jishengyang-cal/imparativ
GitHub: jishengyang-cal/imparativ
Imperativ is a contracts-first AI-Ops governance control plane that gives AI agents and automation workflows a unified auditable execution boundary, policy approval, and production-readiness rehearsal capabilities.
# Imperativ
Imperativ is a contracts-first, governed AI-Ops control plane and local development workbench. It gives AI agents, CLIs, Workbench surfaces, automation rules, external workflow engines, receiver adapters, and credential backends one auditable execution boundary instead of letting any caller run tools, providers, shells, SSH, cloud APIs, broker APIs, or production mutations directly.
Documentation/manual: https://jishengyang-cal.github.io/imparativ/
The GitHub Pages manual explains the architecture, operator workflows, implementation themes, source-governed backlog status, AI/source-intelligence workflow, language-boundary roadmap, and remaining production boundaries. The current implementation themes cover governed agent entry, approved-memory context, construction source intelligence, Rust/SPARK gateway admission, the .NET shadow scaffold, coding-worker boundaries, repository imports, topology diagnostics, and worktree residue hygiene.
Imperativ is not positioned as a replacement for Temporal, Argo, Backstage, Vault/OpenBao, OPA, OpenHands, or live production systems. Its role is to govern those systems and workers through CommandEnvelope, Command Gateway, authority, policy, approval, provider binding, audit evidence, and replayable operation state.
```text
contracts
  -> PostgreSQL imperativ_system
  -> Command Gateway
  -> Authority / Policy / Approval
  -> Provider / Runtime
  -> Task / Diagnostics / Audit / Outbox
  -> Operation Timeline / Event Publication / Reconciliation / Governance Graph
```
## Current Status
Current construction status:
- Governed entry: northbound callers submit CommandEnvelope objects through Command Gateway. The agent SDK now offers a fluent builder for `agent.run` and model-invocation requests while still generating idempotency, deadline, trace, actor, scope, target, capability, and evidence fields.
- Approval and audit: high-risk commands, approval resume, provider dispatch, task state, operation timelines, outbox publication, audit hash checks, and evidence bundles remain part of the same control-plane path.
- Memory and context: agent context is compiled from MemoryCandidate, MemoryApproval, and ApprovedMemory records. Approved memory can provide scoped read-only run context; new persistent memory still has to be proposed and approved.
- Source intelligence: GitNexus, CodeGraph, target repository manifests, protected-surface checks, and lexical fallback are read-only pre-edit evidence for construction governance. Missing indexes are treated as missing evidence, not as permission to guess architecture.
- Runtime adapters: Temporal, non-production Kubernetes, Argo, local receiver, webhook, and enterprise connector paths are implemented as governed adapters or evidence imports. Real execution remains opt-in, profile-scoped, and approval/audit/credential-bound where mutation is possible.
- Language boundaries: TypeScript owns application orchestration, HTTP surfaces, Workbench, provider IO, and store integration. Rust owns gateway admission and audit-hash enforcement. SPARK/Ada carries the small non-bypass safety-kernel proof path. OCaml owns semantic policy, patch, repository-boundary, and topology checks. The .NET solution is a shadow parity scaffold, not a live runtime.
- Workbench and docs: Workbench is a high-risk operation and governance surface, not a generic developer portal. The public manual now presents implementation work by theme rather than by chronological landing notes.
- Explicit non-goals: no direct provider bypass, raw secret storage, direct SSH/shell mutation, live trading or broker writes, production cloud mutation, or SaaS business writes outside governed adapters.
Implemented foundations and governed surfaces:
| Area | Status |
| --- | --- |
| Contracts | JSON Schema contracts for command envelopes, providers, contributions, audit, diagnostics, tasks, operations, correlation, runbook templates, automation rules, credential leases, provider contract reports, remote inventory, server connection profiles, deployment/GCE staging/rollback drill readiness, production activation readiness/apply rehearsal, AI framework inventory, cross-arch verifier, memory governance, agent jobs, worktree leases, and agent sessions |
| System store | PostgreSQL `imperativ_system` for command registry, authority, policy decisions, tasks, diagnostics, approvals, audit, outbox, runbook templates, automation rules, credential leases, provider contract test reports, source governance, backlog, deployment governance, production activation readiness, memory governance, and agent job/worktree lease governance |
| Command Gateway | All executable effects enter through `CommandEnvelope -> CommandGateway` |
| Authority and policy | Capability registry, authority rules, provider bindings, minimal risk guard, and approval lifecycle |
| Authority explainability | Read-only `/v1/policy/explain`, `/v1/commands/dry-run`, `/v1/policy-decisions`, `/v1/audit-evidence`, `/v1/outbox-events/replay`, and `/v1/outbox/verify` surfaces |
| Adapter certification | `AdapterCertificationRunRequest` / `AdapterCertificationResult`, `/v1/adapter-certifications`, and provider/connector/execution-adapter certification summaries without authority grants |
| Operator workflows | `/v1/workbench/operator-workflows` aggregates governance review, release evidence, enterprise ingress, policy replay, and adapter certification as read-only workflow descriptors |
| Production-readiness drills | `ProductionReadinessDrillRunRequest` / `ProductionReadinessDrillReport` provide read-only checks over audit, outbox, release, provider certification, governance review, and PostgreSQL metadata evidence |
| Phase 4 governance workflows | Real adapter probe, Workbench evidence detail, approved environment rehearsal, and release promotion gate review surfaces are implemented as read-only or evidence-review paths |
| Phase 5 execution planning | Business-action dispatch, runtime adapter execution plans, controlled rehearsal plans, and production promotion plans are governed and plan-only except local mock dispatch |
| Phase 6-9 runtime path | Activation gates, webhook delivery, runtime adapter proof, and non-production runtime adapter execution run through Command Gateway with explicit controls, approval where required, artifacts, and audit |
| Temporal durable workflows | `provider.node.temporal-runtime-adapter` and `apps/temporal-worker` support governed start/signal/cancel/query, approval-gated mutation, dry-run/default fail-closed controls, Temporal event-history evidence refs, and activities that call back into `/v1/commands` for real effects |
| Credential boundary | Contract validation and provider-backed OpenBao gateway for health checks, approval-gated short-lived handles, and redacted snapshot reads without raw secret material |
| Crypto governance boundary | CryptoPolicy, KeyReference, CryptoEvidence, TransportSecurityProfile, simulation-only signature evidence, PQC-ready external-verifier/signing/key-wrap attestations, and hybrid transport profile verification without replacing TLS/SSH, executing local PQC primitives, or storing raw key material |
| Provider runtime | Local Node runtime provider for authorized local process execution and dedicated provider adapters including production activation apply rehearsal |
| Remote inventory | Command Gateway-dispatched `provider.node.remote-inventory` for read-only Google VM inventory evidence and import-plan artifacts |
| Server connection | Command Gateway-dispatched `provider.node.server-connection` for local Google VM connection profile probing and local migration planning |
| Remote receiver boundary | Non-live `provider.node.remote-receiver-ssh` registration for governed receiver operations and rollback drill execution, non-live `provider.node.gce-staging-adapter` plan evidence, `provider.node.remote-receiver-supervisor` supervision evidence, `provider.node.remote-receiver-daemon-readiness` production daemon readiness evidence, `provider.node.remote-journal-reconciler` metadata-only journal reconciliation evidence, bounded `provider.node.remote-journal-content-importer` local artifact import evidence, and `provider.node.rollback-drill-readiness` prerequisite evidence; default smoke verifies authority/provider constraints and skips live SSH execution |
| Audit | Append-only audit events, hash-link verifier, and diagnostic findings |
| Diagnostics | Problem matcher MVP and diagnostics API |
| Task visibility | Task events and SSE stream for workbench consumption |
| Session event store | PostgreSQL-backed agent session store, session event replay cursor, SSE stream, and outbox fanout |
| Event bus | PostgreSQL inbox/outbox, AutomationTrigger ingress, NATS JetStream publisher MVP, CloudEvents mapping, generated runtime AsyncAPI JSON, checked-in deterministic AsyncAPI artifact, artifact drift check, and event-consumer health read models |
| Enterprise operability | Operation run/span ledger, timeline API, outbox LISTEN/NOTIFY wakeups, operation-orchestrator reconciler, provider deadline/idempotency guards, and project graph governance |
| Enterprise workflow portfolio | Tenant, TenantProject, TenantEnvironment, WorkflowCase, GovernanceEvidenceExport, GovernanceReview, IntegrationConnectorProfile, EnterpriseIntegrationIngressRequest, ExecutionAdapterProfile, ExecutionAdapterEvidenceImportRequest, SupplyChainEvidenceRef, CommercialAssuranceReport, CommercialAssuranceReportExportRequest, CommercialAssuranceRetentionPolicy, and EnterpriseWorkflowCloseoutRequest/Report contracts, parsers, PostgreSQL persistence where appropriate, Control Plane APIs, Workbench read models, docs, and smoke coverage |
| Production activation | ProductionExternalMutationPlan, CloudResourceProvisionPlan, ProductionCredentialBindingPlan, ProductionActivationReadinessReport, and ProductionActivationApplyReport contracts, PostgreSQL persistence for plans/readiness, Control Plane APIs, bounded audit summaries, approval-gated Command Gateway apply rehearsal, and smoke coverage. Apply rehearsal is dry-run-only at provider level: it proves production execution prerequisites without writing external systems or creating cloud resources. |
| Workbench metadata/UI | Console web metadata endpoint, registry-owned panel/module/metric/theme/action definitions, read-model summary endpoint, initial HTML panel shell, command execution controls, log timeline, and global panel/command filter |
| Industry packs | Generic industry pack/profile/adapter/verification contracts, Apple existing-flow wrapper metadata for `vision-web-workspace` and `spatial-spray`, Apple release mock-ready adapter contracts, and Quant profile split for HFT, Intraday, Options, portfolio research, and market-data diagnostics |
| Provider SDK / Registry | Provider manifest validation, sandbox/compat/sign/verify CLI, registry bundle, publish plan, compatibility matrix, provider certification reports, and read-only provider registry summary |
| Remote agent dev | Safe remote channel envelope, channel registry, safe ping/describe/echo calls, heartbeat stream, and RemoteExecutionRequest validation boundary |
| Runtime session lifecycle | Dev runtime lifecycle contract and remote-agent-dev lifecycle advertisement |
| Release / deployment governance | DeploymentTarget, ReleaseManifest, DeploymentPlan, DeploymentRun, RemoteReceiverManifest, RemoteReceiverSupervisionRequest/Report, RemoteReceiverDaemonReadinessRequest/Report, RemoteJournalRef, RemoteJournalReconcileRequest/Report, RemoteJournalContentImportRequest/Report, DeploymentSimulationRequest, GceStagingPrepareRequest, and GceStagingAdapterPlan contracts; PostgreSQL persistence, local-only deployment simulation, Command Gateway-dispatched local receiver provider, managed local artifact staging evidence, approval-gated non-live Google VM receiver SSH staging, receiver supervision/daemon readiness evidence, metadata-only journal reconciliation evidence, bounded journal content artifact import, and non-mutating GCE staging adapter plan evidence |
| Operation runner | Formal `OperationPlan` / `OperationRun` contracts and CLI runner for local dev operations |
| Source governance | Reviewed source index, generated PostgreSQL seed, and backlog derived from registered source inputs |
| AI architecture | Scope envelope, AgentSession contracts, session message/event/artifact contracts, ToolSpec/ToolInvocation contracts, scoped ToolCatalog compiler, VerifierRun/VerifierGate contracts, CrossArchVerifierRunRequest, GoogleVMReadOnlyAnalysis, AIFrameworkInventory/ImportPlan, MemoryCandidate/MemoryApproval/ApprovedMemory, AgentJob/WorktreeLease runtime controller, AgentRuntimeSchedule, TurnSnapshot, AgentRolePolicy, LifecycleHook, AutomationTrigger ingress, CredentialBrokerBoundary, RuntimeSessionLifecycle, provider-backed AI inventory/Google VM analyzer/cross-arch verifier runners, and AI boundary docs |
| Cross-arch verifier gates | `verifier.cross.arch.gate.run` aggregates design/context/change-capsule/trace/policy/release VerifierRun evidence into a blocking VerifierGate and Workbench-visible artifact |
| AI framework Phase 2 backbone | `ai.framework.phase2.prepare` records governed metadata for agent runtime scheduler, coding-worker adapters, Workbench parity, GitNexus, research memory, MCP profiles, overlay catalog, and cross-machine AgentJob dispatch without granting authority |
| Agent runtime scheduler | `agent.runtime.schedule` plans selected/skipped AgentJobs, WorktreeLease templates, role-bound child-session hints, verifier injection, Workbench blockers, and sha256 evidence bundle artifacts without executing model workers or remote/live mutations |
| Coding worker adapter boundary | `coding.worker.adapter.prepare` prepares Codex/Claude ToolInvocation templates, AgentRolePolicy bindings, SessionArtifact raw-log templates, VerifierGate fail-closed policy, credential boundary metadata, and Workbench blockers while keeping OpenCode deferred and forbidding model execution/direct provider calls |
| AI productization bundle | `ai.framework.productization.prepare` lands the nine-module productization bundle for Workbench AI parity, coding-worker runtime handoff, GitNexus read-only intelligence, overlay catalog, scheduler daemon, research memory runtime, profile-scoped MCP tools, cross-machine AgentJob execution, and production readiness proofs; it emits runtime handoff/readiness/artifact/audit evidence and keeps production promotion blocked |
| AI runtime landing report | `ai.framework.runtime.land` lands the nine local AI framework runtime modules into governed runtime surfaces, Workbench surfaces, VerifierGate matrix, runtime handoff, local artifact, and audit evidence while keeping model execution, direct provider/shell/SSH, remote mutation, live trading writes, raw secrets, MCP/GitNexus authority, and production promotion blocked |
| AI next-stage execution units | `ai.framework.nextstage.execute` materializes the nine next-stage execution units for scheduler daemon, Codex/Claude child sessions, Workbench parity, research memory, GitNexus, MCP sandbox, overlay conflict verifier, cross-machine AgentJob receiver/journal path, and production readiness proofs with gate plan, runtime handoff, Workbench mapping, local artifact, and audit evidence |
| Independent follow-up lines | `independent.lines.close` closes Contract Productization v2, Quant diagnostics, VisionPro monitoring, Enterprise connector adapters, and Execution adapter runtime with generated OpenAPI/business-event/publication artifacts, registry-owned read-model panels, local artifact evidence, audit, and no direct provider/shell/SSH/remote/live/raw-secret/authority bypass |
| AI Phase 2 runtime closeout | `ai.framework.phase2.runtime.close` closes the local runtime/evidence loop for the nine AI modules with execution paths, VerifierGate refs, Workbench surfaces, Phase 3 handoff, local artifact, and audit evidence while keeping model execution and production authority blocked |
| AI Phase 3 readiness verification | `ai.framework.phase3.readiness.verify` verifies the production proof matrix through the high-risk approval/resume path, fails closed on missing external KMS/HSM, Rekor, OIDC, latency/ABI, qrel/qnode, and receiver-journal proofs, and does not promote production |
| AI production promotion preflight | `ai.framework.production.promotion.preflight` runs the formal production promotion proof test plan for a release candidate, closes residual prerequisite blockers only when all required proofs are verified, and still does not execute promotion |
| AI runtime completion | `ai.framework.runtime.complete` closes the remaining runtime surfaces for model/coding workers, receiver daemon deployment, GitNexus, research memory, MCP profiles, external proof chains, and promotion execution records |
| AI production promotion execution | `ai.framework.production.promotion.execute` is the critical production promotion command boundary; in local/dev it records auditable execution intent only and performs no remote/live mutation |
| AI memory and replay | MemoryCandidate, MemoryApproval, ApprovedMemory, session event replay, replay cursor, AI Console replay timeline, playback controls, and governed memory context injection are implemented as development context only |
| Source intelligence | GitNexus CLI, CodeGraph MCP, cross-repo target resolution, missing-index classification, lexical fallback, Source Intelligence UI read models, and terminal Codex preflight hooks are implemented as read-only pre-edit evidence |
| Semantic kernel | OCaml owns policy-context resolution, repository-boundary semantic decisions, patch-analyzer semantic checks, topology-model verification, and shared verifier rendering where semantic meaning must not be reimplemented in TypeScript |
| Rust authority/audit boundary | Rust owns pre-dispatch authority boundary checks and deterministic audit hash preparation/verification; TypeScript/PostgreSQL still own transactions, provider dispatch, outbox publication, and audit persistence |
| Coordination topology | Topology verification maps audit/policy/task/provider/source-intelligence evidence into read-only coordination diagnostics and Workbench read models without granting authority or dispatching providers |
The remote Google VM live trading hotplane is treated as an existing external governed system. Imperativ does not rebuild it, mutate it, or move live trading execution into the workbench.
## Architecture Rules
Imperativ is built around these constraints:
Language is not unified; protocol is unified.
Implementation is not unified; authority is unified.
Runtime is not unified; lifecycle is unified.
Important boundaries:
- Workbench, CLI, extension host, MCP, automations, and agents are northbound callers.
- Callers submit `CommandEnvelope`; they do not call providers directly.
- Provider manifests declare capabilities; they do not grant execution authority.
- Authority comes from authority maps, policy evaluation, approval state, and audit.
- `AgentSession` is workflow context, not an authority source.
- Task events are execution facts; session events are workflow facts; audit events are evidence.
- PostgreSQL `imperativ_system` is the system transaction database. It is not ClickHouse/kdb and is not the trading data store.
- Live trading hot paths remain outside the local workbench/control-plane execution path.
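The boundaries above in miniature, as an added illustration that is not the project's own SDK or gateway code: a caller submits a `CommandEnvelope`, a provider manifest declares a capability but grants nothing, authority comes from rules plus approval state, and every decision lands in a hash-linked audit chain that a verifier can check. The class and method names (`CommandGateway.submit`, `AuditChain`), the sample manifest and the authority rules are assumptions constructed for this example.

```typescript
import { createHash } from "node:crypto";

type Risk = "low" | "high";
type Decision = "dispatched" | "pending_approval" | "denied";

// What a northbound caller submits. It names a capability and a target, never a provider.
interface CommandEnvelope {
  commandId: string;   // idempotency key: the same id never dispatches twice
  capability: string;
  actor: string;
  scope: string;
  target: string;
  traceId: string;
  deadline: number;    // epoch milliseconds
}

// Constructed sample manifest. Declaring a capability grants no execution authority.
const providerManifests: Record<string, string[]> = {
  "provider.node.openbao-credential-broker": ["credential.handle.issue", "credential.snapshot.read"],
};

// Constructed authority map: who may invoke which capability, in which scope, at what risk.
interface AuthorityRule { capability: string; actors: string[]; scopes: string[]; risk: Risk }
const authorityRules: AuthorityRule[] = [
  { capability: "credential.snapshot.read", actors: ["agent:dev"], scopes: ["local"], risk: "low" },
  { capability: "credential.handle.issue", actors: ["agent:dev"], scopes: ["local"], risk: "high" },
];

interface AuditEvent {
  seq: number; commandId: string; decision: Decision; reason: string; prevHash: string; hash: string;
}

const GENESIS = "0".repeat(64);
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Append-only audit log; every event commits to the hash of the event before it.
class AuditChain {
  readonly events: AuditEvent[] = [];

  append(commandId: string, decision: Decision, reason: string): AuditEvent {
    const seq = this.events.length;
    const prev = this.events[seq - 1];
    const prevHash = prev === undefined ? GENESIS : prev.hash;
    const hash = sha256(`${seq}|${commandId}|${decision}|${reason}|${prevHash}`);
    const event: AuditEvent = { seq, commandId, decision, reason, prevHash, hash };
    this.events.push(event);
    return event;
  }

  // Hash-link verifier: recomputes each hash and checks the link to its predecessor.
  verify(): boolean {
    let prevHash = GENESIS;
    for (const e of this.events) {
      const expected = sha256(`${e.seq}|${e.commandId}|${e.decision}|${e.reason}|${prevHash}`);
      if (e.prevHash !== prevHash || e.hash !== expected) return false;
      prevHash = e.hash;
    }
    return true;
  }
}

// Gateway state that lives outside the envelope and outside any session: approvals and idempotency.
class CommandGateway {
  readonly audit = new AuditChain();
  private readonly approvals = new Set<string>();
  private readonly dispatched = new Set<string>();

  approve(commandId: string): void { this.approvals.add(commandId); }

  submit(env: CommandEnvelope, now: number): Decision {
    const record = (decision: Decision, reason: string): Decision => {
      this.audit.append(env.commandId, decision, reason);
      return decision;
    };
    if (this.dispatched.has(env.commandId)) return record("denied", "duplicate commandId (idempotency)");
    if (env.deadline <= now) return record("denied", "deadline passed");
    const declared = Object.values(providerManifests).some((caps) => caps.includes(env.capability));
    if (!declared) return record("denied", "no provider declares capability");
    // Fail closed: a declared capability without a matching authority rule is denied.
    const rule = authorityRules.find(
      (r) => r.capability === env.capability && r.actors.includes(env.actor) && r.scopes.includes(env.scope),
    );
    if (!rule) return record("denied", "no authority rule for actor/scope/capability");
    if (rule.risk === "high" && !this.approvals.has(env.commandId)) {
      return record("pending_approval", "high-risk command awaits approval");
    }
    this.dispatched.add(env.commandId);
    return record("dispatched", `bound to ${rule.risk}-risk capability ${env.capability}`);
  }
}

// Worked run over constructed envelopes: approval resume, idempotent replay, unauthorized actor.
function demo(): { first: Decision; afterApproval: Decision; replay: Decision; unauthorized: Decision; chainOk: boolean } {
  const gw = new CommandGateway();
  const base = { actor: "agent:dev", scope: "local", target: "openbao:local", traceId: "trace-1", deadline: 2_000 };
  const issue: CommandEnvelope = { ...base, commandId: "cmd-1", capability: "credential.handle.issue" };
  const first = gw.submit(issue, 1_000);          // pending_approval: high risk, not yet approved
  gw.approve("cmd-1");
  const afterApproval = gw.submit(issue, 1_000);  // dispatched: same envelope resumes after approval
  const replay = gw.submit(issue, 1_000);         // denied: idempotency key already dispatched
  const unauthorized = gw.submit(
    { ...base, commandId: "cmd-2", actor: "agent:guest", capability: "credential.snapshot.read" }, 1_000,
  );                                              // denied: capability declared, but no authority rule
  return { first, afterApproval, replay, unauthorized, chainOk: gw.audit.verify() };
}
```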
## Repository Layout
```text
apps/
  cli/                        Imperativ CLI and operation runner
  control-plane/              HTTP API, command gateway surface, registries, task/audit/diagnostics APIs
  console-web/                Workbench metadata and initial console surface
  extension-host/             Contribution manifest loading and extension host boundary
  outbox-publisher/           Postgres outbox to NATS JetStream publisher
  operation-orchestrator/     Stale task reconciliation and durable operation worker
  remote-agent-dev/           Safe development remote channel service
  mock-trading/               Development/test trading adapter surface
  mock-market-data/           Development/test market data adapter surface
  temporal-worker/            Optional Temporal worker for governed durable workflows and Command Gateway activity callbacks
contracts/
  schemas/                    Platform JSON Schema authority surface
  cue/                        CUE contract boundary where present
authority/
  capabilities.yaml
  authority-rules.yaml
  provider-bindings.yaml
providers/
  node/crypto-keywrap-pqc-ready/                    PQC-ready external ML-KEM key wrap/unwrap attestation provider
  node/agent-runtime-scheduler/                     Governed AgentJob scheduling plan/evidence provider
  node/ai-framework-phase2-backbone/                Governed AI framework Phase 2 module backbone provider
  node/ai-framework-productization-bundle/          Governed nine-module AI productization bundle provider
  node/ai-framework-runtime-landing/                Governed nine-module AI runtime landing report provider
  node/ai-framework-nextstage-execution/            Governed nine-module AI next-stage execution unit provider
  node/independent-lines-closure/                   Governed five-line closure evidence provider
  node/ai-framework-phase2-runtime/                 Governed AI Phase 2 local runtime closeout provider
  node/ai-framework-phase3-readiness/               Governed AI Phase 3 fail-closed readiness verifier
  node/ai-framework-production-promotion-preflight/ Governed production promotion proof preflight provider
  node/ai-framework-runtime-completion/             Governed remaining AI runtime completion and promotion execution provider
  node/ai-framework-inventory/                      Read-only AI framework migration inventory/import-plan provider
  node/coding-worker-adapter-boundary/              Codex/Claude worker adapter boundary provider
  node/cross-arch-gate-workflow/                    Cross-arch VerifierGate workflow provider
  node/cross-arch-verifier/                         Metadata-only cross-arch VerifierRun evidence provider
  node/gce-staging-adapter/                         Non-live GCE staging plan evidence provider
  node/rollback-drill-readiness/                    Rollback drill prerequisite evidence provider
  node/local-runtime/                               Local Node provider for authorized process execution
  node/local-receiver/                              Local-only deployment receiver with staging evidence
  node/remote-inventory/                            Read-only Google VM inventory evidence provider
  node/remote-journal-content-importer/             Bounded local remote-journal content artifact importer
  node/remote-journal-reconciler/                   Metadata-only remote journal hash/cursor reconciliation provider
  node/remote-receiver-daemon-readiness/            Production receiver supervisor daemon readiness provider
  node/remote-receiver-supervisor/                  Metadata-only remote receiver supervision evidence provider
  node/remote-receiver-ssh/                         Approval-gated non-live Google VM receiver staging provider
  node/server-connection/                           Local server connection/profile probe provider
  node/temporal-runtime-adapter/                    Command Gateway-controlled Temporal workflow start/signal/cancel/query provider
  node/transport-security-profile-verifier/         Hybrid transport profile verifier
  node/openbao-credential-broker/                   Redacted OpenBao credential gateway and short-lived handle provider
  node/crypto-signature-pqc-signer/                 PQC-ready external signer attestation provider
  node/crypto-signature-pqc-ready/                  PQC-ready external verifier attestation provider
apps/
  remote-receiver-supervisor/ Buildable receiver supervisor daemon with health, manifest, journal ref, and new-file-only journal segment append endpoints
packages/
  platform/                   Common contracts, parsers, gateway, registries, in-memory kernel
  system-store-postgres/
  problem-matcher/
  extension-host/
  service-runtime/
  adapter-sdk/
infra/
  compose/                    Local Compose stack
  db/postgres/                Migrations, seed, optional migrations
  secrets/openbao/            Non-secret OpenBao local config
docs/
  architecture/
  reviews/
  source-index/
tools/
  dev_up.sh
  dev_restart.sh
  dev_down.sh
  dev_smoke.py
  check_contracts.py
  check_boundaries.py
  openbao_bootstrap.py
  generate_dev_authority_seed.py
  generate_source_governance_seed.py
```
## Local Development
Prerequisites:
- Node.js and `pnpm`
- Docker with Compose
- PostgreSQL client tools if applying database scripts manually
Fresh clone bootstrap:
```sh
pnpm install
pnpm run build
pnpm run imperativ -- dev up
```
Start the local stack with the governed OpenBao credential backend profile:
```sh
pnpm run imperativ -- dev up --secrets
```
Bootstrap only the local credential backend profile:
```sh
pnpm run imperativ -- secrets bootstrap
```
Compatibility bootstrap, useful before the CLI has been built:
```sh
pnpm run dev:up
```
`imperativ dev up` executes a contract-shaped `OperationPlan` and records an `OperationRun`. It regenerates authority/source seeds, checks contracts and package boundaries, builds TypeScript, starts the Compose stack, applies migrations, applies development seed data, restarts app services, checks health, and runs a Postgres-backed smoke test through the Command Gateway. `--secrets` includes the OpenBao Compose profile and performs a redacted OpenBao health/bootstrap status check.
`imperativ secrets bootstrap` starts only the OpenBao local credential backend and checks `/v1/sys/health`. It does not initialize, unseal, read KV secrets, return tokens, or write raw secret material.
`credential.handle.issue` and `credential.snapshot.read` are registered dev commands for short-lived OpenBao-backed credential handles. Handle issuance is high risk and approval-gated; snapshot reads are redacted and read-only. The current provider returns opaque handles, leases, and redacted metadata only; it does not read OpenBao KV secrets, expose raw secret material, or store raw secret material in PostgreSQL.
`imperativ remote inventory` submits the governed Google VM read-only inventory request through Command Gateway. It stages inventory/import-plan evidence locally and keeps direct SSH, remote mutation, live trading writes, and high-volume payload storage disabled.
`ai.framework.inventory.import`, `ai.workflow.evidence.package`, `ai.repo.governance.compile`, `ai.google.vm.analyze`, `verifier.cross.arch.run`, `verifier.cross.arch.gate.run`, `ai.framework.phase2.prepare`, `ai.framework.productization.prepare`, `ai.framework.runtime.land`, `ai.framework.nextstage.execute`, `ai.framework.phase2.runtime.close`, `ai.framework.phase3.readiness.verify`, `ai.framework.production.promotion.preflight`, `ai.framework.runtime.complete`, `ai.framework.production.promotion.execute`, `agent.runtime.schedule`, and `coding.worker.adapter.prepare` are registered dev commands for local AI framework landing. They stage local inventory/import-plan, AI workflow evidence packages, repo-local governance bundles, Google VM read-only analysis, VerifierRun evidence, blocking VerifierGate workflow evidence, Phase 2 backbone metadata, nine-module productization bundle evidence, nine-module runtime landing report evidence, nine-module next-stage execution unit evidence, Phase 2 runtime closeout evidence, Phase 3 readiness proof matrix evidence, production promotion proof preflight evidence, remaining runtime completion evidence, production promotion execution-record evidence, AgentJob scheduler evidence, and coding worker adapter boundary evidence through Command Gateway; they do not SSH to the VM, mutate remote services, run raw shell, call model providers directly, write live trading state, import secrets, or store high-volume payloads in PostgreSQL. `ai.workflow.evidence.package` covers capsule/Q3/A-B handoff drafts, research memory query packs, scoped MCP tool profiles, cross-arch MCP quality tools, GitNexus read-only freshness evidence, and GitHub Actions third-party detection without making those systems authority sources. `ai.repo.governance.compile` packages README/AGENTS/CLAUDE/source-index rule hashes, role-policy bindings, lifecycle reminders, verifier presets, and blocked actions without granting prompt-only authority. 
`verifier.cross.arch.run` also supports a governed `local_subprocess` mode for repo-relative Python verifier tools via `execFile` without shell access. `verifier.cross.arch.gate.run` aggregates required gate results and fails closed. `ai.framework.phase2.prepare` records scheduler/worker/Workbench/GitNexus/memory/MCP/overlay/cross-machine blockers as metadata, not production execution. `ai.framework.productization.prepare` creates the formal handoff/readiness bundle for Workbench parity, coding workers, GitNexus, overlays, scheduler daemon, research memory, MCP profiles, cross-machine AgentJobs, and production readiness proofs while keeping all production blockers visible. `ai.framework.runtime.land` turns those nine modules into the local runtime landing report: runtime surfaces, Workbench surfaces, fail-closed verifier gate matrix, runtime handoff, readiness blockers, local artifact, and audit evidence. `ai.framework.nextstage.execute` materializes the nine execution units, gate plan, runtime handoff map, Workbench panel map, readiness blockers, local artifact, and audit event for the next implementation slices. `ai.framework.phase2.runtime.close` closes the local runtime/evidence loop for those nine units and hands off to Phase 3 proofs. `ai.framework.phase3.readiness.verify` is high-risk and approval-gated; it verifies attached proof inputs, records missing external proof blockers, and fails closed without production promotion. `ai.framework.production.promotion.preflight` is also high-risk and approval-gated; it runs the formal production promotion proof test plan for a release candidate, closes residual prerequisite blockers only when every proof input is verified, and still keeps automatic/actual production promotion disabled. `ai.framework.runtime.complete` completes the remaining runtime surfaces for model/coding worker execution, receiver daemon deployment, GitNexus, research memory, MCP profiles, external proof chains, and promotion execution records. 
`ai.framework.production.promotion.execute` is critical and approval-gated; local/dev execution records intent only and still performs no remote mutation or live trading write. These commands still do not start unrestricted scheduler daemons, SSH sessions, receiver mutation, live trading writes, MCP authority, GitNexus authority, or automatic production promotion. `agent.runtime.schedule` plans selected/skipped jobs, WorktreeLease templates, role-bound child sessions, verifier injection, Workbench blockers, and evidence bundles; state changes still go through `/v1/agent-jobs/runtime/*`. `coding.worker.adapter.prepare` prepares Codex/Claude ToolInvocation templates, AgentRolePolicy bindings, raw-log SessionArtifact templates, VerifierGate policy, and credential boundary metadata; OpenCode remains deferred until native log schema proof exists.
`deployment.remotereceiver.execute` is registered as a high-risk approval-gated command for non-live Google VM receiver staging. The default smoke suite verifies registration and constraints without touching the VM. Setting `IMPERATIV_ENABLE_REMOTE_RECEIVER_SSH_SMOKE=1` first checks that the provider runtime itself can use the configured SSH alias; when that preflight passes, smoke runs the approval/resume path and creates new staging files only under `$HOME/.imperativ/nonlive-receiver/...`. Use `IMPERATIV_REQUIRE_REMOTE_RECEIVER_SSH_SMOKE=1` when a missing provider-runtime SSH setup should fail the run instead of skipping the live SSH step.
`deployment.gce.staging.prepare` is registered as a high-risk approval-gated non-live GCE staging adapter skeleton. It validates release/deployment/receiver/credential-handle boundaries and writes local `GceStagingAdapterPlan` evidence only; the provider records that no GCP API mutation and no remote mutation were performed.
`deployment.remotereceiver.daemon.readiness` is registered as a high-risk approval-gated production receiver daemon readiness gate. It validates a systemd-style receiver supervisor daemon shape, restart evidence, heartbeat freshness, read-only health endpoints, append-only journal endpoints, and production-promotion blockers. The repository also includes `apps/remote-receiver-supervisor`, a buildable daemon skeleton whose journal append endpoint creates new segment files only. The gate writes local evidence only and does not SSH, deploy a unit, mutate VM files, call GCP APIs, or grant production write authority.
`deployment.remotejournal.content.import` is registered as a high-risk approval-gated bounded content import. It reads caller-provided local journal artifacts, verifies size/hash/cursor, applies redaction, writes local evidence artifacts, and keeps journal body payloads out of PostgreSQL. It does not retrieve remote content by SSH, mutate remote files, touch the live hotplane, or import raw secret material.
Inspect the operation plan without changing local state:

```bash
pnpm --silent run imperativ -- dev up --dry-run --json
```

Run a machine-readable smoke operation:

```bash
pnpm --silent run imperativ -- dev smoke --json
```

Useful operation commands:

```bash
pnpm run imperativ -- dev restart
pnpm run imperativ -- dev smoke
pnpm run imperativ -- dev down
pnpm run imperativ -- dev reset
pnpm run imperativ -- bootstrap
pnpm run imperativ -- secrets bootstrap
pnpm run imperativ -- remote inventory
```

Compatibility script entrypoints remain available:

```bash
pnpm run dev:restart
pnpm run dev:smoke
pnpm run dev:down
pnpm run dev:reset
```
## Main Local Endpoints
| Service | URL |
| --- | --- |
| Control Plane | `http://localhost:8080` |
| Command Registry | `http://localhost:8080/v1/command-registry` |
| Tool Catalog | `http://localhost:8080/v1/tool-catalog` |
| Tool Invocation validation | `http://localhost:8080/v1/tool-invocations/validate` |
| Verifier Run validation | `http://localhost:8080/v1/verifier-runs/validate` |
| Verifier Gate evaluation | `http://localhost:8080/v1/verifier-gates/evaluate` |
| Cross-arch verifier request validation | `http://localhost:8080/v1/cross-arch-verifier-runs/validate` |
| AI framework inventory import validation | `http://localhost:8080/v1/ai-framework-inventory-imports/validate` |
| AI framework inventory validation | `http://localhost:8080/v1/ai-framework-inventories/validate` |
| AI framework import plan validation | `http://localhost:8080/v1/ai-framework-import-plans/validate` |
| AI workflow evidence request validation | `http://localhost:8080/v1/ai-workflow-evidence-package-requests/validate` |
| AI workflow evidence package validation | `http://localhost:8080/v1/ai-workflow-evidence-packages/validate` |
| AI productization prepare validation | `http://localhost:8080/v1/ai-framework-productization-prepare-requests/validate` |
| AI productization bundle validation | `http://localhost:8080/v1/ai-framework-productization-bundles/validate` |
| AI runtime landing request validation | `http://localhost:8080/v1/ai-framework-runtime-landing-requests/validate` |
| AI runtime landing report validation | `http://localhost:8080/v1/ai-framework-runtime-landing-reports/validate` |
| AI next-stage execution request validation | `http://localhost:8080/v1/ai-framework-nextstage-execution-requests/validate` |
| AI next-stage execution report validation | `http://localhost:8080/v1/ai-framework-nextstage-execution-reports/validate` |
| AI Phase 2 runtime close request validation | `http://localhost:8080/v1/ai-framework-phase2-runtime-close-requests/validate` |
| AI Phase 2 runtime close report validation | `http://localhost:8080/v1/ai-framework-phase2-runtime-close-reports/validate` |
| AI Phase 3 readiness request validation | `http://localhost:8080/v1/ai-framework-phase3-readiness-verify-requests/validate` |
| AI Phase 3 readiness report validation | `http://localhost:8080/v1/ai-framework-phase3-readiness-reports/validate` |
| AI production promotion preflight request validation | `http://localhost:8080/v1/ai-framework-production-promotion-preflight-requests/validate` |
| AI production promotion preflight report validation | `http://localhost:8080/v1/ai-framework-production-promotion-preflight-reports/validate` |
| AI runtime completion request validation | `http://localhost:8080/v1/ai-framework-runtime-completion-requests/validate` |
| AI runtime completion report validation | `http://localhost:8080/v1/ai-framework-runtime-completion-reports/validate` |
| Agent runtime schedule request validation | `http://localhost:8080/v1/agent-runtime-schedule-requests/validate` |
| Agent runtime schedule validation | `http://localhost:8080/v1/agent-runtime-schedules/validate` |
| Coding worker adapter prepare request validation | `http://localhost:8080/v1/coding-worker-adapter-prepare-requests/validate` |
| Coding worker adapter boundary validation | `http://localhost:8080/v1/coding-worker-adapter-boundaries/validate` |
| Temporal workflow command validation | `http://localhost:8080/v1/temporal-workflow-commands/validate` |
| Temporal workflow command result validation | `http://localhost:8080/v1/temporal-workflow-command-results/validate` |
| AI repo governance compile request validation | `http://localhost:8080/v1/ai-repo-governance-compiles/validate` |
| AI repo governance bundle validation | `http://localhost:8080/v1/ai-repo-governance-bundles/validate` |
| Turn Snapshot validation | `http://localhost:8080/v1/turn-snapshots/validate` |
| Agent Role Policy validation | `http://localhost:8080/v1/agent-role-policies/validate` |
| Lifecycle Hook validation | `http://localhost:8080/v1/lifecycle-hooks/validate` |
| Automation Trigger validation | `http://localhost:8080/v1/automation-triggers/validate` |
| Automation Trigger ingress | `http://localhost:8080/v1/automation-triggers` |
| Credential Broker Boundary validation | `http://localhost:8080/v1/credential-broker-boundaries/validate` |
| Runtime Session Lifecycle validation | `http://localhost:8080/v1/runtime-session-lifecycles/validate` |
| Memory candidates | `http://localhost:8080/v1/memory-candidates` |
| Memory candidate validation | `http://localhost:8080/v1/memory-candidates/validate` |
| Memory approvals | `http://localhost:8080/v1/memory-approvals` |
| Memory approval validation | `http://localhost:8080/v1/memory-approvals/validate` |
| Approved memory | `http://localhost:8080/v1/approved-memory` |
| Approved memory validation | `http://localhost:8080/v1/approved-memory/validate` |
| Agent jobs | `http://localhost:8080/v1/agent-jobs` |
| Agent job validation | `http://localhost:8080/v1/agent-jobs/validate` |
| Worktree leases | `http://localhost:8080/v1/worktree-leases` |
| Worktree lease validation | `http://localhost:8080/v1/worktree-leases/validate` |
| Deployment Targets | `http://localhost:8080/v1/deployment-targets` |
| Deployment Target validation | `http://localhost:8080/v1/deployment-targets/validate` |
| Release Manifests | `http://localhost:8080/v1/release-manifests` |
| Release Manifest validation | `http://localhost:8080/v1/release-manifests/validate` |
| Deployment Plans | `http://localhost:8080/v1/deployment-plans` |
| Deployment Plan validation | `http://localhost:8080/v1/deployment-plans/validate` |
| Deployment Runs | `http://localhost:8080/v1/deployment-runs` |
| Deployment Run validation | `http://localhost:8080/v1/deployment-runs/validate` |
| Remote Receiver Manifests | `http://localhost:8080/v1/remote-receiver-manifests` |
| Remote Receiver Manifest validation | `http://localhost:8080/v1/remote-receiver-manifests/validate` |
| Remote Receiver Supervision validation | `http://localhost:8080/v1/remote-receiver-supervisions/validate` |
| Remote Receiver Supervision report validation | `http://localhost:8080/v1/remote-receiver-supervision-reports/validate` |
| Remote Journal Refs | `http://localhost:8080/v1/remote-journal-refs` |
| Remote Journal Ref validation | `http://localhost:8080/v1/remote-journal-refs/validate` |
| Remote Journal Reconcile validation | `http://localhost:8080/v1/remote-journal-reconciles/validate` |
| Remote Journal Reconcile report validation | `http://localhost:8080/v1/remote-journal-reconcile-reports/validate` |
| Deployment Simulation | `http://localhost:8080/v1/deployment-simulations` |
| GCE staging prepare validation | `http://localhost:8080/v1/gce-staging-prepares/validate` |
| GCE staging plan validation | `http://localhost:8080/v1/gce-staging-plans/validate` |
| Rollback drill readiness validation | `http://localhost:8080/v1/rollback-drill-readiness/validate` |
| Rollback drill readiness report validation | `http://localhost:8080/v1/rollback-drill-readiness-reports/validate` |
| Remote Execution Request validation | `http://localhost:8080/v1/remote-execution-requests/validate` |
| Production external mutation plans | `http://localhost:8080/v1/production/external-mutation-plans` |
| Production cloud resource provision plans | `http://localhost:8080/v1/production/cloud-resource-provision-plans` |
| Production credential binding plans | `http://localhost:8080/v1/production/credential-binding-plans` |
| Production activation readiness | `http://localhost:8080/v1/production/activation-readiness` |
| Production activation apply rehearsal | `http://localhost:8080/v1/commands` with `command=production.activation.apply` |
| Server Connection Profile validation | `http://localhost:8080/v1/server-connection-profiles/validate` |
| Server Connection Probe validation | `http://localhost:8080/v1/server-connection-probes/validate` |
| Workbench metadata | `http://localhost:5173/v1/workbench` |
| Workbench Governance Control Center | `http://localhost:5173/v1/workbench/governance-control-center` |
| Workbench Observability Overview | `http://localhost:5173/v1/workbench/observability-overview` |
| Workbench Project Inclusion Overview | `http://localhost:5173/v1/workbench/project-inclusion-overview` |
| Workbench command proxy | `http://localhost:5173/v1/workbench/commands/execute` |
| Workbench logs | `http://localhost:5173/v1/workbench/logs` |
| Workbench terminal gateway | `http://localhost:5173/v1/workbench/terminal-gateway` |
| Workbench UI services | `http://localhost:5173/v1/workbench/ui-services` |
| Agent sessions | `http://localhost:8080/v1/agent-sessions` |
| Session events | `http://localhost:8080/v1/session-events` |
| Session event stream | `http://localhost:8080/v1/session-events/stream` |
| Tasks | `http://localhost:8080/v1/tasks` |
| Task events | `http://localhost:8080/v1/task-events` |
| Task event stream | `http://localhost:8080/v1/task-events/stream` |
| Operation runs | `http://localhost:8080/v1/operations` |
| Operation spans | `http://localhost:8080/v1/operation-spans` |
| Operation timeline | `http://localhost:8080/v1/operation-timeline` |
| Task reconcile | `http://localhost:8080/v1/tasks/reconcile` |
| Audit events | `http://localhost:8080/v1/audit-events` |
| Audit verify | `http://localhost:8080/v1/audit/verify` |
| Diagnostics | `http://localhost:8080/v1/diagnostics` |
| Outbox events | `http://localhost:8080/v1/outbox-events` |
| Outbox publisher status | `http://localhost:8093/v1/outbox-publisher/status` |
| Operation orchestrator | `http://localhost:8094/v1/operation-orchestrator/status` |
| Remote channels | `http://localhost:8080/v1/remote-channels` |
| Console web | `http://localhost:5173` |
| Extension host | `http://localhost:8091` |
| Extension host runtimes | `http://localhost:8091/v1/runtimes` |
| Extension host RPC | `http://localhost:8091/v1/rpc` |
| Remote agent dev | `http://localhost:8092` |
| Mock trading | `http://localhost:18080` |
| Mock market data | `http://localhost:18081` |
| Grafana | `http://localhost:3000` |
| Prometheus | `http://localhost:9090` |
| NATS monitoring | `http://localhost:8222` |
| MinIO console | `http://localhost:9001` |
## Command Gateway Example
Run the demo command path through PostgreSQL:

```bash
pnpm cli -- demo
```

Run an authorized local process through the command gateway:

```bash
pnpm cli -- runtime.process.start -- pnpm run contracts:check
```

Print audit events for the same path:

```bash
pnpm cli -- --audit demo
```

For unit tests and smoke checks only, use the explicit in-memory fake:

```bash
pnpm cli -- --ephemeral demo
```

Current minimal execution path:

```text
CLI
-> CommandEnvelope
-> CommandGateway
-> operation.operation_run / operation.operation_span
-> PostgreSQL imperativ_system
-> AuthorityRule / PolicyDecision / ProviderBinding
-> provider.node.local-runtime / provider.node.local-receiver / provider.node.remote-inventory
-> runtime.task / runtime.task_event
-> audit.audit_event / diagnostics.diagnostic / integration.outbox_event
```
## Checks
Run the full local check:

```bash
pnpm run check
```

Individual checks:

```bash
pnpm run contracts:check
pnpm run boundaries:check
pnpm run governance:check
pnpm run build
pnpm run compose:check
pnpm run dev:smoke
```

Development seed data is generated from the formal authority and source inputs:

```bash
pnpm run seed:generate
pnpm run contracts:check
```
`0001_dev_authority.sql` is generated from `authority/*.yaml`, provider manifests, and contribution manifests. `0002_source_governance.sql` is generated from `docs/source-index/source-map.json` and `docs/source-index/backlog.json`. `contracts:check` fails if either generated PostgreSQL seed is stale.
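One way a generated seed can be checked for staleness, as an added illustration; this is not the repository's generator or its `contracts:check` implementation, which the README does not describe. The generated file carries a stamp of its inputs in a header line, and the checker fails when any input path or content differs from what the stamp was computed over. The header marker, the sample paths and the file contents are constructed for this example.

```typescript
import { createHash } from "node:crypto";

// Added example, not Imperativ code. The marker is a hypothetical convention.
const HEADER_PREFIX = "-- inputs-sha256: ";

// Digest over (path, sha256(content)) pairs in sorted path order: independent of
// enumeration order, and bound to paths so swapping two files' contents is caught.
export function inputsDigest(inputs: Record<string, string>): string {
  const h = createHash("sha256");
  for (const path of Object.keys(inputs).sort()) {
    const fileHash = createHash("sha256").update(inputs[path] ?? "").digest("hex");
    h.update(`${path}\0${fileHash}\n`);
  }
  return h.digest("hex");
}

// The generator stamps its output with the digest of everything it read.
export function renderSeed(inputs: Record<string, string>, body: string): string {
  return `${HEADER_PREFIX}${inputsDigest(inputs)}\n${body}`;
}

// The checker recomputes the digest from the current inputs and compares.
// An unstamped file is treated as stale: it cannot prove what it was built from.
export function isStale(generated: string, inputs: Record<string, string>): boolean {
  const [firstLine = ""] = generated.split("\n", 1);
  if (!firstLine.startsWith(HEADER_PREFIX)) return true;
  return firstLine.slice(HEADER_PREFIX.length).trim() !== inputsDigest(inputs);
}

// Constructed sample inputs; not the repository's real authority files.
export const SAMPLE_INPUTS: Record<string, string> = {
  "authority/runtime.yaml": "command: runtime.process.start\nrisk: low\n",
  "providers/local-runtime.json": '{"id":"provider.node.local-runtime"}\n',
};
export const SAMPLE_SEED = renderSeed(SAMPLE_INPUTS, "-- generated rows follow\n");
```

Running `isStale` against the inputs at check time, rather than trusting file modification times, means a seed regenerated from edited YAML but committed without the YAML change (or the reverse) fails the check the same way.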
## Source Governance
The desktop folder `待落地项目` is an input source, not runtime authority. Files from that source set must be registered in:
```text
docs/source-index/source-map.json
docs/source-index/backlog.json
```
Current reviewed source domains include platform core, AI architecture, phase-1 foundation, remote trading governance, quant industry pack, VisionPro, workbench UI references, crypto/PQC hardening work, and deferred non-trading modules.
## Current Limitations
These are intentional current boundaries:
- The local control-plane and governance spine are implemented; production-grade remote mutation and live target writes remain outside the default local workbench path.
- Extension host isolation is still shallow.
- The remote agent exposes only safe development channel calls; host-effect operations must still go through Command Gateway.
- The remote inventory provider stages local read-only evidence for declared/sanitized Google VM structure; it does not SSH into, mutate, deploy to, or import live trading payloads from the VM.
- Remote receiver SSH provider is registered as a non-live, high-risk provider boundary. It may only be exercised by explicit opt-in smoke and still goes through Command Gateway, policy, audit, approval, idempotency, and deadline controls.
- Rollback drill readiness is only a prerequisite gate. It validates non-live release, staging, journal, deployment run, and PQC signature evidence and writes local evidence; it does not execute `rollback_release`, SSH to the VM, call GCP APIs, or mutate the live hotplane. Non-live rollback drill execution is wired through `deployment.remotereceiver.execute(rollback_release)` and remains explicit opt-in for SSH smoke.
- Release/deployment governance uses a fake `local_docker` target and fake digest for smoke. It persists simulated runs, executes the local receiver through Command Gateway, and writes managed local staging evidence under `.imperativ/runtime/local-receiver`; it still does not connect to Google VM, Artifact Registry, or the live trading hotplane.
- Production activation records production external mutation plans, cloud resource provision plans, and credential binding plans, then evaluates dry-run-only preflight checks and runs an approval-gated apply rehearsal. The rehearsal writes only local evidence and does not call cloud APIs, send external SaaS writes, run OpenTofu/Crossplane apply, read raw secrets, or create provider authority.
- Multi-language provider runtime, gRPC, Wasm, FFI, live remote daemon deployment, and production promotion policy are deferred.
- Crypto/PQC support is an attestation-based crypto-agility boundary. PQC-ready signature verification, signature creation, and key wrap/unwrap accept approved external evidence and emit CryptoEvidence; hybrid transport profile verification preserves current TLS/SSH. Phase 1 does not deploy QKD, replace production transport, expose raw key material, or execute local PQC primitives.
- Quant diagnostics and VisionPro monitoring are now registry-backed read-model surfaces. Mutation-capable industry adapters, production connector binding, and live trading adapters remain deferred.
- The audit verifier endpoint is active and current smoke expects it to pass.
## Roadmap
Near-term governed runtime work:
- Production-grade Workbench/operator interactions beyond registry-backed read models
- Wire external OpenTelemetry Collector/Tempo/Loki exporters to the existing operation trace ledger
- Live production promotion runbook and policy for the receiver daemon
Recently closed:
- Temporal runtime adapter integration: `temporal.workflow.start`, `temporal.workflow.signal`, `temporal.workflow.cancel`, `temporal.workflow.query`, `provider.node.temporal-runtime-adapter`, `apps/temporal-worker`, Temporal command/result contracts, authority rules, provider bindings, OpenAPI validation routes, SDK client adapter, optional real execution behind `IMPERATIV_ENABLE_REAL_TEMPORAL_EXECUTION=1`, local evidence artifacts, and unit/integration/provider SDK coverage are implemented while Imperativ remains the authority/audit owner.
- Phase 9 governed runtime adapter execution: `runtime.adapter.execute`, `provider.node.runtime-adapter-executor`, `RuntimeAdapterExecutionRequest`, `RuntimeAdapterExecutionResult`, `/v1/runtime-adapter-executions/validate`, `/v1/runtime-adapter-execution-results/validate`, Workbench `phase9-runtime-executions`, authority seed, provider binding, approval-required command dispatch, dry-run command rendering, optional real CLI invocation behind `IMPERATIV_ENABLE_REAL_RUNTIME_ADAPTER_EXECUTION=1`, local artifact evidence, smoke coverage, and disposable k3d/Temporal/Argo runtime setup scripts are implemented for non-production governed targets only.
- Phase 8 local runtime adapter proof: `runtime.adapter.proof.run`, `provider.node.runtime-adapter-proof`, runtime proof contracts, Workbench `phase8-runtime-proofs`, authority seed, provider binding, local proof artifact evidence, and smoke coverage are implemented.
- Phase 7 governed webhook connector: `enterprise.connector.webhook.deliver`, `provider.node.enterprise-webhook-connector`, webhook delivery contracts, Workbench `phase7-webhook-deliveries`, authority seed, provider binding, and smoke coverage are implemented for development allowlist targets only.
- Phase 6 activation gates and Phase 5 execution governance: activation reviews, runtime execution plans, controlled rehearsal plans, production promotion plans, local mock business-action dispatch, Workbench read models, authority seed, smoke coverage, and architecture deviation reviews are implemented without granting provider authority.
- Independent follow-up closure: `independent.lines.close` now closes Contract Productization v2, Quant Research Diagnostics, VisionPro Monitoring, Enterprise Connector Adapters, and Execution Adapter Runtime through `provider.node.independent-lines-closure`, `/v1/independent-lines/closure`, `/v1/contracts/catalog`, `/v1/industry-packs/quant/diagnostics`, `/v1/visionpro/monitoring`, `/v1/enterprise-connectors/runtime`, `/v1/execution-adapters/runtime`, registry-owned Workbench panels, local sha256 artifact evidence, audit, and smoke coverage.
- Production activation: `/v1/production/external-mutation-plans`, `/v1/production/cloud-resource-provision-plans`, `/v1/production/credential-binding-plans`, `/v1/production/activation-readiness`, and `production.activation.apply` now model real production external writes, cloud resource creation, credential binding, readiness, and approved apply rehearsal as governed plans with OpenBao/External Secrets/Crossplane/OpenTofu-compatible boundaries. Runtime smoke proves contract, persistence, query, dry-run-only controls, credential binding coverage, rollback/idempotency checks, approval/resume, local evidence, and bounded audit summaries without performing live apply.
- Production receiver daemon readiness, bounded journal content import, hybrid transport verification, PQC signing, and PQC key wrap/unwrap: `deployment.remotereceiver.daemon.readiness`, `deployment.remotejournal.content.import`, `transport.session.verify`, `crypto.signature.create`, `crypto.key.wrap`, and `crypto.key.unwrap` now resolve through governed providers, approval where high/critical risk applies, local evidence, and audit. These paths keep VM mutation, GCP API mutation, live hotplane writes, raw key material, local PQC primitive execution, QKD deployment, and high-volume PostgreSQL payload storage out of scope.
- Remote receiver supervision evidence gate: `deployment.remotereceiver.supervision.check` is now a high-risk approval-gated metadata-only provider path that records declared receiver health, heartbeat freshness, isolated receiver root, and production promotion blockers without SSH, remote mutation, GCP API calls, journal content import, or production write promotion.
- Remote journal reconciliation gate: `deployment.remotejournal.reconcile` is now a high-risk approval-gated provider path that validates `RemoteJournalRef` hash/cursor/eventTypes against a `DeploymentRun` and `RemoteReceiverManifest`, emits local evidence, and returns a `reconciledJournalRef` with imported cursor metadata without SSH, remote mutation, journal content import, or high-volume PostgreSQL payload storage.
- AI repo governance compiler: `ai.repo.governance.compile` is now a governed provider path that compiles README/AGENTS/CLAUDE/source-index rule refs into an `AIRepoGovernanceBundle` with source hashes, role-policy bindings, lifecycle reminders, verifier presets, blocked actions, and local artifact evidence while forbidding prompt-only authority, direct provider calls from agents, remote mutation, live trading writes, raw secrets, and high-volume PostgreSQL payload storage.
- AI workflow evidence package: `ai.workflow.evidence.package` is now a governed provider path that packages capsule/Q3/A-B handoff, research memory query packs, profile-scoped MCP tools, cross-arch MCP quality tools, GitNexus read-only freshness requirements, and GitHub Actions third-party detector metadata into local sha256 evidence while forbidding authority bypass, remote mutation, live trading writes, raw secrets, high-volume PostgreSQL payload storage, and CI-driven release authority.
- Non-live rollback drill execution path: `deployment.remotereceiver.execute(rollback_release)` now has a narrow rollback drill authority rule for `target.google-vm.rollback-drill-smoke`, carries readiness report/evidence refs into `DeploymentRun` and `RemoteJournalRef` metadata, and has opt-in smoke coverage that creates only new files under the isolated non-live receiver root.
- Rollback drill readiness gate: `deployment.rollback.drill.readiness` is now registered as a high-risk approval-gated provider that validates non-live GCE rollback drill prerequisites, including release/plan/receiver/staging/journal/deployment-run/PQC signature evidence, and writes local evidence without executing rollback or mutating VM/GCP/live trading resources.
- PQC-ready signature verification: `crypto.signature.verify` now also supports `pqc_attested_external` requests routed to `provider.node.crypto-signature-pqc-ready`, which validates approved external verifier attestation and artifact hashes while keeping raw key material, local PQC primitive implementation, remote mutation, live hotplane writes, QKD, and transport replacement out of scope.
- Next-stage AI control-plane workflows: `ai.google.vm.analyze`, `ai.framework.productization.prepare`, `/v1/ai-framework-migration-workbench`, `/v1/agent-jobs/runtime/{claim,tick,transition}`, `/v1/memory-promotions`, and cross-arch `local_subprocess` verifier execution are implemented and covered by smoke. The implementation keeps VM services non-authoritative, memory non-authoritative for policy, and remote/live trading mutation disabled.
- AI framework landing skeletons: `ai.framework.inventory.import` and `verifier.cross.arch.run` now resolve through Authority Map and Command Gateway to local providers, staging AI inventory/import-plan artifacts and metadata-only VerifierRun evidence without direct SSH, raw shell, remote mutation, live trading writes, raw secrets, or high-volume PostgreSQL payloads.
- Coding worker adapter boundary: `coding.worker.adapter.prepare` now resolves through Authority Map and Command Gateway to `provider.node.coding-worker-adapter-boundary`, staging Codex/Claude ToolInvocation templates, AgentRolePolicy bindings, raw-log SessionArtifact templates, VerifierGate fail-closed policy, credential boundary metadata, Workbench blockers, and sha256 artifact evidence while keeping OpenCode deferred and forbidding model execution, direct provider calls, direct shell/SSH, remote mutation, live trading writes, and raw secrets.
- Memory and agent-work governance stores: `MemoryCandidate`, `MemoryApproval`, `ApprovedMemory`, `AgentJob`, and `WorktreeLease` contracts now have parser coverage, PostgreSQL persistence, Control Plane validation/write/list endpoints, and smoke coverage with controls that keep memory non-authoritative and agent jobs local-governance-only.
- GCE staging adapter skeleton: `deployment.gce.staging.prepare` is registered as a high-risk approval-gated non-live capability with receiver-mediated, credential-handle-backed, local evidence-only behavior; it validates plan boundaries and records no GCP API mutation or remote mutation.
- Enterprise operability planes: Command Gateway now writes operation runs/spans and `/v1/operation-timeline`; outbox publisher uses PostgreSQL notification wakeups; provider dispatch is idempotent and deadline-aware; `operation-orchestrator` performs stale-task reconciliation; every workspace has project graph metadata checked by `governance:check`.
- Remote receiver SSH provider boundary: `deployment.remotereceiver.execute` is registered as a high-risk non-live capability with provider binding constraints; default smoke verifies registration and policy metadata, while live SSH execution remains explicit opt-in.
- Workbench terminal/log read surface: `console-web` now exposes `/v1/workbench/logs`, aggregates task events, session events, diagnostics, and audit events into a read-only timeline, and renders it as the Logs panel without direct shell authority.
- Workbench command palette execution controls: `console-web` embeds the command catalog in `/v1/workbench` and exposes `/v1/workbench/commands/execute`; the browser submits a full `CommandEnvelope` to the Workbench same-origin proxy, the proxy validates the envelope, and execution still flows through Control Plane `/v1/commands`.
- Workbench Governance Control Center: `console-web` now exposes `/v1/workbench/governance-control-center`, aggregating UI locks, terminal/credential posture, policy maintenance, OPA/Cedar sidecars, and system configuration into one registry-owned read model. Mutation affordances are non-executable CommandEnvelope drafts only; real changes still require registered commands, Command Gateway, policy, approval, and audit.
- Workbench observation and project inclusion surfaces: `console-web` now exposes `/v1/workbench/observability-overview` for runtime/evidence/service/provider/credential posture and `/v1/workbench/project-inclusion-overview` for workspace projects, provider manifests, industry packs, credential definitions, services, modules, and panels. Both are registry-owned read models and grant no execution authority; Workbench bootstrap remains catalog-light, while overview aggregation uses bounded audit/outbox windows, short in-flight coalescing, and response-size guards.
- AI Console source intelligence: `@colbymchenry/codegraph` and `gitnexus@1.6.5` are workspace dev dependencies, `.codegraph/` and `.gitnexus/` stay local-only, and `console-web` resolves repo-local CLIs before user/global fallbacks. `/v1/ai-console/model-dialogue` now runs real GitNexus CLI `status/query`, CodeGraph MCP `codegraph_status`/`codegraph_explore`, and a clearly labeled lexical fallback before `ai.model.invoke`; Source Intelligence renders both graph backends as read-only evidence, not authority or completion proof. Terminal agents use the same rule through `pnpm run source-intelligence:preflight -- ""`.
- Workbench read-model UI shell: `http://localhost:5173/` now renders a local HTML shell over registry-owned modules, panels, metrics, and the active retro amber CRT theme. `ADR-010` classifies UI registry work as a platform functional adapter; industry packs can contribute surfaces through registry entries, but renderer code must not own product-specific surface lists or theme token sets. It is read-only except for CommandEnvelope-only submission through Command Gateway and grants no execution authority.
- Crypto governance contract boundary: `CryptoPolicy`, `KeyReference`, `CryptoEvidence`, `TransportSecurityProfile`, simulation-only signature verification, PQC-ready external verification/signing/key-wrap attestations, and hybrid transport profile verification schemas/providers are in place for crypto-agility/PQC readiness. This stores references and evidence only, not raw key material.
- Remote read-only inventory provider: `remote.inventory.read` now resolves through Authority Map and Command Gateway to `provider.node.remote-inventory`, stages `RemoteInventory` and `RemoteInventoryImportPlan` artifacts under `.imperativ/runtime/remote-inventory`, preserves ClickHouse/kdb references as external data-plane stores, and forbids direct SSH, remote mutation, live trading writes, and high-volume payload storage in `imperativ_system`.
- Extension-host RPC/sandbox boundary MVP: activation now creates observable `ExtensionHostRuntime` records, `/v1/rpc` handles guarded runtime calls, and `command.proxy` returns Command Gateway requirements instead of executing providers directly.
Later modules:
- Live production promotion runbook, policy, and operator flow for receiver-mediated writes
- Real external cryptographic service/HSM/KMS integration beyond approved attestation evidence
- Multi-language provider runtime with JSON-RPC/gRPC/Wasm boundaries
- Production remote-agent deployment model
- Production-grade industry adapters and live target mutation adapters
- VisionPro and other future interface layers
## Third-Party Tools
Imperativ is a public repository. Third-party tools may appear in contracts, provider adapters, local Compose services, or architecture references, but raw secret material must never be committed. External projects do not become execution authority inside Imperativ; they are mediated through contracts, Command Gateway, policy, provider bindings, and audit.
Runtime and development toolchain:
- [Node.js](https://nodejs.org/) 22 Bookworm images run the TypeScript services in the local stack.
- [TypeScript](https://www.typescriptlang.org/) owns application orchestration, HTTP surfaces, Workbench, provider IO, and store integration.
- [Rust](https://www.rust-lang.org/) owns gateway admission and audit-hash enforcement boundaries.
- SPARK/Ada carries the small safety-kernel proof path for non-bypass invariants.
- [OCaml](https://ocaml.org/) owns semantic policy, patch, repository-boundary, and topology checks where meaning must not be reimplemented in TypeScript.
- [.NET](https://dotnet.microsoft.com/) is present as a shadow parity scaffold for selected control-plane domains; it is not the live runtime.
- [pnpm](https://pnpm.io/) manages the workspace and scripts.
- [Python](https://www.python.org/) powers repository checks, seed generation, and smoke tests.
- [Bash](https://www.gnu.org/software/bash/) is used by local operation scripts such as `tools/dev_up.sh`, `tools/dev_restart.sh`, and database migration wrappers.
- [Git](https://git-scm.com/) and [GitHub](https://github.com/) host and version the public repository.
- [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/) run the local first-stage stack.
Local infrastructure services:
- [PostgreSQL](https://www.postgresql.org/) 16 is the durable `imperativ_system` store for authority, command, task, audit, diagnostics, source-governance, deployment, and session data.
- [pgvector](https://github.com/pgvector/pgvector) is reserved as an optional PostgreSQL extension for later memory/vector work.
- [Redis](https://redis.io/) 7 is present as a local cache/queue dependency.
- [NATS](https://nats.io/) 2 with JetStream enabled is used for local event fanout and outbox publishing.
- [MinIO](https://min.io/) provides local S3-compatible object/artifact storage.
- [OpenBao](https://github.com/openbao/openbao) and Vault-style systems are credential backend references; Imperativ stores references and leases, not raw secrets.
- [Prometheus](https://prometheus.io/) scrapes local stack metrics.
- [Grafana](https://grafana.com/) provides local dashboards.
Node package dependencies:
- [`pg`](https://www.npmjs.com/package/pg) is the PostgreSQL client used by `@imperativ/system-store-postgres`.
- [`@nats-io/transport-node`](https://www.npmjs.com/package/@nats-io/transport-node) is the Node transport client for NATS.
- [`@nats-io/jetstream`](https://www.npmjs.com/package/@nats-io/jetstream) is used by the outbox publisher for JetStream integration.
- [`@types/node`](https://www.npmjs.com/package/@types/node) and [`@types/pg`](https://www.npmjs.com/package/@types/pg) provide TypeScript type declarations.
GitHub Actions and detection tools:
- [GitHub Actions](https://github.com/features/actions) runs the public-repo CI workflow in `.github/workflows/imperativ-ci.yml`.
- [CodeQL](https://github.com/github/codeql-action) performs GitHub-hosted static analysis for JavaScript/TypeScript and Python.
- [Gitleaks](https://github.com/gitleaks/gitleaks) scans repository history and content for secret leaks, complementing `tools/check_secret_leaks.py`.
- [OSV-Scanner](https://github.com/google/osv-scanner) checks dependency vulnerability exposure.
- [Trivy](https://github.com/aquasecurity/trivy) scans the filesystem for vulnerabilities, secrets, and misconfiguration.
- [actionlint](https://github.com/rhysd/actionlint) checks GitHub Actions workflow syntax and common errors.
- [Syft](https://github.com/anchore/syft) generates SBOM artifacts for supply-chain evidence.
Architecture and implementation references:
- [Visual Studio Code](https://code.visualstudio.com/) informs the workbench, contribution, activation, command, and extension-host layering model.
- [OpenAI Codex](https://openai.com/codex/) and Codex CLI-style workflows inform the local developer/operator agent interface; they are not policy authority.
- [Model Context Protocol](https://modelcontextprotocol.io/) is a northbound tool connectivity reference. MCP servers must still submit governed command envelopes.
- [Hmbown/CodeWhale](https://github.com/Hmbown/CodeWhale), [can1357/oh-my-pi](https://github.com/can1357/oh-my-pi), and [ColeMurray/background-agents](https://github.com/ColeMurray/background-agents) are reviewed agent harness/runtime references.
- [OpenTelemetry](https://opentelemetry.io/) is the trace-context model used by the operation ledger; external Collector export remains optional deployment work.
- [Loki](https://grafana.com/oss/loki/) and [Grafana Tempo](https://grafana.com/oss/tempo/) are compatible external log/trace backends for the current operation timeline model.
- [Nx](https://nx.dev/) is the project graph and affected-build governance model reflected by `nx.json` and workspace `project.json` metadata.
- [Temporal](https://temporal.io/) is integrated as an optional external durable workflow runtime through `provider.node.temporal-runtime-adapter` and `apps/temporal-worker`; Imperativ still owns Command Gateway authority, policy, credential handles, approvals, and audit while Temporal event history is treated as execution-journal evidence.
- [Infisical](https://github.com/Infisical/infisical) and [SOPS](https://github.com/getsops/sops) are credential/config management references; SOPS remains a possible GitOps-encrypted config option.
Remote access, desktop, and operations references:
- [OpenSSH](https://www.openssh.com/) is the local SSH configuration and emergency-access substrate, mediated by Imperativ governance.
- [Google Cloud SDK](https://cloud.google.com/sdk), [Compute Engine](https://cloud.google.com/compute), [Identity-Aware Proxy](https://cloud.google.com/iap), and OS Login are the Google VM access and control-plane references for the connection path to the live trading host.
- [Tailscale](https://tailscale.com/) is a private network underlay reference.
- [UpSnap](https://github.com/seriousm4x/UpSnap) is a Wake-on-LAN relay UI reference.
- [Sunshine](https://github.com/LizardByte/Sunshine) and [Moonlight](https://github.com/moonlight-stream/moonlight-qt) are low-latency desktop streaming references.
- [GNOME Remote Desktop](https://gitlab.gnome.org/GNOME/gnome-remote-desktop) and RDP clients are standard desktop access references.
- [Zellij](https://zellij.dev/) is a reusable terminal workspace layout reference.
- [Homarr](https://github.com/homarr-labs/homarr) is a visual dashboard reference for Module Launchpad concepts, with Imperativ governance added.
Access gateway and bastion/PAM references:
- [Teleport](https://github.com/gravitational/teleport) is the preferred future access, credential lease, and audit provider candidate.
- [JumpServer](https://github.com/jumpserver/jumpserver), [Warpgate](https://github.com/warp-tech/warpgate), [Apache Guacamole](https://github.com/apache/guacamole-client), [Next Terminal](https://github.com/dushixiang/next-terminal), [Bastillion](https://github.com/bastillion-io/Bastillion), [ShellHub](https://github.com/shellhub-io/shellhub), [MeshCentral](https://github.com/Ylianst/MeshCentral), [Pomerium](https://github.com/pomerium/pomerium), [OpenZiti](https://github.com/openziti/ziti), [NetBird](https://github.com/netbirdio/netbird), and [Octelium](https://github.com/octelium/octelium) are compared alternatives for future access gateway design.
Tags: AI agents, AI Ops, Rust, visual interface, command gateway, multi-person tracking, audit, development workbench, prompt templates, access control, test cases, vulnerability database, production rehearsal, network traffic audit, automated attacks