diff --git a/.github/workflows/ci-security.yml b/.github/workflows/ci-security.yml index 5a685a6526a..000f629eb00 100644 --- a/.github/workflows/ci-security.yml +++ b/.github/workflows/ci-security.yml @@ -70,6 +70,7 @@ jobs: uses: actions/checkout@v4 # v4.1.7 with: fetch-depth: 0 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Prepare report directory run: mkdir -p "$REPORT_DIR" - name: Run Gitleaks @@ -122,15 +123,15 @@ jobs: security-events: write steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Prepare report directory run: mkdir -p "$REPORT_DIR" - name: Run Semgrep CI ruleset uses: returntocorp/semgrep-action@713efdd345f3035192eaa63f56867b88e63e4e5d # v1 with: config: p/ci - generateSarif: true - sarifFile: ${{ env.REPORT_DIR }}/semgrep.sarif - auditOn: push + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - name: Upload Semgrep SARIF if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.25.10 @@ -153,6 +154,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN || secrets.snyk_token }} steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Prepare report directory run: mkdir -p "$REPORT_DIR" - name: Ensure SNYK_TOKEN is configured @@ -193,6 +195,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Install Trivy uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.0 - name: Prepare report directory @@ -228,6 +231,7 @@ jobs: security-events: write steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Prepare report directory run: mkdir -p "$REPORT_DIR" - name: Build server image for scanning @@ -276,6 +280,7 @@ jobs: needs: context steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.5 - name: Prepare report directory run: mkdir -p "$REPORT_DIR" @@ -301,6 +306,7 @@ jobs: needs: context steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Install Checkov run: pip install --no-cache-dir checkov==3.2.23 - name: Run Checkov across Terraform and Helm assets @@ -331,6 +337,8 @@ jobs: needs: context steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Install Helm uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.1.0 with: @@ -402,6 +410,7 @@ jobs: needs: context steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Execute baseline checks run: | chmod +x scripts/security/baseline-check.sh @@ -422,6 +431,7 @@ jobs: timeout-minutes: 45 steps: - uses: actions/checkout@v4 # v4.1.7 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Prepare report directory run: mkdir -p "$REPORT_DIR" - name: Boot application stack @@ -559,7 +569,7 @@ jobs: uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4.1.0 with: retention-days: 14 - name: security-reports + name: security-reports-aggregated path: aggregated-security/security-summary.json - name: Record dashboard location id: dashboard diff --git a/.github/workflows/ci-verify.yml b/.github/workflows/ci-verify.yml index e6efd8e13ed..b2ecdebf7f2 100644 --- a/.github/workflows/ci-verify.yml +++ b/.github/workflows/ci-verify.yml @@ -146,6 +146,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 # v6 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - uses: actions/setup-node@v4 # v6 with: cache: 'pnpm' @@ -311,6 +312,7 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 # v6 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - uses: actions/setup-node@v4 # v6 with: cache: 'pnpm' diff --git a/.github/workflows/governance-lockfile-verify.yml b/.github/workflows/governance-lockfile-verify.yml index 392251d0e7f..51d56c71a89 100644 --- a/.github/workflows/governance-lockfile-verify.yml +++ b/.github/workflows/governance-lockfile-verify.yml @@ -58,6 +58,8 @@ jobs: - name: Checkout uses: actions/checkout@v4 # v4 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 + - name: Make Scripts Executable run: chmod +x scripts/release/*.sh diff --git a/.github/workflows/mvp4-gate.yml b/.github/workflows/mvp4-gate.yml index 282a4273e9e..6346d742b9d 100644 --- a/.github/workflows/mvp4-gate.yml +++ b/.github/workflows/mvp4-gate.yml @@ -78,7 +78,7 @@ jobs: - name: Setup OPA uses: open-policy-agent/setup-opa@950f159a49aa91f9323f36f1de81c7f6b5de9576 # v2 with: - version: v0.61.0 + version: v0.68.0 - name: Verify Policies run: | opa check policies/ diff --git a/.github/workflows/pr-quality-gate.yml b/.github/workflows/pr-quality-gate.yml index 2bd7a22acc4..29392ef3e36 100644 --- a/.github/workflows/pr-quality-gate.yml +++ b/.github/workflows/pr-quality-gate.yml @@ -16,17 +16,17 @@ jobs: - name: Checkout uses: actions/checkout@v4 # v6 + - name: Install pnpm + uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 + with: + version: 9 + - name: Setup Node.js uses: actions/setup-node@v4 # v6 with: node-version: 20 cache: "pnpm" - - name: Install pnpm - uses: pnpm/action-setup@v4 - with: - version: 9 - - name: Install Dependencies run: pnpm install --frozen-lockfile @@ -40,17 +40,17 @@ jobs: - name: Checkout uses: actions/checkout@v4 # v6 + - name: Install pnpm + uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 + with: + version: 9 + - name: Setup Node.js uses: actions/setup-node@v4 # v6 with: node-version: 20 cache: "pnpm" - - name: Install pnpm - uses: pnpm/action-setup@v4 - with: - version: 9 - - name: Install Dependencies run: pnpm install --frozen-lockfile @@ -73,6 +73,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 # v6 + - uses: pnpm/action-setup@c5ba7f7862a0f64c1b1a05fbac13e0b8e86ba08c # v4 - name: Install Syft uses: anchore/sbom-action/download-syft@v0 diff --git a/intel/targets/.gitkeep b/intel/targets/.gitkeep new file mode 100644 index 00000000000..e69de29bb2d diff --git a/packages/advanced-caching/package.json b/packages/advanced-caching/package.json index 7e69b9df9ef..899cf79a168 100644 --- a/packages/advanced-caching/package.json +++ b/packages/advanced-caching/package.json @@ -17,7 +17,7 @@ "zod": "^3.24.1", "lru-cache": "^11.0.0", "async-mutex": "^0.5.0", - "xxhash": "^0.3.0" + "xxhash-wasm": "^1.0.2" }, "devDependencies": { "@types/node": "^20.0.0", diff --git a/packages/nlp/package.json b/packages/nlp/package.json index faf4cb5c62f..caf1ce43af4 100644 --- a/packages/nlp/package.json +++ b/packages/nlp/package.json @@ -44,7 +44,6 @@ "stopword": "^3.1.1", "wink-nlp": "^2.2.0", "wink-eng-lite-web-model": "^1.5.0", - "spellchecker": "^3.7.1", "unorm": "^1.6.0" }, "devDependencies": { diff --git a/prompts/competitive/summit-competitive-subsumption-protocol.md b/prompts/competitive/summit-competitive-subsumption-protocol.md new file mode 100644 index 00000000000..b1bc9400d63 --- /dev/null +++ b/prompts/competitive/summit-competitive-subsumption-protocol.md @@ -0,0 +1,298 @@ +# Summit Competitive Subsumption Protocol v1.0 + +## 0) Operator Contract + +**Role:** You are Summit’s competitive subsumption agent. +**Goal:** Convert a TARGET (public artifact) into: + +1. **Extracted intelligence** (what’s real and reusable), +2. **Summit-native integration plan** (patch-first, minimal blast radius), +3. **Transcendence roadmap** (features they can’t match), +4. **Moat + gates** (defensibility + assurance + compliance), +5. **Deterministic evidence** (repeatable artifacts). + +### Hard Constraints (Non-Negotiables) + +* **Public-only**: Use only information available in the TARGET’s public materials (repo, docs, site, papers, talks). +* **No copying**: No direct code copying beyond what the license explicitly allows; default to **re-implementation from concepts**. +* **License discipline**: Identify license(s). If uncertain, treat as **restrictive** and avoid code-level reuse. +* **Determinism**: All outputs must be stable (sorted lists, fixed headings, no timestamps in artifacts unless explicitly required). +* **Patch-first**: Prefer small, mergeable changes; avoid refactors unless directly justified by extracted value. +* **Security posture**: Do not propose unsafe exploitation steps; focus on defensive validation and hardening. + +--- + +## 1) Inputs + +Provide the following at runtime (explicitly in the run context): + +* **TARGET.name** +* **TARGET.type**: `repo | product | paper | vendor | dataset | mixed` +* **TARGET.url(s)** +* **TARGET.scope**: what to analyze (full / specific modules / certain docs) +* **SUMMIT.baseline**: current Summit commit/branch (or release tag) +* **SUMMIT.constraints**: deployment constraints (air-gapped? FedRAMP-ish? CUI? etc.) +* **RUN.mode**: `fast-scan | deep-dive | integration-sprint | moat-sprint` + +If any input is missing, proceed with best-effort and mark assumptions explicitly. + +--- + +## 2) Outputs (Required Artifacts) + +You must produce **exactly** these artifacts (stable filenames), each with consistent structure: + +1. `intel/targets//00_target_manifest.json` +2. `intel/targets//10_extraction_report.md` +3. `intel/targets//20_capability_matrix.csv` +4. `intel/targets//30_gap_and_risk_register.md` +5. `intel/targets//40_integration_backlog.md` +6. `intel/targets//50_transcendence_plan.md` +7. `intel/targets//60_moat_and_gates.md` +8. `intel/targets//70_evidence_map.md` +9. `intel/targets//80_pr_stack_plan.md` + +### Deterministic Rules for Files + +* JSON keys in alphabetical order. +* CSV columns fixed and documented. +* Markdown headings fixed; bullets sorted where possible. +* No dates in filenames. If you need a date, put it in content as `analysis_date` in JSON. + +--- + +## 3) Phase A — Target Intake & Legality Gate + +### A1: Identify provenance + +* What is the TARGET? Who publishes it? What artifacts exist (repo, docs, binaries, demos)? +* Extract **license(s)** and **usage constraints**. +* Identify **supply-chain posture** signals (signed releases? SBOM? SLSA? provenance?). + +### A2: Legal/ethical “go/no-go” + +* If license prohibits intended usage or is unclear → limit to **conceptual analysis** only. +* Explicitly enumerate what is safe to reuse: “ideas/patterns”, “public APIs”, “data formats”, etc. + +**Deliverable impact:** Populate `00_target_manifest.json` + sections in `10_extraction_report.md`. + +--- + +## 4) Phase B — Deep Intelligence Extraction + +You must extract **evidence-backed** claims only. For every significant claim, include a citation pointer to the exact file/URL section. + +### B1: Architecture & design patterns + +* System boundaries, components, dependencies, trust zones. +* Data flows, state management, failure modes. +* API conventions, interface boundaries, versioning approach. + +### B2: Technical implementation + +* Algorithms & data structures (at conceptual level if code reuse is restricted). +* Perf patterns: caching, batching, async, indexing. +* Test strategy and quality gates: CI, linting, fuzzing, invariant tests. + +### B3: Agent systems & orchestration + +* Agent model: planner/executor? hierarchical? tool-calling? +* Prompt patterns: templates, role separation, eval loops, guardrails. +* Fall-back behaviors: multi-model routing, retries, circuit breakers. + +### B4: Knowledge graph & data engineering + +* Graph schema modeling: entities, relations, constraints. +* Entity resolution, dedupe, provenance/lineage. +* Retrieval: GraphRAG vs vector-only; hybrid retrieval; ranking and filters. + +### B5: Product & UX + +* Workflows: ingest → enrich → analyze → collaborate → export. +* UX primitives: timelines, graph views, alerts, investigations. +* Integration patterns and user onboarding friction points. + +### B6: Operational excellence + +* Deploy topology: containers, k8s, serverless, on-prem. +* Observability: logs/metrics/traces; SLOs. +* Security: authn/authz, secrets, isolation, audit logs, data retention. + +**Deliverable impact:** `10_extraction_report.md` and `20_capability_matrix.csv`. + +--- + +## 5) Phase C — Summit Mapping & Integration Plan + +### C1: Map to Summit primitives + +Map extracted patterns into Summit’s likely domains (example categories): + +* **Connectors & ingestion** (scheduler, normalization, provenance) +* **Graph layer** (schema, constraints, traversal, GraphRAG) +* **Vector layer** (Qdrant/embeddings, hybrid retrieval, ranking) +* **Agents** (tool registry, orchestrator, eval harness, policy) +* **Ops** (CI gates, evidence bundles, SBOM, provenance, deployment) + +### C2: Compatibility analysis + +For each extracted capability: + +* **Drop-in?** (small additive module) +* **Adaptation needed?** (interface changes) +* **Not compatible** (conflicts with Summit architecture or governance) + +### C3: Patch-first backlog + +Create backlog items with: + +* User value +* Minimal change surface +* Test plan +* Evidence outputs expected +* Rollback plan +* Owners/agents (e.g., Codex, Jules, Atlas review) + +**Deliverable impact:** `40_integration_backlog.md` + `80_pr_stack_plan.md`. + +--- + +## 6) Phase D — Transcendence (Outrun Them) + +Produce an explicit plan to exceed TARGET in at least **3 measurable dimensions**: + +### D1: Architectural superiority + +* Simplify and modularize what they made complex. +* Make it more deployable (offline, air-gapped, multi-tenant). +* Stronger invariants: schema constraints, provenance guarantees, reproducible pipelines. + +### D2: Agentic innovation + +* Multi-agent coordination patterns they don’t have: + + * hierarchical planning + verification + * tool-risk scoring + policy enforcement + * eval-driven prompt/skill improvement loops +* Multi-model routing with deterministic fallback. + +### D3: Performance domination + +* Identify 3 bottlenecks and propose: + + * caching & precomputation + * incremental indexing + * async batching and bounded concurrency +* Define benchmarks and acceptance thresholds. + +### D4: Developer experience + +* Better SDK boundaries, typed contracts, auto-generated docs. +* “Golden Path” templates that remove config burden. +* Debuggability: trace viewer for agent tool calls + retrieval steps. + +**Deliverable impact:** `50_transcendence_plan.md`. + +--- + +## 7) Phase E — Moat & Gates + +### E1: Moat primitives (defensible differentiation) + +* Unique data/lineage guarantees +* Audit-grade observability for investigations +* Policy-aware agent execution +* Connector ecosystem + marketplace mechanics (where appropriate) +* Benchmarks and published evals + +### E2: Gates (hard control points) + +* Enterprise RBAC + audit logs + retention controls +* Supply-chain gates (SBOM, provenance, dependency policy) +* Model governance (prompt registry, red-team eval, drift detection) +* Regulated deployment profiles (CUI/FedRAMP-ish patterns) + +### E3: IP posture (safe) + +* Patentable claims (concept-level) +* Open-core vs proprietary split recommendations + +**Deliverable impact:** `60_moat_and_gates.md` + risk notes in `30_gap_and_risk_register.md`. + +--- + +## 8) Evidence & Acceptance Criteria + +### Evidence Map + +For every integration/backlog item, define: + +* Required artifact(s) (tests, benchmarks, docs) +* Deterministic generation method +* CI check name(s) +* Traceability links (issue ↔ PR ↔ evidence) + +### Acceptance Criteria + +Each PR in the stack must have: + +* Clear scope and rollback plan +* Tests updated/added +* Evidence artifacts produced +* No breaking changes without migration plan + +**Deliverable impact:** `70_evidence_map.md` + `80_pr_stack_plan.md`. + +--- + +# 9) Standard Templates (Embed in Artifacts) + +## 00_target_manifest.json schema (minimum) + +* `analysis_date` (YYYY-MM-DD) +* `target` { `name`, `type`, `slug`, `urls`[] } +* `license` { `name`, `url`, `reuse_policy` } +* `artifacts` { `repos`[], `docs`[], `demos`[], `papers`[] } +* `assumptions`[] +* `confidence` { `overall` 0-1, `notes`[] } + +## 20_capability_matrix.csv columns (fixed) + +`capability_category,capability,exists_in_target,quality_score_0_5,evidence_pointer,summit_equivalent,integration_effort_s_m_l,risk_low_med_high,notes` + +--- + +# 10) “Run Modes” (Choose one) + +* `fast-scan`: broad extraction + matrix + high-level backlog (no PR plan detail) +* `deep-dive`: full extraction + risk register + integration plan +* `integration-sprint`: focus on 3–5 highest ROI items + PR stack + tests +* `moat-sprint`: focus on defensibility + gates + evals + benchmarks + +--- + +# 11) Final Output Format + +At the end of the run, print a **single executive summary** with: + +* Top 5 extracted advantages +* Top 5 Summit integration opportunities +* Top 3 transcendence plays +* Top 3 moats + top 3 gates +* Risks and license constraints + +No additional commentary. + +--- + +## Optional: Summit-Optimized “PR Stack Skeleton” + +Use this structure in `80_pr_stack_plan.md`: + +* PR 1: Evidence scaffolding (schemas, matrices, CI checks) +* PR 2: Minimal integration slice (one capability, end-to-end) +* PR 3: Eval/benchmark harness for the capability +* PR 4: DX improvements (docs, SDK helpers) +* PR 5: Moat gate (policy enforcement, audit trace, or provenance control) + +Each PR: scope, files touched, tests, evidence outputs, rollback.