traceforge-toolkit 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (205) hide show
  1. traceforge/__init__.py +72 -0
  2. traceforge/__main__.py +5 -0
  3. traceforge/_generated.py +254 -0
  4. traceforge/adapters/__init__.py +12 -0
  5. traceforge/adapters/base.py +82 -0
  6. traceforge/adapters/genai_otel.py +164 -0
  7. traceforge/adapters/mapped_json.py +297 -0
  8. traceforge/adapters/otel.py +220 -0
  9. traceforge/boundary/__init__.py +46 -0
  10. traceforge/boundary/data/boundary-model.joblib +0 -0
  11. traceforge/boundary/decode.py +87 -0
  12. traceforge/boundary/features.py +137 -0
  13. traceforge/boundary/inference.py +267 -0
  14. traceforge/boundary/inferencer.py +146 -0
  15. traceforge/classify/__init__.py +95 -0
  16. traceforge/classify/cmd.py +109 -0
  17. traceforge/classify/coding.py +213 -0
  18. traceforge/classify/config.py +554 -0
  19. traceforge/classify/core.py +266 -0
  20. traceforge/classify/data/binary_info.yaml +358 -0
  21. traceforge/classify/data/canonical_tools.yaml +251 -0
  22. traceforge/classify/data/effect_overrides.yaml +480 -0
  23. traceforge/classify/data/mcp_profiles.yaml +711 -0
  24. traceforge/classify/data/recommendation_rules.yaml +111 -0
  25. traceforge/classify/data/risk.yaml +534 -0
  26. traceforge/classify/data/shell_defaults.yaml +95 -0
  27. traceforge/classify/data/shell_rules.yaml +1192 -0
  28. traceforge/classify/data/tool_classifications.yaml +215 -0
  29. traceforge/classify/data/verb_inference.yaml +218 -0
  30. traceforge/classify/mcp.py +181 -0
  31. traceforge/classify/phases.py +75 -0
  32. traceforge/classify/powershell.py +93 -0
  33. traceforge/classify/registry.py +138 -0
  34. traceforge/classify/risk.py +553 -0
  35. traceforge/classify/rules.py +215 -0
  36. traceforge/classify/schema.yaml +282 -0
  37. traceforge/classify/shell.py +503 -0
  38. traceforge/classify/tools.py +91 -0
  39. traceforge/classify/workflow.py +32 -0
  40. traceforge/cli/__init__.py +42 -0
  41. traceforge/cli/config_cmd.py +130 -0
  42. traceforge/cli/detect.py +46 -0
  43. traceforge/cli/download_cmd.py +74 -0
  44. traceforge/cli/factory.py +60 -0
  45. traceforge/cli/gate_cmd.py +30 -0
  46. traceforge/cli/init_cmd.py +86 -0
  47. traceforge/cli/replay.py +130 -0
  48. traceforge/cli/runner.py +181 -0
  49. traceforge/cli/score.py +217 -0
  50. traceforge/cli/status.py +65 -0
  51. traceforge/cli/watch.py +297 -0
  52. traceforge/config/__init__.py +80 -0
  53. traceforge/config/defaults.py +149 -0
  54. traceforge/config/loader.py +239 -0
  55. traceforge/config/mappings.py +104 -0
  56. traceforge/config/models.py +579 -0
  57. traceforge/enricher.py +576 -0
  58. traceforge/formatting/__init__.py +12 -0
  59. traceforge/formatting/budget.py +92 -0
  60. traceforge/formatting/density.py +154 -0
  61. traceforge/gate/__init__.py +17 -0
  62. traceforge/gate/client.py +145 -0
  63. traceforge/gate/external.py +305 -0
  64. traceforge/gate/registry.py +108 -0
  65. traceforge/gate/server.py +174 -0
  66. traceforge/gates/__init__.py +8 -0
  67. traceforge/gates/pii.py +352 -0
  68. traceforge/gates/pii_patterns.yaml +228 -0
  69. traceforge/governance/__init__.py +121 -0
  70. traceforge/governance/assessor.py +441 -0
  71. traceforge/governance/budget.py +59 -0
  72. traceforge/governance/canonical.py +56 -0
  73. traceforge/governance/codec.py +414 -0
  74. traceforge/governance/context.py +249 -0
  75. traceforge/governance/drift.py +196 -0
  76. traceforge/governance/emitter.py +234 -0
  77. traceforge/governance/envelope.py +138 -0
  78. traceforge/governance/ifc.py +364 -0
  79. traceforge/governance/integrity.py +162 -0
  80. traceforge/governance/labeler.py +250 -0
  81. traceforge/governance/mcp_drift.py +328 -0
  82. traceforge/governance/monitor.py +539 -0
  83. traceforge/governance/observer.py +276 -0
  84. traceforge/governance/persistence.py +401 -0
  85. traceforge/governance/phase1.py +77 -0
  86. traceforge/governance/pii.py +276 -0
  87. traceforge/governance/pipeline.py +840 -0
  88. traceforge/governance/registry.py +110 -0
  89. traceforge/governance/results.py +183 -0
  90. traceforge/governance/risk_wrapper.py +113 -0
  91. traceforge/governance/rules.py +368 -0
  92. traceforge/governance/scorer.py +262 -0
  93. traceforge/governance/shield.py +318 -0
  94. traceforge/governance/state.py +466 -0
  95. traceforge/governance/types.py +176 -0
  96. traceforge/mappings/__init__.py +1 -0
  97. traceforge/mappings/aider.yaml +216 -0
  98. traceforge/mappings/aider_markdown.yaml +113 -0
  99. traceforge/mappings/amazonq.yaml +56 -0
  100. traceforge/mappings/antigravity.yaml +88 -0
  101. traceforge/mappings/claude.yaml +93 -0
  102. traceforge/mappings/cline.yaml +286 -0
  103. traceforge/mappings/codex.yaml +158 -0
  104. traceforge/mappings/continue_dev.yaml +57 -0
  105. traceforge/mappings/copilot.yaml +266 -0
  106. traceforge/mappings/copilot_markdown.yaml +72 -0
  107. traceforge/mappings/copilot_vscode.yaml +181 -0
  108. traceforge/mappings/crewai.yaml +592 -0
  109. traceforge/mappings/goose.yaml +128 -0
  110. traceforge/mappings/langgraph.yaml +165 -0
  111. traceforge/mappings/maf.yaml +90 -0
  112. traceforge/mappings/maf_transcript.yaml +99 -0
  113. traceforge/mappings/openai_agents.yaml +144 -0
  114. traceforge/mappings/opencode.yaml +473 -0
  115. traceforge/mappings/openhands.yaml +320 -0
  116. traceforge/mappings/pydantic_ai.yaml +183 -0
  117. traceforge/mappings/smolagents.yaml +89 -0
  118. traceforge/mappings/sweagent.yaml +82 -0
  119. traceforge/migrations/__init__.py +1 -0
  120. traceforge/migrations/env.py +60 -0
  121. traceforge/migrations/models.py +145 -0
  122. traceforge/migrations/runner.py +44 -0
  123. traceforge/migrations/script.py.mako +25 -0
  124. traceforge/migrations/versions/0001_initial.py +176 -0
  125. traceforge/migrations/versions/__init__.py +4 -0
  126. traceforge/models.py +29 -0
  127. traceforge/parsers/__init__.py +21 -0
  128. traceforge/parsers/aider.py +416 -0
  129. traceforge/parsers/base.py +226 -0
  130. traceforge/parsers/copilot.py +314 -0
  131. traceforge/phase/__init__.py +50 -0
  132. traceforge/phase/data/phase-model.joblib +0 -0
  133. traceforge/phase/data/potion-base-8M/README.md +99 -0
  134. traceforge/phase/data/potion-base-8M/config.json +13 -0
  135. traceforge/phase/data/potion-base-8M/model.safetensors +0 -0
  136. traceforge/phase/data/potion-base-8M/modules.json +14 -0
  137. traceforge/phase/data/potion-base-8M/tokenizer.json +1 -0
  138. traceforge/phase/event_rows.py +107 -0
  139. traceforge/phase/features.py +468 -0
  140. traceforge/phase/inference.py +279 -0
  141. traceforge/phase/inferencer.py +171 -0
  142. traceforge/phase/segmentation.py +258 -0
  143. traceforge/pipeline.py +891 -0
  144. traceforge/preprocessors/__init__.py +34 -0
  145. traceforge/preprocessors/amazonq.py +224 -0
  146. traceforge/preprocessors/antigravity.py +116 -0
  147. traceforge/preprocessors/claude.py +95 -0
  148. traceforge/preprocessors/cline.py +36 -0
  149. traceforge/preprocessors/codex.py +311 -0
  150. traceforge/preprocessors/continue_dev.py +119 -0
  151. traceforge/preprocessors/copilot_vscode.py +171 -0
  152. traceforge/preprocessors/goose.py +156 -0
  153. traceforge/preprocessors/maf_transcript.py +84 -0
  154. traceforge/preprocessors/openai_agents.py +86 -0
  155. traceforge/preprocessors/opencode.py +85 -0
  156. traceforge/preprocessors/openhands.py +36 -0
  157. traceforge/preprocessors/pydantic_ai.py +62 -0
  158. traceforge/preprocessors/registry.py +24 -0
  159. traceforge/preprocessors/smolagents.py +90 -0
  160. traceforge/py.typed +0 -0
  161. traceforge/sdk/__init__.py +59 -0
  162. traceforge/sdk/gate_policy.py +63 -0
  163. traceforge/sdk/gate_types.py +140 -0
  164. traceforge/sdk/pipeline.py +265 -0
  165. traceforge/sdk/verdict.py +81 -0
  166. traceforge/sinks/__init__.py +23 -0
  167. traceforge/sinks/base.py +95 -0
  168. traceforge/sinks/callback.py +132 -0
  169. traceforge/sinks/console.py +112 -0
  170. traceforge/sinks/factory.py +94 -0
  171. traceforge/sinks/jsonl.py +125 -0
  172. traceforge/sinks/otel_exporter.py +212 -0
  173. traceforge/sinks/parquet.py +260 -0
  174. traceforge/sinks/s3.py +206 -0
  175. traceforge/sinks/sqlite_output.py +234 -0
  176. traceforge/sinks/webhook.py +136 -0
  177. traceforge/sources/__init__.py +18 -0
  178. traceforge/sources/auto_detect.py +173 -0
  179. traceforge/sources/base.py +45 -0
  180. traceforge/sources/file_poll.py +136 -0
  181. traceforge/sources/file_watch.py +221 -0
  182. traceforge/sources/http_poll.py +141 -0
  183. traceforge/sources/replay.py +63 -0
  184. traceforge/sources/sqlite.py +187 -0
  185. traceforge/sources/sse.py +198 -0
  186. traceforge/telemetry/__init__.py +192 -0
  187. traceforge/title/__init__.py +23 -0
  188. traceforge/title/_resolve.py +79 -0
  189. traceforge/title/context.py +295 -0
  190. traceforge/title/data/boilerplate_files.json +14 -0
  191. traceforge/title/heuristics.py +429 -0
  192. traceforge/title/hygiene.py +90 -0
  193. traceforge/title/inference.py +314 -0
  194. traceforge/title/inferencer.py +477 -0
  195. traceforge/title/naming.py +398 -0
  196. traceforge/trace.py +291 -0
  197. traceforge/tracking/__init__.py +30 -0
  198. traceforge/tracking/models.py +115 -0
  199. traceforge/tracking/phase_tracker.py +288 -0
  200. traceforge/types.py +315 -0
  201. traceforge_toolkit-0.1.0.dist-info/METADATA +188 -0
  202. traceforge_toolkit-0.1.0.dist-info/RECORD +205 -0
  203. traceforge_toolkit-0.1.0.dist-info/WHEEL +4 -0
  204. traceforge_toolkit-0.1.0.dist-info/entry_points.txt +2 -0
  205. traceforge_toolkit-0.1.0.dist-info/licenses/LICENSE +21 -0
@@ -0,0 +1,215 @@
1
+ """Declarative classification helpers shared across all shell backends."""
2
+
3
+ from __future__ import annotations
4
+
5
+ from dataclasses import dataclass
6
+ from enum import StrEnum
7
+ from typing import TYPE_CHECKING
8
+
9
+ if TYPE_CHECKING:
10
+ from traceforge.classify.config import ClassificationEngine
11
+ from traceforge.classify.core import Classification
12
+
13
+ from traceforge.classify.core import Effect
14
+ from traceforge.classify.coding import CodingRole
15
+
16
+
17
+ class ShellActivity(StrEnum):
18
+ """Internal: what a shell command primarily does (command-local intent)."""
19
+
20
+ VERIFICATION = "verification"
21
+ DELIVERY = "delivery"
22
+ SETUP = "setup"
23
+ INVESTIGATION = "investigation"
24
+ IMPLEMENTATION = "implementation"
25
+
26
+
27
+ SHELL_VERIFICATION = ShellActivity.VERIFICATION
28
+ SHELL_DELIVERY = ShellActivity.DELIVERY
29
+ SHELL_SETUP = ShellActivity.SETUP
30
+ SHELL_INVESTIGATION = ShellActivity.INVESTIGATION
31
+ SHELL_IMPLEMENTATION = ShellActivity.IMPLEMENTATION
32
+
33
+
34
+ def activity_from_classification(cls: Classification) -> ShellActivity:
35
+ """Derive ShellActivity from a Classification's action/role dimensions."""
36
+ if cls.has_action("validate"):
37
+ return ShellActivity.VERIFICATION
38
+ if (
39
+ cls.has_action("configure")
40
+ or cls.has_scope("configuration.dependency")
41
+ or cls.has_role("orchestrator.package_manager")
42
+ ):
43
+ return ShellActivity.SETUP
44
+ if cls.has_action("retrieve") or cls.has_action("analyze"):
45
+ return ShellActivity.INVESTIGATION
46
+ if cls.has_role("persistence.version_control"):
47
+ return ShellActivity.DELIVERY
48
+ if cls.has_action("deliver"):
49
+ return ShellActivity.DELIVERY
50
+ if cls.has_action("persist") and cls.has_role("persistence"):
51
+ return ShellActivity.DELIVERY
52
+ return ShellActivity.IMPLEMENTATION
53
+
54
+
55
+ @dataclass(frozen=True)
56
+ class Rule:
57
+ """A declarative classification rule."""
58
+
59
+ binaries: frozenset[str]
60
+ activity: ShellActivity
61
+ subcmds: frozenset[str] | None = None
62
+ flags_require: frozenset[str] | None = None
63
+ flags_reject: frozenset[str] | None = None
64
+ role: CodingRole | str = ""
65
+ effect: Effect | str = ""
66
+ scope: str = ""
67
+ action: str = ""
68
+ phase: str = ""
69
+
70
+
71
+ @dataclass(frozen=True)
72
+ class BinaryInfo:
73
+ """Static metadata about a known binary."""
74
+
75
+ role: CodingRole | str
76
+ default_effect: Effect | None
77
+ network: bool = False
78
+ destructive: bool = False
79
+
80
+
81
+ def _flags_satisfy(required: frozenset[str], actual: list[str]) -> bool:
82
+ """Check if actual flags satisfy required flags (with short-flag prefix matching)."""
83
+ actual_set = set(actual)
84
+ for req in required:
85
+ if req in actual_set:
86
+ continue
87
+ # Short-flag prefix match: -i matches -i.bak, -X matches -XPOST
88
+ if len(req) == 2 and req[0] == "-" and req[1] != "-":
89
+ if any(f.startswith(req) and len(f) > 2 for f in actual):
90
+ continue
91
+ return False
92
+ return True
93
+
94
+
95
+ def match_rule(
96
+ binary: str,
97
+ subcmd: str | None,
98
+ flags: list[str],
99
+ *,
100
+ engine: ClassificationEngine,
101
+ ) -> Rule | None:
102
+ """Find the first matching rule for a (binary, subcmd, flags) tuple.
103
+
104
+ Uses the engine's pre-built binary→rules index for O(1) lookup instead
105
+ of scanning all rules.
106
+ """
107
+ for rule in engine.rules_by_binary.get(binary, ()):
108
+ if rule.subcmds is not None and subcmd not in rule.subcmds:
109
+ continue
110
+ if rule.flags_require is not None and not _flags_satisfy(rule.flags_require, flags):
111
+ continue
112
+ if rule.flags_reject is not None and rule.flags_reject.intersection(flags):
113
+ continue
114
+ return rule
115
+ return None
116
+
117
+
118
+ def classify_binary(
119
+ binary: str,
120
+ subcmd: str | None,
121
+ flags: list[str],
122
+ all_words: list[str] | None = None,
123
+ *,
124
+ engine: ClassificationEngine,
125
+ ) -> ShellActivity:
126
+ """Classify a command into a ShellActivity using rules plus special cases."""
127
+ if not binary:
128
+ return ShellActivity.IMPLEMENTATION
129
+
130
+ rule = match_rule(binary, subcmd, flags, engine=engine)
131
+ npm_scripts = engine.npm_verify_scripts
132
+ interp_modules = engine.interpreter_verify_modules
133
+ if rule:
134
+ if binary in ("npm", "pnpm", "yarn") and subcmd == "run" and all_words:
135
+ script = all_words[2].lower() if len(all_words) > 2 else ""
136
+ if script in npm_scripts:
137
+ return SHELL_VERIFICATION
138
+ return SHELL_IMPLEMENTATION
139
+ return rule.activity
140
+
141
+ if binary in ("python", "python3", "node") and all_words and "-m" in all_words:
142
+ try:
143
+ m_idx = all_words.index("-m")
144
+ if m_idx + 1 < len(all_words) and all_words[m_idx + 1].lower() in interp_modules:
145
+ return SHELL_VERIFICATION
146
+ except ValueError:
147
+ pass
148
+
149
+ return SHELL_IMPLEMENTATION
150
+
151
+
152
+ def effect_for_binary(
153
+ binary: str,
154
+ subcmd: str | None,
155
+ flags: list[str],
156
+ *,
157
+ engine: ClassificationEngine,
158
+ all_words: list[str] | None = None,
159
+ ) -> Effect | None:
160
+ """Determine effect from binary + context, using effect overrides and binary info."""
161
+ if binary in engine.effect_overrides:
162
+ from traceforge.classify.config import EffectOverrideConfig
163
+
164
+ override: EffectOverrideConfig = engine.effect_overrides[binary]
165
+
166
+ # Check flags (dash-prefixed words)
167
+ for fe in override.flag_effects:
168
+ if fe.mode == "any_present":
169
+ override_flags = set(fe.flags)
170
+ # Direct match
171
+ if override_flags.intersection(flags):
172
+ return Effect(fe.effect)
173
+ # Prefix match for short flags with attached values (e.g., -i.bak matches -i)
174
+ for f in flags:
175
+ if len(f) > 2 and f[0] == "-" and f[1] != "-":
176
+ # Short flag with attached value: check if -X prefix matches
177
+ short_prefix = f[:2]
178
+ if short_prefix in override_flags:
179
+ return Effect(fe.effect)
180
+
181
+ # For multi-level subcommands (e.g., docker system prune),
182
+ # check compound_subcmd_effects nested dict first
183
+ if subcmd and all_words and override.compound_subcmd_effects:
184
+ positionals = [w for w in all_words[1:] if not w.startswith("-")]
185
+ if len(positionals) >= 2:
186
+ parent = positionals[0]
187
+ child = positionals[1]
188
+ nested = override.compound_subcmd_effects.get(parent)
189
+ if nested and child in nested:
190
+ return Effect(nested[child])
191
+
192
+ # Verb prefix matching for multi-level CLIs (aws <svc> <verb>, az <grp> <verb>)
193
+ # Skips the first positional (service/group name) to avoid collisions
194
+ # with service names that happen to also be verb-like words (e.g., 'connect').
195
+ if all_words and override.verb_prefix_effects:
196
+ positionals = [w for w in all_words[1:] if not w.startswith("-")]
197
+ # Start from index 1 to skip service/group name
198
+ for word in positionals[1:]:
199
+ for prefix, eff in override.verb_prefix_effects.items():
200
+ if word == prefix or word.startswith(prefix + "-"):
201
+ return Effect(eff)
202
+
203
+ if subcmd and subcmd in override.subcmd_effects:
204
+ return Effect(override.subcmd_effects[subcmd])
205
+
206
+ if override.default_effect is not None:
207
+ return Effect(override.default_effect)
208
+
209
+ bi = engine.binary_info
210
+ info = bi.get(binary)
211
+ if info:
212
+ if info.destructive:
213
+ return Effect.DESTRUCTIVE
214
+ return info.default_effect
215
+ return None
@@ -0,0 +1,282 @@
1
+ # Traceforge Tier 1 Schema — Source of truth for all dimension types.
2
+ # Codegen reads this to produce src/traceforge/_generated.py.
3
+ # CI enforces: make types && git diff --exit-code
4
+ openapi: "3.1.0"
5
+ info:
6
+ title: Traceforge Taxonomy Schema
7
+ version: "1.0.0"
8
+ description: >
9
+ Defines the finite vocabulary for every typed dimension in the Trace pipeline.
10
+ Tier 2 knowledge-base YAMLs are validated against these enums at runtime.
11
+
12
+ components:
13
+ schemas:
14
+
15
+ EventKind:
16
+ type: string
17
+ description: "Canonical event kinds in <domain>.<object>.<phase> grammar."
18
+ enum:
19
+ - agent.completed
20
+ - agent.failed
21
+ - agent.handoff
22
+ - agent.spawned
23
+ - browser.action
24
+ - browser.launched
25
+ - browser.result
26
+ - checkpoint.created
27
+ - checkpoint.restored
28
+ - command.completed
29
+ - command.failed
30
+ - command.output
31
+ - command.started
32
+ - file.created
33
+ - file.deleted
34
+ - file.edited
35
+ - file.read
36
+ - guardrail.failed
37
+ - guardrail.passed
38
+ - guardrail.started
39
+ - hook.completed
40
+ - hook.failed
41
+ - hook.started
42
+ - input.received
43
+ - input.requested
44
+ - knowledge.query.completed
45
+ - knowledge.query.started
46
+ - llm.call.completed
47
+ - llm.call.failed
48
+ - llm.call.started
49
+ - llm.output.chunk
50
+ - llm.thinking.chunk
51
+ - mcp.connection.completed
52
+ - mcp.connection.failed
53
+ - mcp.connection.started
54
+ - memory.query.completed
55
+ - memory.query.started
56
+ - memory.save.completed
57
+ - memory.save.started
58
+ - message.assistant
59
+ - message.assistant.chunk
60
+ - message.system
61
+ - message.user
62
+ - permission.denied
63
+ - permission.granted
64
+ - permission.requested
65
+ - planning.completed
66
+ - planning.failed
67
+ - planning.started
68
+ - raw
69
+ - reasoning.completed
70
+ - reasoning.started
71
+ - session.abort
72
+ - session.ended
73
+ - session.error
74
+ - session.idle
75
+ - session.info
76
+ - session.paused
77
+ - session.resumed
78
+ - session.started
79
+ - session.warning
80
+ - skill.invoked
81
+ - task.completed
82
+ - task.failed
83
+ - task.started
84
+ - telemetry.usage
85
+ - tool.call.completed
86
+ - tool.call.failed
87
+ - tool.call.started
88
+ - tool.output
89
+ - tool.progress
90
+ - tool.result.chunk
91
+ - tool.validation.failed
92
+ - turn.ended
93
+ - turn.skipped
94
+ - turn.started
95
+ - workflow.completed
96
+ - workflow.failed
97
+ - workflow.started
98
+
99
+ Mechanism:
100
+ type: string
101
+ description: "How the tool interacts with the environment."
102
+ enum:
103
+ - communication.system
104
+ - communication.user
105
+ - database
106
+ - database.nosql
107
+ - database.sql
108
+ - delegation.agent
109
+ - filesystem
110
+ - network.http
111
+ - process
112
+ - process.shell
113
+ - unknown
114
+
115
+ Effect:
116
+ type: string
117
+ description: "What the tool does to state."
118
+ enum:
119
+ - destructive
120
+ - mutating
121
+ - read_only
122
+
123
+ Scope:
124
+ type: string
125
+ description: "What domain the action targets."
126
+ enum:
127
+ - artifact.build_output
128
+ - artifact.config
129
+ - artifact.container_image
130
+ - artifact.dependency
131
+ - artifact.documentation
132
+ - artifact.repository
133
+ - artifact.source_code
134
+ - artifact.test_code
135
+ - configuration.ci_cd
136
+ - configuration.dependency
137
+ - configuration.infrastructure
138
+ - external.api
139
+ - external.service
140
+ - state.deployment
141
+ - state.repository
142
+ - system.network
143
+ - system.os
144
+ - system.secrets
145
+
146
+ Role:
147
+ type: string
148
+ description: "What persona the tool fills."
149
+ enum:
150
+ - communicator.system_reporter
151
+ - communicator.user_prompt
152
+ - executor.container_runtime
153
+ - executor.script_runner
154
+ - modifier.file_editor
155
+ - orchestrator.ci_cd
156
+ - orchestrator.package_manager
157
+ - orchestrator.task_runner
158
+ - persistence.cache
159
+ - persistence.database
160
+ - persistence.version_control
161
+ - retriever.api_client
162
+ - retriever.file_browser
163
+ - retriever.search_index
164
+ - retriever.web_scraper
165
+ - validator.security_scanner
166
+ - validator.test_runner
167
+
168
+ Action:
169
+ type: string
170
+ description: "What verb the tool performs."
171
+ enum:
172
+ - analyze
173
+ - analyze.diff
174
+ - analyze.measure
175
+ - analyze.profile
176
+ - configure
177
+ - configure.install
178
+ - configure.provision
179
+ - configure.setup
180
+ - deliver
181
+ - deliver.deploy
182
+ - deliver.publish
183
+ - deliver.push
184
+ - deliver.release
185
+ - execute
186
+ - execute.repl
187
+ - execute.run_script
188
+ - execute.script
189
+ - execute.service
190
+ - generate
191
+ - generate.code
192
+ - generate.documentation
193
+ - generate.scaffold
194
+ - modify
195
+ - modify.edit
196
+ - modify.merge
197
+ - modify.rebase
198
+ - persist
199
+ - persist.commit
200
+ - persist.install
201
+ - persist.stage
202
+ - persist.write
203
+ - remove
204
+ - remove.clean
205
+ - remove.delete
206
+ - remove.teardown
207
+ - remove.uninstall
208
+ - retrieve
209
+ - retrieve.browse
210
+ - retrieve.diff
211
+ - retrieve.query
212
+ - retrieve.read
213
+ - retrieve.search
214
+ - transform
215
+ - transform.bundle
216
+ - transform.compile
217
+ - transform.format
218
+ - transform.refactor
219
+ - transform.transpile
220
+ - validate
221
+ - validate.build_check
222
+ - validate.lint
223
+ - validate.security_scan
224
+ - validate.test
225
+ - validate.typecheck
226
+
227
+ Capability:
228
+ type: string
229
+ description: "What capabilities/risks the tool exposes."
230
+ enum:
231
+ - budget_pressure
232
+ - credential_exposure
233
+ - elevated_privilege
234
+ - filesystem_read
235
+ - filesystem_write
236
+ - human_interaction
237
+ - integrity_unverified
238
+ - mcp_drift
239
+ - network_inbound
240
+ - network_outbound
241
+ - pii_exposure
242
+ - subprocess
243
+ - uses_credentials
244
+
245
+ Structure:
246
+ type: string
247
+ description: "Structural patterns detected in the invocation."
248
+ enum:
249
+ - conditional
250
+ - ifc_violation
251
+ - interactive
252
+ - parallel
253
+ - phase_anomaly
254
+ - piped
255
+ - sequential
256
+ - tainted_flow
257
+
258
+ RiskBand:
259
+ type: string
260
+ description: "Risk severity tier."
261
+ enum:
262
+ - safe
263
+ - caution
264
+ - danger
265
+ - critical
266
+ - unknown
267
+
268
+ Recommendation:
269
+ type: string
270
+ description: "Governance action to take."
271
+ enum:
272
+ - allow
273
+ - deny
274
+ - escalate
275
+ - warn
276
+
277
+ Decision:
278
+ type: string
279
+ description: "Gate verdict outcome."
280
+ enum:
281
+ - allow
282
+ - deny