
+| `cve_rem.routing`             | main                                |
+| `cve_rem.kill_switches`       | main                                |
+| `cve_rem.doctrine_trust`      | phase0                              |
+| `cve_rem.offline_isolation`   | phase6                              |
+| `cve_rem.gepa_score_policy`   | phase6                              |
+
+## Stores
+
+| protocol      | provider     | use                                                                  |
+| ------------- | ------------ | -------------------------------------------------------------------- |
+| `VectorStore` | `lancedb`    | TEI embeddings: CVE text, doctrine corpus, retros similarity         |
+| `GraphStore`  | `ryugraph`   | Asset-KG + Plan-KG + Doctrine-KG + Retrospective-KG                  |
+| `DocStore`    | `sqlite`     | canonicalized records, doctrine docs, DOCX staging                    |
+| `MemoryStore` | `redis`      | Reflexion episodic buffer (per CWE-class, cross-class similarity)    |
+| `FactStore`   | `sqlite`     | CLIPS-mirrored facts at node-exit; provenance-typed                  |
+
+## Run smoke tests
+
+```bash
+uv run python -m pytest demos/cve-remediation/graph/tests/test_smoke.py -v
+```
+
+41 tests, all structural — should pass on a clean checkout with no
+external services.
+
+## What this scaffold does NOT yet include
+
+- Real node implementations. Many nodes carry the right `kind` label but
+  the runtime substitutes contextvar-bound stubs at run time per the
+  `tests/fixtures/cve_triage.yaml` validation-gate POC pattern.
+  Production wiring lands per-phase as nodes harden.
+- Custom Fathom rule pack contents. Pack ids are referenced; `pack.yaml`
+  files are the next deliverable.
+- End-to-end execution. Smoke tests cover IR-load + structural-hash
+  stability + routing-target resolution + phase coverage + multi-kind
+  invariant + parallel-action + artifact-emission + branch_resp +
+  durable-wait + sandbox-fail-replan + idempotency + triggered-graph
+  presence.

stargraph-0.3.1/demos/cve-remediation/graph/rules/README.md

@@ -0,0 +1,83 @@
+# Rule packs for cve-remediation
+
+5 custom packs supplement the 4 mandatory Bosun packs (`budgets`,
+`audit`, `safety_pii`, `retries`) mounted on the IRs.
+
+| pack                          | flavor       | mounted by                | files                                      |
+| ----------------------------- | ------------ | ------------------------- | ------------------------------------------ |
+| `cve_rem.routing`             | routing      | main `harbor.yaml`        | `pack.yaml`                                |
+| `cve_rem.kill_switches`       | governance   | main `harbor.yaml`        | `manifest.yaml`, `rules.clp`, `__init__.py` |
+| `cve_rem.doctrine_trust`      | governance   | `phase0/doctrine_ingest.yaml` | `manifest.yaml`, `rules.clp`, `__init__.py` |
+| `cve_rem.offline_isolation`   | governance   | `phase6/offline_learning.yaml` | `manifest.yaml`, `rules.clp`, `__init__.py` |
+| `cve_rem.gepa_score_policy`   | governance   | `phase6/offline_learning.yaml` | `manifest.yaml`, `rules.clp`, `__init__.py` |
+
+## Routing vs governance
+
+- **Routing packs** (YAML inline rules) supplement IR routing. They emit
+  `goto` / `assert` actions to add context-sensitive behavior without
+  changing the inline topology. Loaded as flavor `routing`.
+- **Governance packs** (CLIPS) enforce invariants. They consume facts
+  asserted by graph rules / external probes / RBAC-gated CLI and emit
+  `bosun.violation` (severity `halt`) when policy is breached. The
+  runtime auto-fires the appropriate Temporal kill-switch on
+  halt-severity violations.
+
+## What each pack does
+
+### `cve_rem.routing`
+- Tier escalation overlays — auto-escalate TRACK/DEFER on EPSS spike
+  or KEV listing flip.
+- Template-lookup ranking — weighted success × recency for multi-hit.
+- Code-runtime preference — deterministic pick when extractor returns
+  multiple candidates.
+- Defer-window computation — EPSS-inverse mapping to days.
+- Reflexion cross-CWE fallback — sibling-class buffer entries.
+- Sandbox-runtime override for air-gapped environments.
+
+### `cve_rem.kill_switches`
+- Error-budget rules: rollback-rate >5%/24h, sandbox-mismatch >3%/24h,
+  cross-bucket plan reuse, stuck-state >14d (informational page).
+- Signal RBAC for `halt-new` and `halt-pause-in-flight` (single-signer
+  roles: pipeline-owner OR security-eng).
+- 2-of-3 quorum collection for `halt-rollback-in-flight` (3 rules,
+  one per role pair: PO+SE, PO+NO, SE+NO).
+
+### `cve_rem.doctrine_trust`
+- Source-class policy — only trusted-doctrine sources may bypass
+  injection classifier on Phase 0.
+- Manifest-hash allowlist enforcement — active doctrine manifest hash
+  must be in boot-gate allowlist.
+- Pin sha256 immutability — same `corpus_version_pin` with divergent
+  sha256 across two source facts is a supply-chain compromise signal.
+- Deactivated-manifest refusal.
+
+### `cve_rem.offline_isolation`
+- No inbound from production zone (Phase 6 host).
+- Egress only to `approved-drop` zone (signed prompts.tar drop).
+- Replica load requires non-empty `redaction_pack_hash`.
+- Replica `redaction_pack_hash` must match the currently-active signed
+  redaction pack.
+
+### `cve_rem.gepa_score_policy`
+- Score-component range check (`[0,1]`); halt on out-of-range.
+- Weighted score computation: `0.35*validation + 0.25*sandbox +
+  0.15*cr_approved + 0.15*no_drift_7d + 0.10*no_rollback_30d`.
+- Strictly-better epsilon-margin gate; emits `gepa_decision` accept/reject.
+- Refuses Shamir ceremony on a rejected artifact.
+
+## JWT signing
+
+`manifest.jwt` files are NOT included in the scaffold. The deploy-time
+`krakntrust` signing pipeline produces them from `manifest.yaml` +
+`rules.clp` and the production signer key. For development, the
+runtime accepts unsigned packs from a configured dev-allowlist; for
+production all 5 packs are loaded only after their JWTs verify against
+the boot-gate trust root.
+
+## Tests
+
+```bash
+uv run python -m pytest demos/cve-remediation/graph/tests -v
+```
+
+74 tests total: 41 IR/graph structural + 33 pack structural.